Table of Contents

Preface

1. Foreword

2. Who should read this document?

3. Acknowledgements

4. About this document

5. Where to get the latest copy of this document?

6. Providing feedback about this document

1. Introduction

1.1. What is Wireshark?

1.1.1. Some intended purposes

1.1.2. Features

1.1.3. Live capture from many different network media

1.1.4. Import files from many other capture programs

1.1.5. Export files for many other capture programs

1.1.6. Many protocol decoders

1.1.7. Open Source Software

1.1.8. What Wireshark is not

1.2. System Requirements

1.2.1. General Remarks

1.2.2. Microsoft Windows

1.2.3. Unix / Linux

1.3. Where to get Wireshark?

1.4. A brief history of Wireshark

1.5. Development and maintenance of Wireshark

1.6. Reporting problems and getting help

1.6.1. Website

1.6.2. Wiki

1.6.3. Q&A Forum

1.6.4. FAQ

1.6.5. Mailing Lists

1.6.6. Reporting Problems

1.6.7. Reporting Crashes on UNIX/Linux platforms

1.6.8. Reporting Crashes on Windows platforms

2. Building and Installing Wireshark

2.1. Introduction

2.2. Obtaining the source and binary distributions

2.3. Before you build Wireshark under UNIX

2.4. Building Wireshark from source under UNIX

2.5. Installing the binaries under UNIX

2.5.1. Installing from rpm's under Red Hat and alike

2.5.2. Installing from deb's under Debian, Ubuntu and other Debian derivatives

2.5.3. Installing from portage under Gentoo Linux

2.5.4. Installing from packages under FreeBSD

2.6. Troubleshooting during the install on Unix

2.7. Building from source under Windows

2.8. Installing Wireshark under Windows

2.8.1. Install Wireshark

2.8.2. Manual WinPcap Installation

2.8.3. Update Wireshark

2.8.4. Update WinPcap

2.8.5. Uninstall Wireshark

2.8.6. Uninstall WinPcap

3. User Interface

3.1. Introduction

3.2. Start Wireshark

3.3. The Main window

3.3.1. Main Window Navigation

3.4. The Menu

3.5. The "File" menu

3.6. The "Edit" menu

3.7. The "View" menu

3.8. The "Go" menu

3.9. The "Capture" menu

3.10. The "Analyze" menu

3.11. The "Statistics" menu

3.12. The "Telephony" menu

3.13. The "Tools" menu

3.14. The "Internals" menu

3.15. The "Help" menu

3.16. The "Main" toolbar

3.17. The "Filter" toolbar

3.18. The "Packet List" pane

3.19. The "Packet Details" pane

3.20. The "Packet Bytes" pane

3.21. The Statusbar

4. Capturing Live Network Data

4.1. Introduction

4.2. Prerequisites

4.3. Start Capturing

4.4. The "Capture Interfaces" dialog box

4.5. The "Capture Options" dialog box

4.5.1. Capture frame

4.5.2. Capture File(s) frame

4.5.3. Stop Capture... frame

4.5.4. Display Options frame

4.5.5. Name Resolution frame

4.5.6. Buttons

4.6. The "Edit Interface Settings" dialog box

4.7. The "Compile Results" dialog box

4.8. The "Add New Interfaces" dialog box

4.8.1. Add or remove pipes

