Wireshark User's Guide
Table of contents
Wireshark User's Guide
Preface
Foreword
Who should read this document?
Acknowledgements
About this document
Where to get the latest copy of this document?
Providing feedback about this document
Introduction
What is Wireshark?
Some intended purposes
Features
Live capture from many different network media
Import files from many other capture programs
Export files for many other capture programs
Many protocol dissectors
Open Source Software
What Wireshark is not
System Requirements
Microsoft Windows
UNIX / Linux
Where to get Wireshark
A brief history of Wireshark
Development and maintenance of Wireshark
Reporting problems and getting help
Website
Wiki
Q&A Site
FAQ
Mailing Lists
Reporting Problems
Reporting Crashes on UNIX/Linux platforms
Reporting Crashes on Windows platforms
Building and Installing Wireshark
Introduction
Obtaining the source and binary distributions
Installing Wireshark under Windows
Installation Components
Additional Tasks
Install Location
Installing WinPcap
Windows installer command line options
Manual WinPcap Installation
Update Wireshark
Update WinPcap
Uninstall Wireshark
Uninstall WinPcap
Installing Wireshark under macOS
Building Wireshark from source under UNIX
Installing the binaries under UNIX
Installing from RPMs under Red Hat and alike
Installing from debs under Debian, Ubuntu and other Debian derivatives
Installing from portage under Gentoo Linux
Installing from packages under FreeBSD
Troubleshooting during the install on Unix
Building from source under Windows
User Interface
Introduction
Start Wireshark
The Main window
Main Window Navigation
The Menu
The “File” menu
The “Edit” menu
The “View” menu
The “Go” menu
The “Capture” menu
The “Analyze” menu
The “Statistics” menu
The “Telephony” menu
The “Tools” menu
The “Internals” menu
The “Help” menu
The “Main” toolbar
The “Filter” toolbar
The “Packet List” pane
The “Packet Details” pane
The “Packet Bytes” pane
The Statusbar
Capturing Live Network Data
Introduction
Prerequisites
Start Capturing
The “Capture Interfaces” dialog box
The “Capture Options” dialog box
Capture frame
Capture File(s) frame
Stop Capture… frame
Display Options frame
Name Resolution frame
Buttons
The “Edit Interface Settings” dialog box
The “Compile Results” dialog box
The “Add New Interfaces” dialog box
Add or remove pipes
Add or hide local interfaces
Add or hide remote interfaces
The “Remote Capture Interfaces” dialog box
Remote Capture Interfaces
Remote Capture Settings
The “Interface Details” dialog box
Capture files and file modes
Link-layer header type
Filtering while capturing
Automatic Remote Traffic Filtering
Stop the running capture
Restart a running capture
File Input, Output, and Printing
Introduction
Open capture files
The “Open Capture File” dialog box
Input File Formats
Saving captured packets
The “Save Capture File As” dialog box
Output File Formats
Merging capture files
The “Merge with Capture File” dialog box
Import hex dump
The “Import from Hex Dump” dialog box
File Sets
The “List Files” dialog box
Exporting data
The “Export as Plain Text File” dialog box
The “Export as PostScript File” dialog box
The “Export as CSV (Comma Separated Values) File” dialog box
The “Export as C Arrays (packet bytes) file” dialog box
The “Export as PSML File” dialog box
The “Export as PDML File” dialog box
The “Export selected packet bytes” dialog box
The “Export Objects” dialog box
Printing packets
The “Print” dialog box
The “Packet Range” frame
The Packet Format frame
Working with captured packets
Viewing packets you have captured
Pop-up menus
Pop-up menu of the “Packet List” column header
Pop-up menu of the “Packet List” pane
Pop-up menu of the “Packet Details” pane
Filtering packets while viewing
Building display filter expressions
Display filter fields
Comparing values
Combining expressions
Substring Operator
Membership Operator
A Common Mistake
The “Filter Expression” dialog box
Defining and saving filters
Defining and saving filter macros
Finding packets
The “Find Packet” dialog box
The “Find Next” command
The “Find Previous” command
Go to a specific packet
The “Go Back” command
The “Go Forward” command
The “Go to Packet” dialog box
The “Go to Corresponding Packet” command
The “Go to First Packet” command
The “Go to Last Packet” command
Marking packets
Ignoring packets
Time display formats and time references
Packet time referencing
Advanced Topics
Introduction
Following TCP streams
The “Follow TCP Stream” dialog box
Show Packet Bytes
Decode as
Show as
Expert Information
Expert Info Entries
Severity
Group
Protocol
Summary
“Expert Info” dialog
Errors / Warnings / Notes / Chats tabs
Details tab
“Colorized” Protocol Details Tree
“Expert” Packet List Column (optional)
TCP Analysis
Time Stamps
Wireshark internals
Capture file formats
Accuracy
Time Zones
Set your computer’s time correctly!
Wireshark and Time Zones
Packet Reassembly
What is it?
How Wireshark handles it
Name Resolution
Name Resolution drawbacks
Ethernet name resolution (MAC layer)
IP name resolution (network layer)
TCP/UDP port name resolution (transport layer)
VLAN ID resolution
Checksums
Wireshark checksum validation
Checksum offloading
Statistics
Introduction
The “Summary” window
The “Protocol Hierarchy” window
Conversations
The “Conversations” window
Endpoints
The “Endpoints” window
The “IO Graphs” window
Service Response Time
The “Service Response Time DCE-RPC” window
Compare two capture files
WLAN Traffic Statistics
The protocol specific statistics windows
Telephony
Introduction
RTP Analysis
IAX2 Analysis
VoIP Calls
LTE MAC Traffic Statistics
LTE RLC Traffic Statistics
The protocol specific statistics windows
Customizing Wireshark
Introduction
Start Wireshark from the command line
Packet colorization
Control Protocol dissection
The “Enabled Protocols” dialog box
User Specified Decodes
Show User Specified Decodes
Preferences
Interface Options
Configuration Profiles
User Table
Display Filter Macros
ESS Category Attributes
GeoIP Database Paths
IKEv2 decryption table
Object Identifiers
PRES Users Context List
SCCP users Table
SMI (MIB and PIB) Modules
SMI (MIB and PIB) Paths
SNMP Enterprise Specific Trap Types
SNMP users Table
Tektronix K12xx/15 RF5 protocols Table
User DLTs protocol table
Wireshark Messages
Packet List Messages
[Malformed Packet]
[Packet size limited during capture]
Packet Details Messages
[Response in frame: 123]
[Request in frame: 123]
[Time from request: 0.123 seconds]
[Stream setup by PROTOCOL (frame 123)]
Files and Folders
Capture Files
Libpcap File Contents
Not Saved in the Capture File
Configuration File and Plugin Folders
Folders on Windows
Folders on Unix-like systems
Configuration Files
Protocol help configuration
Plugin folders
Windows folders
Windows profiles
Windows roaming profiles
Windows temporary folder
Protocols and Protocol Fields
Related command line tools
Introduction
tshark: Terminal-based Wireshark
tcpdump: Capturing with tcpdump for viewing with Wireshark
dumpcap: Capturing with dumpcap for viewing with Wireshark
capinfos: Print information about capture files
rawshark: Dump and analyze network traffic
editcap: Edit capture files
mergecap: Merging multiple capture files into one
text2pcap: Converting ASCII hexdumps to network captures
reordercap: Reorder a capture file
This Document’s License (GPL)