Originally known as Ethereal, Wireshark has developed a reputation as one of the most reliable network protocol analyzers available out there. It captures packets in real time and display them in human-readable format.
Wireshark is absolutely safe to use. Government agencies, corporations, non-profits, and educational institutions use Wireshark for troubleshooting and teaching purposes. Probably, there isnโt a better way to learn networking than to look at the traffic under the Wireshark microscope.
On the other side, there are questions about the legality of Wireshark since it is a powerful packet sniffer. It captures network traffic on the local network and stores that data for offline analysis. Therefore, you should only use Wireshark on networks where you have permission to inspect network packets.
Now Wireshark 3.6.0 stable version has been released, so let’s take a look at what’s new.
Wireshark 3.6.0 Highlights
In the latest Wireshark version, several changes have been made to the display filter syntax. Now is possible to use the syntax a ~= b or a any_ne b to recover the previous (inconsistent with ==) logic for not equal. In addition to, the expression a != b now always has the same meaning as !(a == b).
In particular this means filter expressions with multi-value fields like ip.addr != 1.1.1.1 will work as expected (the result is the same as typing ip.src != 1.1.1.1 and ip.dst != 1.1.1.1). This avoids the contradiction (a == b and a != b) being true.
In addition to, literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
TCP conversations in Wireshark 3.6.0 now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
It’s important to note that Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination.
Among other noteworthy changes, Wireshark 3.6.0 comes with added support for many new protocols.
For detailed information on all changes in Wireshark 3.6.0 you can refer to the official announcement.
How to Install Wireshark
Wireshark is available on all major Linux distributions. However, Wiresshark developers provide an official PPA that you can use to install the latest stable version of Wireshark on Ubuntu and other Ubuntu-based distributions.
Open a terminal and use the following commands:
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt update
sudo apt install wiresharkWhile installing, you will be asked whether to allow non-superusers to capture packets. Select Yes.
Next you have to add the your own user to wireshark group so that this user can use Wireshark. To do this, execute the following command:
sudo usermod -aG wireshark $(whoami)Code language: JavaScript (javascript)You can now open Wireshark by opening the activities on the Ubuntu desktop, and in the search bar, type โwireshark,โ and click on the application result.
