IDS/NDROpen source · GPL-2.0
Wireshark
Community project
The standard graphical packet analyzer for capturing and manually inspecting network traffic down to the individual field, widely used for troubleshooting and forensic investigation rather than automated detection. Maintained by the nonprofit Wireshark Foundation, with the tshark command-line variant used for scripted or headless capture.
Verified Source: 1
- Product type
- Community project
- Deployment
- On-premCLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
IDS/NDRHow Wireshark measures up against the full Intrusion Detection & Network Detection and Response taxonomy.
- Signature-based detection — not supported
- Matches traffic against known attack and exploit signatures.
- Behavioral anomaly detection — not supported
- Baselines normal traffic patterns to flag deviations without a known signature.
- East-west traffic visibility — not supported
- Sees lateral movement between internal hosts, not just traffic crossing the perimeter.
- Packet capture & forensics — supported
- Stores full or metadata-level packet history for post-incident investigation.
- Threat intelligence integration — not supported
- Enriches detections with known-bad IPs, domains, and indicators from feeds.
- Inline blocking (IPS mode) — not supported
- Can actively drop malicious traffic in real time rather than only alert on it.
- Encrypted traffic analysis — not supported
- Flags malicious patterns in encrypted flows without decrypting them.
Alternatives
Other Intrusion Detection & Network Detection and Response tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Wireshark.