Wireshark is a very popular packet sniffer. It can be installed on Windows, Linux, Unix, and macOS, and best of all, it’s free. Wireshark puts your network card into promiscuous mode so that it picks up every frame the card sees, not just those addressed to your computer; there is also an option to capture only the packets meant for your device. Bear in mind that on a switched network, promiscuous mode only exposes the traffic the switch actually forwards to your port (broadcasts, multicasts, and flooded frames), so seeing other hosts’ conversations requires a mirror (SPAN) port or a network TAP. Hackers regularly use Wireshark, so many network administrators are wary of it.
Wireshark can capture packet traces from wired networks, wireless systems, and also Bluetooth. Wireshark doesn’t actually gather packets itself: capture is done by dumpcap, a helper program shipped with Wireshark on every platform, which in turn relies on the libpcap library on Linux, Unix, and macOS and on Npcap (the successor to WinPcap) on Windows. Even though Wireshark delegates the capture itself, its user interface and protocol dissectors are what make it a winner. There is a command-line version of the system, called TShark.
Here is our list of the best Wireshark alternatives:
- Savvius Omnipeek A traffic analyzer with a packet capture add-on that has detailed packet analysis functions. This tool installs on Windows.
- Ettercap A packet sniffer that is widely used by hackers and can give useful information to network defenders.
- Kismet A passive wireless packet sniffer that transmits nothing and so goes unnoticed by wireless intrusion detection systems.
- SmartSniff A free packet sniffer that includes packet analysis functions.
- EtherApe A network mapper that shows live connections and offers the option to capture packets.
Wireshark saves captures in the pcapng format by default and can also read and write the older libpcap (pcap) format used by tcpdump. The Wireshark interface can show you the captured packets, sort them, categorize them, and filter them. You can load stored packets into the interface for analysis.
Wireshark’s built-in analysis is packet-centric: it decodes and filters individual packets and conversations, but it offers no automated alerting or long-term performance baselining, so many users choose other tools to get those insights into their data.
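As an added illustration of the pcap capture format discussed above (example code written for this article, not part of Wireshark or of any tool on this list): a small Python reader for the classic libpcap container that handles both byte orders and both the microsecond and nanosecond timestamp variants, then produces the per-protocol and per-flow counts that a packet-sniffer review calls flow statistics. The capture it parses is constructed inside the code, and the MAC addresses, IP addresses and ports in it are made up.

```python
"""Classic libpcap (.pcap) reader with per-protocol and per-flow packet counts.
Added example, not Wireshark's own code: it parses the pcap container that
Wireshark, tcpdump, SmartSniff and Kismet can read or write, then classifies
Ethernet/IPv4 packets by transport protocol and by 5-tuple."""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record; accepts either byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):          # the magic is stored in the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    divisor = 1_000_000_000 if magic == PCAP_MAGIC_NSEC else 1_000_000
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt or truncated packet record")
        yield ts_sec + ts_frac / divisor, data[off:off + incl_len]
        off += incl_len


def parse_ipv4_frame(frame: bytes):
    """Return (proto, src, dst, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = PROTO_NAMES.get(ip[9], f"IP-{ip[9]}")
    src, dst = (str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (12, 16))
    l4 = ip[ihl:]
    if proto in ("TCP", "UDP") and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = 0               # ICMP and other protocols have no ports
    return proto, src, dst, sport, dport


def flow_stats(pcap_bytes: bytes):
    """Count packets per transport protocol and per (proto, src, dst, sport, dport) flow."""
    by_proto, by_flow = Counter(), Counter()
    for _ts, frame in read_pcap(pcap_bytes):
        parsed = parse_ipv4_frame(frame)
        if parsed is None:
            by_proto["non-IPv4"] += 1
            continue
        by_proto[parsed[0]] += 1
        by_flow[parsed] += 1
    return by_proto, by_flow


def _ipv4_frame(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with dummy MACs; checksums are left zero (parsing ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip + payload


def sample_pcap(endian: str = "<") -> bytes:
    """Constructed capture (not real traffic): an SSH SYN and ACK, one DNS query, one ping."""
    header = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def tcp(flags: int, seq: int) -> bytes:   # 20-byte TCP header, 10.0.0.5:40000 -> :22
        return struct.pack("!HHIIBBHHH", 40000, 22, seq, 0, 5 << 4, flags, 65535, 0, 0)

    frames = [
        _ipv4_frame(6, "10.0.0.5", "10.0.0.9", tcp(0x02, 1)),                                     # SYN
        _ipv4_frame(17, "10.0.0.5", "10.0.0.1", struct.pack("!HHHH", 53000, 53, 12, 0) + b"\x00\x00\x01\x00"),
        _ipv4_frame(1, "10.0.0.5", "10.0.0.9", struct.pack("!BBHHH", 8, 0, 0, 1, 1)),             # echo request
        _ipv4_frame(6, "10.0.0.5", "10.0.0.9", tcp(0x10, 2)),                                     # ACK
    ]
    records = [struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


if __name__ == "__main__":
    by_proto, by_flow = flow_stats(sample_pcap())
    print(dict(by_proto))
    for flow, count in by_flow.items():
        print(count, flow)
```

The reader deliberately refuses pcapng (Wireshark’s default output since 1.8) rather than misparsing it, and it validates each record length against the snaplen so that a truncated or tampered file raises an error instead of yielding garbage frames.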
The best Wireshark alternatives
What should you look for in packet sniffer tools like Wireshark?
We reviewed the market for Wireshark alternative packet sniffers and analyzed the options based on the following criteria:
- Solutions for Windows, macOS, and Linux
- Options for LAN and wireless networks
- The ability to read pcap (libpcap/WinPcap) capture files
- A graphical interpretation of captured packets
- The ability to calculate packet flow statistics
- A free tool or a paid system that includes a free tool for assessment
- Value for money represented by a free tool that is easy to use or a paid tool that repays its purchase price with efficiency gains
Omnipeek from Savvius isn’t free to use like Wireshark. However, the software has a lot to recommend it and you can get it on a 30-day free trial to test whether it will replace Wireshark in your toolkit. Like Wireshark, Omnipeek doesn’t actually gather packets itself. An add-on called Capture Engine intercepts packets on a wired network and a separate wireless adapter component handles wifi networks. One attribute in which Omnipeek doesn’t compete with Wireshark is the range of operating systems it can run on. It can’t operate on Linux, Unix, or macOS. To run Omnipeek you need 64-bit Windows 7, 8, or 10, or Windows Server 2008 R2, 2012, 2012 R2, or 2016.
The analytical capabilities of Omnipeek are superior to those of Wireshark. Omnipeek can scan packets for signs of trouble or detect changes in transfer speeds, and these events can be set to trigger alerts. So, Omnipeek is a network management system as well as a packet sniffer. The traffic analyzing module can report on end-to-end network performance for connections and also on link performance, and it can report on demand on the interfaces of web servers.
Ettercap’s website makes no secret of the fact that it was designed to facilitate hacking. As Wireshark is a well-known hacker tool, the Ettercap claim puts it in the same category, and both are free to use. Ettercap matches Wireshark’s portability because it can run on Windows, Linux, Unix, and macOS. Despite being designed as a utility for hackers, the tool can also be useful to network administrators: Ettercap can detect other attackers’ activity on the segment, such as ARP poisoning by someone else, so it is useful for system defense.
Ettercap uses the libpcap library to capture packet traces. Unlike Wireshark’s passive capture, Ettercap can itself mount several network attacks, including ARP poisoning and MAC address masquerading, which makes it far more powerful, and far more dangerous, than Wireshark. It can intercept SSL sessions by substituting its own certificate, alter packet contents in transit, drop connections, and harvest credentials sent in the clear. System defenders also get useful facilities in Ettercap. It can identify malicious users and isolate them from the network, and if you want to gather evidence you can track the actions of suspicious users and record their deeds instead of banning them.
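ARP poisoning is the attack Ettercap is best known for, and the defender’s counterpart is to watch the ARP traffic on the segment for its tell-tale signs. The following is an added example written for this article, not Ettercap’s own code or one of its plugins: a small Python detector that takes (timestamp, frame) pairs, as a pcap reader would yield them, and flags an IP address whose advertised MAC changes and a MAC that advertises more than one IP, which is what an Ettercap-style two-sided poison of gateway and victim looks like on the wire. The MAC and IP addresses in it are constructed for the demonstration.

```python
"""Detect ARP poisoning from captured Ethernet frames.
Added example, not Ettercap's code: the defender's view of the attack Ettercap
mounts. All MAC and IP addresses below are constructed for the demonstration."""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP-over-IPv4 frame, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return oper, sender_mac, sender_ip, target_ip


def detect_arp_poisoning(frames):
    """Scan (timestamp, frame) pairs, as a pcap reader would yield them, and return alert strings.

    Two signals are checked: an IP whose advertised MAC differs from the binding first
    seen (the spoofed reply itself), and one MAC advertising more than one IP (the
    man-in-the-middle impersonating both the gateway and the victim)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, mac, ip, _target = arp
        if ip == "0.0.0.0":                      # ARP probe (RFC 5227) claims no address
            continue
        first = ip_to_mac.setdefault(ip, mac)    # the first binding seen is the baseline
        if first != mac:
            kind = "reply" if oper == ARP_REPLY else "request"
            alerts.append(f"t={ts}: {ip} was {first}, now advertised by {mac} in an ARP {kind}")
        known = mac_to_ips[mac]
        if known and ip not in known:
            alerts.append(f"t={ts}: {mac} now advertises several IPs: {sorted(known | {ip})}")
        known.add(ip)
    return alerts


def _arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed Ethernet/ARP frame, padded to the 60-byte Ethernet minimum."""
    sha, tha = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + ipaddress.IPv4Address(sender_ip).packed
            + tha + ipaddress.IPv4Address(target_ip).packed)
    return eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP) + body + b"\x00" * 18


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"     # constructed addresses
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "00:11:22:33:44:99"

SAMPLE_FRAMES = [   # constructed sequence: a normal exchange, then an Ettercap-style two-sided poison
    (1.00, _arp_frame(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, ZERO_MAC, VICTIM_IP)),
    (1.01, _arp_frame(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)),
    (5.00, _arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),   # poisons the victim
    (5.00, _arp_frame(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)),  # poisons the gateway
]

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_FRAMES):
        print(line)
```

Keeping the first-seen binding as the baseline means every later spoofed reply produces an alert rather than being silently accepted, which is the behaviour you want when the attacker re-sends poison every few seconds to keep the caches overwritten. A legitimate NIC replacement or a DHCP reassignment will also trip the first check, so treat the second signal (one MAC speaking for several IPs) as the stronger one.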
Kismet can’t intercept packets on wired networks, but it is great for wireless packet sniffing. The standard Kismet tracks wifi systems, but it can be extended with additional data sources to detect Bluetooth devices as well. The wifi standard has several versions, and Kismet can operate with 802.11a, 802.11b, 802.11g, and 802.11n. Kismet is included with Kali Linux. The software will work on Linux, Unix, and macOS.
Kismet’s collector is passive: it puts the wireless card into monitor mode and transmits nothing, unlike tools that probe the network, so a wireless intrusion detection system has nothing to spot. This makes it a powerful tool for anyone within radio range, who does not even need to join the network. Network monitoring systems will only notice the device Kismet runs on if it is also associated to the network through another interface, and even then they won’t see that the program is gathering packets. Kismet can be configured to log packet headers only or to keep complete packets, data payloads included. Packets can be analyzed, sorted, filtered, and saved to a capture file, and if you don’t like the front end of Kismet, you can open a saved file in a different tool for analysis.
SmartSniff works on Windows. The packet sniffer is free to use and captures on wired networks. It can also capture on wireless networks, but only the traffic of the wifi network that the host computer is itself connected to; it does not pull other networks’ traffic out of the air.
The program includes a native collector based on raw sockets. However, Windows restricts what raw sockets can see, so it is more usual to install WinPcap (or a compatible driver such as Npcap) as the capture driver. Packets get captured on demand: you turn the capture on and then off in the console. The top pane of the console shows connections between computers. When you click on one of these records, the traffic of that connection displays in the bottom panel. Plain-text traffic is shown as is, and encrypted or binary payloads are shown as a hexadecimal dump. Captured data can be filtered to show only TCP, UDP, or ICMP packets, and each connection is tagged with the service name associated with its port. You can save packets to a pcap file to be reloaded into the interface later, or for analysis with a different tool.
EtherApe is a free utility that runs on Linux, Unix, and macOS. It creates a network map by passively observing the traffic of connected devices. The hosts on the network are plotted on the map and labeled with their IP addresses. EtherApe then captures all of the packets traveling between those hosts and displays them on the map in real time. Each transfer is depicted in a color that represents its protocol or application.
The tool can track both wired and wireless networks and it can also depict virtual machines and their underlying infrastructure. The map tracks both TCP and UDP traffic and can detect both IPv4 and IPv6 addresses.
Each node in the network map is an icon that allows access to details of the performance of that piece of equipment. You can switch views to see the links on an end-to-end connection with traffic depicted on them. You can filter all of the maps to just show specific applications or traffic from specific sources. You can also switch the network data representation to identify port number rather than applications. The port number traffic tracking will only show TCP traffic.
EtherApe only captures the headers of packets, which preserves the privacy of the data that is circulating around your network. That limitation may reassure your company’s CIO and allow you to use this packet sniffer without fear of compromising the business’s confidentiality obligations.
Switch from Wireshark
Even if you are perfectly happy with Wireshark, take a look at the alternatives in this list because you might find that one of them has functions that you need and aren’t in Wireshark. It is always good to explore alternatives rather than just using the first tool that you hear about. Wireshark is great, but it is not the most comprehensive tool on the market. Depending on the activities that you want to pursue with a packet sniffer and the limitations placed on you by your company, one of these tools may work better for you than Wireshark.
Have you tried a packet sniffer? Do you use Wireshark regularly? What do you use it for? Are you a fan of a packet sniffer that isn’t on our list? Leave a message in the Comments section below to share your knowledge.
Wireshark & Alternative tools FAQs
Can Wireshark do deep packet inspection or do I need something else?
Wireshark is a packet capture and decoding tool. Deep packet inspection (DPI) means examining the payload of packets, beyond the headers, in order to classify or police traffic automatically, as a firewall or an intrusion detection system does. Wireshark’s protocol dissectors decode payloads for a human analyst and you can filter on any decoded field, but it has no automated DPI policy engine; for that you feed captures or live traffic into an IDS or a traffic classifier.
Is Wireshark a vulnerability scanner?
A vulnerability scanner actively probes a network or a device for known security weaknesses, such as unpatched services, default credentials, or misconfigurations, enumerating open ports along the way. Wireshark only captures and decodes packets and sends no probes, so it is not a vulnerability scanner, although a capture taken while a scanner runs will show you exactly what the scanner sent and how each host answered.
Is Wireshark good at port scanning?
Wireshark captures packets as they travel around a network. A port scanner sends probe packets to a device to discover which ports are open. As Wireshark listens for packets and doesn’t send probes, it cannot be used for port scanning, but it is a good way to spot one: a capture taken during a SYN scan shows one source sending TCP packets with the SYN flag set and ACK clear to many ports on a host, answered with SYN/ACK on open ports and RST on closed ones.
Which tool is a command line alternative to Wireshark?
tcpdump is a good command line packet capture utility that runs on Linux, Unix, and macOS. It uses the libpcap library to access passing network traffic, display it on the screen, and write it to pcap files that Wireshark can open.
On Windows, the traditional equivalent of tcpdump is WinDump, a port built on the WinPcap library. WinPcap is no longer maintained, so on current Windows systems TShark, which installs with Wireshark and uses Npcap, is the more practical command line option.