Wireshark is a popular network protocol analyzer. It is used for troubleshooting, analysis, development, and education.


The following features are new (or have been significantly updated) since version 1.4:

• Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.
• Large file (greater than 2 GB) support has been improved.
• Wireshark and TShark can import text dumps, similar to text2pcap.
• You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
• Wireshark can export SSL session keys via File→Export→SSL Session Keys.
• TShark can show a specific occurrence of a field when using '-T fields'.
• Custom columns can show a specific occurrence of a field.
• You can hide columns in the packet list.
• Wireshark can now export SMB objects.
• dftest and randpkt now have manual pages.
• TShark can now display iSCSI, ICMP and ICMPv6 service response times.
• Dumpcap can now save files with a user-specified group id.
• Syntax checking is done for capture filters.
• You can display the compiled BPF code for capture filters in the Capture Options dialog.
• You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
• Packet length is (finally) a default column.
• TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
• 802.1q VLAN tags are now shown in the Ethernet II protocol tree instead of a separate tree.
• Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
• The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
• The RTP player now shows why media interruptions occur.
• Graphs now save as PNG images by default.
• Wireshark and TShark can now read compressed Windows Sniffer files.