Cyber Tool Stack
All tools
IDS/NDROpen source · GPL-2.0

Wireshark

Community project

The standard graphical packet analyzer for capturing and manually inspecting network traffic down to the individual field, widely used for troubleshooting and forensic investigation rather than automated detection. Maintained by the nonprofit Wireshark Foundation, with the tshark command-line variant used for scripted or headless capture.

Verified Source: 1

Product type
Community project
Deployment
On-premCLI
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

IDS/NDR

How Wireshark measures up against the full Intrusion Detection & Network Detection and Response taxonomy.

Signature-based detection — not supported
Matches traffic against known attack and exploit signatures.
Behavioral anomaly detection — not supported
Baselines normal traffic patterns to flag deviations without a known signature.
East-west traffic visibility — not supported
Sees lateral movement between internal hosts, not just traffic crossing the perimeter.
Packet capture & forensics — supported
Stores full or metadata-level packet history for post-incident investigation.
Threat intelligence integration — not supported
Enriches detections with known-bad IPs, domains, and indicators from feeds.
Inline blocking (IPS mode) — not supported
Can actively drop malicious traffic in real time rather than only alert on it.
Encrypted traffic analysis — not supported
Flags malicious patterns in encrypted flows without decrypting them.

Alternatives

Other Intrusion Detection & Network Detection and Response tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include Wireshark.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.