Wireshark - 0.99.5 Betriebsanweisung

Wireshark User's Guide21443 for Wireshark 0.99.5Ulf Lamping,Richard Sharpe, NS Computer Software and Services P/LEd Warnicke,

3. AcknowledgementsThe authors would like to thank the whole Wireshark team for their assistance. In particular, the au-thors would like to thank:• Ge

5.4. Merging capture filesSometimes you need to merge several capture files into one. For example this can be useful, if youhave captured simultaneous

Figure 5.8. "Merge" - new GTKversionUnix/Linux: GTK version >= 2.4This is the common Gimp/GNOME file opendialog - plus some Wireshark ext

5.5. File SetsWhen using the "Multiple Files" option while doing a capture (see: Section 4.6, “Capture files andfile modes”), the capture da

Each line contains information about a file of the file set:• Filename the name of the file. If you click on the filename (or the radio button left to

5.6. Exporting dataWireshark provides several ways and formats to export packet data. This section describes generalways to export data from Wireshark

Tip!You can easily convert PostScript files to PDF files using ghostscript. For example:export to a file named foo.ps and then call: ps2pdf foo.psFigu

Export packet data into PSML. This is an XML based format including only the packet summary.The PSML file specification is available at: http://www.nb

• Export to file: frame chooses the file to export the packet data to.• The Packet Range frame is described in Section 5.8, “The Packet Range frame”.T

• Name: the filename to export the packet data to.• The Save in folder: field lets you select the folder to save to (from some predefined folders).• B

Columns:• Packet num: The packet number in which this object was found. In some cases, there can bemultiple objects in the same packet.• Hostname: The

4. About this documentThis book was originally developed by Richard Sharpe with funds provided from the WiresharkFund. It was updated by Ed Warnicke a

5.7. Printing packetsTo print packets, select the "Print..." menu item from the File menu. When you do this, Wiresharkpops up the Print dial

Note!These Print command fields are not available on windowsplatforms.This field specifies the command to use for printing. It is typically lpr.You wo

5.8. The Packet Range frameThe packet range frame is a part of various output related dialog boxes. It provides options to selectwhich packets should

5.9. The Packet Format frameThe packet format frame is a part of various output related dialog boxes. It provides options to selectwhich parts of a pa

File Input / Output and Printing100

Chapter 6. Working with capturedpackets6.1. Viewing packets you have capturedOnce you have captured some packets, or you have opened a previously save

Figure 6.2. Viewing a packet in a separate windowWorking with captured packets102

6.2. Pop-up menusYou can bring up a pop-up menu over either the "Packet List", "Packet Details" or "Packet Bytes"pane by

Item Identical to mainmenu's item:Descriptionterformation from the selected packet. E.g. the IP menu entrywill set a filter to show the traffic b

6.2.2. Pop-up menu of the "Packet Details" paneFigure 6.4. Pop-up menu of the "Packet Details" paneThe following table gives an ov

5. Where to get the latest copy of thisdocument?The latest copy of this documentation can always be found at: http:/ / www.wireshark.org/ docs/#usersg

Item Identical to mainmenu's item:DescriptionCopy/ Bytes(Offset Hex Text)-Copy the packet bytes to the clipboard in hexdump-likeformat; similar t

Item Identical to mainmenu's item:Descriptionences...The menu item takes you to the properties dialog and se-lects the page corresponding to the

6.3. Filtering packets while viewingWireshark has two filtering languages: One used when capturing packets, and one used when dis-playing packets. In

As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10are hidden). The packet numbering will remain as befor

6.4. Building display filter expressionsWireshark provides a simple but powerful display filter language that you can build quite complexfilter expres

English C-like Description and examplege>=Greater than or equal toframe.pkt_len ge 0x100le<=Less than or equal toframe.pkt_len <= 0x20In addi

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5,“Display Filter Logical Operations”Table 6.5. Display F

