Wireshark - 1.0 Betriebsanweisung

Wireshark User's Guide27488 for Wireshark 1.0.0Ulf Lamping,Richard Sharpe, NS Computer Software and Services P/LEd Warnicke,

2. Who should read this document?The intended audience of this book is anyone using Wireshark.This book will explain all the basics and also some of t

• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities• the text output from the DBS Etherwatch VMS utility• Visual Networks' Visua

5.3. Saving captured packetsYou can save captured packets simply by using the Save As... menu item from the File menu underWireshark. You can choose w

Figure 5.6. "Save" - old GTK versionUnix/Linux: GTK version < 2.4This is the file save dialog of former Gimp/GNOME versions - plus some W

3. Select the range of the packets to be saved, see Section 5.8, “The Packet Range frame”4. Specify the format of the saved capture file by clicking o

Third party protocol analyzers may require specific fileextensions!Other protocol analyzers than Wireshark may require that the file has a certain fil

5.4. Merging capture filesSometimes you need to merge several capture files into one. For example this can be useful, if youhave captured simultaneous

Figure 5.8. "Merge" - new GTKversionUnix/Linux: GTK version >= 2.4This is the common Gimp/GNOME file opendialog - plus some Wireshark ext

5.5. File SetsWhen using the "Multiple Files" option while doing a capture (see: Section 4.7, “Capture files andfile modes”), the capture da

Each line contains information about a file of the file set:• Filename the name of the file. If you click on the filename (or the radio button left to

5.6. Exporting dataWireshark provides several ways and formats to export packet data. This section describes generalways to export data from Wireshark

3. AcknowledgementsThe authors would like to thank the whole Wireshark team for their assistance. In particular, the au-thors would like to thank:• Ge

Tip!You can easily convert PostScript files to PDF files using ghostscript. For example:export to a file named foo.ps and then call: ps2pdf foo.psFigu

dialog boxXXX - add screenshotExport packet bytes into C arrays so you can import the stream data into your own C program.• Export to file: frame choo

Export packet data into PDML. This is an XML based format including the packet details. ThePDML file specification is available at: http:/ / www.nbee.

• Name: the filename to export the packet data to.• The Save in folder: field lets you select the folder to save to (from some predefined folders).• B

Columns:• Packet num: The packet number in which this object was found. In some cases, there can bemultiple objects in the same packet.• Hostname: The

5.7. Printing packetsTo print packets, select the "Print..." menu item from the File menu. When you do this, Wiresharkpops up the Print dial

Note!These Print command fields are not available on windowsplatforms.This field specifies the command to use for printing. It is typically lpr.You wo

5.8. The Packet Range frameThe packet range frame is a part of various output related dialog boxes. It provides options to selectwhich packets should

5.9. The Packet Format frameThe packet format frame is a part of various output related dialog boxes. It provides options to selectwhich parts of a pa

File Input / Output and Printing104

4. About this documentThis book was originally developed by Richard Sharpe with funds provided from the WiresharkFund. It was updated by Ed Warnicke a

Chapter 6. Working with capturedpackets6.1. Viewing packets you have capturedOnce you have captured some packets, or you have opened a previously save

Figure 6.2. Viewing a packet in a separate windowWorking with captured packets106

6.2. Pop-up menusYou can bring up a pop-up menu over either the "Packet List" or "Packet Details" pane by clickingyour right mouse

Item Identical to mainmenu's item:Descriptionterformation from the selected packet. E.g. the IP menu entrywill set a filter to show the traffic b

Item Identical to mainmenu's item:DescriptionShow Packet inNew WindowViewDisplay the selected packet in a new window.6.2.2. Pop-up menu of the &q

Item Identical to mainmenu's item:Description-----Copy/ Descrip-tion-Copy the displayed text of the selected field to the systemclipboard.Copy/ A

Item Identical to mainmenu's item:DescriptionStreamSame as "Follow TCP Stream" but for SSL. XXX - add anew section describing this bett

6.3. Filtering packets while viewingWireshark has two filtering languages: One used when capturing packets, and one used when dis-playing packets. In

As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10are hidden). The packet numbering will remain as befor

6.4. Building display filter expressionsWireshark provides a simple but powerful display filter language that allows you to build quite com-plex filte

5. Where to get the latest copy of thisdocument?The latest copy of this documentation can always be found at: http://www.wireshark.org/docs/.Prefacexi

English C-like Description and examplege>=Greater than or equal toframe.len ge 0x100le<=Less than or equal toframe.len <= 0x20In addition, al

