Organizations seeking a reliable ally to help defend the network should seriously consider enlisting Wireshark, a free, open source network protocol analyzer that has been around since 1998. Created by Gerald Combs and worked on by hundreds of contributing developers, this tool has been the go-to soldier in the trenches for tens of millions of network troubleshooters and the envy of almost every other open source program.
The only truth you have about a network is what the network sniffer sees. Everything else is opinion or conjecture. Firing up a good network sniffer is an excellent way to see what your network really looks like. I've turned to Wireshark to track hacker behavior, ferret out malicious traffic, or to explain the "unsolvable" problems.
When using a sniffer such as Wireshark, I'm constantly surprised by all the network packets that are sent for even the simplest tasks. Usually I'll see far more packets than expected because the theoretical protocol explanations are oversimplified and don't take into account what happens on a real network. Firing up a sniffer is also an excellent way to see problems you didn't know existed; conversely, only a sniffer can show you all the normal (and expected) failures that are part of any operating network.
I've used many packet sniffers in my 20-plus-year career, including other open source projects (such as tcpdump, Ettercap, and Dsniff) and commercial products (Novell's LANalyzer, Microsoft's Network Monitor, WildPackets' OmniPeek, and Network Instruments' Observer). Those other open source products are good and particularly adept at very specific tasks, such as Dsniff's ability to pick plain-text log-on credentials out of the traffic and print them to the screen. Commercial products often have sophisticated enterprise features that Wireshark does not. But for a free product, Wireshark is awesome.
The active development community keeps Wireshark feature rich, easy to use, and up to date. Wireshark doesn't suffer from the loss of developer enthusiasm to which so many other promising open source products succumb.
My favorite features number in the dozens, but Follow TCP Stream is certainly my top pick. Right-click on any single packet within a TCP session and you instantly see the entire stream highlighted, with its plain-text data displayed. In the olden days, the same process could easily take 5 minutes or more as you filtered packets and tried to reconstruct the session by hand.
Wireshark automatically colorizes and highlights different communication sessions so that you can easily pick out the separate conversations within the plethora of collected data. Along the same lines, Wireshark can automatically tell you which packets mark the beginning and end of a file transfer, along with the name of the file and its originating path. Again, this single feature -- another of my favorites -- easily saves me 5 to 10 minutes.
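To make concrete what Follow TCP Stream does behind the right-click, here is the manual reconstruction described above written out as code. This is an added example, not Wireshark's code: it groups captured segments into conversations, orders each direction by TCP sequence number, and stitches the payloads together while discarding retransmitted bytes and flagging gaps. The packets, addresses and the `tcp()` helper are constructed for the demonstration (TEST-NET and private addresses, no real capture).

```python
"""Reassemble both directions of a TCP conversation from individual segments.

Example code illustrating the work Wireshark's Follow TCP Stream automates.
Not part of Wireshark; all packets below are constructed for this demo.
"""
from collections import defaultdict


def tcp(src, sport, dst, dport, seq, payload):
    """Build a minimal segment record (constructed stand-in for a parsed packet)."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "seq": seq, "payload": payload}


CLIENT, SERVER = ("10.0.0.5", 51000), ("203.0.113.10", 80)

# Constructed capture: a small HTTP exchange that arrives the way real traffic
# does, with an out-of-order segment, a pure retransmission, a partially
# overlapping retransmission, a bare ACK, and an unrelated connection mixed in.
PACKETS = [
    tcp(*CLIENT, *SERVER, 1000, b"GET /index.html HTTP/1.1\r\n"),
    tcp(*CLIENT, *SERVER, 1045, b"\r\n"),                    # arrives early
    tcp(*CLIENT, *SERVER, 1026, b"Host: example.com\r\n"),
    tcp(*CLIENT, *SERVER, 1026, b"Host: example.com\r\n"),   # retransmission
    tcp(*CLIENT, *SERVER, 1047, b""),                        # bare ACK
    tcp(*SERVER, *CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    tcp(*SERVER, *CLIENT, 5017, b"Content-Length: 5\r\n"),
    tcp(*SERVER, *CLIENT, 5030, b"h: 5\r\n\r\nhello"),      # overlaps 6 bytes
    tcp("10.0.0.5", 51001, *SERVER, 2000, b"GET /other HTTP/1.1\r\n"),  # noise
]


def conversation_key(pkt):
    """Direction-independent key so both halves of a session group together."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)


def list_conversations(packets):
    """Every distinct conversation in the capture, like Wireshark's Conversations view."""
    return sorted({conversation_key(p) for p in packets})


def reassemble_direction(segments):
    """Order one direction by seq, drop retransmitted bytes, mark missing ones."""
    data = b""
    next_seq = None
    for seg in sorted(segments, key=lambda s: s["seq"]):
        payload = seg["payload"]
        if not payload:
            continue                      # ACK-only segment carries no stream data
        if next_seq is None:
            next_seq = seg["seq"]
        if seg["seq"] > next_seq:         # segment lost or not captured
            data += b"[%d bytes missing]" % (seg["seq"] - next_seq)
            next_seq = seg["seq"]
        skip = next_seq - seg["seq"]      # bytes we already have
        if skip >= len(payload):
            continue                      # pure retransmission, nothing new
        data += payload[skip:]
        next_seq = seg["seq"] + len(payload)
    return data


def follow_tcp_stream(packets, key):
    """Return {(src, sport, dst, dport): bytes} for both directions of one conversation."""
    by_direction = defaultdict(list)
    for p in packets:
        if conversation_key(p) == key:
            by_direction[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    return {d: reassemble_direction(segs) for d, segs in by_direction.items()}


if __name__ == "__main__":
    for key in list_conversations(PACKETS):
        print("conversation:", key)
        for direction, data in follow_tcp_stream(PACKETS, key).items():
            print("  %s:%d -> %s:%d" % direction, data)
```

The noise packet lands in its own conversation and never touches the stream being followed, and the duplicated and overlapping server segments collapse into a single clean HTTP response, which is exactly the view Wireshark hands you in one click.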