Diffstat (limited to 'doc/wireshark.adoc')
-rw-r--r-- | doc/wireshark.adoc | 2735 |
1 files changed, 0 insertions, 2735 deletions
diff --git a/doc/wireshark.adoc b/doc/wireshark.adoc deleted file mode 100644 index 24434827..00000000 --- a/doc/wireshark.adoc +++ /dev/null 
@@ -1,2735 +0,0 @@ -include::../docbook/attributes.adoc[] -= wireshark(1) -:doctype: manpage -:stylesheet: ws.css -:linkcss: -:copycss: ../docbook/{stylesheet} - -== NAME - -wireshark - Interactively dump and analyze network traffic - -== SYNOPSIS - -[manarg] -*wireshark* -[ *-i* <capture interface>|- ] -[ *-f* <capture filter> ] -[ *-Y* <display filter> ] -[ *-w* <outfile> ] -[ *options* ] -[ <infile> ] - -[manarg] -*wireshark* -*-h|--help* - -[manarg] -*wireshark* -*-v|--version* - -== DESCRIPTION - -*Wireshark* is a GUI network protocol analyzer. It lets you -interactively browse packet data from a live network or from a -previously saved capture file. *Wireshark*'s native capture file -formats are *pcapng* format and *pcap* format; it can read and write -both formats.. *pcap* format is also the format used by *tcpdump* and -various other tools; *tcpdump*, when using newer versions of the -*libpcap* library, can also read some pcapng files, and, on newer -versions of macOS, can read all pcapng files and can write them as well. 
- -*Wireshark* can also read / import the following file formats: - -* Oracle (previously Sun) *snoop* and *atmsnoop* captures - -* Finisar (previously Shomiti) *Surveyor* captures - -* Microsoft *Network Monitor* captures - -* Novell *LANalyzer* captures - -* AIX's *iptrace* captures - -* Cinco Networks *NetXRay* captures - -* NETSCOUT (previously Network Associates/Network General) Windows-based -*Sniffer* captures - -* Network General/Network Associates DOS-based *Sniffer* captures -(compressed or uncompressed) - -* LiveAction (previously WildPackets/Savvius) **Peek*/*EtherHelp*/*PacketGrabber* captures - -* *RADCOM*'s WAN/LAN analyzer captures - -* Viavi (previously Network Instruments) *Observer* captures - -* *Lucent/Ascend* router debug output - -* captures from HP-UX *nettl* - -* *Toshiba's* ISDN routers dump output - -* the output from *i4btrace* from the ISDN4BSD project - -* traces from the *EyeSDN* USB S0 - -* the *IPLog* format output from the Cisco Secure Intrusion Detection System - -* *pppd logs* (pppdump format) - -* the output from VMS's *TCPIPtrace*/*TCPtrace*/*UCX$TRACE* utilities - -* the text output from the *DBS Etherwatch* VMS utility - -* Visual Networks' *Visual UpTime* traffic capture - -* the output from *CoSine* L2 debug - -* the output from InfoVista (previously Accellent) *5View* LAN agents - -* Endace Measurement Systems' ERF format captures - -* Linux Bluez Bluetooth stack *hcidump -w* traces - -* Catapult DCT2000 .out files - -* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode - -* IBM Series (OS/400) Comm traces (ASCII & UNICODE) - -* Juniper Netscreen snoop files - -* Symbian OS btsnoop files - -* TamoSoft CommView files - -* Tektronix K12xx 32bit .rf5 format files - -* Tektronix K12 text file format captures - -* Apple PacketLogger files - -* Captures from Aethra Telecommunications' PC108 software for their test -instruments - -* Citrix NetScaler Trace files - -* Android Logcat binary and text format logs - 
-* Colasoft Capsa and PacketBuilder captures - -* Micropross mplog files - -* Unigraf DPA-400 DisplayPort AUX channel monitor traces - -* 802.15.4 traces from Daintree's Sensor Network Analyzer - -* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 - -* Log files from the _candump_ utility - -* Logs from the BUSMASTER tool - -* Ixia IxVeriWave raw captures - -* Rabbit Labs CAM Inspector files - -* _systemd_ journal files - -* 3GPP TS 32.423 trace files - -There is no need to tell *Wireshark* what type of -file you are reading; it will determine the file type by itself. -*Wireshark* is also capable of reading any of these file formats if they -are compressed using gzip. *Wireshark* recognizes this directly from -the file; the '.gz' extension is not required for this purpose. - -Like other protocol analyzers, *Wireshark*'s main window shows 3 views -of a packet. It shows a summary line, briefly describing what the -packet is. A packet details display is shown, allowing you to drill -down to exact protocol or field that you interested in. Finally, a hex -dump shows you exactly what the packet looks like when it goes over the -wire. - -In addition, *Wireshark* has some features that make it unique. It can -assemble all the packets in a TCP conversation and show you the ASCII -(or EBCDIC, or hex) data in that conversation. Display filters in -*Wireshark* are very powerful; more fields are filterable in *Wireshark* -than in other protocol analyzers, and the syntax you can use to create -your filters is richer. As *Wireshark* progresses, expect more and more -protocol fields to be allowed in display filters. - -Packet capturing is performed with the pcap library. The capture filter -syntax follows the rules of the pcap library. This syntax is different -from the display filter syntax. - -Compressed file support uses (and therefore requires) the zlib library. -If the zlib library is not present, *Wireshark* will compile, but will -be unable to read compressed files. 
- -The pathname of a capture file to be read can be specified with the -*-r* option or can be specified as a command-line argument. - -== OPTIONS - -Most users will want to start *Wireshark* without options and configure -it from the menus instead. Those users may just skip this section. - --a|--autostop <capture autostop condition>:: -+ --- -Specify a criterion that specifies when *Wireshark* is to stop writing -to a capture file. The criterion is of the form __test:value__, -where __test__ is one of: - -*duration*:__value__ Stop writing to a capture file after __value__ seconds have -elapsed. Floating point values (e.g. 0.5) are allowed. - -*files*:__value__ Stop writing to capture files after __value__ number of files -were written. - -*filesize*:__value__ Stop writing to a capture file after it reaches a size of -__value__ kB. If this option is used together with the -b option, Wireshark -will stop writing to the current capture file and switch to the next one if -filesize is reached. Note that the filesize is limited to a maximum value of -2 GiB. - -*packets*:__value__ Stop writing to a capture file after it contains __value__ -packets. Acts the same as *-c*<capture packet count>. --- - --b|--ring-buffer <capture ring buffer option>:: -+ --- -Cause *Wireshark* to run in "multiple files" mode. In "multiple files" mode, -*Wireshark* will write to several capture files. When the first capture file -fills up, *Wireshark* will switch writing to the next file and so on. - -The created filenames are based on the filename given with the *-w* flag, -the number of the file and on the creation date and time, -e.g. outfile_00001_20240714120117.pcap, outfile_00002_20240714120523.pcap, ... - -With the __files__ option it's also possible to form a "ring buffer". -This will fill up new files until the number of files specified, -at which point *Wireshark* will discard the data in the first file and start -writing to that file and so on. 
If the __files__ option is not set, -new files filled up until one of the capture stop conditions match (or -until the disk is full). - -The criterion is of the form __key:value__, -where __key__ is one of: - -*duration*:__value__ switch to the next file after __value__ seconds have -elapsed, even if the current file is not completely filled up. Floating -point values (e.g. 0.5) are allowed. - -*files*:__value__ begin again with the first file after __value__ number of -files were written (form a ring buffer). This value must be less than 100000. -Caution should be used when using large numbers of files: some filesystems do -not handle many files in a single directory well. The *files* criterion -requires one of the other criteria to be specified to -control when to go to the next file. It should be noted that each *-b* -parameter takes exactly one criterion; to specify two criteria, each must be -preceded by the *-b* option. - -*filesize*:__value__ switch to the next file after it reaches a size of -__value__ kB. Note that the filesize is limited to a maximum value of 2 GiB. - -*interval*:__value__ switch to the next file when the time is an exact -multiple of __value__ seconds. - -*packets*:__value__ switch to the next file after it contains __value__ -packets. - -Example: *-b filesize:1000 -b files:5* results in a ring buffer of five files -of size one megabyte each. --- - --B|--buffer-size <capture buffer size>:: -+ --- -Set capture buffer size (in MiB, default is 2 MiB). This is used by -the capture driver to buffer packet data until that data can be written -to disk. If you encounter packet drops while capturing, try to increase -this size. Note that, while *Wireshark* attempts to set the buffer size -to 2 MiB by default, and can be told to set it to a larger value, the -system or interface on which you're capturing might silently limit the -capture buffer size to a lower value or raise it to a higher value. 
- -This is available on UNIX-compatible systems, such as Linux, macOS, -\*BSD, Solaris, and AIX, with libpcap 1.0.0 or later, and on Windows. -It is not available on UNIX-compatible systems with earlier versions of -libpcap. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default capture buffer size. -If used after an *-i* option, it sets the capture buffer size for -the interface specified by the last *-i* option occurring before -this option. If the capture buffer size is not set specifically, -the default capture buffer size is used instead. --- - --c <capture packet count>:: -+ --- -Set the maximum number of packets to read when capturing live -data. Acts the same as *-a packets:*<capture packet count>. --- - --C <configuration profile>:: -+ --- -Start with the given configuration profile. --- - ---capture-comment <comment>:: -+ --- -When performing a capture file from the command line, with the *-k* -flag, add a capture comment to the output file, if supported by the -capture format. - -This option may be specified multiple times. Note that Wireshark -currently only displays the first comment of a capture file. --- - --D|--list-interfaces:: -+ --- -Print a list of the interfaces on which *Wireshark* can capture, and -exit. For each network interface, a number and an interface name, -possibly followed by a text description of the interface, is printed. -The interface name or the number can be supplied to the *-i* flag to -specify an interface on which to capture. The number can be useful on -Windows systems, where the interfaces have long names that usually -contain a GUID. --- - ---display <X display to use>:: -+ --- -Specifies the X display to use. A hostname and screen (otherhost:0.0) -or just a screen (:0.0) can be specified. This option is not available -under macOS or Windows. --- - --f <capture filter>:: -+ --- -Set the capture filter expression. - -This option can occur multiple times. 
If used before the first -occurrence of the *-i* option, it sets the default capture filter expression. -If used after an *-i* option, it sets the capture filter expression for -the interface specified by the last *-i* option occurring before -this option. If the capture filter expression is not set specifically, -the default capture filter expression is used if provided. - -Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters, -can be used by prefixing the argument with "predef:". -Example: *-f "predef:MyPredefinedHostOnlyFilter"* --- - ---fullscreen:: -+ --- -Start Wireshark in full screen mode (kiosk mode). To exit from fullscreen mode, -open the View menu and select the Full Screen option. Alternatively, press the -F11 key (or Ctrl + Cmd + F for macOS). --- - --g <packet number>:: -After reading in a capture file using the *-r* flag, go to the given __packet number__. - --h|--help:: -Print the version number and options and exit. - --H:: -Hide the capture info dialog during live packet capture. - --i|--interface <capture interface>|-:: -+ --- -Set the name of the network interface or pipe to use for live packet -capture. - -Network interface names should match one of the names listed in "*wireshark --D*" (described above); a number, as reported by "*tshark -D*", can also -be used. - -If no interface is specified, *Wireshark* searches the list of -interfaces, choosing the first non-loopback interface if there are any -non-loopback interfaces, and choosing the first loopback interface if -there are no non-loopback interfaces. If there are no interfaces at all, -*Wireshark* reports an error and doesn't start the capture. - -Pipe names should be either the name of a FIFO (named pipe) or "-" to -read data from the standard input. On Windows systems, pipe names must be -of the form +"\\.\pipe\+*pipename*". Data read from pipes must be in -standard pcapng or pcap format. 
Pcapng data must have the same -endianness as the capturing host. - -"TCP@<host>:<port>" causes *Wireshark* to attempt to connect to the -specified port on the specified host and read pcapng or pcap data. - -This option can occur multiple times. When capturing from multiple -interfaces, the capture file will be saved in pcapng format. --- - --I|--monitor-mode:: -+ --- -Put the interface in "monitor mode"; this is supported only on IEEE -802.11 Wi-Fi interfaces, and supported only on some operating systems. - -Note that in monitor mode the adapter might disassociate from the -network with which it's associated, so that you will not be able to use -any wireless networks with that adapter. This could prevent accessing -files on a network server, or resolving host names or network addresses, -if you are capturing in monitor mode and are not connected to another -network with another adapter. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it enables the monitor mode for all interfaces. -If used after an *-i* option, it enables the monitor mode for -the interface specified by the last *-i* option occurring before -this option. --- - --j:: -Use after *-J* to change the behavior when no exact match is found for -the filter. With this option select the first packet before. - --J <jump filter>:: -+ --- -After reading in a capture file using the *-r* flag, jump to the packet -matching the filter (display filter syntax). If no exact match is found -the first packet after that is selected. --- - --k:: -+ --- -Start the capture session immediately. If the *-i* flag was -specified, the capture uses the specified interface. 
Otherwise, -*Wireshark* searches the list of interfaces, choosing the first -non-loopback interface if there are any non-loopback interfaces, and -choosing the first loopback interface if there are no non-loopback -interfaces; if there are no interfaces, *Wireshark* reports an error and -doesn't start the capture. --- - --l:: -Turn on automatic scrolling if the packet display is being updated -automatically as packets arrive during a capture (as specified by the -*-S* flag). - --L|--list-data-link-types:: -List the data link types supported by the interface and exit. - ---list-time-stamp-types:: -List time stamp types supported for the interface. If no time stamp type can be -set, no time stamp types are listed. - --o <preference/recent setting>:: -+ --- -Set a preference or recent value, overriding the default value and any value -read from a preference/recent file. The argument to the flag is a string of -the form __prefname:value__, where __prefname__ is the name of the -preference/recent value (which is the same name that would appear in the -preference/recent file), and __value__ is the value to which it should be set. -Since *Ethereal* 0.10.12, the recent settings replaces the formerly used --B, -P and -T flags to manipulate the GUI dimensions. - -If __prefname__ is "uat", you can override settings in various user access -tables using the form "uat:__uat filename__:__uat record__". __uat filename__ -must be the name of a UAT file, e.g. __user_dlts__. __uat_record__ must be in -the form of a valid record for that file, including quotes. For instance, to -specify a user DLT from the command line, you would use - - -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\"" --- - --p|--no-promiscuous-mode:: -+ --- -__Don't__ put the interface into promiscuous mode. 
Note that the -interface might be in promiscuous mode for some other reason; hence, -*-p* cannot be used to ensure that the only traffic that is captured is -traffic sent to or from the machine on which *Wireshark* is running, -broadcast traffic, and multicast traffic to addresses received by that -machine. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, no interface will be put into the -promiscuous mode. -If used after an *-i* option, the interface specified by the last *-i* -option occurring before this option will not be put into the -promiscuous mode. --- - --P <path setting>:: -+ --- -Special path settings usually detected automatically. This is used for -special cases, e.g. starting Wireshark from a known location on an USB stick. - -The criterion is of the form __key:path__, where __key__ is one of: - -*persconf*:__path__ path of personal configuration files, like the -preferences files. - -*persdata*:__path__ path of personal data files, it's the folder initially -opened. After the very first initialization, the recent file will keep the -folder last used. --- - --r|--read-file <infile>:: -+ --- -Read packet data from __infile__, can be any supported capture file format -(including gzipped files). It's not possible to use named pipes or stdin -here! To capture from a pipe or from stdin use *-i -* --- - --R|--read-filter <read (display) filter>:: -+ --- -When reading a capture file specified with the *-r* flag, causes the -specified filter (which uses the syntax of display filters, rather than -that of capture filters) to be applied to all packets read from the -capture file; packets not matching the filter are discarded. --- - --s|--snapshot-length <capture snaplen>:: -+ --- -Set the default snapshot length to use when capturing live data. -No more than __snaplen__ bytes of each network packet will be read into -memory, or saved to disk. 
A value of 0 specifies a snapshot length of -262144, so that the full packet is captured; this is the default. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default snapshot length. -If used after an *-i* option, it sets the snapshot length for -the interface specified by the last *-i* option occurring before -this option. If the snapshot length is not set specifically, -the default snapshot length is used if provided. --- - --S:: -Automatically update the packet display as packets are coming in. - ---temp-dir <directory>:: -+ --- -Specifies the directory into which temporary files (including capture -files) are to be written. The default behavior on UNIX-compatible systems, -such as Linux, macOS, \*BSD, Solaris, and AIX, is to use the environment -variable __$TMPDIR__ if set, and the system default, typically __/tmp__, if it -is not. On Windows, the __%TEMP%__ environment variable is used, which -typically defaults to __%USERPROFILE%\AppData\Local\Temp__. --- - ---time-stamp-type <type>:: -Change the interface's timestamp method. See --list-time-stamp-types. - ---update-interval <interval>:: -Set the length of time in milliseconds between new packet reports during -a capture. Also sets the granularity of file duration conditions. -The default value is 100ms. - --v|--version:: -Print the full version information and exit. - --w <outfile>:: -Set the default capture file name, or '-' for standard output. - --X <eXtension options>:: -+ --- -Specify an option to be passed to an *Wireshark* module. The eXtension option -is in the form __extension_key:value__, where __extension_key__ can be: - -*lua_script*:__lua_script_filename__ tells *Wireshark* to load the given script in addition to the -default Lua scripts. - -**lua_script**__num__:__argument__ tells *Wireshark* to pass the given argument -to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command. 
-For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo' -will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua' -and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua -script, namely 'other.lua'. - -*read_format*:__file_format__ tells *Wireshark* to use the given file format to read in the -file (the file given in the *-r* command option). - -*stdin_descr*:__description__ tells *Wireshark* to use the given description when -capturing from standard input (*-i -*). --- - --y|--linktype <capture link type>:: -+ --- -If a capture is started from the command line with *-k*, set the data -link type to use while capturing packets. The values reported by *-L* -are the values that can be used. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default capture link type. -If used after an *-i* option, it sets the capture link type for -the interface specified by the last *-i* option occurring before -this option. If the capture link type is not set specifically, -the default capture link type is used if provided. --- - --Y|--display-filter <displaY filter>:: -Start with the given display filter. - --z <statistics>:: -+ --- -Get *Wireshark* to collect various types of statistics and display the result -in a window that updates in semi-real time. - -Some of the currently implemented statistics are: --- - -*-z help*:: -Display all possible values for *-z*. - -*-z* afp,srt[,__filter__]:: -+ --- -Show Apple Filing Protocol service response time statistics. --- - -*-z* conv,__type__[,__filter__]:: -+ --- -Create a table that lists all conversations that could be seen in the -capture. 
__type__ specifies the conversation endpoint types for which we -want to generate the statistics; currently the supported ones are: - - "eth" Ethernet addresses - "fc" Fibre Channel addresses - "fddi" FDDI addresses - "ip" IPv4 addresses - "ipv6" IPv6 addresses - "ipx" IPX addresses - "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported - "tr" Token Ring addresses - "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported - -If the optional __filter__ is specified, only those packets that match the -filter will be used in the calculations. - -The table is presented with one line for each conversation and displays -the number of packets/bytes in each direction as well as the total -number of packets/bytes. By default, the table is sorted according to -the total number of packets. - -These tables can also be generated at runtime by selecting the appropriate -conversation type from the menu "Tools/Statistics/Conversation List/". --- - -*-z* dcerpc,srt,__name-or-uuid__,__major__.__minor__[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for DCERPC interface -__name__ or __uuid__, version __major__.__minor__. -Data collected is the number of calls for each procedure, MinSRT, MaxSRT -and AvgSRT. -Interface __name__ and __uuid__ are case-insensitive. - -Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0*# will collect data for the CIFS SAMR Interface. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4*# will collect SAMR -SRT statistics for a specific host. --- - -*-z* dhcp,stat[,__filter__]:: -Show DHCP (BOOTP) statistics. - -*-z* expert:: -Show expert information. - -*-z* fc,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for FC. 
Data collected -is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z fc,srt* -will calculate the Service Response Time as the time delta between the -First packet of the exchange and the Last packet of the exchange. - -The data will be presented as separate tables for all normal FC commands, -Only those commands that are seen in the capture will have its stats -displayed. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "fc,srt,fc.id==01.02.03"* will collect stats only for -FC packets exchanged by the host at FC address 01.02.03 . --- - -*-z* h225,counter[__,filter__]:: -+ --- -Count ITU-T H.225 messages and their reasons. In the first column you get a -list of H.225 messages and H.225 message reasons which occur in the current -capture file. The number of occurrences of each message or reason is displayed -in the second column. - -Example: *-z h225,counter* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "h225,counter,ip.addr==1.2.3.4"* will collect stats only for -H.225 packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* h225,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS. -Data collected is the number of calls of each ITU-T H.225 RAS Message Type, -Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet. -You will also get the number of Open Requests (Unresponded Requests), -Discarded Responses (Responses without matching request) and Duplicate Messages. - -Example: *-z h225,srt* - -This option can be used multiple times on the command line. 
- -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "h225,srt,ip.addr==1.2.3.4"* will collect stats only for -ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* io,stat:: -+ --- -Collect packet/bytes statistics for the capture in intervals of 1 second. -This option will open a window with up to 5 color-coded graphs where -number-of-packets-per-second or number-of-bytes-per-second statistics -can be calculated and displayed. - -This option can be used multiple times on the command line. - -This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat -menu item. --- - -*-z* ldap,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for LDAP. Data collected -is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z ldap,srt* -will calculate the Service Response Time as the time delta between the -Request and the Response. - -The data will be presented as separate tables for all implemented LDAP commands, -Only those commands that are seen in the capture will have its stats -displayed. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: use *-z "ldap,srt,ip.addr==10.1.1.1"* will collect stats only for -LDAP packets exchanged by the host at IP address 10.1.1.1 . - -The only LDAP commands that are currently implemented and for which the stats will be available are: -BIND -SEARCH -MODIFY -ADD -DELETE -MODRDN -COMPARE -EXTENDED --- - -*-z* megaco,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for MEGACO. -(This is similar to *-z smb,srt*). Data collected is the number of calls -for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT. 
- -Example: *-z megaco,srt* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "megaco,srt,ip.addr==1.2.3.4"* will collect stats only for -MEGACO packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* mgcp,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for MGCP. -(This is similar to *-z smb,srt*). Data collected is the number of calls -for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT. - -Example: *-z mgcp,srt* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "mgcp,srt,ip.addr==1.2.3.4"* will collect stats only for -MGCP packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* mtp3,msus[,<filter>]:: -Show MTP3 MSU statistics. - -*-z* multicast,stat[,<filter>]:: -Show UDP multicast stream statistics. - -*-z* rpc,programs:: -+ --- -Collect call/reply SRT data for all known ONC-RPC programs/versions. -Data collected is the number of calls for each protocol/version, MinSRT, -MaxSRT and AvgSRT. --- - -*-z* rpc,srt,__name-or-number__,__version__[,<filter>]:: -+ --- -Collect call/reply SRT (Service Response Time) data for program -__name__/__version__ or __number__/__version__. -Data collected is the number of calls for each procedure, MinSRT, MaxSRT and -AvgSRT. -Program __name__ is case-insensitive. - -Example: *-z rpc,srt,100003,3* will collect data for NFS v3. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: [.nowrap]#*-z rpc,srt,nfs,3,nfs.fh.hash==0x12345678*# will collect NFS v3 -SRT statistics for a specific file. 
--- - -*-z* scsi,srt,__cmdset__[,<filter>]:: -+ --- -Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>. - -Commandsets are 0:SBC 1:SSC 5:MMC - -Data collected -is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT. - -Example: *-z scsi,srt,0* will collect data for SCSI BLOCK COMMANDS (SBC). - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z scsi,srt,0,ip.addr==1.2.3.4* will collect SCSI SBC -SRT statistics for a specific iscsi/ifcp/fcip host. --- - -*-z* sip,stat[__,filter__]:: -+ --- -This option will activate a counter for SIP messages. You will get the number -of occurrences of each SIP Method and of each SIP Status-Code. Additionally you -also get the number of resent SIP Messages (only for SIP over UDP). - -Example: *-z sip,stat* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "sip,stat,ip.addr==1.2.3.4"* will collect stats only for -SIP packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* smb,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for SMB. Data collected -is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z smb,srt* - -The data will be presented as separate tables for all normal SMB commands, -all Transaction2 commands and all NT Transaction commands. -Only those commands that are seen in the capture will have their stats -displayed. -Only the first command in a xAndX command chain will be used in the -calculation. So for common SessionSetupAndX + TreeConnectAndX chains, -only the SessionSetupAndX call will be used in the statistics. -This is a flaw that might be fixed in the future. 
- -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "smb,srt,ip.addr==1.2.3.4"* will collect stats only for -SMB packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* voip,calls:: -+ --- -This option will show a window that shows VoIP calls found in the capture file. -This is the same window shown as when you go to the Statistics Menu and choose -VoIP Calls. - -Example: *-z voip,calls* --- - -*-z* wlan,stat[,<filter>]:: -Show IEEE 802.11 network and station statistics. - -*-z* wsp,stat[,<filter>]:: -Show WSP packet counters. - -include::dissection-options.adoc[tags=**;!tshark] - -include::diagnostic-options.adoc[] - -== INTERFACE - -=== MENU ITEMS - -menu:File[Open]:: - -menu:File[Open Recent]:: - -menu:File[Merge]:: -Merge another capture file to the currently loaded one. The __File:Merge__ -dialog box allows the merge "Prepended", "Chronologically" or "Appended", -relative to the already loaded one. - -menu:File[Close]:: -Open or close a capture file. The __File:Open__ dialog box -allows a filter to be specified; when the capture file is read, the -filter is applied to all packets read from the file, and packets not -matching the filter are discarded. The __File:Open Recent__ is a submenu -and will show a list of previously opened files. - -menu:File[Save]:: - -menu:File[Save As]:: -Save the current capture, or the packets currently displayed from that -capture, to a file. Check boxes let you select whether to save all -packets, or just those that have passed the current display filter and/or -those that are currently marked, and an option menu lets you select (from -a list of file formats in which at particular capture, or the packets -currently displayed from that capture, can be saved), a file format in -which to save it. 
- -menu:File[File Set,List Files]:: -Show a dialog box that lists all files of the file set matching the currently -loaded file. A file set is a compound of files resulting from a capture using -the "multiple files" / "ringbuffer" mode, recognizable by the filename pattern, -e.g.: Filename_00001_20240714101530.pcap. - -menu:File[File Set,Next File]:: - -menu:File[File Set,Previous File]:: -If the currently loaded file is part of a file set (see above), open the -next / previous file in that set. - -menu:File[Export]:: -Export captured data into an external format. Note: the data cannot be -imported back into Wireshark, so be sure to keep the capture file. - -menu:File[Print]:: -Print packet data from the current capture. You can select the range of -packets to be printed (which packets are printed), and the output format of -each packet (how each packet is printed). The output format will be similar -to the displayed values, so a summary line, the packet details view, and/or -the hex dump of the packet can be printed. - -menu:File[Quit]:: -Exit the application. - -menu:Edit[Copy,Description]:: -Copies the description of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,Fieldname]:: -Copies the fieldname of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,Value]:: -Copies the value of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,As Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details and copy that filter to the clipboard. - -If that data is a field that can be tested in a display filter -expression, the display filter will test that field; otherwise, the -display filter will be based on the absolute offset within the packet. -Therefore it could be unreliable if the packet contains protocols with -variable-length headers, such as a source-routed token-ring packet. 
--- - -menu:Edit[Find Packet]:: -+ --- -Search forward or backward, starting with the currently selected packet -(or the most recently selected packet, if no packet is selected). Search -criteria can be a display filter expression, a string of hexadecimal -digits, or a text string. - -When searching for a text string, you can search the packet data, or you -can search the text in the Info column in the packet list pane or in the -packet details pane. - -Hexadecimal digits can be separated by colons, periods, or dashes. -Text string searches can be ASCII or Unicode (or both), and may be -case insensitive. --- - -menu:Edit[Find Next]:: - -menu:Edit[Find Previous]:: -Search forward / backward for a packet matching the filter from the previous -search, starting with the currently selected packet (or the most recently -selected packet, if no packet is selected). - -menu:Edit[Mark Packet (toggle)]:: -Mark (or unmark if currently marked) the selected packet. The field -"frame.marked" is set for packets that are marked, so that, for example, -a display filters can be used to display only marked packets, and so that -the /"Edit:Find Packet" dialog can be used to find the next or previous -marked packet. - -menu:Edit[Find Next Mark]:: - -menu:Edit[Find Previous Mark]:: -Find next or previous marked packet. - -menu:Edit[Mark All Packets]:: - -menu:Edit[Unmark All Packets]:: -Mark or unmark all packets that are currently displayed. - -menu:Edit[Time Reference,Set Time Reference (toggle)]:: -+ --- -Set (or unset if currently set) the selected packet as a Time Reference packet. -When a packet is set as a Time Reference packet, the timestamps in the packet -list pane will be replaced with the string "*REF*". -The relative time timestamp in later packets will then be calculated relative -to the timestamp of this Time Reference packet and not the first packet in -the capture. 
- -Packets that have been selected as Time Reference packets will always be -displayed in the packet list pane. Display filters will not affect or -hide these packets. - -If there is a column displayed for "Cumulative Bytes" this counter will -be reset at every Time Reference packet. --- - -menu:Edit[Time Reference,Find Next]:: - -menu:Edit[Time Reference,Find Previous]:: -Search forward or backward for a time referenced packet. - -menu:Edit[Configuration Profiles]:: -Manage configuration profiles to be able to use more than one set of preferences and configurations. - -menu:Edit[Preferences]:: -Set the GUI, capture, and protocol options (see /Preferences dialog below). - -menu:View[Main Toolbar]:: - -menu:View[Filter Toolbar]:: - -menu:View[Statusbar]:: -Show or hide the main window controls. - -menu:View[Packet List]:: - -menu:View[Packet Details]:: - -menu:View[Packet Bytes]:: -Show or hide the main window panes. - -menu:View[Time Display Format]:: -Set the format of the packet timestamp displayed in the packet list window. - -menu:View[Name Resolution,Resolve Name]:: -Try to resolve a name for the currently selected item. - -menu:View[Name Resolution,Enable for ... Layer]:: -Enable or disable translation of addresses to names in the display. - -menu:View[Colorize Packet List]:: -Enable or disable the coloring rules. -Disabling will improve performance. - -menu:View[Auto Scroll in Live Capture]:: -Enable or disable the automatic scrolling of the packet list while a live capture is in progress. - -menu:View[Zoom In]:: - -menu:View[Zoom Out]:: -Zoom into or out of the main window data (by changing the font size). - -menu:View[Normal Size]:: -Reset the zoom level back to normal font size. - -menu:View[Resize All Columns]:: -Resize all columns to best fit the current packet display. - -menu:View[Expand / Collapse Subtrees]:: -Expand or collapse the currently selected item and its subtrees in the packet details. 
- -menu:View[Expand All]:: - -menu:View[Collapse All]:: -Expand or Collapse all branches of the packet details. - -menu:View[Colorize Conversation]:: -Select a color for a conversation. - -menu:View[Reset Coloring 1-10]:: -Reset a color for a conversation. - -menu:View[Coloring Rules]:: -Change the foreground and background colors of the packet information in -the list of packets, based upon display filters. The list of display -filters is applied to each packet sequentially. After the first display -filter matches a packet, any additional display filters in the list are -ignored. Therefore, if you are filtering on the existence of protocols, -you should list the higher-level protocols first, and the lower-level -protocols last. - -How Colorization Works:: -+ --- -Packets are colored according to a list of color filters. Each filter -consists of a name, a filter expression and a coloration. A packet is -colored according to the first filter that it matches. Color filter -expressions use exactly the same syntax as display filter expressions. - -When Wireshark starts, the color filters are loaded from: - -1. The user's personal color filters file or, if that does not exist, -2. The global color filters file. - -If neither of these exist then the packets will not be colored. --- - -menu:View[Show Packet In New Window]:: -Create a new window containing a packet details view and a hex dump -window of the currently selected packet; this window will continue to -display that packet's details and data even if another packet is -selected. - -menu:View[Reload]:: -Reload a capture file. Same as __File:Close__ and __File:Open__ the same file again. - -menu:Go[Back]:: -Go back in previously visited packets history. - -menu:Go[Forward]:: -Go forward in previously visited packets history. - -menu:Go[Go To Packet]:: -Go to a particular numbered packet. 
- -menu:Go[Go To Corresponding Packet]:: -If a field in the packet details pane containing a packet number is -selected, go to the packet number specified by that field. (This works -only if the dissector that put that entry into the packet details put it -into the details as a filterable field rather than just as text.) This -can be used, for example, to go to the packet for the request -corresponding to a reply, or the reply corresponding to a request, if -that packet number has been put into the packet details. - -menu:Go[Previous Packet]:: - -menu:Go[Next Packet]:: - -menu:Go[First Packet]:: - -menu:Go[Last Packet]:: -Go to the previous, next, first, or last packet in the capture. - -menu:Go[Previous Packet In Conversation]:: - -menu:Go[Next Packet In Conversation]:: -Go to the previous or next packet of the TCP, UDP or IP conversation. - -menu:Capture[Interfaces]:: -Shows a dialog box with all currently known interfaces and displaying the -current network traffic amount. Capture sessions can be started from here. -Beware: keeping this box open results in high system load! - -menu:Capture[Options]:: -Initiate a live packet capture (see /"Capture Options Dialog" -below). If no filename is specified, a temporary file will be created -to hold the capture. Temporary files are written in the directory listed -in menu:Help[About Wireshark > Folders]. This location can be chosen with the -command line option *--temp-dir*, or by setting the environment variable -TMPDIR (on UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, -and AIX) or TEMP (on Windows) before starting **Wireshark**. - -menu:Capture[Start]:: -Start a live packet capture with the previously selected options. This won't -open the options dialog box, and can be convenient for repeatedly capturing -with the same options. - -menu:Capture[Stop]:: -Stop a running live capture. - -menu:Capture[Restart]:: -While a live capture is running, stop it and restart with the same options -again. 
This can be convenient to remove irrelevant packets, if no valuable -packets were captured so far. - -menu:Capture[Capture Filters]:: -Edit the saved list of capture filters, allowing filters to be added, changed, or deleted. - -menu:Analyze[Display Filters]:: -Edit the saved list of display filters, allowing filters to be added, changed, or deleted. - -menu:Analyze[Display Filter Macros]:: -Create shortcuts for complex macros. - -menu:Analyze[Apply as Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details and apply the filter. - -If that data is a field that can be tested in a display filter -expression, the display filter will test that field; otherwise, the -display filter will be based on the absolute offset within the packet. -Therefore it could be unreliable if the packet contains protocols with -variable-length headers, such as a source-routed token-ring packet. - -The *Selected* option creates a display filter that tests for a match -of the data; the *Not Selected* option creates a display filter that -tests for a non-match of the data. The *And Selected*, *Or Selected*, -*And Not Selected*, and *Or Not Selected* options add to the end of -the display filter in the strip at the top (or bottom) an AND or OR -operator followed by the new display filter expression. --- - -menu:Analyze[Prepare as Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details. The filter strip at the top (or bottom) is updated but -it is not yet applied. --- - -menu:Analyze[Enabled Protocols]:: -+ --- -Allow protocol dissection to be enabled or disabled for a specific -protocol. Individual protocols can be enabled or disabled by clicking -on them in the list or by highlighting them and pressing the space bar. -The entire list can be enabled, disabled, or inverted using the buttons -below the list. 
- -When a protocol is disabled, dissection in a particular packet stops -when that protocol is reached, and Wireshark moves on to the next packet. -Any higher-layer protocols that would otherwise have been processed will -not be displayed. For example, disabling TCP will prevent the dissection -and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively -dependent on TCP. - -The list of protocols can be saved, so that Wireshark will start up with -the protocols in that list disabled. --- - -menu:Analyze[Decode As]:: -If you have a packet selected, present a dialog allowing you to change -which dissectors are used to decode this packet. The dialog has one -panel each for the link layer, network layer and transport layer -protocol/port numbers, and will allow each of these to be changed -independently. For example, if the selected packet is a TCP packet to -port 12345, using this dialog you can instruct Wireshark to decode all -packets to or from that TCP port as HTTP packets. - -menu:Analyze[User Specified Decodes]:: -Create a new window showing whether any protocol ID to dissector -mappings have been changed by the user. This window also allows the -user to reset all decodes to their default values. - -menu:Analyze[Follow TCP Stream]:: -+ --- -If you have a TCP packet selected, display the contents of the data -stream for the TCP connection to which that packet belongs, as text, in -a separate window, and leave the list of packets in a filtered state, -with only those packets that are part of that TCP connection being -displayed. You can revert to your old view by pressing ENTER in the -display filter text box, thereby invoking your old display filter (or -resetting it back to no display filter). 
- -The window in which the data stream is displayed lets you select: - -* whether to display the entire conversation, or one or the other side of -it; - -* whether the data being displayed is to be treated as ASCII or EBCDIC -text or as raw hex data; - -and lets you print what's currently being displayed, using the same -print options that are used for the __File:Print Packet__ menu item, or -save it as text to a file. --- - -menu:Analyze[Follow UDP Stream]:: - -menu:Analyze[Follow TLS Stream]:: -Similar to Analyze:Follow TCP Stream. - -menu:Analyze[Expert Info]:: - -menu:Analyze[Expert Info Composite]:: -Show anomalies found by Wireshark in a capture file. - -menu:Analyze[Conversation Filter]:: - -menu:Statistics[Summary]:: -Show summary information about the capture, including elapsed time, -packet counts, byte counts, and the like. If a display filter is in -effect, summary information will be shown about the capture and about -the packets currently being displayed. - -menu:Statistics[Protocol Hierarchy]:: -Show the number of packets, and the number of bytes in those packets, -for each protocol in the trace. It organizes the protocols in the same -hierarchy in which they were found in the trace. Besides counting the -packets in which the protocol exists, a count is also made for packets -in which the protocol is the last protocol in the stack. These -last-protocol counts show you how many packets (and the byte count -associated with those packets) *ended* in a particular protocol. In -the table, they are listed under "End Packets" and "End Bytes". - -menu:Statistics[Conversations]:: -Lists of conversations; selectable by protocol. -See Statistics:Conversation List below. - -menu:Statistics[End Points]:: -List of End Point Addresses by protocol with packets, bytes, and other counts. - -menu:Statistics[Packet Lengths]:: -Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...) 
- -menu:Statistics[I/O Graphs]:: -+ --- -Open a window where up to 5 graphs in different colors can be displayed -to indicate number of packets or number of bytes per second for all packets -matching the specified filter. -By default only one graph will be displayed showing number of packets per second. - -The top part of the window contains the graphs and scales for the X and -Y axis. If the graph is too long to fit inside the window there is a -horizontal scrollbar below the drawing area that can scroll the graphs -to the left or the right. The horizontal axis displays the time into -the capture and the vertical axis will display the measured quantity at -that time. - -Below the drawing area and the scrollbar are the controls. On the -bottom left there will be five similar sets of controls to control each -individual graph such as "Display:<button>" which button will toggle -that individual graph on/off. If <button> is ticked, the graph will be -displayed. "Color:<color>" which is just a button to show which color -will be used to draw that graph. Finally "Filter:<filter-text>" which -can be used to specify a display filter for that particular graph. - -If filter-text is empty then all packets will be used to calculate the -quantity for that graph. If filter-text is specified only those packets -that match that display filter will be considered in the calculation of -quantity. - -To the right of the 5 graph controls there are four menus to control -global aspects of the draw area and graphs. The "Unit:" menu is used to -control what to measure; "packets/tick", "bytes/tick" or "advanced..." - -packets/tick will measure the number of packets matching the (if -specified) display filter for the graph in each measurement interval. - -bytes/tick will measure the total number of bytes in all packets matching -the (if specified) display filter for the graph in each measurement -interval. - -advanced... 
see below - -"Tick interval:" specifies what measurement intervals to use. The -default is 1 second and means that the data will be counted over 1 -second intervals. - -"Pixels per tick:" specifies how many pixels wide each measurement -interval will be in the drawing area. The default is 5 pixels per tick. - -"Y-scale:" controls the max value for the y-axis. Default value is -"auto" which means that *Wireshark* will try to adjust the maxvalue -automatically. - -"advanced..." If Unit:advanced... is selected the window will display -two more controls for each of the five graphs. One control will be a -menu where the type of calculation can be selected from -SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a -single display filter field can be specified. - -The following restrictions apply to type and field combinations: - -SUM: available for all types of integers and will calculate the SUM of -all occurrences of this field in the measurement interval. Note that -some field can occur multiple times in the same packet and then all -instances will be summed up. Example: 'tcp.len' which will count the -amount of payload data transferred across TCP in each interval. - -COUNT: available for all field types. This will COUNT the number of times -certain field occurs in each interval. Note that some fields -may occur multiple times in each packet and if that is the case -then each instance will be counted independently and COUNT -will be greater than the number of packets. - -MAX: available for all integer and relative time fields. This will calculate -the max seen integer/time value seen for the field during the interval. -Example: 'smb.time' which will plot the maximum SMB response time. - -MIN: available for all integer and relative time fields. This will calculate -the min seen integer/time value seen for the field during the interval. -Example: 'smb.time' which will plot the minimum SMB response time. 
- -AVG: available for all integer and relative time fields.This will -calculate the average seen integer/time value seen for the field during -the interval. Example: 'smb.time' which will plot the average SMB -response time. - -LOAD: available only for relative time fields (response times). - -Example of advanced: -Display how NFS response time MAX/MIN/AVG changes over time: - -Set first graph to: - - filter:nfs&&rpc.time - Calc:MAX rpc.time - -Set second graph to - - filter:nfs&&rpc.time - Calc:AVG rpc.time - -Set third graph to - - filter:nfs&&rpc.time - Calc:MIN rpc.time - -Example of advanced: -Display how the average packet size from host a.b.c.d changes over time. - -Set first graph to - - filter:ip.addr==a.b.c.d&&frame.pkt_len - Calc:AVG frame.pkt_len - -LOAD: -The LOAD io-stat type is very different from anything you have ever seen -before! While the response times themselves as plotted by MIN,MAX,AVG are -indications on the Server load (which affects the Server response time), -the LOAD measurement measures the Client LOAD. -What this measures is how much workload the client generates, -i.e. how fast will the client issue new commands when the previous ones -completed. -i.e. the level of concurrency the client can maintain. -The higher the number, the more and faster is the client issuing new -commands. When the LOAD goes down, it may be due to client load making -the client slower in issuing new commands (there may be other reasons as -well, maybe the client just doesn't have any commands it wants to issue -right then). - -Load is measured in concurrency/number of overlapping i/o and the value -1000 means there is a constant load of one i/o. - -In each tick interval the amount of overlap is measured. -See the graph below containing three commands: -Below the graph are the LOAD values for each interval that would be calculated. 
- - | | | | | | | | | - | | | | | | | | | - | | o=====* | | | | | | - | | | | | | | | | - | o========* | o============* | | | - | | | | | | | | | - --------------------------------------------------> Time - 500 1500 500 750 1000 500 0 0 --- - -menu:Statistics[Conversation List]:: -+ --- -This option will open a new window that displays a list of all -conversations between two endpoints. The list has one row for each -unique conversation and displays total number of packets/bytes seen as -well as number of packets/bytes in each direction. - -By default the list is sorted according to the number of packets but by -clicking on the column header; it is possible to re-sort the list in -ascending or descending order by any column. - -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -These statistics windows can also be invoked from the Wireshark command -line using the *-z conv* argument. --- - -menu:Statistics[Service Response Time]:: -+ --- - -* AFP - -* CAMEL - -* DCE-RPC - -Open a window to display Service Response Time statistics for an -arbitrary DCE-RPC program -interface and display *Procedure*, *Number of Calls*, *Minimum SRT*, -*Maximum SRT* and *Average SRT* for all procedures for that -program/version. These windows opened will update in semi-real time to -reflect changes when doing live captures or when reading new capture -files into *Wireshark*. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such DCE-RPC request/response pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. 
- -* Diameter - -* Fibre Channel - -Open a window to display Service Response Time statistics for Fibre Channel -and display *FC Type*, *Number of Calls*, *Minimum SRT*, -*Maximum SRT* and *Average SRT* for all FC types. -These windows opened will update in semi-real time to -reflect changes when doing live captures or when reading new capture -files into *Wireshark*. -The Service Response Time is calculated as the time delta between the -First packet of the exchange and the Last packet of the exchange. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such FC first/last exchange pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. - -* GTP - -* H.225 RAS - -Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. -Data collected is *number of calls* for each known ITU-T H.225 RAS Message Type, -*Minimum SRT*, *Maximum SRT*, *Average SRT*, *Minimum in Packet*, and *Maximum in Packet*. -You will also get the number of *Open Requests* (Unresponded Requests), -*Discarded Responses* (Responses without matching request) and Duplicate Messages. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the calculation. The statistics will only be calculated -on those calls matching that filter. - -* LDAP - -* MEGACO - -* MGCP - -Collect requests/response SRT (Service Response Time) data for MGCP. -Data collected is *number of calls* for each known MGCP Type, -*Minimum SRT*, *Maximum SRT*, *Average SRT*, *Minimum in Packet*, and *Maximum in Packet*. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. 
- -You can apply an optional filter string in a dialog box, before starting -the calculation. The statistics will only be calculated -on those calls matching that filter. - -* NCP - -* ONC-RPC - -Open a window to display statistics for an arbitrary ONC-RPC program interface -and display *Procedure*, *Number of Calls*, *Minimum SRT*, *Maximum SRT* and *Average SRT* for all procedures for that program/version. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such ONC-RPC request/response pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. - -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -* RADIUS - -* SCSI - -* SMB - -Collect call/reply SRT (Service Response Time) data for SMB. Data collected -is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. - -The data will be presented as separate tables for all normal SMB commands, -all Transaction2 commands and all NT Transaction commands. -Only those commands that are seen in the capture will have its stats -displayed. -Only the first command in a xAndX command chain will be used in the -calculation. So for common SessionSetupAndX + TreeConnectAndX chains, -only the SessionSetupAndX call will be used in the statistics. -This is a flaw that might be fixed in the future. - -You can apply an optional filter string in a dialog box, before starting -the calculation. The stats will only be calculated -on those calls matching that filter. 
- -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -* SMB2 --- - -menu:Statistics[BOOTP-DHCP]:: -Show DHCP statistics. - -menu:Statistics[Compare]:: -Compare two capture files. - -menu:Statistics[Flow Graph]:: -Show protocol flows. - -menu:Statistics[HTTP]:: -HTTP Load Distribution, Packet Counter & Requests. - -menu:Statistics[IP Addresses]:: -Count, Rate, and Percent by IP Address. - -menu:Statistics[IP Destinations]:: -Count, Rate, and Percent by IP Address, protocol, and port. - -menu:Statistics[IP Protocol Types]:: -Count, Rate, and Percent by IP Protocol Types. - -menu:Statistics[ONC-RPC Programs]:: -This dialog will open a window showing aggregated SRT statistics for all ONC-RPC Programs/versions that exist in the capture file. - -menu:Statistics[TCP Stream Graph]:: -Show Round Trip, Throughput, Time-Sequence (Stevens), or Time-Sequence (tcptrace) graphs. - -menu:Statistics[UDP Multicast streams]:: -Multicast Streams counts, rates, and other statistics by source and destination address and port pairs. - -menu:Statistics[WLAN Traffic]:: -WLAN Traffic Statistics. - -menu:Telephony[ITU-T H.225]:: -+ --- -Count ITU-T H.225 messages and their reasons. In the first column you get a -list of H.225 messages and H.225 message reasons, which occur in the current -capture file. The number of occurrences of each message or reason will be displayed -in the second column. -This window opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the counter. The statistics will only be calculated -on those calls matching that filter. --- - -menu:Telephony[SIP]:: -+ --- -Activate a counter for SIP messages. 
You will get the number of occurrences of each -SIP Method and of each SIP Status-Code. Additionally you also get the number of -resent SIP Messages (only for SIP over UDP). - -This window opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the counter. The statistics will only be calculated -on those calls matching that filter. --- - -menu:Tools[Firewall ACL Rules]:: -Generate firewall rules for a selected packet. - -menu:Help[Contents]:: -Display the User's Guide. - -menu:Help[Supported Protocols]:: -List of supported protocols and display filter protocol fields. - -menu:Help[Manual Pages]:: -Display locally installed HTML versions of these manual pages in a web browser. - -menu:Help[Wireshark Online]:: -Various links to online resources to be open in a web browser, like https://www.wireshark.org. - -menu:Help[About Wireshark]:: -See various information about Wireshark (see /About dialog below), like the version, the folders used, the available plugins, ... - -=== WINDOWS - -Main Window:: -+ --- -The main window contains the usual things like the menu, some toolbars, the -main area and a statusbar. The main area is split into three panes, you can -resize each pane using a "thumb" at the right end of each divider line. - -The main window is much more flexible than before. The layout of the main -window can be customized by the __Layout__ page in the dialog box popped -up by __Edit:Preferences__, the following will describe the layout with the -default settings. --- - -Main Toolbar:: -Some menu items are available for quick access here. There is no way to -customize the items in the toolbar, however the toolbar can be hidden by -__View:Main Toolbar__. - -Filter Toolbar:: -+ --- -A display filter can be entered into the filter toolbar. 
-A filter for HTTP, HTTPS, and DNS traffic might look like this: - - tcp.port in {80 443 53} - -Selecting the __Filter:__ button lets you choose from a list of named -filters that you can optionally save. Pressing the Return or Enter -keys, or selecting the __Apply__ button, will cause the filter to be -applied to the current list of packets. Selecting the __Reset__ button -clears the display filter so that all packets are displayed (again). - -There is no way to customize the items in the toolbar, however the toolbar -can be hidden by __View:Filter Toolbar__. --- - -Packet List Pane:: -+ --- -The top pane contains the list of network packets that you can scroll -through and select. By default, the packet number, packet timestamp, -source and destination addresses, protocol, and description are -displayed for each packet; the __Columns__ page in the dialog box popped -up by __Edit:Preferences__ lets you change this (although, unfortunately, -you currently have to save the preferences, and exit and restart -Wireshark, for those changes to take effect). - -If you click on the heading for a column, the display will be sorted by -that column; clicking on the heading again will reverse the sort order -for that column. - -An effort is made to display information as high up the protocol stack -as possible, e.g. IP addresses are displayed for IP packets, but the -MAC layer address is displayed for unknown packet types. - -The right mouse button can be used to pop up a menu of operations. - -The middle mouse button can be used to mark a packet. --- - -Packet Details Pane:: -The middle pane contains a display of the details of the -currently-selected packet. The display shows each field and its value -in each protocol header in the stack. The right mouse button can be -used to pop up a menu of operations. - -Packet Bytes Pane:: -+ --- -The lowest pane contains a hex and ASCII dump of the actual packet data. 
-Selecting a field in the packet details highlights the corresponding -bytes in this section. - -The right mouse button can be used to pop up a menu of operations. --- - -Statusbar:: -+ --- -The statusbar is divided into three parts, on the left some context dependent -things are shown, like information about the loaded file, in the center the -number of packets are displayed, and on the right the current configuration -profile. - -The statusbar can be hidden by __View:Statusbar__. --- - -Preferences:: -Adjust the behavior of *Wireshark*. - -User Interface Preferences:: -Modify the UI to your own personal tastes. - -Selection Bars:: -The selection bar in the packet list and packet details can have either -a "browse" or "select" behavior. If the selection bar has a "browse" -behavior, the arrow keys will move an outline of the selection bar, -allowing you to browse the rest of the list or details without changing -the selection until you press the space bar. If the selection bar has a -"select" behavior, the arrow keys will move the selection bar and change -the selection to the new item in the packet list or packet details. - -Save Window Position:: -If this item is selected, the position of the main Wireshark window will -be saved when Wireshark exits, and used when Wireshark is started again. - -Save Window Size:: -If this item is selected, the size of the main Wireshark window will -be saved when Wireshark exits, and used when Wireshark is started again. - -Save Window Maximized state:: -If this item is selected the maximize state of the main Wireshark window -will be saved when Wireshark exists, and used when Wireshark is started again. - -File Open Dialog Behavior:: -This item allows the user to select how Wireshark handles the listing -of the "File Open" Dialog when opening trace files. "Remember Last -Directory" causes Wireshark to automatically position the dialog in the -directory of the most recently opened file, even between launches of Wireshark. 
-"Always Open in Directory" allows the user to define a persistent directory -that the dialog will always default to. - -Directory:: -Allows the user to specify a persistent File Open directory. Trailing -slashes or backslashes will automatically be added. - -File Open Preview timeout:: -This items allows the user to define how much time is spend reading the -capture file to present preview data in the File Open dialog. - -Open Recent maximum list entries:: -The File menu supports a recent file list. This items allows the user to -specify how many files are kept track of in this list. - -Ask for unsaved capture files:: -When closing a capture file or Wireshark itself if the file isn't saved yet -the user is presented the option to save the file when this item is set. - -Wrap during find:: -This items determines the behavior when reaching the beginning or the end -of a capture file. When set the search wraps around and continues, otherwise -it stops. - -Settings dialogs show a save button:: -This item determines if the various dialogs sport an explicit Save button -or that save is implicit in OK / Apply. - -Web browser command:: -This entry specifies the command line to launch a web browser. It is used -to access online content, like the Wiki and user guide. Use '%s' to place -the request URL in the command line. - -Layout Preferences:: -The __Layout__ page lets you specify the general layout of the main window. -You can choose from six different layouts and fill the three panes with the -contents you like. - -Scrollbars:: -The vertical scrollbars in the three panes can be set to be either on -the left or the right. - -Alternating row colors:: - -Hex Display:: -The highlight method in the hex dump display for the selected protocol -item can be set to use either inverse video, or bold characters. 
- -Toolbar style:: - -Filter toolbar placement:: - -Custom window title:: - -Column Preferences:: -+ --- -The __Columns__ page lets you specify the number, title, and format -of each column in the packet list. - -The __Column title__ entry is used to specify the title of the column -displayed at the top of the packet list. The type of data that the column -displays can be specified using the __Column format__ option menu. -The row of buttons on the left perform the following actions: --- - -New:: -Adds a new column to the list. - -Delete:: -Deletes the currently selected list item. - -Up / Down:: -Moves the selected list item up or down one position. - -Font Preferences:: -The __Font__ page lets you select the font to be used for most text. - -Color Preferences:: -The __Colors__ page can be used to change the color of the text -displayed in the TCP stream window and for marked packets. To change a color, -simply select an attribute from the "Set:" menu and use the color selector to -get the desired color. The new text colors are displayed as a sample text. - -Capture Preferences:: -+ --- -The __Capture__ page lets you specify various parameters for capturing -live packet data; these are used the first time a capture is started. - -The __Interface:__ combo box lets you specify the interface from which to -capture packet data, or the name of a FIFO from which to get the packet -data. - -The __Data link type:__ option menu lets you, for some interfaces, select -the data link header you want to see on the packets you capture. For -example, in some OSes and with some versions of libpcap, you can choose, -on an 802.11 interface, whether the packets should appear as Ethernet -packets (with a fake Ethernet header) or as 802.11 packets. - -The __Limit each packet to ... bytes__ check box lets you set the -snapshot length to use when capturing live data; turn on the check box, -and then set the number of bytes to use as the snapshot length. 
- -The __Filter:__ text entry lets you set a capture filter expression to be -used when capturing. - -If any of the environment variables SSH_CONNECTION, SSH_CLIENT, -REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create a -default capture filter that excludes traffic from the hosts and ports -defined in those variables. - -The __Capture packets in promiscuous mode__ check box lets you specify -whether to put the interface in promiscuous mode when capturing. - -The __Update list of packets in real time__ check box lets you specify -that the display should be updated as packets are seen. --- - -Name Resolution Preferences:: -+ --- -The __Enable MAC name resolution__, __Enable network name resolution__ and -__Enable transport name resolution__ check boxes let you specify whether -MAC addresses, network addresses, and transport-layer port numbers -should be translated to names. - -The __Enable concurrent DNS name resolution__ allows Wireshark to send out -multiple name resolution requests and not wait for the result before -continuing dissection. This speeds up dissection with network name -resolution but initially may miss resolutions. The number of concurrent -requests can be set here as well. - -__SMI paths__ - -__SMI modules__ --- - -RTP Player Preferences:: -This page allows you to select the number of channels visible in the -RTP player window. It determines the height of the window, more channels -are possible and visible by means of a scroll bar. - -Protocol Preferences:: -There are also pages for various protocols that Wireshark dissects, -controlling the way Wireshark handles those protocols. - -Edit Capture Filter List:: - -Edit Display Filter List:: - -Capture Filter:: - -Display Filter:: - -Read Filter:: - -Search Filter:: -+ --- -The __Edit Capture Filter List__ dialog lets you create, modify, and -delete capture filters, and the __Edit Display Filter List__ dialog lets -you create, modify, and delete display filters. 
- -The __Capture Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used when -capturing packets. - -The __Display Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used to -filter the current capture being viewed. - -The __Read Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used to -as a read filter for a capture file you open. - -The __Search Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter expression to be -used in a find operation. - -In all of those dialogs, the __Filter name__ entry specifies a -descriptive name for a filter, e.g. *Web and DNS traffic*. The -__Filter string__ entry is the text that actually describes the filtering -action to take, as described above.The dialog buttons perform the -following actions: --- - -New:: -If there is text in the two entry boxes, creates a new associated list item. - -Edit:: -Modifies the currently selected list item to match what's in the entry boxes. - -Delete:: -Deletes the currently selected list item. - -Add Expression...:: -+ --- -For display filter expressions, pops up a dialog box to allow you to -construct a filter expression to test a particular field; it offers -lists of field names, and, when appropriate, lists from which to select -tests to perform on the field and values with which to compare it. In -that dialog box, the OK button will cause the filter expression you -constructed to be entered into the __Filter string__ entry at the current -cursor position. --- - -OK:: -+ --- -In the __Capture Filter__ dialog, closes the dialog box and makes the -filter in the __Filter string__ entry the filter in the __Capture - Preferences__ dialog. 
In the __Display Filter__ dialog, closes the dialog -box and makes the filter in the __Filter string__ entry the current -display filter, and applies it to the current capture. In the __Read - Filter__ dialog, closes the dialog box and makes the filter in the -__Filter string__ entry the filter in the __Open Capture File__ dialog. -In the __Search Filter__ dialog, closes the dialog box and makes the -filter in the __Filter string__ entry the filter in the __Find Packet__ -dialog. --- - -Apply:: -Makes the filter in the __Filter string__ entry the current display filter, and applies it to the current capture. - -Save:: -If the list of filters being edited is the list of -capture filters, saves the current filter list to the personal capture -filters file, and if the list of filters being edited is the list of -display filters, saves the current filter list to the personal display -filters file. - -Close:: -Closes the dialog without doing anything with the filter in the __Filter string__ entry. - -The Color Filters Dialog:: -This dialog displays a list of color filters and allows it to be modified. - -THE FILTER LIST:: -Single rows may be selected by clicking. Multiple rows may be selected -by using the ctrl and shift keys in combination with the mouse button. - -NEW:: -Adds a new filter at the bottom of the list and opens the Edit Color -Filter dialog box. You will have to alter the filter expression at -least before the filter will be accepted. The format of color filter -expressions is identical to that of display filters. The new filter is -selected, so it may immediately be moved up and down, deleted or edited. -To avoid confusion all filters are unselected before the new filter is -created. - -EDIT:: -Opens the Edit Color Filter dialog box for the selected filter. (If this -button is disabled you may have more than one filter selected, making it -ambiguous which is to be edited.) - -ENABLE:: -Enables the selected color filter(s). 
- -DISABLE:: -Disables the selected color filter(s). - -DELETE:: -Deletes the selected color filter(s). - -EXPORT:: -Allows you to choose a file in which to save the current list of color -filters. You may also choose to save only the selected filters. A -button is provided to save the filters in the global color filters file -(you must have sufficient permissions to write this file, of course). - -IMPORT:: -Allows you to choose a file containing color filters which are then -added to the bottom of the current list. All the added filters are -selected, so they may be moved to the correct position in the list as a -group. To avoid confusion, all filters are unselected before the new -filters are imported. A button is provided to load the filters from the -global color filters file. - -CLEAR:: -Deletes your personal color filters file, reloads the global color filters file, if any, and closes the dialog. - -UP:: -Moves the selected filter(s) up the list, making it more likely that they will be used to color packets. - -DOWN:: -Moves the selected filter(s) down the list, making it less likely that they will be used to color packets. - -OK:: -Closes the dialog and uses the color filters as they stand. - -APPLY:: -Colors the packets according to the current list of color filters, but does not close the dialog. - -SAVE:: -Saves the current list of color filters in your personal color filters -file. Unless you do this they will not be used the next time you start -Wireshark. - -CLOSE:: -Closes the dialog without changing the coloration of the packets. Note -that changes you have made to the current list of color filters are not -undone. - -Capture Options Dialog:: -+ --- -The __Capture Options Dialog__ lets you specify various parameters for -capturing live packet data. - -The __Interface:__ field lets you specify the interface from which to -capture packet data or a command from which to get the packet data via a -pipe. 
- -The __Link layer header type:__ field lets you specify the interfaces link -layer header type. This field is usually disabled, as most interface have -only one header type. - -The __Capture packets in promiscuous mode__ check box lets you specify -whether the interface should be put into promiscuous mode when -capturing. - -The __Limit each packet to ... bytes__ check box and field lets you -specify a maximum number of bytes per packet to capture and save; if the -check box is not checked, the limit will be 262144 bytes. - -The __Capture Filter:__ entry lets you specify the capture filter using a -tcpdump-style filter string as described above. - -The __File:__ entry lets you specify the file into which captured packets -should be saved, as in the __Printer Options__ dialog above. If not -specified, the captured packets will be saved in a temporary file; you -can save those packets to a file with the __File:Save As__ menu item. - -The __Use multiple files__ check box lets you specify that the capture -should be done in "multiple files" mode. This option is disabled, if the -__Update list of packets in real time__ option is checked. - -The __Next file every ... megabyte(s)__ check box and fields lets -you specify that a switch to a next file should be done -if the specified filesize is reached. You can also select the appropriate -unit, but beware that the filesize has a maximum of 2 GiB. -The check box is forced to be checked, as "multiple files" mode requires a -file size to be specified. - -The __Next file every ... minute(s)__ check box and fields lets -you specify that the switch to a next file should be done after the specified -time has elapsed, even if the specified capture size is not reached. - -The __Ring buffer with ... files__ field lets you specify the number -of files of a ring buffer. This feature will capture into the first file -again, after the specified number of files have been used. - -The __Stop capture after ... 
files__ field lets you specify the number -of capture files used, until the capture is stopped. - -The __Stop capture after ... packet(s)__ check box and field let -you specify that Wireshark should stop capturing after having captured -some number of packets; if the check box is not checked, Wireshark will -not stop capturing at some fixed number of captured packets. - -The __Stop capture after ... megabyte(s)__ check box and field lets -you specify that Wireshark should stop capturing after the file to which -captured packets are being saved grows as large as or larger than some -specified number of megabytes. If the check box is not checked, Wireshark -will not stop capturing at some capture file size (although the operating -system on which Wireshark is running, or the available disk space, may still -limit the maximum size of a capture file). This option is disabled, if -"multiple files" mode is used, - -The __Stop capture after ... second(s)__ check box and field let you -specify that Wireshark should stop capturing after it has been capturing -for some number of seconds; if the check box is not checked, Wireshark -will not stop capturing after some fixed time has elapsed. - -The __Update list of packets in real time__ check box lets you specify -whether the display should be updated as packets are captured and, if -you specify that, the __Automatic scrolling in live capture__ check box -lets you specify the packet list pane should automatically scroll to -show the most recently captured packets as new packets arrive. - -The __Enable MAC name resolution__, __Enable network name resolution__ and -__Enable transport name resolution__ check boxes let you specify whether -MAC addresses, network addresses, and transport-layer port numbers -should be translated to names. --- - -About:: -The __About__ dialog lets you view various information about Wireshark. 
- -menu:About[Wireshark]:: -The __Wireshark__ page lets you view general information about Wireshark, -like the installed version, licensing information and such. - -menu:About[Authors]:: -The __Authors__ page shows the author and all contributors. - -menu:About[Folders]:: -The __Folders__ page lets you view the directory names where Wireshark is -searching its various configuration and other files. - -menu:About[Plugins]:: -+ --- -The __Plugins__ page lets you view the dissector plugin modules -available on your system. - -The __Plugins List__ shows the name and version of each dissector plugin -module found on your system. - -On Unix-compatible systems, such as Linux, macOS, \*BSD, Solaris, and -AIX, the plugins are looked for in the following directories: the -__lib/wireshark/plugins/$VERSION__ directory under the main installation -directory (for example, __/usr/local/lib/wireshark/plugins/$VERSION__), -and then __$HOME/.wireshark/plugins__. - -On Windows systems, the plugins are looked for in the following -directories: __plugins\$VERSION__ directory under the main installation -directory (for example, __C:\Program Files\Wireshark\plugins\$VERSION__), -and then __%APPDATA%\Wireshark\plugins\$VERSION__ (or, if %APPDATA% isn't -defined, __%USERPROFILE%\Application Data\Wireshark\plugins\$VERSION__). - -$VERSION is the version number of the plugin interface, which -is typically the version number of Wireshark. Note that a dissector -plugin module may support more than one protocol; there is not -necessarily a one-to-one correspondence between dissector plugin modules -and protocols. Protocols supported by a dissector plugin module are -enabled and disabled using the __Edit:Protocols__ dialog box, just as -protocols built into Wireshark are. 
--- - -== CAPTURE FILTER SYNTAX - -See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), -or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters. - -== DISPLAY FILTER SYNTAX - -For a complete table of protocol and protocol fields that are filterable -in *Wireshark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. - -== FILES - -These files contains various *Wireshark* configuration settings. - -Preferences:: -+ --- -The __preferences__ files contain global (system-wide) and personal -preference settings. If the system-wide preference file exists, it is -read first, overriding the default settings. If the personal preferences -file exists, it is read next, overriding any previous values. Note: If -the command line flag *-o* is used (possibly more than once), it will -in turn override values from the preferences files. - -The preferences settings are in the form __prefname:value__, -one per line, -where __prefname__ is the name of the preference -and __value__ is the value to -which it should be set; white space is allowed between *:* and -__value__. A preference setting can be continued on subsequent lines by -indenting the continuation lines with white space. A *#* character -starts a comment that runs to the end of the line: - - # Vertical scrollbars should be on right side? - # TRUE or FALSE (case-insensitive). - gui.scrollbar_on_right: TRUE - -The global preferences file is looked for in the __wireshark__ directory -under the __share__ subdirectory of the main installation directory. 
On -macOS, this would typically be -__/Application/Wireshark.app/Contents/Resources/share__; on other -UNIX-compatible systems, such as Linux, \*BSD, Solaris, and AIX, this -would typically be __/usr/share/wireshark/preferences__ for -system-installed packages and __/usr/local/share/wireshark/preferences__ -for locally-installed packages; on Windows, this would typically be -__C:\Program Files\Wireshark\preferences__. - -On UNIX-compatible systems, the personal preferences file is looked for -in __$XDG_CONFIG_HOME/wireshark/preferences__, (or, if -__$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ -does exist, __$HOME/.wireshark/preferences__); this is typically -__$HOME/.config/wireshark/preferences__. On Windows, -the personal preferences file is looked for in -__%APPDATA%\Wireshark\preferences__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark\preferences__). - -Note: Whenever the preferences are saved by using the __Save__ button -in the __Edit:Preferences__ dialog box, your personal preferences file -will be overwritten with the new settings, destroying any comments and -unknown/obsolete settings that were in the file. --- - -Recent:: -+ --- -The __recent__ file contains personal settings (mostly GUI related) such -as the current *Wireshark* window size. The file is saved at program exit and -read in at program start automatically. Note: The command line flag *-o* -may be used to override settings from this file. - -The settings in this file have the same format as in the __preferences__ -files, and the same directory as for the personal preferences file is -used. - -Note: Whenever Wireshark is closed, your recent file -will be overwritten with the new settings, destroying any comments and -unknown/obsolete settings that were in the file. 
--- - -Disabled (Enabled) Protocols:: -+ --- -The __disabled_protos__ files contain system-wide and personal lists of -protocols that have been disabled, so that their dissectors are never -called. The files contain protocol names, one per line, where the -protocol name is the same name that would be used in a display filter -for the protocol: - - http - tcp # a comment - -If a protocol is listed in the global __disabled_protos__ file, it is not -displayed in the __Analyze:Enabled Protocols__ dialog box, and so cannot -be enabled by the user. - -The global __disabled_protos__ file uses the same directory as the global -preferences file. - -The personal __disabled_protos__ file uses the same directory as the -personal preferences file. - -Note: Whenever the disabled protocols list is saved by using the __Save__ -button in the __Analyze:Enabled Protocols__ dialog box, your personal -disabled protocols file will be overwritten with the new settings, -destroying any comments that were in the file. --- - -Name Resolution (hosts):: -+ --- -If the personal __hosts__ file exists, it is -used to resolve IPv4 and IPv6 addresses before any other -attempts are made to resolve them. The file has the standard __hosts__ -file syntax; each line contains one IP address and name, separated by -whitespace. The same directory as for the personal preferences file is used. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX, and Npcap or -WinPcap on Windows. As such the Wireshark personal __hosts__ file will -not be consulted for capture filter name resolution. --- - - -Name Resolution (subnets):: -+ --- -If an IPv4 address cannot be translated via name resolution (no exact -match is found) then a partial match is attempted via the __subnets__ file. -Both the global __subnets__ file and personal __subnets__ files are used -if they exist. 
- -Each line of this file consists of an IPv4 address, a subnet mask length -separated only by a / and a name separated by whitespace. While the address -must be a full IPv4 address, any values beyond the mask length are subsequently -ignored. - -An example is: - -# Comments must be prepended by the # sign! -192.168.0.0/24 ws_test_network - -A partially matched name will be printed as "subnet-name.remaining-address". -For example, "192.168.0.1" under the subnet above would be printed as -"ws_test_network.1"; if the mask length above had been 16 rather than 24, the -printed address would be "ws_test_network.0.1". --- - -Name Resolution (ethers):: -+ --- -The __ethers__ files are consulted to correlate 6-byte hardware addresses to -names. First the personal __ethers__ file is tried and if an address is not -found there the global __ethers__ file is tried next. - -Each line contains one hardware address and name, separated by -whitespace. The digits of the hardware address are separated by colons -(:), dashes (-) or periods (.). The same separator character must be -used consistently in an address. The following three lines are valid -lines of an __ethers__ file: - - ff:ff:ff:ff:ff:ff Broadcast - c0-00-ff-ff-ff-ff TR_broadcast - 00.00.00.00.00.00 Zero_broadcast - -The global __ethers__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ethers__ file is looked for in the same directory as the personal -preferences file. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and Npcap or WinPcap on Windows. As such the Wireshark personal -__ethers__ file will not be consulted for capture filter name -resolution. 
--- - -Name Resolution (manuf):: -+ --- -The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte -hardware address with the manufacturer's name; it can also contain well-known -MAC addresses and address ranges specified with a netmask. The format of the -file is the same as the __ethers__ files, except that entries such as: - - 00:00:0C Cisco - -can be provided, with the 3-byte OUI and the name for a vendor, and -entries such as: - - 00-00-0C-07-AC/40 All-HSRP-routers - -can be specified, with a MAC address and a mask indicating how many bits -of the address must match. The above entry, for example, has 40 -significant bits, or 5 bytes, and would match addresses from -00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a -multiple of 8. - -The __manuf__ file is looked for in the same directory as the global -preferences file. --- - -Name Resolution (services):: -+ --- -The __services__ file is used to translate port numbers into names. -Both the global __services__ file and personal __services__ files are used -if they exist. - -The file has the standard __services__ file syntax; each line contains one -(service) name and one transport identifier separated by white space. The -transport identifier includes one port number and one transport protocol name -(typically tcp, udp, or sctp) separated by a /. - -An example is: - -mydns 5045/udp # My own Domain Name Server -mydns 5045/tcp # My own Domain Name Server --- - -Name Resolution (ipxnets):: -+ --- -The __ipxnets__ files are used to correlate 4-byte IPX network numbers to -names. First the global __ipxnets__ file is tried and if that address is not -found there the personal one is tried next. - -The format is the same as the __ethers__ -file, except that each address is four bytes instead of six. -Additionally, the address can be represented as a single hexadecimal -number, as is more common in the IPX world, rather than four hex octets. 
-For example, these four lines are valid lines of an __ipxnets__ file: - - C0.A8.2C.00 HR - c0-a8-1c-00 CEO - 00:00:BE:EF IT_Server1 - 110f FileServer3 - -The global __ipxnets__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ipxnets__ file is looked for in the same directory as the -personal preferences file. --- - -Capture Filters:: -+ --- -The __cfilters__ files contain system-wide and personal capture filters. -Each line contains one filter, starting with the string displayed in the -dialog box in quotation marks, followed by the filter string itself: - - "HTTP" port 80 - "DCERPC" port 135 - -The global __cfilters__ file uses the same directory as the -global preferences file. - -The personal __cfilters__ file uses the same directory as the personal -preferences file. It is written through the Capture:Capture Filters -dialog. - -If the global __cfilters__ file exists, it is used only if the personal -__cfilters__ file does not exist; global and personal capture filters are -not merged. --- - -Display Filters:: -+ --- -The __dfilters__ files contain system-wide and personal display filters. -Each line contains one filter, starting with the string displayed in the -dialog box in quotation marks, followed by the filter string itself: - - "HTTP" http - "DCERPC" dcerpc - -The global __dfilters__ file uses the same directory as the -global preferences file. - -The personal __dfilters__ file uses the same directory as the -personal preferences file. It is written through the Analyze:Display -Filters dialog. - -If the global __dfilters__ file exists, it is used only if the personal -__dfilters__ file does not exist; global and personal display filters are -not merged. 
--- - -Color Filters (Coloring Rules):: -+ --- -The __colorfilters__ files contain system-wide and personal color filters. -Each line contains one filter, starting with the string displayed in the -dialog box, followed by the corresponding display filter. Then the -background and foreground colors are appended: - - # a comment - @tcp@tcp@[59345,58980,65534][0,0,0] - @udp@udp@[28834,57427,65533][0,0,0] - -The global __colorfilters__ file uses the same directory as the -global preferences file. - -The personal __colorfilters__ file uses the same directory as the -personal preferences file. It is written through the View:Coloring Rules -dialog. - -If the global __colorfilters__ file exists, it is used only if the personal -__colorfilters__ file does not exist; global and personal color filters are -not merged. --- - -Plugins:: -See above in the description of the About:Plugins page. - -== ENVIRONMENT VARIABLES - -// Should this be moved to an include file? - -WIRESHARK_CONFIG_DIR:: -+ --- -This environment variable overrides the location of personal -configuration files. On UNIX-compatible systems, such as Linux, macOS, -\*BSD, Solaris, and AIX, it defaults to __$XDG_CONFIG_HOME/wireshark__ -(or, if that directory doesn't exist but __$HOME/.wireshark__ does -exist, __$HOME/.wireshark__); this is typically -__$HOME/.config/wireshark__. On Windows, it defaults to -__%APPDATA%\Wireshark__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark__). Available since -Wireshark 3.0. --- - -WIRESHARK_DEBUG_WMEM_OVERRIDE:: -Setting this environment variable forces the wmem framework to use the -specified allocator backend for *all* allocations, regardless of which -backend is normally specified by the code. This is mainly useful to developers -when testing or debugging. See __README.wmem__ in the source distribution for -details. 
- -WIRESHARK_RUN_FROM_BUILD_DIRECTORY:: -This environment variable causes the plugins and other data files to be -loaded from the build directory (where the program was compiled) rather -than from the standard locations. It has no effect when the program in -question is running with root (or setuid) permissions on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX. - -WIRESHARK_DATA_DIR:: -This environment variable causes the various data files to be loaded from -a directory other than the standard locations. It has no effect when the -program in question is running with root (or setuid) permissions on -UNIX-compatible systems. - -WIRESHARK_EXTCAP_DIR:: -This environment variable causes the various extcap programs and scripts -to be run from a directory other than the standard locations. It has no -effect when the program in question is running with root (or setuid) -permissions on UNIX-compatible systems. - -WIRESHARK_PLUGIN_DIR:: -This environment variable causes the various plugins to be loaded from -a directory other than the standard locations. It has no effect when the -program in question is running with root (or setuid) permissions on -UNIX-compatible systems. - -ERF_RECORDS_TO_CHECK:: -This environment variable controls the number of ERF records checked when -deciding if a file really is in the ERF format. Setting this environment -variable a number higher than the default (20) would make false positives -less likely. - -IPFIX_RECORDS_TO_CHECK:: -This environment variable controls the number of IPFIX records checked when -deciding if a file really is in the IPFIX format. Setting this environment -variable a number higher than the default (20) would make false positives -less likely. - -WIRESHARK_ABORT_ON_DISSECTOR_BUG:: -If this environment variable is set, *Wireshark* will call abort(3) -when a dissector bug is encountered. 
abort(3) will cause the program to -exit abnormally; if you are running *Wireshark* in a debugger, it -should halt in the debugger and allow inspection of the process, and, if -you are not running it in a debugger, it will, on some OSes, assuming -your environment is configured correctly, generate a core dump file. -This can be useful to developers attempting to troubleshoot a problem -with a protocol dissector. - -WIRESHARK_ABORT_ON_TOO_MANY_ITEMS:: -If this environment variable is set, *Wireshark* will call abort(3) -if a dissector tries to add too many items to a tree (generally this -is an indication of the dissector not breaking out of a loop soon enough). -abort(3) will cause the program to exit abnormally; if you are running -*Wireshark* in a debugger, it should halt in the debugger and allow -inspection of the process, and, if you are not running it in a debugger, -it will, on some OSes, assuming your environment is configured correctly, -generate a core dump file. This can be useful to developers attempting to -troubleshoot a problem with a protocol dissector. - -WIRESHARK_QUIT_AFTER_CAPTURE:: -Cause *Wireshark* to exit after the end of the capture session. This -doesn't automatically start a capture; you must still use *-k* to do -that. You must also specify an autostop condition, e.g. *-c* or *-a -duration:...*. This means that you will not be able to see the results -of the capture after it stops; it's primarily useful for testing. - -WIRESHARK_LOG_LEVEL:: -This environment variable controls the verbosity of diagnostic messages to -the console. From less verbose to most verbose levels can be `critical`, -`warning`, `message`, `info`, `debug` or `noisy`. Levels above the -current level are also active. Levels `critical` and `error` are always -active. - -WIRESHARK_LOG_FATAL:: -Sets the fatal log level. Fatal log levels cause the program to abort. -This level can be set to `Error`, `critical` or `warning`. `Error` is -always fatal and is the default. 
- -WIRESHARK_LOG_DOMAINS:: -This environment variable selects which log domains are active. The filter is -given as a case-insensitive comma separated list. If set only the included -domains will be enabled. The default domain is always considered to be enabled. -Domain filter lists can be preceded by '!' to invert the sense of the match. - -WIRESHARK_LOG_DEBUG:: -List of domains with `debug` log level. This sets the level of the provided -log domains and takes precedence over the active domains filter. If preceded -by '!' this disables the `debug` level instead. - -WIRESHARK_LOG_NOISY:: -Same as above but for `noisy` log level instead. - -== AUTHORS - -Wireshark would not be the powerful, featureful application it is without the generous contributions of hundreds of developers. - -A complete list of authors can be found in the AUTHORS file in Wireshark's source code repository and at https://www.wireshark.org/about.html#authors. - -== SEE ALSO - -xref:wireshark-filter.html[wireshark-filter](4), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:dumpcap.html[dumpcap](1), xref:mergecap.html[mergecap](1), -xref:text2pcap.html[text2pcap](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8) - -== NOTES - -This is the manual page for *Wireshark* {wireshark-version}. -The latest version of *Wireshark* can be found at -https://www.wireshark.org. - -HTML versions of the Wireshark project man pages are available at -https://www.wireshark.org/docs/man-pages. |
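Review bot: this hunk removes the rest of the man page, through ENVIRONMENT VARIABLES, AUTHORS, SEE ALSO and NOTES, with nothing added in its place, so the commit should state where the content now lives and the relocated copy needs the same build wiring: the `xref:wireshark-filter.html`, `xref:tshark.html`, `xref:dumpcap.html` and similar cross references in SEE ALSO, and the `{wireshark-version}` attribute in NOTES, only resolve if the new location is built with the same attribute file and HTML output as before. The ENVIRONMENT VARIABLES text is the only place here that documents that WIRESHARK_RUN_FROM_BUILD_DIRECTORY, WIRESHARK_DATA_DIR, WIRESHARK_EXTCAP_DIR and WIRESHARK_PLUGIN_DIR are ignored when the program runs with root or setuid permissions; that is a security-relevant guarantee users rely on and must not be lost in the move. If the text is being carried over, fix the small defects visible in it at the same time: `Setting this environment variable a number higher than the default (20)` (ERF_RECORDS_TO_CHECK and IPFIX_RECORDS_TO_CHECK) is missing `to`; WIRESHARK_LOG_FATAL lists `Error`, `critical` or `warning` with inconsistent case against the lowercase level names used by WIRESHARK_LOG_LEVEL; and WIRESHARK_LOG_LEVEL first orders the levels `From less verbose to most verbose` and then says `Levels above the current level are also active`, which can be read as enabling the more verbose levels, the opposite of the intended meaning that the more severe levels stay active.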