Wireshark User's Guide

Wireshark

previous page next page

Wireshark User's Guide

for Wireshark 1.10

Ulf Lamping

Richard Sharpe

NS Computer Software and Services P/L

Ed Warnicke

Copyright © 2004-2013 Ulf Lamping , Richard Sharpe , Ed Warnicke

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.

All logos and trademarks in this document are property of their respective owner.

Table of Contents

Preface
1. Foreword
2. Who should read this document?
3. Acknowledgements
4. About this document
5. Where to get the latest copy of this document?
6. Providing feedback about this document
1. Introduction
1.1. What is Wireshark?
1.1.1. Some intended purposes
1.1.2. Features
1.1.3. Live capture from many different network media
1.1.4. Import files from many other capture programs
1.1.5. Export files for many other capture programs
1.1.6. Many protocol decoders
1.1.7. Open Source Software
1.1.8. What Wireshark is not
1.2. System Requirements
1.2.1. General Remarks
1.2.2. Microsoft Windows
1.2.3. Unix / Linux
1.3. Where to get Wireshark?
1.4. A brief history of Wireshark
1.5. Development and maintenance of Wireshark
1.6. Reporting problems and getting help
1.6.1. Website
1.6.2. Wiki
1.6.3. Q&A Forum
1.6.4. FAQ
1.6.5. Mailing Lists
1.6.6. Reporting Problems
1.6.7. Reporting Crashes on UNIX/Linux platforms
1.6.8. Reporting Crashes on Windows platforms
2. Building and Installing Wireshark
2.1. Introduction
2.2. Obtaining the source and binary distributions
2.3. Before you build Wireshark under UNIX
2.4. Building Wireshark from source under UNIX
2.5. Installing the binaries under UNIX
2.5.1. Installing from rpm's under Red Hat and alike
2.5.2. Installing from deb's under Debian, Ubuntu and other Debian derivatives
2.5.3. Installing from portage under Gentoo Linux
2.5.4. Installing from packages under FreeBSD
2.6. Troubleshooting during the install on Unix
2.7. Building from source under Windows
2.8. Installing Wireshark under Windows
2.8.1. Install Wireshark
2.8.2. Manual WinPcap Installation
2.8.3. Update Wireshark
2.8.4. Update WinPcap
2.8.5. Uninstall Wireshark
2.8.6. Uninstall WinPcap
3. User Interface
3.1. Introduction
3.2. Start Wireshark
3.3. The Main window
3.3.1. Main Window Navigation
3.4. The Menu
3.5. The "File" menu
3.6. The "Edit" menu
3.7. The "View" menu
3.8. The "Go" menu
3.9. The "Capture" menu
3.10. The "Analyze" menu
3.11. The "Statistics" menu
3.12. The "Telephony" menu
3.13. The "Tools" menu
3.14. The "Internals" menu
3.15. The "Help" menu
3.16. The "Main" toolbar
3.17. The "Filter" toolbar
3.18. The "Packet List" pane
3.19. The "Packet Details" pane
3.20. The "Packet Bytes" pane
3.21. The Statusbar
4. Capturing Live Network Data
4.1. Introduction
4.2. Prerequisites
4.3. Start Capturing
4.4. The "Capture Interfaces" dialog box
4.5. The "Capture Options" dialog box
4.5.1. Capture frame
4.5.2. Capture File(s) frame
4.5.3. Stop Capture... frame
4.5.4. Display Options frame
4.5.5. Name Resolution frame
4.5.6. Buttons
4.6. The "Edit Interface Settings" dialog box
4.7. The "Compile Results" dialog box
4.8. The "Add New Interfaces" dialog box
4.8.1. Add or remove pipes
4.8.2. Add or hide local interfaces
4.8.3. Add or hide remote interfaces
4.9. The "Remote Capture Interfaces" dialog box
4.9.1. Remote Capture Interfaces
4.9.2. Remote Capture Settings
4.10. The "Interface Details" dialog box
4.11. Capture files and file modes
4.12. Link-layer header type