4.8.2. Add or hide local interfaces

4.8.3. Add or hide remote interfaces

4.9. The "Remote Capture Interfaces" dialog box

4.9.1. Remote Capture Interfaces

4.9.2. Remote Capture Settings

4.10. The "Interface Details" dialog box

4.11. Capture files and file modes

4.12. Link-layer header type

4.13. Filtering while capturing

4.13.1. Automatic Remote Traffic Filtering

4.14. While a Capture is running ...

4.14.1. Stop the running capture

4.14.2. Restart a running capture

5. File Input / Output and Printing

5.1. Introduction

5.2. Open capture files

5.2.1. The "Open Capture File" dialog box

5.2.2. Input File Formats

5.3. Saving captured packets

5.3.1. The "Save Capture File As" dialog box

5.3.2. Output File Formats

5.4. Merging capture files

5.4.1. The "Merge with Capture File" dialog box

5.5. Import hex dump

5.5.1. The "Import from Hex Dump" dialog box

5.6. File Sets

5.6.1. The "List Files" dialog box

5.7. Exporting data

5.7.1. The "Export as Plain Text File" dialog box

5.7.2. The "Export as PostScript File" dialog box

5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box

5.7.4. The "Export as C Arrays (packet bytes) file" dialog box

5.7.5. The "Export as PSML File" dialog box

5.7.6. The "Export as PDML File" dialog box

5.7.7. The "Export selected packet bytes" dialog box

5.7.8. The "Export Objects" dialog box

5.8. Printing packets

5.8.1. The "Print" dialog box

5.9. The Packet Range frame

5.10. The Packet Format frame

6. Working with captured packets

6.1. Viewing packets you have captured

6.2. Pop-up menus

6.2.1. Pop-up menu of the "Packet List" column header

6.2.2. Pop-up menu of the "Packet List" pane

6.2.3. Pop-up menu of the "Packet Details" pane

6.3. Filtering packets while viewing

6.4. Building display filter expressions

6.4.1. Display filter fields

6.4.2. Comparing values

6.4.3. Combining expressions

6.4.4. A common mistake

6.5. The "Filter Expression" dialog box

6.6. Defining and saving filters

6.7. Defining and saving filter macros

6.8. Finding packets

6.8.1. The "Find Packet" dialog box

6.8.2. The "Find Next" command

6.8.3. The "Find Previous" command

6.9. Go to a specific packet

6.9.1. The "Go Back" command

6.9.2. The "Go Forward" command

6.9.3. The "Go to Packet" dialog box

6.9.4. The "Go to Corresponding Packet" command

6.9.5. The "Go to First Packet" command

6.9.6. The "Go to Last Packet" command

6.10. Marking packets

6.11. Ignoring packets

6.12. Time display formats and time references

6.12.1. Packet time referencing

7. Advanced Topics

7.1. Introduction

7.2. Following TCP streams

7.2.1. The "Follow TCP Stream" dialog box

7.3. Expert Infos

7.3.1. Expert Info Entries

7.3.2. "Expert Info" dialog

7.3.3. "Colorized" Protocol Details Tree

7.3.4. "Expert" Packet List Column (optional)

