Wireshark User's Guide

Wireshark 2.1

previous page next page

Wireshark User's Guide

For Wireshark 2.1

Ulf Lamping

<ulf.lamping[AT]web.de>

Richard Sharpe

Director
NS Computer Software and Services P/L

<rsharpe[AT]ns.aus.com>

Ed Warnicke

<hagbard[AT]physics.rutgers.edu>

Copyright © 2004-2014 Ulf Lamping, Richard Sharpe, Ed Warnicke

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.

All logos and trademarks in this document are property of their respective owner.

Revision History
Revision 3.2	9 Nov 2014	gcc
Converted from DocBook to AsciiDoc.
Revision 3.1	2 Nov 2014	gcc
Moved Lua reference from User's Guide to Developer's Guide.
Revision 3.0.2	31 May 2006	jk
Further cleanup of Wireshark User Guide
Revision 2.0.2	29 Jan 2005	ul
Add links to wiki example pages
Revision 2.0	6 Aug 2004	ul
Review updates
Revision 1.90	19 Jul 2004	ul
Updated for Ethereal 0.10.5.

Table of Contents

1. Foreword
2. Who should read this document?
3. Acknowledgements
4. About this document
5. Where to get the latest copy of this document?
6. Providing feedback about this document

1. Introduction

1.1. What is Wireshark?

1.1.1. Some intended purposes
1.1.2. Features
1.1.3. Live capture from many different network media
1.1.4. Import files from many other capture programs
1.1.5. Export files for many other capture programs
1.1.6. Many protocol dissectors
1.1.7. Open Source Software
1.1.8. What Wireshark is not

1.2. System Requirements

1.2.1. Microsoft Windows
1.2.2. UNIX / Linux

1.3. Where to get Wireshark

1.4. A brief history of Wireshark

1.5. Development and maintenance of Wireshark

1.6. Reporting problems and getting help

1.6.1. Website
1.6.2. Wiki
1.6.3. Q&A Site
1.6.4. FAQ
1.6.5. Mailing Lists
1.6.6. Reporting Problems
1.6.7. Reporting Crashes on UNIX/Linux platforms
1.6.8. Reporting Crashes on Windows platforms

2. Building and Installing Wireshark

2.1. Introduction

2.2. Obtaining the source and binary distributions

2.3. Installing Wireshark under Windows

2.3.1. Installation Components
2.3.2. Additional Tasks
2.3.3. Install Location
2.3.4. Installing WinPcap
2.3.5. Windows installer command line options
2.3.6. Manual WinPcap Installation
2.3.7. Update Wireshark
2.3.8. Update WinPcap
2.3.9. Uninstall Wireshark
2.3.10. Uninstall WinPcap

2.4. Installing Wireshark under macOS

2.5. Building Wireshark from source under UNIX

2.6. Installing the binaries under UNIX

2.6.1. Installing from RPM’s under Red Hat and alike
2.6.2. Installing from deb’s under Debian, Ubuntu and other Debian derivatives
2.6.3. Installing from portage under Gentoo Linux
2.6.4. Installing from packages under FreeBSD

2.7. Troubleshooting during the install on Unix

2.8. Building from source under Windows

3. User Interface

4. Capturing Live Network Data

4.1. Introduction

4.2. Prerequisites

4.3. Start Capturing

4.4. The “Capture Interfaces” dialog box

4.5. The “Capture Options” dialog box

4.5.1. Capture frame
4.5.2. Capture File(s) frame
4.5.3. Stop Capture… frame
4.5.4. Display Options frame
4.5.5. Name Resolution frame
4.5.6. Buttons

4.6. The “Edit Interface Settings” dialog box

4.7. The “Compile Results” dialog box

4.8. The “Add New Interfaces” dialog box

4.8.1. Add or remove pipes
4.8.2. Add or hide local interfaces
4.8.3. Add or hide remote interfaces

4.9. The “Remote Capture Interfaces” dialog box

4.9.1. Remote Capture Interfaces
4.9.2. Remote Capture Settings

4.10. The “Interface Details” dialog box

4.11. Capture files and file modes

4.12. Link-layer header type

4.13. Filtering while capturing

4.13.1. Automatic Remote Traffic Filtering
4.13.2. Stop the running capture
4.13.3. Restart a running capture

5. File Input, Output, and Printing

5.1. Introduction

5.2. Open capture files

5.2.1. The “Open Capture File” dialog box
5.2.2. Input File Formats

5.3. Saving captured packets

5.3.1. The “Save Capture File As” dialog box
5.3.2. Output File Formats

5.4. Merging capture files

5.4.1. The “Merge with Capture File” dialog box

5.5. Import hex dump

5.5.1. The “Import from Hex Dump” dialog box

5.6. File Sets

5.6.1. The “List Files” dialog box

5.7. Exporting data

5.7.1. The “Export as Plain Text File” dialog box
5.7.2. The “Export as PostScript File” dialog box
5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box
5.7.4. The "Export as C Arrays (packet bytes) file" dialog box
5.7.5. The "Export as PSML File" dialog box
5.7.6. The "Export as PDML File" dialog box
5.7.7. The "Export selected packet bytes" dialog box
5.7.8. The "Export Objects" dialog box