4.13. Filtering while capturing
4.13.1. Automatic Remote Traffic Filtering
4.14. While a Capture is running ...
4.14.1. Stop the running capture
4.14.2. Restart a running capture
5. File Input / Output and Printing
5.1. Introduction
5.2. Open capture files
5.2.1. The "Open Capture File" dialog box
5.2.2. Input File Formats
5.3. Saving captured packets
5.3.1. The "Save Capture File As" dialog box
5.3.2. Output File Formats
5.4. Merging capture files
5.4.1. The "Merge with Capture File" dialog box
5.5. Import hex dump
5.5.1. The "Import from Hex Dump" dialog box
5.6. File Sets
5.6.1. The "List Files" dialog box
5.7. Exporting data
5.7.1. The "Export as Plain Text File" dialog box
5.7.2. The "Export as PostScript File" dialog box
5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box
5.7.4. The "Export as C Arrays (packet bytes) file" dialog box
5.7.5. The "Export as PSML File" dialog box
5.7.6. The "Export as PDML File" dialog box
5.7.7. The "Export selected packet bytes" dialog box
5.7.8. The "Export Objects" dialog box
5.8. Printing packets
5.8.1. The "Print" dialog box
5.9. The Packet Range frame
5.10. The Packet Format frame
6. Working with captured packets
6.1. Viewing packets you have captured
6.2. Pop-up menus
6.2.1. Pop-up menu of the "Packet List" column header
6.2.2. Pop-up menu of the "Packet List" pane
6.2.3. Pop-up menu of the "Packet Details" pane
6.3. Filtering packets while viewing
6.4. Building display filter expressions
6.4.1. Display filter fields
6.4.2. Comparing values
6.4.3. Combining expressions
6.4.4. A common mistake
6.5. The "Filter Expression" dialog box
6.6. Defining and saving filters
6.7. Defining and saving filter macros
6.8. Finding packets
6.8.1. The "Find Packet" dialog box
6.8.2. The "Find Next" command
6.8.3. The "Find Previous" command
6.9. Go to a specific packet
6.9.1. The "Go Back" command
6.9.2. The "Go Forward" command
6.9.3. The "Go to Packet" dialog box
6.9.4. The "Go to Corresponding Packet" command
6.9.5. The "Go to First Packet" command
6.9.6. The "Go to Last Packet" command
6.10. Marking packets
6.11. Ignoring packets
6.12. Time display formats and time references
6.12.1. Packet time referencing
7. Advanced Topics
7.1. Introduction
7.2. Following TCP streams
7.2.1. The "Follow TCP Stream" dialog box
7.3. Expert Infos
7.3.1. Expert Info Entries
7.3.2. "Expert Info" dialog
7.3.3. "Colorized" Protocol Details Tree
7.3.4. "Expert" Packet List Column (optional)
7.4. Time Stamps
7.4.1. Wireshark internals
7.4.2. Capture file formats
7.4.3. Accuracy
7.5. Time Zones
7.5.1. Set your computer's time correctly!
7.5.2. Wireshark and Time Zones
7.6. Packet Reassembling
7.6.1. What is it?
7.6.2. How Wireshark handles it
7.7. Name Resolution
7.7.1. Name Resolution drawbacks
7.7.2. Ethernet name resolution (MAC layer)
7.7.3. IP name resolution (network layer)
7.7.4. IPX name resolution (network layer)
7.7.5. TCP/UDP port name resolution (transport layer)
7.8. Checksums
7.8.1. Wireshark checksum validation
7.8.2. Checksum offloading
8. Statistics
8.1. Introduction
8.2. The "Summary" window
8.3. The "Protocol Hierarchy" window
8.4. Conversations
8.4.1. What is a Conversation?
8.4.2. The "Conversations" window
8.4.3. The protocol specific "Conversation List" windows
8.5. Endpoints
8.5.1. What is an Endpoint?
8.5.2. The "Endpoints" window
8.5.3. The protocol specific "Endpoint List" windows
8.6. The "IO Graphs" window
