Wireshark User's Guide
Wireshark
Table of contents
-
Wireshark User's Guide
-
Preface
-
Foreword
-
Who should read this document?
-
Acknowledgements
-
About this document
-
Where to get the latest copy of this document?
-
Providing feedback about this document
-
Introduction
-
What is Wireshark?
-
Some intended purposes
-
Features
-
Live capture from many different network media
-
Import files from many other capture programs
-
Export files for many other capture programs
-
Many protocol decoders
-
Open Source Software
-
What Wireshark is not
-
System Requirements
-
General Remarks
-
Microsoft Windows
-
Unix / Linux
-
Where to get Wireshark?
-
A brief history of Wireshark
-
Development and maintenance of Wireshark
-
Reporting problems and getting help
-
Website
-
Wiki
-
Q&A Forum
-
FAQ
-
Mailing Lists
-
Reporting Problems
-
Reporting Crashes on UNIX/Linux platforms
-
Reporting Crashes on Windows platforms
-
Building and Installing Wireshark
-
Introduction
-
Obtaining the source and binary distributions
-
Before you build Wireshark under UNIX
-
Building Wireshark from source under UNIX
-
Installing the binaries under UNIX
-
Installing from rpm's under Red Hat and alike
-
Installing from deb's under Debian, Ubuntu and other Debian derivatives
-
Installing from portage under Gentoo Linux
-
Installing from packages under FreeBSD
-
Troubleshooting during the install on Unix
-
Building from source under Windows
-
Installing Wireshark under Windows
-
Install Wireshark
-
"Choose Components" page
-
"Additional Tasks" page
-
"Install WinPcap?" page
-
Command line options
-
Manual WinPcap Installation
-
Update Wireshark
-
Update WinPcap
-
Uninstall Wireshark
-
Uninstall WinPcap
-
User Interface
-
Introduction
-
Start Wireshark
-
The Main window
-
Main Window Navigation
-
The Menu
-
The "File" menu
-
The "Edit" menu
-
The "View" menu
-
The "Go" menu
-
The "Capture" menu
-
The "Analyze" menu
-
The "Statistics" menu
-
The "Telephony" menu
-
The "Tools" menu
-
The "Internals" menu
-
The "Help" menu
-
The "Main" toolbar
-
The "Filter" toolbar
-
The "Packet List" pane
-
The "Packet Details" pane
-
The "Packet Bytes" pane
-
The Statusbar
-
Capturing Live Network Data
-
Introduction
-
Prerequisites
-
Start Capturing
-
The "Capture Interfaces" dialog box
-
The "Capture Options" dialog box
-
Capture frame
-
Capture File(s) frame
-
Stop Capture... frame
-
Display Options frame
-
Name Resolution frame
-
Buttons
-
The "Edit Interface Settings" dialog box
-
The "Compile Results" dialog box
-
The "Add New Interfaces" dialog box
-
Add or remove pipes
-
Add or hide local interfaces
-
Add or hide remote interfaces
-
The "Remote Capture Interfaces" dialog box
-
Remote Capture Interfaces
-
Remote Capture Settings
-
The "Interface Details" dialog box
-
Capture files and file modes
-
Link-layer header type
-
Filtering while capturing
-
Automatic Remote Traffic Filtering
-
While a Capture is running ...
-
Stop the running capture
-
Restart a running capture
-
File Input / Output and Printing
-
Introduction
-
Open capture files
-
The "Open Capture File" dialog box
-
Input File Formats
-
Saving captured packets
-
The "Save Capture File As" dialog box
-
Output File Formats
-
Merging capture files
-
The "Merge with Capture File" dialog box
-
Import hex dump
-
The "Import from Hex Dump" dialog box
-
File Sets
-
The "List Files" dialog box
-
Exporting data
-
The "Export as Plain Text File" dialog box
-
The "Export as PostScript File" dialog box
-
The "Export as CSV (Comma Separated Values) File" dialog box
-
The "Export as C Arrays (packet bytes) file" dialog box
-
The "Export as PSML File" dialog box
-
The "Export as PDML File" dialog box
-
The "Export selected packet bytes" dialog box
-
The "Export Objects" dialog box
-
Printing packets
-
The "Print" dialog box
-
The Packet Range frame
-
The Packet Format frame
-
Working with captured packets
-
Viewing packets you have captured
-
Pop-up menus
-
Pop-up menu of the "Packet List" column header
-
Pop-up menu of the "Packet List" pane
-
Pop-up menu of the "Packet Details" pane
-
Filtering packets while viewing
-
Building display filter expressions
-
Display filter fields
-
Comparing values
-
Combining expressions
-
A common mistake
-
The "Filter Expression" dialog box
-
Defining and saving filters
-
Defining and saving filter macros
-
Finding packets
-
The "Find Packet" dialog box
-
The "Find Next" command
-
The "Find Previous" command
-
Go to a specific packet
-
The "Go Back" command
-
The "Go Forward" command
-
The "Go to Packet" dialog box
-
The "Go to Corresponding Packet" command
-
The "Go to First Packet" command
-
The "Go to Last Packet" command
-
Marking packets
-
Ignoring packets
-
Time display formats and time references
-
Packet time referencing
-
Advanced Topics
-
Introduction
-
Following TCP streams
-
The "Follow TCP Stream" dialog box
-
Expert Infos
-
Expert Info Entries
-
Severity
-
Group
-
Protocol
-
Summary
-
"Expert Info" dialog
-
Errors / Warnings / Notes / Chats tabs
-
Details tab
-
"Colorized" Protocol Details Tree
-
"Expert" Packet List Column (optional)
-
Time Stamps
-
Wireshark internals
-
Capture file formats
-
Accuracy
-
Time Zones
-
Set your computer's time correctly!
-
Wireshark and Time Zones
-
Packet Reassembling
-
What is it?
-
How Wireshark handles it
-
Name Resolution
-
Name Resolution drawbacks
-
Ethernet name resolution (MAC layer)
-
IP name resolution (network layer)
-
IPX name resolution (network layer)
-
TCP/UDP port name resolution (transport layer)
-
Checksums
-
Wireshark checksum validation
-
Checksum offloading
-
Statistics
-
Introduction
-
The "Summary" window
-
The "Protocol Hierarchy" window
-
Conversations
-
What is a Conversation?
-
The "Conversations" window
-
The protocol specific "Conversation List" windows
-
Endpoints
-
What is an Endpoint?
-
The "Endpoints" window
-
The protocol specific "Endpoint List" windows
-
The "IO Graphs" window
-
Service Response Time
-
The "Service Response Time DCE-RPC" window
-
Compare two capture files
-
WLAN Traffic Statistics
-
The protocol specific statistics windows
-
Telephony
-
Introduction
-
RTP Analysis
-
VoIP Calls
-
LTE MAC Traffic Statistics
-
LTE RLC Traffic Statistics
-
The protocol specific statistics windows
-
Customizing Wireshark
-
Introduction
-
Start Wireshark from the command line
-
Packet colorization
-
Control Protocol dissection
-
The "Enabled Protocols" dialog box
-
User Specified Decodes
-
Show User Specified Decodes
-
Preferences
-
Interface Options
-
Configuration Profiles
-
User Table
-
Display Filter Macros
-
ESS Category Attributes
-
GeoIP Database Paths
-
IKEv2 decryption table
-
Object Identifiers
-
PRES Users Context List
-
SCCP users Table
-
SMI (MIB and PIB) Modules
-
SMI (MIB and PIB) Paths
-
SNMP Enterprise Specific Trap Types
-
SNMP users Table
-
Tektronix K12xx/15 RF5 protocols Table
-
User DLTs protocol table
-
Lua Support in Wireshark
-
Introduction
-
Example of Dissector written in Lua
-
Example of Listener written in Lua
-
Wireshark's Lua API Reference Manual
-
Saving capture files
-
Dumper
-
Dumper.new(filename, [filetype], [encap])
-
Arguments
-
Returns
-
dumper:close()
-
Errors
-
dumper:flush()
-
dumper:dump(timestamp, pseudoheader, bytearray)
-
Arguments
-
dumper:new_for_current([filetype])
-
Arguments
-
Returns
-
Errors
-
dumper:dump_current()
-
Errors
-
PseudoHeader
-
PseudoHeader.none()
-
Returns
-
PseudoHeader.eth([fcslen])
-
Arguments
-
Returns
-
PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len])
-
Arguments
-
Returns
-
PseudoHeader.mtp2()
-
Returns
-
Obtaining dissection data
-
Field
-
Field.new(fieldname)
-
Arguments
-
Returns
-
Errors
-
field:__call()
-
Returns
-
Errors
-
field:__tostring()
-
FieldInfo
-
fieldinfo:__len()
-
fieldinfo:__unm()
-
fieldinfo:__call()
-
fieldinfo:__tostring()
-
fieldinfo:__eq()
-
Errors
-
fieldinfo:__le()
-
fieldinfo:__lt()
-
Errors
-
fieldinfo.name
-
fieldinfo.label
-
fieldinfo.value
-
fieldinfo.len
-
fieldinfo.offset
-
fieldinfo.display
-
Non Method Functions
-
all_field_infos()
-
Errors
-
GUI support
-
ProgDlg
-
ProgDlg.new([title], [task])
-
Arguments
-
Returns
-
progdlg:update(progress, [task])
-
Arguments
-
Errors
-
progdlg:stopped()
-
Returns
-
Errors
-
progdlg:close()
-
Errors
-
TextWindow
-
TextWindow.new([title])
-
Arguments
-
Returns
-
Errors
-
textwindow:set_atclose(action)
-
Arguments
-
Returns
-
Errors
-
textwindow:set(text)
-
Arguments
-
Returns
-
Errors
-
textwindow:append(text)
-
Arguments
-
Returns
-
Errors
-
textwindow:prepend(text)
-
Arguments
-
Returns
-
Errors
-
textwindow:clear()
-
Returns
-
Errors
-
textwindow:get_text()
-
Returns
-
Errors
-
textwindow:set_editable([editable])
-
Arguments
-
Returns
-
Errors
-
textwindow:add_button(label, function)
-
Arguments
-
Returns
-
Errors
-
Non Method Functions
-
gui_enabled()
-
Returns
-
register_menu(name, action, [group])
-
Arguments
-
new_dialog(title, action, ...)
-
Arguments
-
Errors
-
retap_packets()
-
copy_to_clipboard(text)
-
Arguments
-
open_capture_file(filename, filter)
-
Arguments
-
get_filter()
-
set_filter(text)
-
Arguments
-
set_color_filter_slot(row, text)
-
Arguments
-
apply_filter()
-
reload()
-
browser_open_url(url)
-
Arguments
-
browser_open_data_file(filename)
-
Arguments
-
Post-dissection packet analysis
-
Listener
-
Listener.new([tap], [filter])
-
Arguments
-
Returns
-
Errors
-
listener:remove()
-
listener:__tostring()
-
listener.packet
-
listener.draw
-
listener.reset
-
Obtaining packet information
-
Address
-
Address.ip(hostname)
-
Arguments
-
Returns
-
address:__tostring()
-
Returns
-
address:__eq()
-
address:__le()
-
address:__lt()
-
Column
-
column:__tostring()
-
Returns
-
column:clear()
-
column:set(text)
-
Arguments
-
column:append(text)
-
Arguments
-
column:prepend(text)
-
Arguments
-
column:fence()
-
Columns
-
columns:__tostring()
-
Returns
-
columns:__newindex(column, text)
-
Arguments
-
NSTime
-
NSTime.new([seconds], [nseconds])
-
Arguments
-
Returns
-
nstime:__tostring()
-
Returns
-
nstime:__add()
-
nstime:__sub()
-
nstime:__unm()
-
nstime:__eq()
-
Errors
-
nstime:__le()
-
Errors
-
nstime:__lt()
-
Errors
-
nstime.secs
-
nstime.nsecs
-
Pinfo
-
pinfo.number
-
pinfo.len
-
pinfo.caplen
-
pinfo.abs_ts
-
pinfo.rel_ts
-
pinfo.delta_ts
-
pinfo.delta_dis_ts
-
pinfo.visited
-
pinfo.src
-
pinfo.dst
-
pinfo.lo
-
pinfo.hi
-
pinfo.dl_src
-
pinfo.dl_dst
-
pinfo.net_src
-
pinfo.net_dst
-
pinfo.ptype
-
pinfo.src_port
-
pinfo.dst_port
-
pinfo.ipproto
-
pinfo.circuit_id
-
pinfo.match
-
pinfo.curr_proto
-
pinfo.columns
-
pinfo.cols
-
pinfo.desegment_len
-
pinfo.desegment_offset
-
pinfo.private_data
-
pinfo.private
-
pinfo.ethertype
-
pinfo.fragmented
-
pinfo.in_error_pkt
-
pinfo.match_uint
-
pinfo.match_string
-
PrivateTable
-
privatetable:__tostring()
-
Returns
-
Functions for writing dissectors
-
Dissector
-
Dissector.get(name)
-
Arguments
-
Returns
-
dissector:call(tvb, pinfo, tree)
-
Arguments
-
dissector:__tostring()
-
Returns
-
DissectorTable
-
DissectorTable.new(tablename, [uiname], [type], [base])
-
Arguments
-
Returns
-
DissectorTable.get(tablename)
-
Arguments
-
Returns
-
dissectortable:add(pattern, dissector)
-
Arguments
-
dissectortable:remove(pattern, dissector)
-
Arguments
-
dissectortable:try(pattern, tvb, pinfo, tree)
-
Arguments
-
dissectortable:get_dissector(pattern)
-
Arguments
-
Returns
-
dissectortable:__tostring()
-
Returns
-
Pref
-
Pref.bool(label, default, descr)
-
Arguments
-
Pref.uint(label, default, descr)
-
Arguments
-
Pref.string(label, default, descr)
-
Arguments
-
Pref.enum(label, default, descr, enum, radio)
-
Arguments
-
Pref.range(label, default, descr, max)
-
Arguments
-
Pref.statictext(label, descr)
-
Arguments
-
Prefs
-
prefs:__newindex(name, pref)
-
Arguments
-
Errors
-
prefs:__index(name)
-
Arguments
-
Returns
-
Errors
-
Proto
-
Proto.new(name, desc)
-
Arguments
-
Returns
-
proto.dissector
-
proto.fields
-
proto.prefs
-
proto.init
-
proto.name
-
proto.description
-
ProtoField
-
ProtoField.new(name, abbr, type, [voidstring], [base], [mask], [descr])
-
Arguments
-
Returns
-
ProtoField.uint8(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.uint16(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.uint24(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.uint32(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.uint64(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.int16(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.int24(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.int64(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.framenum(abbr, [name], [base], [valuestring], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.bool(abbr, [name], [display], [string], [mask], [desc])
-
Arguments
-
Returns
-
ProtoField.absolute_time(abbr, [name], [base], [desc])
-
Arguments
-
Returns
-
ProtoField.relative_time(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.ipv4(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.ipv6(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.ether(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.float(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.double(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.string(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.stringz(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.bytes(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.ubytes(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.guid(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.oid(abbr, [name], [desc])
-
Arguments
-
Returns
-
ProtoField.bool(abbr, [name], [desc])
-
Arguments
-
Returns
-
protofield:__tostring()
-
Non Method Functions
-
register_postdissector(proto)
-
Arguments
-
Adding information to the dissection tree
-
TreeItem
-
treeitem:add_packet_field()
-
treeitem:add()
-
Returns
-
treeitem:add_le()
-
Returns
-
treeitem:set_text(text)
-
Arguments
-
treeitem:append_text(text)
-
Arguments
-
treeitem:set_expert_flags([group], [severity])
-
Arguments
-
treeitem:add_expert_info([group], [severity], [text])
-
Arguments
-
treeitem:set_generated()
-
treeitem:set_hidden()
-
treeitem:set_len(len)
-
Arguments
-
Functions for handling packet data
-
ByteArray
-
ByteArray.new([hexbytes])
-
Arguments
-
Returns
-
bytearray:__concat(first, second)
-
Arguments
-
Returns
-
Errors
-
bytearray:prepend(prepended)
-
Arguments
-
Errors
-
bytearray:append(appended)
-
Arguments
-
Errors
-
bytearray:set_size(size)
-
Arguments
-
Errors
-
bytearray:set_index(index, value)
-
Arguments
-
bytearray:get_index(index)
-
Arguments
-
Returns
-
bytearray:len()
-
Returns
-
bytearray:subset(offset, length)
-
Arguments
-
Returns
-
Int
-
Tvb
-
ByteArray.tvb(name)
-
Arguments
-
Returns
-
TvbRange.tvb(range)
-
Arguments
-
tvb:__tostring()
-
Returns
-
tvb:reported_len()
-
Returns
-
tvb:len()
-
Returns
-
tvb:reported_length_remaining()
-
Returns
-
tvb:offset()
-
Returns
-
tvb:__call()
-
wslua:__concat()
-
TvbRange
-
tvb:range([offset], [length])
-
Arguments
-
Returns
-
tvbrange:uint()
-
Returns
-
tvbrange:le_uint()
-
Returns
-
tvbrange:uint64()
-
tvbrange:le_uint64()
-
tvbrange:int()
-
Returns
-
tvbrange:le_int()
-
Returns
-
tvbrange:int64()
-
tvbrange:le_int64()
-
tvbrange:float()
-
Returns
-
tvbrange:le_float()
-
Returns
-
tvbrange:ipv4()
-
Returns
-
tvbrange:le_ipv4()
-
Returns
-
tvbrange:ether()
-
Returns
-
Errors
-
tvbrange:nstime()
-
Returns
-
Errors
-
tvbrange:le_nstime()
-
Returns
-
Errors
-
tvbrange:string()
-
Returns
-
tvbrange:ustring()
-
Returns
-
tvbrange:le_ustring()
-
Returns
-
tvbrange:stringz()
-
Returns
-
tvbrange:ustringz()
-
Returns
-
tvbrange:le_ustringz()
-
Returns
-
tvbrange:bytes()
-
Returns
-
tvbrange:bitfield([position], [length])
-
Arguments
-
Returns
-
tvbrange:range([offset], [length], name)
-
Arguments
-
Returns
-
tvbrange:len()
-
tvbrange:offset()
-
tvbrange:__tostring()
-
UInt
-
Utility Functions
-
Dir
-
Dir.open(pathname, [extension])
-
Arguments
-
Returns
-
dir:__call()
-
dir:close()
-
Non Method Functions
-
get_version()
-
Returns
-
format_date(timestamp)
-
Arguments
-
Returns
-
format_time(timestamp)
-
Arguments
-
Returns
-
report_failure(text)
-
Arguments
-
critical(...)
-
Arguments
-
warn(...)
-
Arguments
-
message(...)
-
Arguments
-
info(...)
-
Arguments
-
debug(...)
-
Arguments
-
loadfile(filename)
-
Arguments
-
dofile(filename)
-
Arguments
-
persconffile_path([filename])
-
Arguments
-
Returns
-
datafile_path([filename])
-
Arguments
-
Returns
-
register_stat_cmd_arg(argument, [action])
-
Arguments
-
Files and Folders
-
Capture Files
-
Libpcap File Contents
-
Not Saved in the Capture File
-
Configuration Files and Folders
-
Protocol help configuration
-
Windows folders
-
Windows profiles
-
Windows 7, Vista, XP, 2000, and NT roaming profiles
-
Windows temporary folder
-
Protocols and Protocol Fields
-
Wireshark Messages
-
Packet List Messages
-
[Malformed Packet]
-
[Packet size limited during capture]
-
Packet Details Messages
-
[Response in frame: 123]
-
[Request in frame: 123]
-
[Time from request: 0.123 seconds]
-
[Stream setup by PROTOCOL (frame 123)]
-
Related command line tools
-
Introduction
-
tshark: Terminal-based Wireshark
-
tcpdump: Capturing with tcpdump for viewing with Wireshark
-
dumpcap: Capturing with dumpcap for viewing with Wireshark
-
capinfos: Print information about capture files
-
rawshark: Dump and analyze network traffic
-
editcap: Edit capture files
-
mergecap: Merging multiple capture files into one
-
text2pcap: Converting ASCII hexdumps to network captures
-
idl2wrs: Creating dissectors from CORBA IDL files
-
What is it?
-
Why do this?
-
How to use idl2wrs
-
TODO
-
Limitations
-
Notes
-
reordercap: Reorder a capture file
-
This Document's License (GPL)
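The Lua API reference entries listed in the "Functions for writing dissectors" and "Functions for handling packet data" chapters above (Proto.new, ProtoField.uint8/uint16/bytes, proto.fields, proto.dissector, DissectorTable.get, dissectortable:add, tvb:range, tvbrange:uint, treeitem:add, treeitem:add_expert_info and pinfo.cols) are easiest to understand when seen together in one script. The dissector below is an added example written for this table of contents; it is not the guide's own "Example of Dissector written in Lua". The "hb" heartbeat protocol, its four-byte header layout, the field names and UDP port 9999 are all invented for illustration. It only uses calls whose signatures appear in the reference entries above, and it shows the two checks a dissector should not skip: refusing truncated input instead of indexing past the captured bytes, and flagging unexpected values with expert info rather than silently decoding them.

```lua
-- Added example (not from the Wireshark User's Guide): a minimal Lua dissector
-- for a hypothetical "hb" heartbeat protocol. Protocol, layout and port are
-- constructed for illustration only.
--
-- Assumed wire format (big-endian), 4-byte header followed by optional payload:
--   offset 0, 1 byte : version
--   offset 1, 1 byte : message type (1 = PING, 2 = PONG)
--   offset 2, 2 bytes: sequence number
--   offset 4, ...    : payload (optional)

local hb_proto = Proto.new("hb", "Hypothetical Heartbeat Protocol")

-- ProtoField.uint8(abbr, [name], [base], [valuestring], [mask], [desc])
local hb_types = { [1] = "PING", [2] = "PONG" }
local f_version = ProtoField.uint8("hb.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("hb.type", "Message Type", base.HEX, hb_types)
local f_seq     = ProtoField.uint16("hb.seq", "Sequence Number", base.DEC)
local f_payload = ProtoField.bytes("hb.payload", "Payload")

-- Registering the fields makes them usable in display filters (e.g. hb.type == 2).
hb_proto.fields = { f_version, f_type, f_seq, f_payload }

local HB_HDR_LEN = 4

-- proto.dissector receives (tvb, pinfo, tree) for each packet handed to it.
function hb_proto.dissector(tvb, pinfo, tree)
    -- tvb:len() is the captured length; a packet shorter than the header must
    -- be rejected up front, otherwise tvb:range() below would throw for
    -- truncated or hostile input.
    if tvb:len() < HB_HDR_LEN then
        return 0
    end

    pinfo.cols.protocol = "HB"

    -- treeitem:add(proto, tvbrange) creates the protocol subtree covering the
    -- whole packet; each field is then added with the exact byte range it
    -- occupies so the Packet Bytes pane highlights it correctly.
    local subtree = tree:add(hb_proto, tvb:range(0))
    subtree:add(f_version, tvb:range(0, 1))
    subtree:add(f_type,    tvb:range(1, 1))
    subtree:add(f_seq,     tvb:range(2, 2))

    local msg_type = tvb:range(1, 1):uint()
    local seq      = tvb:range(2, 2):uint()
    local type_name = hb_types[msg_type] or "UNKNOWN"
    pinfo.cols.info = string.format("%s seq=%d", type_name, seq)

    -- Anything past the header is opaque payload.
    if tvb:len() > HB_HDR_LEN then
        subtree:add(f_payload, tvb:range(HB_HDR_LEN))
    end

    -- treeitem:add_expert_info([group], [severity], [text]): surface an
    -- out-of-spec type in the Expert Infos dialog instead of decoding silently.
    if hb_types[msg_type] == nil then
        subtree:add_expert_info(PI_MALFORMED, PI_WARN,
            string.format("Unknown hb message type 0x%02x", msg_type))
    end

    return tvb:len()
end

-- DissectorTable.get(tablename) / dissectortable:add(pattern, dissector):
-- hook the dissector onto UDP port 9999 (assumed port for the example).
local udp_table = DissectorTable.get("udp.port")
udp_table:add(9999, hb_proto)
```

To try it, save the script in the plugins directory (or pass it with `-X lua_script:hb.lua` on the command line, as described in "Start Wireshark from the command line"), open a capture containing UDP traffic on port 9999, and filter with `hb.type == 1` or check the Expert Infos dialog for packets with an unknown type.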