Wireshark 2.0: Now with Qt

Benefits for LWN subscribers The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

The headline feature for Wireshark 2.0, which was released on November 18, is the switch away from GTK+ and to the Qt framework, but there is more to it than just that. The bulk of the changes to Wireshark—the venerable free-software network packet sniffer that started out as Ethereal in 1998—come under the heading of user-interface improvements, but that leads to some improved functionality as well.

The switch to Qt was announced back in October 2013, so it has taken around two years to complete the switch. The main reason behind the change was to better support Mac OS X, which is something of second-tier platform for GTK+. In addition, Qt will make Android and, possibly, iOS versions possible as well. Based on a blog post from Wireshark founder Gerald Combs, Qt has also helped make the interface function "much more smoothly".

Combs noted that the new interface looks largely the same as the previous version, which is intentional.

The screenshots above are similar because we’ve also tried to ensure that the new UI is familiar to current users. The features you’re used to are still there and in the same place (or at least nearby).

At its core, Wireshark provides a way for users to capture packets on the local network, then to display them for analysis. The basic three-pane display, with a pane for a list of packets captured (i.e. the "Packet List" pane) and two that show details of the currently selected packet, looks much the same. The packet-specific panes show a decoded version of the packet that splits out various fields in it (Packet Details), while the other shows a hex and ASCII version of the packet (Packet Bytes). There is also a toolbar, display filter entry box, and a menu at the top (as seen at right for 2.0.0rc2 from Combs's post).

There are some things that have changed in the analysis interface, however. Packets related to the one selected in the packet list now have icons to indicate that status. For example, DNS requests and replies have left and right arrows and TCP packets that have been acknowledged have a check mark next to them. In addition, the packet list scrollbar shows a "minimap" of the color of packets nearby in the list—similar to the minimaps in modern text editors. When combined with rules that display different types of packets in various colors, it can help find more interesting portions of the captured packets. The minimap from the screen shot above can be seen at left.

In a webinar [YouTube] given on November 12, Combs and Laura Chappell demonstrate some of the features in the new interface. Many things have been streamlined in the Qt-based interface, they said. But, the GTK+ interface will still be supported until the next stable release, which will be 2.2—odd minor numbers are for development releases.

Some of the examples shown in the webinar were things like an improved interface to choose a saved filter to apply to a capture. Previously that required bringing up a separate window that listed all of the saved filters to choose from; now that can be done directly from a menu just to the left of the filter entry box in the main window. Hiding and showing columns in the packet list can also be chosen directly from a menu that comes up when right-clicking the column headings. The interface for setting coloring rules has also been improved so that colors can be chosen from a "picker" rather than having to enter color names.

There has also been some cleanup done in the toolbar to remove clutter, as well as rearranging the main menus somewhat to put functions in more natural locations. For the graphs and statistics windows, there is no longer a step to choose settings before seeing the output; those settings are available at the bottom of the window, so if the standard output with no filter is all that's needed, users get that immediately.

There are many more keyboard shortcuts in Wireshark 2. The full list of those shortcuts can be found from the "Help" menu. In addition, individual windows have their own shortcuts, which can be listed from the window itself.

The capture screen, which initiates the packet capture process, has been streamlined as well. There are now small graphs of packet activity for each interface (called sparklines) that can be double-clicked to start a capture on that interface. Those can give users a quick idea of how much traffic is being seen on each interface in the system. Many of the options in the somewhat busy GTK+ capture window have moved to a separate options window (which has its own sparklines).

There is plenty more to the interface that is shown in the hour-long webinar. It is worth a look for those interested in more information. A zip archive of the trace files used in the demonstration are available as well.

Wireshark 2 has been localized for seven languages for the release. Chinese, English, French, German, Italian, Japanese, and Polish versions are available and more translations are currently being worked on. The project uses a Transifex site for that translation work and Combs invited those interested to join in the efforts.

In addition to the upgraded interface, lots of bugs were squashed in the release, including a number of security holes. Over the years, Wireshark has gotten something of a bad reputation for its security track-record. As the Wireshark security page indicates, the program is tasked with dealing with enormous amounts of user-supplied data using "dissectors" to parse and decode many different formats, including experimental ones. That's not an excuse for the large numbers of bugs that continue to be found, but most of the code in Wireshark is in the dissectors, which means that the bulk of the bugs found will be security issues.

There are a number of things that can be done to reduce the damage that a capture (or, worse, an attacker-supplied capture file) can do in the presence of dissector bugs. For example, Wireshark should never be run as root and captures can be done with a simpler program (e.g. tcpdump) and then imported into Wireshark running in a limited user account or dedicated machine (virtual or otherwise). In addition, the page lists several ongoing efforts to find and remove bugs from the code, which are further fleshed out on a dedicated security development page.

Overall, Wireshark 2 looks like a solid release that brings a lot of interface improvements. That should make it easier to work with and allow users to be more productive in their network troubleshooting and analysis.