8.7. Service Response Time
8.7.1. The "Service Response Time DCE-RPC" window
8.8. Compare two capture files
8.9. WLAN Traffic Statistics
8.10. The protocol specific statistics windows
9. Telephony
9.1. Introduction
9.2. RTP Analysis
9.3. VoIP Calls
9.4. LTE MAC Traffic Statistics
9.5. LTE RLC Traffic Statistics
9.6. The protocol specific statistics windows
10. Customizing Wireshark
10.1. Introduction
10.2. Start Wireshark from the command line
10.3. Packet colorization
10.4. Control Protocol dissection
10.4.1. The "Enabled Protocols" dialog box
10.4.2. User Specified Decodes
10.4.3. Show User Specified Decodes
10.5. Preferences
10.5.1. Interface Options
10.6. Configuration Profiles
10.7. User Table
10.8. Display Filter Macros
10.9. ESS Category Attributes
10.10. GeoIP Database Paths
10.11. IKEv2 decryption table
10.12. Object Identifiers
10.13. PRES Users Context List
10.14. SCCP users Table
10.15. SMI (MIB and PIB) Modules
10.16. SMI (MIB and PIB) Paths
10.17. SNMP Enterprise Specific Trap Types
10.18. SNMP users Table
10.19. Tektronix K12xx/15 RF5 protocols Table
10.20. User DLTs protocol table
11. Lua Support in Wireshark
11.1. Introduction
11.2. Example of Dissector written in Lua
11.3. Example of Listener written in Lua
11.4. Wireshark's Lua API Reference Manual
11.5. Saving capture files
11.5.1. Dumper
11.5.2. PseudoHeader
11.6. Obtaining dissection data
11.6.1. Field
11.6.2. FieldInfo
11.6.3. Non Method Functions
11.7. GUI support
11.7.1. ProgDlg
11.7.2. TextWindow
11.7.3. Non Method Functions
11.8. Post-dissection packet analysis
11.8.1. Listener
11.9. Obtaining packet information
11.9.1. Address
11.9.2. Column
11.9.3. Columns
11.9.4. NSTime
11.9.5. Pinfo
11.9.6. PrivateTable
11.10. Functions for writing dissectors
11.10.1. Dissector
11.10.2. DissectorTable
11.10.3. Pref
11.10.4. Prefs
11.10.5. Proto
11.10.6. ProtoField
11.10.7. Non Method Functions
11.11. Adding information to the dissection tree
11.11.1. TreeItem
11.12. Functions for handling packet data
11.12.1. ByteArray
11.12.2. Int
11.12.3. Tvb
11.12.4. TvbRange
11.12.5. UInt
11.13. Utility Functions
11.13.1. Dir
11.13.2. Non Method Functions
A. Files and Folders
A.1. Capture Files
A.1.1. Libpcap File Contents
A.1.2. Not Saved in the Capture File
A.2. Configuration Files and Folders
A.2.1. Protocol help configuration
A.3. Windows folders
A.3.1. Windows profiles
A.3.2. Windows 7, Vista, XP, 2000, and NT roaming profiles
A.3.3. Windows temporary folder
B. Protocols and Protocol Fields
C. Wireshark Messages
C.1. Packet List Messages
C.1.1. [Malformed Packet]
C.1.2. [Packet size limited during capture]
C.2. Packet Details Messages
C.2.1. [Response in frame: 123]
C.2.2. [Request in frame: 123]
C.2.3. [Time from request: 0.123 seconds]
C.2.4. [Stream setup by PROTOCOL (frame 123)]
D. Related command line tools
D.1. Introduction
D.2. tshark: Terminal-based Wireshark
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark
D.5. capinfos: Print information about capture files
D.6. rawshark: Dump and analyze network traffic.
D.7. editcap: Edit capture files
D.8. mergecap: Merging multiple capture files into one
D.9. text2pcap: Converting ASCII hexdumps to network captures
D.10. idl2wrs: Creating dissectors from CORBA IDL files
D.10.1. What is it?
D.10.2. Why do this?
D.10.3. How to use idl2wrs
D.10.4. TODO
D.10.5. Limitations
D.10.6. Notes
D.11. reordercap: Reorder a capture file
E. This Document's License (GPL)

