Wild exaggeration. Wireshark is very limited in what it can do and has gained few if any new power-user features (especially when it comes to extensibility and programmability) in more than a decade of development. The macOS-specific functionality in this very post has been available for years.
Anyone who relies on non-trivial packet capture or processing workflows, ditches Wireshark (optionally reusing dissectors) and writes custom tooling (which is very easy to do).
Even the dissector stuff feels so.. broken? unmaintained? The lua api is very annoying to use and python support was removed over a decade ago. Have not used the C API so maybe thats just what most people use and its good, but for my usecase I usually just want to quickly sketch out a view for a custom protocol that I can see in the UI.
I would absolutely love for someone to write a good alternative to wireshark.
I think it is not an exaggeration to say that without Wireshark, so much of modern computing would never have been developed and we would be stuck in the past. The amount of visibility it gives is immense. I have used it for years, decades now.
VPNs have existed for a long time, while wireshark is the current new curve, there will always be the next curve that emerges and evolves to replace the current one.
You can do this with any capture device if you pipe the output to a FIFO handle and open it in wireshark. It can be a bit janky and you’re usually better off using the GUI configs when they’re available. But it gives you a bunch of flexibility to do things like “capture tcpdump in a docker exec in an SSH session on a remote host” [0].
It supports ETW as an input format, but I (personally) haven't yet gotten my head around how to do the same.
My current worflow is capture with pktmon, then analysis in Microsoft Network Monitor to expose PID stuff.
I figure there /has/ to be a way to do it similarly in Wireshark, I just haven't found a how-to and haven't dug into it myself. Once I do (it's on my casual todo list) I'll do a writeup on that as well, since it'd be super useful.
One piece of modern software without which, modern society would not exist. People don’t realize there’s no real alternative.
Melodramatic, and more importantly, wrong.
> People don’t realize there’s no real alternative
EtherPeek/OmniPeek has entered the chat
There were tools before Wireshark, and there will be tools after it's long gone. Just because you haven't heard of them doesn't mean they don't exist!
Wild exaggeration. Wireshark is very limited in what it can do and has gained few if any new power-user features (especially when it comes to extensibility and programmability) in more than a decade of development. The macOS-specific functionality in this very post has been available for years.
Anyone who relies on non-trivial packet capture or processing workflows, ditches Wireshark (optionally reusing dissectors) and writes custom tooling (which is very easy to do).
Even the dissector stuff feels so.. broken? unmaintained? The lua api is very annoying to use and python support was removed over a decade ago. Have not used the C API so maybe thats just what most people use and its good, but for my usecase I usually just want to quickly sketch out a view for a custom protocol that I can see in the UI.
I would absolutely love for someone to write a good alternative to wireshark.
6 replies →
I think it is not an exaggeration to say that without Wireshark, so much of modern computing would never have been developed and we would be stuck in the past. The amount of visibility it gives is immense. I have used it for years, decades now.
[dead]
Edit: Misread name, can't delete comment.
VPNs have existed for a long time, while wireshark is the current new curve, there will always be the next curve that emerges and evolves to replace the current one.
Wireshark != Wireguard
1 reply →
Recently I discovered you can use an android device as a live remote capture device for bluetooth and Internet captures and iOS for Internet captures.
Not creating a capture and then downloading it, actual real time network captures.
You can do this with any capture device if you pipe the output to a FIFO handle and open it in wireshark. It can be a bit janky and you’re usually better off using the GUI configs when they’re available. But it gives you a bunch of flexibility to do things like “capture tcpdump in a docker exec in an SSH session on a remote host” [0].
[0] https://gist.github.com/milesrichardson/fcec8c6d54a21845dd9f...
Any ways to bring that to Linux or Windows? I've long yearned for a solution for this.
It supports ETW as an input format, but I (personally) haven't yet gotten my head around how to do the same.
My current worflow is capture with pktmon, then analysis in Microsoft Network Monitor to expose PID stuff.
I figure there /has/ to be a way to do it similarly in Wireshark, I just haven't found a how-to and haven't dug into it myself. Once I do (it's on my casual todo list) I'll do a writeup on that as well, since it'd be super useful.