English C-like Description and exampleeth.src[2] == 83The example above uses the n format to specify a single range. In this casethe element in the se

6.5. The "Filter Expression" dialog boxWhen you are accustomed to Wireshark's filtering system and know what labels you wish to use iny

Value You may enter an appropriate value in the Value text box. The Valuewill also indicate the type of value for the field name you have selected(lik

6. Providing feedback about this documentShould you have any feedback about this document, please send them to the authors through wire-shark-dev[AT]w

6.6. Defining and saving filtersYou can define filters with Wireshark and give them labels for later use. This can save time in re-membering and retyp

New This button adds a new filter to the list of filters. The currently enteredvalues from Filter name and Filter string will be used. If any of these

6.7. Finding packetsYou can easily find packets once you have captured some packets or have read in a previously savedcapture file. Simply select the

You can choose the direction to be searched for:• UpSearch upwards in the packet list (decreasing packet numbers).• DownSearch downwards in the packet

6.8. Go to a specific packetYou can easily jump to specific packets with one of the menu items in the Go menu.6.8.1. The "Go Back" commandGo

6.9. Marking packetsYou can mark packets in the "Packet List" pane. A marked packet will be shown with black back-ground, regardless of the

6.10. Time display formats and timereferencesWhile packets are captured, each packet is timestamped. These timestamps will be saved to the cap-ture fi

Note!Time referencing will only be useful, if the time display format is set to "SecondsSince Beginning of Capture". If one of the other tim

Working with captured packets124

Chapter 7. Advanced Topics7.1. IntroductionIn this chapter some of the advanced features of Wireshark will be described.125

Prefacexiv

7.2. Following TCP streamsIf you are working with TCP based protocols it can be very helpful to see the data from a TCPstream in the way that the appl

length) and CRNL conversions?The stream content won't be updated while doing a live capture. To get the latest content you'll haveto reopen

7.3. Time StampsTime stamps, their precisions and all that can be quite confusing. This section will provide you withinformation about what's goi

inaccurate.Conclusion: don't use USB connected NIC's when you need precise time stamp accur-acy! (XXX - are there any such NIC's that s

7.4. Time ZonesIf you travel across the planet, time zones can be confusing. If you get a capture file from some-where around the world time zones can

7.4.1. Set your computer's time correct!If you work with people around the world, it's very helpful to set your computer's time and tim

Table 7.1. Time zone examples for UTC arrival times (without DST)Los Angeles New York Madrid London Berlin TokyoCaptureFile (UTC)10:00 10:00 10:00 10:

7.5. Packet Reassembling7.5.1. What is it?Network protocols often need to transport large chunks of data, which are complete in itself, e.g.when trans

2. the higher level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble frag-mented protocol data. This too can often be enabled or

7.6. Name ResolutionName resolution tries to resolve some of the numerical address values into a human readable format.There are two possible ways to

Chapter 1. Introduction1.1. What is Wireshark?Wireshark is a network packet analyzer. A network packet analyzer will try to capture networkpackets and

7.6.3. IP name resolution (network layer)Try to resolve an IP address (e.g. 216.239.37.99) to something more "human readable".DNS/ADNS name

7.7. ChecksumsSeveral network protocols use checksums to ensure data integrity.Tip!Applying checksums as described here is also known as redundancy ch

7.7.2. Checksum offloadingThe checksum calculation might be done by the network driver, protocol driver or even in hardware.For example: The Ethernet

Advanced Topics139

Chapter 8. Statistics8.1. IntroductionWireshark provides a wide range of network statistics.These statistics range from general information about the

8.2. The "Summary" windowGeneral statistics about the current capture file.Figure 8.1. The "Summary" windowStatistics141

• File general information about the capture file.• Time the timestamps when the first and the last packet were capturing (and the time betweenthem).•

8.3. The "Protocol Hierarchy" windowThe protocol hierarchy of the captured packets.Figure 8.2. The "Protocol Hierarchy" windowThis