7.4. Time Stamps

7.4.1. Wireshark internals

7.4.2. Capture file formats

7.4.3. Accuracy

7.5. Time Zones

7.5.1. Set your computer's time correctly!

7.5.2. Wireshark and Time Zones

7.6. Packet Reassembling

7.6.1. What is it?

7.6.2. How Wireshark handles it

7.7. Name Resolution

7.7.1. Name Resolution drawbacks

7.7.2. Ethernet name resolution (MAC layer)

7.7.3. IP name resolution (network layer)

7.7.4. IPX name resolution (network layer)

7.7.5. TCP/UDP port name resolution (transport layer)

7.8. Checksums

7.8.1. Wireshark checksum validation

7.8.2. Checksum offloading

8. Statistics

8.1. Introduction

8.2. The "Summary" window

8.3. The "Protocol Hierarchy" window

8.4. Conversations

8.4.1. What is a Conversation?

8.4.2. The "Conversations" window

8.4.3. The protocol specific "Conversation List" windows

8.5. Endpoints

8.5.1. What is an Endpoint?

8.5.2. The "Endpoints" window

8.5.3. The protocol specific "Endpoint List" windows

8.6. The "IO Graphs" window

8.7. Service Response Time

8.7.1. The "Service Response Time DCE-RPC" window

8.8. Compare two capture files

8.9. WLAN Traffic Statistics

8.10. The protocol specific statistics windows

9. Telephony

9.1. Introduction

9.2. RTP Analysis

9.3. VoIP Calls

9.4. LTE MAC Traffic Statistics

9.5. LTE RLC Traffic Statistics

9.6. The protocol specific statistics windows

10. Customizing Wireshark

10.1. Introduction

10.2. Start Wireshark from the command line

10.3. Packet colorization

10.4. Control Protocol dissection

10.4.1. The "Enabled Protocols" dialog box

10.4.2. User Specified Decodes

10.4.3. Show User Specified Decodes

10.5. Preferences

10.5.1. Interface Options

10.6. Configuration Profiles

10.7. User Table

10.8. Display Filter Macros

10.9. ESS Category Attributes

10.10. GeoIP Database Paths

10.11. IKEv2 decryption table

10.12. Object Identifiers

10.13. PRES Users Context List

10.14. SCCP users Table

10.15. SMI (MIB and PIB) Modules

10.16. SMI (MIB and PIB) Paths

10.17. SNMP Enterprise Specific Trap Types

10.18. SNMP users Table

10.19. Tektronix K12xx/15 RF5 protocols Table

10.20. User DLTs protocol table

11. Lua Support in Wireshark

11.1. Introduction

11.2. Example of Dissector written in Lua

11.3. Example of Listener written in Lua

11.4. Wireshark's Lua API Reference Manual

11.5. Saving capture files

11.5.1. Dumper

11.5.2. PseudoHeader

11.6. Obtaining dissection data

11.6.1. Field

11.6.2. FieldInfo

11.6.3. Non Method Functions

11.7. GUI support

11.7.1. ProgDlg

11.7.2. TextWindow

11.7.3. Non Method Functions

11.8. Post-dissection packet analysis

11.8.1. Listener

11.9. Obtaining packet information

11.9.1. Address

11.9.2. Column

11.9.3. Columns

11.9.4. NSTime

11.9.5. Pinfo

11.9.6. PrivateTable

11.10. Functions for writing dissectors

11.10.1. Dissector

11.10.2. DissectorTable

11.10.3. Pref

11.10.4. Prefs

11.10.5. Proto

11.10.6. ProtoField

11.10.7. Non Method Functions

11.11. Adding information to the dissection tree

11.11.1. TreeItem

11.12. Functions for handling packet data

11.12.1. ByteArray

11.12.2. Int

11.12.3. Tvb

11.12.4. TvbRange

11.12.5. UInt

11.13. Utility Functions

11.13.1. Dir

11.13.2. Non Method Functions

A. Files and Folders

A.1. Capture Files

A.1.1. Libpcap File Contents

A.1.2. Not Saved in the Capture File

A.2. Configuration Files and Folders

A.2.1. Protocol help configuration

A.3. Windows folders

A.3.1. Windows profiles

A.3.2. Windows 7, Vista, XP, 2000, and NT roaming profiles

A.3.3. Windows temporary folder

B. Protocols and Protocol Fields

C. Wireshark Messages

C.1. Packet List Messages

C.1.1. [Malformed Packet]

C.1.2. [Packet size limited during capture]

C.2. Packet Details Messages

C.2.1. [Response in frame: 123]

C.2.2. [Request in frame: 123]

C.2.3. [Time from request: 0.123 seconds]

C.2.4. [Stream setup by PROTOCOL (frame 123)]

D. Related command line tools

D.1. Introduction

D.2. tshark: Terminal-based Wireshark

D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark

D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark

D.5. capinfos: Print information about capture files

D.6. rawshark: Dump and analyze network traffic.

D.7. editcap: Edit capture files

D.8. mergecap: Merging multiple capture files into one

D.9. text2pcap: Converting ASCII hexdumps to network captures

D.10. idl2wrs: Creating dissectors from CORBA IDL files

D.10.1. What is it?

D.10.2. Why do this?

