Tools
This is a place for scripts and tools related to Wireshark / TShark that users may like to share, and for links to related NetworkTroubleshooting tools.
You will find additional development-related tools on the Development page.
Internal
Some command line tools are shipped together with Wireshark. These tools are useful to work with capture files.
dumpcap a small program whose only purpose is to capture network traffic, while keeping advanced features like capturing to multiple files (since version 0.99.0)
capinfos is a program that reads a saved capture file and returns any or all of several statistics about that file
editcap edit and/or translate the format of capture files
mergecap merges multiple capture files into one
text2pcap generates a capture file from an ASCII hexdump of packets
Scripts
osXextraction, a Mac OS X bash script to extract particular packet types from a capture file (NOTE: it's not very OS X-specific - some small changes should allow it to work on other UN*Xes, and would probably allow it to work on Windows with Cygwin as well.)
RtpDumpScript, a Perl script to dump RTP audio data
RtpH263DumpScript, a Perl script to dump H.263 video data
tektronix2pcap, a script to convert Tektronix rf5 files to pcap format that can be loaded into Wireshark. Note that current versions of Wireshark can directly read rf5 binary captures.
menushark, a Bourne shell menu script that lets users run tshark by answering a few menu questions. The script also shows you the command line the menu system has built, to help teach you how to use tshark at the command line.
External Links
Tools related to NetworkTroubleshooting and the like.
Dedicated capture tools
dumpcap shipped with Wireshark, already mentioned in the "Internal" section above
snoop SunOS/Solaris capture tool
UML Sniffing a patch to enable sniffing in User Mode Linux (as used in netkit)
Monitoring/tracing tools
The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark and TShark. In brackets you will find the program license and the supported operating systems.
Etherape A graphical network monitor (GPL, Linux only)
Ntop Network top - tool that lets you analyze network traffic statistics (GPL, FreeBSD/Linux/Unix)
Snort Network intrusion detection system (GPL, BSD/Linux/Unix/Win32)
Prelude Another network intrusion detection system (GPL, BSD/Linux/Unix)
tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, BSD/Linux/Unix)
tcptrace Tool for analysis of TCP connections (GPL, BSD/Linux/Unix)
online message parser Online single hex message parser, supports Wireless/PSTN/VoIP protocols (Freeware, Web)
tcpstat Tool for reporting statistics for TCP connections (BSD style, BSD/Linux/Unix)
Tele Traffic Tapper Graphical traffic-monitoring tool; can also read saved capture files (BSD style?, BSD/Linux)
Ettercap Allows for sniffing of machines in a switched network LAN (GPL, BSD/Linux/Solaris)
HUNT Allows for sniffing of machines in a switched network LAN as well as providing a very easy to use API to modify the intercepted frames before they are forwarded. Intercept and Modify. (GPL, Linux)
RRDtool is "a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average)". (GPL, various UN*Xes) Many RRDtool-based applications are listed on the RRD World page.
Show Traffic shows a continuous summary list of TCP/UDP traffic (BSD, Win32)
TcpView maps TCP/UDP endpoints to running programs (Freeware, Win32)
p0f versatile passive OS fingerprinting and many other tricks (Freeware, BSD/Linux/Win32/...). Take a look here to see some stats generated with p0f and some scripts.
VisualEther Protocol Analyzer generates sequence diagrams from Wireshark PDML output (Win32)
Cap'r Mak'r generates new pcaps for various protocols
Mu DoS converts any packet into a DoS generator
Traffic generators
These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.
tcpreplay the opposite of tcpdump, send pcap files out of an interface (BSD, BSD/Linux/Unix)
packETH GUI Ethernet packet generator for Linux (GPL, Linux only)
Network Traffic Generator Client/Server based TCP/UDP traffic generator (GPL, BSD/Linux/Win32)
Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/Solaris/Windows 2000 and XP)
Scapy Scapy is a powerful interactive packet manipulation program (in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. (GPL, BSD/Linux/OSX)
Nemesis is a command-line network packet crafting and injection utility. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. (GPL, BSD/Linux/Solaris/Mac OSX/Win32)
Network Expect is a framework that lets you easily build tools that interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libwireshark for all packet dissection tasks. (GPL, BSD/Linux/OSX)
D-ITG (Distributed Internet Traffic Generator) is a platform capable of producing traffic at the packet level, accurately replicating appropriate stochastic processes for both the IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, ...).
Mausezahn Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.
PlayCap is a GUI tool for playing back pcap/Wireshark captures (GPL, Linux/Windows).
Interactive Packet Builder Interactive IP L2-L7 packet builder. Add/delete optional fields with point-and-click. Edit field values by direct entry. On-the-fly field syntax checking, data encoding (e.g. ASN.1, BER, PER), offsets, data pointers and CRC calculations, etc.
This is another collection of traffic generators: http://www.grid.unina.it/software/ITG/link.php
Capture file conversion
ProConvert convert capture files between different formats - some that Wireshark currently doesn't support (closed source freeware, registration required, Win32 only)
Collections
Top 75 Security Tools from nmap users' votes
Packetfactory projects Various networking-related tools and libraries
A list of tools Web page of links to various networking tools
Network Security Toolkit (v2.11.0) Fedora-based (F11) bootable Linux CD/DVD with best-of-breed open source network security tools. Provides a Web-Based front-end to the dumpcap network packet capture engine. Simultaneous network packet capture on up to 4 network interfaces per Multi-Tap session is supported. Also provides extensive HTML report generation from PDML and PSML packet decoding. See the article: Multi-Tap Network Packet Capturing for a tutorial and example usage.
dsniff is a collection of tools for network auditing and penetration testing (BSD style?, BSD/Linux/Solaris/...)
USB capture
Raw USB traffic can currently be captured with Wireshark only under Linux, see CaptureSetup/USB. If the USB device is an Ethernet (or any other network-related) adapter, Wireshark can capture e.g. the Ethernet traffic from that device if the platform supports it (which it usually does). On Win32 you can however try:
usbsnoopy last updated (v0.13) in 2001 (no license, source incl., Win32)
SnoopyPro based on usbsnoopy, last updated (v0.22) in 2002 (GPL, Win32)
usbsnoop also seems to be by the same developer, but was updated through 2001-2003 (latest v1.8)
SniffUSB "minor" updates and port of usbsnoop 1.8 (v2.0.0006 Feb 2007)