5.8. Printing packets

5.8.1. The “Print” dialog box

5.9. The “Packet Range” frame

5.10. The Packet Format frame

6. Working with captured packets

6.1. Viewing packets you have captured

6.2. Pop-up menus

6.2.1. Pop-up menu of the “Packet List” column header
6.2.2. Pop-up menu of the “Packet List” pane
6.2.3. Pop-up menu of the “Packet Details” pane

6.3. Filtering packets while viewing

6.4. Building display filter expressions

6.4.1. Display filter fields
6.4.2. Comparing values
6.4.3. Combining expressions
6.4.4. Substring Operator
6.4.5. Membership Operator.
6.4.6. A Common Mistake

6.5. The “Filter Expression” dialog box

6.6. Defining and saving filters

6.7. Defining and saving filter macros

6.8. Finding packets

6.8.1. The “Find Packet” dialog box
6.8.2. The “Find Next” command
6.8.3. The “Find Previous” command

6.9. Go to a specific packet

6.9.1. The “Go Back” command
6.9.2. The “Go Forward” command
6.9.3. The “Go to Packet” dialog box
6.9.4. The “Go to Corresponding Packet” command
6.9.5. The “Go to First Packet” command
6.9.6. The “Go to Last Packet” command

6.10. Marking packets

6.11. Ignoring packets

6.12. Time display formats and time references

6.12.1. Packet time referencing

7. Advanced Topics

7.1. Introduction

7.2. Following TCP streams

7.2.1. The “Follow TCP Stream” dialog box

7.3. Show Packet Bytes

7.3.1. Decode as
7.3.2. Show as

7.4. Expert Information

7.4.1. Expert Info Entries
7.4.2. “Expert Info” dialog
7.4.3. “Colorized” Protocol Details Tree
7.4.4. “Expert” Packet List Column (optional)

7.5. TCP Analysis

7.6. Time Stamps

7.6.1. Wireshark internals
7.6.2. Capture file formats
7.6.3. Accuracy

7.7. Time Zones

7.7.1. Set your computer’s time correctly!
7.7.2. Wireshark and Time Zones

7.8. Packet Reassembly

7.8.1. What is it?
7.8.2. How Wireshark handles it

7.9. Name Resolution

7.9.1. Name Resolution drawbacks
7.9.2. Ethernet name resolution (MAC layer)
7.9.3. IP name resolution (network layer)
7.9.4. TCP/UDP port name resolution (transport layer)
7.9.5. VLAN ID resolution

7.10. Checksums

7.10.1. Wireshark checksum validation
7.10.2. Checksum offloading

8. Statistics

8.1. Introduction

8.2. The “Summary” window

8.3. The “Protocol Hierarchy” window

8.4. Conversations

8.4.1. The “Conversations” window

8.5. Endpoints

8.5.1. The “Endpoints” window

8.6. The “IO Graphs” window

8.7. Service Response Time

8.7.1. The "Service Response Time DCE-RPC" window

8.8. Compare two capture files

8.9. WLAN Traffic Statistics

8.10. The protocol specific statistics windows

9. Telephony

9.1. Introduction
9.2. RTP Analysis
9.3. IAX2 Analysis
9.4. VoIP Calls
9.5. LTE MAC Traffic Statistics
9.6. LTE RLC Traffic Statistics
9.7. The protocol specific statistics windows

10. Customizing Wireshark

A. Wireshark Messages

A.1. Packet List Messages

A.1.1. [Malformed Packet]
A.1.2. [Packet size limited during capture]

A.2. Packet Details Messages

A.2.1. [Response in frame: 123]
A.2.2. [Request in frame: 123]
A.2.3. [Time from request: 0.123 seconds]
A.2.4. [Stream setup by PROTOCOL (frame 123)]

B. Files and Folders

B.1. Capture Files

B.1.1. Libpcap File Contents
B.1.2. Not Saved in the Capture File

B.2. Configuration File and Plugin Folders

B.2.1. Folders on Windows
B.2.2. Folders on Unix-like systems

B.3. Configuration Files

B.3.1. Protocol help configuration

B.4. Plugin folders

B.5. Windows folders

B.5.1. Windows profiles
B.5.2. Windows roaming profiles
B.5.3. Windows temporary folder

C. Protocols and Protocol Fields

D. Related command line tools

D.1. Introduction
D.2. tshark: Terminal-based Wireshark
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark
D.5. capinfos: Print information about capture files
D.6. rawshark: Dump and analyze network traffic.
D.7. editcap: Edit capture files
D.8. mergecap: Merging multiple capture files into one
D.9. text2pcap: Converting ASCII hexdumps to network captures
D.10. reordercap: Reorder a capture file

