I am new to packet analysis. The team I work with is having a big argument about which tool is better, so I decided to make it an open discussion and see your responses. Thank you.

asked 14 Sep '14, 10:12

Almeida

edited 14 Sep '14, 14:11

Guy Harris ♦♦


"Which tool is better" is the same as asking about "PC vs. Mac", "Windows vs. Linux", "iPhone vs. Android", etc. - not really a good question to ask, because it depends on what you need.

Both Wireshark and Omnipeek are good tools; both have their strengths and weaknesses. The two things where nobody will ever be able to beat Wireshark are

  1. Price (it's free)
  2. Dissectors - the packet dissectors are too numerous to count and decode things most other tools have never thought about

Things for which Wireshark can be less optimal to use are

  1. high speed packet capture (with "high speed" starting at about 300MBit/s) - other commercial tools come with specialized capture hardware, but to be fair you can use some of those cards with Wireshark, too
  2. protocols that are proprietary, with no documentation available. Some commercial analyzers like Omnipeek are able to decode some of them (with an NDA), e.g. Citrix ICA
  3. fancy graphics - Wireshark is very technical and does not really produce eye candy (meaning: things that you can put in a report that the CEO has to understand, at least partially)
  4. Advanced diagnostics, e.g. when comparing multi point captures

There are probably more things, but any network analyst worth her/his salt will tell you that they combine different tools to get their results. Usually, Wireshark is the most trusted tool when it comes to decodes.

answered 14 Sep '14, 11:41

Jasper ♦♦

Nice, thanks a lot.

(20 Apr '15, 18:44) zhiying678

Another advantage of Wireshark over OmniPeek:

If you're running some flavor of UN*X (Linux, OS X, *BSD, Solaris, AIX, HP-UX, etc.) rather than Windows, and don't have a virtual machine running Windows, and don't have a tool such as Wine that lets you run Windows binaries on your operating system, you can run Wireshark but you can't run OmniPeek. :-)

(20 Apr '15, 18:50) Guy Harris ♦♦

Another advantage of OmniPeek over Wireshark:

On Windows, OmniPeek can, with popular Wi-Fi adapters, capture in "monitor mode" and see traffic to or from other hosts and get radio information; Wireshark can't, because it uses WinPcap, which (currently) can't capture in monitor mode.

(20 Apr '15, 18:51) Guy Harris ♦♦

I think there IS a major difference between Wireshark and OmniPeek, especially when it comes to the question of "What is the purpose of performing the capture over WiFi?" Over the last year I asked a similar question on a blog regarding WiFi. After receiving many responses from across the industry (including IT professionals, developers, education professionals, and hobbyists), there seem to be two different types of thinking when it comes to WiFi capturing:

  1. Macro-capturing = the need to capture all traffic and analyze a large amount of data. This type of capturing is done by IT departments to ensure connectivity across the network. There are many solutions for this need, including OmniPeek, Eye P.A., AirMagnet, etc.

  2. Micro-capturing = the need to capture specific traffic between two devices and analyze the stream from a particular device. This type of capturing is mainly done by development and testing teams to ensure proper communication and protocol analysis. The best and cheapest solution for this type of need is Wireshark.

answered 21 Apr '15, 06:37

Amato_C
