This is not to say I don't have problems with Wireshark. After more than a decade of use, I'm still frustrated that its capture-filter syntax is different from its display-filter syntax. I understand why -- capture filters are compiled by libpcap (WinPcap on Windows) into BPF programs that the packet-capture driver applies to raw frames, while display filters are Wireshark's own language and operate on fully dissected packets -- but it doesn't make it any less frustrating to have to remember two different syntaxes for what is often the same filtering operation.
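As an added illustration of the two syntaxes (this is my own example, not code from the article or from the Wireshark project), the hypothetical `display_to_capture` helper below translates a small subset of Wireshark display-filter expressions into the equivalent libpcap/BPF capture filter. The field table is an assumption covering only a handful of common fields; anything with no capture-filter equivalent (dissected application-layer fields such as `http.request`, or a CIDR range, which would need `net` rather than `host`) is rejected rather than guessed. It also handles a real gotcha in doing this by hand: pcap-filter gives `and` and `or` equal precedence, associating left to right, whereas the display-filter language binds `and` tighter, as C does, so a translated `and` group inside an `or` must be parenthesized.

```python
import re

# Display-filter field -> BPF capture-filter template. This table is an assumption
# covering a few common fields; Wireshark itself has no such mapping.
FIELD_MAP = {
    "ip.addr":     "host {v}",
    "ip.src":      "src host {v}",
    "ip.dst":      "dst host {v}",
    "eth.addr":    "ether host {v}",
    "tcp.port":    "tcp port {v}",
    "tcp.srcport": "tcp src port {v}",
    "tcp.dstport": "tcp dst port {v}",
    "udp.port":    "udp port {v}",
    "udp.srcport": "udp src port {v}",
    "udp.dstport": "udp dst port {v}",
}
# Protocol names spelled the same in both languages.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "arp"}

# Tokens: parentheses, ==, &&, ||, !, and bare words/values (fields, 10.0.0.5, 443, MACs).
TOKEN_RE = re.compile(r"\(|\)|==|&&|\|\||!|[\w.:]+")


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    # Anything the regex skipped ('!=', the '/' of a CIDR, quotes, ...) is unsupported.
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported syntax in display filter: %r" % expr)
    return tokens


class _Translator:
    """Recursive descent with display-filter precedence: or < and < not < primary."""

    def __init__(self, tokens):
        self.toks = tokens
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        out = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return out

    def parse_or(self):
        groups = [self.parse_and()]          # each group is a list of and-terms
        while self.peek() in ("||", "or"):
            self.take()
            groups.append(self.parse_and())
        if len(groups) == 1:
            return " and ".join(groups[0])
        # pcap-filter(7): 'and' and 'or' have EQUAL precedence, left to right, unlike
        # the display-filter language. Parenthesize multi-term 'and' groups to keep
        # the original meaning.
        return " or ".join("(%s)" % " and ".join(g) if len(g) > 1 else g[0] for g in groups)

    def parse_and(self):
        terms = [self.parse_not()]
        while self.peek() in ("&&", "and"):
            self.take()
            terms.append(self.parse_not())
        return terms

    def parse_not(self):
        if self.peek() in ("!", "not"):
            self.take()
            return "not " + self.parse_not()
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return "(%s)" % inner
        if tok in FIELD_MAP:
            if self.take() != "==":
                raise ValueError("only '==' is supported for %s" % tok)
            value = self.take()
            if value is None or value in ("(", ")", "&&", "||", "!", "=="):
                raise ValueError("missing value after %s ==" % tok)
            return FIELD_MAP[tok].format(v=value)
        if tok in PROTOCOLS:
            return tok
        # e.g. http.request: a dissected field with no capture-filter equivalent.
        raise ValueError("no capture-filter equivalent for %r" % tok)


def display_to_capture(expr):
    """'tcp.port == 443 && ip.addr == 10.0.0.5' -> 'tcp port 443 and host 10.0.0.5'."""
    return _Translator(tokenize(expr)).parse()


if __name__ == "__main__":
    for f in ["tcp.port == 443 && ip.addr == 10.0.0.5",
              "ip.src == 10.0.0.1 || ip.src == 10.0.0.2 && tcp", "!(arp or icmp)", "http.request"]:
        try:
            print("%-48s -> %s" % (f, display_to_capture(f)))
        except ValueError as e:
            print("%-48s -> ERROR: %s" % (f, e))
```

The helper refuses rather than approximates: a display filter can test anything a dissector has decoded, while a capture filter only sees the raw frame, so the honest answer for most application-layer fields is "no equivalent," and the result of any translation is worth a quick check with `tcpdump -d` before trusting it on a live capture.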
From a security perspective, Wireshark has had plenty of vulnerabilities, most notably buffer overflows in its protocol dissectors (the per-protocol parsers). I'm not sure how many it's suffered over the years, but it numbers in the dozens. If a system running Wireshark has one of the vulnerable dissectors loaded, a remote attacker can construct malicious packets so that merely capturing them -- or opening a capture file that contains them -- takes over the system Wireshark is running on. The impact is magnified because Wireshark has traditionally run in a privileged (root or SYSTEM) security context in order to capture packets, especially in promiscuous mode. Current builds reduce that exposure by moving the privileged capture into a small separate helper, dumpcap, so the dissectors can run as an ordinary user; the dissectors are still the attack surface, though, and disabling the protocols you don't need shrinks it.
Luckily, most attackers don't know whether their intended victim is running Wireshark, or whether it's running all the time, which would make it a juicy target. I've never heard of a public attack that involved Wireshark, but it reminds you that even your network tools can become targets of opportunity.
Wireshark's home page has downloads for many platforms and tons of documentation. Several companies, including CACE Technologies, offer services and enhanced product offerings around Wireshark. Network protocol analyzer expert Laura Chappell is also an advocate of the tool, which speaks volumes to its value. She's been doing network protocol analysis for more than 20 years, and absolutely no one is better. If you ever get a chance to see one of her seminars or bring her to your company, do it! I haven't talked to or seen her in person in at least 10 years, but I constantly hear adulation from current customers and students.
I'm a big fan of network protocol sniffing. How big? Rightly or wrongly, in the security world, we tend to size up the intelligence and capabilities of people we've just met. You have 15 seconds to make a lasting impression. When I find someone who can talk sniffers or network packets, I immediately elevate them to a higher echelon of security professionals. Inexperienced practitioners just don't possess the same understanding as someone who has sniffed a network or two and pored over the results.
Understanding what you're seeing on the first few tries isn't easy. It takes time, effort, and research, but the newly gained insight is like entering doctoral school. Again, I have to thank Wireshark for much of that education.
This story, "Wireshark reigns among the sea of network sniffers," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.