Note!Packets will usually contain multiple protocols, so more than one protocol will becounted for each packet. Example: In the screenshot IP has 99,1

8.4. EndpointsStatistics of the endpoints captured.Tip!If you are looking for a feature other network tools call a hostlist, here is the rightplace to

Figure 1.1. Wireshark captures packets and allows you to examine theircontent.1.1.3. Live capture from many different network mediaWireshark can captu

For each supported protocol, a tab is shown in this window. The tab labels shows the number of en-dpoints captured (e.g. the tab label "Ethernet:

8.5. ConversationsStatistics of the captured conversations.8.5.1. What is a Conversation?A network conversation is the traffic between two specific en

8.6. The "IO Graphs" windowUser configurable graph of the captured network packets.You can define up to five differently colored graphs.Figu

• Unit the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)• Scale the scale for the y unit (10,20,50,100,200,500,...)XXX -

8.7. Service Response TimeThe service response time is the time between a request and the corresponding response. This in-formation is available for m

Figure 8.7. The "DCE-RPC Statistic for ..." windowEach row corresponds to a method of the interface selected (so the EPM interface in versio

8.8. The protocol specific statistics windowsThe protocol specific statistics windows display detailed information of specific protocols and mightbe d

Statistics153

Chapter 9. Customizing Wireshark9.1. IntroductionWireshark's default behaviour will usually suit your needs pretty well. However, as you becomemo

9.2. Start Wireshark from the command lineYou can start Wireshark from the command line, but it can also be started from most Window man-agers as well

Wireshark is an open source software project, and is released under the GNU General Public Li-cence (GPL). You can freely use Wireshark on any number

writing to the next file, until it fills up the last file, at whichpoint it'll discard the data in the first file (unless 0 is spe-cified, in whi

Network interface names should match one of the names lis-ted in wireshark -D (described above); a number, as reportedby wireshark -D, can also be use

Tip!You can get a list of all available preferencestrings from the preferences file, see Ap-pendix A, Files and Folders.-p Don't put the interfac

-y <capture link type> If a capture is started from the command line with -k, set thedata link type to use while capturing packets. The values r

9.3. Packet colorizationA very useful mechanism available in Wireshark is packet colorization. You can set-up Wiresharkso that it will colorize packet

In the Edit Color dialog box, simply enter a name for the color filter, and enter a filter string in theFilter text field. Figure 9.2, “The "Edit

Figure 9.4, “Using color filters with Wireshark” shows an example of several color filters beingused in Wireshark. You may not like the color choices,

9.4. Control Protocol dissectionThe user can control how protocols are dissected.Each protocol has its own dissector, so dissecting a complete packet

To disable or enable a protocol, simply click on it using the mouse or press the space bar when theprotocol is highlighted.Warning!You have to use the

5. Apply Apply the changes and keep the dialog box open.6. Save Save the settings to the disabled_protos, see Appendix A, Files and Folders for detail

1.2. System RequirementsWhat you'll need to get Wireshark up and running ...1.2.1. General Remarks• The values below are the minimum requirements

5. OK Apply the currently selected decode and close the dialog box.6. Apply Apply the currently selected decode and keep the dialog box open.7. Cancel

9.5. PreferencesThere are a number of preferences you can set. Simply select the Preferences... menu item from theEdit menu, and Wireshark will pop up

9.6. User TableThe User Table editor is used for managing various tables in wireshark. It's main dialog works verysimilarly to that of Section 9.

9.7. Display Filter MacrosDisplay Filter Macos are a mechanism to create shortcuts for complex filters. For example defininga display filter macro nam

9.8. Tektronics K12xx/15 RF5 protocols TableThe Tektronix's K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocolst

9.9. User DLTs protocol tableWhen a pcap file uses one of the user DLTs (147 to 162) wireshark uses this table to know whichprotocol(s) to use for eac

9.10. SNMP users TableWireshark uses this table to verify auhentication and to decrypt encrypted SNMPv3 packets.This table is handled by an Section 9.