Type ExampleIPX address ipx.addr == 00000000.ffffffffffffString (text) http.request.uri == "http://www.wireshark.org/"6.4.3. Combining expre

English C-like Description and examplebeginning of a sequence to offset m. It is equivalent to 0:meth.src[4:] == 20:20The example above uses the n: fo

6.5. The "Filter Expression" dialog boxWhen you are accustomed to Wireshark's filtering system and know what labels you wish to use iny

Value You may enter an appropriate value in the Value text box. The Valuewill also indicate the type of value for the field name you have selected(lik

6.6. Defining and saving filtersYou can define filters with Wireshark and give them labels for later use. This can save time in re-membering and retyp

New This button adds a new filter to the list of filters. The currently enteredvalues from Filter name and Filter string will be used. If any of these

6.7. Defining and saving filter macrosYou can define filter macros with Wireshark and give them labels for later use. This can save timein remembering

6.8. Finding packetsYou can easily find packets once you have captured some packets or have read in a previously savedcapture file. Simply select the

You can choose the search direction:• UpSearch upwards in the packet list (decreasing packet numbers).• DownSearch downwards in the packet list (incre

6. Providing feedback about this documentShould you have any feedback about this document, please send it to the authors through wireshark-dev[AT]wire

6.9. Go to a specific packetYou can easily jump to specific packets with one of the menu items in the Go menu.6.9.1. The "Go Back" commandGo

6.10. Marking packetsYou can mark packets in the "Packet List" pane. A marked packet will be shown with black back-ground, regardless of the

6.11. Time display formats and timereferencesWhile packets are captured, each packet is timestamped. These timestamps will be saved to the cap-ture fi

Note!Time referencing will only be useful, if the time display format is set to "SecondsSince Beginning of Capture". If one of the other tim

Working with captured packets129

Chapter 7. Advanced Topics7.1. IntroductionIn this chapter some of the advanced features of Wireshark will be described.130

7.2. Following TCP streamsIf you are working with TCP based protocols it can be very helpful to see the data from a TCPstream in the way that the appl

length) and CRNL conversions?The stream content won't be updated while doing a live capture. To get the latest content you'll haveto reopen

7.3. Expert InfosThe expert infos is a kind of log of the anomalies found by Wireshark in a capture file.The general idea behind the following "E

There are some common groups of expert infos. The following are currently implemented:• Checksum: a checksum was invalid• Sequence: protocol sequence

Prefacexv

infos will be combined into a single line - with a count column showing how often they appeared inthe capture file. Clicking on the plus sign shows th

7.4. Time StampsTime stamps, their precisions and all that can be quite confusing. This section will provide you withinformation about what's goi

inaccurate.Conclusion: don't use USB connected NIC's when you need precise time stamp accur-acy! (XXX - are there any such NIC's that g

7.5. Time ZonesIf you travel across the planet, time zones can be confusing. If you get a capture file from some-where around the world time zones can

7.5.1. Set your computer's time correctly!If you work with people around the world, it's very helpful to set your computer's time and t

Table 7.2. Time zone examples for UTC arrival times (without DST)Los Angeles New York Madrid London Berlin TokyoCaptureFile (UTC)10:00 10:00 10:00 10:

7.6. Packet Reassembling7.6.1. What is it?Network protocols often need to transport large chunks of data, which are complete in themselves,e.g. when t

2. the higher level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble frag-mented protocol data. This too can often be enabled or

7.7. Name ResolutionName resolution tries to resolve some of the numerical address values into a human readable format.There are two possible ways to

7.7.3. IP name resolution (network layer)Try to resolve an IP address (e.g. 216.239.37.99) to something more "human readable".DNS/ADNS name

Chapter 1. Introduction1.1. What is Wireshark?Wireshark is a network packet analyzer. A network packet analyzer will try to capture networkpackets and

7.8. ChecksumsSeveral network protocols use checksums to ensure data integrity.Tip!Applying checksums as described here is also known as redundancy ch

7.8.2. Checksum offloadingThe checksum calculation might be done by the network driver, protocol driver or even in hardware.For example: The Ethernet

Advanced Topics147

Chapter 8. Statistics8.1. IntroductionWireshark provides a wide range of network statistics which can be accessed via the Statisticsmenu.These statist

8.2. The "Summary" windowGeneral statistics about the current capture file.Figure 8.1. The "Summary" window• File: general informa

• Time: the timestamps when the first and the last packet were captured (and the time betweenthem).• Capture: information from the time when the captu

8.3. The "Protocol Hierarchy" windowThe protocol hierarchy of the captured packets.Figure 8.2. The "Protocol Hierarchy" windowThis

