
TAP Into Technology

Leading the Way in Network Technology

Wireshark – From Ethereal to Today

Posted by Tim O'Neill | 6/7/16 8:00 AM

It has been my pleasure to know Gerald Combs, the inventor, founder and heart behind Wireshark, the most downloaded open source network analyzer.

The story of Wireshark is entwined with the story of Gerald Combs, because it was always Gerald’s dream to build an open source, world-class network analyzer.

A Not-So-Brief History of the World’s Most Popular Open Source Analyzer

When Ethereal started, close to 20 years ago, Gerald’s aim was to give the industry a packet capture and analysis tool that would help visualize and solve network problems. I am sure he had no idea that it would become the benchmark for every network diagnostic tool that followed.

When Gerald and his team first launched Ethereal, it decoded about four protocols, and its main window was simple compared with today’s, which exposes hundreds of capture, analysis and display options. Continued development by Gerald and hundreds of contributors worldwide has made today’s Wireshark the baseline against which other network diagnostic tools are compared.


Gerald remarks about the early days, “For the first year or so, keeping the web site up and running was tenuous at best. Hosting back then was still expensive. Project hosting services like GitHub and SourceForge didn't exist which meant that you had to fend for yourself. I ended up buying a small SPARC Station on eBay and traded consulting time with various ISPs around town for hosting. The arrangements were informal and worked great right up until they didn't. I had a talent for finding companies that would subsequently go out of business, get acquired, or pivot to a new line of business. On a couple of occasions I had to scramble to make sure my little server didn't end up in someone else's inventory - sometimes under the cover of darkness. Eventually, I ended up hosting the project's server in my employer's data center. I wanted to make sure that the arrangement was stable and sustainable and this ultimately led to the project's current sponsorship model.”

“Nowadays, I joke about it,” Combs continues. “But I had a near-pathological blindness to Windows early on which could have severely limited the reach of the project. I used various forms of UNIX along with Mac OS until the early 2000s. Ethereal was originally written with Solaris and Linux in mind. It wasn't until Loris Degioanni and Gianluca Varenni wrote WinPcap, and Gilbert Ramirez (an early Ethereal developer) used it to port Ethereal to Windows that it became apparent just how many people were troubleshooting networks on that platform.”

“After adding a Windows installer our user community ballooned in size. It soon became clear that we were filling a significant need in the industry and that we had a large community that needed our help,” explains Combs. “One area that needed a lot of help was 802.11 capture. At that time it was terrible on Windows. This set a trajectory for the project that led to me joining CACE Technologies (acquired by Riverbed Technology in 2010) where we developed AirPcap and Pilot.”

“Today I develop on Windows, Mac OS and Linux and try to make sure Wireshark runs smoothly on all these platforms.”

Ethereal Then; Wireshark Today

One early capability (around 2001) was that Ethereal could follow a TCP stream, reassembling both sides of a conversation into readable form, while the industry-standard Sniffer could not.

Original Ethereal main capture console (4 decodes)

2016 Wireshark capture console (4000+ decodes, including WiFi)

A Long Time Ago, At a University Far, Far Away

The story begins in the early 1990s, when Gerald was working for a university that had only one Network General (NGC) Sniffer. The Sniffer was a capital investment and far ahead of any competitor for network analysis and troubleshooting. Gerald told me that every time he needed the Sniffer, it had been ‘lent’ to another department and he would have to hunt it down and ‘borrow’ it back.

Combs recalls, “Tim, it reminded me of an old adage, that the university had only one pencil and everyone had to share it!”

His frustration grew in a later position with a small company that could also afford only one Sniffer, and getting hold of it was a real pain. Tired of wasting time finding and borrowing the analyzer, Gerald started thinking about the need for a ‘simple’ protocol analyzer that everyone could use, both to learn about networking and to solve problems.

In 1997 Gerald set out to conceive, build and code the analyzer we came to know as Ethereal, supported by three key developers who helped build and code it from the start: Richard Sharpe, Guy Harris and Gilbert Ramirez.


Over the years many developers have contributed to Wireshark, and many of them are today’s industry experts, bringing their real-world experience to help Wireshark grow technically.

Tony Fortunato, a very well-known teacher, technology writer and analyst recalls, “I first used Ethereal back in 1999 and basically used it as a trace file translation tool. I was working as a consultant and would receive trace files from various clients in different trace file formats. After a few years, I got curious and wondered if it was a viable tool other than the traditional expensive analyzers and was pleasantly surprised. In 2001 I created my first Ethereal training class and have been using and training analysts ever since.”

Today, if you ask someone what Wireshark is, they will most likely say it is a packet analyzer, and that is true. But it has grown some broader capabilities as well:

  • Support for sysdig system-call event captures (sysdig was founded by Loris Degioanni, an old friend of the project from the WinPcap days)
  • Metadata views
  • Integration with new capture sources that merge host and system information with the packets and frames themselves

Wireshark is far from complete and we can expect many more features.


Gerald Combs, the Founder of Wireshark

Gerald is a quiet and unassuming technologist; let’s be truthful, he is a Geek like so many of us in this field. I and most of my friends are Geeks and are proud of it.

I am sure that when Gerald was younger no one expected him to change the world by building Wireshark and assembling a community of professionals to design and code it.

But he did, and in doing so he gave us network Geeks a common plane of data visibility for conversations, development, troubleshooting and network management. Millions of people worldwide use Wireshark, and it has helped many network technology companies develop and prove their products. Now every Geek can carry Wireshark on their computer, and no one has to do without network visibility.

As part of Wireshark’s continual growth there is Wireshark University to help teach people how to use Wireshark expertly. In June each year, there is Sharkfest, an annual gathering of developers, students and experts for a week to learn about and share ideas.

Sharkfest ’08: Gerald Combs and Vinton Cerf

Wireshark keeps growing to stay ahead of the demands of an ever-changing network technology world. As network professionals we should use Wireshark daily and consider it part of the ‘tool bag’: it is an excellent analysis and visibility tool that provides a common plane of analysis for the whole industry.

Another well-known teacher and analyst, Betty DuBois, writes: “My life in Wireshark: I first used Ethereal while I was working for Network General and needed dissectors for Q.931. Sniffer didn't have them, so I downloaded Ethereal and was able to read my customer's trace file. I had been a Sniffer snob, but then I was hooked. How could this be free!? The simple joy of being able to sort on the Delta Time column to find high-latency packets vs. paging down a million times like I had to do in the Sniffer made me fall in love. It seems like a small thing, but when you have wasted hours and hours scrolling looking for the one "slow" packet, it becomes a huge deal. Now I just filter for the big deltas - even better! I've been training people in Wireshark for almost 10 years now, and there is nothing like the high of showing someone the hidden catacombs of their network. They suddenly feel so empowered, like nothing can hide from them now. The finger-pointing meetings they have to attend will never be the same.

I keep learning more about Wireshark in every class and at each of my consulting engagements. My new favorite thing is membership operator filters, for example "http.response.code in {PUT POST}"; it's like a matches character class, but it also works on integer fields. Probably the biggest impact Wireshark has had on my life is the travel. I have taught classes in nine different countries and in cities all over the US. The best part is I have gotten to take my family with me to places I would have never seen otherwise. Not bad for a "little weekend project that got slightly out of hand," as Gerald Combs once called it.”
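The two tricks Betty describes, filtering for big time deltas instead of scrolling and testing a field against a set of values with the membership operator, are easy to take beyond the GUI. The script below is an added example for this post, not code from Wireshark or from any of the people quoted: it exports a handful of fields with tshark and applies the same selections in Python, so the results can feed a report or a ticket. A worked detail to note: `in` works on string fields such as http.request.method (`http.request.method in {"PUT" "POST"}`) and on integer fields such as http.response.code (`http.response.code in {301 302 307}`), and the slow-packet filter is `frame.time_delta_displayed > 0.5`. The tshark output embedded in SAMPLE is constructed so the script runs offline, and the capture name capture.pcapng is an assumption.

```python
"""Slow-packet and set-membership selection over a tshark field export.

Added example for this post (not Wireshark project code). tshark_command()
builds the real export command; SAMPLE is a constructed stand-in for its
output so everything below runs without a capture file.
"""
import csv
import io

# Fields exported with one -e each; tshark -T fields emits them tab-separated.
FIELDS = ["frame.number", "frame.time_delta_displayed",
          "http.request.method", "http.response.code"]

# The same selections as Wireshark display filters, for use inside the GUI.
FILTER_SLOW = "frame.time_delta_displayed > 0.5"
FILTER_WRITES = 'http.request.method in {"PUT" "POST"}'
FILTER_REDIRECTS = "http.response.code in {301 302 307}"

# Constructed sample of `tshark -r capture.pcapng -Y http -T fields ...` output:
# frame number, delta to the previous displayed frame, method, response code.
# A field that does not apply to a packet is exported as an empty string.
SAMPLE = (
    "1\t0.000000\tGET\t\n"
    "2\t0.012000\t\t200\n"
    "3\t0.003000\tPOST\t\n"
    "4\t1.734000\t\t302\n"
    "5\t0.001000\tPUT\t\n"
    "6\t0.642000\t\t500\n"
    "7\t0.004000\tDELETE\t\n"
    "8\t0.002000\t\t307\n"
)


def tshark_command(pcap, display_filter="http"):
    """Return the tshark argv that exports FIELDS as TSV rows from pcap."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_rows(tsv_text):
    """Turn tshark -T fields output into dicts with typed values."""
    rows = []
    for rec in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(rec) != len(FIELDS):
            continue  # skip a malformed line rather than misalign columns
        number, delta, method, code = rec
        rows.append({
            "frame.number": int(number),
            "frame.time_delta_displayed": float(delta),
            "http.request.method": method or None,
            "http.response.code": int(code) if code else None,
        })
    return rows


def slow_frames(rows, threshold=0.5):
    """Frames whose gap from the previous displayed frame exceeds threshold (s)."""
    return [r["frame.number"] for r in rows
            if r["frame.time_delta_displayed"] > threshold]


def frames_in_set(rows, field, values):
    """Membership test like Wireshark's `field in {...}`, for ints or strings."""
    return [r["frame.number"] for r in rows if r[field] in values]


def analyze(tsv_text):
    """Apply the three selections and return the matching frame numbers."""
    rows = parse_rows(tsv_text)
    return {
        "slow": slow_frames(rows),
        "writes": frames_in_set(rows, "http.request.method", {"PUT", "POST"}),
        "redirects": frames_in_set(rows, "http.response.code", {301, 302, 307}),
    }


if __name__ == "__main__":
    print("export with:", " ".join(tshark_command("capture.pcapng")))
    for name, frames in analyze(SAMPLE).items():
        print(f"{name}: frames {frames}")
```

Replace SAMPLE with the output of the printed tshark command to run this against a real capture; because frame.time_delta_displayed is measured against the previous displayed frame, the -Y filter you export with changes which gaps count as slow.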

I believe that Betty and Tony sum up the value of Wireshark. But to read more go to https://www.wireshark.org/.

For those of you attending Sharkfest, be sure to stop by the Garland Technology table. Garland has been a Sharkfest sponsor since the event’s inception in 2008 and remains committed to supporting the Wireshark community with network access to every bit, byte, and packet®.

I wish all Great Success with Less Stress. 


Sources: Gerald Combs – interview

The Google book on Ethereal can be found here.


Topics: Network Visibility/Monitoring, Technology Partners, Wireshark

Written by Tim O'Neill

As the Senior Technology Consultant & Chief Editor at LoveMyTool, Tim O’Neill has over 45 years of technology experience at data/voice and video networking analysis companies, including successful senior roles in Sales, Product Design, Marketing Management, Business Development and Security.