Customizing Wireshark173

Appendix A. Files and FoldersA.1. Capture FilesTo understand which information will remain available after the captured packets are saved to a cap-tur

• time references set with "Edit/Time Reference"• the current display filter• ...Files and Folders175

• Windows NT 4.0 will no longer work with Wireshark. The last known version to work wasWireshark 0.99.4 (which includes WinPcap 3.1), you still can ge

A.2. Configuration Files and FoldersWireshark uses a number of files and folders while it is running. Some of these reside in the person-al configurat

File/Folder Description Unix/LinuxfoldersWindows folders$HOME/.wireshark/pluginstemp Temporary files. Environment:TMPDIREnvironment: TMPDIR or TEMPWin

"<filter name>" <filter string>The settings from this file are read in at program start andwritten to disk when you press the Sa

hosts Wireshark uses the files listed in Table A.1, “Configurationfiles and folders overview” to translate IPv4 and IPv6 ad-dresses into names.This fi

A.3. Windows foldersHere you will find some details about the folders used in Wireshark on different Windows versions.As already mentioned, you can fi

able will be set by the windows installer.Vista XXX - could someone give information about this?XP/2000 C:\Documents and Settings\<username>\Loc

Files and Folders182

Appendix B. Protocols and ProtocolFieldsWireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port).A comprehensive list

Appendix C. Wireshark MessagesWireshark provides you with additional information generated out of the plain packet data or it mayneed to indicate diss

C.2. Packet Details MessagesThese messages might appear in the packet details.C.2.1. [Response in frame: 123]The current packet is the request of a de

Wireshark User's Guide: 21443for Wireshark 0.99.5by Ulf Lamping, Richard Sharpe, and Ed WarnickeCopyright © 2004-2007 Ulf Lamping Richard Sharpe

1.3. Where to get Wireshark?You can get the latest copy of the program from the Wireshark website: ht-tp://www.wireshark.org/download.html. The websit

Wireshark Messages186

Appendix D. Related command linetoolsD.1. IntroductionBeside the Wireshark GUI application, there are some command line tools, which can be helpful fo

D.2. tshark: Terminal-based WiresharkTShark is a terminal oriented version of Wireshark designed for capturing and displaying packetswhen an interacti

D.3. tcpdump: Capturing with tcpdump forviewing with WiresharkThere are occasions when you want to capture packets using tcpdump rather than wireshark

D.4. dumpcap: Capturing with dumpcap forviewing with WiresharkDumpcap is a network traffic dump tool. It lets you capture packet data from a live netw

D.5. capinfos: Print information aboutcapture filesIncluded with Wireshark is a small utility called capinfos, which is a command-line utility to prin

D.6. editcap: Edit capture filesIncluded with Wireshark is a small utility called editcap, which is a command-line utility for work-ing with capture f

rawip - Raw IParcnet - ARCNETarcnet_linux - Linux ARCNETatm-rfc1483 - RFC 1483 ATMlinux-atm-clip - Linux ATM CLIPlapb - LAPBatm-pdus - ATM PDUsatm-pdu

Where each option has the following meaning:-r This option specifies that the frames listed should be kept, notdeleted. The default is to delete the l

D.7. mergecap: Merging multiple capture filesinto oneMergecap is a program that combines multiple saved capture files into a single output file specif

1.4. A brief history of WiresharkIn late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted tolearn more about networki

atm-pdus - ATM PDUsatm-pdus-untruncated - ATM PDUs - untruncatednull - NULLascend - Lucent/Ascend access equipmentisdn - ISDNip-over-fc - RFC 2625 IP-

-s Sets the snapshot length to use when writing the data.-w Sets the output filename.-T Sets the packet encapsulation type of the output capture file.