Note!Packets will usually contain multiple protocols, so more than one protocol will becounted for each packet. Example: In the screenshot IP has 99,1

8.4. ConversationsStatistics of the captured conversations.8.4.1. What is a Conversation?A network conversation is the traffic between two specific en

8.4.3. The protocol specific "Conversation List"windowsBefore the combined window described above was available, each of its pages was shown

Figure 1.1. Wireshark captures packets and allows you to examine theircontent.1.1.3. Live capture from many different network mediaWireshark can captu

8.5. EndpointsStatistics of the endpoints captured.Tip!If you are looking for a feature other network tools call a hostlist, here is the rightplace to

For each supported protocol, a tab is shown in this window. Each tab label shows the number of en-dpoints captured (e.g. the tab label "Ethernet:

8.6. The "IO Graphs" windowUser configurable graph of the captured network packets.You can define up to five differently colored graphs.Figu

describe the Advanced feature.]• Scale: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,...)The save button will save the currently di

8.7. WLAN Traffic StatisticsStatistics of the captured WLAN traffic. This window will summarize the wireless network trafficfound in the capture. Prob

8.8. Service Response TimeThe service response time is the time between a request and the corresponding response. This in-formation is available for m

Figure 8.8. The "DCE-RPC Statistic for ..." windowEach row corresponds to a method of the interface selected (so the EPM interface in versio

8.9. The protocol specific statistics windowsThe protocol specific statistics windows display detailed information of specific protocols and mightbe d

Statistics163

Chapter 9. Customizing Wireshark9.1. IntroductionWireshark's default behaviour will usually suit your needs pretty well. However, as you becomemo

Wireshark is an open source software project, and is released under the GNU General Public Li-cense (GPL). You can freely use Wireshark on any number

9.2. Start Wireshark from the command lineYou can start Wireshark from the command line, but it can also be started from most Window man-agers as well

task based?-a <capture autostop condition> Specify a criterion that specifies when Wireshark is to stopwriting to a capture file. The criterion

supplied to the -i flag to specify an interface on which to cap-ture.This can be useful on systems that don't have a command tolist them (e.g., W

-N <name resolving flags> Turns on name resolving for particular types of addresses andport numbers; the argument is a string that may contain t

-Q This option forces Wireshark to exit when capturing is com-plete. It can be used with the -c option. It must be used inconjunction with the -i and

Customizing Wireshark170

9.3. Packet colorizationA very useful mechanism available in Wireshark is packet colorization. You can set-up Wiresharkso that it will colorize packet

If this is the first time you have used Coloring Rules, click on the New button which will bring upthe Edit color filter dialog box as shown in Figure

Select the color you desire for the selected packets and click on OK.Note!You must select a color in the colorbar next to the colorwheel to load value

9.4. Control Protocol dissectionThe user can control how protocols are dissected.Each protocol has its own dissector, so dissecting a complete packet

1.2. System RequirementsWhat you'll need to get Wireshark up and running ...1.2.1. General Remarks• The values below are the minimum requirements

To disable or enable a protocol, simply click on it using the mouse or press the space bar when theprotocol is highlighted. Note that typing the first

4. OK: Apply the changes and close the dialog box.5. Apply: Apply the changes and keep the dialog box open.6. Save: Save the settings to the disabled_

3. Link/Network/Transport: Specify the network layer at which "Decode As" should take place.Which of these pages are available depends on th

9.5. PreferencesThere are a number of preferences you can set. Simply select the Preferences... menu item from theEdit menu; and Wireshark will pop up

9.5.1. Interface OptionsIn the Capture preferences it is possible to configure several options for the interfaces available onyour computer. Select th

9.6. Configuration ProfilesConfiguration Profiles can be used to configure and use more than one set of preferences and con-figurations. Select the Co

New This button adds a new profile to the profiles list. The name ofthe created profile is "New profile" and can be changed in theProperties

with a period (.), and cannot contain any of the fol-lowing characters: \ / : * ? " < > |On Unix the profile name cannot contain the '

9.7. User TableThe User Table editor is used for managing various tables in wireshark. Its main dialog works verysimilarly to that of Section 9.3, “Pa

9.8. Display Filter MacrosDisplay Filter Macros are a mechanism to create shortcuts for complex filters. For example defininga display filter macro na

Wireshark User's Guide: 27488for Wireshark 1.0.0by Ulf Lamping, Richard Sharpe, and Ed WarnickeCopyright © 2004-2008 Ulf Lamping Richard Sharpe E

systems. BTW: Microsoft no longer supports 98/ME since July 11, 2006!• Windows NT 4.0 will no longer work with Wireshark. The last known version to wo

