Table of contents
- Wireshark User's Guide
- Preface
- Foreword
- Who should read this document?
- Acknowledgements
- About this document
- Where to get the latest copy of this document?
- Providing feedback about this document
- Introduction
- What is Wireshark?
- Some intended purposes
- Features
- Live capture from many different network media
- Import files from many other capture programs
- Export files for many other capture programs
- Many protocol dissectors
- Open Source Software
- What Wireshark is not
- System Requirements
- Microsoft Windows
- UNIX / Linux
- Where to get Wireshark
- A brief history of Wireshark
- Development and maintenance of Wireshark
- Reporting problems and getting help
- Website
- Wiki
- Q&A Site
- FAQ
- Mailing Lists
- Reporting Problems
- Reporting Crashes on UNIX/Linux platforms
- Reporting Crashes on Windows platforms
- Building and Installing Wireshark
- Introduction
- Obtaining the source and binary distributions
- Installing Wireshark under Windows
- Installation Components
- Additional Tasks
- Install Location
- Installing WinPcap
- Windows installer command line options
- Manual WinPcap Installation
- Update Wireshark
- Update WinPcap
- Uninstall Wireshark
- Uninstall WinPcap
- Installing Wireshark under macOS
- Building Wireshark from source under UNIX
- Installing the binaries under UNIX
- Installing from RPM’s under Red Hat and alike
- Installing from deb’s under Debian, Ubuntu and other Debian derivatives
- Installing from portage under Gentoo Linux
- Installing from packages under FreeBSD
- Troubleshooting during the install on Unix
- Building from source under Windows
- User Interface
- Introduction
- Start Wireshark
- The Main window
- Main Window Navigation
- The Menu
- The “File” menu
- The “Edit” menu
- The “View” menu
- The “Go” menu
- The “Capture” menu
- The “Analyze” menu
- The “Statistics” menu
- The “Telephony” menu
- The “Tools” menu
- The “Internals” menu
- The “Help” menu
- The “Main” toolbar
- The “Filter” toolbar
- The “Packet List” pane
- The “Packet Details” pane
- The “Packet Bytes” pane
- The Statusbar
- Capturing Live Network Data
- Introduction
- Prerequisites
- Start Capturing
- The “Capture Interfaces” dialog box
- The “Capture Options” dialog box
- Capture frame
- Capture File(s) frame
- Stop Capture… frame
- Display Options frame
- Name Resolution frame
- Buttons
- The “Edit Interface Settings” dialog box
- The “Compile Results” dialog box
- The “Add New Interfaces” dialog box
- Add or remove pipes
- Add or hide local interfaces
- Add or hide remote interfaces
- The “Remote Capture Interfaces” dialog box
- Remote Capture Interfaces
- Remote Capture Settings
- The “Interface Details” dialog box
- Capture files and file modes
- Link-layer header type
- Filtering while capturing
- Automatic Remote Traffic Filtering
- Stop the running capture
- Restart a running capture
- File Input, Output, and Printing
- Introduction
- Open capture files
- The “Open Capture File” dialog box
- Input File Formats
- Saving captured packets
- The “Save Capture File As” dialog box
- Output File Formats
- Merging capture files
- The “Merge with Capture File” dialog box
- Import hex dump
- The “Import from Hex Dump” dialog box
- File Sets
- The “List Files” dialog box
- Exporting data
- The “Export as Plain Text File” dialog box
- The “Export as PostScript File” dialog box
- The “Export as CSV (Comma Separated Values) File” dialog box
- The “Export as C Arrays (packet bytes) file” dialog box
- The “Export as PSML File” dialog box
- The “Export as PDML File” dialog box
- The “Export selected packet bytes” dialog box
- The “Export Objects” dialog box
- Printing packets
- The “Print” dialog box
- The “Packet Range” frame
- The Packet Format frame
- Working with captured packets
- Viewing packets you have captured
- Pop-up menus
- Pop-up menu of the “Packet List” column header
- Pop-up menu of the “Packet List” pane