D.8. text2pcap: Converting ASCII hexdumpsto network capturesThere may be some occasions when you wish to convert a hex dump of some network traffic in

-h : Display this help message-d : Generate detailed debug of parser states-o hex|oct : Parse offsets as (h)ex or (o)ctal. Default is hex-l typenum :

and destination UDP ports for the packet in decimal. Use this optionif your dump is the UDP payload of a packet but does not includeany UDP, IP or Eth

D.9. idl2wrs: Creating dissectors fromCORBA IDL filesIn an ideal world idl2wrs would be mentioned in the users guide in passing and documented in thed

Procedure for converting a CORBA idl file into a Wireshark dissector1. To write the C code to stdout.idl2wrs <your file.idl>eg:idl2wrs echo.idl2

4. More I am sure :-)D.9.5. LimitationsSee the TODO list inside packet-giop.cD.9.6. Notes1. The "-p ./" option passed to omniidl indicates t

Related command line tools204

Appendix E. This Document's License(GPL)As with the original licence and documentation distributed with Wireshark, this document iscovered by the

1.5. Development and maintenance ofWiresharkWireshark was initially developed by Gerald Combs. Ongoing development and maintenance ofWireshark is hand

either verbatim or with modifications and/or translated into anotherlanguage. (Hereinafter, translation is included without limitation inthe term &quo

The source code for a work means the preferred form of the work formaking modifications to it. For an executable work, complete sourcecode means all t

Each version is given a distinguishing version number. If the Programspecifies a version number of this License which applies to it and "anylater

Yoyodyne, Inc., hereby disclaims all copyright interest in the program`Gnomovision' (which makes passes at compilers) written by James Hacker.<

1.6. Reporting problems and getting helpIf you have problems, or need help with Wireshark, there are several places that may be of interestto you (wel

1.6.5. Reporting ProblemsNote!Before reporting any problems, please make sure you have installed the latest versionof Wireshark.When reporting problem

the D key together) will cause gdb to exit. This will leave you with a file calledbt.txt in the current directory. Include the file with your bug repo

Introduction12

Chapter 2. Building and InstallingWireshark2.1. IntroductionAs with all things, there must be a beginning, and so it is with Wireshark. To use Wiresha

2.2. Obtaining the source and binarydistributionsYou can obtain both source and binary distributions from the Wireshark web site: ht-tp://www.wireshar

2.3. Before you build Wireshark under UNIXBefore you build Wireshark from sources, or install a binary package, you must ensure that youhave the follo

Example 2.2. Building and installing libpcapgzip -dc libpcap-0.9.4.tar.Z | tar xvf -<much output removed>cd libpcap-0.9.4./configure<much out

2.4. Building Wireshark from source underUNIXUse the following general steps if you are building Wireshark from source under a UNIX operatingsystem:1.

2.5. Installing the binaries under UNIXIn general, installing the binary under your version of UNIX will be specific to the installation meth-ods used

2.6. Troubleshooting during the install onUnixA number of errors can occur during the installation process. Some hints on solving these areprovided he

2.7. Building from source under WindowsIt is recommended to use the binary installer for Windows, until you want to start developing Wire-shark on the

2.8. Installing Wireshark under WindowsIn this section we explore installing Wireshark under Windows from the binary packages.2.8.1. Install Wireshark

• Capinfos - Capinfos is a program that provides information on capture files.User's Guide - Local installation of the User's Guide. The Hel

stall, otherwise use defaults / user settings.• /D sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDir-RegKey. It

You can uninstall Wireshark the usual way, using the "Add or Remove Programs" option inside theControl Panel. Select the "Wireshark&quo

Building and Installing Wireshark25

Table of ContentsPreface ... viii1. Foreword

Chapter 3. User Interface3.1. IntroductionBy now you have installed Wireshark and are most likely keen to get started capturing your firstpackets. In

3.2. Start WiresharkYou can start Wireshark from your shell or window manager.Tip!When starting Wireshark it's possible to specify optional setti