9.9. GeoIP Database PathsIf your copy of Wireshark supports MaxMind's GeoIP library, you can use their databases to matchIP addresses to countrie

9.10. Tektronix K12xx/15 RF5 protocols TableThe Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols thatare

9.11. SCCP users TableWireshark uses this table to map specific protocols to a certain DPC/SSN combination for SCCP.This table is handled by an Sectio

9.12. SMI (MIB and PIB) ModulesIf your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB modules here.The COPS and SNMP dissect

9.13. SMI (MIB and PIB) PathsIf your copy of Wireshark supports libSMI, you can specify one or more paths to MIB and PIBmodules here.name A module dir

9.14. SNMP users TableWireshark uses this table to verify authentication and to decrypt encrypted SNMPv3 packets.This table is handled by an Section 9

9.15. User DLTs protocol tableWhen a pcap file uses one of the user DLTs (147 to 162) wireshark uses this table to know whichprotocol(s) to use for ea

Customizing Wireshark192

Chapter 10. Lua Support in Wireshark10.1. IntroductionWireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming languagede

10.2. Example of Dissector written in Luadolocal p_multi = Proto("multi","MultiProto");local vs_protos = {[2] = "mtp2",[

1.3. Where to get Wireshark?You can get the latest copy of the program from the Wireshark website: ht-tp://www.wireshark.org/download.html. The websit

10.3. Example of Listener written in Lua-- This program will register a menu that will open a window with a count of occurrences-- of every address in

10.4. Wireshark's Lua API Reference ManualThis Part of the User Guide describes the Wireshark specific functions in the embedded Lua.10.4.1. Savi

Creates a capture file using the same encapsulation as the one of the cuurrent packet10.4.1.1.5.1. Argumentsfiletype (optional) The file type. Default

vpi (optional) VPIvci (optional) VCIchannel (optional) Channelcells (optional) Number of cells in the PDUaal5u2u (optional) AAL5 User to User indicato

10.4.2.2. FieldInfoAn extracted Field10.4.2.2.1. fieldinfo:__len()Obtain the Length of the field10.4.2.2.2. fieldinfo:__unm()Obtain the Offset of the

The offset of this field10.4.2.3. Non Method Functions10.4.2.3.1. all_field_infos()obtain all fields from the current tree10.4.2.3.1.1. Errors• Cannot

true if the user has asked to stop the progress.10.4.3.1.3.2. Errors• cannot be called for something not a ProgDlg10.4.3.1.4. progdlg:close()Appends t

10.4.3.2.3.2. ReturnsThe TextWindow object.10.4.3.2.3.3. Errors• cannot be called for something not a TextWindow10.4.3.2.4. textwindow:append(text)App

10.4.3.2.7. textwindow:get_text()Get the text of the window10.4.3.2.7.1. ReturnsThe TextWindow's text.10.4.3.2.7.2. Errors• cannot be called for

10.4.3.3.2. register_menu(name, action, [group])Register a menu item in one of the main menus.10.4.3.3.2.1. Argumentsname The name of the menu item. T

1.4. A brief history of WiresharkIn late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted tolearn more about networki

10.4.3.3.6.1. Argumentsfilename The name of the file to be opened.filter A filter to be applied as the file gets opened.10.4.3.3.7. set_filter(text)se

filter (optional) a filter that when matches the tap.packet function gets called (use nil tobe called for every packet)10.4.4.1.1.2. ReturnsThe newly

10.4.5.1.4. address:__le()compares two Addresses10.4.5.1.5. address:__lt()compares two Addresses10.4.5.2. ColumnA Column in the packet list10.4.5.2.1.

10.4.5.3.2. columns:__newindex(column, text)Sets the text of a specific column10.4.5.3.2.1. Argumentscolumn the name of the column to settext the text

higher Address of this Packet10.4.5.4.13. pinfo.dl_srcData Link Source Address of this Packet10.4.5.4.14. pinfo.dl_dstData Link Destination Address of

10.4.5.4.28. pinfo.private_dataAccess to private data10.4.6. Functions for writing dissectors10.4.6.1. DissectorA refererence to a dissector, used to

The newly created DissectorTable10.4.6.2.2. DissectorTable.get(tablename)Obtain a reference to an existing dissector table.10.4.6.2.2.1. Argumentstabl

