Wireshark — Trivia & Interesting Facts

Surprising, historical, and little-known facts about Wireshark and packet analysis.


Wireshark was originally called Ethereal and was renamed due to a trademark dispute

Gerald Combs created Ethereal in 1998 while working at an ISP. When he changed employers in 2006, he couldn't take the Ethereal trademark with him (it was owned by his former employer). Rather than fight a legal battle, he forked the project and renamed it Wireshark. The entire development community followed him, and Ethereal was effectively abandoned. This is one of the most successful project forks in open-source history.


Wireshark can decode over 3,000 protocols

Wireshark's protocol dissector library is one of the most comprehensive in existence, supporting over 3,000 protocols from Ethernet and IP to exotic industrial (Modbus, PROFINET), telecom (SS7, GTP), and multimedia (RTP, SIP) protocols. Many of these dissectors were contributed by engineers who needed to debug their specific protocol and donated the code. Writing a custom Wireshark dissector in Lua is often faster than building a dedicated analysis tool.


The display filter language is a full expression language, not simple pattern matching

Wireshark's display filter syntax supports relational operators, logical operators, field existence checks, slice notation, and even membership operators. For example, tcp.port in {80, 443, 8080} matches packets using any of those three ports, and ip.addr == 10.0.0.0/8 && http.response.code >= 400 matches HTTP error responses to or from the 10.0.0.0/8 range. This is far more powerful than tcpdump's BPF syntax, which operates at the packet byte level. The display filter language is so expressive that complex network analyses can be performed with a single filter string.
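To show how such a filter is actually interpreted, here is an added example (written for this page, not code from the Wireshark project): a small parser and evaluator for the subset of the display filter language used above, run over a handful of constructed packets. Field values are kept as lists because ip.addr and tcp.port each occur twice per packet; a comparison is true when any occurrence matches, which is also why Wireshark 4.0 redefined a != b as !(a == b). Precedence is || loosest, then &&, then !. Names such as PACKETS and apply_filter are this example's own.

```python
import ipaddress
import re

PACKETS = [  # constructed sample packets (not from the page); ip.addr and tcp.port occur twice each
    {"ip.addr": ["10.1.2.3", "93.184.216.34"], "tcp.port": [51234, 443]},
    {"ip.addr": ["93.184.216.34", "10.1.2.3"], "tcp.port": [443, 51234], "http.response.code": [404]},
    {"ip.addr": ["192.168.5.9", "10.9.9.9"], "tcp.port": [40000, 8080], "http.response.code": [200]},
    {"ip.addr": ["172.16.0.2", "172.16.0.3"], "udp.port": [53, 40001]},
]
TOKEN_RE = re.compile(r"\s*(?:(\|\||&&|==|!=|>=|<=|>|<|!|\(|\)|\{|\}|,)"  # operators
                      r"|([A-Za-z_][\w.]*)"                        # field name or keyword 'in'
                      r"|(\d+\.\d+\.\d+\.\d+(?:/\d+)?)|(\d+))")    # IPv4 address/CIDR, integer

def tokenize(text):
    if TOKEN_RE.sub("", text).strip():
        raise SyntaxError(f"unexpected characters in filter: {text!r}")
    tokens = []
    for op, name, ip, num in TOKEN_RE.findall(text):
        if op:
            tokens.append(("op", op))
        elif name:
            tokens.append(("kw" if name == "in" else "field", name))
        else:
            tokens.append(("value", ip or int(num)))
    return tokens

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("end", None)
    def take(self, expected=None):
        tok = self.peek()
        if expected not in (None, tok):
            raise SyntaxError(f"expected {expected[1] or expected[0]!r}, got {tok[1]!r}")
        self.i += 1
        return tok
    def parse_expr(self, level=0):  # level 0 handles '||', level 1 handles '&&'
        if level == 2:
            return self.parse_atom()
        op, tag = (("||", "or"), ("&&", "and"))[level]
        node = self.parse_expr(level + 1)
        while self.peek() == ("op", op):
            self.take()
            node = (tag, node, self.parse_expr(level + 1))
        return node
    def parse_atom(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.parse_atom())
        if self.peek() == ("op", "("):
            self.take()
            node = self.parse_expr()
            self.take(("op", ")"))
            return node
        kind, name = self.take()
        if kind != "field":
            raise SyntaxError(f"expected a field name, got {name!r}")
        if self.peek() == ("kw", "in"):  # membership test: field in {a, b, c}
            self.take()
            self.take(("op", "{"))
            values = [self.take()[1]]
            while self.peek() == ("op", ","):
                self.take()
                values.append(self.take()[1])
            self.take(("op", "}"))
            return ("in", name, values)
        if self.peek()[0] == "op" and self.peek()[1] in ("==", "!=", ">=", "<=", ">", "<"):
            return ("cmp", name, self.take()[1], self.take()[1])
        return ("exists", name)  # a bare field name tests for the field's presence

def matches(actual, op, wanted):
    # One occurrence against one filter value; a CIDR value tests subnet membership.
    if isinstance(wanted, str) and "/" in wanted:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if isinstance(wanted, str):
        actual, wanted = ipaddress.ip_address(actual), ipaddress.ip_address(wanted)
    return {"==": actual == wanted, ">": actual > wanted, "<": actual < wanted,
            ">=": actual >= wanted, "<=": actual <= wanted}[op]

def evaluate(node, packet):
    kind = node[0]
    if kind in ("or", "and"):
        left, right = evaluate(node[1], packet), evaluate(node[2], packet)
        return (left or right) if kind == "or" else (left and right)
    if kind == "not":
        return not evaluate(node[1], packet)
    occurrences = packet.get(node[1], [])
    if kind == "exists":
        return bool(occurrences)
    if kind == "in":
        return any(matches(v, "==", w) for v in occurrences for w in node[2])
    if node[2] == "!=":  # Wireshark 4.x: a != b means !(a == b), no occurrence may equal b
        return not any(matches(v, "==", node[3]) for v in occurrences)
    return any(matches(v, node[2], node[3]) for v in occurrences)  # true if ANY occurrence matches

def apply_filter(text, packets=PACKETS):
    parser = Parser(text)
    tree = parser.parse_expr()
    parser.take(("end", None))  # every token must have been consumed
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]
```

apply_filter("ip.addr != 10.1.2.3") and apply_filter("!(ip.addr == 10.1.2.3)") select the same packets here; under the older "any occurrence differs" reading, the first would have matched every packet with a second address, a classic source of wrong filters.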


Capture filters and display filters use completely different syntaxes

Wireshark capture filters use BPF (Berkeley Packet Filter) syntax — the same as tcpdump. Display filters use Wireshark's own syntax. port 80 is a valid capture filter; tcp.port == 80 is a valid display filter. The two are not interchangeable, and confusing them is one of the most common mistakes new Wireshark users make. Capture filters are applied by the kernel and are fast; display filters are applied by Wireshark and are powerful but slower.


The "Follow TCP Stream" feature has solved more debugging mysteries than any other tool

Wireshark's "Follow TCP Stream" reconstructs the entire conversation between two endpoints, showing the data exchanged in a readable format. For HTTP traffic, this reveals complete request/response pairs. For debugging TLS issues, it shows the handshake messages. For diagnosing application problems, it shows exactly what bytes were sent and received. This feature single-handedly makes Wireshark indispensable for application-level debugging.


tshark is Wireshark without the GUI, and it's more useful for automation

tshark (terminal shark) provides all of Wireshark's dissection and filtering capabilities from the command line. It can read pcap files, apply display filters, output in JSON or CSV format, and process captures in batch mode. tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port extracts specific fields from every packet — a capability that would require writing custom code with any other tool.


The pcap file format became a de facto standard by accident

The pcap (packet capture) file format was created for tcpdump/libpcap and was never formally standardized. Despite this, it became the universal interchange format for packet captures — every network tool can read and write pcap files. The newer pcapng (pcap next generation) format adds features like multiple capture interfaces, name resolution records, and comments, but pcap's simplicity ensures it remains widely used.


Wireshark's TCP analysis detects retransmissions, out-of-order packets, and window problems automatically

Wireshark's TCP stream analysis engine automatically identifies and labels TCP anomalies: retransmissions, duplicate ACKs, out-of-order segments, zero window conditions, and window full events. These labels appear as colored annotations in the packet list, turning raw TCP analysis from an expert-level skill into something accessible. The "Expert Information" dialog summarizes all detected anomalies in one view.
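A simplified version of those rules, as an added example (not Wireshark's own C implementation) run over a constructed TCP stream: one direction's state is the next expected sequence number plus the byte ranges that were never seen, which is enough to tell an out-of-order segment (it fills such a range) from a retransmission (it repeats bytes already seen). Duplicate ACKs, window updates and zero-window conditions come from comparing each pure ACK with the previous one in the same direction. Segment, DirState, analyze and expert_info are names chosen here; the real heuristics also use timing and the peer's acknowledgements.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Segment:
    no: int            # frame number, as shown in the packet list
    direction: str     # "c2s" or "s2c"; a real analyzer keys on the full 4-tuple
    seq: int
    ack: int
    length: int        # payload bytes
    flags: str = "A"   # any of S, A, F, R, P
    window: int = 65535

@dataclass
class DirState:
    next_seq: Optional[int] = None                    # sequence number expected next
    gaps: List[tuple] = field(default_factory=list)   # (start, end) byte ranges never seen
    last_seq: Optional[int] = None
    last_ack: Optional[int] = None
    last_win: Optional[int] = None
    dup_acks: int = 0

def analyze(segments: List[Segment]) -> Dict[int, List[str]]:
    """Label each segment the way Wireshark's TCP analysis does (simplified rules)."""
    state: Dict[str, DirState] = {}
    labels_by_frame: Dict[int, List[str]] = {}
    for seg in segments:
        st = state.setdefault(seg.direction, DirState())
        labels = []
        pure_ack = seg.length == 0 and "A" in seg.flags and not set("SFR") & set(seg.flags)
        if seg.ack != st.last_ack:
            st.dup_acks = 0
        if seg.window == 0 and "R" not in seg.flags:
            labels.append("TCP ZeroWindow")
        elif pure_ack and seg.seq == st.last_seq and seg.ack == st.last_ack:
            if seg.window == st.last_win:
                st.dup_acks += 1
                labels.append(f"TCP Dup ACK #{st.dup_acks}")
            else:
                labels.append("TCP Window Update")
        # SYN and FIN each consume one sequence number; payload bytes consume one each
        consumed = seg.length + ("S" in seg.flags) + ("F" in seg.flags)
        end = seg.seq + seg.length
        if st.next_seq is None or seg.seq == st.next_seq:
            st.next_seq = seg.seq + consumed
        elif seg.seq > st.next_seq:
            labels.append("TCP Previous segment not captured")
            st.gaps.append((st.next_seq, seg.seq))
            st.next_seq = seg.seq + consumed
        elif seg.length > 0:
            fills = [g for g in st.gaps if g[0] <= seg.seq and end <= g[1]]
            if fills:
                labels.append("TCP Out-Of-Order")
                st.gaps.remove(fills[0])   # simplification: one segment closes the gap
            else:
                labels.append("TCP Retransmission")
        st.last_seq, st.last_ack, st.last_win = seg.seq, seg.ack, seg.window
        labels_by_frame[seg.no] = labels
    return labels_by_frame

# Constructed stream (not a real capture): a handshake, a lost segment, two duplicate
# ACKs, the late arrival of the lost segment, a retransmission and a zero-window stall.
STREAM = [
    Segment(1, "c2s", 1000, 0, 0, "S"),
    Segment(2, "s2c", 5000, 1001, 0, "SA"),
    Segment(3, "c2s", 1001, 5001, 0, "A"),
    Segment(4, "c2s", 1001, 5001, 100, "PA"),
    Segment(5, "s2c", 5001, 1101, 0, "A"),
    Segment(6, "c2s", 1201, 5001, 100, "PA"),   # bytes 1101-1200 never reach the capture point
    Segment(7, "s2c", 5001, 1101, 0, "A"),
    Segment(8, "s2c", 5001, 1101, 0, "A"),
    Segment(9, "c2s", 1101, 5001, 100, "PA"),   # the missing bytes arrive late
    Segment(10, "s2c", 5001, 1301, 0, "A"),
    Segment(11, "c2s", 1201, 5001, 100, "PA"),  # already seen in frame 6
    Segment(12, "s2c", 5001, 1301, 0, "A", window=0),
    Segment(13, "s2c", 5001, 1301, 0, "A"),
]

def expert_info(segments=STREAM):
    """Summarize labels per frame, in the spirit of the Expert Information dialog."""
    return {no: labels for no, labels in analyze(segments).items() if labels}

if __name__ == "__main__":
    for no, labels in expert_info().items():
        print(f"frame {no}: {', '.join(labels)}")
```

Frames 9 and 11 carry the same kind of data but get different labels only because of what the analyzer has already seen, which is exactly why these annotations depend on the capture point: a trace taken on the sender will never show "previous segment not captured" for its own transmissions.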


Promiscuous mode vs. monitor mode: one captures Ethernet, the other captures WiFi management frames

Promiscuous mode captures all Ethernet frames on a wired segment, not just those addressed to your MAC. Monitor mode (WiFi only) puts the wireless adapter into a raw capture state, allowing it to capture management frames (beacons, probe requests, deauthentication frames) and data frames from other networks. Monitor mode is essential for WiFi troubleshooting and security auditing but is not available on all wireless adapters — many consumer adapters don't support it.


The "Conversations" and "Endpoints" statistics reveal network behavior instantly

Wireshark's Statistics menu includes "Conversations" (showing all communication pairs with byte/packet counts) and "Endpoints" (showing all unique IP/MAC addresses with traffic volumes). These views can identify the top talkers on a network in seconds — invaluable for diagnosing bandwidth issues, identifying scanning activity, or finding unexpected communication patterns. Many network investigations start with these statistics rather than individual packet inspection.
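Because pcap is so simple, the Conversations view can be rebuilt from scratch in a few dozen lines. The added example below (not code from libpcap or Wireshark) reads a classic pcap byte string by hand, using the magic number to detect the writer's byte order and timestamp resolution, decodes the Ethernet/IPv4/TCP headers, and aggregates byte counts per address pair and per endpoint, so it also illustrates the pcap file layout described earlier on this page. The capture it parses is constructed inside the block by build_frame and build_pcap; read_pcap, decode, conversations and top_talkers are this example's names.

```python
import struct
from collections import Counter

# Magic numbers of the classic pcap global header, as read with "<I". The writer's
# byte order and timestamp resolution are both encoded in which value appears.
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<",   # microsecond / nanosecond, little-endian writer
          0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}   # the same two, big-endian writer
LINKTYPE_ETHERNET = 1

def read_pcap(data):
    """Yield (ts_sec, ts_frac, frame_bytes) from a classic pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng begins with block type 0x0A0D0D0A)")
    endian = MAGICS[magic]
    _major, _minor, _zone, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(data):      # each record: 16-byte header, then incl_len bytes
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, ts_frac, data[pos:pos + incl_len]
        pos += incl_len

def decode(frame):
    """Return (src_ip, dst_ip, proto, src_port, dst_port) for Ethernet/IPv4, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def conversations(records):
    """Byte counts per address pair (both directions merged) and per endpoint."""
    convs, endpoints = Counter(), Counter()
    for _sec, _frac, frame in records:
        info = decode(frame)
        if info is None:
            continue
        src, dst = info[0], info[1]
        convs[tuple(sorted((src, dst)))] += len(frame)
        endpoints[src] += len(frame)
        endpoints[dst] += len(frame)
    return convs, endpoints

# --- constructed test data (not a real capture) ---
def build_frame(src, dst, sport, dport, payload_len):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero since only headers are parsed."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + bytes(payload_len)

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, 500),
    build_frame("93.184.216.34", "10.0.0.5", 443, 51000, 1400),
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, 0),
    build_frame("10.0.0.7", "10.0.0.1", 40000, 8080, 40),
])

def top_talkers(data=SAMPLE_PCAP, n=3):
    convs, endpoints = conversations(read_pcap(data))
    return convs.most_common(n), endpoints.most_common(n)

if __name__ == "__main__":
    for pair, nbytes in top_talkers()[0]:
        print(f"{pair[0]} <-> {pair[1]}: {nbytes} bytes")
```

Keying the conversation on the sorted address pair is what merges both directions into one row, as the Conversations view does; a pcapng file, by contrast, would need a block-structured reader, which is the price of its extra features.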