3.3. The Main windowLets look at Wireshark's user interface. Figure 3.1, “The Main window” shows Wireshark as youwould usually see it after some

7. The statusbar (see Section 3.18, “The Statusbar”) shows some detailed information about thecurrent program state and the captured data.Tip!The layo

3.4. The MenuThe Wireshark menu sits on top of the Wireshark window. An example is shown in Figure 3.2, “TheMenu”.Note!Menu items will be greyed out i

3.5. The "File" menuThe Wireshark file menu contains the fields shown in Table 3.2, “File menu items”.Figure 3.3. The "File" MenuT

Menu Item Accelerator Description------Save Ctrl+SThis menu item saves the current capture. If you have not seta default capture file name (perhaps wi

Menu Item Accelerator DescriptionExport > as"PSML" file...This menu item allows you to export the (or some) of thepackets in the capture

3.6. The "Edit" menuThe Wireshark Edit menu contains the fields shown in Table 3.3, “Edit menu items”.Figure 3.4. The "Edit" MenuT

Menu Item Accelerator DescriptionSection 6.9, “Marking packets” for details.Find NextMarkShift+Ctrl+NFind the next marked packet.Find PreviousMarkShif

3.5. The "File" menu ...313.6. The "Edit" menu .

3.7. The "View" menuThe Wireshark View menu contains the fields shown in Table 3.4, “View menu items”.Figure 3.5. The "View" MenuT

Menu Item Accelerator DescriptionPacket BytesThis menu item hides or shows the packet bytes pane, seeSection 3.17, “The "Packet Bytes" pane”

Menu Item Accelerator Description...seconds: 0...precision of one second, decisecond, centisecond, milli-second, microsecond or nanosecond, see Secti

Menu Item Accelerator Descriptionpanded when you display a packet. This menu item expandsall subtrees in all packets in the capture.Collapse AllThis m

3.8. The "Go" menuThe Wireshark Go menu contains the fields shown in Table 3.5, “Go menu items”.Figure 3.6. The "Go" MenuTable 3.5

Menu Item Accelerator Descriptionmove to the previous packet even if the packet list doesn'thave keyboard focus.Next Packet Ctrl+DownMove to the

3.9. The "Capture" menuThe Wireshark Capture menu contains the fields shown in Table 3.6, “Capture menu items”.Figure 3.7. The "Capture

Menu Item Accelerator DescriptionCapture Fil-ters...This menu item brings up a dialog box that allows you to cre-ate and edit capture filters. You can

3.10. The "Analyze" menuThe Wireshark Analyze menu contains the fields shown in Table 3.7, “Analyze menu items”.Figure 3.8. The "Analyz

Menu Item Accelerator DescriptionFirewall ACLRulesThis allows you to create command-line ACL rules for manydifferent firewall products, including Cisc

6.4. Building display filter expressions ... 1106.4.1. Display filter fields ...

3.11. The "Statistics" menuThe Wireshark Statistics menu contains the fields shown in Table 3.8, “Statistics menu items”.Figure 3.9. The &qu

Menu Item Accelerator Description------ConversationListDisplay a list of conversations, obsoleted by the combinedwindow of Conversations above, see Se

3.12. The "Help" menuThe Wireshark Help menu contains the fields shown in Table 3.9, “Help menu items”.Figure 3.10. The "Help" Men

Note!Calling a Web browser might be unsupported in your version of Wireshark. If this isthe case, the corresponding menu items will be hidden.Note!If

3.13. The "Main" toolbarThe main toolbar provides quick access to frequently used items from the menu. This toolbar cannotbe customized by t

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionClose File/CloseThis item closes the current capture. If you havenot saved the capture, you w

ToolbarIconToolbar Item CorrespondingMenu ItemDescriptionMore detail on this subject is provided in Sec-tion 6.6, “Defining and saving filters”.Displa

3.14. The "Filter" toolbarThe filter toolbar lets you quickly edit and apply display filters. More information on display filtersis availabl