10.4.6.2.6.2. ReturnsThe dissector handle if foundnil if not found10.4.6.3. PrefA preference of a Protocol.10.4.6.3.1. Pref.bool(label, default, descr

enum enumradio radio_button or combobox10.4.6.3.5. Pref.range(label, default, descr, range, max)* Creates a range preference to be added to a Protocol

name The abbreviation of this preference10.4.6.4.2.2. Returnsthe current value of the preference10.4.6.4.2.3. Errors• unknow Pref type10.4.6.5. ProtoA

1.5. Development and maintenance ofWiresharkWireshark was initially developed by Gerald Combs. Ongoing development and maintenance ofWireshark is hand

name Actual name of the field (the string that appears in the tree).abbr Filter name of the field (the string that is used in filters).type Field Type

10.4.6.6.4.1. Argumentsabbr abbreviated name of the field (the string used in filters)name (optional) Actual name of the field (the string that appear

10.4.6.6.7. ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc])10.4.6.6.7.1. Argumentsabbr abbreviated name of the field (the string

a protofield item to be added to a ProtoFieldArray10.4.6.6.10. ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc])10.4.6.6.10.1. Arg

desc (optional) description of the field10.4.6.6.12.2. Returnsa protofield item to be added to a ProtoFieldArray10.4.6.6.13. ProtoField.ipv4(abbr, [na

desc (optional) description of the field10.4.6.6.16.2. Returnsa protofield item to be added to a ProtoFieldArray10.4.6.6.17. ProtoField.double(abbr, [

desc (optional) description of the field10.4.6.6.20.2. Returnsa protofield item to be added to a ProtoFieldArray10.4.6.6.21. ProtoField.ubytes(abbr, [

desc (optional) description of the field10.4.6.6.24.2. Returnsa protofield item to be added to a ProtoFieldArray10.4.6.7. Non Method Functions10.4.6.7

text The text to be appended.10.4.7.1.5. treeitem:set_expert_flags([group], [severity])Sets the expert flags of the item.10.4.7.1.5.1. Argumentsgroup

concatenate two ByteArrays10.4.8.1.2.1. Argumentsfirst first arraysecond second array10.4.8.1.2.2. ReturnsThe new composite ByteArray.10.4.8.1.2.3. Er

1.6. Reporting problems and getting helpIf you have problems, or need help with Wireshark, there are several places that may be of interestto you (wel

• ByteArray size must be non-negative10.4.8.1.6. bytearray:set_index(index, value)sets the value of an index of a ByteArray.10.4.8.1.6.1. Argumentsind

a Tvb represents the packet's buffer. It is passed as an argument to listeners and dissectors, and canbe used to extract information (via TvbRang

* a TvbRange represents an usable range of a Tvb and is used to extract data from the Tvb that gen-erated it * TvbRanges are created by calling a tvb

10.4.8.4.8. tvbrange:ipv4()get an IPv4 Address from a TvbRange.10.4.8.4.8.1. Returnsthe IPv4 Address10.4.8.4.9. tvbrange:le_ipv4()get an Little Endian

10.4.9. Utility Functions10.4.9.1. DirA Directory10.4.9.1.1. Dir.open(pathname, [extension])usage: for filename in Dir.open(path) do ... end10.4.9.1.1

10.4.9.2.3.1. Argumentstext message10.4.9.2.4. critical(...)Will add a log entry with critical severity10.4.9.2.4.1. Arguments... objects to be printe

filename name of the file to be loaded10.4.9.2.10. dofile(filename)Lua's dofile() has been modified so that if a file does not exist in the curre

Lua Support in Wireshark232

Appendix A. Files and FoldersA.1. Capture FilesTo understand which information will remain available after the captured packets are saved to a cap-tur

• time references set with "Edit/Time Reference"• the current display filter• ...Files and Folders234

1.6.5. Reporting ProblemsNote!Before reporting any problems, please make sure you have installed the latest versionof Wireshark.When reporting problem

A.2. Configuration Files and FoldersWireshark uses a number of files and folders while it is running. Some of these reside in the person-al configurat

File/Folder Description Unix/LinuxfoldersWindows foldersusr/share/wire-shark/plugins, /usr/loc-al/share/wire-shark/plugins,$HOME/.wireshark/plugins%AP

written to disk when you press the Save button in the "Cap-ture Filters" dialog box.dfilters This file contains all the display filters that

00:00:01 Xerox # XEROX CORPORATIONThe settings from this file are read in at program start andnever written by Wireshark.hosts Wireshark uses the file

ipxnets Wireshark uses the files listed in Table A.1, “Configurationfiles and folders overview” to translate IPX network numbersinto names.An example

A.3. Windows foldersHere you will find some details about the folders used in Wireshark on different Windows versions.As already mentioned, you can fi

able will be set by the Windows installer.Vista XXX - could someone give information about this?XP/2000 C:\Documents and Settings\<username>\Loc

