Thank you. It has been an indispensable part of my work from the very beginning. tcpdump was fine, but being able to right click on a packet and do "follow TCP stream", then see the entire conversation in a second, was a game changer. Same with the "right click -> filter out this stream".
Also, the fact that Ethereal/Wireshark could read files saved by tcpdump meant I could ssh onto a remote server, fire up tcpdump, run Wireshark on a client, and when something failed I was able to look at the network stream "from both ends". It saved me hours and hours, from dodgy ISP NAT being evident at first glance, to misconfigured MPLS networks being provable (no more could the routing team just say: it looks good for us). No, there was proof... I bet countless people continue having the same experience with this software :-)
However, I have to correct one statement made in the article. Ethereal wasn't the first free GUI network packet analyzer. There was a Microsoft tool I forgot the name of that was available even in Windows NT days, perhaps "netmon"? It was a long time ago. It was free and it predates Ethereal. It only worked on Windows and it used its own file format.
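As an added example (not part of the original comment, and not Wireshark's or tcpdump's own code), the following Python script does the two things the comment above praises, in miniature: it reads the libpcap file format that `tcpdump -w` writes, and it "follows a TCP stream" by grouping segments into conversations, ordering each direction by sequence number and dropping retransmitted duplicates. The capture bytes, the 10.0.0.5/192.0.2.10 addresses and the HTTP payload are constructed inside the script so it runs offline; it decodes only Ethernet link-type captures and ignores sequence-number wraparound.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # microsecond-resolution libpcap files
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; constructed test data)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 words, flags PSH|ACK by default, window 65535, zero checksum/urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap (tcpdump -w) container, one record per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) from a libpcap file of either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic, file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng and nanosecond variants not handled)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # 14 + 20 + 20 bytes minimum
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                    # IPv4 protocol field: 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[13], tcp[data_off:]


def follow_streams(pcap_bytes):
    """Group TCP segments into conversations and reassemble each direction's payload.

    Conversations are keyed by the sorted (ip, port) pair. Each direction is ordered by
    sequence number; a repeated sequence number (retransmission) simply replaces the
    earlier copy. Sequence wraparound and overlapping segments are not handled.
    """
    segments = {}
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, seq, _flags, payload = pkt
        if not payload:               # pure ACKs carry nothing to reassemble
            continue
        conversation = tuple(sorted([(src, sport), (dst, dport)]))
        direction = (src, sport, dst, dport)
        segments.setdefault(conversation, {}).setdefault(direction, {})[seq] = payload
    return {conv: {d: b"".join(p for _, p in sorted(segs.items())) for d, segs in dirs.items()}
            for conv, dirs in segments.items()}


# Constructed conversation: request segments captured out of order, response retransmitted.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)
REQ1 = b"GET / HTTP/1.1\r\n"
REQ2 = b"Host: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(*CLIENT, *SERVER, 1000 + len(REQ1), REQ2),   # second half arrives first
    build_tcp_frame(*CLIENT, *SERVER, 1000, REQ1),
    build_tcp_frame(*SERVER, *CLIENT, 5000, RESP),
    build_tcp_frame(*SERVER, *CLIENT, 5000, RESP),               # retransmission
])

if __name__ == "__main__":
    for conv, dirs in follow_streams(SAMPLE_PCAP).items():
        print("stream", conv)
        for (src, sport, dst, dport), data in dirs.items():
            print(f"  {src}:{sport} -> {dst}:{dport}: {data!r}")
```

Pointing `follow_streams` at the bytes of a real `tcpdump -w` file shows the same per-direction reassembly that the "follow TCP stream" view gives; the same 4-tuple grouping is also what lets a capture from each end of a connection be lined up side by side.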
>There was a Microsoft tool I forgot the name of that was available even in Windows NT days, perhaps "netmon"?
Network Monitor, also called netmon (or Bloodhound internally), which actually had a documented (maybe unsupported IIRC, but still easy to tap into) API. I wrote a tcpdump wrapper around it, before Ethereal was a thing. The API, and hence netmon, became invalid with the "next-gen" TCP stack of Longhorn/Vista.
Eventually, MSNA (Microsoft Network Analyzer) came along, which worked on ETW and was able to analyze network and other ETW traces. You could write handlers for any protocol in a supported DSL. You could even make it parse log files and filter/analyze the data.
The New Microsoft being what they are, they killed MSNA because it was too powerful and useful to Windows developers. It probably wasn't used by a lot of people, but if you knew how to use it, it was one of the most powerful analysis tools of its time.
Edit: Microsoft Message Analyzer, not Network Analyzer.
I believe it was Message Analyzer, and what was super cool was its ability to correlate ETW stuff. So you could literally see the interplay between... say... a webserver log, an OS level NIC driver log, and a network capture.
I still don't get why MS stopped its public distribution, although I do know it was pretty buggy as released...
And yeah, netmon is great. I still use it when I want to filter Windows captures on PID, since Wireshark won't do that. (Even though netsh or pktmon, the built-in Windows tools for recording captures, have it in the header...)