Absolute Analysis

Is Your Wireshark trace missing critical data?

Wireshark is a great tool for doing network protocol analysis. It is the de facto analysis standard in many industries, and is supported by a worldwide community of network engineers and software developers. It is cross-platform, offers both a GUI (Wireshark) and a CLI (tshark), and supports deep analysis of hundreds of protocols.

However, like every test tool, it is not perfect; each tool has its strengths and weaknesses. There are two scenarios in which Wireshark will miss data you need to debug your network. One of our customers found this out the hard way over the weekend, and wasted countless hours trying to get their client's network back up and running.

Those two scenarios are:

1. When you need to capture 100% of the line data: Wireshark cannot guarantee a complete capture at higher speeds. It captures through the host's standard network interface card and the operating system's capture library (libpcap or Npcap), so data gathering is limited to what that card, its driver, the CPU and the disk can deliver in real time. When they fall behind, frames are silently dropped and all that survives is a drop counter (shown in Wireshark under Statistics > Capture File Properties, and recorded in the capture file when it is written as pcapng). The number of protocols the viewer can decode (over 900) is irrelevant here: on a busy host drops can appear well below gigabit rates, and a standard card certainly cannot keep up with a saturated 10Gbps link. A too-small snaplen compounds the problem by truncating the frames that are captured.

2. Capturing data between frames: Wireshark sees only what the network card hands to the driver. A standard card delivers each frame without its preamble, start-of-frame delimiter and, by default on most cards and drivers, its FCS, and it discards frames with a bad FCS, runts and symbol errors before the driver ever sees them. So Wireshark cannot show problems in the inter-frame gap, the start of packet and preamble data, or the termination of a frame, and a frame corrupted on the wire simply vanishes from the trace with no indication that it existed. The engineer is left with no idea where the errors are happening, and when equipment from different vendors is involved and no one can see where the errors exist, the finger pointing starts. (If your card and driver can be configured to pass the FCS through, enable "Assume packets have FCS" in Wireshark's Ethernet protocol preferences so it is validated rather than decoded as payload.)
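Before blaming the network, it is worth checking whether the trace itself is incomplete. The script below is an added example, not code from the original post or from Absolute Analysis; it audits a pcapng file for the two gaps just described: frames dropped at capture time (the interface and OS drop counters that dumpcap records in an Interface Statistics Block), frames truncated by the snaplen, and frames whose FCS the card stripped before capture. The FCS check is a heuristic that is an assumption of this example: the minimum Ethernet frame is 64 bytes including the 4-byte FCS, so an untruncated 60-byte frame in the trace means the FCS was removed and CRC errors could never have been seen. The sample capture it builds is constructed inline so the audit runs offline; only little-endian pcapng sections are handled.

```python
"""Audit a pcapng capture for data a NIC-based capture can lose.

Added example: reports frames dropped at capture time (Interface Statistics
Block counters), frames truncated by the snaplen, and frames whose Ethernet
FCS was stripped by the card.  Little-endian pcapng sections only."""
import struct

# Block types and ISB option codes from the pcapng specification
SHB, IDB, ISB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000005, 0x00000006
ISB_IFRECV, ISB_IFDROP, ISB_OSDROP = 4, 5, 7
OPT_END, LINKTYPE_ETHERNET, BYTE_ORDER_MAGIC = 0, 1, 0x1A2B3C4D
# Heuristic (assumption of this example): the minimum Ethernet frame is 64
# bytes including the 4-byte FCS, so a whole 60-byte frame had its FCS stripped.
MIN_ETH_FRAME_WITH_FCS = 64


def _pad4(n):
    return (4 - n % 4) % 4


def _blocks(data):
    """Yield (block_type, body) for every block in a little-endian pcapng."""
    pos = 0
    while pos + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError("corrupt block at offset %d" % pos)
        yield btype, data[pos + 8:pos + blen - 4]
        pos += blen


def _options(body):
    """Parse a pcapng option list into {code: raw value}."""
    opts, pos = {}, 0
    while pos + 4 <= len(body):
        code, length = struct.unpack_from("<HH", body, pos)
        pos += 4
        if code == OPT_END:
            break
        opts[code] = body[pos:pos + length]
        pos += length + _pad4(length)
    return opts


def audit_pcapng(data):
    """Return counters describing what the capture may be missing."""
    report = {"frames": 0, "truncated": 0, "fcs_stripped": 0,
              "if_received": 0, "if_drops": 0, "os_drops": 0}
    linktypes = []  # interface id -> link type, in IDB order
    for btype, body in _blocks(data):
        if btype == SHB:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("big-endian section not supported by this example")
        elif btype == IDB:
            linktypes.append(struct.unpack_from("<H", body, 0)[0])
        elif btype == EPB:
            iface, cap_len, orig_len = struct.unpack_from("<I8xII", body, 0)
            report["frames"] += 1
            if cap_len < orig_len:
                report["truncated"] += 1      # snaplen cut the frame short
            elif (iface < len(linktypes) and linktypes[iface] == LINKTYPE_ETHERNET
                  and orig_len < MIN_ETH_FRAME_WITH_FCS):
                report["fcs_stripped"] += 1   # whole frame, yet shorter than 64 bytes
        elif btype == ISB:
            opts = _options(body[12:])        # skip interface id and timestamp
            for key, code in (("if_received", ISB_IFRECV), ("if_drops", ISB_IFDROP),
                              ("os_drops", ISB_OSDROP)):
                if code in opts:
                    report[key] += struct.unpack("<Q", opts[code])[0]
    # "complete" means nothing the host received was lost; FCS stripping is kept
    # separate because those frames are intact, just impossible to verify
    report["complete"] = not (report["truncated"] or report["if_drops"] or report["os_drops"])
    return report


# --- constructed sample capture, so the audit runs offline ------------------
def _block(btype, body):
    body += b"\0" * _pad4(len(body))
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _opt(code, value=b""):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * _pad4(len(value))


def build_sample_capture(snaplen=96, dropped=2):
    """Constructed pcapng: one Ethernet interface, three frames and one ISB.

    Frames: a 60-byte minimum frame (FCS already stripped by the card), a
    100-byte frame the snaplen truncates, and a 64-byte frame that fits."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _opt(OPT_END))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, snaplen) + _opt(OPT_END))
    epbs = b""
    for n, orig_len in enumerate((60, 100, 64)):
        cap_len = min(orig_len, snaplen)
        pkt = bytes([n]) * cap_len + b"\0" * _pad4(cap_len)
        epbs += _block(EPB, struct.pack("<IIIII", 0, 0, n, cap_len, orig_len) + pkt + _opt(OPT_END))
    isb = _block(ISB, struct.pack("<III", 0, 0, 0)
                 + _opt(ISB_IFRECV, struct.pack("<Q", 3 + dropped))
                 + _opt(ISB_IFDROP, struct.pack("<Q", dropped)) + _opt(OPT_END))
    return shb + idb + epbs + isb


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for key, value in audit_pcapng(data).items():
        print("%-12s %s" % (key, value))
```

Run it against a real file with `python3 audit_pcapng.py trace.pcapng`; with no argument it audits the constructed sample and reports one truncated frame, one FCS-stripped frame and two interface drops. A non-zero drop count or any truncation means the trace is not the whole story, and a non-zero `fcs_stripped` count means that even a trace with no drops could not have shown you a CRC error on the wire.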

In these two cases, using a top of the line protocol analyzer like Investigator alongside Wireshark is critical to your analysis. Investigator captures 100% of the data at full line rate and at the same time records everything in the inter-frame gaps, the preamble, the termination of each frame, and everything else on the wire. This gives the user a complete picture of what is happening on the line, and the trace data can then be exported for viewing and analysis in Wireshark.

Wireshark is a great tool, and knowing its limitations and how to overcome them is the responsibility of every network engineer.