Giving Wireshark Another Chance
If you've ever heard me speak, sat my class or read one of my papers, you know that I'm no fan of Wireshark. But after using it a bit this week, I may be coming around.
First of all, a clarification for all of the Wireshark lovers out there. I like the fact that Wireshark exists. I like using Wireshark when I want to see what my notebook is doing on a network. It's just that I really, really don't like (momma says don't say 'hate') Wireshark for WLAN analysis. It's a tool that was built and bred for upper layer (IP and above) analysis and most of what I need to see is at layer 1 or 2.
This week I was teaching a class and the group I had included a few Wireshark devotees. After spending a more-than-adequate amount of time touting the benefits of WildPackets OmniPeek and AirMagnet WiFi Analyzer, I gave in to my desire to be loved and did a few exercises with Wireshark. At times, it was painful. I wanted my statistics. I missed my statistics. I wanted my data rate percentages and retransmission rates and all of the other great stuff that those expensive commercial tools do. But at other times, it was OK. I set a Retry filter and got my look at channel quality. I set a Deauth filter to see the effects of a DoS attack. I was getting used to all of the wlan.fc commands and == values. The failed developer in me was getting a chance to redirect some of that pent up C+ energy from a decade ago.
I don't want to go overboard here. When I got back to OmniPeek it did feel like flopping in a comfortable bed after a power drive home from Las Vegas. The device listings and the protocol searches especially were just such a relief to have back.
Still, after giving Wireshark another chance I think I'm going to go back to it some more. WildPackets OmniPeek will still be my go-to product for the really tough stuff, but when just a little bit of sniffing for curiosity's sake is called for, I'm going to see how my OS X-based KisMAC/Wireshark combo fares.