List of Figures

1.1. Wireshark captures packets and allows you to examine their content.
3.1. The Main window
3.2. The Menu
3.3. The "File" Menu
3.4. The "Edit" Menu
3.5. The "View" Menu
3.6. The "Go" Menu
3.7. The "Capture" Menu
3.8. The "Analyze" Menu
3.9. The "Statistics" Menu
3.10. The "Telephony" Menu
3.11. The "Tools" Menu
3.12. The "Internals" Menu
3.13. The "Help" Menu
3.14. The "Main" toolbar
3.15. The "Filter" toolbar
3.16. The "Packet List" pane
3.17. The "Packet Details" pane
3.18. The "Packet Bytes" pane
3.19. The "Packet Bytes" pane with tabs
3.20. The initial Statusbar
3.21. The Statusbar with a loaded capture file
3.22. The Statusbar with a configuration profile menu
3.23. The Statusbar with a selected protocol field
3.24. The Statusbar with a display filter message
4.1. The "Capture Interfaces" dialog box on Microsoft Windows
4.2. The "Capture Interfaces" dialog box on Unix/Linux
4.3. The "Capture Options" dialog box
4.4. The "Edit Interface Settings" dialog box
4.5. The "Compile Results" dialog box
4.6. The "Add New Interfaces" dialog box
4.7. The "Add New Interfaces - Pipes" dialog box
4.8. The "Add New Interfaces - Local Interfaces" dialog box
4.9. The "Add New Interfaces - Remote Interfaces" dialog box
4.10. The "Remote Capture Interfaces" dialog box
4.11. The "Remote Capture Settings" dialog box
4.12. The "Interface Details" dialog box
4.13. The "Capture Info" dialog box
5.1. "Open" on native Windows
5.2. "Open" - new GTK version
5.3. "Open" - old GTK version
5.4. "Save" on native Windows
5.5. "Save" - new GTK version
5.6. "Save" - old GTK version
5.7. "Merge" on native Windows
5.8. "Merge" - new GTK version
5.9. "Merge" - old GTK version
5.10. The "Import from Hex Dump" dialog
5.11. The "List Files" dialog box
5.12. The "Export as Plain Text File" dialog box
5.13. The "Export as PostScript File" dialog box
5.14. The "Export as PSML File" dialog box
5.15. The "Export as PDML File" dialog box
5.16. The "Export Selected Packet Bytes" dialog box
5.17. The "Export Objects" dialog box
5.18. The "Print" dialog box
5.19. The "Packet Range" frame
5.20. The "Packet Format" frame
6.1. Wireshark with a TCP packet selected for viewing
6.2. Viewing a packet in a separate window
6.3. Pop-up menu of the "Packet List" column header
6.4. Pop-up menu of the "Packet List" pane
6.5. Pop-up menu of the "Packet Details" pane
6.6. Filtering on the TCP protocol
6.7. The "Filter Expression" dialog box
6.8. The "Capture Filters" and "Display Filters" dialog boxes
6.9. The "Find Packet" dialog box
6.10. The "Go To Packet" dialog box
6.11. Wireshark showing a time referenced packet
7.1. The "Follow TCP Stream" dialog box
7.2. The "Packet Bytes" pane with a reassembled tab
8.1. The "Summary" window
8.2. The "Protocol Hierarchy" window
8.3. The "Conversations" window
8.4. The "Endpoints" window
8.5. The "IO Graphs" window
8.6. The "Compute DCE-RPC statistics" window
8.7. The "DCE-RPC Statistic for ..." window
8.8. The "Compare" window
8.9. The "WLAN Traffic Statistics" window
9.1. The "RTP Stream Analysis" window
9.2. The "LTE MAC Traffic Statistics" window
9.3. The "LTE RLC Traffic Statistics" window
10.1. The "Coloring Rules" dialog box
10.2. The "Edit Color Filter" dialog box
10.3. The "Choose color" dialog box
10.4. Using color filters with Wireshark
10.5. The "Enabled Protocols" dialog box
10.6. The "Decode As" dialog box
10.7. The "Decode As: Show" dialog box
10.8. The preferences dialog box
10.9. The interface options dialog box
10.10. The configuration profiles dialog box

List of Tables

3.1. Keyboard Navigation
3.2. File menu items
3.3. Edit menu items
3.4. View menu items
3.5. Go menu items
3.6. Capture menu items
3.7. Analyze menu items
3.8. Statistics menu items
3.9. Telephony menu items
3.10. Tools menu items
3.11. Help menu items
3.12. Help menu items
3.13. Main toolbar items
3.14. Filter toolbar items
4.1. Capture file mode selected by capture options
5.1. The system specific "Open Capture File" dialog box
5.2. The system specific "Save Capture File As" dialog box
5.3. The system specific "Merge Capture File As" dialog box
6.1. The menu items of the "Packet List" column header pop-up menu
6.2. The menu items of the "Packet List" pop-up menu
6.3. The menu items of the "Packet Details" pop-up menu
6.4. Display Filter comparison operators
6.5. Display Filter Field Types
6.6. Display Filter Logical Operations
7.1. Some example expert infos
7.2. Time zone examples for UTC arrival times (without DST)
A.1. Configuration files and folders overview

List of Examples

2.1. Building GTK+ from source
2.2. Building and installing libpcap
2.3. Installing required RPMs under Red Hat Linux 6.2 and beyond
2.4. Installing debs under Debian, Ubuntu and other Debian derivatives
4.1. A capture filter for telnet that captures traffic to and from a particular host
4.2. Capturing all telnet traffic not from 10.0.0.5
10.1. Help information available from Wireshark
D.1. Help information available from tshark
D.2. Help information available from dumpcap
D.3. Help information available from capinfos
D.4. Help information available from rawshark
D.5. Help information available from editcap
D.6. Capture file types available from editcap
D.7. Encapsulation types available from editcap
D.8. Help information available from mergecap
D.9. Simple example of using mergecap
D.10. Help information available from text2pcap
D.11. Help information available from reordercap
previous page start next page