Files and Folders242

Appendix B. Protocols and ProtocolFieldsWireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port).A comprehensive list

Appendix C. Wireshark MessagesWireshark provides you with additional information generated out of the plain packet data or it mayneed to indicate diss

the D key together) will cause gdb to exit. This will leave you with a file calledbt.txt in the current directory. Include the file with your bug repo

C.2. Packet Details MessagesThese messages might appear in the packet details.C.2.1. [Response in frame: 123]The current packet is the request of a de

Wireshark Messages246

Appendix D. Related command linetoolsD.1. IntroductionBesides the Wireshark GUI application, there are some command line tools which can be helpful fo

D.2. tshark: Terminal-based WiresharkTShark is a terminal oriented version of Wireshark designed for capturing and displaying packetswhen an interacti

D.3. tcpdump: Capturing with tcpdump forviewing with WiresharkThere are occasions when you want to capture packets using tcpdump rather than wireshark

D.4. dumpcap: Capturing with dumpcap forviewing with WiresharkDumpcap is a network traffic dump tool. It captures packet data from a live network and

D.5. capinfos: Print information aboutcapture filesIncluded with Wireshark is a small utility called capinfos, which is a command-line utility to prin

D.6. editcap: Edit capture filesIncluded with Wireshark is a small utility called editcap, which is a command-line utility for work-ing with capture f

rawip - Raw IParcnet - ARCNETarcnet_linux - Linux ARCNETatm-rfc1483 - RFC 1483 ATMlinux-atm-clip - Linux ATM CLIPlapb - LAPBatm-pdus - ATM PDUsatm-pdu

Where each option has the following meaning:-r This option specifies that the frames listed should be kept, notdeleted. The default is to delete the l

Introduction12

D.7. mergecap: Merging multiple capture filesinto oneMergecap is a program that combines multiple saved capture files into a single output file specif

atm-rfc1483 - RFC 1483 ATMlinux-atm-clip - Linux ATM CLIPlapb - LAPBatm-pdus - ATM PDUsatm-pdus-untruncated - ATM PDUs - untruncatednull - NULLascend

Note: when merging, mergecap assumes that packets within a capture file are already in chro-nological order.-s Sets the snapshot length to use when wr

D.8. text2pcap: Converting ASCII hexdumpsto network capturesThere may be some occasions when you wish to convert a hex dump of some network traffic in

<output-filename> specifies output filename (use - for standard output)[options] are one or more of the following-h : Display this help message-

packet.-u srcport destport Include dummy UDP headers before each packet. Specify the sourceand destination UDP ports for the packet in decimal. Use th

D.9. idl2wrs: Creating dissectors fromCORBA IDL filesIn an ideal world idl2wrs would be mentioned in the users guide in passing and documented in thed

Procedure for converting a CORBA idl file into a Wireshark dissector1. To write the C code to stdout.idl2wrs <your file.idl>e.g.:idl2wrs echo.id

make8. Good Luck !!D.9.4. TODO1. Exception code not generated (yet), but can be added manually.2. Enums not converted to symbolic values (yet), but ca

Related command line tools264

Chapter 2. Building and InstallingWireshark2.1. IntroductionAs with all things, there must be a beginning, and so it is with Wireshark. To use Wiresha

Appendix E. This Document's License(GPL)As with the original licence and documentation distributed with Wireshark, this document iscovered by the

either verbatim or with modifications and/or translated into anotherlanguage. (Hereinafter, translation is included without limitation inthe term &quo

The source code for a work means the preferred form of the work formaking modifications to it. For an executable work, complete sourcecode means all t

Each version is given a distinguishing version number. If the Programspecifies a version number of this License which applies to it and "anylater

Yoyodyne, Inc., hereby disclaims all copyright interest in the program`Gnomovision' (which makes passes at compilers) written by James Hacker.<

2.2. Obtaining the source and binarydistributionsYou can obtain both source and binary distributions from the Wireshark web site: ht-tp://www.wireshar

2.3. Before you build Wireshark under UNIXBefore you build Wireshark from sources, or install a binary package, you must ensure that youhave the follo

Example 2.2. Building and installing libpcapgzip -dc libpcap-0.9.4.tar.Z | tar xvf -<much output removed>cd libpcap-0.9.4./configure<much out

2.4. Building Wireshark from source underUNIXUse the following general steps if you are building Wireshark from source under a UNIX operatingsystem:1.

