Wireshark is “free software”; you can download it without paying any license fee. The version of Wireshark you download isn’t a “demo” version, with limitations not present in a “full” version; it is the full version.
Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse with graphical interface the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
Supports for particular protocols is added to Wireshark as a result of people contributing that support; no formal plans for adding support for particular protocols in particular future releases exist.
If a network analyzer writes out files in a format already supported by Wireshark (e.g., in libpcap format), Wireshark may already be able to read them, unless the analyzer has added its own proprietary extensions to that format.
If a network analyzer writes out files in its own format, or has added proprietary extensions to another format, in order to make Wireshark read captures from that network analyzer, we would either have to have a specification for the file format, or the extensions, sufficient to give us enough information to read the parts of the file relevant to Wireshark, or would need at least one capture file in that format and a detailed textual analysis of the packets in that capture file (showing packet time stamps, packet lengths, and the top-level packet header) in order to reverse-engineer the file format.
Note that there is no guarantee that we will be able to reverse-engineer a capture file format.
Wireshark is almost (but not quite) a fork. Normally a “fork” of an open source project results in two names, web sites, development teams, support infrastructures, etc. This is the case with Wireshark except for one notable exception — every member of the core development team is now working on Wireshark. There has been no active development on Ethereal since the name change. Several parts of the Ethereal web site (such as the mailing lists, source code repository, and build farm) have gone offline.
Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
Wireshark allows the user to put the network interfaces that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface’s configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic traveling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on net; simple passive taps are extremely resistant to malware tampering.
On Linux, BSD, and Mac OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put Wi-Fi adapters into monitor mode.