I haven't tried using Wireshark in a couple of years, so I decided to give Blam the benefit of the doubt and give it one more shot. After five minutes of trying to use it to capture a log of the Toribash protocol, I remembered why I never liked it to begin with. Wireshark's a great program, and the functionality it provides is impressive. I've never been able to make any real use out of it, though, because of the issues I perceive in usability.
For instance, let's say I want to make a log of the Toribash protocol for the purpose of reverse engineering some of the new stuff. With that purpose in mind, I start up a network capture, do whatever I need to do in Toribash, and when I'm done, stop capturing.
Given how many background services make heavy use of network traffic, it's highly unlikely your capture will only consist of the packets relevant to Toribash. That wouldn't be a huge issue, except that for some reason, they never saw it necessary to add functionality to the GUI for removing packets that have been captured. (At least, not to my knowledge. I took the time to read through most of the documentation, but if I missed something, let me know.) I realize you can filter what packets are displayed, but why am I hiding packets that will never be of any use to me? Why can't I just hold shift, click two rows, and hit delete? I also realize that you can set up capture filters before starting a capture, and any packet not matching your filter will be ignored. The problem I see with that, however, is most of the time, I don't have enough information related to the activity I'm trying to track to create an accurate filter - I'm using Wireshark to find out that information.
tldr: From my perspective, Wireshark isn't really convenient for casual reverse engineering.
Last edited by Juntalis; Jun 12, 2013 at 03:19 PM.
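The "delete everything that isn't the game traffic" step the post asks for can be done outside the GUI by rewriting the capture file: the script below is an added example (standard-library Python, not code from the poster or from the Wireshark project) that parses a classic pcap file, keeps only the TCP/UDP packets touching one port, and writes the rest out as a new pcap. The game port is an assumed placeholder, since the post does not state it, and the sample capture is constructed inline; `tshark -r in.pcap -Y '<display filter>' -w out.pcap` achieves the same pruning with Wireshark's own tools.

```python
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 0xD4C3B2A1, 1
GAME_PORT = 22000  # assumption: placeholder for the real game server port

def build_ipv4_udp_frame(src_port, dst_port, payload):
    """Construct a minimal Ethernet/IPv4/UDP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (global + per-record headers)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)

def iter_packets(data):
    """Yield (record_header, frame) pairs from a classic pcap, honouring its byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC_LE else ">" if magic == PCAP_MAGIC_BE else None
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def packet_ports(frame):
    """Return (ip_proto, src_port, dst_port) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP)
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:  # only TCP/UDP carry ports
        return None
    return (proto,) + struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def prune_pcap(data, port):
    """Return a new pcap holding only packets whose TCP/UDP src or dst port equals `port`."""
    kept = [hdr + frame for hdr, frame in iter_packets(data)
            if (ports := packet_ports(frame)) and port in ports[1:]]
    return data[:24] + b"".join(kept)

def count_packets(data):
    return sum(1 for _ in iter_packets(data))

# Constructed sample capture: two game packets, DNS noise, and a port-less ARP frame.
SAMPLE_PCAP = build_pcap([
    build_ipv4_udp_frame(51000, GAME_PORT, b"hello"),
    build_ipv4_udp_frame(51001, 53, b"dns-noise"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
    build_ipv4_udp_frame(GAME_PORT, 51000, b"reply"),
])
```

Writing `prune_pcap(open("in.pcap", "rb").read(), GAME_PORT)` to a file yields a capture Wireshark opens normally, with the unrelated packets gone rather than merely hidden.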