2.5. Installing the binaries under UNIXIn general, installing the binary under your version of UNIX will be specific to the installation meth-ods used

2.6. Troubleshooting during the install onUnixA number of errors can occur during the installation process. Some hints on solving these areprovided he

2.7. Building from source under WindowsIt is recommended to use the binary installer for Windows, until you want to start developing Wire-shark on the

2.8. Installing Wireshark under WindowsIn this section we explore installing Wireshark under Windows from the binary packages.2.8.1. Install Wireshark

2.8.1.2. "Additional Tasks" page• Start Menu Shortcuts - add some start menu shortcuts.• Desktop Icon - add a Wireshark icon to the desktop.

Example:wireshark-setup-1.0.0.exe /NCRC /S /desktopicon=yes/quicklaunchicon=no /D=C:\Program Files\Foo2.8.2. Manual WinPcap InstallationNote!As mentio

WinPcap won't be uninstalled by default, as other programs than Wireshark may use it as well.2.8.6. Uninstall WinPcapYou can uninstall WinPcap in

Table of ContentsPreface ... ix1. Foreword

Building and Installing Wireshark25

Chapter 3. User Interface3.1. IntroductionBy now you have installed Wireshark and are most likely keen to get started capturing your firstpackets. In

3.2. Start WiresharkYou can start Wireshark from your shell or window manager.Tip!When starting Wireshark it's possible to specify optional setti

3.3. The Main windowLet's look at Wireshark's user interface. Figure 3.1, “The Main window” shows Wireshark as youwould usually see it after

7. The statusbar (see Section 3.19, “The Statusbar”) shows some detailed information about thecurrent program state and the captured data.Tip!The layo

3.4. The MenuThe Wireshark menu sits on top of the Wireshark window. An example is shown in Figure 3.2, “TheMenu”.Note!Menu items will be greyed out i

3.5. The "File" menuThe Wireshark file menu contains the fields shown in Table 3.2, “File menu items”.Figure 3.3. The "File" MenuT

Menu Item Accelerator Description------Save Ctrl+SThis menu item saves the current capture. If you have not seta default capture file name (perhaps wi

Menu Item Accelerator DescriptionExport > as "CArrays"(packet bytes)file...This menu item allows you to export all (or some) of thepacket

3.6. The "Edit" menuThe Wireshark Edit menu contains the fields shown in Table 3.3, “Edit menu items”.Figure 3.4. The "Edit" MenuT

3.5. The "File" menu ...313.6. The "Edit" menu .

Menu Item Accelerator DescriptionSection 6.10, “Marking packets” for details.Find NextMarkShift+Ctrl+NFind the next marked packet.Find PreviousMarkShi

3.7. The "View" menuThe Wireshark View menu contains the fields shown in Table 3.4, “View menu items”.Figure 3.5. The "View" MenuT

Menu Item Accelerator DescriptionPacket BytesThis menu item hides or shows the packet bytes pane, seeSection 3.18, “The "Packet Bytes" pane”

Menu Item Accelerator DescriptionTime DisplayFormat >Seconds: 0Selecting this tells Wireshark to display time stamps with aprecision of one second,

Menu Item Accelerator DescriptionExpand Sub-treesThis menu item expands the currently selected subtree in thepacket details tree.Expand AllWireshark k

3.8. The "Go" menuThe Wireshark Go menu contains the fields shown in Table 3.5, “Go menu items”.Figure 3.6. The "Go" MenuTable 3.5

Menu Item Accelerator Descriptionmove to the previous packet even if the packet list doesn'thave keyboard focus.Next Packet Ctrl+DownMove to the

3.9. The "Capture" menuThe Wireshark Capture menu contains the fields shown in Table 3.6, “Capture menu items”.Figure 3.7. The "Capture

Menu Item Accelerator DescriptionCapture Fil-ters...This menu item brings up a dialog box that allows you to cre-ate and edit capture filters. You can

3.10. The "Analyze" menuThe Wireshark Analyze menu contains the fields shown in Table 3.7, “Analyze menu items”.Figure 3.8. The "Analyz

6.2.1. Pop-up menu of the "Packet List" pane ... 1076.2.2. Pop-up menu of the "Packet Details&qu

Menu Item Accelerator DescriptionPrepare a Fil-ter > ...These menu items will change the current display filter butwon't apply the changed fil

3.11. The "Statistics" menuThe Wireshark Statistics menu contains the fields shown in Table 3.8, “Statistics menu items”.Figure 3.9. The &qu

Menu Item Accelerator Description------ConversationListDisplay a list of conversations, obsoleted by the combinedwindow of Conversations above, see Se

Menu Item Accelerator DescriptionSMPP Opera-tions...See Section 8.9, “The protocol specific statistics windows”TCP StreamGraphSee Section 8.9, “The pr