D.10.3. How to use idl2wrs

D.10.4. TODO

D.10.5. Limitations

D.10.6. Notes

D.11. reordercap: Reorder a capture file

E. This Document's License (GPL)

List of Figures

1.1. Wireshark captures packets and allows you to examine their content.

3.1. The Main window

3.2. The Menu

3.3. The "File" Menu

3.4. The "Edit" Menu

3.5. The "View" Menu

3.6. The "Go" Menu

3.7. The "Capture" Menu

3.8. The "Analyze" Menu

3.9. The "Statistics" Menu

3.10. The "Telephony" Menu

3.11. The "Tools" Menu

3.12. The "Internals" Menu

3.13. The "Help" Menu

3.14. The "Main" toolbar

3.15. The "Filter" toolbar

3.16. The "Packet List" pane

3.17. The "Packet Details" pane

3.18. The "Packet Bytes" pane

3.19. The "Packet Bytes" pane with tabs

3.20. The initial Statusbar

3.21. The Statusbar with a loaded capture file

3.22. The Statusbar with a configuration profile menu

3.23. The Statusbar with a selected protocol field

3.24. The Statusbar with a display filter message

4.1. The "Capture Interfaces" dialog box on Microsoft Windows

4.2. The "Capture Interfaces" dialog box on Unix/Linux

4.3. The "Capture Options" dialog box

4.4. The "Edit Interface Settings" dialog box

4.5. The "Compile Results" dialog box

4.6. The "Add New Interfaces" dialog box

4.7. The "Add New Interfaces - Pipes" dialog box

4.8. The "Add New Interfaces - Local Interfaces" dialog box

4.9. The "Add New Interfaces - Remote Interfaces" dialog box

4.10. The "Remote Capture Interfaces" dialog box

4.11. The "Remote Capture Settings" dialog box

4.12. The "Interface Details" dialog box

4.13. The "Capture Info" dialog box

5.1. "Open" on native Windows

5.2. "Open" - new GTK version

5.3. "Open" - old GTK version

5.4. "Save" on native Windows

5.5. "Save" - new GTK version

5.6. "Save" - old GTK version

5.7. "Merge" on native Windows

5.8. "Merge" - new GTK version

5.9. "Merge" - old GTK version

5.10. The "Import from Hex Dump" dialog

5.11. The "List Files" dialog box

5.12. The "Export as Plain Text File" dialog box

5.13. The "Export as PostScript File" dialog box

5.14. The "Export as PSML File" dialog box

5.15. The "Export as PDML File" dialog box

5.16. The "Export Selected Packet Bytes" dialog box

5.17. The "Export Objects" dialog box

5.18. The "Print" dialog box

5.19. The "Packet Range" frame

5.20. The "Packet Format" frame

6.1. Wireshark with a TCP packet selected for viewing

6.2. Viewing a packet in a separate window

6.3. Pop-up menu of the "Packet List" column header

6.4. Pop-up menu of the "Packet List" pane

6.5. Pop-up menu of the "Packet Details" pane

6.6. Filtering on the TCP protocol

6.7. The "Filter Expression" dialog box

6.8. The "Capture Filters" and "Display Filters" dialog boxes

6.9. The "Find Packet" dialog box

6.10. The "Go To Packet" dialog box

6.11. Wireshark showing a time referenced packet

7.1. The "Follow TCP Stream" dialog box

7.2. The "Packet Bytes" pane with a reassembled tab

8.1. The "Summary" window

8.2. The "Protocol Hierarchy" window

8.3. The "Conversations" window

8.4. The "Endpoints" window

8.5. The "IO Graphs" window

8.6. The "Compute DCE-RPC statistics" window

8.7. The "DCE-RPC Statistic for ..." window

8.8. The "Compare" window

8.9. The "WLAN Traffic Statistics" window

9.1. The "RTP Stream Analysis" window

9.2. The "LTE MAC Traffic Statistics" window

9.3. The "LTE RLC Traffic Statistics" window

10.1. The "Coloring Rules" dialog box

10.2. The "Edit Color Filter" dialog box

10.3. The "Choose color" dialog box

10.4. Using color filters with Wireshark

10.5. The "Enabled Protocols" dialog box

10.6. The "Decode As" dialog box

10.7. The "Decode As: Show" dialog box

10.8. The preferences dialog box

10.9. The interface options dialog box

10.10. The configuration profiles dialog box

List of Tables

3.1. Keyboard Navigation

3.2. File menu items

3.3. Edit menu items

3.4. View menu items

3.5. Go menu items

3.6. Capture menu items

3.7. Analyze menu items

3.8. Statistics menu items

3.9. Telephony menu items

3.10. Tools menu items

3.11. Help menu items

3.12. Help menu items

3.13. Main toolbar items

3.14. Filter toolbar items

4.1. Capture file mode selected by capture options

5.1. The system specific "Open Capture File" dialog box

5.2. The system specific "Save Capture File As" dialog box

5.3. The system specific "Merge Capture File As" dialog box

6.1. The menu items of the "Packet List" column header pop-up menu

6.2. The menu items of the "Packet List" pop-up menu

6.3. The menu items of the "Packet Details" pop-up menu

6.4. Display Filter comparison operators

6.5. Display Filter Field Types

6.6. Display Filter Logical Operations

7.1. Some example expert infos

7.2. Time zone examples for UTC arrival times (without DST)

A.1. Configuration files and folders overview

List of Examples

2.1. Building GTK+ from source

2.2. Building and installing libpcap

2.3. Installing required RPMs under Red Hat Linux 6.2 and beyond

2.4. Installing debs under Debian, Ubuntu and other Debian derivatives

4.1. A capture filter for telnet that captures traffic to and from a particular host

4.2. Capturing all telnet traffic not from 10.0.0.5

10.1. Help information available from Wireshark

D.1. Help information available from tshark

D.2. Help information available from dumpcap

D.3. Help information available from capinfos

D.4. Help information available from rawshark

D.5. Help information available from editcap

D.6. Capture file types available from editcap

D.7. Encapsulation types available from editcap

D.8. Help information available from mergecap

D.9. Simple example of using mergecap

D.10. Help information available from text2pcap

D.11. Help information available from reordercap