Q&A with the founder of Wireshark and Ethereal
25 May, 2008: Wireshark, the open source network protocol analyzer formally known as Ethereal, was recently upped to version number 1.0. For the large number of users who have been dependant on it for protocol development and network analysis work for years now, this is more than just a symbolic occasion. Gerald Combs, the founder developer of the project, tells us about the journey.
[Protocog.com]: Congratulations on the 1.0 release. For most of us itís been a fully functioning and incredibly useful product for a while now. So what makes this release special?
[Gerald]: Thanks! While it's true that Wireshark has been used in production environments for years, I wasn't willing to call it "1.0" until we had proper capture privilege separation. On some platforms (particularly Linux), this is important since you typically need root access to capture network traffic, but you really shouldn't run large GUI applications as root. We added privilege separation incrementally over the last year, and were able to have it ready in time to announce the release of 1.0 at Sharkfest, our recent user's and developer's conference.
[Protocog.com]: Tell us about the origins of the project and the role you played. How did the Wireshark/Ethereal take birth?
[Gerald]: Back in the late '90s I was working for a small ISP. We had plenty of situations where a protocol analyzer would have been handy, but all of the commercial products at the time didn't run on our primary platforms (Solaris and Linux), and were very expensive to boot. I couldn't justify paying $80,000 for something that we would use once or twice a month.
As a result, I decided to write my own analyzer. I spent several months doing research and making notes in my spare time, and I released the first version of Ethereal (0.2.0) in July 1998. I immediately started receiving contributions from other developers, and the project took off from there. I do development when I can, but my main role for a long time has been the "head janitor" -- making sure the infrastructure is in place to let the other developers do their work, making releases, and other grunt work.
The change to Wireshark came about in 2006. I had the opportunity to work for CACE Technologies, but my previous employer had the rights to the Ethereal trademark. We couldn't come to a agreement on Ethereal, so we renamed the project.
[Protocog.com]: At what point did the Windows port happen? Who did it?
[Gerald] It originally ran on two platforms: Solaris and Linux. In 1999/2000, Gilbert Ramirez and a few of the other core developers got it to compile under Windows without capture support. It wasn't until WinPcap materialized (which allowed packet capture) that Windows support really solidified. Windows is now Wireshark's most popular platform by far, and has been for a long time.
[Protocog.com]: Are any of the other original developers still actively contributing to the project?
[Gerald]: Many of the original developers are still active in the project. Some have moved on to other things, but the development team has been pretty stable over the years. We've also picked up many new developers over time. One thing has been consistent: the project has been blessed with a team that produces amazing work.
[Protocog.com]: And the user community can vouch for that. What does the development process look like and how has that changed over the years?
[Gerald]: We manage the source code using Subversion and a number of other open source tools. A small group of developers (the core team) has read-write access and everyone else has read-only access.
[Protocog.com]: Who merges patches into the release/stable tree?
[Gerald]: I do, as part of the "head janitor" duties.
[Protocog.com]: How many major architectural overhauls has the design been through that you can remember?
[Gerald]: Early on, the addition of display filters and our internal packet buffer code required some major structural changes. Packet reassembly, new memory allocators, and capture privilege separation also required major changes.
The process is continuing. Right now we're in the process of dropping support for older versions of GTK+, which allows for some much-needed changes in the UI code.
[Protocog.com]: The code base is all "C" and no "C++" right? Do you see that changing?
[Gerald]: Right now it's all in C, although we support Lua as an extension language for the application itself. We make heavy use of Perl and Python in the build process, for dissector generation and other things.
In the past we've discussed switching away from GTK+ (the user interface toolkit that we use). If we ever did that, a strong argument could be made for using one of the C++-based toolkits such as WxWidgets or QT.
[Protocog.com]: The core dissector is shipped as a library, right? Have you seen any open source apps using it?
[Gerald]: That's correct. It's called libwireshark, and it's primarily used by Wireshark and Tshark (the command-line version of Wireshark). It's been used in other open source applications, and many proprietary analyzers use it as well. This adds a bit of administrative overhead for the project, since we have to ensure that they're complying with the GPL.
[Protocog.com]: I think a lot of protocol developers have at some point felt compelled to write a program called "etherdiff" but never gotten down to it, for comparing snapshots of dissected packet captures. Has anyone ever done that?
[Gerald]: Funny you should ask! This has been discussed on the developer list many times over the years, and someone submitted a patch to add basic functionality for this a few days ago. Hopefully it will make it into a release soon.
[Protocog.com]: How different is the code base on wireshark.org from whats on ethereal.com?
[Gerald]: Very different. There have been a huge number of changes since we renamed the project, from new features to new and updated protocol dissectors. Out of curiosity, I generated a patch file containing the differences between the source code now and as it was back in May 2006. It was 172 megabytes.
[Protocog.com]: So how does Cacetech fit into the picture?
[Gerald]:: CACE Technologies sponsors Wireshark by hosting its web site, paying my salary, and supporting Wireshark in other ways, such as hosting Sharkfest. We offer products and services that compliment Wireshark and WinPcap, such as AirPcap, Pilot, SharkNet support, and TurboCap.
It was founded by John Bruno, a vice provost at UC Davis, and Loris Degioanni, the creator of WinPcap. Gianluca Varenni, WinPcap's current maintainer and several other amazingly talented people work there. I joined the company in 2006. My former employer owned and still owns the trademark for Ethereal, which meant we had to come up with a new name for the project. That's how the name "Wireshark" was born.
We're also partnered with Laura Chappell, the founder of Wireshark University.
[Protocog.com]: Whats Sharkfest all about?
[Gerald]: Sharkfest is the annual Wireshark user's and developer's conference, hosted by CACE and Wireshark University. It's our way of reaching out to the community and letting everyone meet face to face. This past April was our first Sharkfest, and the response we got was very positive. It was a lot of fun for us as well, and we hope to have many more.
[Protocog.com]: Great. Hope to catch up with you at the next Sharkfest. Thanks for your time, Gerald.
[Gerald]: Thank you. And thanks to Wireshark's developers and users. Without your support and enthusiasm over the years, it wouldn't be the success that it is today.