3.12. The "Tools" menuThe Wireshark Tools menu contains the fields shown in Table 3.9, “Tools menu items”.Table 3.9. Tools menu itemsMenu It

3.13. The "Help" menuThe Wireshark Help menu contains the fields shown in Table 3.10, “Help menu items”.Figure 3.10. The "Help" Me

Menu Item Accelerator DescriptionAbout Wire-sharkThis menu item brings up an information window thatprovides some information on Wireshark, such as th

3.14. The "Main" toolbarThe main toolbar provides quick access to frequently used items from the menu. This toolbar cannotbe customized by t

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionClose File/CloseThis item closes the current capture. If you havenot saved the capture, you w

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionMore detail on this subject is provided in Sec-tion 6.6, “Defining and saving filters”.Displa

8.5.2. The "Endpoints" window ... 1558.5.3. The protocol specific "Endpoint L

3.15. The "Filter" toolbarThe filter toolbar lets you quickly edit and apply display filters. More information on display filtersis availabl

3.16. The "Packet List" paneThe packet list pane displays all the packets in the current capture file.Figure 3.13. The "Packet List&quo

3.17. The "Packet Details" paneThe packet details pane shows the current packet (selected in the "Packet List" pane) in a more de-

3.18. The "Packet Bytes" paneThe packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in ah

3.19. The StatusbarThe statusbar displays informational messages.In general, the left side will show context related information, the middle part will

Figure 3.20. The Statusbar with a selected protocol fieldThis is displayed if you have selected a protocol field from the "Packet Details" p

User Interface61

Chapter 4. Capturing Live NetworkData4.1. IntroductionCapturing live network data is one of the major features of Wireshark.The Wireshark capture engi

4.2. PrerequisitesSetting up Wireshark to capture packets for the first time can be tricky.Tip!A comprehensive guide "How To setup a Capture"

4.3. Start CapturingOne of the following methods can be used to start capturing packets with Wireshark:• You can get an overview of the available loca

D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark ... 249D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark

4.4. The "Capture Interfaces" dialog boxWhen you select "Interfaces..." from the Capture menu, Wireshark pops up the "Capture

address could be resolved, only the first is shown(unpredictable which one in that case).Packets The number of packets captured from this interface, s

4.5. The "Capture Options" dialog boxWhen you select Start... from the Capture menu (or use the corresponding item in the "Main" t

drop-down list, so simply click on the button on the righthand side and select the interface you want. It defaults to thefirst non-loopback interface

CPU time is required for copying packets, less bufferspace is required for packets, and thus perhaps fewerpackets will be dropped if traffic is very h

... after n minute(s) Stop capturing after the given number ofsecond(s)/minutes(s)/hours(s)/days(s) have elapsed.4.5.4. Display Options frameUpdate li

4.6. The "Interface Details" dialog boxWhen you select Details from the Capture Interface menu, Wireshark pops up the "Interface De-tai

4.7. Capture files and file modesWhile capturing, the underlying libpcap capturing engine will grab the packets from the networkcard and keep the pack

Single named file A single capture file will be used. If you want to place thenew capture file to a specific folder, choose this mode.Multiple files,

4.8. Link-layer header typeIn the usual case, you won't have to choose this link-layer header type. The following paragraphsdescribe the exceptio

Preface1. ForewordWireshark is one of those programs that many network managers would love to be able to use, butthey are often prevented from getting

4.9. Filtering while capturingWireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump manpage, which can be h

present, packets where the specified address appears in eitherthe source or destination address will be selected.gateway host <host> This primit

DISPLAY (x11) [remote name]:<display num>SESSIONNAME (terminal server) <remote name>Capturing Live Network Data77

4.10. While a Capture is running ...While a capture is running, the following dialog box is shown:Figure 4.5. The "Capture Info" dialog boxT

Note!The Capture Info dialog box might be hidden, if the option "Hide capture infodialog" is used.2. Using the menu item "Capture/ Stop

Capturing Live Network Data80

Chapter 5. File Input / Output andPrinting5.1. IntroductionThis chapter will describe input and output of capture data.• Open/Import capture files in

5.2. Open capture filesWireshark can read in previously saved capture files. To read them, simply select the menu or tool-bar item: "File/ Open&q

Save a lot of time loading huge capture files!You can change the display filter and name resolution settings later while viewing thepackets. However,

Figure 5.3. "Open" - old GTK versionThis is the file open dialog of former Gimp/GNOME versions - plus some Wireshark exten-sions.Specific fo