11. This Document’s License (GPL)

List of Figures

1.1. Wireshark captures packets and lets you examine their contents.
3.1. The Main window
3.2. The Menu
3.3. The “File” Menu
3.4. The “Edit” Menu
3.5. The “View” Menu
3.6. The “Go” Menu
3.7. The “Capture” Menu
3.8. The “Analyze” Menu
3.9. The “Statistics” Menu
3.10. The “Telephony” Menu
3.11. The “Tools” Menu
3.12. The “Internals” Menu
3.13. The “Help” Menu
3.14. The “Main” toolbar
3.15. The “Filter” toolbar
3.16. The “Packet List” pane
3.17. The “Packet Details” pane
3.18. The “Packet Bytes” pane
3.19. The “Packet Bytes” pane with tabs
3.20. The initial Statusbar
3.21. The Statusbar with a loaded capture file
3.22. The Statusbar with a configuration profile menu
3.23. The Statusbar with a selected protocol field
3.24. The Statusbar with a display filter message
4.1. The “Capture Interfaces” dialog box on Microsoft Windows
4.2. The “Capture Interfaces” dialog box on Unix/Linux
4.3. The “Capture Options” dialog box
4.4. The “Edit Interface Settings” dialog box
4.5. The “Compile Results” dialog box
4.6. The “Add New Interfaces” dialog box
4.7. The “Add New Interfaces - Pipes” dialog box
4.8. The “Add New Interfaces - Local Interfaces” dialog box
4.9. The “Add New Interfaces - Remote Interfaces” dialog box
4.10. The “Remote Capture Interfaces” dialog box
4.11. The “Remote Capture Settings” dialog box
4.12. The “Interface Details” dialog box
4.13. Capture output options
5.1. “Open” on Microsoft Windows
5.2. “Open” - Linux and UNIX
5.3. “Save” on Microsoft Windows
5.4. “Save” on Linux and UNIX
5.5. “Merge” on Microsoft Windows
5.6. “Merge” on Linux and UNIX
5.7. The “Import from Hex Dump” dialog
5.8. The "List Files" dialog box
5.9. The “Export as Plain Text File” dialog box
5.10. The "Export as PostScript File" dialog box
5.11. The "Export as PSML File" dialog box
5.12. The "Export as PDML File" dialog box
5.13. The "Export Selected Packet Bytes" dialog box
5.14. The "Export Objects" dialog box
5.15. The “Print” dialog box
5.16. The “Packet Range” frame
5.17. The “Packet Format” frame
6.1. Wireshark with a TCP packet selected for viewing
6.2. Viewing a packet in a separate window
6.3. Pop-up menu of the “Packet List” column header
6.4. Pop-up menu of the “Packet List” pane
6.5. Pop-up menu of the “Packet Details” pane
6.6. Filtering on the TCP protocol
6.7. The “Filter Expression” dialog box
6.8. The “Capture Filters” and “Display Filters” dialog boxes
6.9. The “Find Packet” dialog box
6.10. The “Go To Packet” dialog box
6.11. Wireshark showing a time referenced packet
7.1. The “Follow TCP Stream” dialog box
7.2. The “Expert Info” dialog box
7.3. The “Colorized” protocol details tree
7.4. The “Expert” packet list column
7.5. “TCP Analysis” packet detail items
7.6. The “Packet Bytes” pane with a reassembled tab
8.1. The “Summary” window
8.2. The “Protocol Hierarchy” window
8.3. The “Conversations” window
8.4. The “Endpoints” window
8.5. The “IO Graphs” window
8.6. The "Compute DCE-RPC statistics" window
8.7. The "DCE-RPC Statistic for …" window
8.8. The "Compare" window
8.9. The "WLAN Traffic Statistics" window
9.1. The “RTP Stream Analysis” window
9.2. The “LTE MAC Traffic Statistics” window
9.3. The “LTE RLC Traffic Statistics” window
10.1. The “Coloring Rules” dialog box
10.2. A color chooser
10.3. Using color filters with Wireshark
10.4. The “Enabled Protocols” dialog box
10.5. The “Decode As” dialog box
10.6. The “Decode As: Show” dialog box
10.7. The preferences dialog box
10.8. The interface options dialog box
10.9. The configuration profiles dialog box

List of Tables

3.1. Keyboard Navigation
3.2. File menu items
3.3. Edit menu items
3.4. View menu items
3.5. Go menu items
3.6. Capture menu items
3.7. Analyze menu items
3.8. Statistics menu items
3.9. Telephony menu items
3.10. Tools menu items
3.11. Internals menu items
3.12. Help menu items
3.13. Main toolbar items
3.14. Filter toolbar items
3.15. Related packet symbols
4.1. Capture file mode selected by capture options
6.1. The menu items of the “Packet List” column header pop-up menu
6.2. The menu items of the “Packet List” pop-up menu
6.3. The menu items of the “Packet Details” pop-up menu
6.4. Display Filter comparison operators
6.5. Display Filter Logical Operations
7.1. Some example expert infos
7.2. Time zone examples for UTC arrival times (without DST)
B.1. Configuration files overview

List of Examples

4.1. A capture filter for telnet that captures traffic to and from a particular host
4.2. Capturing all telnet traffic not from 10.0.0.5
10.1. Help information available from Wireshark

previous page start next page