- Pop-up menu of the “Packet Details” pane
- Filtering packets while viewing
- Building display filter expressions
- Display filter fields
- Comparing values
- Combining expressions
- Substring Operator
- Membership Operator
- A Common Mistake
- The “Filter Expression” dialog box
- Defining and saving filters
- Defining and saving filter macros
- Finding packets
- The “Find Packet” dialog box
- The “Find Next” command
- The “Find Previous” command
- Go to a specific packet
- The “Go Back” command
- The “Go Forward” command
- The “Go to Packet” dialog box
- The “Go to Corresponding Packet” command
- The “Go to First Packet” command
- The “Go to Last Packet” command
- Marking packets
- Ignoring packets
- Time display formats and time references
- Packet time referencing
- Advanced Topics
- Introduction
- Following TCP streams
- The “Follow TCP Stream” dialog box
- Show Packet Bytes
- Decode as
- Show as
- Expert Information
- Expert Info Entries
- Severity
- Group
- Protocol
- Summary
- “Expert Info” dialog
- Errors / Warnings / Notes / Chats tabs
- Details tab
- “Colorized” Protocol Details Tree
- “Expert” Packet List Column (optional)
- TCP Analysis
- Time Stamps
- Wireshark internals
- Capture file formats
- Accuracy
- Time Zones
- Set your computer’s time correctly!
- Wireshark and Time Zones
- Packet Reassembly
- What is it?
- How Wireshark handles it
- Name Resolution
- Name Resolution drawbacks
- Ethernet name resolution (MAC layer)
- IP name resolution (network layer)
- TCP/UDP port name resolution (transport layer)
- VLAN ID resolution
- Checksums
- Wireshark checksum validation
- Checksum offloading
- Statistics
- Introduction
- The “Summary” window
- The “Protocol Hierarchy” window
- Conversations
- The “Conversations” window
- Endpoints
- The “Endpoints” window
- The “IO Graphs” window
- Service Response Time
- The “Service Response Time DCE-RPC” window
- Compare two capture files
- WLAN Traffic Statistics
- The protocol specific statistics windows
- Telephony
- Introduction
- RTP Analysis
- IAX2 Analysis
- VoIP Calls
- LTE MAC Traffic Statistics
- LTE RLC Traffic Statistics
- The protocol specific statistics windows
- Customizing Wireshark
- Introduction
- Start Wireshark from the command line
- Packet colorization
- Control Protocol dissection
- The “Enabled Protocols” dialog box
- User Specified Decodes
- Show User Specified Decodes
- Preferences
- Interface Options
- Configuration Profiles
- User Table
- Display Filter Macros
- ESS Category Attributes
- GeoIP Database Paths
- IKEv2 decryption table
- Object Identifiers
- PRES Users Context List
- SCCP users Table
- SMI (MIB and PIB) Modules
- SMI (MIB and PIB) Paths
- SNMP Enterprise Specific Trap Types
- SNMP users Table
- Tektronix K12xx/15 RF5 protocols Table
- User DLTs protocol table
- Wireshark Messages
- Packet List Messages
- [Malformed Packet]
- [Packet size limited during capture]
- Packet Details Messages
- [Response in frame: 123]
- [Request in frame: 123]
- [Time from request: 0.123 seconds]
- [Stream setup by PROTOCOL (frame 123)]
- Files and Folders
- Capture Files
- Libpcap File Contents
- Not Saved in the Capture File
- Configuration File and Plugin Folders
- Folders on Windows
- Folders on Unix-like systems
- Configuration Files
- Protocol help configuration
- Plugin folders
- Windows folders
- Windows profiles
- Windows roaming profiles
- Windows temporary folder
- Protocols and Protocol Fields
- Related command line tools
- Introduction
- tshark: Terminal-based Wireshark
- tcpdump: Capturing with tcpdump for viewing with Wireshark
- dumpcap: Capturing with dumpcap for viewing with Wireshark
- capinfos: Print information about capture files
- rawshark: Dump and analyze network traffic
- editcap: Edit capture files
- mergecap: Merging multiple capture files into one
- text2pcap: Converting ASCII hexdumps to network captures
- reordercap: Reorder a capture file
- This Document’s License (GPL)