top | item 45581295

(no title)

armitron | 4 months ago

Wild exaggeration. Wireshark is very limited in what it can do and has gained few if any new power-user features (especially when it comes to extensibility and programmability) in more than a decade of development. The macOS-specific functionality in this very post has been available for years.

Anyone who relies on non-trivial packet capture or processing workflows, ditches Wireshark (optionally reusing dissectors) and writes custom tooling (which is very easy to do).

discuss

ellg|4 months ago

Even the dissector stuff feels so.. broken? unmaintained? The lua api is very annoying to use and python support was removed over a decade ago. Have not used the C API so maybe thats just what most people use and its good, but for my usecase I usually just want to quickly sketch out a view for a custom protocol that I can see in the UI.

I would absolutely love for someone to write a good alternative to wireshark.

elevation|4 months ago

As a constant Wireshark user who's personally thanked Gerald Combs for this tool, we don't need an alternative to wireshark, just some architectural refactors. Many packet dissection fields are embarrassingly parallel, but because some of them can involve previous/future packets, wireshark does all packet dissection in a single thread. So when I scoop up 10M packets it can take 20 minutes for the GUI to load them all with a single core, while 100 other cores on the same machine sit idle.

Once loaded, you have to be super careful. One update to the filter bar, like "!icmp" and you'll have to wait another 20 minutes for all the dissectors to be re-run (for some reason.)

As a previous commenter stated, if you work with Wireshark a lot, you eventually write your own tool for your performance needs. It feels magical to have a 3-page C program sitting over libpcap giving reports in miliseconds that would take wireshark minutes.

c0nsumer|4 months ago

> The macOS-specific functionality in this very post has been available for years.

Can you provide a reference? From what I can see this dissection was only added about five months ago: https://gitlab.com/wireshark/wireshark/-/commit/389f6356c9d5...

(And just hit release with 4.6.0.)

And I know with certainty that it did not work when I wrote my previous blog post about this, back in 2021.

So, from what I can see, the specific functionality to dissect Darwin metadata in pcapng captures, from macOS' tcpdump, has not been "...available for years.".

ItsHarper|4 months ago

Without using Wireshark seems to be what they meant

bobthebuilders|4 months ago

I think it is not an exaggeration to say that without Wireshark, so much of modern computing would never have been developed and we would be stuck in the past. The amount of visibility it gives is immense. I have used it for years, decades now.