3.15. The "Packet List" paneThe packet list pane displays all the packets in the current capture file.Figure 3.13. The "Packet List&quo

3.16. The "Packet Details" paneThe packet details pane shows the current packet (selected in the "Packet List" pane) in a more de-

9.3. Packet colorization ... 1609.4. Control Protocol dissection ...

3.17. The "Packet Bytes" paneThe packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in ah

3.18. The StatusbarThe statusbar displays informational messages.In general, the left side will show context related information, while the right side

User Interface58

Chapter 4. Capturing Live NetworkData4.1. IntroductionCapturing live network data is one of the major features of Wireshark.The Wireshark capture engi

4.2. PrerequisitesSetting up Wireshark to capture packets for the first time can be tricky.Tip!A comprehensive guide "How To setup a Capture"

4.3. Start CapturingOne of the following methods can be used to start capturing packets with Wireshark:• You can get an overview of the available loca

4.4. The "Capture Interfaces" dialog boxWhen you select "Interfaces..." from the Capture menu, Wireshark pops up the "Capture

Capturing Live Network Data63

4.5. The "Capture Options" dialog boxWhen you select Start... from the Capture menu (or use the corresponding item in the "Main" t

drop-down list, so simply click on the button on the righthand side and select the interface you want. It defaults to thefirst non-loopback interface

Preface1. ForewordWireshark is one of those programs that many network managers would love to be able to use, butthey are often prevented from getting

CPU time is required for copying packets, less bufferspace is required for packets, and thus perhaps fewerpackets will be dropped if traffic is very h

... after n minute(s) Stop capturing after the given number ofsecond(s)/minutes(s)/hours(s)/days(s) have elapsed.4.5.4. Display Options frameUpdate li

4.6. Capture files and file modesWhile capturing, the underlying libpcap capturing engine will grab the packets from the networkcard and keep the pack

Single named file A single capture file will be used. If you want to place thenew capture file to a specific folder, choose this mode.Multiple files,

4.7. Link-layer header typeIn the usual case, you won't have to choose this link-layer header type. The following paragraphsdescribe the exceptio

4.8. Filtering while capturingWireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump manpage, which can be h

present, packets where the specified address appears in eitherthe source or destination address will be selected.gateway host <host> This primit

DISPLAY (x11) [remote name]:<display num>SESSIONNAME (terminal server) <remote name>Capturing Live Network Data73

4.9. While a Capture is running ...While a capture is running, the following dialog box is shown:Figure 4.3. The "Capture Info" dialog boxTh

Note!The Capture Info dialog box might be hidden, if the option "Hide capture infodialog" is used.2. Using the menu item "Capture/ Stop

2. Who should read this document?The intended audience of this book is anyone using Wireshark.This book will explain all the basics and also some of t

Capturing Live Network Data76

Chapter 5. File Input / Output andPrinting5.1. IntroductionThis chapter will describe input and output of capture data.• Open/Import capture files in

5.2. Open capture filesWireshark can read in previously saved capture files. To read them, simply select the menu or tool-bar item: "File/ Open&q

Save a lot of time on huge capture files!You can change the display filter and name resolution settings later while viewing thepackets. However, for h

Figure 5.3. "Open" - old GTK versionWindows (GTK1 installed)This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark

• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities• the text output from the DBS Etherwatch VMS utility• Visual Networks' Visua

5.3. Saving captured packetsYou can save captured packets simply by using the Save As... menu item from the File menu underWireshark. You can choose w

Figure 5.6. "Save" - old GTK versionUnix/Linux: GTK version < 2.4 / MicrosoftWindows (GTK1 installed)This is the file save dialog of form

3. Select the range of the packets to be saved, see Section 5.8, “The Packet Range frame”4. Specify the format of the saved capture file by clicking o

Third party protocol analyzers may require specific fileextensions!Other protocol analyzers than Wireshark may require that the file has a certain fil