Diffstat
-rw-r--r--doc/wsug_src/capinfos-h.txt (renamed from docbook/wsug_src/capinfos-h.txt)8
-rw-r--r--doc/wsug_src/dumpcap-h.txt (renamed from docbook/wsug_src/dumpcap-h.txt)5
-rw-r--r--doc/wsug_src/editcap-F.txt (renamed from docbook/wsug_src/editcap-F.txt)1
-rw-r--r--doc/wsug_src/editcap-T.txt (renamed from docbook/wsug_src/editcap-T.txt)2
-rw-r--r--doc/wsug_src/editcap-h.txt (renamed from docbook/wsug_src/editcap-h.txt)7
-rw-r--r--doc/wsug_src/images/caution.svg (renamed from docbook/wsug_src/images/caution.svg)0
-rw-r--r--doc/wsug_src/images/important.svg (renamed from docbook/wsug_src/images/important.svg)0
-rw-r--r--doc/wsug_src/images/note.svg (renamed from docbook/wsug_src/images/note.svg)0
-rw-r--r--doc/wsug_src/images/related-ack.png (renamed from docbook/wsug_src/images/related-ack.png)bin221 -> 221 bytes
-rw-r--r--doc/wsug_src/images/related-current.png (renamed from docbook/wsug_src/images/related-current.png)bin92 -> 92 bytes
-rw-r--r--doc/wsug_src/images/related-dup-ack.png (renamed from docbook/wsug_src/images/related-dup-ack.png)bin247 -> 247 bytes
-rw-r--r--doc/wsug_src/images/related-first.png (renamed from docbook/wsug_src/images/related-first.png)bin105 -> 105 bytes
-rw-r--r--doc/wsug_src/images/related-last.png (renamed from docbook/wsug_src/images/related-last.png)bin105 -> 105 bytes
-rw-r--r--doc/wsug_src/images/related-other.png (renamed from docbook/wsug_src/images/related-other.png)bin99 -> 99 bytes
-rw-r--r--doc/wsug_src/images/related-request.png (renamed from docbook/wsug_src/images/related-request.png)bin148 -> 148 bytes
-rw-r--r--doc/wsug_src/images/related-response.png (renamed from docbook/wsug_src/images/related-response.png)bin153 -> 153 bytes
-rw-r--r--doc/wsug_src/images/related-segment.png (renamed from docbook/wsug_src/images/related-segment.png)bin165 -> 165 bytes
-rw-r--r--doc/wsug_src/images/tip.svg (renamed from docbook/wsug_src/images/tip.svg)0
-rw-r--r--doc/wsug_src/images/toolbar/document-open.png (renamed from docbook/wsug_src/images/toolbar/document-open.png)bin1393 -> 1393 bytes
-rw-r--r--doc/wsug_src/images/toolbar/edit-find.png (renamed from docbook/wsug_src/images/toolbar/edit-find.png)bin763 -> 763 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-add.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-add.png)bin101 -> 101 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-apply.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-apply.png)bin601 -> 601 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png)bin402 -> 402 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-clear.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-clear.png)bin482 -> 482 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-input.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-input.png)bin261 -> 261 bytes
-rw-r--r--doc/wsug_src/images/toolbar/filter-toolbar-recent.png (renamed from docbook/wsug_src/images/toolbar/filter-toolbar-recent.png)bin162 -> 162 bytes
-rw-r--r--doc/wsug_src/images/toolbar/go-first.png (renamed from docbook/wsug_src/images/toolbar/go-first.png)bin547 -> 547 bytes
-rw-r--r--doc/wsug_src/images/toolbar/go-jump.png (renamed from docbook/wsug_src/images/toolbar/go-jump.png)bin594 -> 594 bytes
-rw-r--r--doc/wsug_src/images/toolbar/go-last.png (renamed from docbook/wsug_src/images/toolbar/go-last.png)bin535 -> 535 bytes
-rw-r--r--doc/wsug_src/images/toolbar/go-next.png (renamed from docbook/wsug_src/images/toolbar/go-next.png)bin740 -> 740 bytes
-rw-r--r--doc/wsug_src/images/toolbar/go-previous.png (renamed from docbook/wsug_src/images/toolbar/go-previous.png)bin743 -> 743 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-file-close.png (renamed from docbook/wsug_src/images/toolbar/x-capture-file-close.png)bin1248 -> 1248 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-file-reload.png (renamed from docbook/wsug_src/images/toolbar/x-capture-file-reload.png)bin1284 -> 1284 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-file-save.png (renamed from docbook/wsug_src/images/toolbar/x-capture-file-save.png)bin1186 -> 1186 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-options.png (renamed from docbook/wsug_src/images/toolbar/x-capture-options.png)bin848 -> 848 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-restart.png (renamed from docbook/wsug_src/images/toolbar/x-capture-restart.png)bin1129 -> 1129 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-start.png (renamed from docbook/wsug_src/images/toolbar/x-capture-start.png)bin995 -> 995 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-capture-stop.png (renamed from docbook/wsug_src/images/toolbar/x-capture-stop.png)bin148 -> 148 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-colorize-packets.png (renamed from docbook/wsug_src/images/toolbar/x-colorize-packets.png)bin157 -> 157 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-reset-layout_2.pngbin0 -> 511 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-resize-columns.png (renamed from docbook/wsug_src/images/toolbar/x-resize-columns.png)bin299 -> 299 bytes
-rw-r--r--doc/wsug_src/images/toolbar/x-stay-last.png (renamed from docbook/wsug_src/images/toolbar/x-stay-last.png)bin238 -> 238 bytes
-rw-r--r--doc/wsug_src/images/toolbar/zoom-in.png (renamed from docbook/wsug_src/images/toolbar/zoom-in.png)bin485 -> 485 bytes
-rw-r--r--doc/wsug_src/images/toolbar/zoom-original.png (renamed from docbook/wsug_src/images/toolbar/zoom-original.png)bin477 -> 477 bytes
-rw-r--r--doc/wsug_src/images/toolbar/zoom-out.png (renamed from docbook/wsug_src/images/toolbar/zoom-out.png)bin474 -> 474 bytes
-rw-r--r--doc/wsug_src/images/warning.svg (renamed from docbook/wsug_src/images/warning.svg)0
-rw-r--r--doc/wsug_src/images/ws-about-codecs.png (renamed from docbook/wsug_src/images/ws-about-codecs.png)bin57604 -> 57604 bytes
-rw-r--r--doc/wsug_src/images/ws-analyze-menu.png (renamed from docbook/wsug_src/images/ws-analyze-menu.png)bin52817 -> 52817 bytes
-rw-r--r--doc/wsug_src/images/ws-asap-statistics.png (renamed from docbook/wsug_src/images/ws-asap-statistics.png)bin127589 -> 127589 bytes
-rw-r--r--doc/wsug_src/images/ws-bluetooth-devices.png (renamed from docbook/wsug_src/images/ws-bluetooth-devices.png)bin69083 -> 69083 bytes
-rw-r--r--doc/wsug_src/images/ws-bt-hci-summary.png (renamed from docbook/wsug_src/images/ws-bt-hci-summary.png)bin92829 -> 92829 bytes
-rw-r--r--doc/wsug_src/images/ws-bytes-pane-popup-menu.png (renamed from docbook/wsug_src/images/ws-bytes-pane-popup-menu.png)bin197570 -> 197570 bytes
-rw-r--r--doc/wsug_src/images/ws-bytes-pane-tabs.png (renamed from docbook/wsug_src/images/ws-bytes-pane-tabs.png)bin18490 -> 18490 bytes
-rw-r--r--doc/wsug_src/images/ws-bytes-pane.png (renamed from docbook/wsug_src/images/ws-bytes-pane.png)bin6313 -> 6313 bytes
-rw-r--r--doc/wsug_src/images/ws-calcappprotocol-statistics.png (renamed from docbook/wsug_src/images/ws-calcappprotocol-statistics.png)bin79688 -> 79688 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-file-properties.png (renamed from docbook/wsug_src/images/ws-capture-file-properties.png)bin22450 -> 22450 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-info.png (renamed from docbook/wsug_src/images/ws-capture-info.png)bin9558 -> 9558 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-interfaces-main-macos.png (renamed from docbook/wsug_src/images/ws-capture-interfaces-main-macos.png)bin73946 -> 73946 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-interfaces-main-win32.png (renamed from docbook/wsug_src/images/ws-capture-interfaces-main-win32.png)bin10465 -> 10465 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-menu.png (renamed from docbook/wsug_src/images/ws-capture-menu.png)bin53166 -> 53166 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png (renamed from docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png)bin9448 -> 9448 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-options-options.png (renamed from docbook/wsug_src/images/ws-capture-options-options.png)bin9918 -> 9918 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-options-output.png (renamed from docbook/wsug_src/images/ws-capture-options-output.png)bin10716 -> 10716 bytes
-rw-r--r--doc/wsug_src/images/ws-capture-options.png (renamed from docbook/wsug_src/images/ws-capture-options.png)bin37310 -> 37310 bytes
-rw-r--r--doc/wsug_src/images/ws-choose-color-rule.png (renamed from docbook/wsug_src/images/ws-choose-color-rule.png)bin38640 -> 38640 bytes
-rw-r--r--doc/wsug_src/images/ws-coloring-fields.png (renamed from docbook/wsug_src/images/ws-coloring-fields.png)bin42734 -> 42734 bytes
-rw-r--r--doc/wsug_src/images/ws-coloring-rules-dialog.png (renamed from docbook/wsug_src/images/ws-coloring-rules-dialog.png)bin86176 -> 86176 bytes
-rw-r--r--doc/wsug_src/images/ws-column-header-popup-menu.png (renamed from docbook/wsug_src/images/ws-column-header-popup-menu.png)bin195258 -> 195258 bytes
-rw-r--r--doc/wsug_src/images/ws-csp-statistics.png (renamed from docbook/wsug_src/images/ws-csp-statistics.png)bin39735 -> 39735 bytes
-rw-r--r--doc/wsug_src/images/ws-decode-as.png (renamed from docbook/wsug_src/images/ws-decode-as.png)bin15591 -> 15591 bytes
-rw-r--r--doc/wsug_src/images/ws-details-pane-popup-menu.png (renamed from docbook/wsug_src/images/ws-details-pane-popup-menu.png)bin74518 -> 74518 bytes
-rw-r--r--doc/wsug_src/images/ws-details-pane.png (renamed from docbook/wsug_src/images/ws-details-pane.png)bin7205 -> 7205 bytes
-rw-r--r--doc/wsug_src/images/ws-diagram-pane-popup-menu.png (renamed from docbook/wsug_src/images/ws-diagram-pane-popup-menu.png)bin5452 -> 5452 bytes
-rw-r--r--doc/wsug_src/images/ws-diagram-pane.png (renamed from docbook/wsug_src/images/ws-diagram-pane.png)bin7250 -> 7250 bytes
-rw-r--r--doc/wsug_src/images/ws-display-filter-tcp.png (renamed from docbook/wsug_src/images/ws-display-filter-tcp.png)bin40945 -> 40945 bytes
-rw-r--r--doc/wsug_src/images/ws-dns.png (renamed from docbook/wsug_src/images/ws-dns.png)bin151855 -> 151855 bytes
-rw-r--r--doc/wsug_src/images/ws-edit-menu.png (renamed from docbook/wsug_src/images/ws-edit-menu.png)bin48059 -> 48059 bytes
-rw-r--r--doc/wsug_src/images/ws-enabled-protocols.png (renamed from docbook/wsug_src/images/ws-enabled-protocols.png)bin21977 -> 21977 bytes
-rw-r--r--doc/wsug_src/images/ws-enrp-statistics.png (renamed from docbook/wsug_src/images/ws-enrp-statistics.png)bin78250 -> 78250 bytes
-rw-r--r--doc/wsug_src/images/ws-expert-colored-tree.png (renamed from docbook/wsug_src/images/ws-expert-colored-tree.png)bin44360 -> 44360 bytes
-rw-r--r--doc/wsug_src/images/ws-expert-column.png (renamed from docbook/wsug_src/images/ws-expert-column.png)bin97013 -> 97013 bytes
-rw-r--r--doc/wsug_src/images/ws-expert-information.png (renamed from docbook/wsug_src/images/ws-expert-information.png)bin235306 -> 235306 bytes
-rw-r--r--doc/wsug_src/images/ws-export-objects.png (renamed from docbook/wsug_src/images/ws-export-objects.png)bin154811 -> 154811 bytes
-rw-r--r--doc/wsug_src/images/ws-export-packet-dissections.png (renamed from docbook/wsug_src/images/ws-export-packet-dissections.png)bin24546 -> 24546 bytes
-rw-r--r--doc/wsug_src/images/ws-export-pdus-to-file.png (renamed from docbook/wsug_src/images/ws-export-pdus-to-file.png)bin28903 -> 28903 bytes
-rw-r--r--doc/wsug_src/images/ws-export-selected.png (renamed from docbook/wsug_src/images/ws-export-selected.png)bin25319 -> 25319 bytes
-rw-r--r--doc/wsug_src/images/ws-export-specified-packets.png (renamed from docbook/wsug_src/images/ws-export-specified-packets.png)bin38066 -> 38066 bytes
-rw-r--r--doc/wsug_src/images/ws-fgp-statistics.png (renamed from docbook/wsug_src/images/ws-fgp-statistics.png)bin47411 -> 47411 bytes
-rw-r--r--doc/wsug_src/images/ws-file-import-regex.png (renamed from docbook/wsug_src/images/ws-file-import-regex.png)bin7502 -> 7502 bytes
-rw-r--r--doc/wsug_src/images/ws-file-import.png (renamed from docbook/wsug_src/images/ws-file-import.png)bin18522 -> 18522 bytes
-rw-r--r--doc/wsug_src/images/ws-file-menu.png (renamed from docbook/wsug_src/images/ws-file-menu.png)bin49589 -> 49589 bytes
-rw-r--r--doc/wsug_src/images/ws-file-set-dialog.png (renamed from docbook/wsug_src/images/ws-file-set-dialog.png)bin11837 -> 11837 bytes
-rw-r--r--doc/wsug_src/images/ws-filter-add-expression.png (renamed from docbook/wsug_src/images/ws-filter-add-expression.png)bin99425 -> 99425 bytes
-rw-r--r--doc/wsug_src/images/ws-filter-macros.pngbin0 -> 30242 bytes
-rw-r--r--doc/wsug_src/images/ws-filter-toolbar.png (renamed from docbook/wsug_src/images/ws-filter-toolbar.png)bin17135 -> 17135 bytes
-rw-r--r--doc/wsug_src/images/ws-filters.png (renamed from docbook/wsug_src/images/ws-filters.png)bin106617 -> 106617 bytes
-rw-r--r--doc/wsug_src/images/ws-find-packet.png (renamed from docbook/wsug_src/images/ws-find-packet.png)bin68633 -> 68633 bytes
-rw-r--r--doc/wsug_src/images/ws-flow-graph.png (renamed from docbook/wsug_src/images/ws-flow-graph.png)bin287244 -> 287244 bytes
-rw-r--r--doc/wsug_src/images/ws-follow-http2-stream.png (renamed from docbook/wsug_src/images/ws-follow-http2-stream.png)bin57209 -> 57209 bytes
-rw-r--r--doc/wsug_src/images/ws-follow-sip-stream.png (renamed from docbook/wsug_src/images/ws-follow-sip-stream.png)bin152551 -> 152551 bytes
-rw-r--r--doc/wsug_src/images/ws-follow-stream.png (renamed from docbook/wsug_src/images/ws-follow-stream.png)bin99270 -> 99270 bytes
-rw-r--r--doc/wsug_src/images/ws-go-menu.png (renamed from docbook/wsug_src/images/ws-go-menu.png)bin54427 -> 54427 bytes
-rw-r--r--doc/wsug_src/images/ws-goto-packet.png (renamed from docbook/wsug_src/images/ws-goto-packet.png)bin106466 -> 106466 bytes
-rw-r--r--doc/wsug_src/images/ws-gui-config-profiles.pngbin0 -> 59117 bytes
-rw-r--r--doc/wsug_src/images/ws-help-menu.png (renamed from docbook/wsug_src/images/ws-help-menu.png)bin57646 -> 57646 bytes
-rw-r--r--doc/wsug_src/images/ws-list-pane.png (renamed from docbook/wsug_src/images/ws-list-pane.png)bin179959 -> 179959 bytes
-rw-r--r--doc/wsug_src/images/ws-main-toolbar.pngbin0 -> 14341 bytes
-rw-r--r--doc/wsug_src/images/ws-main.png (renamed from docbook/wsug_src/images/ws-main.png)bin61749 -> 61749 bytes
-rw-r--r--doc/wsug_src/images/ws-manage-interfaces.png (renamed from docbook/wsug_src/images/ws-manage-interfaces.png)bin16108 -> 16108 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-analysis.png (renamed from docbook/wsug_src/images/ws-mate-analysis.png)bin15235 -> 15235 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-dns_pane.png (renamed from docbook/wsug_src/images/ws-mate-dns_pane.png)bin10026 -> 10026 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-dns_pdu.png (renamed from docbook/wsug_src/images/ws-mate-dns_pdu.png)bin5438 -> 5438 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-ftp_over_gre.png (renamed from docbook/wsug_src/images/ws-mate-ftp_over_gre.png)bin6319 -> 6319 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-gop_analysis.png (renamed from docbook/wsug_src/images/ws-mate-gop_analysis.png)bin26029 -> 26029 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png (renamed from docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png)bin8019 -> 8019 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-mmse_over_http.png (renamed from docbook/wsug_src/images/ws-mate-mmse_over_http.png)bin6450 -> 6450 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-pdu_analysis.png (renamed from docbook/wsug_src/images/ws-mate-pdu_analysis.png)bin12338 -> 12338 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-tcp-output.pngbin0 -> 11769 bytes
-rw-r--r--doc/wsug_src/images/ws-mate-transform.png (renamed from docbook/wsug_src/images/ws-mate-transform.png)bin5285 -> 5285 bytes
-rw-r--r--doc/wsug_src/images/ws-menu.png (renamed from docbook/wsug_src/images/ws-menu.png)bin1224 -> 1224 bytes
-rw-r--r--doc/wsug_src/images/ws-merge-qt5.png (renamed from docbook/wsug_src/images/ws-merge-qt5.png)bin87107 -> 87107 bytes
-rw-r--r--doc/wsug_src/images/ws-merge-win32.png (renamed from docbook/wsug_src/images/ws-merge-win32.png)bin31903 -> 31903 bytes
-rw-r--r--doc/wsug_src/images/ws-netperfmeter-statistics.png (renamed from docbook/wsug_src/images/ws-netperfmeter-statistics.png)bin292140 -> 292140 bytes
-rw-r--r--doc/wsug_src/images/ws-open-qt5.png (renamed from docbook/wsug_src/images/ws-open-qt5.png)bin94718 -> 94718 bytes
-rw-r--r--doc/wsug_src/images/ws-open-win32.png (renamed from docbook/wsug_src/images/ws-open-win32.png)bin36529 -> 36529 bytes
-rw-r--r--doc/wsug_src/images/ws-packet-format.png (renamed from docbook/wsug_src/images/ws-packet-format.png)bin59055 -> 59055 bytes
-rw-r--r--doc/wsug_src/images/ws-packet-pane-popup-menu.png (renamed from docbook/wsug_src/images/ws-packet-pane-popup-menu.png)bin63939 -> 63939 bytes
-rw-r--r--doc/wsug_src/images/ws-packet-range.png (renamed from docbook/wsug_src/images/ws-packet-range.png)bin3354 -> 3354 bytes
-rw-r--r--doc/wsug_src/images/ws-packet-selected.png (renamed from docbook/wsug_src/images/ws-packet-selected.png)bin185251 -> 185251 bytes
-rw-r--r--doc/wsug_src/images/ws-packet-sep-win.png (renamed from docbook/wsug_src/images/ws-packet-sep-win.png)bin17826 -> 17826 bytes
-rw-r--r--doc/wsug_src/images/ws-pingpongprotocol-statistics.png (renamed from docbook/wsug_src/images/ws-pingpongprotocol-statistics.png)bin47806 -> 47806 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-advanced.png (renamed from docbook/wsug_src/images/ws-pref-advanced.png)bin20099 -> 20099 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-appearance-columns.png (renamed from docbook/wsug_src/images/ws-pref-appearance-columns.png)bin11435 -> 11435 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png (renamed from docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png)bin15859 -> 15859 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-appearance-layout.png (renamed from docbook/wsug_src/images/ws-pref-appearance-layout.png)bin17347 -> 17347 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-appearance.png (renamed from docbook/wsug_src/images/ws-pref-appearance.png)bin16902 -> 16902 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-capture.png (renamed from docbook/wsug_src/images/ws-pref-capture.png)bin11318 -> 11318 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-expert.png (renamed from docbook/wsug_src/images/ws-pref-expert.png)bin9931 -> 9931 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-filter-buttons.png (renamed from docbook/wsug_src/images/ws-pref-filter-buttons.png)bin10546 -> 10546 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-name-resolution.png (renamed from docbook/wsug_src/images/ws-pref-name-resolution.png)bin15776 -> 15776 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-protocols.pngbin0 -> 42690 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-rsa-keys.png (renamed from docbook/wsug_src/images/ws-pref-rsa-keys.png)bin10373 -> 10373 bytes
-rw-r--r--doc/wsug_src/images/ws-pref-statistics.png (renamed from docbook/wsug_src/images/ws-pref-statistics.png)bin13621 -> 13621 bytes
-rw-r--r--doc/wsug_src/images/ws-print.png (renamed from docbook/wsug_src/images/ws-print.png)bin641979 -> 641979 bytes
-rw-r--r--doc/wsug_src/images/ws-resolved-addr.png (renamed from docbook/wsug_src/images/ws-resolved-addr.png)bin86141 -> 86141 bytes
-rw-r--r--doc/wsug_src/images/ws-rlc-graph.png (renamed from docbook/wsug_src/images/ws-rlc-graph.png)bin61853 -> 61853 bytes
-rw-r--r--doc/wsug_src/images/ws-save-as-qt5.png (renamed from docbook/wsug_src/images/ws-save-as-qt5.png)bin43012 -> 43012 bytes
-rw-r--r--doc/wsug_src/images/ws-save-as-win32.png (renamed from docbook/wsug_src/images/ws-save-as-win32.png)bin19241 -> 19241 bytes
-rw-r--r--doc/wsug_src/images/ws-sctp-1-association.png (renamed from docbook/wsug_src/images/ws-sctp-1-association.png)bin119620 -> 119620 bytes
-rw-r--r--doc/wsug_src/images/ws-sctp.png (renamed from docbook/wsug_src/images/ws-sctp.png)bin38473 -> 38473 bytes
-rw-r--r--doc/wsug_src/images/ws-ssp-statistics.png (renamed from docbook/wsug_src/images/ws-ssp-statistics.png)bin84536 -> 84536 bytes
-rw-r--r--doc/wsug_src/images/ws-statistics-menu.png (renamed from docbook/wsug_src/images/ws-statistics-menu.png)bin58896 -> 58896 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-conversations.png (renamed from docbook/wsug_src/images/ws-stats-conversations.png)bin482854 -> 482854 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-endpoints.png (renamed from docbook/wsug_src/images/ws-stats-endpoints.png)bin277413 -> 277413 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-hierarchy.png (renamed from docbook/wsug_src/images/ws-stats-hierarchy.png)bin86949 -> 86949 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-http-requestsequences.png (renamed from docbook/wsug_src/images/ws-stats-http-requestsequences.png)bin32351 -> 32351 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-iographs.png (renamed from docbook/wsug_src/images/ws-stats-iographs.png)bin48212 -> 48212 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-lte-mac-traffic.png (renamed from docbook/wsug_src/images/ws-stats-lte-mac-traffic.png)bin24809 -> 24809 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-lte-rlc-traffic.png (renamed from docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png)bin23041 -> 23041 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-packet-lengths.png (renamed from docbook/wsug_src/images/ws-stats-packet-lengths.png)bin92831 -> 92831 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-srt-smb2.png (renamed from docbook/wsug_src/images/ws-stats-srt-smb2.png)bin21338 -> 21338 bytes
-rw-r--r--doc/wsug_src/images/ws-stats-wlan-traffic.png (renamed from docbook/wsug_src/images/ws-stats-wlan-traffic.png)bin26157 -> 26157 bytes
-rw-r--r--doc/wsug_src/images/ws-statusbar-empty.png (renamed from docbook/wsug_src/images/ws-statusbar-empty.png)bin8447 -> 8447 bytes
-rw-r--r--doc/wsug_src/images/ws-statusbar-filter.png (renamed from docbook/wsug_src/images/ws-statusbar-filter.png)bin17185 -> 17185 bytes
-rw-r--r--doc/wsug_src/images/ws-statusbar-loaded.png (renamed from docbook/wsug_src/images/ws-statusbar-loaded.png)bin12944 -> 12944 bytes
-rw-r--r--doc/wsug_src/images/ws-statusbar-profile.png (renamed from docbook/wsug_src/images/ws-statusbar-profile.png)bin34604 -> 34604 bytes
-rw-r--r--doc/wsug_src/images/ws-statusbar-selected.png (renamed from docbook/wsug_src/images/ws-statusbar-selected.png)bin15042 -> 15042 bytes
-rw-r--r--doc/wsug_src/images/ws-tcp-analysis.png (renamed from docbook/wsug_src/images/ws-tcp-analysis.png)bin70774 -> 70774 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-playlist.dia (renamed from docbook/wsug_src/images/ws-tel-playlist.dia)bin1615 -> 1615 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-playlist.png (renamed from docbook/wsug_src/images/ws-tel-playlist.png)bin13572 -> 13572 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_1.png (renamed from docbook/wsug_src/images/ws-tel-rtp-player_1.png)bin287286 -> 287286 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_1.xcf (renamed from docbook/wsug_src/images/ws-tel-rtp-player_1.xcf)bin1094564 -> 1094564 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_2.png (renamed from docbook/wsug_src/images/ws-tel-rtp-player_2.png)bin329291 -> 329291 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_2.xcf (renamed from docbook/wsug_src/images/ws-tel-rtp-player_2.xcf)bin686083 -> 686083 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_3.png (renamed from docbook/wsug_src/images/ws-tel-rtp-player_3.png)bin31422 -> 31422 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-player_button.png (renamed from docbook/wsug_src/images/ws-tel-rtp-player_button.png)bin20816 -> 20816 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtp-streams.png (renamed from docbook/wsug_src/images/ws-tel-rtp-streams.png)bin76336 -> 76336 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png (renamed from docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png)bin214220 -> 214220 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png (renamed from docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png)bin87689 -> 87689 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png (renamed from docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png)bin213706 -> 213706 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-seq-dialog.png (renamed from docbook/wsug_src/images/ws-tel-seq-dialog.png)bin284185 -> 284185 bytes
-rw-r--r--doc/wsug_src/images/ws-tel-voip-calls.png (renamed from docbook/wsug_src/images/ws-tel-voip-calls.png)bin88363 -> 88363 bytes
-rw-r--r--doc/wsug_src/images/ws-telephony-menu.png (renamed from docbook/wsug_src/images/ws-telephony-menu.png)bin55412 -> 55412 bytes
-rw-r--r--doc/wsug_src/images/ws-time-reference.png (renamed from docbook/wsug_src/images/ws-time-reference.png)bin45981 -> 45981 bytes
-rw-r--r--doc/wsug_src/images/ws-time-shift-details.png (renamed from docbook/wsug_src/images/ws-time-shift-details.png)bin34914 -> 34914 bytes
-rw-r--r--doc/wsug_src/images/ws-time-shift.png (renamed from docbook/wsug_src/images/ws-time-shift.png)bin22411 -> 22411 bytes
-rw-r--r--doc/wsug_src/images/ws-tls-session-keys.png (renamed from docbook/wsug_src/images/ws-tls-session-keys.png)bin39511 -> 39511 bytes
-rw-r--r--doc/wsug_src/images/ws-tools-menu.png (renamed from docbook/wsug_src/images/ws-tools-menu.png)bin90865 -> 90865 bytes
-rw-r--r--doc/wsug_src/images/ws-udp-multicast-stream.png (renamed from docbook/wsug_src/images/ws-udp-multicast-stream.png)bin135427 -> 135427 bytes
-rw-r--r--doc/wsug_src/images/ws-user-guide-cover.png (renamed from docbook/wsug_src/images/ws-user-guide-cover.png)bin12238 -> 12238 bytes
-rw-r--r--doc/wsug_src/images/ws-view-menu.png (renamed from docbook/wsug_src/images/ws-view-menu.png)bin40750 -> 40750 bytes
-rw-r--r--doc/wsug_src/images/ws-wireless-ieee-80211-pref.pngbin0 -> 76179 bytes
-rw-r--r--doc/wsug_src/images/ws-wireless-key-examples.pngbin0 -> 7123 bytes
-rw-r--r--doc/wsug_src/images/ws-wireless-key-type.pngbin0 -> 5833 bytes
-rw-r--r--doc/wsug_src/images/ws-wireless-menu.png (renamed from docbook/wsug_src/images/ws-wireless-menu.png)bin53973 -> 53973 bytes
-rw-r--r--doc/wsug_src/mergecap-h.txt (renamed from docbook/wsug_src/mergecap-h.txt)4
-rw-r--r--doc/wsug_src/rawshark-h.txt (renamed from docbook/wsug_src/rawshark-h.txt)10
-rw-r--r--doc/wsug_src/reordercap-h.txt (renamed from docbook/wsug_src/reordercap-h.txt)2
-rw-r--r--doc/wsug_src/text2pcap-h.txt (renamed from docbook/wsug_src/text2pcap-h.txt)17
-rw-r--r--doc/wsug_src/tshark-h.txt (renamed from docbook/wsug_src/tshark-h.txt)14
-rw-r--r--doc/wsug_src/user-guide-docinfo.xml (renamed from docbook/wsug_src/user-guide-docinfo.xml)2
-rw-r--r--doc/wsug_src/user-guide.adoc (renamed from docbook/wsug_src/user-guide.adoc)0
-rw-r--r--doc/wsug_src/wireshark-h.txt (renamed from docbook/wsug_src/wireshark-h.txt)6
-rw-r--r--doc/wsug_src/wsug_advanced.adoc (renamed from docbook/wsug_src/wsug_advanced.adoc)114
-rw-r--r--doc/wsug_src/wsug_build_install.adoc (renamed from docbook/wsug_src/wsug_build_install.adoc)48
-rw-r--r--doc/wsug_src/wsug_capture.adoc (renamed from docbook/wsug_src/wsug_capture.adoc)6
-rw-r--r--doc/wsug_src/wsug_customize.adoc (renamed from docbook/wsug_src/wsug_customize.adoc)401
-rw-r--r--doc/wsug_src/wsug_files.adoc (renamed from docbook/wsug_src/wsug_files.adoc)121
-rw-r--r--doc/wsug_src/wsug_howitworks.adoc (renamed from docbook/wsug_src/wsug_howitworks.adoc)0
-rw-r--r--doc/wsug_src/wsug_introduction.adoc (renamed from docbook/wsug_src/wsug_introduction.adoc)4
-rw-r--r--doc/wsug_src/wsug_io.adoc (renamed from docbook/wsug_src/wsug_io.adoc)11
-rw-r--r--doc/wsug_src/wsug_mate.adoc (renamed from docbook/wsug_src/wsug_mate.adoc)1571
-rw-r--r--doc/wsug_src/wsug_messages.adoc (renamed from docbook/wsug_src/wsug_messages.adoc)0
-rw-r--r--doc/wsug_src/wsug_preface.adoc (renamed from docbook/wsug_src/wsug_preface.adoc)0
-rw-r--r--doc/wsug_src/wsug_protocols.adoc (renamed from docbook/wsug_src/wsug_protocols.adoc)0
-rw-r--r--doc/wsug_src/wsug_statistics.adoc (renamed from docbook/wsug_src/wsug_statistics.adoc)70
-rw-r--r--doc/wsug_src/wsug_telephony.adoc (renamed from docbook/wsug_src/wsug_telephony.adoc)10
-rw-r--r--doc/wsug_src/wsug_tools.adoc (renamed from docbook/wsug_src/wsug_tools.adoc)0
-rw-r--r--doc/wsug_src/wsug_troubleshoot.adoc (renamed from docbook/wsug_src/wsug_troubleshoot.adoc)0
-rw-r--r--doc/wsug_src/wsug_use.adoc (renamed from docbook/wsug_src/wsug_use.adoc)53
-rw-r--r--doc/wsug_src/wsug_wireless.adoc (renamed from docbook/wsug_src/wsug_wireless.adoc)1
-rw-r--r--doc/wsug_src/wsug_work.adoc (renamed from docbook/wsug_src/wsug_work.adoc)99
222 files changed, 1544 insertions, 1043 deletions
diff --git a/docbook/wsug_src/capinfos-h.txt b/doc/wsug_src/capinfos-h.txt
index 6757bd19..caff07c7 100644
--- a/docbook/wsug_src/capinfos-h.txt
+++ b/doc/wsug_src/capinfos-h.txt
@@ -1,4 +1,4 @@
-Capinfos (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Capinfos (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Print various information (infos) about capture files.
See https://www.wireshark.org for more information.
@@ -21,10 +21,10 @@ Size infos:
Time infos:
-u display the capture duration (in seconds)
- -a display the capture start time
- -e display the capture end time
+ -a display the timestamp of the earliest packet
+ -e display the timestamp of the latest packet
-o display the capture file chronological status (True/False)
- -S display start and end times as seconds
+ -S display earliest and latest packet timestamps as seconds
Statistic infos:
-y display average data rate (in bytes/sec)
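Review bot: the rewording of -a, -e and -S from "capture start/end time" to "timestamp of the earliest/latest packet" is a semantic correction rather than cosmetic, since the -o line directly below shows that a capture file is not guaranteed to be chronological and the first/last packet need not be the earliest/latest; because this file is the captured output of the tool's own help text, the same wording should also be reflected wherever the user guide explains these three options, not only in this regenerated snapshot.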
diff --git a/docbook/wsug_src/dumpcap-h.txt b/doc/wsug_src/dumpcap-h.txt
index 8d73aed7..d24cd18b 100644
--- a/docbook/wsug_src/dumpcap-h.txt
+++ b/doc/wsug_src/dumpcap-h.txt
@@ -1,4 +1,4 @@
-Dumpcap (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Dumpcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.
@@ -7,8 +7,7 @@ Usage: dumpcap [options] ...
Capture interface:
-i <interface>, --interface <interface>
name or idx of interface (def: first non-loopback),
- or for remote capturing, use one of these formats:
- rpcap://<host>/<interface>
+ or for remote capturing, use this format:
TCP@<host>:<port>
--ifname <name> name to use in the capture file for a pipe from which
we're capturing
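Review bot: dropping the rpcap://<host>/<interface> line leaves "TCP@<host>:<port>" as the only remote-capture format, so the sentence above it now correctly says "use this format", but any user-guide prose that still describes the rpcap:// URL form for dumpcap needs the matching change; wsug_capture.adoc is listed in this diffstat, which suggests it was touched, and the reviewer should confirm that chapter no longer refers to rpcap.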
diff --git a/docbook/wsug_src/editcap-F.txt b/doc/wsug_src/editcap-F.txt
index c566bd2c..4f2bf7f8 100644
--- a/docbook/wsug_src/editcap-F.txt
+++ b/doc/wsug_src/editcap-F.txt
@@ -19,6 +19,7 @@ editcap: The available capture file types for the "-F" flag are:
logcat-threadtime - Android Logcat Threadtime text format
logcat-time - Android Logcat Time text format
modpcap - Modified tcpdump - pcap
+ mp2t - MPEG2 transport stream
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
diff --git a/docbook/wsug_src/editcap-T.txt b/doc/wsug_src/editcap-T.txt
index e975dcec..af5214ba 100644
--- a/docbook/wsug_src/editcap-T.txt
+++ b/doc/wsug_src/editcap-T.txt
@@ -27,12 +27,14 @@ editcap: The available encapsulation types for the "-T" flag are:
cosine - CoSine L2 debug log
dbus - D-Bus
dct2000 - Catapult DCT2000
+ dect_nr - DECT-2020 New Radio (NR) MAC layer
docsis - Data Over Cable Service Interface Specification
docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
dpnss_link - Digital Private Signalling System No 1 Link Layer
dvbci - DVB-CI (Common Interface)
ebhscr - Elektrobit High Speed Capture and Replay
+ ems - EMS (EGNOS Message Server) file
enc - OpenBSD enc(4) encapsulating interface
epon - Ethernet Passive Optical Network
erf - Extensible Record Format
diff --git a/docbook/wsug_src/editcap-h.txt b/doc/wsug_src/editcap-h.txt
index c5aa64a5..93edff0b 100644
--- a/docbook/wsug_src/editcap-h.txt
+++ b/doc/wsug_src/editcap-h.txt
@@ -1,4 +1,4 @@
-Editcap (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Editcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.
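Review bot: the replaced header line bumps the version string to `4.4.0 (v4.4.0rc1-11-g13699b5b3e78)`, a pre-release `git describe` suffix that will be stale again at the 4.4.0 release. Since these help files are captured tool output, either regenerate them from the release build or strip the parenthesised suffix when capturing so the checked-in text only changes when the help content does.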
@@ -79,6 +79,8 @@ Packet manipulation:
-a <framenum>:<comment> Add or replace comment for given frame number
Output File(s):
+ if the output file(s) have the .gz extension, then
+ gzip compression will be used
-c <packets per file> split the packet output to different files based on
uniform packet counts with a maximum of
<packets per file> each.
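Review bot: the two added lines ("if the output file(s) have the .gz extension, then gzip compression will be used") sit directly under the `Output File(s):` heading with nothing in the option column, so in the rendered help they read like the tail of an option whose name line is missing. Suggest attaching the sentence to the description of the output-file argument it qualifies, or placing it as a standalone note after the last option in the section. The same file also gains `--compress <type>` in a later hunk; the help should say which takes precedence when a `.gz` output name and an explicit `--compress` value disagree.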
@@ -92,6 +94,8 @@ Output File(s):
list the encapsulation types.
--inject-secrets <type>,<file> Insert decryption secrets from <file>. List
supported secret types with "--inject-secrets help".
+ --extract-secrets Extract decryption secrets into the output file instead.
+ Incompatible with other options besides -V.
--discard-all-secrets Discard all decryption secrets from the input file
when writing the output file. Does not discard
secrets added by "--inject-secrets" in the same
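Review bot: "Extract decryption secrets into the output file instead." on the first added line is ambiguous read on its own; "instead" of what? Suggest "Write only the decryption secrets from the input file to the output file (no packets)." The second added line says the option is incompatible with everything except `-V`, but `--inject-secrets` and `--discard-all-secrets` are its immediate neighbours in this section, so the text should state whether editcap rejects the combination with an error or silently ignores the other options.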
@@ -107,6 +111,7 @@ Output File(s):
Discard all packet comments from the input file
when writing the output file. Does not discard
comments added by "-a" in the same command line.
+ --compress <type> Compress the output file using the type compression format.
Miscellaneous:
-h, --help display this help and exit.
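Review bot: on the added `--compress <type>` line, "using the type compression format" should read "using the <type> compression format", and the entry gives the user no way to discover valid values. Follow the convention already used by `--inject-secrets` in this file ("List supported secret types with ...") and say how to list the supported compression types.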
diff --git a/docbook/wsug_src/images/caution.svg b/doc/wsug_src/images/caution.svg
index 793c6020..793c6020 100644
--- a/docbook/wsug_src/images/caution.svg
+++ b/doc/wsug_src/images/caution.svg
diff --git a/docbook/wsug_src/images/important.svg b/doc/wsug_src/images/important.svg
index a2ee7012..a2ee7012 100644
--- a/docbook/wsug_src/images/important.svg
+++ b/doc/wsug_src/images/important.svg
diff --git a/docbook/wsug_src/images/note.svg b/doc/wsug_src/images/note.svg
index 803dc13e..803dc13e 100644
--- a/docbook/wsug_src/images/note.svg
+++ b/doc/wsug_src/images/note.svg
diff --git a/docbook/wsug_src/images/related-ack.png b/doc/wsug_src/images/related-ack.png
index a60c5fbb..a60c5fbb 100644
--- a/docbook/wsug_src/images/related-ack.png
+++ b/doc/wsug_src/images/related-ack.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-current.png b/doc/wsug_src/images/related-current.png
index 02578c5e..02578c5e 100644
--- a/docbook/wsug_src/images/related-current.png
+++ b/doc/wsug_src/images/related-current.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-dup-ack.png b/doc/wsug_src/images/related-dup-ack.png
index a73dc646..a73dc646 100644
--- a/docbook/wsug_src/images/related-dup-ack.png
+++ b/doc/wsug_src/images/related-dup-ack.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-first.png b/doc/wsug_src/images/related-first.png
index 03e44ac0..03e44ac0 100644
--- a/docbook/wsug_src/images/related-first.png
+++ b/doc/wsug_src/images/related-first.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-last.png b/doc/wsug_src/images/related-last.png
index 9f740ebe..9f740ebe 100644
--- a/docbook/wsug_src/images/related-last.png
+++ b/doc/wsug_src/images/related-last.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-other.png b/doc/wsug_src/images/related-other.png
index 3bde3ace..3bde3ace 100644
--- a/docbook/wsug_src/images/related-other.png
+++ b/doc/wsug_src/images/related-other.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-request.png b/doc/wsug_src/images/related-request.png
index 472b850d..472b850d 100644
--- a/docbook/wsug_src/images/related-request.png
+++ b/doc/wsug_src/images/related-request.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-response.png b/doc/wsug_src/images/related-response.png
index 883274eb..883274eb 100644
--- a/docbook/wsug_src/images/related-response.png
+++ b/doc/wsug_src/images/related-response.png
Binary files differ
diff --git a/docbook/wsug_src/images/related-segment.png b/doc/wsug_src/images/related-segment.png
index 9fff8a7e..9fff8a7e 100644
--- a/docbook/wsug_src/images/related-segment.png
+++ b/doc/wsug_src/images/related-segment.png
Binary files differ
diff --git a/docbook/wsug_src/images/tip.svg b/doc/wsug_src/images/tip.svg
index 1a60b74a..1a60b74a 100644
--- a/docbook/wsug_src/images/tip.svg
+++ b/doc/wsug_src/images/tip.svg
diff --git a/docbook/wsug_src/images/toolbar/document-open.png b/doc/wsug_src/images/toolbar/document-open.png
index 516a261c..516a261c 100644
--- a/docbook/wsug_src/images/toolbar/document-open.png
+++ b/doc/wsug_src/images/toolbar/document-open.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/edit-find.png b/doc/wsug_src/images/toolbar/edit-find.png
index f739ea98..f739ea98 100644
--- a/docbook/wsug_src/images/toolbar/edit-find.png
+++ b/doc/wsug_src/images/toolbar/edit-find.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-add.png b/doc/wsug_src/images/toolbar/filter-toolbar-add.png
index ca3454e4..ca3454e4 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-add.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-add.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-apply.png b/doc/wsug_src/images/toolbar/filter-toolbar-apply.png
index 262646e7..262646e7 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-apply.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-apply.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png b/doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png
index c7c4c951..c7c4c951 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-clear.png b/doc/wsug_src/images/toolbar/filter-toolbar-clear.png
index 1122947f..1122947f 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-clear.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-clear.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-input.png b/doc/wsug_src/images/toolbar/filter-toolbar-input.png
index 98962abd..98962abd 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-input.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-input.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-recent.png b/doc/wsug_src/images/toolbar/filter-toolbar-recent.png
index fff2d034..fff2d034 100644
--- a/docbook/wsug_src/images/toolbar/filter-toolbar-recent.png
+++ b/doc/wsug_src/images/toolbar/filter-toolbar-recent.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/go-first.png b/doc/wsug_src/images/toolbar/go-first.png
index 95b485a0..95b485a0 100644
--- a/docbook/wsug_src/images/toolbar/go-first.png
+++ b/doc/wsug_src/images/toolbar/go-first.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/go-jump.png b/doc/wsug_src/images/toolbar/go-jump.png
index cc13792d..cc13792d 100644
--- a/docbook/wsug_src/images/toolbar/go-jump.png
+++ b/doc/wsug_src/images/toolbar/go-jump.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/go-last.png b/doc/wsug_src/images/toolbar/go-last.png
index 78ea4b70..78ea4b70 100644
--- a/docbook/wsug_src/images/toolbar/go-last.png
+++ b/doc/wsug_src/images/toolbar/go-last.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/go-next.png b/doc/wsug_src/images/toolbar/go-next.png
index 0bc6a156..0bc6a156 100644
--- a/docbook/wsug_src/images/toolbar/go-next.png
+++ b/doc/wsug_src/images/toolbar/go-next.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/go-previous.png b/doc/wsug_src/images/toolbar/go-previous.png
index 6870ea2f..6870ea2f 100644
--- a/docbook/wsug_src/images/toolbar/go-previous.png
+++ b/doc/wsug_src/images/toolbar/go-previous.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-close.png b/doc/wsug_src/images/toolbar/x-capture-file-close.png
index dab2f84c..dab2f84c 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-file-close.png
+++ b/doc/wsug_src/images/toolbar/x-capture-file-close.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-reload.png b/doc/wsug_src/images/toolbar/x-capture-file-reload.png
index 22e6edb2..22e6edb2 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-file-reload.png
+++ b/doc/wsug_src/images/toolbar/x-capture-file-reload.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-save.png b/doc/wsug_src/images/toolbar/x-capture-file-save.png
index 48ef2525..48ef2525 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-file-save.png
+++ b/doc/wsug_src/images/toolbar/x-capture-file-save.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-options.png b/doc/wsug_src/images/toolbar/x-capture-options.png
index a3384e6a..a3384e6a 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-options.png
+++ b/doc/wsug_src/images/toolbar/x-capture-options.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-restart.png b/doc/wsug_src/images/toolbar/x-capture-restart.png
index eb5eb0b6..eb5eb0b6 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-restart.png
+++ b/doc/wsug_src/images/toolbar/x-capture-restart.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-start.png b/doc/wsug_src/images/toolbar/x-capture-start.png
index ac0a3d2b..ac0a3d2b 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-start.png
+++ b/doc/wsug_src/images/toolbar/x-capture-start.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-capture-stop.png b/doc/wsug_src/images/toolbar/x-capture-stop.png
index 7a64753d..7a64753d 100644
--- a/docbook/wsug_src/images/toolbar/x-capture-stop.png
+++ b/doc/wsug_src/images/toolbar/x-capture-stop.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-colorize-packets.png b/doc/wsug_src/images/toolbar/x-colorize-packets.png
index 624b7eae..624b7eae 100644
--- a/docbook/wsug_src/images/toolbar/x-colorize-packets.png
+++ b/doc/wsug_src/images/toolbar/x-colorize-packets.png
Binary files differ
diff --git a/doc/wsug_src/images/toolbar/x-reset-layout_2.png b/doc/wsug_src/images/toolbar/x-reset-layout_2.png
new file mode 100644
index 00000000..8d3287ef
--- /dev/null
+++ b/doc/wsug_src/images/toolbar/x-reset-layout_2.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-resize-columns.png b/doc/wsug_src/images/toolbar/x-resize-columns.png
index f79cf321..f79cf321 100644
--- a/docbook/wsug_src/images/toolbar/x-resize-columns.png
+++ b/doc/wsug_src/images/toolbar/x-resize-columns.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/x-stay-last.png b/doc/wsug_src/images/toolbar/x-stay-last.png
index eba7ae54..eba7ae54 100644
--- a/docbook/wsug_src/images/toolbar/x-stay-last.png
+++ b/doc/wsug_src/images/toolbar/x-stay-last.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/zoom-in.png b/doc/wsug_src/images/toolbar/zoom-in.png
index 0025c34c..0025c34c 100644
--- a/docbook/wsug_src/images/toolbar/zoom-in.png
+++ b/doc/wsug_src/images/toolbar/zoom-in.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/zoom-original.png b/doc/wsug_src/images/toolbar/zoom-original.png
index c8bb23e3..c8bb23e3 100644
--- a/docbook/wsug_src/images/toolbar/zoom-original.png
+++ b/doc/wsug_src/images/toolbar/zoom-original.png
Binary files differ
diff --git a/docbook/wsug_src/images/toolbar/zoom-out.png b/doc/wsug_src/images/toolbar/zoom-out.png
index e582655d..e582655d 100644
--- a/docbook/wsug_src/images/toolbar/zoom-out.png
+++ b/doc/wsug_src/images/toolbar/zoom-out.png
Binary files differ
diff --git a/docbook/wsug_src/images/warning.svg b/doc/wsug_src/images/warning.svg
index 80c0ba5c..80c0ba5c 100644
--- a/docbook/wsug_src/images/warning.svg
+++ b/doc/wsug_src/images/warning.svg
diff --git a/docbook/wsug_src/images/ws-about-codecs.png b/doc/wsug_src/images/ws-about-codecs.png
index 5f5c46fa..5f5c46fa 100644
--- a/docbook/wsug_src/images/ws-about-codecs.png
+++ b/doc/wsug_src/images/ws-about-codecs.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-analyze-menu.png b/doc/wsug_src/images/ws-analyze-menu.png
index 5147d7aa..5147d7aa 100644
--- a/docbook/wsug_src/images/ws-analyze-menu.png
+++ b/doc/wsug_src/images/ws-analyze-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-asap-statistics.png b/doc/wsug_src/images/ws-asap-statistics.png
index d1a33072..d1a33072 100644
--- a/docbook/wsug_src/images/ws-asap-statistics.png
+++ b/doc/wsug_src/images/ws-asap-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-bluetooth-devices.png b/doc/wsug_src/images/ws-bluetooth-devices.png
index b6d1e3c9..b6d1e3c9 100644
--- a/docbook/wsug_src/images/ws-bluetooth-devices.png
+++ b/doc/wsug_src/images/ws-bluetooth-devices.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-bt-hci-summary.png b/doc/wsug_src/images/ws-bt-hci-summary.png
index 16b7bec6..16b7bec6 100644
--- a/docbook/wsug_src/images/ws-bt-hci-summary.png
+++ b/doc/wsug_src/images/ws-bt-hci-summary.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-bytes-pane-popup-menu.png b/doc/wsug_src/images/ws-bytes-pane-popup-menu.png
index bee43bfc..bee43bfc 100644
--- a/docbook/wsug_src/images/ws-bytes-pane-popup-menu.png
+++ b/doc/wsug_src/images/ws-bytes-pane-popup-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-bytes-pane-tabs.png b/doc/wsug_src/images/ws-bytes-pane-tabs.png
index b9817a2c..b9817a2c 100644
--- a/docbook/wsug_src/images/ws-bytes-pane-tabs.png
+++ b/doc/wsug_src/images/ws-bytes-pane-tabs.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-bytes-pane.png b/doc/wsug_src/images/ws-bytes-pane.png
index 70d1291a..70d1291a 100644
--- a/docbook/wsug_src/images/ws-bytes-pane.png
+++ b/doc/wsug_src/images/ws-bytes-pane.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-calcappprotocol-statistics.png b/doc/wsug_src/images/ws-calcappprotocol-statistics.png
index 3c9d9fe9..3c9d9fe9 100644
--- a/docbook/wsug_src/images/ws-calcappprotocol-statistics.png
+++ b/doc/wsug_src/images/ws-calcappprotocol-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-file-properties.png b/doc/wsug_src/images/ws-capture-file-properties.png
index 816987b3..816987b3 100644
--- a/docbook/wsug_src/images/ws-capture-file-properties.png
+++ b/doc/wsug_src/images/ws-capture-file-properties.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-info.png b/doc/wsug_src/images/ws-capture-info.png
index e82ec0ad..e82ec0ad 100644
--- a/docbook/wsug_src/images/ws-capture-info.png
+++ b/doc/wsug_src/images/ws-capture-info.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-interfaces-main-macos.png b/doc/wsug_src/images/ws-capture-interfaces-main-macos.png
index 38698864..38698864 100644
--- a/docbook/wsug_src/images/ws-capture-interfaces-main-macos.png
+++ b/doc/wsug_src/images/ws-capture-interfaces-main-macos.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-interfaces-main-win32.png b/doc/wsug_src/images/ws-capture-interfaces-main-win32.png
index a50b64e8..a50b64e8 100644
--- a/docbook/wsug_src/images/ws-capture-interfaces-main-win32.png
+++ b/doc/wsug_src/images/ws-capture-interfaces-main-win32.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-menu.png b/doc/wsug_src/images/ws-capture-menu.png
index 5d001e18..5d001e18 100644
--- a/docbook/wsug_src/images/ws-capture-menu.png
+++ b/doc/wsug_src/images/ws-capture-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png b/doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png
index 14501e0e..14501e0e 100644
--- a/docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png
+++ b/doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-options-options.png b/doc/wsug_src/images/ws-capture-options-options.png
index b72a54f9..b72a54f9 100644
--- a/docbook/wsug_src/images/ws-capture-options-options.png
+++ b/doc/wsug_src/images/ws-capture-options-options.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-options-output.png b/doc/wsug_src/images/ws-capture-options-output.png
index 097c7f0a..097c7f0a 100644
--- a/docbook/wsug_src/images/ws-capture-options-output.png
+++ b/doc/wsug_src/images/ws-capture-options-output.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-capture-options.png b/doc/wsug_src/images/ws-capture-options.png
index 8a12d436..8a12d436 100644
--- a/docbook/wsug_src/images/ws-capture-options.png
+++ b/doc/wsug_src/images/ws-capture-options.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-choose-color-rule.png b/doc/wsug_src/images/ws-choose-color-rule.png
index 263aa551..263aa551 100644
--- a/docbook/wsug_src/images/ws-choose-color-rule.png
+++ b/doc/wsug_src/images/ws-choose-color-rule.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-coloring-fields.png b/doc/wsug_src/images/ws-coloring-fields.png
index 9a5171ab..9a5171ab 100644
--- a/docbook/wsug_src/images/ws-coloring-fields.png
+++ b/doc/wsug_src/images/ws-coloring-fields.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-coloring-rules-dialog.png b/doc/wsug_src/images/ws-coloring-rules-dialog.png
index ac6d28e5..ac6d28e5 100644
--- a/docbook/wsug_src/images/ws-coloring-rules-dialog.png
+++ b/doc/wsug_src/images/ws-coloring-rules-dialog.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-column-header-popup-menu.png b/doc/wsug_src/images/ws-column-header-popup-menu.png
index d895dd8a..d895dd8a 100644
--- a/docbook/wsug_src/images/ws-column-header-popup-menu.png
+++ b/doc/wsug_src/images/ws-column-header-popup-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-csp-statistics.png b/doc/wsug_src/images/ws-csp-statistics.png
index cbade243..cbade243 100644
--- a/docbook/wsug_src/images/ws-csp-statistics.png
+++ b/doc/wsug_src/images/ws-csp-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-decode-as.png b/doc/wsug_src/images/ws-decode-as.png
index 2b37e567..2b37e567 100644
--- a/docbook/wsug_src/images/ws-decode-as.png
+++ b/doc/wsug_src/images/ws-decode-as.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-details-pane-popup-menu.png b/doc/wsug_src/images/ws-details-pane-popup-menu.png
index c0980ba1..c0980ba1 100644
--- a/docbook/wsug_src/images/ws-details-pane-popup-menu.png
+++ b/doc/wsug_src/images/ws-details-pane-popup-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-details-pane.png b/doc/wsug_src/images/ws-details-pane.png
index cc0b9176..cc0b9176 100644
--- a/docbook/wsug_src/images/ws-details-pane.png
+++ b/doc/wsug_src/images/ws-details-pane.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-diagram-pane-popup-menu.png b/doc/wsug_src/images/ws-diagram-pane-popup-menu.png
index 1e17628d..1e17628d 100644
--- a/docbook/wsug_src/images/ws-diagram-pane-popup-menu.png
+++ b/doc/wsug_src/images/ws-diagram-pane-popup-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-diagram-pane.png b/doc/wsug_src/images/ws-diagram-pane.png
index 117f1f58..117f1f58 100644
--- a/docbook/wsug_src/images/ws-diagram-pane.png
+++ b/doc/wsug_src/images/ws-diagram-pane.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-display-filter-tcp.png b/doc/wsug_src/images/ws-display-filter-tcp.png
index 181f41d0..181f41d0 100644
--- a/docbook/wsug_src/images/ws-display-filter-tcp.png
+++ b/doc/wsug_src/images/ws-display-filter-tcp.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-dns.png b/doc/wsug_src/images/ws-dns.png
index 4458e3cb..4458e3cb 100644
--- a/docbook/wsug_src/images/ws-dns.png
+++ b/doc/wsug_src/images/ws-dns.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-edit-menu.png b/doc/wsug_src/images/ws-edit-menu.png
index 204e2194..204e2194 100644
--- a/docbook/wsug_src/images/ws-edit-menu.png
+++ b/doc/wsug_src/images/ws-edit-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-enabled-protocols.png b/doc/wsug_src/images/ws-enabled-protocols.png
index a7d149b1..a7d149b1 100644
--- a/docbook/wsug_src/images/ws-enabled-protocols.png
+++ b/doc/wsug_src/images/ws-enabled-protocols.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-enrp-statistics.png b/doc/wsug_src/images/ws-enrp-statistics.png
index df0db91d..df0db91d 100644
--- a/docbook/wsug_src/images/ws-enrp-statistics.png
+++ b/doc/wsug_src/images/ws-enrp-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-expert-colored-tree.png b/doc/wsug_src/images/ws-expert-colored-tree.png
index a203ff67..a203ff67 100644
--- a/docbook/wsug_src/images/ws-expert-colored-tree.png
+++ b/doc/wsug_src/images/ws-expert-colored-tree.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-expert-column.png b/doc/wsug_src/images/ws-expert-column.png
index 66941afb..66941afb 100644
--- a/docbook/wsug_src/images/ws-expert-column.png
+++ b/doc/wsug_src/images/ws-expert-column.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-expert-information.png b/doc/wsug_src/images/ws-expert-information.png
index 8fa63107..8fa63107 100644
--- a/docbook/wsug_src/images/ws-expert-information.png
+++ b/doc/wsug_src/images/ws-expert-information.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-export-objects.png b/doc/wsug_src/images/ws-export-objects.png
index fc9a0244..fc9a0244 100644
--- a/docbook/wsug_src/images/ws-export-objects.png
+++ b/doc/wsug_src/images/ws-export-objects.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-export-packet-dissections.png b/doc/wsug_src/images/ws-export-packet-dissections.png
index 4be7c958..4be7c958 100644
--- a/docbook/wsug_src/images/ws-export-packet-dissections.png
+++ b/doc/wsug_src/images/ws-export-packet-dissections.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-export-pdus-to-file.png b/doc/wsug_src/images/ws-export-pdus-to-file.png
index a4969229..a4969229 100644
--- a/docbook/wsug_src/images/ws-export-pdus-to-file.png
+++ b/doc/wsug_src/images/ws-export-pdus-to-file.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-export-selected.png b/doc/wsug_src/images/ws-export-selected.png
index 1c20f76f..1c20f76f 100644
--- a/docbook/wsug_src/images/ws-export-selected.png
+++ b/doc/wsug_src/images/ws-export-selected.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-export-specified-packets.png b/doc/wsug_src/images/ws-export-specified-packets.png
index e8bb8aef..e8bb8aef 100644
--- a/docbook/wsug_src/images/ws-export-specified-packets.png
+++ b/doc/wsug_src/images/ws-export-specified-packets.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-fgp-statistics.png b/doc/wsug_src/images/ws-fgp-statistics.png
index bfe4d50f..bfe4d50f 100644
--- a/docbook/wsug_src/images/ws-fgp-statistics.png
+++ b/doc/wsug_src/images/ws-fgp-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-file-import-regex.png b/doc/wsug_src/images/ws-file-import-regex.png
index 3f57eb16..3f57eb16 100644
--- a/docbook/wsug_src/images/ws-file-import-regex.png
+++ b/doc/wsug_src/images/ws-file-import-regex.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-file-import.png b/doc/wsug_src/images/ws-file-import.png
index e957d14e..e957d14e 100644
--- a/docbook/wsug_src/images/ws-file-import.png
+++ b/doc/wsug_src/images/ws-file-import.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-file-menu.png b/doc/wsug_src/images/ws-file-menu.png
index d7e8d43a..d7e8d43a 100644
--- a/docbook/wsug_src/images/ws-file-menu.png
+++ b/doc/wsug_src/images/ws-file-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-file-set-dialog.png b/doc/wsug_src/images/ws-file-set-dialog.png
index fb470d2b..fb470d2b 100644
--- a/docbook/wsug_src/images/ws-file-set-dialog.png
+++ b/doc/wsug_src/images/ws-file-set-dialog.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-filter-add-expression.png b/doc/wsug_src/images/ws-filter-add-expression.png
index e4f99703..e4f99703 100644
--- a/docbook/wsug_src/images/ws-filter-add-expression.png
+++ b/doc/wsug_src/images/ws-filter-add-expression.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-filter-macros.png b/doc/wsug_src/images/ws-filter-macros.png
new file mode 100644
index 00000000..001e724e
--- /dev/null
+++ b/doc/wsug_src/images/ws-filter-macros.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-filter-toolbar.png b/doc/wsug_src/images/ws-filter-toolbar.png
index 1c680c64..1c680c64 100644
--- a/docbook/wsug_src/images/ws-filter-toolbar.png
+++ b/doc/wsug_src/images/ws-filter-toolbar.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-filters.png b/doc/wsug_src/images/ws-filters.png
index afbb36ef..afbb36ef 100644
--- a/docbook/wsug_src/images/ws-filters.png
+++ b/doc/wsug_src/images/ws-filters.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-find-packet.png b/doc/wsug_src/images/ws-find-packet.png
index e773d94c..e773d94c 100644
--- a/docbook/wsug_src/images/ws-find-packet.png
+++ b/doc/wsug_src/images/ws-find-packet.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-flow-graph.png b/doc/wsug_src/images/ws-flow-graph.png
index 17dacdaf..17dacdaf 100644
--- a/docbook/wsug_src/images/ws-flow-graph.png
+++ b/doc/wsug_src/images/ws-flow-graph.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-follow-http2-stream.png b/doc/wsug_src/images/ws-follow-http2-stream.png
index 616dfd7f..616dfd7f 100644
--- a/docbook/wsug_src/images/ws-follow-http2-stream.png
+++ b/doc/wsug_src/images/ws-follow-http2-stream.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-follow-sip-stream.png b/doc/wsug_src/images/ws-follow-sip-stream.png
index 52f8181c..52f8181c 100644
--- a/docbook/wsug_src/images/ws-follow-sip-stream.png
+++ b/doc/wsug_src/images/ws-follow-sip-stream.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-follow-stream.png b/doc/wsug_src/images/ws-follow-stream.png
index 1c926aff..1c926aff 100644
--- a/docbook/wsug_src/images/ws-follow-stream.png
+++ b/doc/wsug_src/images/ws-follow-stream.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-go-menu.png b/doc/wsug_src/images/ws-go-menu.png
index d0231c9f..d0231c9f 100644
--- a/docbook/wsug_src/images/ws-go-menu.png
+++ b/doc/wsug_src/images/ws-go-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-goto-packet.png b/doc/wsug_src/images/ws-goto-packet.png
index 10092fc5..10092fc5 100644
--- a/docbook/wsug_src/images/ws-goto-packet.png
+++ b/doc/wsug_src/images/ws-goto-packet.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-gui-config-profiles.png b/doc/wsug_src/images/ws-gui-config-profiles.png
new file mode 100644
index 00000000..b1e22541
--- /dev/null
+++ b/doc/wsug_src/images/ws-gui-config-profiles.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-help-menu.png b/doc/wsug_src/images/ws-help-menu.png
index f083a851..f083a851 100644
--- a/docbook/wsug_src/images/ws-help-menu.png
+++ b/doc/wsug_src/images/ws-help-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-list-pane.png b/doc/wsug_src/images/ws-list-pane.png
index 8770bc45..8770bc45 100644
--- a/docbook/wsug_src/images/ws-list-pane.png
+++ b/doc/wsug_src/images/ws-list-pane.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-main-toolbar.png b/doc/wsug_src/images/ws-main-toolbar.png
new file mode 100644
index 00000000..27fe78d1
--- /dev/null
+++ b/doc/wsug_src/images/ws-main-toolbar.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-main.png b/doc/wsug_src/images/ws-main.png
index a975b9ef..a975b9ef 100644
--- a/docbook/wsug_src/images/ws-main.png
+++ b/doc/wsug_src/images/ws-main.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-manage-interfaces.png b/doc/wsug_src/images/ws-manage-interfaces.png
index ff37aa28..ff37aa28 100644
--- a/docbook/wsug_src/images/ws-manage-interfaces.png
+++ b/doc/wsug_src/images/ws-manage-interfaces.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-analysis.png b/doc/wsug_src/images/ws-mate-analysis.png
index bb33b4f9..bb33b4f9 100644
--- a/docbook/wsug_src/images/ws-mate-analysis.png
+++ b/doc/wsug_src/images/ws-mate-analysis.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-dns_pane.png b/doc/wsug_src/images/ws-mate-dns_pane.png
index 99e5a075..99e5a075 100644
--- a/docbook/wsug_src/images/ws-mate-dns_pane.png
+++ b/doc/wsug_src/images/ws-mate-dns_pane.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-dns_pdu.png b/doc/wsug_src/images/ws-mate-dns_pdu.png
index 15063035..15063035 100644
--- a/docbook/wsug_src/images/ws-mate-dns_pdu.png
+++ b/doc/wsug_src/images/ws-mate-dns_pdu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-ftp_over_gre.png b/doc/wsug_src/images/ws-mate-ftp_over_gre.png
index b7aa6371..b7aa6371 100644
--- a/docbook/wsug_src/images/ws-mate-ftp_over_gre.png
+++ b/doc/wsug_src/images/ws-mate-ftp_over_gre.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-gop_analysis.png b/doc/wsug_src/images/ws-mate-gop_analysis.png
index 6086fa76..6086fa76 100644
--- a/docbook/wsug_src/images/ws-mate-gop_analysis.png
+++ b/doc/wsug_src/images/ws-mate-gop_analysis.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png b/doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png
index a6e2baf1..a6e2baf1 100644
--- a/docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png
+++ b/doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-mmse_over_http.png b/doc/wsug_src/images/ws-mate-mmse_over_http.png
index 4ee2d4e7..4ee2d4e7 100644
--- a/docbook/wsug_src/images/ws-mate-mmse_over_http.png
+++ b/doc/wsug_src/images/ws-mate-mmse_over_http.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-pdu_analysis.png b/doc/wsug_src/images/ws-mate-pdu_analysis.png
index cf126e8e..cf126e8e 100644
--- a/docbook/wsug_src/images/ws-mate-pdu_analysis.png
+++ b/doc/wsug_src/images/ws-mate-pdu_analysis.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-mate-tcp-output.png b/doc/wsug_src/images/ws-mate-tcp-output.png
new file mode 100644
index 00000000..c6688867
--- /dev/null
+++ b/doc/wsug_src/images/ws-mate-tcp-output.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-mate-transform.png b/doc/wsug_src/images/ws-mate-transform.png
index a943011d..a943011d 100644
--- a/docbook/wsug_src/images/ws-mate-transform.png
+++ b/doc/wsug_src/images/ws-mate-transform.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-menu.png b/doc/wsug_src/images/ws-menu.png
index 3f7f847d..3f7f847d 100644
--- a/docbook/wsug_src/images/ws-menu.png
+++ b/doc/wsug_src/images/ws-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-merge-qt5.png b/doc/wsug_src/images/ws-merge-qt5.png
index e5d03684..e5d03684 100644
--- a/docbook/wsug_src/images/ws-merge-qt5.png
+++ b/doc/wsug_src/images/ws-merge-qt5.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-merge-win32.png b/doc/wsug_src/images/ws-merge-win32.png
index c3233baf..c3233baf 100644
--- a/docbook/wsug_src/images/ws-merge-win32.png
+++ b/doc/wsug_src/images/ws-merge-win32.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-netperfmeter-statistics.png b/doc/wsug_src/images/ws-netperfmeter-statistics.png
index 15a0c7aa..15a0c7aa 100644
--- a/docbook/wsug_src/images/ws-netperfmeter-statistics.png
+++ b/doc/wsug_src/images/ws-netperfmeter-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-open-qt5.png b/doc/wsug_src/images/ws-open-qt5.png
index 01acf864..01acf864 100644
--- a/docbook/wsug_src/images/ws-open-qt5.png
+++ b/doc/wsug_src/images/ws-open-qt5.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-open-win32.png b/doc/wsug_src/images/ws-open-win32.png
index 182942a2..182942a2 100644
--- a/docbook/wsug_src/images/ws-open-win32.png
+++ b/doc/wsug_src/images/ws-open-win32.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-packet-format.png b/doc/wsug_src/images/ws-packet-format.png
index 74a24d46..74a24d46 100644
--- a/docbook/wsug_src/images/ws-packet-format.png
+++ b/doc/wsug_src/images/ws-packet-format.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-packet-pane-popup-menu.png b/doc/wsug_src/images/ws-packet-pane-popup-menu.png
index 6a2cc4d5..6a2cc4d5 100644
--- a/docbook/wsug_src/images/ws-packet-pane-popup-menu.png
+++ b/doc/wsug_src/images/ws-packet-pane-popup-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-packet-range.png b/doc/wsug_src/images/ws-packet-range.png
index a35a008a..a35a008a 100644
--- a/docbook/wsug_src/images/ws-packet-range.png
+++ b/doc/wsug_src/images/ws-packet-range.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-packet-selected.png b/doc/wsug_src/images/ws-packet-selected.png
index bafc07cd..bafc07cd 100644
--- a/docbook/wsug_src/images/ws-packet-selected.png
+++ b/doc/wsug_src/images/ws-packet-selected.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-packet-sep-win.png b/doc/wsug_src/images/ws-packet-sep-win.png
index f9e507ff..f9e507ff 100644
--- a/docbook/wsug_src/images/ws-packet-sep-win.png
+++ b/doc/wsug_src/images/ws-packet-sep-win.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pingpongprotocol-statistics.png b/doc/wsug_src/images/ws-pingpongprotocol-statistics.png
index d67b7cdd..d67b7cdd 100644
--- a/docbook/wsug_src/images/ws-pingpongprotocol-statistics.png
+++ b/doc/wsug_src/images/ws-pingpongprotocol-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-advanced.png b/doc/wsug_src/images/ws-pref-advanced.png
index c7c44499..c7c44499 100644
--- a/docbook/wsug_src/images/ws-pref-advanced.png
+++ b/doc/wsug_src/images/ws-pref-advanced.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-appearance-columns.png b/doc/wsug_src/images/ws-pref-appearance-columns.png
index 84db3d9f..84db3d9f 100644
--- a/docbook/wsug_src/images/ws-pref-appearance-columns.png
+++ b/doc/wsug_src/images/ws-pref-appearance-columns.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png b/doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png
index 538a20f4..538a20f4 100644
--- a/docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png
+++ b/doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-appearance-layout.png b/doc/wsug_src/images/ws-pref-appearance-layout.png
index 6f896d1e..6f896d1e 100644
--- a/docbook/wsug_src/images/ws-pref-appearance-layout.png
+++ b/doc/wsug_src/images/ws-pref-appearance-layout.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-appearance.png b/doc/wsug_src/images/ws-pref-appearance.png
index ffc52e21..ffc52e21 100644
--- a/docbook/wsug_src/images/ws-pref-appearance.png
+++ b/doc/wsug_src/images/ws-pref-appearance.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-capture.png b/doc/wsug_src/images/ws-pref-capture.png
index 5c76d286..5c76d286 100644
--- a/docbook/wsug_src/images/ws-pref-capture.png
+++ b/doc/wsug_src/images/ws-pref-capture.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-expert.png b/doc/wsug_src/images/ws-pref-expert.png
index fe1594b9..fe1594b9 100644
--- a/docbook/wsug_src/images/ws-pref-expert.png
+++ b/doc/wsug_src/images/ws-pref-expert.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-filter-buttons.png b/doc/wsug_src/images/ws-pref-filter-buttons.png
index e45e736a..e45e736a 100644
--- a/docbook/wsug_src/images/ws-pref-filter-buttons.png
+++ b/doc/wsug_src/images/ws-pref-filter-buttons.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-name-resolution.png b/doc/wsug_src/images/ws-pref-name-resolution.png
index 3fdc7d55..3fdc7d55 100644
--- a/docbook/wsug_src/images/ws-pref-name-resolution.png
+++ b/doc/wsug_src/images/ws-pref-name-resolution.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-pref-protocols.png b/doc/wsug_src/images/ws-pref-protocols.png
new file mode 100644
index 00000000..2b73d3e6
--- /dev/null
+++ b/doc/wsug_src/images/ws-pref-protocols.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-rsa-keys.png b/doc/wsug_src/images/ws-pref-rsa-keys.png
index 21cb6200..21cb6200 100644
--- a/docbook/wsug_src/images/ws-pref-rsa-keys.png
+++ b/doc/wsug_src/images/ws-pref-rsa-keys.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-pref-statistics.png b/doc/wsug_src/images/ws-pref-statistics.png
index 2bef021e..2bef021e 100644
--- a/docbook/wsug_src/images/ws-pref-statistics.png
+++ b/doc/wsug_src/images/ws-pref-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-print.png b/doc/wsug_src/images/ws-print.png
index 9c3b79ec..9c3b79ec 100644
--- a/docbook/wsug_src/images/ws-print.png
+++ b/doc/wsug_src/images/ws-print.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-resolved-addr.png b/doc/wsug_src/images/ws-resolved-addr.png
index c3868215..c3868215 100644
--- a/docbook/wsug_src/images/ws-resolved-addr.png
+++ b/doc/wsug_src/images/ws-resolved-addr.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-rlc-graph.png b/doc/wsug_src/images/ws-rlc-graph.png
index e14bb72a..e14bb72a 100644
--- a/docbook/wsug_src/images/ws-rlc-graph.png
+++ b/doc/wsug_src/images/ws-rlc-graph.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-save-as-qt5.png b/doc/wsug_src/images/ws-save-as-qt5.png
index 64d2eec5..64d2eec5 100644
--- a/docbook/wsug_src/images/ws-save-as-qt5.png
+++ b/doc/wsug_src/images/ws-save-as-qt5.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-save-as-win32.png b/doc/wsug_src/images/ws-save-as-win32.png
index e50619f9..e50619f9 100644
--- a/docbook/wsug_src/images/ws-save-as-win32.png
+++ b/doc/wsug_src/images/ws-save-as-win32.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-sctp-1-association.png b/doc/wsug_src/images/ws-sctp-1-association.png
index 0573ae84..0573ae84 100644
--- a/docbook/wsug_src/images/ws-sctp-1-association.png
+++ b/doc/wsug_src/images/ws-sctp-1-association.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-sctp.png b/doc/wsug_src/images/ws-sctp.png
index 884a91e2..884a91e2 100644
--- a/docbook/wsug_src/images/ws-sctp.png
+++ b/doc/wsug_src/images/ws-sctp.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-ssp-statistics.png b/doc/wsug_src/images/ws-ssp-statistics.png
index 8c6817b6..8c6817b6 100644
--- a/docbook/wsug_src/images/ws-ssp-statistics.png
+++ b/doc/wsug_src/images/ws-ssp-statistics.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statistics-menu.png b/doc/wsug_src/images/ws-statistics-menu.png
index e772bffa..e772bffa 100644
--- a/docbook/wsug_src/images/ws-statistics-menu.png
+++ b/doc/wsug_src/images/ws-statistics-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-conversations.png b/doc/wsug_src/images/ws-stats-conversations.png
index fb4cd9e3..fb4cd9e3 100644
--- a/docbook/wsug_src/images/ws-stats-conversations.png
+++ b/doc/wsug_src/images/ws-stats-conversations.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-endpoints.png b/doc/wsug_src/images/ws-stats-endpoints.png
index 917726a2..917726a2 100644
--- a/docbook/wsug_src/images/ws-stats-endpoints.png
+++ b/doc/wsug_src/images/ws-stats-endpoints.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-hierarchy.png b/doc/wsug_src/images/ws-stats-hierarchy.png
index f904ece4..f904ece4 100644
--- a/docbook/wsug_src/images/ws-stats-hierarchy.png
+++ b/doc/wsug_src/images/ws-stats-hierarchy.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-http-requestsequences.png b/doc/wsug_src/images/ws-stats-http-requestsequences.png
index 8365673b..8365673b 100644
--- a/docbook/wsug_src/images/ws-stats-http-requestsequences.png
+++ b/doc/wsug_src/images/ws-stats-http-requestsequences.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-iographs.png b/doc/wsug_src/images/ws-stats-iographs.png
index 80e4cf7f..80e4cf7f 100644
--- a/docbook/wsug_src/images/ws-stats-iographs.png
+++ b/doc/wsug_src/images/ws-stats-iographs.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-lte-mac-traffic.png b/doc/wsug_src/images/ws-stats-lte-mac-traffic.png
index 441ab970..441ab970 100644
--- a/docbook/wsug_src/images/ws-stats-lte-mac-traffic.png
+++ b/doc/wsug_src/images/ws-stats-lte-mac-traffic.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png b/doc/wsug_src/images/ws-stats-lte-rlc-traffic.png
index 9fb13647..9fb13647 100644
--- a/docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png
+++ b/doc/wsug_src/images/ws-stats-lte-rlc-traffic.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-packet-lengths.png b/doc/wsug_src/images/ws-stats-packet-lengths.png
index 7b22e4d1..7b22e4d1 100644
--- a/docbook/wsug_src/images/ws-stats-packet-lengths.png
+++ b/doc/wsug_src/images/ws-stats-packet-lengths.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-srt-smb2.png b/doc/wsug_src/images/ws-stats-srt-smb2.png
index 6e05af05..6e05af05 100644
--- a/docbook/wsug_src/images/ws-stats-srt-smb2.png
+++ b/doc/wsug_src/images/ws-stats-srt-smb2.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-stats-wlan-traffic.png b/doc/wsug_src/images/ws-stats-wlan-traffic.png
index 8186b4ac..8186b4ac 100644
--- a/docbook/wsug_src/images/ws-stats-wlan-traffic.png
+++ b/doc/wsug_src/images/ws-stats-wlan-traffic.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statusbar-empty.png b/doc/wsug_src/images/ws-statusbar-empty.png
index 953acedc..953acedc 100644
--- a/docbook/wsug_src/images/ws-statusbar-empty.png
+++ b/doc/wsug_src/images/ws-statusbar-empty.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statusbar-filter.png b/doc/wsug_src/images/ws-statusbar-filter.png
index 1e09e0b1..1e09e0b1 100644
--- a/docbook/wsug_src/images/ws-statusbar-filter.png
+++ b/doc/wsug_src/images/ws-statusbar-filter.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statusbar-loaded.png b/doc/wsug_src/images/ws-statusbar-loaded.png
index 8b19b02c..8b19b02c 100644
--- a/docbook/wsug_src/images/ws-statusbar-loaded.png
+++ b/doc/wsug_src/images/ws-statusbar-loaded.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statusbar-profile.png b/doc/wsug_src/images/ws-statusbar-profile.png
index dcc309b6..dcc309b6 100644
--- a/docbook/wsug_src/images/ws-statusbar-profile.png
+++ b/doc/wsug_src/images/ws-statusbar-profile.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-statusbar-selected.png b/doc/wsug_src/images/ws-statusbar-selected.png
index fd10c24c..fd10c24c 100644
--- a/docbook/wsug_src/images/ws-statusbar-selected.png
+++ b/doc/wsug_src/images/ws-statusbar-selected.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tcp-analysis.png b/doc/wsug_src/images/ws-tcp-analysis.png
index 9a376c51..9a376c51 100644
--- a/docbook/wsug_src/images/ws-tcp-analysis.png
+++ b/doc/wsug_src/images/ws-tcp-analysis.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-playlist.dia b/doc/wsug_src/images/ws-tel-playlist.dia
index 28eced58..28eced58 100644
--- a/docbook/wsug_src/images/ws-tel-playlist.dia
+++ b/doc/wsug_src/images/ws-tel-playlist.dia
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-playlist.png b/doc/wsug_src/images/ws-tel-playlist.png
index 4c586d05..4c586d05 100644
--- a/docbook/wsug_src/images/ws-tel-playlist.png
+++ b/doc/wsug_src/images/ws-tel-playlist.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_1.png b/doc/wsug_src/images/ws-tel-rtp-player_1.png
index 9e7249dc..9e7249dc 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_1.png
+++ b/doc/wsug_src/images/ws-tel-rtp-player_1.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_1.xcf b/doc/wsug_src/images/ws-tel-rtp-player_1.xcf
index c48a0cad..c48a0cad 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_1.xcf
+++ b/doc/wsug_src/images/ws-tel-rtp-player_1.xcf
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_2.png b/doc/wsug_src/images/ws-tel-rtp-player_2.png
index 8ec513e9..8ec513e9 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_2.png
+++ b/doc/wsug_src/images/ws-tel-rtp-player_2.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_2.xcf b/doc/wsug_src/images/ws-tel-rtp-player_2.xcf
index 4411c7cb..4411c7cb 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_2.xcf
+++ b/doc/wsug_src/images/ws-tel-rtp-player_2.xcf
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_3.png b/doc/wsug_src/images/ws-tel-rtp-player_3.png
index 6eb5c15d..6eb5c15d 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_3.png
+++ b/doc/wsug_src/images/ws-tel-rtp-player_3.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_button.png b/doc/wsug_src/images/ws-tel-rtp-player_button.png
index a4a5183c..a4a5183c 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-player_button.png
+++ b/doc/wsug_src/images/ws-tel-rtp-player_button.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtp-streams.png b/doc/wsug_src/images/ws-tel-rtp-streams.png
index d9ce9592..d9ce9592 100644
--- a/docbook/wsug_src/images/ws-tel-rtp-streams.png
+++ b/doc/wsug_src/images/ws-tel-rtp-streams.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png
index 48b3de47..48b3de47 100644
--- a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png
+++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png
index 2819ede0..2819ede0 100644
--- a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png
+++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png
index cf3dccce..cf3dccce 100644
--- a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png
+++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-seq-dialog.png b/doc/wsug_src/images/ws-tel-seq-dialog.png
index 18f78cc3..18f78cc3 100644
--- a/docbook/wsug_src/images/ws-tel-seq-dialog.png
+++ b/doc/wsug_src/images/ws-tel-seq-dialog.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tel-voip-calls.png b/doc/wsug_src/images/ws-tel-voip-calls.png
index a8d8909c..a8d8909c 100644
--- a/docbook/wsug_src/images/ws-tel-voip-calls.png
+++ b/doc/wsug_src/images/ws-tel-voip-calls.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-telephony-menu.png b/doc/wsug_src/images/ws-telephony-menu.png
index 38facaaf..38facaaf 100644
--- a/docbook/wsug_src/images/ws-telephony-menu.png
+++ b/doc/wsug_src/images/ws-telephony-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-time-reference.png b/doc/wsug_src/images/ws-time-reference.png
index 656dfab1..656dfab1 100644
--- a/docbook/wsug_src/images/ws-time-reference.png
+++ b/doc/wsug_src/images/ws-time-reference.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-time-shift-details.png b/doc/wsug_src/images/ws-time-shift-details.png
index 8872a306..8872a306 100644
--- a/docbook/wsug_src/images/ws-time-shift-details.png
+++ b/doc/wsug_src/images/ws-time-shift-details.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-time-shift.png b/doc/wsug_src/images/ws-time-shift.png
index dcfb6f7e..dcfb6f7e 100644
--- a/docbook/wsug_src/images/ws-time-shift.png
+++ b/doc/wsug_src/images/ws-time-shift.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tls-session-keys.png b/doc/wsug_src/images/ws-tls-session-keys.png
index ba0084f1..ba0084f1 100644
--- a/docbook/wsug_src/images/ws-tls-session-keys.png
+++ b/doc/wsug_src/images/ws-tls-session-keys.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-tools-menu.png b/doc/wsug_src/images/ws-tools-menu.png
index edc753de..edc753de 100644
--- a/docbook/wsug_src/images/ws-tools-menu.png
+++ b/doc/wsug_src/images/ws-tools-menu.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-udp-multicast-stream.png b/doc/wsug_src/images/ws-udp-multicast-stream.png
index b2bcbdec..b2bcbdec 100644
--- a/docbook/wsug_src/images/ws-udp-multicast-stream.png
+++ b/doc/wsug_src/images/ws-udp-multicast-stream.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-user-guide-cover.png b/doc/wsug_src/images/ws-user-guide-cover.png
index 7aeda92a..7aeda92a 100644
--- a/docbook/wsug_src/images/ws-user-guide-cover.png
+++ b/doc/wsug_src/images/ws-user-guide-cover.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-view-menu.png b/doc/wsug_src/images/ws-view-menu.png
index 78e932b1..78e932b1 100644
--- a/docbook/wsug_src/images/ws-view-menu.png
+++ b/doc/wsug_src/images/ws-view-menu.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png b/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png
new file mode 100644
index 00000000..327ca1d3
--- /dev/null
+++ b/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-wireless-key-examples.png b/doc/wsug_src/images/ws-wireless-key-examples.png
new file mode 100644
index 00000000..5e85b5ed
--- /dev/null
+++ b/doc/wsug_src/images/ws-wireless-key-examples.png
Binary files differ
diff --git a/doc/wsug_src/images/ws-wireless-key-type.png b/doc/wsug_src/images/ws-wireless-key-type.png
new file mode 100644
index 00000000..cdce5d7d
--- /dev/null
+++ b/doc/wsug_src/images/ws-wireless-key-type.png
Binary files differ
diff --git a/docbook/wsug_src/images/ws-wireless-menu.png b/doc/wsug_src/images/ws-wireless-menu.png
index 002289ed..002289ed 100644
--- a/docbook/wsug_src/images/ws-wireless-menu.png
+++ b/doc/wsug_src/images/ws-wireless-menu.png
Binary files differ
diff --git a/docbook/wsug_src/mergecap-h.txt b/doc/wsug_src/mergecap-h.txt
index 6a35cc08..ffe8dd66 100644
--- a/docbook/wsug_src/mergecap-h.txt
+++ b/doc/wsug_src/mergecap-h.txt
@@ -1,4 +1,4 @@
-Mergecap (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Mergecap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.
@@ -9,10 +9,12 @@ Output:
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
+ if the output filename has the .gz extension, it will be compressed to a gzip archive
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
an empty "-I" option will list the merge modes.
+ --compress <type> compress the output file using the type compression format.
Miscellaneous:
-h, --help display this help and exit.
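Review bot: the new -w continuation line "if the output filename has the .gz extension, it will be compressed to a gzip archive" is imprecise: gzip produces a single compressed stream, not an archive, so "it will be gzip-compressed" is the accurate wording; and the new "--compress <type>" line says "using the type compression format" without stating which values <type> accepts, whereas the neighbouring -F and -I lines tell the reader how to list theirs. Since this file is captured tool output, the fix belongs in mergecap's help string, with the file regenerated afterwards.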
diff --git a/docbook/wsug_src/rawshark-h.txt b/doc/wsug_src/rawshark-h.txt
index 29c96da8..c7435001 100644
--- a/docbook/wsug_src/rawshark-h.txt
+++ b/doc/wsug_src/rawshark-h.txt
@@ -1,11 +1,12 @@
-Rawshark (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Rawshark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: rawshark [options] ...
Input file:
- -r <infile> set the pipe or file name to read from
+ -r <infile>, --read-file <infile>
+ set the pipe or file name to read from
Processing:
-d <encap:linktype>|<proto:protoname>
@@ -17,8 +18,11 @@ Processing:
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
-p use the system's packet header format
(which may have 64-bit timestamps)
- -R <read filter> packet filter in Wireshark display filter syntax
+ -R <read filter>, --read-filter <read filter>
+ packet filter in Wireshark display filter syntax
-s skip PCAP header on input
+ -Y <display filter>, --display-filter <display filter>
+ packet filter in Wireshark display filter syntax
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
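Review bot: the added -Y/--display-filter option carries exactly the same description as -R/--read-filter, "packet filter in Wireshark display filter syntax", so the help gives no way to tell when each is applied. If they differ (a read filter applied as packets are read, a display filter applied to what is output), each line should say so; if they are aliases, one line should say that. As with the other -h.txt files, this is a change to rawshark's help string followed by regenerating the capture.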
diff --git a/docbook/wsug_src/reordercap-h.txt b/doc/wsug_src/reordercap-h.txt
index 3ad3f20a..a12e9fe3 100644
--- a/docbook/wsug_src/reordercap-h.txt
+++ b/doc/wsug_src/reordercap-h.txt
@@ -1,4 +1,4 @@
-Reordercap (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Reordercap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Reorder timestamps of input file frames into output file.
See https://www.wireshark.org for more information.
diff --git a/docbook/wsug_src/text2pcap-h.txt b/doc/wsug_src/text2pcap-h.txt
index 436623c0..934b2fe3 100644
--- a/docbook/wsug_src/text2pcap-h.txt
+++ b/doc/wsug_src/text2pcap-h.txt
@@ -1,4 +1,4 @@
-Text2pcap (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Text2pcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Generate a capture file from an ASCII hexdump of packets.
See https://www.wireshark.org for more information.
@@ -41,6 +41,8 @@ Input:
(def: 16: hexadecimal) No effect in hexdump mode.
Output:
+ if the output file(s) have the .gz extension, then
+ gzip compression will be used.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-E <encap type> set the output file encapsulation type; default is
@@ -53,9 +55,10 @@ Output:
Example: -l 7 for ARCNet packets.
-m <max-packet> max packet length in output; default is 262144
-N <intf-name> assign name to the interface in the pcapng file.
-
+ --compress <type> Compress the output file using the type compression format.
+
Prepend dummy header:
- -e <l3pid> prepend dummy Ethernet II header with specified L3PID
+ -e <ethertype> prepend dummy Ethernet II header with specified EtherType
(in HEX).
Example: -e 0x806 to specify an ARP packet.
-i <proto> prepend dummy IP header with specified IP protocol
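Review bot: the added "--compress <type> Compress the output file using the type compression format." begins with a capital letter while every other description in this section ("max packet length", "assign name", "prepend dummy") starts lowercase, and "using the type compression format" reads awkwardly; "compress the output file with compression format <type>" would match the lowercase form used in the mergecap and tshark help and read better. Moving the blank line so it sits before "Prepend dummy header:" is fine.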
@@ -64,10 +67,10 @@ Prepend dummy header:
link-layer type is Ethernet.
Example: -i 46
-4 <srcip>,<destip> prepend dummy IPv4 header with specified
- dest and source address.
+ source and destination addresses.
Example: -4 10.0.0.1,10.0.0.2
-6 <srcip>,<destip> prepend dummy IPv6 header with specified
- dest and source address.
+ source and destination addresses.
Example: -6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334
-u <srcp>,<destp> prepend dummy UDP header with specified
source and destination ports (in DECIMAL).
@@ -79,11 +82,11 @@ Prepend dummy header:
Automatically prepends Ethernet & IP headers as well.
Example: -T 50,60
-s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
- source/dest ports and verification tag (in DECIMAL).
+ source/destination ports and verification tag (in DECIMAL).
Automatically prepends Ethernet & IP headers as well.
Example: -s 30,40,34
-S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
- source/dest ports and verification tag 0.
+ source/destination ports and verification tag 0.
Automatically prepends a dummy SCTP DATA
chunk header with payload protocol identifier ppi.
Example: -S 30,40,34
diff --git a/docbook/wsug_src/tshark-h.txt b/doc/wsug_src/tshark-h.txt
index fddaca12..e7c12a2d 100644
--- a/docbook/wsug_src/tshark-h.txt
+++ b/doc/wsug_src/tshark-h.txt
@@ -1,4 +1,4 @@
-TShark (Wireshark) 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+TShark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.
@@ -39,6 +39,8 @@ Capture output:
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is
an exact multiple of NUM secs
+ printname:FILE - print filename to FILE when written
+ (can use 'stdout' or 'stderr')
Input file:
-r <infile>, --read-file <infile>
set the filename to read from (or '-' for stdin)
@@ -54,7 +56,7 @@ Processing:
syntax
-n disable all name resolutions (def: "mNd" enabled, or
as set in preferences)
- -N <name resolve flags> enable specific name resolution(s): "mnNtdv"
+ -N <name resolve flags> enable specific name resolution(s): "mtndsNvg"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
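Review bot: the -N flag set changes from "mnNtdv" to "mtndsNvg", but the -n line just above still gives the default as "mNd"; worth confirming that the default is unchanged now that the s and g resolutions exist. The flag letters are not expanded anywhere in the help, so the "see the man page for details" pointer on -d could usefully be repeated on -N.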
@@ -75,11 +77,13 @@ Processing:
disable dissection of heuristic protocol
Output:
-w <outfile|-> write packets to a pcapng-format file named "outfile"
- (or '-' for stdout)
+ (or '-' for stdout). If the output filename has the
+ .gz extension, it will be compressed to a gzip archive
--capture-comment <comment>
add a capture file comment, if supported
-C <config profile> start with specified configuration profile
- -F <output file type> set the output file type, default is pcapng
+ --global-profile use the global profile instead of personal profile
+ -F <output file type> set the output file type; default is pcapng.
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
@@ -116,6 +120,7 @@ Output:
output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
+ (implies --update-interval 0)
-q be more quiet on stdout (e.g. when using statistics)
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
@@ -140,6 +145,7 @@ Output:
specified protocols within the mapping file
--temp-dir <directory> write temporary files to this directory
(default: /tmp)
+ --compress <type> compress the output file using the type compression format
Diagnostic output:
--log-level <level> sets the active log level ("critical", "warning", etc.)
diff --git a/docbook/wsug_src/user-guide-docinfo.xml b/doc/wsug_src/user-guide-docinfo.xml
index f6987c6e..4c1d50c7 100644
--- a/docbook/wsug_src/user-guide-docinfo.xml
+++ b/doc/wsug_src/user-guide-docinfo.xml
@@ -1,7 +1,7 @@
<!-- Document information for the User's Guide. -->
<!-- Updated by tools/make-version.py -->
-<subtitle>For Wireshark 4.2</subtitle>
+<subtitle>For Wireshark 4.4</subtitle>
<!--
<title><inlinegraphic entityref="WiresharkLogo" valign="middle" format="PNG"/> &DocumentTitle;</title>
diff --git a/docbook/wsug_src/user-guide.adoc b/doc/wsug_src/user-guide.adoc
index 7c80cf7b..7c80cf7b 100644
--- a/docbook/wsug_src/user-guide.adoc
+++ b/doc/wsug_src/user-guide.adoc
diff --git a/docbook/wsug_src/wireshark-h.txt b/doc/wsug_src/wireshark-h.txt
index b94e3565..954b0965 100644
--- a/docbook/wsug_src/wireshark-h.txt
+++ b/doc/wsug_src/wireshark-h.txt
@@ -1,4 +1,4 @@
-Wireshark 4.2.6 (v4.2.6rc0-2-g76ee960786d7)
+Wireshark 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.
@@ -51,7 +51,7 @@ Processing:
-R <read filter>, --read-filter <read filter>
packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
- -N <name resolve flags> enable specific name resolution(s): "mnNtdv"
+ -N <name resolve flags> enable specific name resolution(s): "mtndsNvg"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
@@ -86,6 +86,8 @@ User interface:
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
+ -F <capture type> set the output file type; default is pcapng.
+ an empty "-F" option will list the file types.
--capture-comment <comment>
add a capture file comment, if supported
--temp-dir <directory> write temporary files to this directory
diff --git a/docbook/wsug_src/wsug_advanced.adoc b/doc/wsug_src/wsug_advanced.adoc
index 2c3aef5c..7550ee2c 100644
--- a/docbook/wsug_src/wsug_advanced.adoc
+++ b/doc/wsug_src/wsug_advanced.adoc
@@ -147,7 +147,7 @@ peer1_0: !!binary |
How the old format data can be found in the new format:
[options="header"]
|===
-|New YAML format |Old YAML format |
+|New YAML format |Old YAML format |
a|
----
...
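Review bot: the header row "|New YAML format |Old YAML format |" is identical before and after in the diff, so this hunk is a whitespace-only edit (trailing spaces); fine to land, but a word in the commit message would stop reviewers looking for a content change. The trailing "|" is kept on both sides, so the table's cell layout is unaffected.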
@@ -172,8 +172,11 @@ a|
|===
menu:Raw[]:: This allows you to load the unaltered stream data into a different
- program for further examination. The display will look the same as the ASCII
- setting, but “Save As” will result in a binary file.
+ program for further examination. The display will show the data as strings
+ of hex characters with each frame on a separate line, but “Save As”
+ will result in a binary file without any added line separators.
+
+You can optionally show the delta time each time the direction changes (turns) or for every packet or event.
You can switch between streams using the “Stream” selector.
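Review bot: the new sentence "You can optionally show the delta time each time the direction changes (turns) or for every packet or event." does not say where this option lives, unlike the surrounding text, which names the "Stream" selector and the "Save As" action; naming the control in the dialog that toggles it, and what the delta is measured from, would make the sentence actionable. The rewritten Raw description is clearer than the old one.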
@@ -206,8 +209,8 @@ If a selected packet field does not show all the bytes (i.e., they are truncated
when displayed) or if they are shown as bytes rather than string or if they require
more formatting because they contain an image or HTML then this dialog can be used.
-This dialog can also be used to decode field bytes from base64, zlib compressed
-or quoted-printable and show the decoded bytes as configurable output.
+This dialog can also be used to decode field bytes from base64, various compressed
+formats or quoted-printable and show the decoded bytes as configurable output.
It’s also possible to select a subset of bytes setting the start byte and end byte.
You can choose from the following actions:
@@ -226,12 +229,14 @@ You can choose to decode the data from one of the following formats:
menu:None[]:: This is the default which does not decode anything.
-menu:Base64[]:: This will decode from Base64.
+menu:Base64[]:: This will decode from Base64 or Base64Url.
-menu:Compressed[]:: This will decompress the buffer using zlib.
+menu:Compressed[]:: This will decompress the buffer using lz77, lz77huff, lznt1, snappy, zlib or zstd.
menu:Hex Digits[]:: This will decode from a string of hex digits. Non-hex characters are skipped.
+menu:Percent-Encoding[]:: This will decode from a Percent-Encoded string.
+
menu:Quoted-Printable[]:: This will decode from a Quoted-Printable string.
menu:ROT-13[]:: This will decode ROT-13 encoded text.
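Review bot: the expanded Compressed entry lists "lz77, lz77huff, lznt1, snappy, zlib or zstd", but snappy and zstd support in Wireshark depends on optional libraries chosen at build time, so a build without them will not decode those formats; a "depending on how Wireshark was built" qualifier would keep the list from over-promising. The Base64 entry could also say whether Base64Url input is detected automatically, since the menu item name is unchanged and the reader has no separate choice to make.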
@@ -259,7 +264,7 @@ menu:Image[]:: This will try to convert the bytes into an image.
menu:ISO 8859-1[]:: In this view you see the bytes as ISO 8859-1.
-menu:Raw[]:: This allows you to load the unaltered stream data into a different
+menu:Raw[]:: This allows you to load the bytes into a different
program for further examination. The display will show HEX data, but
“Save As” will result in a binary file.
@@ -510,10 +515,6 @@ Next expected acknowledgment number:: The last-seen sequence number for
segments. Set when there are no analysis flags and for zero window probes.
// tcp_analyze_seq_info->lastack
-Last-seen acknowledgment number:: Always set. Note that this is not the
-same as the next expected acknowledgment number.
-
-// tcp_analyze_seq_info->lastack
Last-seen acknowledgment number:: Always updated for each packet. Note
that this is not the same as the next expected acknowledgment number.
@@ -531,7 +532,7 @@ direction and it’s less than the current acknowledgment number.
Set when all of the following are true:
* The segment size is zero.
-* The window size is non-zero and hasn’t changed.
+* The window size is non-zero and hasn’t changed, or there is valid SACK data.
* The next expected sequence number and last-seen acknowledgment number are non-zero (i.e., the connection has been established).
* SYN, FIN, and RST are not set.
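Review bot: with the list introduced by "Set when all of the following are true", the trailing "or there is valid SACK data" on the window-size bullet is ambiguous about whether the alternative covers only that bullet or the whole list. Suggest "The window size is non-zero and either hasn't changed or there is valid SACK data." so the scope is unmistakable.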
@@ -643,7 +644,7 @@ reverse direction.
Set when the all of the following are true:
* The segment size is zero.
-* The window size is non-zero and not equal to the last-seen window size.
+* The window size is non-zero and not equal to the last-seen window size, and there is no valid SACK data.
* The sequence number is equal to the next expected sequence number.
* The acknowledgment number is equal to the last-seen acknowledgment number,
* or to the next expected sequence number when answering to a ZeroWindowProbe.
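Review bot: "and there is no valid SACK data" makes this bullet the complement of the one changed in the previous hunk, which is presumably the intent (keeping the two flags mutually exclusive); a short sentence saying so would help readers who compare the two lists. While in this list, the unchanged intro line "Set when the all of the following are true:" has a stray "the".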
@@ -722,10 +723,12 @@ data transfer will be found with a longer filter as closing a connection can be
associated with FIN or RST packets, or even both :
'tcp.completeness==31 or tcp.completeness==47 or tcp.completeness==63'
-Another way to select specific conversation values is to filter on the
-tcp.completeness.str field. Thus, 'tcp.completeness.str matches "(R.*|F)[^D]ASS"'
-will find all 'Complete, NO_DATA' conversations, while the 'Complete, WITH_DATA'
-ones will be found with 'tcp.completeness.str matches "(R.*|F)DASS"'.
+Another way to select specific conversation values is to filter on individual
+flags, the summary field, or a combination of them.
+Thus, '(tcp.completeness.fin==1 || tcp.completeness.rst==1) && tcp.completeness.str contains "DASS"'
+will find all 'Complete, WITH_DATA' conversations, while the 'Complete, NO_DATA'
+ones will be found with
+'(tcp.completeness.fin==1 || tcp.completeness.rst==1) && tcp.completeness.data==0 && tcp.completeness.str contains "ASS"'.
[#ChAdvTimestamps]
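Review bot: the new filters use `||`/`&&` while the example just above uses `or` (`tcp.completeness==31 or tcp.completeness==47 ...`); both spellings are valid display filter syntax, but mixing them in adjacent examples suggests a difference that isn't there, so pick one style. The last expression also sits on one very long line and would read better wrapped like the surrounding prose.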
@@ -756,20 +759,28 @@ While reading or writing capture files, Wireshark converts the time stamp data
between the capture file format and the internal format as required.
While capturing, Wireshark uses the libpcap (Npcap) capture library which
-supports microsecond resolution. Unless you are working with specialized
-capturing hardware, this resolution should be adequate.
+supports nanosecond resolution for both pcapng and pcap files, though some
+devices may only provide microsecond resolution, in which case that will be
+used. Unless you are working with specialized capturing hardware, this
+resolution should be adequate.
==== Capture File Formats
-Every capture file format that Wireshark knows supports time stamps. The time
-stamp precision supported by a specific capture file format differs widely and
-varies from one second “0” to one nanosecond “0.123456789”. Most file
-formats store the time stamps with a fixed precision (e.g., microseconds), while
-some file formats are even capable of storing the time stamp precision itself
-(whatever the benefit may be).
-
-The common libpcap capture file format that is used by Wireshark (and a lot of
-other tools) supports a fixed microsecond resolution “0.123456” only.
+The vast majority of capture file formats that Wireshark knows support time
+stamps. The time stamp precision supported by a specific capture file format
+differs widely and varies from one second “0” to one nanosecond “0.123456789”.
+Most file formats store the time stamps with a fixed precision (e.g., microseconds,
+“0.123456”), while some file formats are capable of storing the time stamp
+precision itself or even having a different precision for different records
+in the file (whatever the benefit may be).
+
+The pcapng capture file format supports a wide range of time stamp resolutions,
+which can be different for each interface in the file, as well as records without
+time stamps. The common libpcap capture file format, which is widely supported by
+many other tools, supports two possible fixed resolutions, microsecond or
+nanosecond, indicated by a magic number at the start of the file. Wireshark and
+tools like editcap can convert pcap files with nanosecond resolution to microsecond
+resolution for use with tools that only support the original time stamp precision.
Writing data into a capture file format that doesn’t provide the capability to
store the actual precision will lead to loss of information. For example, if you
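Review bot: "supports nanosecond resolution for both pcapng and pcap files" attaches a file-format property to the capture library; libpcap/Npcap delivers the timestamps, and whether nanosecond precision survives depends on the format chosen when saving, which the following paragraph explains. Suggest "supports nanosecond resolution, which Wireshark can preserve in both pcapng and pcap files, though some devices only provide microsecond resolution". The retained aside "(whatever the benefit may be)" is editorializing and could be dropped.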
@@ -912,7 +923,7 @@ represent time internally as UTC. When Wireshark is capturing, no
conversion is necessary. However, if the system time zone is not set
correctly, the system’s UTC time might not be correctly set even if
the system clock appears to display correct local time. When capturing,
-Npcap has to convert the time to UTC before supplying it to Wireshark.
+Npcap has to convert the time to UTC before supplying it to Wireshark.
If the system’s time zone is not set correctly, that conversion will
not be done correctly.
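Review bot: the removed and added "Npcap has to convert the time to UTC before supplying it to Wireshark." lines are visually identical, so this is presumably a trailing-whitespace fix; please confirm it is not an unintended invisible-character change (for example a non-breaking space), since nothing visible differs.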
@@ -1271,14 +1282,17 @@ calculation, also known as checksum offloading. The network driver won’t
calculate the checksum itself but will simply hand over an empty (zero or
garbage filled) checksum field to the hardware.
-
[NOTE]
====
-Checksum offloading often causes confusion as the network packets to be
-transmitted are handed over to Wireshark before the checksums are actually
-calculated. Wireshark gets these “empty” checksums and displays them as
-invalid, even though the packets will contain valid checksums when they leave
-the network hardware later.
+Checksum offloading often causes confusion as network packets to be
+transmitted are given to Wireshark before they are handed over to the
+hardware. Wireshark gets these “empty” checksums and displays them as
+invalid, even though the packets will contain valid checksums when they
+transit the network.
+
+This only applies to packets that are locally generated by the capture
+point. Received packets will have traveled through network hardware
+and should have correct checksums.
====
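Review bot: "Received packets ... should have correct checksums" hedges where the note's own reasoning is firm: the offloading effect only applies to packets generated at the capture point, so an invalid checksum on a received packet is a genuine error rather than an offloading artifact, and saying that plainly is what helps a reader triage. Suggest "Received packets have traveled through the network hardware, so an invalid checksum on one of them indicates actual corruption."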
@@ -1294,4 +1308,32 @@ You can do two things to avoid this checksum offloading problem:
Recent releases of Wireshark disable checksum validation by default due to the
prevalence of offloading in modern hardware and operating systems.
+==== Partial Checksums
+
+TCP and UDP checksums are calculated over both the payload and from selected
+elements from the IPv4 or IPv6 header, known as the pseudo header. Linux
+and Windows, when offloading checksums, will calculate the contribution from
+the pseudo header and place it in the checksum field. The driver then directs
+the hardware to calculate the checksum over the payload area, which will
+produce the correct result including the pseudo header's portion of the sum
+as a matter of mathematics.
+
+This precomputation speeds up the hardware checksum calculation later,
+allows the driver to direct the hardware to do checksums over encapsulated
+payloads (__Local Checksum Offload__), and allows applications to send
+the kernel large "superpacket" buffers that will be later divided by
+the hardware into multiple maximum size packets when sent on the network
+(__TCP Segmentation Offload (TSO)__ and __Generic Segmentation Offload (GSO)__).
+
+[NOTE]
+====
+Wireshark 4.2.0 and later can calculate the partial checksum contribution
+from the pseudo header, and when validating TCP and UDP checksums will
+mark partial checksums as valid but partial. The packets with partial
+checksums will not be colored as Bad Checksums by the default coloring rules,
+and will still be used for reassembly. This eliminates spurious checksum
+errors seen on packets transmitted from the capturing host on those platforms
+that use partial checksums when offloading.
+====
+
// End of WSUG Chapter Advanced
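Review bot: "calculated over both the payload and from selected elements from the IPv4 or IPv6 header" mixes "over" and "from", and "payload" understates the scope: the TCP and UDP checksums cover the transport header as well as the payload. Suggest "calculated over the TCP or UDP header and payload, plus selected fields of the IPv4 or IPv6 header known as the pseudo header". The rest of the section and the 4.2.0 NOTE read well.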
diff --git a/docbook/wsug_src/wsug_build_install.adoc b/doc/wsug_src/wsug_build_install.adoc
index 88199fcf..33035bde 100644
--- a/docbook/wsug_src/wsug_build_install.adoc
+++ b/doc/wsug_src/wsug_build_install.adoc
@@ -70,49 +70,6 @@ On the _Choose Components_ page of the installer you can select from the followi
* *TShark* - A command-line network protocol analyzer. If you haven’t tried it
you should.
-* *Plugins &amp; Extensions* - Extras for the Wireshark and TShark dissection engines
-
- - *Codec Plugins* - Additional codec support.
-
- - *Configuration Profiles* - Additional configuration profiles.
-
- - *Dissector Plugins* - Additional protocol dissectors.
-
- - *File Type Plugins - capture file support* - Extend wiretap support for capture file types. (e.g. usbdump)
-
- - *Mate - Meta Analysis and Tracing Engine* - User configurable extension(s)
- of the display filter engine, see <<ChMate>> for details.
-
- - *SNMP MIBs* - SNMP MIBs for a more detailed SNMP dissection.
-
- - *TRANSUM - performance analysis* - Plugin to calculate Response Time Element (RTE) statistics.
-
- - *Tree Statistics Plugin* - Extended statistics. (see stats_tree in WSDG; Packet Lengths in WSUG)
-
-* *Tools* - Additional command line tools to work with capture files and troubleshoot
-
- - *Capinfos* - Print information about capture files.
-
- - *Captype* - Print the type(format) of capture files.
-
- - *DFTest* - Show display filter byte-code, for debugging dfilter routines.
-
- - *Editcap* - Copy packets to a new file, optionally trimming packets, omitting them,
- or saving to a different format.
-
- - *Mergecap* - Combine multiple saved capture files into a single output file.
-
- - *MMDBResolve* - MaxMind Database resolution tool - read IPv4 and IPv6 addresses and
- print their IP geolocation information.
-
- - *Randpkt* - Create a pcap trace file full of random packets. (randpkt produces very bad packets)
-
- - *Rawshark* - Dump and analyze raw pcap data.
-
- - *Reordercap* - Copy packets to a new file, sorted by time.
-
- - *Text2Pcap* - Generate a capture file from an ASCII hexdump of packets.
-
* *External Capture (extcap)* - External Capture Interfaces
- *Androiddump* - Provide capture interfaces from Android devices.
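Review bot: dropping the "Plugins & Extensions" and "Tools" component lists also removes the only one-line descriptions of capinfos, editcap, mergecap, text2pcap and the other tools from this page, with no statement of why. If the installer no longer offers these as optional components, a sentence saying they are always installed (plus a cross-reference to where each tool is documented) would keep the section self-explanatory.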
@@ -125,10 +82,6 @@ On the _Choose Components_ page of the installer you can select from the followi
- *UDPdump* - Provide capture interface to receive UDP packets streamed from network devices.
-* *Documentation* - Local installation of the User’s Guide and FAQ. The Help buttons on
- most dialogs will require an internet connection to show help pages if the
- User’s Guide is not installed locally.
-
[#ChBuildInstallWinAdditionalTasks]
==== Additional Tasks
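Review bot: the deleted Documentation entry carried a practical caveat, that the Help buttons need an internet connection when the User's Guide is not installed locally; if local documentation is no longer an installer option, that caveat should be restated nearby rather than lost with the component description.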
@@ -271,6 +224,7 @@ documentation.
=== Installing Wireshark under macOS
The official macOS packages can be downloaded from the Wireshark {wireshark-main-url}[main page] or the {wireshark-download-url}[download page].
+They are signed by *Wireshark Foundation*.
Packages are distributed as disk images (.dmg) containing the application bundle.
Package names contain the platform and version.
To install Wireshark simply open the disk image and drag _Wireshark_ to your _/Applications_ folder.
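Review bot: "They are signed by *Wireshark Foundation*." is only useful if the reader can act on it; stating the signing identity as macOS displays it and how to check it (for example with `codesign -dvv` on the application bundle, which prints the signing authority chain) would turn the sentence into a verification step rather than a bare assurance.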
diff --git a/docbook/wsug_src/wsug_capture.adoc b/doc/wsug_src/wsug_capture.adoc
index 3029c6c3..7ac3faf4 100644
--- a/docbook/wsug_src/wsug_capture.adoc
+++ b/doc/wsug_src/wsug_capture.adoc
@@ -488,7 +488,11 @@ Information about the folders used for capture files can be found in
[options="header",cols="2,2,2,3,5"]
|===
|File Name|“Create a new file...”|“Use a ring buffer...”|Mode|Resulting filename(s) used
-|-|-|-|Single temporary file|wiresharkXXXXXX.pcap[ng] (where XXXXXX is a unique 6 character alphanumeric sequence)
+|-|-|-|Single temporary file|wireshark_<interface name>XXXXXX.pcap[ng]
+(<interface name> is the "friendly name" of the capture interface if available
+and the system name if not, when capturing on a single interface, and
+"N_interfaces" where N is the number of interfaces, when capturing on
+multiple interfaces; XXXXXX is a unique 6 character alphanumeric sequence.)
|foo.cap|-|-|Single named file|foo.cap
|foo.cap|x|-|Multiple files, continuous|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ...
|foo.cap|x|x|Multiple files, ring buffer|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ...
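Review bot: the new temporary-file pattern embeds the interface's "friendly name", which on many systems contains spaces or other characters that are awkward in file names; the cell should say whether that name is sanitized before use, since the point of this table is to let the reader predict the resulting filename.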
diff --git a/docbook/wsug_src/wsug_customize.adoc b/doc/wsug_src/wsug_customize.adoc
index 9ca4a473..21b95ef2 100644
--- a/docbook/wsug_src/wsug_customize.adoc
+++ b/doc/wsug_src/wsug_customize.adoc
@@ -273,6 +273,20 @@ _value_ is the value to which it should be set. Multiple instances of `-o
<preference settings> ` can be given on a single command line.
+
--
+
+[NOTE]
+.Preferences and Profiles
+====
+The preferences you specify on the command line will override any settings
+you have changed in any of your profiles; this includes when switching from
+one profile to another.
+
+If you change a setting using the Preferences dialog
+(see <<ChCustPreferencesSection>>) that you have also set on the command line,
+the command line option will then be ignored, and the setting will change
+as normal when you switch profiles.
+====
+
An example of setting a single preference would be:
----
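Review bot: the NOTE is inserted after the closing `--` of the open block, so it is no longer attached to the `-o <preference settings>` item it describes; if it is meant to be part of that item's description, move it inside the block, before the `--`. The content itself is a useful clarification of precedence between command-line preferences and profiles.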
@@ -287,8 +301,8 @@ wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
You can get a list of all available preference strings from the
preferences file. See <<AppFiles>> for details.
-User access tables can be overridden using “uat,” followed by
-the UAT file name and a valid record for the file:
+<<ChUserTable,User Accessible Tables>> can be overridden using “uat,”
+followed by the UAT file name and a valid record for the file:
----
wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\""
@@ -514,7 +528,7 @@ image::images/ws-coloring-fields.png[{screenshot-attrs}]
[#ChCustProtocolDissectionSection]
-=== Control Protocol dissection
+=== Control Protocol Dissection
The user can control how protocols are dissected.
@@ -651,6 +665,7 @@ These window title strings can contain variables which will be replaced by their
The following variables are available.
+* %C = Capture comment from command line
* %F = File path of the capture file
* %P = Currently selected profile name
* %S = Conditional separator (dash) that only shows when surrounded by variables with values or static text
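Review bot: `%C = Capture comment from command line` leaves open what happens when the comment comes from the capture file instead (pcapng stores comments in the file itself) and, if a file carries several comments, which one is shown; as worded a reader cannot tell whether opening a commented file populates %C at all.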
@@ -690,12 +705,12 @@ The _Field Occurrence_ setting is count of the given field in the frame, for fie
Selecting _Resolved_ causes name resolution to be applied to the field value, when available.
-==== Fonts and Color
+==== Font and Colors
These preferences give you the option to select the font and colors used in the various packet panes.
Most usable is to select a mono spaced font, which allows for a cleaner presentation, but using a proportional font is possible too.
-.Font and color preferences
+.Font and colors preferences
image::images/ws-pref-appearance-fonts-and-colors.png[{screenshot-attrs}]
==== Layout
@@ -706,7 +721,7 @@ These preferences allow you to define the layout of the GUI once a capture file
image::images/ws-pref-appearance-layout.png[{screenshot-attrs}]
Make sure that you have at least one pane configured to contain the Packet list.
-Three panes can be active at the same time and they can be layed out as shown in the top layer.
+Three panes can be active at the same time and they can be laid out as shown in the top layer.
The exact sizes of these panes can be changed as needed once a capture file is opened.
Selecting _Show packet list separator_ causes the packet list entries to be slightly set apart, which may improve readability at the cost of the amount of packets shown in the packet list.
@@ -756,6 +771,8 @@ The interface list can always be populated after Wireshark is started via menu:C
Selecting _Disable external capture interfaces_ prevents Wireshark from spawning extcap programs to list off their capture interfaces.
This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue.
+[#ChCustPrefsExpertSection]
+
==== Expert Items
These preferences allow you to modify the severity set for expert items.
@@ -806,14 +823,17 @@ btn:[Copy from]:: Copy the list of user specified display filter buttons from an
The columns in the entries are as follows.
-Selecting _Show in toolbar_ causes the column to be shown in the toolbar besides the display filter text entry.
+Selecting _Show in toolbar_ causes the button to be shown in the toolbar besides the display filter text entry.
The _Button Label_ is the text shown on the button in the toolbar.
+The use of a double slash causes the button to create a dropdown list to allow grouping of multiple buttons, e.g. TCP//Syn and TCP//Res.
The _Filter Expression_ is the <<ChWorkBuildDisplayFilterSection,display filter expression>> entered into the display filter text entry when the button is clicked.
The _Comment_ is the comment text which appears in a bubble when the mouse hovers over the button.
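Review bot: "besides the display filter text entry" should be "beside" (next to); "besides" means "in addition to", and the rewrite of that line is a good moment to fix it. In the new double-slash sentence, `TCP//Res` is cryptic as an example button name; `TCP//Rst` (or spelling out Reset) would match the flag it appears to stand for.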
+[#ChCustPrefsNameSection]
+
==== Name Resolution
These preferences allow you to configure which numeric identifiers in protocols are translated into human readable text.
@@ -857,8 +877,12 @@ The _SMI (MIB and PIB) paths_ btn:[Edit...] button provides access to the dialog
The _SMI (MIB and PIB) modules_ btn:[Edit...] button provides access to the dialog to manage the MIB/PIB modules to be loaded.
+Selecting _Enable IP geolocation_ causes the background MaxMind database IP geolocation resolver to be used to attempt to geolocate IP addresses in the packets.
+
The _MaxMind database directories_ btn:[Edit...] button provides access to the dialog to manage the directories where the MaxMind database files can be found. See <<ChMaxMindDbPaths>>.
+[#ChCustPrefsProtocolsSection]
+
==== Protocols
Wireshark supports quite a few protocols, which is reflected in the long list of child entries of the “Protocols” pane.
@@ -890,8 +914,15 @@ Currently only the IPv4, ICMP and ICMPv6 dissector use this preference.
Selecting _Ignore duplicate frames_ causes a duplicate frame to appear in the packet list, but flagged as ignored, hence not dissected.
The determination of a duplicate frame is made based on the SHA256 hash of the bytes in the frame.
+The preference _Deinterlacing conversations key_ gives you options for deinterlacing the conversations. While _NONE_ keeps the historical behaviour, the other options
+are built on three keys with the following meanings: _V_ (VLAN), _M_ (Mac Address), _I_ (Interface). Packets which seem identical because they have the
+same payload but have a different value for their VLAN Tag, a MAC Address, or were captured on different interfaces, will then be part of different conversations
+if the respective deinterlacing key is activated.
+
The preference _The max number of hashes to keep in memory for determining duplicate frames_ allows you to set how large the set of frames to consider for duplication is.
+[#ChCustPrefsRSASection]
+
==== RSA Keys
For more information see {wireshark-wiki-url}TLS.
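Review bot: "_M_ (Mac Address)" should read "MAC Address", and "have a different value for their VLAN Tag, a MAC Address, or were captured on different interfaces" is not parallel; suggest "differ in VLAN tag or MAC address, or were captured on different interfaces". The paragraph also says the options are "built on three keys" without listing the option values themselves, which is what a reader needs in order to pick one.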
@@ -969,47 +1000,13 @@ Configuration files stored in each profile include:
* Display Filters (dfilters) (<<ChWorkDefineFilterSection>>)
+* Display Filter Macros (dmacros) (<<ChWorkDefineFilterMacrosSection>>)
+
* Coloring Rules (colorfilters) (<<ChCustColorizationSection>>)
* Disabled Protocols (disabled_protos) (<<ChAdvEnabledProtocols>>)
-* User Accessible Tables:
-+
---
-* Custom HTTP headers (custom_http_header_fields)
-
-* Custom IMF headers (imf_header_fields)
-
-* Custom LDAP AttributeValue types (custom_ldap_attribute_types)
-
-* Display Filter Macros (dfilter_macros) (<<ChDisplayFilterMacrosSection>>)
-
-* ESS Category Attributes (ess_category_attributes)
- (<<ChEssCategoryAttributes>>)
-
-* MaxMind Database Paths (maxmind_db_paths) (<<ChMaxMindDbPaths>>)
-
-* K12 Protocols (k12_protos) (<<ChK12ProtocolsSection>>)
-
-* Object Identifier Names and Associated Syntaxes (<<ChObjectIdentifiers>>)
-
-* PRES Users Context List (pres_context_list) (<<ChPresContextList>>)
-
-* SCCP Users Table (sccp_users) (<<ChSccpUsers>>)
-
-* SNMP Enterprise Specific Trap Types (snmp_specific_traps)
- (<<ChSNMPEnterpriseSpecificTrapTypes>>)
-
-* SNMP Users (snmp_users) (<<ChSNMPUsersSection>>)
-
-* User DLTs Table (user_dlts) (<<ChUserDLTsSection>>)
-
-* IKEv2 decryption table (ikev2_decryption_table) (<<ChIKEv2DecryptionSection>>)
-
-* Protobuf Search Paths (protobuf_search_paths) (<<ChProtobufSearchPaths>>)
-
-* Protobuf UDP Message Types (protobuf_udp_message_types) (<<ChProtobufUDPMessageTypes>>)
---
+* Most User Accessible Tables (<<ChUserTable>>)
* Changed dissector assignments (__decode_as_entries__), which can be set in the “Decode
As...” dialog box (<<ChAdvDecodeAs>>).
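Review bot: the macro entry now points at <<ChWorkDefineFilterMacrosSection>> while the removed list pointed at <<ChDisplayFilterMacrosSection>>, whose anchor is deleted further down in this same patch; please check the rest of the documentation for remaining `ChDisplayFilterMacrosSection` references, since a dangling xref only surfaces at build time. Replacing the explicit UAT list with "Most User Accessible Tables" is fine given the new <<ChUserTable>> section enumerates them.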
@@ -1053,6 +1050,10 @@ profile currently selected in the list. The name of the created profile
is the same as the copied profile, with the text “(copy)” and is
highlighted so that you can more easily change it.
+Auto switch packet limit::
+The number of packets to check for automatic profile switching, described below.
+Setting this to zero disables automatic profile switching.
+
btn:[Import]::
Profiles can be imported from zip-archives as well as directly from directory
structures. Profiles, which already exist by name will be skipped, as well as
@@ -1074,46 +1075,92 @@ added and deleted profiles will not be deleted.
btn:[Help]::
Show this help page.
+==== Automatic Profile Switching
+
+You can configure Wireshark to automatically change configuration profiles by adding a display filter to the "Auto Switch Filter" setting for a profile.
+When you open a capture file, Wireshark will check each filter against a limited number of packets and will switch to the first profile with a matching filter.
+The number of packets is determined by the "Auto switch packet limit" setting, and a limit of 0 will disable this feature.
+Manually changing your profile will disable this behavior until you open a different capture file.
+
[#ChUserTable]
-=== User Table
+=== User Accessible Tables
-The User Table editor is used for managing various tables in Wireshark. Its main
-dialog works very similarly to that of <<ChCustColorizationSection>>.
+User Accessible Tables are a type of preference table which may be
+associated with particular <<ChCustPrefsProtocolsSection,protocols>> or
+with the application as a whole.
-[#ChDisplayFilterMacrosSection]
+User Accessible Tables have a common editor dialog which works as described
+in <<ChCustPrefsExpertSection>> and <<ChCustFilterButtons>>. Note that
+the name of the file appears in the lower right corner of the dialog.
-=== Display Filter Macros
+The files are saved in a CSV format, where values are either double quoted
+ASCII strings (using C-style backslash escapes for non-printable characters)
+or unquoted hexstrings, depending on the field type. They can be edited directly
+when Wireshark is not running, though this is discouraged. Entries can
+also be appended to the table by passing an appropriate CSV formatted
+record string <<ChCustCommandLine,on the command line>>.
-Display Filter Macros are a mechanism to create shortcuts for complex filters.
-For example, defining a display filter macro named _$$tcp_conv$$_ whose text is
+// There's a number of newer dissector UATs that aren't mentioned here
+// and could use help sections.
-----
-(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)
-or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)
-----
+Most UATs are stored in the
+<<ChCustConfigProfilesSection,configuration profile>>:
+
+--
+* Custom HTTP headers (custom_http_header_fields)
-would allow to use a display filter like
+* Custom IMF headers (imf_header_fields)
-----
-${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
-----
+* Custom LDAP AttributeValue types (custom_ldap_attribute_types)
-instead of typing the whole filter. Once defined, a macro can
-be used in <<ChWorkDefineFilterSection,saved display (but not
-capture) filters>> and <<ChCustFilterButtons,filter buttons>>.
+* <<ChCustFilterButtons,Display Filter Buttons>> (dfilter_buttons)
-Display Filter Macros can be managed with a user table, as described in
-<<ChUserTable>>, by selecting menu:Analyze[Display Filter Macros] from
-the menu. The User Table has the following fields:
+* <<ChWorkDefineFilterMacrosSection,Display Filter Macros>> (dfilter_macros), prior to Wireshark 4.4
-Name::
-The name of the macro. The name must consist of ASCII alphanumerics or
-the '_' character. (Note that the presence of a '.' character would
-indicate a <<_field_references,field reference>>.)
+* <<ChCustPrefsNameSection,DNS Servers>> (addr_resolve_dns_servers)
+
+* <<ChEssCategoryAttributes,ESS Category Attributes>> (ess_category_attributes)
+
+* <<ChCustPrefsExpertSection,Expert Item Severity>> (expert_severity)
+
+* <<Ch80211Keys,IEEE 802.11 WLAN Decryption Keys>> (80211_keys)
+
+* <<ChIKEv2DecryptionSection,IKEv2 decryption table>> (ikev2_decryption_table)
+
+* <<ChStatIOGraphs,I/O Graphs>> (io_graphs)
+
+* <<ChK12ProtocolsSection,K12 Protocols>> (k12_protos)
+
+* <<ChObjectIdentifiers,Object Identifier Names and Associated Syntaxes>> ()
+
+* <<ChStatPacketLengths,Packet Lengths>> (packet_lengths)
+
+* <<ChPresContextList,PRES Users Context List>> (pres_context_list)
+
+* <<ChSccpUsers,SCCP Users Table>> (sccp_users)
+
+* <<ChSNMPEnterpriseSpecificTrapTypes,SNMP Enterprise Specific Trap Types>> (snmp_specific_traps)
+
+* <<ChSNMPUsersSection,SNMP Users>> (snmp_users)
+
+* <<ChUserDLTsSection,User DLTs Table>> (user_dlts)
+
+* <<ChProtobufSearchPaths,Protobuf Search Paths>> (protobuf_search_paths)
+
+* <<ChProtobufUDPMessageTypes,Protobuf UDP Message Types>> (protobuf_udp_message_types)
+--
+
+Other UATs are stored in the personal configuration directory and are
+common to all profiles:
+
+--
+* <<ChMaxMindDbPaths,MaxMind Database Paths>> (maxmind_db_paths)
+
+* <<ChCustPrefsRSASection,RSA Private Keys>> (rsa_keys) and <<ChCustPrefsRSASection,PKCS #11 Provider Libraries>> (pkcs11_libs)
-Text::
-The replacement text for the macro it uses $1, $2, $3, ... as the input arguments.
+* <<ChCustPrefsNameSection,SMI Modules>> (smi_modules) and <<ChCustPrefsNameSection,SMI Paths>> (smi_paths)
+--
[#ChEssCategoryAttributes]
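Review bot: the Object Identifier entry ends in empty parentheses `()` where every sibling gives the UAT file name; fill it in or drop the parentheses. Two smaller points: the new "Automatic Profile Switching" heading has no `[#...]` anchor while the neighbouring sections gained one, and the CSV paragraph says direct editing of the files is "discouraged" without giving the reason, which a reader who is about to do it will want.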
@@ -1148,9 +1195,18 @@ Database pathname::
This specifies a directory containing MaxMind data files. Any files
ending with _.mmdb_ will be automatically loaded.
-The locations for your data files are up to you, but `/usr/share/GeoIP`
-and `/var/lib/GeoIP` are common on Linux and `C:\ProgramData\GeoIP`,
-`C:\Program Files\Wireshark\GeoIP` might be good choices on Windows.
+By default Wireshark will always search for data files in
+`/usr/share/GeoIP` and `/var/lib/GeoIP` on non-Windows platforms
+and in `C:\ProgramData\GeoIP` and `C:\GeoIP` on Windows. You can
+put any additional search paths here, e.g. `C:\Program Files\Wireshark\GeoIP`
+might be a good choice on Windows.
+
+[NOTE]
+====
+While the default search paths are not listed in the user table, they
+are in the list viewable by opening menu:Help[About Wireshark] and
+selecting the "Folders" tab.
+====
[#ChGeoIPDbPaths]
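Review bot: "Wireshark will always search for data files in ..." reads as unconditional, but the lookup only matters when _Enable IP geolocation_ (added earlier in this patch) is on; "when IP geolocation is enabled, Wireshark always searches ..." would tie the two together. The NOTE pointing at the Folders tab is a helpful addition.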
@@ -1160,6 +1216,191 @@ except GeoIP files must begin with _Geo_ and end with _.dat_. They are
no longer supported and MaxMind stopped distributing GeoLite Legacy
databases in April 2018.
+[#Ch80211Keys]
+
+=== IEEE 802.11 WLAN Decryption Keys
+
+Wireshark can decrypt WEP and WPA/WPA2/WPA3 in pre-shared (or personal) mode,
+as well as in enterprise mode. Security improvements in more recent 802.11
+releases require distinct session keys, instead of being able to decipher
+all traffic to a given access point with a single known password and SSID.
+
+You can add decryption keys using Wireshark's IEEE 802.11 preferences.
+Up to 64 keys are supported.
+
+==== Adding Keys
+
+Go to menu:Edit[Preferences >Protocols >IEEE 802.11], or, from the pop-up menu
+in the "Packet List" or "Packet Details" pane from a frame that contains IEEE
+802.11, menu:Protocol Preferences[IEEE 802.11 wireless LAN].
+You should see a window that looks like this:
+
+."IEEE 802.11 wireless LAN" preferences
+image::images/ws-wireless-ieee-80211-pref.png[{screenshot-attrs}]
+
+Click on the "Edit..." button next to "Decryption Keys" to add keys.
+You should see a window that looks like this:
+
+.802.11 Decryption Key Types
+image::images/ws-wireless-key-type.png[{screenshot-attrs}]
+
+When you click the **+** button to add a new key, there are five key types you
+can choose from: **wep**, **wpa-pwd**, **wpa-psk**, **tk**, or **msk**.
+The correct key type(s) depend on the Cipher Suite and Authentication and
+Key Management Suite (AKMS) used to encrypt the wireless traffic.
+
+wep:: The key must be provided as a string of hexadecimal numbers, with or
+without colons, and will be parsed as a WEP key. WEP keys can be 40-bit
+(5 bytes, or 10 hexadecimal characters), 104-bit, or occasionally 128-bit:
+
+ a1:b2:c3:d4:e5
+
+ 0102030405060708090a0b0c0d
+
+wpa-pwd:: The password and SSID are used to create a raw pre-shared WPA key.
+The password can be between 8 and 63 characters, and the SSID can be up to
+32 bytes. (Typically both are printable ASCII, but that is not a hard
+limitation of the specification, only a recommendation.)
+
+ MyPassword:MySSID
+
+You can optionally omit the colon and SSID, and Wireshark will try to decrypt
+packets using the last-seen SSID. This may not work for captures taken in busy
+environments, since the last-seen SSID may not be correct.
+
+ MyPassword
+
+[NOTE]
+====
+The WPA passphrase and SSID let you encode non-printable or otherwise troublesome
+characters using URI-style percent escapes, e.g., `%20` for a space. As a result
+you have to escape the percent characters themselves using `%25`. You also *must*
+escape colons in the passphrase or SSID themselves as `%3a`, in order to
+distinguish them from a colon as a separator between the passphrase and SSID.
+====
+
+[WARNING]
+====
+The WPA pass-phrase and SSID method is for WPA/WPA2-Personal only. It will
+not work for WPA3-Personal, which uses SAE (Simultaneous Authentication of
+Equals), nor for the Enterprise / 802.1X / EAP modes.
+====
+
+wpa-psk:: The key must be provided as a hexadecimal string, and is parsed as a
+PSK (Pre-Shared Key) or PMK (Pairwise Master Key). For WPA/WPA2-Personal,
+the PSK and the PMK are identical, and directly derived from the passphrase
+and SSID above. The keys can be 256 bits (32 bytes, 64 hex characters) or
+384 bits (48 bytes, 96 hex characters).
+
+ 0102030405060708091011...6061626364
+
+tk:: The key must be provided as a hexadecimal string, and is parsed as a
+PTK (Pairwise Transient Key) or GTK (Group Temporal Key). The keys can
+be 16 or 32 bytes (128 or 256 bits), depending on the cipher suite used.
+(5 and 13 byte WEP TKs are not yet supported.)
+
+msk:: The key must be provided as a hexadecimal string, and is parsed as
+a MSK (Master Session Key). This is used for FT-EAP (IEEE 802.11r
+Fast BSS Transition with EAP authentication). The key can be 64 or 128
+bytes.
+
+.802.11 Decryption Key Examples
+image::images/ws-wireless-key-examples.png[{screenshot-attrs}]
+
+////
+AirPcap was discontinued so this sections from the Wiki isn't relevant for many people currently
+==== Adding Keys: Wireless Toolbar
+
+If you are using the Windows version of Wireshark and you have an [AirPcap](/AirPcap) adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting *View-\>Wireless Toolbar*. Click on the *Decryption Keys...* button on the toolbar:
+
+![dot11-wireless-toolbar.png](uploads/__moin_import__/attachments/HowToDecrypt802.11/dot11-wireless-toolbar.png "dot11-wireless-toolbar.png")
+
+This will open the decryption key management window. As shown in the window you can select between three decryption modes: **None**, **Wireshark**, and **Driver**:
+
+![dot11-key-management.png](uploads/__moin_import__/attachments/HowToDecrypt802.11/dot11-key-management.png "dot11-key-management.png")
+
+Selecting **None** disables decryption. Selecting **Wireshark** uses Wireshark's built-in decryption features. **Driver** will pass the keys on to the [AirPcap](/AirPcap) adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys.
+////
+
+==== Gotchas
+
+Along with decryption keys there are other preference settings that affect decryption.
+
+ - Make sure *Enable decryption* is selected.
+
+ - You may have to toggle *Assume Packets Have FCS* and *Ignore the Protection bit* depending on how your 802.11 driver delivers frames.
+
+===== Capturing the 4-way Handshake
+
+WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless **all four** handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter **eapol** to locate EAPOL packets in your capture.
+
+In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need to do this for all machines whose traffic you want to see.
+
+If a TK is provided as a key, then the EAPOL 4-way handshake is not necessary,
+as the TK is what the handshake derives. However, all available TKs will be
+tried agi
+
+===== Too Many Associations
+
+WPA and WPA2 use individual keys for each device. Wireshark is able to handle
+up to 256 active associations, which should be enough in most circumstances.
+Nevertheless, if a capture has too many devices and too many associations, then
+while the packet list may show all packets decoded on the first pass, randomly
+accessing different packets in the packet details will result in some packets
+failing to be properly deciphered.
+
+Filtering out only the relevant packets (e.g. with "wlan.addr") and saving into
+a new file should get decryption working in all cases, though it may require
+editing keys in the preferences or restarting Wireshark in order to free used
+associations. For the same reason, it is possible to be able to decode packets
+in a capture file without any EAPOL packets in it, as long as Wireshark did see
+the handshake for this communication in another capture without being
+restarted or editing keys. This can sometimes lead to exporting selected
+packets to a new file, opening that file and decoding seeming to work, but
+then decoding suddenly fail on the new file after Wireshark is restarted or keys
+are edited. If decoding suddenly stops working on a capture make sure the needed
+EAPOL packets are still in it.
+
+===== WPA/WPA2 Enterprise/Rekeys
+
+As long as you can somehow extract the PMK from either the client or the Radius
+Server and configure the key (as PSK) all supported Wireshark versions will decode
+the traffic just fine up to the first EAPOL rekey.
+
+EAPoL rekey is often enabled for WPA/WPA2 enterprise and will change the used
+encryption key similar to the procedure for the initial connect, but it can also
+be configured and used for pre-shared (personal) mode.
+
+Decrypting IEEE 802.11r Fast BSS Transition roaming requires capturing
+reassociation frames for similar reasons, and is supported by recent
+Wireshark versions.
+
+===== WPA3 Per-Connection Decryption
+
+In WPA3, a different PMK is used for each connection in order to achieve forward
+secrecy. Capturing the 4-way handshake and knowing the network password is not
+enough to decrypt packets; you must obtain the PMK from either the client or
+access point (typically by enabling logging in `wpa_supplicant` or `hostapd`
+with the `-d -K` flags) and use this as the decryption key in Wireshark. Even
+then, the decryption will only work for packets between that client and access
+point, not for all devices on that network.
+
+===== TKs and Performance
+
+The TKs are the actual transient keys used to encrypt packets, which are derived
+during the handshake. If known, they can decrypt packets without having the
+handshake packets in a capture. However, having TKs as encryption keys in the
+table will affect IEEE 802.11 dissector performance as each encrypted
+packet will be tested against every TK until decryption is successful.
+If the table is configured with many TKs, none of which match any
+encrypted frame in the capture, performance can be slow.
+
+Once a match is found, an association is formed similar to in the usual
+method and decryption of other frames with the same key should be on
+par with normal decryption flow. Thus, if most frames in the capture
+match TKs (or other keys), and only a limited number of TKs are configured,
+the performance impact is slight.
+
[#ChIKEv2DecryptionSection]
=== IKEv2 decryption table
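Review bot: the last paragraph of "Capturing the 4-way Handshake" is truncated mid-word: "However, all available TKs will be tried agi" has no ending, so either complete the sentence or drop the fragment before this merges. Smaller consistency points in the same hunk: "EAPoL rekey" in the Enterprise/Rekeys subsection should use the "EAPOL" spelling the preceding paragraph and the `eapol` display filter use, "Radius Server" should be "RADIUS server", and "similar to in the usual method" under "TKs and Performance" reads better as "similar to the usual method". The `////` AirPcap block is not rendered, so its "this sections" typo is harmless, but fix it if the block is ever re-enabled.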
@@ -1212,6 +1453,9 @@ Integrity algorithm of the IKE_SA.
=== Object Identifiers
+// This table appears under the BER dissector, perhaps it should be moved
+// to the "Name Resolution" preference section?
+
Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify
certain pieces of information. In many cases, they are used in an extension
mechanism so that new object identifiers (and associated values) may be defined
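Review bot: the two `//` lines added above "Many protocols that use ASN.1" leave an open question ("perhaps it should be moved to the Name Resolution preference section?") in the source. AsciiDoc comments do not render, so readers are unaffected, but a TODO like this tends to outlive the change that introduced it; either move the table in this change or track it as an issue rather than committing the question.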
@@ -1346,7 +1590,7 @@ different SNMP-engines the first entry to match both is taken, if you need a
catch all engine-id (empty) that entry should be the last one.
Authentication model::
-Which auth model to use (either “MD5” or “SHA1”).
+Which auth model to use (either “MD5”, “SHA1”, "SHA2-224", "SHA2-256", "SHA2-384" or "SHA2-512").
Password::
The authentication password. Use _\xDD_ for unprintable characters. A
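Review bot: the expanded "Authentication model" list mixes curly quotes for the existing entries (“MD5”, “SHA1”) with straight quotes for the new ones ("SHA2-224", "SHA2-256", "SHA2-384", "SHA2-512"); use one style, and since the surrounding text uses curly quotes for UI strings, the added entries should follow that. It is also worth checking that these labels are spelled exactly as the SNMP users table in the preferences dialog shows them, since this text is what a user will search for.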
@@ -1356,7 +1600,7 @@ _\x01\x02\x03\x04\x05\x06_. The _\_ character must be treated as an unprintable
character, i.e., it must be entered as _\x5C_ or _\x5c_.
Privacy protocol::
-Which encryption algorithm to use (either “DES” or “AES”).
+Which encryption algorithm to use (either “DES”, “AES”, "AES192" or "AES256").
Privacy password::
The privacy password. Use _\xDD_ for unprintable characters. A hexadecimal
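Review bot: same quote-style mix as in the authentication hunk: “DES”, “AES” are curly, "AES192" and "AES256" are straight. Since the list now distinguishes key sizes, "AES" alone is ambiguous next to "AES192" and "AES256"; if it denotes the 128-bit variant, say so ("AES (128-bit)") so the reader does not have to infer it.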
@@ -1365,6 +1609,11 @@ password 010203040506 must be entered as _\x01\x02\x03\x04\x05\x06_. The _\_
character must be treated as an unprintable character, i.e., it must be entered
as _\x5C_ or _\x5c_.
+Key expansion method::
+Which method to use to expand the key when the generated key provides too few bytes
+for the selected encryption method (either based on "draft-reeder-snmpv3-usm-3desede-00" or
+as implemented in AGENT++).
+
[#ChK12ProtocolsSection]
=== Tektronix K12xx/15 RF5 protocols Table
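Review bot: the new "Key expansion method" entry describes the two options but not which one is the default, nor when the choice actually matters; since the text already says it applies "when the generated key provides too few bytes for the selected encryption method", add one sentence naming the default and noting that the setting has no effect unless the authentication model yields a shorter key than the privacy protocol needs (which, given the list above, is the AES192/AES256 case). The draft name "draft-reeder-snmpv3-usm-3desede-00" would also be more useful as a link than as a quoted string.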
diff --git a/docbook/wsug_src/wsug_files.adoc b/doc/wsug_src/wsug_files.adoc
index 3c4364bb..7819d484 100644
--- a/docbook/wsug_src/wsug_files.adoc
+++ b/doc/wsug_src/wsug_files.adoc
@@ -19,7 +19,7 @@ format as the default format to save captured packets. It is very flexible
but other tools may not support it.
Wireshark also supports the
-link:https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat[libpcap] file
+{wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap] file
format. This is a much simpler format and is well established. However, it has
some drawbacks: it’s not extensible and lacks some information that would be
really helpful (e.g., being able to add a comment to a packet such as “the
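Review bot: the replacement `{wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap]` inserts a slash after the attribute, while the second hunk in this file writes `{wireshark-wiki-url}Development/LibpcapFileFormat` with no slash, and the MATE chapter in this same patch uses `{wireshark-wiki-url}Mate/Examples` and `{wireshark-wiki-url}uploads/...` without one. Whichever form the attribute expects, one of these produces a broken or double-slash URL; make both libpcap links use the same form as the rest of the guide.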
@@ -49,7 +49,7 @@ The following data is saved for each packet:
* The packet’s raw bytes
A detailed description of the libpcap file format can be found at
-https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat
+{wireshark-wiki-url}Development/LibpcapFileFormat
[#ChIOFileNotContentSection]
@@ -162,9 +162,9 @@ _/usr/local/etc_.
|_cfilters_|Capture filters.
|_colorfilters_|Coloring rules.
|__dfilter_buttons__|Display filter buttons.
-|__dfilter_macros__|Display filter macros.
|_dfilters_|Display filters.
|__disabled_protos__|Disabled protocols.
+|__dmacros__|Display filter macros.
|_ethers_|Ethernet name resolution.
|_hosts_|IPv4 and IPv6 name resolution.
|_ipxnets_|IPX name resolution.
@@ -176,6 +176,7 @@ _/usr/local/etc_.
|_ss7pcs_|SS7 point code resolution.
|_subnets_|IPv4 subnet name resolution.
|_vlans_|VLAN ID name resolution.
+|_wka_|Well-known MAC addresses.
|===
[discrete]
@@ -243,29 +244,6 @@ When you save any changes to the filter buttons, all the current display
filter buttons are written to the personal display filter buttons file.
--
-dfilter_macros::
-+
---
-This file contains all the display filter macros that you have defined and saved.
-It consists of one or more lines, where each line has the following format:
-
-----
-"<macro name>" <filter string>
-----
-
-At program start, if there is a __dfilter_macros__ file in the personal
-configuration folder, it is read. If there isn’t a __dfilter_macros__ file
-in the personal configuration folder, then, if there is a __dfilter_macros__
-file in the global configuration folder, it is read.
-
-When you press the Save button in the "Display Filter Macros" dialog box,
-all the current display filter macros are written to the personal display
-filter macros file.
-
-More information about Display Filter Macros is available in
-<<ChDisplayFilterMacrosSection>>
---
-
dfilters::
+
--
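Review bot: removing this block also removes the only visible reference to the <<ChDisplayFilterMacrosSection>> anchor; grep the other chapters for that anchor and for __dfilter_macros__ presented as the live file, otherwise the build will warn about a dangling cross-reference. The description itself is reintroduced as the dmacros entry later in this file, so the removal is otherwise fine.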
@@ -309,6 +287,35 @@ the current set of disabled protocols is written to the personal
disabled protocols file.
--
+dmacros::
++
+--
+This file contains all the display filter macros that you have defined and saved.
+It consists of one or more lines, where each line has the following format:
+
+----
+"<macro name>" <macro expression>
+----
+
+At program start, if there is a __dmacros__ file in the personal
+configuration folder, it is read. If there isn’t a __dmacros__ file
+in the personal configuration folder, then, if there is a __dmacros__
+file in the global configuration folder, it is read.
+
+In versions of Wireshark prior to 4.4, the display filter macros were
+stored in a __dfilter_macros__ file with a somewhat different format,
+a <<ChUserTable,UAT>>. At program start if the __dmacros__ file
+is not found a __dfilter_macros__ file is looked for in the personal and
+global configuration folders and converted to the new format.
+
+When you press the Save button in the "Display Filter Macros" dialog box,
+all the current display filter macros are written to the personal display
+filter macros file.
+
+More information about Display Filter Macros is available in
+<<ChWorkDefineFilterMacrosSection>>
+--
+
ethers::
+
--
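Review bot: the migration sentence "At program start if the __dmacros__ file is not found a __dfilter_macros__ file is looked for in the personal and global configuration folders and converted to the new format" needs commas ("At program start, if ... is not found, a ...") and leaves open whether the converted macros are written to a personal __dmacros__ file immediately or only held in memory until the user presses Save; say which, since that determines whether the old file is re-converted on every start and whether a user who never opens the dialog keeps their macros after the next upgrade. Also confirm the new target <<ChWorkDefineFilterMacrosSection>> exists, because the old <<ChDisplayFilterMacrosSection>> target is removed in this same change.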
@@ -317,10 +324,13 @@ a name, it consults the _ethers_ file in the personal configuration
folder first. If the address is not found in that file, Wireshark
consults the _ethers_ file in the system configuration folder.
-This file has the same format as the _/etc/ethers_ file on some Unix-like systems.
+This file has a similar format to the _/etc/ethers_ file on some Unix-like systems.
Each line in these files consists of one hardware address and name separated by
-whitespace. The digits of hardware addresses are separated by colons (:), dashes
-(-) or periods(.). The following are some examples:
+whitespace (tabs or spaces). The hardware addresses are expressed as pairs
+of hexadecimal digits separated by colons (:), dashes (-), or periods(.), with
+the same separator used in the entire address. A `#` can be used to indicate
+a comment that extends to the rest of the line. NIS lookups, as in some
+UNIX-like systems, are not supported. The following are some examples:
----
ff-ff-ff-ff-ff-ff Broadcast
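Review bot: in the rewritten format description, "periods(.)" is missing the space before the parenthesis, and the same paragraph now says "Unix-like systems" in its first sentence and "UNIX-like systems" in its last; pick one spelling. "with the same separator used in the entire address" is a useful constraint but reads as a description rather than a rule; "an address must use a single separator throughout" makes clear that mixed separators are rejected.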
@@ -381,12 +391,17 @@ be translated to a name, and never written by Wireshark.
manuf::
+
--
-At program start, if there is a _manuf_ file in the global configuration folder, it is read.
+At program start, if there is a _manuf_ file in the global configuration
+folder, it is read first. Then, if there is a _manuf_ file in the personal
+configuration folder, that is read; if there is an entry for a given address
+prefix in both files, the setting in the personal file overrides the entry
+in the global file.
The entries in this file are used to translate MAC address prefixes into short and long manufacturer names.
Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name.
Prefixes 24 bits long by default and may be followed by an optional length.
-Note that this is not the same format as the _ethers_ file.
+Note that this is not the same format as the _ethers_ file, which does not
+allow prefix lengths.
Examples are:
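Review bot: the context line "Prefixes 24 bits long by default and may be followed by an optional length." is missing its verb ("Prefixes are 24 bits long by default ...") and sits directly between the two sentences this hunk edits, so fix it in the same change. The new personal-overrides-global sentence matches the wording used for _services_, which is good; the added "which does not allow prefix lengths" clause is the right way to explain why the _ethers_ format differs.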
@@ -395,6 +410,15 @@ Examples are:
00:50:C2:00:30:00/36 Microsof Microsoft
----
+In earlier versions of Wireshark, official information from the IEEE
+Registration Authority was distributed in this format as the _manuf_ file
+in the global configuration folder. In current versions of Wireshark, this
+information is compiled into the program to speed startup, but if a file
+is present in the global configuration folder it is still read, and can
+be used to supplement or replace the official data just as the personal
+file does. The compiled-in information can be written out in this format
+as a report with `tshark -G manuf`.
+
The settings from this file are read in at program start and never written by Wireshark.
--
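Review bot: "can be used to supplement or replace the official data just as the personal file does" overstates what the preceding hunk describes: the personal file overrides individual prefix entries, it does not replace the data set. Reword to "supplement or override individual entries of the compiled-in data" so a reader does not expect a global _manuf_ file to disable the built-in table wholesale. Naming `tshark -G manuf` as the way to dump the compiled-in data is helpful and should stay.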
@@ -455,7 +479,9 @@ At program start, if there is a _services_ file in the global
configuration folder, it is read first. Then, if there is a _services_
file in the personal configuration folder, that is read; if there is an
entry for a given port number in both files, the setting in the personal
-hosts file overrides the entry in the global hosts file.
+_services_ file overrides the entry in the global _services_ file.
+The format is that of the standard _services(5)_ file on UNIX-compatible
+systems.
An example is:
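Review bot: "UNIX-compatible systems" here, "UNIX-like" and "Unix-like" in the _ethers_ entry of the same file; settle on one form across the chapter. The reference to the standard _services(5)_ format is the right level of detail.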
@@ -464,6 +490,15 @@ mydns 5045/udp # My own Domain Name Server
mydns 5045/tcp # My own Domain Name Server
----
+In earlier versions of Wireshark, official information from the IANA
+Service Name and Transport Protocol Port Number Registry was distributed
+in this format as the _services_ file in the global configuration folder.
+In current versions of Wireshark, this information is compiled into the
+program to speed startup, but if a file is present in the global configuration
+folder it is still read, and can be used to supplement or replace the official
+data just as the personal file does. The compiled-in information can be
+written out in this format as a report with `tshark -G services`.
+
The settings from these files are read in at program start and never
written by Wireshark.
--
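Review bot: the override rule in the context line above says "an entry for a given port number", but the example immediately preceding this hunk lists `mydns 5045/udp` and `mydns 5045/tcp` as separate entries, so the key is the port and protocol pair; say "a given port number and protocol" to avoid implying that a personal tcp entry would override a global udp one. This paragraph also has the same "supplement or replace" wording as the _manuf_ paragraph; the same "override individual entries" correction applies here, and with `tshark -G services` as the dump command it otherwise mirrors that section correctly.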
@@ -490,7 +525,7 @@ Wireshark.
subnets::
+
--
-Wireshark uses the __subnets__ files to translate an IPv4 address into a
+Wireshark uses the __subnets__ file to translate an IPv4 address into a
subnet name. If no exact match from a __hosts__ file or from DNS is
found, Wireshark will attempt a partial match for the subnet of the
address.
@@ -519,6 +554,12 @@ printed address would be “ws_test_network.0.1”.
The settings from these files are read in at program start and never
written by Wireshark.
+
+The __subnets__ file also changes the behavior of the Endpoints and
+Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user
+preference _Aggregate subnets in Statistics Dialogs_ is enabled. In this
+case, when an IPv4 address matches a subnet, the statistics dialog will
+show this subnet instead of the IPv4 address.
--
vlans::
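Review bot: the previous hunk changes "the __subnets__ files" to the singular "file", but the unchanged context line in this hunk still reads "The settings from these files are read in at program start"; make it singular too, or keep the plural if both personal and global __subnets__ files are meant. In the new paragraph, "the statistics dialog will show this subnet instead of the IPv4 address" should also say that all addresses matching the subnet are combined into a single row, since that is what "Aggregate" implies and what a user enabling the preference needs to know.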
@@ -540,6 +581,20 @@ The settings from this file are read in at program start or when changing
the active profile and are never written by Wireshark.
--
+wka::
++
+--
+At program start, if there is a _wka_ file in the global configuration folder,
+it is read.
+
+The entries in this file are used to translate MAC addresses and MAC address
+prefixes into names. The format is that of the _manuf_ file. This file is
+distributed with Wireshark, and contains data assembled from various non IEEE
+but respected sources.
+
+The settings from this file are read in at program start and never written by Wireshark.
+--
+
[#ChPluginFolders]
=== Plugin folders
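Review bot: the new _wka_ entry says only the global configuration folder is read, whereas the _manuf_ and _services_ entries edited in this same patch also read a personal file that overrides the global one; if there is deliberately no personal _wka_ file, state that explicitly so a user does not create one and wonder why it is ignored, and if a personal file is supported, document it the same way. Also hyphenate "non IEEE" as "non-IEEE", and "data assembled from various non IEEE but respected sources" would be more useful if it named the sources or at least pointed at where they are listed.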
diff --git a/docbook/wsug_src/wsug_howitworks.adoc b/doc/wsug_src/wsug_howitworks.adoc
index 13cb8176..13cb8176 100644
--- a/docbook/wsug_src/wsug_howitworks.adoc
+++ b/doc/wsug_src/wsug_howitworks.adoc
diff --git a/docbook/wsug_src/wsug_introduction.adoc b/doc/wsug_src/wsug_introduction.adoc
index 78f32f57..1cfbfe4f 100644
--- a/docbook/wsug_src/wsug_introduction.adoc
+++ b/doc/wsug_src/wsug_introduction.adoc
@@ -266,7 +266,7 @@ mailto:{wireshark-dev-list-email}[].
You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}.
The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror.
-Official Windows and macOS installers are signed using trusted certificates on those platforms.
+Official Windows and macOS installers are signed by *Wireshark Foundation* using trusted certificates on those platforms.
macOS installers are additionally notarized.
A new Wireshark version typically becomes available every six weeks.
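Review bot: "signed by *Wireshark Foundation*" needs an article ("signed by the Wireshark Foundation"), and the bold markup is not used for organisation names elsewhere in this paragraph; plain text is enough. If the intent is that a user should check the signer name shown by the OS signature dialog, say that directly, since that is the security-relevant check this sentence is setting up.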
@@ -275,7 +275,7 @@ If you want to be notified about new Wireshark releases you should subscribe to
You will find more details in <<ChIntroMailingLists>>.
Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt.
-Announcement messages are archived at https://www.wireshark.org/lists/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/.
+Announcement messages are archived at https://lists.wireshark.org/archives/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/.
Both are GPG-signed and include verification instructions for Windows, Linux, and macOS.
As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems.
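Review bot: the announce-archive URL is hard-coded (`https://lists.wireshark.org/archives/wireshark-announce/`) while the download link two sentences earlier uses `{wireshark-download-url}`; this change exists precisely because the archive host moved, so consider an attribute for the list archive as well so the next move is a one-line edit. The SIGNATURES URL on the same line would benefit from the same treatment.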
diff --git a/docbook/wsug_src/wsug_io.adoc b/doc/wsug_src/wsug_io.adoc
index df8fced7..5cf4b038 100644
--- a/docbook/wsug_src/wsug_io.adoc
+++ b/doc/wsug_src/wsug_io.adoc
@@ -703,10 +703,13 @@ some features to handle these file sets in a convenient way.
.How does Wireshark detect the files of a file set?
****
-A filename in a file set uses the format Prefix_Number_DateTimeSuffix which
-might look something like `test_00001_20240714183910.pcap`. All files of a file
+A filename in a file set uses the format Prefix_Number_DateTimeSuffix (or,
+in Wireshark 4.4.0 and later, Prefix_DateTime_NumberSuffix) which might
+look something like `test_00001_20240714183910.pcap`. All files of a file
set share the same prefix (e.g., “test”) and suffix (e.g., “.pcap”) and a
-varying middle part.
+varying middle part. Files are also allowed to have a second compression
+suffix of types that Wireshark can open; the compression suffix does not
+have to match for all files in a set.
To find the files of a file set, Wireshark scans the directory where the
currently loaded file resides and checks for files matching the filename pattern
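Review bot: the example file name `test_00001_20240714183910.pcap` only illustrates the original Prefix_Number_DateTimeSuffix form; since the hunk introduces a second form (Prefix_DateTime_NumberSuffix) for 4.4.0 and later, add a second example name in that form next to it, and make clear that a current Wireshark recognises both. "Files are also allowed to have a second compression suffix of types that Wireshark can open" is awkward; "Files may additionally carry a compression suffix for any compression format Wireshark can open" says the same thing, and an example name with such a suffix would remove any doubt about where it goes.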
@@ -1023,7 +1026,7 @@ NOTE: As a developer you can add any dissector to the existing list or define a
+
NOTE: The file produced has a `Wireshark Upper PDU` encapsulation type that has somewhat limited support outside of Wireshark, but is very flexible and can contain PDUs for any protocol for which there is a Wireshark dissector.
-[#ChIOStripHeaders]
+[#ChIOStripHeadersDialog]
==== The “Strip Headers...” Dialog Box
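Review bot: renaming the anchor from `ChIOStripHeaders` to `ChIOStripHeadersDialog` breaks any `<<ChIOStripHeaders>>` cross-reference, and this diff shows no corresponding reference updates; either include them in this change or grep the guide and the release notes for the old anchor before merging.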
diff --git a/docbook/wsug_src/wsug_mate.adoc b/doc/wsug_src/wsug_mate.adoc
index 6de78c70..9df35551 100644
--- a/docbook/wsug_src/wsug_mate.adoc
+++ b/doc/wsug_src/wsug_mate.adoc
@@ -17,7 +17,7 @@ was written to help troubleshooting gateways and other systems where a "use"
involves more protocols. However, MATE can be used as well to analyze other
issues regarding an interaction between packets like response times,
incompleteness of transactions, presence/absence of certain attributes in a
-group of PDUs and more.
+group of Protocol Data Units (PDUs) and more.
MATE is a Wireshark plugin that allows the user to specify how different
frames are related to each other. To do so, MATE extracts data from the frames'
@@ -47,24 +47,25 @@ that timeout)
These are the steps to try out MATE:
-* Run Wireshark and check if the plugin is installed correct (MATE should
-appear in Help->About->Plugins)
-* Get a configuration file e.g., tcp.mate (see {wireshark-wiki-url}Mate/Examples[Mate/Examples]
+* Run Wireshark and check if the plugin is installed (MATE should
+appear in Help->About Wireshark:Plugins)
+* Get a configuration file e.g., <<File_tcp_mate,tcp.mate>> (see {wireshark-wiki-url}Mate/Examples[Mate/Examples]
for more) and place it somewhere on your harddisk.
-* Go to Preferences->Protocols->MATE and set the config filename to the file
-you want to use (you don't have to restart Wireshark)
+* Go to Edit->Preferences...->Protocols->MATE and set the Configuration Filename to the file
+you want to use and restart Wireshark.
* Load a corresponding capture file (e.g.,
{wireshark-wiki-url}uploads/27707187aeb30df68e70c8fb9d614981/http.cap[http.cap]) and see if MATE
has added some new display filter fields, something like: `mate tcp_pdu:1->tcp_ses:1`
or, at prompt: `path_to/wireshark -o "mate.config: tcp.mate" -r http.cap`.
-If anything went well, your packet details might look something like this:
+If everything went well, your packet details might look something like this:
+.Packet Details - MATE TCP Session (tcp.mate)
image::images/ws-mate-tcp-output.png[]
[#ChMateManual]
-=== MATE Manual
+=== MATE Overview
==== Introduction
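Review bot: the preferences step reverses the previous behaviour, from "(you don't have to restart Wireshark)" to "and restart Wireshark."; if a restart is now required because the configuration file is only read at startup, say so in the step, since readers of the old text will otherwise assume the change takes effect immediately. Smaller points: "harddisk" should be "hard disk", and the menu path notation is inconsistent between "Help->About Wireshark:Plugins" and "Edit->Preferences...->Protocols->MATE"; use one separator convention for both.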
@@ -81,45 +82,53 @@ will use the term "PDU" to refer to the objects created by MATE containing the
relevant information extracted from the frame; I'll use "frame" to refer to the
"raw" information extracted by the various dissectors that pre-analyzed the frame.
-For every PDU, MATE checks if it belongs to an existing "Group of PDUs" (Gop).
-If it does, it assigns the PDU to that Gop and moves any new relevant attributes
-to the Gop's attribute list. How and when do PDUs belong to Gops is described
+For every PDU, MATE checks if it belongs to an existing "Group of PDUs" (GOP).
+If it does, it assigns the PDU to that GOP and moves any new relevant attributes
+to the GOP's attribute list. How and when do PDUs belong to GOPs is described
in the configuration file as well.
-Every time a Gop is assigned a new PDU, MATE will check if it matches the
-conditions to make it belong to a "Group of Groups" (Gog). Naturally the
-conditions that make a Gop belong to a Gog are taken from the configuration
+Every time a GOP is assigned a new PDU, MATE will check if it matches the
+conditions to make it belong to a "Group of Groups" (GOG). Naturally the
+conditions that make a GOP belong to a GOG are taken from the configuration
file as well.
Once MATE is done analyzing the frame it will be able to create a "protocol"
-tree for each frame based on the PDUs, the Gops they belong to and naturally any
-Gogs the former belongs to.
+tree for each frame based on the PDUs, the GOPs they belong to and naturally any
+GOGs the former belongs to.
How to tell MATE what to extract, how to group it and then how to relate those
groups is made using AVPs and AVPLs.
-Information in MATE is contained in Attribute/Value Pairs (AVPs). AVPs are made
+Information in MATE is contained in Attribute Value Pairs (AVPs). AVPs are made
of two strings: the name and the value. AVPs are used in the configuration and
there they have an operator as well. There are various ways AVPs can be matched
against each other using those operators.
-AVPs are grouped into AVP Lists (AVPLs). PDUs, Gops and Gogs have an AVPL each.
+AVPs are grouped into AVP Lists (AVPLs). PDUs, GOPs and GOGs have an AVPL each.
Their AVPLs will be matched in various ways against others coming from the
configuration file.
MATE will be instructed how to extract AVPs from frames in order to create a PDU
with an AVPL. It will be instructed as well, how to match that AVPL against the
AVPLs of other similar PDUs in order to relate them. In MATE the relationship
-between PDUs is a Gop, it has an AVPL as well. MATE will be configured with other
-AVPLs to operate against the Gop's AVPL to relate Gops together into Gogs.
+between PDUs is a GOP, it has an AVPL as well. MATE will be configured with other
+AVPLs to operate against the GOP's AVPL to relate GOPs together into GOGs.
A good understanding on how AVPs and AVPLs work is fundamental to understand how
MATE works.
+===== About MATE
+
+MATE was originally written by Luis Ontanon, a Telecommunications systems
+troubleshooter, as a way to save time filtering out the packets of a single call
+from huge capture files using just the calling number. Later he used the time he
+had saved to make it flexible enough to work with protocols other than the ones
+he was directly involved with.
+
[#AVP]
-==== Attribute Value Pairs
+==== Attribute Value Pairs (AVP)
-Information used by MATE to relate different frames is contained in Attribute/
+Information used by MATE to relate different frames is contained in Attribute
Value Pairs (AVPs). AVPs are made of two strings - the name and the value. When
AVPs are used in the configuration, an operator is defined as well. There are
various ways AVPs can be matched against each other using those operators.
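Review bot: this hunk capitalises the concepts as GOP and GOG, but the configuration keywords remain _Gop_ and _Gog_ (as in the Frame Analysis section below: "a _Gop_ declaration", "a _Gog_ declaration"); add one sentence where GOP is first introduced stating that the upper-case form names the group and the mixed-case italic form names the declaration keyword, otherwise the distinction looks like an inconsistency. In the changed line "How and when do PDUs belong to GOPs is described", drop "do" ("How and when PDUs belong to GOPs is described"). The new "About MATE" level-5 heading also sits under "Introduction"; a history note might read better at the end of the Overview than in the middle of the conceptual walk-through.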
@@ -129,16 +138,20 @@ various ways AVPs can be matched against each other using those operators.
another_name= "1234 is the value"
----
-The name is a string used to refer to a "kind" of an AVP. Two AVPs won't match
+The name is a string used to refer to a "type" of an AVP. Two AVPs won't match
unless their names are identical.
+
+The name must start with a lowercase letter (a-z) and can contain only alphanumeric characters
+(a-zA-Z0-9) and the special characters "_", "-", and ".". The name ends with an operator.
+
You should not use uppercase characters in names, or names that start with “.” or
“_”. Capitalized names are reserved for configuration parameters (we'll call them
keywords); nothing forbids you from using capitalized strings for other things as
well but it probably would be confusing. I'll avoid using capitalized words for
anything but the keywords in this document, the reference manual, the examples
and the base library. Names that start with a “.” would be very confusing as well
-because in the old grammar, AVPL transformations use names starting with a “.” to
+because in the old grammar, AVPL transforms use names starting with a “.” to
indicate they belong to the replacement AVPL.
The value is a string that is either set in the configuration (for configuration
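Review bot: the new rule "The name must start with a lowercase letter (a-z) and can contain only alphanumeric characters (a-zA-Z0-9) and the special characters "_", "-", and "."" partly contradicts the unchanged advice that follows it: if a name must begin with a lowercase letter it cannot start with "." or "_", so the "names that start with '.' or '_'" warning is now moot as a restriction, and "You should not use uppercase characters in names" reads as a style preference while the rule above permits uppercase after the first character. Reconcile the two paragraphs, for example by stating the hard grammar rule first and then explaining that capitalised names are reserved for keywords by convention, and note that "-" is newly allowed in names (the removed sentence further down listed only "_" and ".").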
@@ -146,17 +159,16 @@ AVPs) or by Wireshark while extracting interesting fields from a frame's tree.
The values extracted from fields use the same representation as they do in filter
strings except that no quotes are used.
-The name can contain only alphanumeric characters, "_", and ".". The name ends
-with an operator.
-
-The value will be dealt with as a string even if it is a number. If there are
+*The value will be dealt with as a string even if it is a number.* If there are
any spaces in the value, the value must be between quotes "".
+Values that are also keywords such as True and False should also be wrapped
+in quotes ("True", "False").
----
- ip_addr=10.10.10.11,
- tcp_port=1234,
- binary_data=01:23:45:67:89:ab:cd:ef,
- parameter12=0x23aa,
+ ip_addr=10.10.10.11
+ tcp_port=1234
+ binary_data=01:23:45:67:89:ab:cd:ef
+ parameter12=0x23aa
parameter_with_spaces="this value has spaces"
----
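Review bot: the added sentence "Values that are also keywords such as True and False should also be wrapped in quotes ("True", "False")" is not reflected in the example block that follows it; add a line such as `flag="True"` alongside `parameter_with_spaces="this value has spaces"` so the rule is illustrated. Dropping the trailing commas from the example lines is correct for standalone AVPs, but since the AVPL examples in the next section separate AVPs with commas inside parentheses, one sentence saying that commas are separators only within an AVPL would prevent readers from copying the wrong form.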
@@ -165,7 +177,7 @@ Remember two AVPs won't match unless their names are identical. In MATE, match
operations are always made between the AVPs extracted from frames (called data
AVPs) and the configuration's AVPs.
-Currently defined MATE's AVP match operators are:
+Currently defined MATE AVP match operators are:
* <<Equal,Equal>> _=_ will match if the string given completely matches the data
AVP's value string
@@ -186,20 +198,22 @@ higher than the string given
* <<Exists,Exists>> _?_ (the ? can be omitted) will match as far as a data AVP of the
given name exists
-==== AVP lists
+==== AVP lists (AVPL)
An AVPL is a set of diverse AVPs that can be matched against other AVPLs. Every
-PDU, Gop and Gog has an AVPL that contains the information regarding it. The
-rules that MATE uses to group Pdus and Gops are AVPL operations.
+PDU, GOP and GOG has an AVPL that contains the information regarding it. The
+rules that MATE uses to group PDUs and GOPs are AVPL operations.
-There will never be two identical AVPs in a given AVPL. However, we can have
+*There will never be two identical AVPs in a given AVPL.* However, we can have
more than one AVP with the same name in an AVPL as long as their values are
different.
Some AVPL examples:
----
- ( addr=10.20.30.40, addr=192.168.0.1, tcp_port=21, tcp_port=32534, user_cmd=PORT, data_port=12344, data_addr=192.168.0.1 )
- ( addr=10.20.30.40, addr=192.168.0.1, channel_id=22:23, message_type=Setup, calling_number=1244556673 )
+ ( addr=10.20.30.40, addr=192.168.0.1, tcp_port=21, tcp_port=32534, user_cmd=PORT,
+ data_port=12344, data_addr=192.168.0.1 )
+ ( addr=10.20.30.40, addr=192.168.0.1, channel_id=22:23, message_type=Setup,
+ calling_number=1244556673 )
( addr=10.20.30.40, addr=192.168.0.1, ses_id=01:23:45:67:89:ab:cd:ef )
( user_id=pippo, calling_number=1244556673, assigned_ip=10.23.22.123 )
----
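Review bot: wrapping the two long AVPL examples across lines improves readability, but the section does not say whether an AVPL in a real configuration file may span lines; if the parser accepts that, say so, and if not, mark the wrapping as for display only so the examples are not copied verbatim into a config file. The bolding of "There will never be two identical AVPs in a given AVPL." is a reasonable emphasis since the sentence after it qualifies the rule.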
@@ -207,74 +221,74 @@ Some AVPL examples:
In MATE there are two types of AVPLs:
* data AVPLs that contain information extracted from frames.
-* operation AVPLs that come from the configuration and are used to tell MATE how
+* configuration AVPLs that come from the configuration and are used to tell MATE how
to relate items based on their data AVPLs.
-Data AVPLs can be operated against operation AVPLs in various ways:
+Data AVPLs can be operated against configuration AVPLs in various ways:
* <<Loose,Loose Match>>: Will match if at least one of the AVPs of each AVPL
-match. If it matches it will return an AVPL containing all AVPs from the operand
-AVPL that did match the operator's AVPs.
-* <<Every,"Every" Match>>: Will match if none of the AVPs of the operator AVPL
-fails to match a present AVP in the operand AVPL, even if not all of the
-operator's AVPs have a match. If it matches it will return an AVPL containing
-all AVPs from the operand AVPL that did match one AVP in the operator AVPL.
-* <<Strict,Strict Match>>: Will match if and only if every one of the operator's
-AVPs have at least one match in the operand AVPL. If it matches it will return
-an AVPL containing the AVPs from the operand that matched.
+match. If it matches it will return an AVPL containing all AVPs from the data
+AVPL that did match the configuration AVPs.
+* <<Every,"Every" Match>>: Will match if none of the AVPs of the configuration AVPL
+fails to match a present AVP in the data AVPL, even if not all of the
+configuration AVPs have a match. If it matches it will return an AVPL containing
+all AVPs from the data AVPL that did match one AVP in the configuration AVPL.
+* <<Strict,Strict Match>>: Will match if and only if every one of the configuration
+AVPs have at least one match in the data AVPL. If it matches it will return
+an AVPL containing the AVPs from the data AVPL that matched.
* There's also a <<Merge,Merge>> operation that is to be performed between AVPLs
-where all the AVPs that don't exist in the operand AVPL but exist in the operand
-will be added to the operand AVPL.
-* Other than that, there are <<Transform,Transformations>> - a combination
+where all the AVPs that don't exist in the data AVPL but exist in the configuration
+will be added to the data AVPL.
+* Other than that, there are <<Transform,Transforms>> - a combination
of a match AVPL and an AVPL to merge.
-==== MATE Analysis
+=== MATE Frame Analysis
MATE's analysis of a frame is performed in three phases:
-* In the first phase, MATE attempts to extract a MATE Pdu from the frame's
-protocol tree. MATE will create a Pdu if MATE's config has a _Pdu_ declaration
+* In the first phase, MATE attempts to extract a MATE PDU from the frame's
+protocol tree. MATE will create a PDU if MATE's config has a _Pdu_ declaration
whose _Proto_ is contained in the frame.
-* In the second phase, if a Pdu has been extracted from the frame, MATE will try
-to group it to other Pdus into a Gop (Group of Pdus) by matching the key
-criteria given by a _Gop_ declaration. If there is no Gop yet with the key
-criteria for the Pdu, MATE will try to create a new Gop for it if it matches the
-_Start_ criteria given in the Gop declaration.
+* In the second phase, if a PDU has been extracted from the frame, MATE will try
+to group it to other PDUs into a GOP (Group of PDUs) by matching the key
+criteria given by a _Gop_ declaration. If there is no GOP yet with the key
+criteria for the PDU, MATE will try to create a new GOP for it if it matches the
+_Start_ criteria given in the _Gop_ declaration.
-* In the third phase, if there's a Gop for the Pdu, MATE will try to group this
-Gop with other Gops into a Gog (Group of Groups) using the criteria given by the
-_Member_ criteria of a Gog declaration.
+* In the third phase, if there's a GOP for the PDU, MATE will try to group this
+GOP with other GOPs into a GOG (Group of Groups) using the criteria given by the
+_Member_ criteria of a _Gog_ declaration.
+.MATE Analysis (PDU->GOP->GOG) flowchart
image::images/ws-mate-analysis.png[]
The extraction and matching logic comes from MATE's configuration; MATE's
-configuration file is declared by the _mate.config_ preference. By default it is
+configuration file is specified by the _mate.config_ preference. By default it is
an empty string which means: do not configure MATE.
The config file tells MATE what to look for in frames; How to make PDUs out of
-it; How will PDUs be related to other similar PDUs into Gops; And how Gops
-relate into Gogs.
+it; How will PDUs be related to other similar PDUs into GOPs; And how GOPs
+relate into GOGs.
The MATE configuration file is a list of declarations. There are 4 types of
-declarations: _Transform_, _Pdu_, _Gop_ and _Gog_.
+declarations: _Transform_, _Pdu_, _Gop_, and _Gog_. A _Transform_ block must be
+before any of the other block declarations that may use it.
-===== Mate's PDU's
+==== Create PDUs (Phase 1)
MATE will look in the tree of every frame to see if there is useful data to
extract, and if there is, it will create one or more PDU objects containing the
useful information.
-The first part of MATE's analysis is the "PDU extraction"; there are various
-"Actions" that are used to instruct MATE what has to be extracted from the
-current frame's tree into MATE's PDUs.
+The first part of MATE's analysis is the "PDU extraction".
-====== PDU data extraction
+===== PDU data extraction
-MATE will make a Pdu for each different proto field of Proto type present in the
+MATE will make a PDU for each different proto field of _Proto_ type present in the
frame. MATE will fetch from the field's tree those fields that are defined in
the <<Pdu>> declaration whose initial offset in the frame is within the
-boundaries of the current Proto and those of the given Transport and Payload
+boundaries of the current _Proto_ and those of the given _Transport_ and _Payload_
statements.
----
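Review bot: The "Every" match description still reads as a double negative ("Will match if none of the AVPs of the configuration AVPL fails to match a present AVP in the data AVPL"); since the terminology is being reworked here, consider stating it directly, e.g. "Will match unless a configuration AVP has a same-named AVP in the data AVPL that does not match it; configuration AVPs with no counterpart in the data AVPL are ignored." Two smaller points in the same hunk: "A _Transform_ block must be before any of the other block declarations" reads better as "must be declared before", and the clauses after the semicolons in "what to look for in frames; How to make PDUs out of it; How will PDUs be related ..." should start lowercase ("how PDUs are related to other similar PDUs into GOPs; and how GOPs relate into GOGs").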
@@ -284,18 +298,16 @@ Pdu dns_pdu Proto dns Transport ip {
Extract dns_resp From dns.flags.response;
};
----
-MATE will make a Pdu for each different proto field of Proto type present in the
-frame. MATE will fetch from the field's tree those fields that are defined in
-the <<Pdu>> AVPL whose initial offset in the frame is within the boundaries of
-the current Proto and those of the various assigned Transports.
+.Wireshark window - fields for PDU extraction
image::images/ws-mate-dns_pane.png[]
-Once MATE has found a _Proto_ field for which to create a Pdu from the frame it
+Once MATE has found a _Proto_ field for which to create a PDU from the frame it
will move backwards in the frame looking for the respective _Transport_ fields.
After that it will create AVPs named as each of those given in the rest of the
AVPL for every instance of the fields declared as its values.
+.Frame fields mapped to PDU attributes
image::images/ws-mate-dns_pdu.png[]
Sometimes we need information from more than one _Transport_ protocol. In that
@@ -303,61 +315,68 @@ case MATE will check the frame looking backwards to look for the various
_Transport_ protocols in the given stack. MATE will choose only the closest
transport boundary per "protocol" in the frame.
-This way we'll have all Pdus for every _Proto_ that appears in a frame match its
+This way we'll have all PDUs for every _Proto_ that appears in a frame match its
relative transports.
----
Pdu isup_pdu Proto isup Transport mtp3/ip {
- Extract m3pc From mtp3.dpc;
- Extract m3pc From mtp3.opc;
- Extract cic From isup.cic;
- Extract addr From ip.addr;
- Extract isup_msg From isup.message_type;
+ Extract addr From ip.addr;
+
+ Extract m3pc From mtp3.dpc;
+ Extract m3pc From mtp3.opc;
+
+ Extract cic From isup.cic;
+ Extract isup_msg From isup.message_type;
};
----
+.Frame containing multiple PDUs
image::images/ws-mate-isup_over_mtp3_over_ip.png[]
-This allows to assign the right _Transport_ to the Pdu avoiding duplicate
+This allows to assign the right _Transport_ to the PDU avoiding duplicate
transport protocol entries (in case of tunneled ip over ip for example).
----
Pdu ftp_pdu Proto ftp Transport tcp/ip {
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Extract ftp_cmd From ftp.command;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract ftp_cmd From ftp.command;
};
----
+.Frame with encapsulated (tunneled) fields
image::images/ws-mate-ftp_over_gre.png[]
Other than the mandatory _Transport_ there is also an optional _Payload_
statement, which works pretty much as _Transport_ but refers to elements after
the _Proto_'s range. It is useful in those cases where the payload protocol
-might not appear in a Pdu but nevertheless the Pdu belongs to the same category.
+might not appear in a PDU but nevertheless the PDU belongs to the same category.
----
Pdu mmse_over_http_pdu Proto http Transport tcp/ip {
- Payload mmse;
+ Payload mmse;
+
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+
+ Extract content From http.content_type;
+ Extract host From http.host;
+ Extract http_rq From http.request;
+ Extract method From http.request.method;
+ Extract resp From http.response.code;
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Extract method From http.request.method;
- Extract content From http.content_type;
- Extract http_rq From http.request;
- Extract resp From http.response.code;
- Extract host From http.host;
- Extract trx From mmse.transaction_id;
- Extract msg_type From mmse.message_type;
- Extract notify_status From mmse.status;
- Extract send_status From mmse.response_status;
+ Extract msg_type From mmse.message_type;
+ Extract notify_status From mmse.status;
+ Extract send_status From mmse.response_status;
+ Extract trx From mmse.transaction_id;
};
----
+.Extract from Payload fields
image::images/ws-mate-mmse_over_http.png[]
-====== Conditions on which to create PDUs
+===== Conditions on which to create PDUs
There might be cases in which we won't want MATE to create a PDU unless some of
its extracted attributes meet or do not meet some criteria. For that we use the
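Review bot: "This allows to assign the right _Transport_ to the PDU" is ungrammatical; suggest "This allows MATE to assign the right _Transport_ to the PDU, avoiding duplicate transport protocol entries (for example with IP tunneled over IP)". The reordering of the Extract statements in isup_pdu and mmse_over_http_pdu looks purely cosmetic; if that is the case, say so in the commit message, and if MATE does attach meaning to Extract order, the reorder changes the documented behaviour and should be reverted.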
@@ -367,8 +386,8 @@ _Criteria_ statements of the _Pdu_ declarations.
Pdu isup_pdu Proto isup Transport mtp3/ip {
...
- // MATE will create isup_pdu PDUs only when there is not a point code '1234'
- Criteria Reject Strict (m3pc=1234);
+ // MATE will create isup_pdu PDUs only when there is not a point code '1234'
+ Criteria Reject Strict (m3pc=1234);
};
Pdu ftp_pdu Proto ftp Transport tcp/ip {
@@ -379,81 +398,82 @@ Pdu ftp_pdu Proto ftp Transport tcp/ip {
};
----
-The _Criteria_ statement is given an action (_Accept_ or _Reject_), a match mode
+The _Criteria_ statement is given an action (_Accept_ or _Reject_), a match type
(_Strict_, _Loose_ or _Every_) and an AVPL against which to match the currently
extracted one.
-====== Transforming the attributes of a PDU
+===== Transforming the attributes of a PDU
-Once the fields have been extracted into the Pdu's AVPL, MATE will apply any
-declared transformation to it. The way transforms are applied and how they work
+Once the fields have been extracted into the PDU's AVPL, MATE will apply any
+declared _Transform_ to it. The way transforms are applied and how they work
is described later on. However, it's useful to know that once the AVPL for the
-Pdu is created, it may be transformed before being analyzed. That way we can
+PDU is created, it may be transformed before being analyzed. That way we can
massage the data to simplify the analysis.
-====== MATE's PDU tree
+===== MATE's PDU tree
-Every successfully created Pdu will add a MATE tree to the frame dissection. If
-the Pdu is not related to any Gop, the tree for the Pdu will contain just the
-Pdu's info, if it is assigned to a Gop, the tree will also contain the Gop items,
-and the same applies for the Gog level.
+Every successfully created PDU will add a MATE tree to the frame dissection. If
+the PDU is not related to any GOP, the tree for the PDU will contain just the
+PDU's info. If it is assigned to a GOP, the tree will also contain the GOP items,
+and the same applies for the GOG level.
----
mate dns_pdu:1
dns_pdu: 1
dns_pdu time: 3.750000
dns_pdu Attributes
- dns_resp: 0
- dns_id: 36012
+ dns_resp: False
+ dns_id: 0x8cac
addr: 10.194.4.11
addr: 10.194.24.35
----
-The Pdu's tree contains some filterable fields
+The PDU's tree contains some filterable fields
-* _mate.dns_pdu_ will contain the number of the "dns_pdu" Pdu
+* _mate.dns_pdu_ will contain the number of the "dns_pdu" PDU
* _mate.dns_pdu.RelativeTime_ will contain the time passed since the beginning
of the capture in seconds
-* the tree will contain the various attributes of the Pdu as well, these will
+* the tree will contain the various attributes of the PDU as well, these will
all be strings (to be used in filters as "10.0.0.1", not as 10.0.0.1)
** mate.dns_pdu.dns_resp
** mate.dns_pdu.dns_id
** mate.dns_pdu.addr
-===== Grouping Pdus together (Gop)
+==== Grouping PDUs together (GOP) (Phase 2)
-Once MATE has created the Pdus it passes to the Pdu analysis phase. During the
-PDU analysis phase MATE will try to group Pdus of the same type into 'Groups of
-Pdus' (aka *Gop*s) and copy some AVPs from the Pdu's AVPL to the Gop's AVPL.
+Once MATE has created the PDUs it passes to the PDU analysis phase. During the
+PDU analysis phase MATE will try to group PDUs of the same type into 'Groups of
+PDUs' (aka *GOP*++s++) and copy some AVPs from the PDU's AVPL to the GOP's AVPL.
+.Grouping PDUs (GOP) flowchart
image::images/ws-mate-pdu_analysis.png[]
-====== What can belong to a Gop
+===== What can belong to a GOP
-Given a Pdu, the first thing MATE will do is to check if there is any Gop
-declaration in the configuration for the given Pdu type. If so, it will use its
-_Match_ AVPL to match it against the Pdu's AVPL; if they don't match, the
-analysis phase is done. If there is a match, the AVPL is the Gop's candidate key
-which will be used to search the Gop's index for the Gop to which to assign
-the current PDU. If there is no such Gop and this Pdu does not match the
-_Start_ criteria of a Gop declaration for the Pdu type, the Pdu will remain
+Given a PDU, the first thing MATE will do is to check if there is any GOP
+declaration in the configuration for the given PDU type. If so, it will use its
+_Match_ AVPL to match it against the PDU's AVPL; if they don't match, the
+analysis phase is done. If there is a match, the AVPL is the GOP's candidate key
+which will be used to search the index of GOPs for the GOP to which to assign
+the current PDU. If there is no such GOP and this PDU does not match the
+_Start_ criteria of a _Gop_ declaration for the PDU type, the PDU will remain
unassigned and only the analysis phase will be done.
----
-Gop ftp_ses On ftp_pdu Match (addr, addr, port, port);
-Gop dns_req On dns_pdu Match (addr, addr, dns_id);
-Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic);
+Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {...};
+Gop dns_req On dns_pdu Match (addr, addr, dns_id) {...};
+Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {...};
----
-====== Start of a Gop
+===== Start of a GOP
-If there was a match, the candidate key will be used to search the Gop's index
-to see if there is already a Gop matching the Gop's key the same way. If there
-is such a match in the Gops collection, and the PDU doesn't match the _Start_
-AVPL for its kind, the PDU will be assigned to the matching Gop. If it is a
-_Start_ match, MATE will check whether or not that Gop has been already
-stopped. If the Gop has been stopped, a new Gop will be created and will replace
-the old one in the Gop's index.
+If there was a match, the candidate key will be used to search the index of GOPs
+to see if there is already a GOP matching the GOP's key the same way. If there
+is such a match in the GOPs collection, and the PDU doesn't match the _Start_
+AVPL for its type, the PDU will be assigned to the matching GOP. If it is a
+_Start_ match, MATE will check whether or not that GOP has been already
+stopped. If the GOP has been stopped, a new GOP will be created and will replace
+the old one in the index of GOPs.
----
Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {
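Review bot: "The PDU's tree contains some filterable fields" introduces the bullet list that follows and should end with a colon. In the same hunk, the last bullet ("the tree will contain the various attributes of the PDU as well, these will all be strings") is a comma splice; suggest "... as well; these are all strings (use "10.0.0.1" in filters, not 10.0.0.1)".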
@@ -461,7 +481,7 @@ Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {
};
Gop dns_req On dns_pdu Match (addr, addr, dns_id) {
- Start (dns_resp=0);
+ Start (dns_resp="True");
};
Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {
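Review bot: `Start (dns_resp="True");` in this hunk contradicts the fuller dns_req example later in the patch, which has `Start (dns_resp="False");` and `Stop (dns_resp="True");`. A DNS request has the response flag clear (the dns_pdu tree sample above shows `dns_resp: False` for the request), so the GOP should start on "False"; please change this line to `Start (dns_resp="False");` so the two examples agree.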
@@ -469,14 +489,14 @@ Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {
};
----
-If no _Start_ is given for a Gop, a Pdu whose AVPL matches an existing Gog's
-key will act as the start of a Gop.
+If no _Start_ is given for a GOP, a PDU whose AVPL matches an existing GOP's
+key will act as the start of a GOP.
-====== What goes into the Gop's AVPL
+===== What goes into the GOP's AVPL
-Once we know a Gop exists and the Pdu has been assigned to it, MATE will copy
-into the Gop's AVPL all the attributes matching the key plus any AVPs of the
-Pdu's AVPL matching the _Extra_ AVPL.
+Once we know a GOP exists and the PDU has been assigned to it, MATE will copy
+into the GOP's AVPL all the attributes matching the key plus any AVPs of the
+PDU's AVPL matching the _Extra_ AVPL.
----
Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {
@@ -490,24 +510,24 @@ Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {
};
----
-====== End of a Gop
+===== End of a GOP
-Once the Pdu has been assigned to the Gop, MATE will check whether or not the
-Pdu matches the _Stop_, if it happens, MATE will mark the Gop as stopped. Even
-after stopped, a Gop may get assigned new Pdus matching its key, unless such
-Pdu matches _Start_. If it does, MATE will instead create a new Gop starting
-with that Pdu.
+Once the PDU has been assigned to the GOP, MATE will check whether or not the
+PDU matches the _Stop_, if it happens, MATE will mark the GOP as stopped. Even
+after stopped, a GOP may get assigned new PDUs matching its key, unless such
+PDU matches _Start_. If it does, MATE will instead create a new GOP starting
+with that PDU.
----
Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {
Start (ftp_cmd=USER);
- Stop (ftp_cmd=QUIT); // The response to the QUIT command will be assigned to the same Gop
+ Stop (ftp_cmd=QUIT); // The response to the QUIT command will be assigned to the same GOP
Extra (pasv_prt, pasv_addr);
};
Gop dns_req On dns_pdu Match (addr, addr, dns_id) {
- Start (dns_resp=0);
- Stop (dns_resp=1);
+ Start (dns_resp="False");
+ Stop (dns_resp="True");
};
Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {
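Review bot: "MATE will check whether or not the PDU matches the _Stop_, if it happens, MATE will mark the GOP as stopped" is a comma splice that survived the rewording; suggest "MATE will check whether the PDU matches the _Stop_ AVPL; if it does, MATE marks the GOP as stopped." Also "Even after stopped, a GOP may get assigned new PDUs" should read "Even after being stopped".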
@@ -517,92 +537,102 @@ Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {
};
----
-If no _Stop_ criterium is stated for a given Gop, the Gop will be stopped as
-soon as it is created. However, as with any other Gop, Pdus matching the Gop's
-key will still be assigned to the Gop unless they match a _Start_ condition,
-in which case a new Gop using the same key will be created.
+If no _Stop_ criterium is stated for a given GOP, the GOP will be stopped as
+soon as it is created. However, as with any other GOP, PDUs matching the GOP's
+key will still be assigned to the GOP unless they match a _Start_ condition,
+in which case a new GOP using the same key will be created. To group multiple
+PDUs that match the _Start_, add a bogus _Stop_ such as
+----
+Gop frame_ses On frame_pdu Match (frame_time) {
+ Start (frame_time);
+ Stop (frame_time="FOO");
+};
+----
-===== Gop's tree
+===== GOP's tree
-For every frame containing a Pdu that belongs to a Gop, MATE will create a tree
-for that Gop.
+For every frame containing a PDU that belongs to a GOP, MATE will create a tree
+for that GOP.
The example below represents the tree created by the _dns_pdu_ and _dns_req_
examples.
----
...
-mate dns_pdu:6->dns_req:1
+MATE dns_pdu:6->dns_req:1
dns_pdu: 6
dns_pdu time: 2.103063
dns_pdu time since beginning of Gop: 2.103063
- dns_req: 1
- dns_req Attributes
- dns_id: 36012
- addr: 10.194.4.11
- addr: 10.194.24.35
- dns_req Times
- dns_req start time: 0.000000
- dns_req hold time: 2.103063
- dns_req duration: 2.103063
- dns_req number of PDUs: 2
- Start PDU: in frame 1
- Stop PDU: in frame 6 (2.103063 : 2.103063)
dns_pdu Attributes
- dns_resp: 1
- dns_id: 36012
+ dns_resp: True
+ dns_id: 0x8cac
+ addr: 10.194.4.11
+ addr: 10.194.24.35
+ dns_req: 1
+ GOP Key: addr=10.194.4.11; addr=10.194.24.35; dns_id=0x8cac;
+ dns_req Attributes
+ dns_id: 0x8cac
addr: 10.194.4.11
addr: 10.194.24.35
+ dns_req Times
+ dns_req start time: 0.000000
+ dns_req hold time: 2.103063
+ dns_req duration: 2.103063
+ dns_req number of PDUs: 2
+ Start PDU: in frame 1
+ Stop PDU: in frame 6 (2.103063 : 2.103063)
+
----
-Other than the pdu's tree, this one contains information regarding the
-relationship between the Pdus that belong to the Gop. That way we have:
+Other than the PDU's tree, this one contains information regarding the
+relationship between the PDUs that belong to the GOP. That way we have:
-* mate.dns_req which contains the id of this dns_req Gop. This will be present
-in frames that belong to dns_req Gops.
+* mate.dns_req which contains the id of this dns_req GOP. This will be present
+in frames that belong to dns_req GOPs.
* mate.dns_req.dns_id and mate.dns_req.addr which represent the values of the
-attributes copied into the Gop.
-* the timers of the Gop
+attributes copied into the GOP.
+* the timers of the GOP
** mate.dns_req.StartTime time (in seconds) passed since beginning of capture
-until Gop's start.
-** mate.dns_req.Time time passed between the start Pdu and the stop Pdu assigned
-to this Gop (only created if a Stop criterion has been declared for the Gop and
-a matching Pdu has arrived).
-** mate.dns_req.Duration time passed between the start Pdu and the last Pdu
-assigned to this Gop.
-* mate.dns_req.NumOfPdus the number of Pdus that belong to this Gop
-** a filterable list of frame numbers of the pdus of this Gop
+until GOP's start.
+** mate.dns_req.Time time passed between the start PDU and the stop PDU assigned
+to this GOP (only created if a Stop criterion has been declared for the GOP and
+a matching PDU has arrived).
+** mate.dns_req.Duration time passed between the start PDU and the last PDU
+assigned to this GOP.
+* mate.dns_req.NumOfPdus the number of PDUs that belong to this GOP
+** mate.dns_req.Pdu a filterable list of frame numbers of the PDUs of this GOP
-====== Gop's timers
+===== GOP's timers
-Note that there are two "timers" for a Gop:
+Note that there are two "timers" for a GOP:
-* *Time*, which is defined only for Gops that have been Stopped, and gives the
-time passed between the _Start_ and the _Stop_ Pdus.
-* *Duration*, which is defined for every Gop regardless of its state, and give
-the time passed between its _Start_ Pdu and the last Pdu that was assigned to
-that Gop.
+* *Time*, which is defined only for GOPs that have been Stopped, and gives the
+time passed between the _Start_ and the _Stop_ PDUs.
+* *Duration*, which is defined for every GOP regardless of its state, and give
+the time passed between its _Start_ PDU and the last PDU that was assigned to
+that GOP.
So:
-* we can filter for Pdus that belong to Gops that have been Stopped with
+* we can filter for PDUs that belong to GOPs that have been Stopped with
*mate.xxx.Time*
-* we can filter for Pdus that belong to unstopped Gops with *mate.xxx &&
-mate.xxx.Time*
-* we can filter for Pdus that belong to stopped Gops using *mate.xxx.Duration*
-* we can filter for Pdus that belong to Gops that have taken more (or less) time
+* we can filter for PDUs that belong to unstopped GOPs with *mate.xxx &&
+!mate.xxx.Time*
+* we can filter for PDUs that belong to stopped GOPs using *mate.xxx.Duration*
+* we can filter for PDUs that belong to GOPs that have taken more (or less) time
that 0.5s to complete with *mate.xxx.Time > 0.5* (you can try these also as
color filters to find out when response times start to grow)
-===== Grouping Gops together (Gog)
+==== Grouping GOPs together (GOG) (Phase 3)
-When Gops are created, or whenever their AVPL changes, Gops are (re)analyzed to
-check if they match an existent group of groups (Gog) or can create a new one.
-The Gop analysis is divided into two phases. In the first phase, the still
-unassigned Gop is checked to verify whether it belongs to an already existing
-Gog or may create a new one. The second phase eventually checks the Gog and
-registers its keys in the Gogs index.
+When GOPs are created, or whenever their AVPL changes, GOPs are (re)analyzed to
+check if they match an existent group of groups (GOG) or can create a new one.
+The GOP analysis is divided into two phases. In the first phase, the still
+unassigned GOP is checked to verify whether it belongs to an already existing
+GOG or may create a new one. The second phase eventually checks the GOG and
+registers its keys in the index of GOGs.
+.Grouping GOPs (GOG) flowchart
image::images/ws-mate-gop_analysis.png[]
There are several reasons for the author to believe that this feature needs to
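Review bot: `criterium` in "If no _Stop_ criterium is stated" should be `criterion`, the form already used in "only created if a Stop criterion has been declared" later in this hunk. The new listing introduced by "add a bogus _Stop_ such as" should be preceded by a blank line and the lead sentence should end with a colon, as every other listing in the file does. The sample tree label `MATE dns_pdu:6->dns_req:1` is now capitalised differently from the unchanged `mate dns_pdu:1` earlier and `mate http_pdu:4->http_req:2->http_use:1` later; unless the dissector's label actually changed, keep the lowercase form so the samples match real output. Two grammar fixes: "and give the time passed" should be "and gives the time passed", and "more (or less) time that 0.5s" should be "than 0.5s".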
@@ -610,41 +640,41 @@ be reimplemented, so probably there will be deep changes in the way this is done
in the near future. This section of the documentation reflects the version of
MATE as of Wireshark 0.10.9; in future releases this will change.
-====== Declaring a Group Of Groups
+===== Declaring a Group Of Groups (GOG)
-The first thing we have to do configuring a Gog is to tell MATE that it exists.
+The first thing we have to do configuring a GOG is to tell MATE that it exists.
----
-Gog web_use {
+Gog http_use {
...
};
----
-====== Telling MATE what could be a Gog member
+===== Telling MATE what could be a GOG member
-Then we have to tell MATE what to look for a match in the candidate Gops.
+Then we have to tell MATE what to look for a match in the candidate GOPs.
----
-Gog web_use {
+Gog http_use {
Member http_ses (host);
Member dns_req (host);
};
----
-====== Getting interesting data into the Gop
+===== Getting interesting data into the GOG
Most often, also other attributes than those used for matching would be
-interesting. In order to copy from Gop to Gog other interesting attributes, we
-might use _Extra_ like we do for Gops.
+interesting. In order to copy from GOP to GOG other interesting attributes, we
+might use _Extra_ like we do for GOPs.
----
-Gog web_use {
+Gog http_use {
...
Extra (cookie);
};
----
-====== Gog's tree
+===== GOG's tree
----
mate http_pdu:4->http_req:2->http_use:1
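Review bot: Renaming the GOG to `http_use` makes it match the tree sample `mate http_pdu:4->http_req:2->http_use:1`, but the unchanged `Member http_ses (host);` still refers to a GOP named http_ses while the tree shows the HTTP GOP as `http_req`; consider changing it to `Member http_req (host);` so the declarations and the sample tree describe the same configuration. Minor wording: "The first thing we have to do configuring a GOG" should be "when configuring a GOG", and "tell MATE what to look for a match in the candidate GOPs" is clearer as "tell MATE what to match in the candidate GOPs".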
@@ -669,11 +699,16 @@ mate http_pdu:4->http_req:2->http_use:1
We can filter on:
-* *mate.http_use.Duration* time elapsed between the first frame of a Gog and the last one assigned to it.
-* the attributes passed to the Gog
+* the timers of the GOG
+** *mate.http_use.StartTime* time (in seconds) passed since beginning of capture until GOG's start.
+** *mate.http_use.Duration* time elapsed between the first frame of a GOG and the last one assigned to it.
+* the attributes passed to the GOG
** *mate.http_use.host*
+* *mate.http_use.NumOfGops* the number of GOPs that belong to this GOG
+* *mate.http_use.GopStart* the start frame of a GOP
+* *mate.http_use.GopStop* the stop frame of a GOP
-===== AVPL Transforms
+==== Adjust data (AVPL Transforms)
A Transform is a sequence of Match rules optionally completed with modification
of the match result by an additional AVPL. Such modification may be an Insert
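Review bot: The new `*mate.http_use.GopStart* the start frame of a GOP` and `*mate.http_use.GopStop* the stop frame of a GOP` entries are ambiguous for a GOG that contains several GOPs (the sibling entry says "the number of GOPs that belong to this GOG"); if these fields list one frame per member GOP, say so, e.g. "the start frames of the GOPs belonging to this GOG".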
@@ -681,26 +716,26 @@ of the match result by an additional AVPL. Such modification may be an Insert
AVPL before it is processed further. They come to be very helpful in several
cases.
-====== Syntax
+===== Syntax
-AVPL Transformations are declared in the following way:
+AVPL Transforms are declared in the following way:
----
- Transform name {
- Match [Strict|Every|Loose] match_avpl [Insert|Replace] modify_avpl ;
- ...
- };
+Transform name {
+ Match [Strict|Every|Loose] match_avpl [Insert|Replace] modify_avpl;
+ ...
+};
----
-The *name* is the handle to the AVPL transformation. It is used to refer to the
+The *name* is the handle to the AVPL transform. It is used to refer to the
transform when invoking it later.
The _Match_ declarations instruct MATE what and how to match against the data
AVPL and how to modify the data AVPL if the match succeeds. They will be
executed in the order they appear in the config file whenever they are invoked.
-The optional match mode qualifier (_Strict_, _Every_, or _Loose_) is used
-to choose the match mode as explained above; _Strict_ is a default value which
+The optional match type qualifier (_Strict_, _Every_, or _Loose_) is used
+to choose the <<Match,Match type>>; _Strict_ is the default value which
may be omitted.
The optional modification mode qualifier instructs MATE how the modify AVPL
@@ -708,17 +743,28 @@ should be used:
* the default value _Insert_ (which may be omitted) causes the _modify_avpl_
to be *merged* to the existing data AVPL,
-* the _Replace_ causes all the matching AVPs from the data AVPL to be
+* _Replace_ causes all the matching AVPs from the data AVPL to be
*replaced* by the _modify_avpl_.
The _modify_avpl_ may be an empty one; this comes useful in some cases for
both _Insert_ and _Replace_ modification modes.
+----
+Transform rm_client_from_http_resp1 {
+ Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted
+ Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests
+};
+
+Transform rm_client_from_http_resp2 {
+ Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing
+};
+----
+
Examples:
----
- Transform insert_name_and {
- Match Strict (host=10.10.10.10, port=2345) Insert (name=JohnDoe);
+Transform insert_name_and {
+ Match Strict (host=10.10.10.10, port=2345) Insert (name=JohnDoe);
};
----
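Review bot: The first line of the new rm_client_from_http_resp1 example, `Match (http_rq);`, omits the modify AVPL entirely, while the syntax block above gives `Match [Strict|Every|Loose] match_avpl [Insert|Replace] modify_avpl;` with only the keyword optional, and the paragraph right before says the _modify_avpl_ "may be an empty one"; either write it as `Match (http_rq) Insert ();` or document in the Syntax section that the modify clause can be omitted. The new listing also lands with no lead-in sentence before the "Examples:" line and its comments run well past 100 columns with no space after `//`; a one-line introduction ("An empty or absent modify AVPL can be used to stop further Match rules, or to delete attributes:") and shorter comments would help.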
@@ -727,7 +773,7 @@ port=2345
----
Transform insert_name_or {
- Match Loose (host=10.10.10.10, port=2345) Insert (name=JohnDoe);
+ Match Loose (host=10.10.10.10, port=2345) Insert (name=JohnDoe);
};
----
@@ -736,7 +782,7 @@ port=2345
----
Transform replace_ip_address {
- Match (host=10.10.10.10) Replace (host=192.168.10.10);
+ Match (host=10.10.10.10) Replace (host=192.168.10.10);
};
----
@@ -744,7 +790,7 @@ replaces the original host=10.10.10.10 by host=192.168.10.10
----
Transform add_ip_address {
- Match (host=10.10.10.10) (host=192.168.10.10);
+ Match (host=10.10.10.10) (host=192.168.10.10);
};
----
@@ -753,7 +799,7 @@ host=10.10.10.10 in it too
----
Transform replace_may_be_surprising {
- Match Loose (a=aaaa, b=bbbb) Replace (c=cccc, d=dddd);
+ Match Loose (a=aaaa, b=bbbb) Replace (c=cccc, d=dddd);
};
----
@@ -765,10 +811,10 @@ intact,
* (a=aaaa, b=bbbb) gets transformed to (c=cccc, d=dddd) because both a=aaaa and
b=bbbb did match.
-====== Usage
+===== Usage
-Once declared, Transforms can be added to the declarations of PDUs, Gops or
-Gogs. This is done by adding the _Transform name_list_ statement to the
+Once declared, Transforms can be added to the declarations of PDUs, GOPs or
+GOGs. This is done by adding the _Transform name_list_ statement to the
declaration:
----
@@ -781,15 +827,16 @@ Pdu my_proto_pdu Proto my_proto Transport ip {
* In case of PDU, the list of transforms is applied against the PDU's AVPL
after its creation.
-* In case of Gop and Gog, the list of transforms is applied against their
+* In case of GOP and GOG, the list of transforms is applied against their
respective AVPLs when they are created and every time they change.
===== Operation
+.Applying Transform flowchart
image::images/ws-mate-transform.png[]
-* A list of previously declared Transforms may be given to every Item (Pdu, Gop,
-or Gog), using the Transform statement.
+* A list of previously declared Transforms may be given to every Item (_Pdu_, _Gop_,
+or _Gog_), using the _Transform_ statement.
* Every time the AVPL of an item changes, it will be operated against *all* the
Transforms on the list given to that item. The Transforms on the list are
applied left to right.
@@ -799,75 +846,83 @@ tried or until one of them succeeds.
MATE's Transforms can be used for many different things, like:
-====== Multiple Start/Stop conditions for a Gop
+===== Multiple Start/Stop conditions for a GOP
-Using _Transforms_ we can add more than one start or stop condition to a Gop.
+Using _Transforms_ we can add more than one start or stop condition to a GOP.
----
Transform start_cond {
- Match (attr1=aaa,attr2=bbb) (msg_type=start);
- Match (attr3=www,attr2=bbb) (msg_type=start);
- Match (attr5^a) (msg_type=stop);
- Match (attr6$z) (msg_type=stop);
+ Match (attr1=aaa,attr2=bbb) (msg_type=start);
+ Match (attr3=www,attr2=bbb) (msg_type=start);
+ Match (attr5^a) (msg_type=stop);
+ Match (attr6$z) (msg_type=stop);
};
Pdu pdu ... {
- ...
- Transform start_cond;
+ ...
+ Transform start_cond;
}
Gop gop ... {
- Start (msg_type=start);
- Stop (msg_type=stop);
- ...
+ Start (msg_type=start);
+ Stop (msg_type=stop);
+ ...
}
----
-====== Marking Gops and Gogs to filter them easily
+===== Marking GOPs and GOGs to filter them easily
----
Transform marks {
- Match (addr=10.10.10.10, user=john) (john_at_host);
- Match (addr=10.10.10.10, user=tom) (tom_at_host);
+ Match (addr=10.10.10.10, user=john) (john_at_host);
+ Match (addr=10.10.10.10, user=tom) (tom_at_host);
}
...
Gop my_gop ... {
- ...
- Transform marks;
+ ...
+ Transform marks;
}
----
-After that we can use a display filter *mate.gop.john_at_host* or
-*mate.gop.tom_at_host*
+After that we can use a display filter *mate.my_gop.john_at_host* or
+*mate.my_gop.tom_at_host*
-====== Adding direction knowledge to MATE
+===== Adding (Insert) direction knowledge to MATE
----
Transform direction_as_text {
- Match (src=192.168.0.2, dst=192.168.0.3) Replace (direction=from_2_to_3);
- Match (src=192.168.0.3, dst=192.168.0.2) Replace (direction=from_3_to_2);
+ Match (src=192.168.0.2, dst=192.168.0.3) Insert (direction=from_2_to_3);
+ Match (src=192.168.0.3, dst=192.168.0.2) Insert (direction=from_3_to_2);
};
Pdu my_pdu Proto my_proto Transport tcp/ip {
- Extract src From ip.src;
- Extract dst From ip.dst;
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Extract start From tcp.flags.syn;
- Extract stop From tcp.flags.fin;
- Extract stop From tcp.flags.rst;
- Transform direction_as_text;
+ Extract src From ip.src;
+ Extract dst From ip.dst;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract start From tcp.flags.syn;
+ Extract stop From tcp.flags.fin;
+ Extract stop From tcp.flags.rst;
+ Transform direction_as_text;
}
Gop my_gop On my_pdu Match (addr,addr,port,port) {
- ...
- Extra (direction);
+ ...
+ Extra (direction);
}
----
-====== NAT
+The original example (below) would delete _src_ and _dst_ then add _direction_.
+----
+Transform direction_as_text {
+ Match (src=192.168.0.2, dst=192.168.0.3) Replace (direction=from_2_to_3);
+ Match (src=192.168.0.3, dst=192.168.0.2) Replace (direction=from_3_to_2);
+};
+----
+
+===== NAT
NAT can create problems when tracing, but we can easily work around it by
Transforming the NATed IP address and the Ethernet address of the router into
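Review bot: `Extract stop From tcp.flags.rst;` in the direction example uses a field name that does not match the `tcp.flags.reset` used by the tcp.mate example later in this patch; Wireshark's TCP dissector registers the reset flag as `tcp.flags.reset`, so this Extract will never populate `stop`. The same two-Extract pattern (`stop` from both the fin and the reset flag) is exactly what the tcp.mate hunk replaces with an `add_tcp_stop` Transform, so consider doing the same here. Two smaller points: the heading `===== Adding (Insert) direction knowledge to MATE` reads oddly with a keyword in parentheses, and the Replace-versus-Insert explanation already lives in the new paragraph below; and the context line `Pdu my_pdu Proto my_proto transport tcp/ip/eth {` still has lowercase `transport` while every other declaration in the chapter uses `Transport`.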
@@ -875,34 +930,26 @@ the non-NAT address:
----
Transform denat {
- Match (addr=192.168.0.5, ether=01:02:03:04:05:06) Replace (addr=123.45.67.89);
- Match (addr=192.168.0.6, ether=01:02:03:04:05:06) Replace (addr=123.45.67.90);
- Match (addr=192.168.0.7, ether=01:02:03:04:05:06) Replace (addr=123.45.67.91);
+ Match (addr=192.168.0.5, ether=01:02:03:04:05:06) Replace (addr=123.45.67.89);
+ Match (addr=192.168.0.6, ether=01:02:03:04:05:06) Replace (addr=123.45.67.90);
+ Match (addr=192.168.0.7, ether=01:02:03:04:05:06) Replace (addr=123.45.67.91);
}
Pdu my_pdu Proto my_proto transport tcp/ip/eth {
- Extract ether From eth.addr;
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Transform denat;
+ Extract ether From eth.addr;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Transform denat;
}
----
-==== About MATE
-
-MATE was originally written by Luis Ontanon, a Telecommunications systems
-troubleshooter, as a way to save time filtering out the packets of a single call
-from huge capture files using just the calling number. Later he used the time he
-had saved to make it flexible enough to work with protocols other than the ones
-he was directly involved with.
-
[#ChMateConfigurationTutorial]
=== MATE's configuration tutorial
-We'll show a MATE configuration that first creates Gops for every DNS and HTTP
-request, then it ties the Gops together in a Gop based on the host. Finally,
-we'll separate into different Gogs request coming from different users.
+We'll show a MATE configuration that first creates GOPs for every DNS and HTTP
+request, then it ties the GOPs together in a GOG based on the host. Finally,
+we'll separate into different GOGs request coming from different users.
With this MATE configuration loaded we can:
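Review bot: deleting the `==== About MATE` paragraph removes the only credit to the original author (Luis Ontanon) in this chapter, and nothing else in the patch re-adds it; confirm it was intentionally moved elsewhere rather than dropped, otherwise keep it. The wording change from "ties the Gops together in a Gop" to "ties the GOPs together in a GOG" is a genuine fix, since the tutorial groups the two GOPs into the `http_use` GOG.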
@@ -915,78 +962,78 @@ to isolate DNS and HTTP packets related to a visit of a certain user.
that take more than 1.5 seconds to complete.
The complete config file is available on the Wireshark Wiki:
-https://gitlab.com/wireshark/wireshark/-/wikis/Mate/Tutorial
+{wireshark-wiki-url}Mate/Tutorial
Note: This example uses _dns.qry.name_ which is defined since Wireshark
-version 0.10.9. Supposing you have a mate plugin already installed you can test
+version 0.10.9. Supposing you have a MATE plugin already installed you can test
it with the current Wireshark version.
-==== A Gop for DNS requests
+==== A GOP for DNS requests
-First we'll tell MATE how to create a Gop for each DNS request/response.
+First we'll tell MATE how to create a GOP for each DNS request/response.
-MATE needs to know what makes a DNS PDU. We describe it this using a Pdu
+MATE needs to know what makes a DNS PDU. We describe it using a _Pdu_
declaration:
----
Pdu dns_pdu Proto dns Transport ip {
- Extract addr From ip.addr;
- Extract dns_id From dns.id;
- Extract dns_resp From dns.flags.response;
+ Extract addr From ip.addr;
+ Extract dns_id From dns.id;
+ Extract dns_resp From dns.flags.response;
};
----
-Using _Proto dns_ we tell MATE to create Pdus every time it finds _dns_. Using
+Using _Proto dns_ we tell MATE to create PDUs every time it finds _dns_. Using
_Transport ip_ we inform MATE that some of the fields we are interested are
in the _ip_ part of the frame. Finally, we tell MATE to import _ip.addr_ as
_addr_, _dns.id_ as _dns_id_ and _dns.flags.response_ as _dns_resp_.
Once we've told MATE how to extract _dns_pdus_ we'll tell it how to match
-requests and responses and group them into a Gop. For this we'll use a _Gop_
-declaration to define the Gop, and then, _Start_ and _Stop_ statements to
-tell it when the Gop starts and ends.
+requests and responses and group them into a GOP. For this we'll use a _Gop_
+declaration to define the GOP, and then, _Start_ and _Stop_ statements to
+tell it when the GOP starts and ends.
----
Gop dns_req On dns_pdu Match (addr,addr,dns_id) {
- Start (dns_resp=0);
- Stop (dns_resp=1);
+ Start (dns_resp="False");
+ Stop (dns_resp="True");
};
----
-Using the *Gop* declaration we tell MATE that the *Name* of the Gop is _dns_req_,
-that _dns_pdus_ can become members of the Gop, and what is the key used to match
-the Pdus to the Gop.
+Using the *Gop* declaration we tell MATE that the *Name* of the GOP is _dns_req_,
+that _dns_pdus_s can become members of the GOP, and what is the key used to match
+the PDUs to the GOP.
-The key for this Gop is _"addr, addr, dns_id"_. That means that in order to
-belong to the same Gop, _dns_pdus_ have to have both addresses and the
+The key for this GOP is _"addr, addr, dns_id"_. That means that in order to
+belong to the same GOP, _dns_pdus_ have to have both addresses and the
_request id_ identical. We then instruct MATE that a _dns_req_ starts whenever
-a _dns_pdu_ matches _"dns_resp=0"_ and that it stops when another _dns_pdu_
-matches _"dns_resp=1"_.
+a _dns_pdu_ matches _"dns_resp=++"++False++"++"_ and that it stops when another _dns_pdu_
+matches _"dns_resp=++"++True++"++"_.
At this point, if we open a capture file using this configuration, we are able
to use a display filter *mate.dns_req.Time > 1* to see only the packets of
DNS requests that take more than one second to complete.
We can use a display filter *mate.dns_req && ! mate.dns_req.Time* to find
-requests for which no response was given. *mate.xxx.Time* is set only for Gops
+requests for which no response was given. *mate.xxx.Time* is set only for GOPs
that have being stopped.
-==== A Gop for HTTP requests
+==== A GOP for HTTP requests
-This other example creates a Gop for every HTTP request.
+This other example creates a GOP for every HTTP request.
----
Pdu http_pdu Proto http Transport tcp/ip {
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Extract http_rq From http.request.method;
- Extract http_rs From http.response;
- DiscardPduData true;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract http_rq From http.request.method;
+ Extract http_rs From http.response;
+ DiscardPduData true;
};
Gop http_req On http_pdu Match (addr, addr, port, port) {
- Start (http_rq);
- Stop (http_rs);
+ Start (http_rq);
+ Stop (http_rs);
};
----
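Review bot: `that _dns_pdus_s can become members of the GOP` doubles the plural; the italic should wrap the singular name, `_dns_pdu_s`, matching the `*http_req*s` style used later in this section. On the wiki link, `{wireshark-wiki-url}Mate/Tutorial` reproduces the old `https://gitlab.com/wireshark/wireshark/-/wikis/Mate/Tutorial` only if the attribute value ends with a slash; verify the attribute definition, otherwise the rendered link becomes `...wikisMate/Tutorial`. The context line "that have being stopped", directly after the `mate.xxx.Time` sentence this hunk edits, should read "that have been stopped".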
@@ -997,64 +1044,64 @@ response header takes more than one second to come
* filtering with *mate.http_req.Duration > 1.5* will show those request that
take more than 1.5 seconds to complete.
-You have to know that *mate.xxx.Time* gives the time in seconds between the pdu
-matching the GopStart and the Pdu matching the GopStop (yes, you can create
+You have to know that *mate.xxx.Time* gives the time in seconds between the PDU
+matching the GOP *Start* clause and the PDU matching the GOP *Stop* clause (yes, you can create
timers using this!). On the other hand, *mate.xxx.Duration* gives you the time
-passed between the GopStart and the last pdu assigned to that Gop regardless
-whether it is a stop or not. After the GopStop, Pdus matching the Gop's Key will
-still be assigned to the same Gop as far as they don't match the GopStart, in
-which case a new Gop with the same key will be created.
+passed between the GOP *Start* and the last PDU assigned to that GOP regardless
+whether it is a *Stop* or not. After the GOP *Stop*, PDUs matching the GOP's Key will
+still be assigned to the same GOP as far as they don't match the GOP *Start*, in
+which case a new GOP with the same key will be created.
-==== Getting DNS and HTTP together into a Gog
+==== Getting DNS and HTTP together into a GOG
-We'll tie together to a single Gog all the http packets belonging to requests
-and responses to a certain host and the dns request and response used to resolve
-its domain name using the Pdu and Gop definitions of the previous examples
+We'll tie together to a single GOG all the HTTP packets belonging to requests
+and responses to a certain host and the DNS request and response used to resolve
+its domain name using the _Pdu_ and _Gop_ definitions of the previous examples
To be able to group DNS and HTTP requests together, we need to import into the
-Pdus and Gops some part of information that both those protocols share. Once the
-Pdus and Gops have been defined, we can use _Extract_ (for Pdus) and
-_Extract_ (for Gops) statements to tell MATE what other protocol fields are to
-be added to Pdus' and Gops' AVPLs. We add the following statements to the
+PDUs and GOPs some part of information that both those protocols share. Once the
+PDUs and GOPs have been defined, we can use _Extract_ (for PDUs) and
+_Extract_ (for GOPs) statements to tell MATE what other protocol fields are to
+be added to PDU's and GOP's AVPLs. We add the following statements to the
appropriate declarations:
----
-Extract host From http.host; // to Pdu http_pdu as the last Extract in the list
-Extra (host); // to Gop http_req after the Stop
+ Extract host From http.host; // to Pdu http_pdu as the last Extract in the list
+ Extra (host); // to Gop http_req after the Stop
-Extract host From dns.qry.name; // to Pdu dns_pdu as the last Extract in the list
-Extra (host); // to Gop dns_req after the Stop
+ Extract host From dns.qry.name; // to Pdu dns_pdu as the last Extract in the list
+ Extra (host); // to Gop dns_req after the Stop
----
Here we've told MATE to import _http.host_ into _http_pdu_ and _dns.qry.name_
into _dns_pdu_ as _host_. We also have to tell MATE to copy the _host_
-attribute from the Pdus to the Gops, we do this using _Extra_.
+attribute from the PDUs to the GOPs - we do this using _Extra_.
-Once we have all the data we need in Pdus and Gops, we tell MATE what makes
-different Gops belong to a certain Gog.
+Once we have all the data we need in PDUs and GOPs, we tell MATE what makes
+different GOPs belong to a certain GOG.
----
Gog http_use {
- Member http_req (host);
- Member dns_req (host);
- Expiration 0.75;
+ Member http_req (host);
+ Member dns_req (host);
+ Expiration 0.75;
};
----
-Using the _Gog_ declaration, we tell MATE to define a Gog type _Named_
-_http_use_ whose expiration is 0.75 seconds after all the Gops that belong to it
-had been stopped. After that time, an eventual new Gop with the same key match
-will create a new Gog instead of been added to the previous Gog.
+Using the _Gog_ declaration, we tell MATE to define a GOG type named
+_http_use_ whose expiration is 0.75 seconds after all the GOPs that belong to it
+had been stopped. After that time, an eventual new GOP with the same key match
+will create a new GOG instead of been added to the previous GOG.
Using the _Member_ statements, we tell MATE that *http_req*s with the same
-*host* belong to the same Gog, same thing for *dns_req*s.
+*host* belong to the same GOG, same thing for *dns_req*s.
-So far we have instructed mate to group every packet related to sessions towards
+So far we have instructed MATE to group every packet related to sessions towards
a certain host. At this point if we open a capture file and:
* a display filter *mate.http_use.Duration > 5* will show only those requests
that have taken more than 5 seconds to complete starting from the DNS request
-and ending with the last packet of the http responses.
+and ending with the last packet of the HTTP responses.
* a display filter *mate.http_use.host == "www.w3c.org"* will show all the
packets (both DNS and HTTP) related to the requests directed to www.w3c.org
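Review bot: `be added to PDU's and GOP's AVPLs` turns a plural possessive into a singular one; the original `Pdus' and Gops' AVPLs` was right apart from case, so this should be `PDUs' and GOPs' AVPLs`. Two wording slips survive the rewrite on lines this hunk touches: `instead of been added to the previous GOG` should be `being added`, and the sentence ending `definitions of the previous examples` still has no full stop.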
@@ -1065,60 +1112,60 @@ packets (both DNS and HTTP) related to the requests directed to www.w3c.org
This configuration works fine if used for captures taken at the client's side
but deeper in the network we'd got a real mess. Requests from many users get
-mixed together into _http_uses_. Gogs are created and stopped almost randomly
-(depending on the timing in which Gops start and stop). How do we get requests
+mixed together into _http_uses_. GOGs are created and stopped almost randomly
+(depending on the timing in which GOPs start and stop). How do we get requests
from individual users separated from each other?
MATE has a tool that can be used to resolve this kind of grouping issues. This
-tool are the _Transforms_. Once defined, they can be applied against Pdus,
-Gops and Gogs and they might replace or insert more attributes based on what's
-there. We'll use them to create an attribute named client, using which we'll
+tool are the _Transforms_. Once defined, they can be applied against PDUs,
+GOPs and GOGs and they might replace or insert more attributes based on what's
+there. We'll use them to create an attribute named *client*, using which we'll
separate different requests.
-For DNS we need the ip.src of the request moved into the Gop only from the DNS
+For DNS we need the ip.src of the request moved into the GOP only from the DNS
request.
So we first tell MATE to import ip.src as client:
----
-Extract client From ip.src;
+ Extract client From ip.src;
----
-Next, we tell MATE to replace ( *dns_resp=1, client* ) with just *dns_resp=1* in
-the Pdu. That way, we'll keep the attribute *client* only in the DNS request
-Pdus (i.e., packets coming from the client).To do so, we have to add a
-_Transform_ declaration (in this case, with just one clause) before the Pdu
+Next, we tell MATE to replace ( *dns_resp="True", client* ) with just *dns_resp="True"* in
+the PDU. That way, we'll keep the attribute *client* only in the DNS request
+PDUs (i.e., packets coming from the client).To do so, we have to add a
+_Transform_ declaration (in this case, with just one clause) before the _Pdu_
declaration which uses it:
----
Transform rm_client_from_dns_resp {
- Match (dns_resp=1, client) Replace (dns_resp=1);
+ Match (dns_resp="True", client) Replace (dns_resp="True");
};
----
Next, we invoke the transform by adding the following line after the _Extract_
-list of the dns_pdu Pdu:
+list of the dns_pdu PDU:
----
- Transform rm_client_from_dns_resp;
+ Transform rm_client_from_dns_resp;
----
HTTP is a little trickier. We have to remove the attribute carrying ip.src from
both the response and the "continuations" of the response, but as there is
nothing to filter on for the continuations, we have to add a fake attribute
-first. And then we have to remove client when the fake attribute appears.
+first. And then we have to remove *client* when the fake attribute appears.
This is possible due to the fact that the _Match_ clauses in the _Transform_
are executed one by one until one of them succeeds. First, we declare another
two _Transforms_:
----
Transform rm_client_from_http_resp1 {
- Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted
- Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests
+ Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted
+ Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests
};
Transform rm_client_from_http_resp2 {
- Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing (will happen only in the response and eventual parts of it)
+ Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing (will happen only in the response and eventual parts of it)
};
----
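Review bot: `This tool are the _Transforms_` is a subject/verb mismatch carried over from the old text; since the line is already being rewritten, make it `This tool is the _Transform_` (or `These tools are the _Transforms_`). The line `(i.e., packets coming from the client).To do so` is also edited in this hunk and still lacks the space after the full stop.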
@@ -1126,8 +1173,8 @@ Next, we add another _Extract_ statement to the _http_pdu_ declaration, and
apply both _Transforms_ declared above in a proper order:
----
- Extract client From ip.src;
- Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
+ Extract client From ip.src;
+ Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
----
In MATE, all the _Transform_s listed for an item will be evaluated, while
@@ -1137,24 +1184,24 @@ first sequence before adding the _not_rq_ attribute. Then we apply the second
_Transform_ which removes both _not_rq_ and _client_ if both are there. Yes,
_Transform_s are cumbersome, but they are very useful.
-Once we got all what we need in the Pdus, we have to tell MATE to copy the
-attribute _client_ from the Pdus to the respective Gops, by adding client to
-_Extra_ lists of both Gop declarations:
+Once we got all what we need in the PDUs, we have to tell MATE to copy the
+attribute _client_ from the PDUs to the respective GOPs, by adding client to
+_Extra_ lists of both _Gop_ declarations:
----
-Extra (host, client);
+ Extra (host, client);
----
-On top of that, we need to modify the old declarations of Gop key to new ones
-that include both _client_ and _host_. So we change the Gog *Member*
+On top of that, we need to modify the old declarations of GOP key to new ones
+that include both _client_ and _host_. So we change the _Gog_ *Member*
declarations the following way:
----
- Member http_req (host, client);
- Member dns_req (host, client);
+ Member http_req (host, client);
+ Member dns_req (host, client);
----
-Now we got it, every "usage" gets its own Gog.
+Now we got it, every "usage" gets its own GOG.
[#ChMateConfigurationExamples]
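Review bot: `modify the old declarations of GOP key` is misleading: what changes here are the `Member` clauses of the `Gog http_use` declaration, i.e. the GOG's matching key, while the `Gop` `Match` keys defined earlier in the tutorial are untouched. Suggest `declarations of the GOG key`; the original `Gop key` was wrong for the same reason, and the sentence that follows already says "we change the _Gog_ *Member* declarations".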
@@ -1164,22 +1211,29 @@ The following is a collection of various configuration examples for MATE. Many
of them are useless because the "conversations" facility does a better job.
Anyway they are meant to help users understanding how to configure MATE.
-==== TCP session
+[#File_tcp_mate]
+==== TCP session (tcp.mate)
-The following example creates a GoP out of every TCP session.
+The following example creates a GOP out of every TCP session.
----
+Transform add_tcp_stop {
+ Match (tcp_flags_reset="True") Insert (tcp_stop="True");
+ Match (tcp_flags_fin="True") Insert (tcp_stop="True");
+};
+
Pdu tcp_pdu Proto tcp Transport ip {
Extract addr From ip.addr;
Extract port From tcp.port;
Extract tcp_start From tcp.flags.syn;
- Extract tcp_stop From tcp.flags.reset;
- Extract tcp_stop From tcp.flags.fin;
+ Extract tcp_flags_reset From tcp.flags.reset;
+ Extract tcp_flags_fin From tcp.flags.fin;
+ Transform add_tcp_stop;
};
Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) {
- Start (tcp_start=1);
- Stop (tcp_stop=1);
+ Start (tcp_start="True");
+ Stop (tcp_stop="True");
};
Done;
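Review bot: the new `add_tcp_stop` Transform is a cleaner way to derive `tcp_stop` than extracting two different fields into one attribute, but since Match clauses are tried in order and stop at the first hit (as the tutorial states), a segment with both RST and FIN set receives `tcp_stop` exactly once; that is the intended behaviour and deserves a one-line comment in the example, because the same block is duplicated verbatim in the library section further down this patch. `[#File_tcp_mate]` looks like it was added so that the library section can reference this example; if so, a `<<File_tcp_mate>>` cross-reference there would avoid maintaining two copies.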
@@ -1187,54 +1241,54 @@ Done;
This probably would do fine in 99.9% of the cases but 10.0.0.1:20->10.0.0.2:22 and 10.0.0.1:22->10.0.0.2:20 would both fall into the same gop if they happen to overlap in time.
-* filtering with *mate.tcp_ses.Time > 1* will give all the sessions that last less than one second
+* filtering with *mate.tcp_ses.Time > 1* will give all the sessions that last more than one second
* filtering with *mate.tcp_ses.NumOfPdus < 5* will show all tcp sessions that have less than 5 packets.
* filtering with *mate.tcp_ses.Id == 3* will show all the packets for the third tcp session MATE has found
-==== a Gog for a complete FTP session
+==== a GOG for a complete FTP session
-This configuration allows to tie a complete passive ftp session (including the
-data transfer) in a single Gog.
+This configuration allows to tie a complete passive FTP session (including the
+data transfer) in a single GOG.
----
Pdu ftp_pdu Proto ftp Transport tcp/ip {
- Extract ftp_addr From ip.addr;
- Extract ftp_port From tcp.port;
- Extract ftp_resp From ftp.response.code;
- Extract ftp_req From ftp.request.command;
- Extract server_addr From ftp.passive.ip;
- Extract server_port From ftp.passive.port;
-
- LastPdu;
+ Extract ftp_addr From ip.addr;
+ Extract ftp_port From tcp.port;
+ Extract ftp_resp From ftp.response.code;
+ Extract ftp_req From ftp.request.command;
+ Extract server_addr From ftp.passive.ip;
+ Extract server_port From ftp.passive.port;
+
+ LastPdu true;
};
Pdu ftp_data_pdu Proto ftp-data Transport tcp/ip{
- Extract server_addr From ip.src;
- Extract server_port From tcp.srcport;
+ Extract server_addr From ip.src;
+ Extract server_port From tcp.srcport;
};
-Gop ftp_data On ftp_data_pdu (server_addr, server_port) {
- Start (server_addr);
+Gop ftp_data On ftp_data_pdu Match (server_addr, server_port) {
+ Start (server_addr);
};
-Gop ftp_ctl On ftp_pdu (ftp_addr, ftp_addr, ftp_port, ftp_port) {
- Start (ftp_resp=220);
- Stop (ftp_resp=221);
- Extra (server_addr, server_port);
+Gop ftp_ctl On ftp_pdu Match (ftp_addr, ftp_addr, ftp_port, ftp_port) {
+ Start (ftp_resp=220);
+ Stop (ftp_resp=221);
+ Extra (server_addr, server_port);
};
Gog ftp_ses {
- Member ftp_ctl (ftp_addr, ftp_addr, ftp_port, ftp_port);
- Member ftp_data (server_addr, server_port);
+ Member ftp_ctl (ftp_addr, ftp_addr, ftp_port, ftp_port);
+ Member ftp_data (server_addr, server_port);
};
Done;
----
Note: not having anything to distinguish between ftp-data packets makes this
-config to create one Gop for every ftp-data packet instead of each transfer.
-Pre-started Gops would avoid this.
+config to create one GOP for every ftp-data packet instead of each transfer.
+Pre-started GOPs would avoid this.
==== using RADIUS to filter SMTP traffic of a specific user
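Review bot: adding the missing `Match` keyword to both `Gop` lines and `true` to `LastPdu` are real syntax fixes, and the `Time > 1` wording change to "more than one second" is correct. Two consistency points on lines adjacent to the edits: the context line "would both fall into the same gop" keeps lowercase `gop` while the patch standardises on GOP elsewhere, and `Pdu ftp_data_pdu Proto ftp-data Transport tcp/ip{` lacks the space before `{` that every other declaration has.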
@@ -1285,46 +1339,46 @@ Done;
----
Filtering the capture file with *mate.user_mail.username == "theuser"* will
-filter the radius packets and smtp traffic for _"theuser"_.
+filter the RADIUS packets and SMTP traffic for _"theuser"_.
==== H323 Calls
-This configuration will create a Gog out of every call.
+This configuration will create a GOG out of every call.
----
Pdu q931 Proto q931 Transport ip {
- Extract addr From ip.addr;
- Extract call_ref From q931.call_ref;
- Extract q931_msg From q931.message_type;
- Extract calling From q931.calling_party_number.digits;
- Extract called From q931.called_party_number.digits;
- Extract guid From h225.guid;
- Extract q931_cause From q931.cause_value;
+ Extract addr From ip.addr;
+ Extract call_ref From q931.call_ref;
+ Extract q931_msg From q931.message_type;
+ Extract calling From q931.calling_party_number.digits;
+ Extract called From q931.called_party_number.digits;
+ Extract guid From h225.guid;
+ Extract q931_cause From q931.cause_value;
};
Gop q931_leg On q931 Match (addr, addr, call_ref) {
- Start (q931_msg=5);
- Stop (q931_msg=90);
- Extra (calling, called, guid, q931_cause);
+ Start (q931_msg=5);
+ Stop (q931_msg=90);
+ Extra (calling, called, guid, q931_cause);
};
Pdu ras Proto h225.RasMessage Transport ip {
- Extract addr From ip.addr;
- Extract ras_sn From h225.requestSeqNum;
- Extract ras_msg From h225.RasMessage;
- Extract guid From h225.guid;
+ Extract addr From ip.addr;
+ Extract ras_sn From h225.requestSeqNum;
+ Extract ras_msg From h225.RasMessage;
+ Extract guid From h225.guid;
};
Gop ras_req On ras Match (addr, addr, ras_sn) {
- Start (ras_msg {0|3|6|9|12|15|18|21|26|30} );
- Stop (ras_msg {1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31});
- Extra (guid);
+ Start (ras_msg {0|3|6|9|12|15|18|21|26|30} );
+ Stop (ras_msg {1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31});
+ Extra (guid);
};
Gog call {
- Member ras_req (guid);
- Member q931_leg (guid);
- Extra (called,calling,q931_cause);
+ Member ras_req (guid);
+ Member q931_leg (guid);
+ Extra (called,calling,q931_cause);
};
Done;
@@ -1339,10 +1393,10 @@ with this we can:
==== MMS
With this example, all the components of an MMS send or receive will be tied
-into a single Gog. Note that this example uses the _Payload_ clause because
+into a single GOG. Note that this example uses the _Payload_ clause because
MMS delivery uses MMSE over either HTTP or WSP. As it is not possible to relate
the retrieve request to a response by the means of MMSE only (the request is
-just an HTTP GET without any MMSE), a Gop is made of HTTP Pdus but MMSE data
+just an HTTP GET without any MMSE), a GOP is made of HTTP PDUs but MMSE data
need to be extracted from the bodies.
----
@@ -1351,61 +1405,61 @@ need to be extracted from the bodies.
## tested against any capture file due to lack of the latter.
Transform rm_client_from_http_resp1 {
- Match (http_rq);
- Match Every (addr) Insert (not_rq);
+ Match (http_rq);
+ Match Every (addr) Insert (not_rq);
};
Transform rm_client_from_http_resp2 {
- Match (not_rq,ue) Replace ();
+ Match (not_rq,ue) Replace ();
};
Pdu mmse_over_http_pdu Proto http Transport tcp/ip {
- Payload mmse;
- Extract addr From ip.addr;
- Extract port From tcp.port;
- Extract http_rq From http.request;
- Extract content From http.content_type;
- Extract resp From http.response.code;
- Extract method From http.request.method;
- Extract host From http.host;
- Extract content From http.content_type;
- Extract trx From mmse.transaction_id;
- Extract msg_type From mmse.message_type;
- Extract notify_status From mmse.status;
- Extract send_status From mmse.response_status;
- Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
+ Payload mmse;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract http_rq From http.request;
+ Extract content From http.content_type;
+ Extract resp From http.response.code;
+ Extract method From http.request.method;
+ Extract host From http.host;
+ Extract content From http.content_type;
+ Extract trx From mmse.transaction_id;
+ Extract msg_type From mmse.message_type;
+ Extract notify_status From mmse.status;
+ Extract send_status From mmse.response_status;
+ Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
};
Gop mmse_over_http On mmse_over_http_pdu Match (addr, addr, port, port) {
- Start (http_rq);
- Stop (http_rs);
- Extra (host, ue, resp, notify_status, send_status, trx);
+ Start (http_rq);
+ Stop (http_rs);
+ Extra (host, ue, resp, notify_status, send_status, trx);
};
Transform mms_start {
- Match Loose() Insert (mms_start);
+ Match Loose() Insert (mms_start);
};
Pdu mmse_over_wsp_pdu Proto wsp Transport ip {
- Payload mmse;
- Extract trx From mmse.transaction_id;
- Extract msg_type From mmse.message_type;
- Extract notify_status From mmse.status;
- Extract send_status From mmse.response_status;
- Transform mms_start;
+ Payload mmse;
+ Extract trx From mmse.transaction_id;
+ Extract msg_type From mmse.message_type;
+ Extract notify_status From mmse.status;
+ Extract send_status From mmse.response_status;
+ Transform mms_start;
};
Gop mmse_over_wsp On mmse_over_wsp_pdu Match (trx) {
- Start (mms_start);
- Stop (never);
- Extra (ue, notify_status, send_status);
+ Start (mms_start);
+ Stop (never);
+ Extra (ue, notify_status, send_status);
};
Gog mms {
- Member mmse_over_http (trx);
- Member mmse_over_wsp (trx);
- Extra (ue, notify_status, send_status, resp, host, trx);
- Expiration 60.0;
+ Member mmse_over_http (trx);
+ Member mmse_over_wsp (trx);
+ Extra (ue, notify_status, send_status, resp, host, trx);
+ Expiration 60.0;
};
----
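Review bot: since every line of this example is being re-indented anyway, this is the moment to fix the defects the comment at the top admits were never tested: `Extract content From http.content_type;` appears twice in `mmse_over_http_pdu`; `Stop (http_rs);` references an attribute the Pdu never extracts (there is `Extract resp From http.response.code;` but no `http_rs`), so the `mmse_over_http` GOP can never be stopped; and `ue`, used in `rm_client_from_http_resp2`, in both GOP `Extra` lists and in the `Gog mms` `Extra`, is not extracted anywhere either. At minimum the duplicate Extract should go; the `http_rs` and `ue` gaps need either an `Extract` each or an explicit note that the example is incomplete.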
@@ -1413,13 +1467,13 @@ Gog mms {
=== MATE's configuration library
-The MATE library (will) contains GoP definitions for several protocols. Library
+The MATE library (will) contains GOP definitions for several protocols. Library
protocols are included in your MATE config using: +_Action=Include;
Lib=proto_name;_+.
For Every protocol with a library entry, we'll find defined what from the PDU is
-needed to create a GoP for that protocol, eventually any criteria and the very
-essential GoP definition (i.e., __GopDef__, _GopStart_ and _GopStop_).
+needed to create a GOP for that protocol, eventually any criteria and the very
+essential GOP definition (i.e., __Gop__, _Start_ and _Stop_).
[NOTE]
====
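Review bot: `__Gop__` uses the unconstrained (double underscore) italic form while `_Start_` and `_Stop_` in the same parenthesis use the constrained form; write `_Gop_` for consistency. Nothing else in the hunk changes meaning.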
@@ -1432,20 +1486,36 @@ these in the new format.
===== TCP
-It will create a GoP for every TCP session, If it is used it should be the last
+It will create a GOP for every TCP session. If it is used it should be the last
one in the list. And every other proto on top of TCP should be declared with
-_Stop=TRUE;_ so the a TCP PDU is not created where we got already one going on.
+_LastPdu=TRUE;_ so that a TCP PDU is not created where another pdu type exists.
----
- Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr; port=tcp.port; tcp_start=tcp.flags.syn; tcp_stop=tcp.flags.fin; tcp_stop=tcp.flags.reset;
- Action=GopDef; Name=tcp_session; On=tcp_pdu; addr; addr; port; port;
- Action=GopStart; For=tcp_session; tcp_start=1;
- Action=GopStop; For=tcp_session; tcp_stop=1;
+Transform add_tcp_stop {
+ Match (tcp_flags_reset="True") Insert (tcp_stop="True");
+ Match (tcp_flags_fin="True") Insert (tcp_stop="True");
+};
+
+Pdu tcp_pdu Proto tcp Transport ip {
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract tcp_start From tcp.flags.syn;
+ Extract tcp_flags_reset From tcp.flags.reset;
+ Extract tcp_flags_fin From tcp.flags.fin;
+ Transform add_tcp_stop;
+};
+
+Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) {
+ Start (tcp_start="True");
+ Stop (tcp_stop="True");
+};
+
+Done;
----
===== DNS
-will create a GoP containing every request and its response (eventually
+will create a GOP containing every request and its response (eventually
retransmissions too).
----
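Review bot: `_LastPdu=TRUE;_` in the prose is old `Action=` syntax, but the example directly below it has been converted to the new `Pdu ... { }` form, and the FTP example earlier in this patch writes the same option as `LastPdu true;`; the prose should use the form the example uses, and "another pdu type" should be "PDU" like the rest of the patch. The converted block is identical to the `[#File_tcp_mate]` example added earlier, so a `<<File_tcp_mate>>` cross-reference would avoid keeping two copies in sync. Note also that the library entry's GOP is renamed from `tcp_session` to `tcp_ses`, which changes the display-filter names (`mate.tcp_session.*` becomes `mate.tcp_ses.*`) for anyone using the library entry; if that is intended it is worth a sentence in the prose.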
@@ -1458,7 +1528,7 @@ Action=GopStop; For=dns_req; dns_rsp=1;
===== RADIUS
-A Gop for every transaction.
+A GOP for every transaction.
----
Action=PduDef; Name=radius_pdu; Proto=radius; Transport=udp/ip; addr=ip.addr; port=udp.port; radius_id=radius.id; radius_code=radius.code;
@@ -1482,7 +1552,7 @@ Action=GopExtra; For=rtsp_ses; rtsp_ses; rtsp_url;
==== VoIP/Telephony
-Most protocol definitions here will create one Gop for every Call Leg unless
+Most protocol definitions here will create one GOP for every Call Leg unless
stated.
===== ISUP
@@ -1529,7 +1599,7 @@ Action=GopStop; For=sip; sip_method=BYE;
===== MEGACO
-Will create a Gop out of every transaction.
+Will create a GOP out of every transaction.
To "tie" them to your call's GoG use: _Action=GogKey; Name=your_call; On=mgc_tr;
addr!mgc_addr; megaco_ctx;_
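Review bot: the rewritten line now says `GOP`, but the context line two below it still reads `To "tie" them to your call's GoG`, so the mixed-case spelling survives in the same paragraph; change it to GOG here as well.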
@@ -1547,7 +1617,7 @@ Action=GopExtra; For=mgc_tr; term^DS1; megaco_ctx!Choose one;
=== MATE's reference manual
-==== Attribute Value Pairs
+==== Attribute Value Pairs (AVP)
MATE uses AVPs for almost everything: to keep the data it has extracted from the
frames' trees as well as to keep the elements of the configuration.
@@ -1555,11 +1625,11 @@ frames' trees as well as to keep the elements of the configuration.
These "pairs" (actually tuples) are made of a name, a value and, in case of
configuration AVPs, an operator. Names and values are strings. AVPs with
operators other than '=' are used only in the configuration and are used for
-matching AVPs of Pdus, GoPs and GoGs in the analysis phase.
+matching AVPs of PDUs, GOPs and GOGs in the analysis phase.
===== Name
-The name is a string used to refer to a class of AVPs. Two attributes won't
+The name is a string used to refer to a type of AVP. Two attributes won't
match unless their names are identical. Capitalized names are reserved for
keywords (you can use them for your elements if you want but I think it's not
the case). MATE attribute names can be used in Wireshark's display filters the
@@ -1573,7 +1643,7 @@ AVPs) or by MATE while extracting interesting fields from a dissection tree
and/or manipulating them later. The values extracted from fields use the same
representation as they do in filter strings.
-===== Operators
+==== AVP Operators (=,!,{},^,$,~,<,>,?)
Currently only match operators are defined (there are plans to (re)add transform
attributes but some internal issues have to be solved before that). The match
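Review bot: promoting `Operators` from `=====` to `==== AVP Operators (=,!,{},^,$,~,<,>,?)` makes it a sibling of `==== Attribute Value Pairs (AVP)` rather than a child, and every operator subsection below is promoted with it; the opening sentence "Currently only match operators are defined" still reads as a continuation of the AVP section, so confirm the restructuring is deliberate. The explicit `[#Equal]`, `[#NotEqual]` and similar anchors on the promoted headings keep their IDs, which is good; a render check is still worthwhile because the literal symbol list in the title includes `{}`, which AsciiDoc may treat specially when it sits in a section title.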
@@ -1604,7 +1674,7 @@ higher than the configuration value string.
what the value string is.
[#Equal]
-====== Equal AVP Operator
+===== Equal AVP Operator (=)
This operator tests whether the values of the operator and the operand AVP are
equal.
@@ -1614,7 +1684,7 @@ attrib=aaa *matches* attrib=aaa +
attrib=aaa *does not match* attrib=bbb
[#NotEqual]
-====== Not equal AVP operator
+===== Not equal AVP operator (!)
This operator matches if the value strings of two AVPs are not equal.
@@ -1623,7 +1693,7 @@ attrib=aaa matches attrib!bbb +
attrib=aaa does not match attrib!aaa
[#OneOf]
-====== "One of" AVP operator
+===== "One of" AVP operator ({})
The "one of" operator matches if the data AVP value is equal to one of the
values listed in the "one of" AVP.
@@ -1634,7 +1704,7 @@ attrib=2 matches attrib{1|2|3} +
attrib=4 does not match attrib{1|2|3}
[#StartsWith]
-====== "Starts with" AVP operator
+===== "Starts with" AVP operator (^)
The "starts with" operator matches if the first characters of the data AVP
value are identical to the configuration AVP value.
@@ -1647,7 +1717,7 @@ attrib=abcd does not match attrib^bcd +
attrib=abc does not match attrib^abcd +
[#EndsWith]
-====== "Ends with" operator
+===== "Ends with" operator ($)
The ends with operator will match if the last bytes of the data AVP value are
equal to the configuration AVP value.
@@ -1658,7 +1728,7 @@ attrib=yz does not match attrib$xyz +
attrib=abc...wxyz does not match attrib$abc
[#Contains]
-====== Contains operator
+===== Contains operator (~)
The "contains" operator will match if the data AVP value contains a string
identical to the configuration AVP value.
@@ -1670,7 +1740,7 @@ attrib=abcde matches attrib~cde +
attrib=abcde does not match attrib~xyz
[#LowerThan]
-====== "Lower than" operator
+===== "Lower than" operator (<)
The "lower than" operator will match if the data AVP value is semantically lower
than the configuration AVP value.
@@ -1687,7 +1757,7 @@ BUGS
It should check whether the values are numbers and compare them numerically
[#HigherThan]
-====== "Higher than" operator
+===== "Higher than" operator (>)
The "higher than" operator will match if the data AVP value is semantically
higher than the configuration AVP value.
@@ -1705,7 +1775,7 @@ BUGS
It should check whether the values are numbers and compare them numerically
[#Exists]
-====== Exists operator
+===== Exists operator (?)
The exists operator will always match as far as the two operands have the same
name.
@@ -1716,14 +1786,15 @@ attrib=abc matches attrib? +
attrib=abc matches attrib (this is just an alternative notation of the previous example) +
obviously attrib=abc does not match other_attrib? +
-==== Attribute/Value Pair List (AVPL)
-Pdus, GoPs and GoGs use an AVPL to contain the tracing information. An AVPL is
+==== Attribute Value Pair List (AVPL)
+PDUs, GOPs and GOGs use an AVPL to contain the tracing information. An AVPL is
an unsorted set of <<AVP,AVPs>> that can be matched against other AVPLs.
-===== Operations between AVPLs
+[#Match]
+==== Operations between AVPLs (Match)
There are three types of match operations that can be performed between AVPLs.
-The Pdu's/GoP's/GoG's AVPL will be always one of the operands; the AVPL operator
+The PDU's/GOP's/GOG's AVPL will be always one of the operands; the AVPL operator
(match type) and the second operand AVPL will always come from the
<<Config,configuration>>.
Note that a diverse AVP match operator may be specified for each AVP in the
@@ -1733,7 +1804,7 @@ An AVPL match operation returns a result AVPL. In <<Transform,Transform>>s, the
result AVPL may be replaced by another AVPL. The replacement means that the
existing data AVPs are dropped and the replacement AVPL from the
<<Config,configuration>> is <<Merge,Merged>> to the data AVPL of the
-Pdu/GoP/GoG.
+PDU/GOP/GOG.
* <<Loose,Loose Match>>: Will match if at least one of the AVPs of the two
operand AVPLs match. If it matches, it returns a result AVPL containing all AVPs
@@ -1748,15 +1819,15 @@ configuration AVPL has at least one match in the data AVPL. If it matches, it
returns a result AVPL containing those AVPs from the data AVPL that matched.
[#Loose]
-====== Loose Match
+===== Loose Match
A loose match between AVPLs succeeds if at least one of the data AVPs matches at
least one of the configuration AVPs. Its result AVPL contains all the data AVPs
that matched.
-Loose matches are used in Extra operations against the <<Pdu,Pdu>>'s AVPL to
-merge the result into <<Gop,Gop>>'s AVPL, and against <<Gop,Gop>>'s AVPL to
-merge the result into <<Gog,Gog>>'s AVPL. They may also be used in
+Loose matches are used in Extra operations against the <<Pdu,PDU>>'s AVPL to
+merge the result into <<Gop,GOP>>'s AVPL, and against <<Gop,GOP>>'s AVPL to
+merge the result into <<Gog,GOG>>'s AVPL. They may also be used in
<<Criteria,Criteria>> and <<Transform,Transform>>s.
[NOTE]
@@ -1775,7 +1846,7 @@ Loose Match Examples
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a=xxx; attr_c=ccc) ==> No Match!
[#Every]
-====== Every Match
+===== Every Match
An "every" match between AVPLs succeeds if none of the configuration's AVPs that
have a counterpart in the data AVPL fails to match. Its result AVPL contains all
@@ -1800,13 +1871,13 @@ https://gitlab.com/wireshark/wireshark/-/issues/12184[issue 12184].
(attr_a=aaa; attr_b=bbb; attr_c=xxx) Match Every (attr_a=xxx, attr_c=ccc) ==> No Match!
[#Strict]
-====== Strict Match
+===== Strict Match
A Strict match between AVPLs succeeds if and only if every AVP in the
configuration AVPL has at least one counterpart in the data AVPL and none of the
AVP matches fails. The result AVPL contains all the data AVPs that matched.
-These are used between Gop keys (key AVPLs) and Pdu AVPLs. They may also be used
+These are used between GOP keys (key AVPLs) and PDU AVPLs. They may also be used
in <<Criteria,Criteria>> and <<Transform,Transform>>s.
Examples
@@ -1820,118 +1891,94 @@ Examples
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c?, attr_d?) ==> No Match!
[#Merge]
-====== AVPL Merge
+==== AVPL Merge
An AVPL may be merged into another one. That would add to the latter every AVP
from the former that does not already exist there.
This operation is done
-* between the result of a key match and the Gop's or Gog's AVPL,
-* between the result of an Extra match and the Gop's or Gog's AVPL,
-* between the result of a <<Transform,Transform>> match and Pdu's/Gop's AVPL. If
+* between the result of a key match and the GOP's or GOG's AVPL,
+* between the result of an Extra match and the GOP's or GOG's AVPL,
+* between the result of a <<Transform,Transform>> match and PDU's/GOP's AVPL. If
the operation specified by the Match clause is Replace, the result AVPL of the
match is removed from the item's AVPL before the modify_avpl is merged into it.
Examples
-(attr_a=aaa, attr_b=bbb) Merge (attr_a=aaa, attr_c=xxx) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx)
+(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_c=xxx) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx)
-(attr_a=aaa, attr_b=bbb) Merge (attr_a=aaa, attr_a=xxx) former becomes (attr_a=aaa, attr_a=xxx, attr_b=bbb)
+Can't have multiple "attr_a" with same value "aaa"
-(attr_a=aaa, attr_b=bbb) Merge (attr_c=xxx, attr_d=ddd) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_d=ddd)
+(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_a=xxx) former becomes (attr_a=aaa, attr_a=xxx, attr_b=bbb)
-[#Transform]
-====== Transforms
+Multiple "attr_a" with different values "aaa" and "xxx"
-A Transform is a sequence of Match rules optionally followed by an instruction
-how to modify the match result using an additional AVPL. Such modification may
-be an Insert (merge) or a Replace. The syntax is as follows:
+(attr_a=aaa, attr_b=bbb) "merge" (attr_c=xxx, attr_d=ddd) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_d=ddd)
-----
-Transform name {
- Match [Strict|Every|Loose] match_avpl [[Insert|Replace] modify_avpl] ; // may occur multiple times, at least once
-};
-----
-
-For examples of Transforms, check the <<ChMateManual,Manual>> page.
-
-TODO: migrate the examples here?
-
-The list of Match rules inside a Transform is processed top to bottom;
-the processing ends as soon as either a Match rule succeeds or all have been
-tried in vain.
-
-Transforms can be used as helpers to manipulate an item's AVPL before the item
-is processed further. An item declaration may contain a Transform clause
-indicating a list of previously declared Transforms. Regardless whether the
-individual transforms succeed or fail, the list is always executed completely
-and in the order given, i.e., left to right.
-
-In MATE configuration file, a Transform must be declared before declaring any
-item which uses it.
+All AVP names are unique so resulting AVPL contains all AVPs from both AVPLs
[#Config]
-=== Configuration AVPLs
+=== Configuration Reference (mate.config)
[#Pdu]
-==== Pdsu's configuration actions
+==== PDU declaration block
The following configuration AVPLs deal with PDU creation and data extraction.
-===== Pdu declaration block header
+===== _Pdu_ declaration block header
In each frame of the capture, MATE will look for source _proto_name_'s PDUs in
the order in which the declarations appear in its configuration and will create
-Pdus of every type it can from that frame, unless specifically instructed that
-some Pdu type is the last one to be looked for in the frame. If told so for a
-given type, MATE will extract all Pdus of that type and the previously declared
+PDUs of every type it can from that frame, unless specifically instructed that
+some PDU type is the last one to be looked for in the frame. If told so for a
+given type, MATE will extract all PDUs of that type and the previously declared
types it finds in the frame but not those declared later.
-The complete declaration of a Pdu looks as below; the mandatory order of the
+The complete declaration of a _Pdu_ looks as below; the mandatory order of the
diverse clauses is as shown.
----
- Pdu name Proto proto_name Transport proto1[/proto2/proto3[/...]]] {
- Payload proto; //optional, no default value
- Extract attribute From proto.field ; //may occur multiple times, at least once
- Transform (transform1[, transform2[, ...]]); //optional
- Criteria [{Accept|Reject}] [{Strict|Every|Loose} match_avpl];
- DropUnassigned {true|false}; //optional, default=false
- DiscardPduData {true|false}; //optional, default=false
- LastExtracted {true|false}; //optional, default=false
- };
+Pdu name Proto proto_name Transport {proto1[/proto2/proto3[/...]|mate}; {
+ Payload proto; //optional, no default value
+ Extract attribute From proto.field ; //may occur multiple times, at least once
+ Transform transform1[, transform2[, ...]]; //optional
+ Criteria {Accept|Reject} {Strict|Every|Loose} match_avpl; //optional
+ DropUnassigned {TRUE|FALSE}; //optional, default=FALSE
+ DiscardPduData {TRUE|FALSE}; //optional, default=FALSE
+ LastPdu {TRUE|FALSE}; //optional, default=FALSE
+};
----
-===== Pdu name
+====== Pdu name
-The _name_ is a mandatory attribute of a Pdu declaration. It is chosen
+The _name_ is a mandatory attribute of a _Pdu_ declaration. It is chosen
arbitrarily, except that each _name_ may only be used once in MATE's
configuration, regardless the class of an item it is used for. The _name_ is
-used to distinguish between different types of Pdus, Gops, and Gogs. The _name_
-is also used as part of the filterable fields' names related to this type of Pdu
+used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_
+is also used as part of the filterable fields' names related to this type of PDU
which MATE creates.
-However, several Pdu declarations may share the same _name_. In such case, all
+However, several _Pdu_ declarations may share the same _name_. In such case, all
of them are created from each source PDU matching their _Proto_, _Transport_,
and _Payload_ clauses, while the bodies of their declarations may be totally
different from each other. Together with the _Accept_ (or _Reject_) clauses,
-this feature is useful when it is necessary to build the Pdu's AVPL from
+this feature is useful when it is necessary to build the PDU's AVPL from
different sets of source fields depending on contents (or mere presence) of
other source fields.
====== Proto and Transport clauses
Every instance of the protocol _proto_name_ PDU in a frame will generate one
-Pdu with the AVPs extracted from fields that are in the _proto_name_'s range
+PDU with the AVPs extracted from fields that are in the _proto_name_'s range
and/or the ranges of underlying protocols specified by the _Transport_ list.
-It is a mandatory attribute of a Pdu declaration. The _proto_name_ is the name
+It is a mandatory attribute of a _Pdu_ declaration. The _proto_name_ is the name
of the protocol as used in Wireshark display filter.
-The Pdu's _Proto_, and its _Transport_ list of protocols separated by / tell
-MATE which fields of a frame can get into the Pdu's AVPL. In order that MATE
+The PDU's _Proto_, and its _Transport_ list of protocols separated by / tell
+MATE which fields of a frame can get into the PDU's AVPL. In order that MATE
would extract an attribute from a frame's protocol tree, the area representing
the field in the hex display of the frame must be within the area of either the
-_Proto_ or its relative _Transport_ s. _Transport_ s are chosen moving backwards
+_Proto_ or its relative _Transport_++s++. _Transport_++s++ are chosen moving backwards
from the protocol area, in the order they are given.
_Proto http Transport tcp/ip_ does what you'd expect it to - it selects the
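Review bot: the rewritten syntax line `+Pdu name Proto proto_name Transport {proto1[/proto2/proto3[/...]|mate}; {` has a stray `;` before the opening `{` and unbalanced square brackets (two `[`, one `]`); suggest `Pdu name Proto proto_name Transport {proto1[/proto2[/...]]|mate} {`. Removing the outer brackets in `+ Criteria {Accept|Reject} {Strict|Every|Loose} match_avpl; //optional` now reads as if both keywords were mandatory, which contradicts the Criteria clause text in the next hunk saying Strict and Accept are the defaults when omitted; `Criteria [Accept|Reject] [Strict|Every|Loose] match_avpl;` keeps the meaning. In the Merge examples the keyword becomes quoted lowercase `"merge"` while the Match examples above keep the bare keyword (Match Loose, Match Strict); pick one style. The explanation `+Can't have multiple "attr_a" with same value "aaa"` reads as a restriction rather than a description of the result; "attr_a=aaa already exists in the former, so it is not added again" says what the example shows.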
@@ -1943,24 +1990,24 @@ too doesn't work so far.
Once we've selected the _Proto_ and _Transport_ ranges, MATE will fetch those
protocol fields belonging to them whose extraction is declared using the
-_Extract_ clauses for the Pdu type. The _Transport_ list is also mandatory,
+_Extract_ clauses for the PDU type. The _Transport_ list is also mandatory,
if you actually don't want to use any transport protocol, use _Transport mate_.
(This didn't work until 0.10.9).
-====== Payload clause
+===== Payload clause
-Other than the Pdu's _Proto_ and its _Transport_ protocols, there is also a
+Other than the PDU's _Proto_ and its _Transport_ protocols, there is also a
_Payload_ attribute to tell MATE from which ranges of _Proto_'s payload to
-extract fields of a frame into the Pdu. In order to extract an attribute from a
+extract fields of a frame into the PDU. In order to extract an attribute from a
frame's tree the highlighted area of the field in the hex display must be within
-the area of the _Proto_'s relative payload(s). _Payload_ s are chosen moving
+the area of the _Proto_'s relative payload(s). _Payload_++s++ are chosen moving
forward from the protocol area, in the order they are given.
_Proto http Transport tcp/ip Payload mmse_ will select the first mmse range
after the current http range. Once we've selected the _Payload_ ranges, MATE
will fetch those protocol fields belonging to them whose extraction is declared
-using the _Extract_ clauses for the Pdu type.
+using the _Extract_ clauses for the PDU type.
-====== Extract clause
+===== Extract clause
Each _Extract_ clause tells MATE which protocol field value to extract as an AVP
value and what string to use as the AVP name. The protocol fields are referred
@@ -1968,294 +2015,330 @@ to using the names used in Wireshark display filters. If there is more than one
such protocol field in the frame, each instance that fulfills the criteria
stated above is extracted into its own AVP. The AVP names may be chosen
arbitrarily, but to be able to match values originally coming from different
-Pdus (e.g., hostname from DNS query and a hostname from HTTP GET request) later
+PDUs (e.g., hostname from DNS query and a hostname from HTTP GET request) later
in the analysis, identical AVP names must be assigned to them and the dissectors
must provide the field values in identical format (which is not always the case).
-====== Transform clause
+===== Transform clause
-The _Transform_ clause specifies a list of previously declared _Transform_ s to
-be performed on the Pdu's AVPL after all protocol fields have been extracted to
+The _Transform_ clause specifies a list of previously declared _Transform_++s++ to
+be performed on the PDU's AVPL after all protocol fields have been extracted to
it. The list is always executed completely, left to right. On the contrary, the
list of Match clauses inside each individual _Transform_ is executed only until
the first match succeeds.
[#Criteria]
-====== Criteria clause
+===== Criteria clause
-This clause tells MATE whether to use the Pdu for analysis. It specifies a match
-AVPL, an AVPL match type (_Strict_, _Every_, or _Loose_) and the action to be
+This clause tells MATE whether to use the PDU for analysis. It specifies a match
+AVPL, an AVPL <<Match,Match type>> (_Strict_, _Every_, or _Loose_) and the action to be
performed (_Accept_ or _Reject_) if the match succeeds. Once every attribute has
been extracted and eventual transform list has been executed, and if the
-_Criteria_ clause is present, the Pdu's AVPL is matched against the match AVPL;
-if the match succeeds, the action specified is executed, i.e., the Pdu is
+_Criteria_ clause is present, the PDU's AVPL is matched against the match AVPL;
+if the match succeeds, the action specified is executed, i.e., the PDU is
accepted or rejected. The default behaviors used if the respective keywords are
omitted are _Strict_ and _Accept_. Accordingly, if the clause is omitted, all
-Pdus are accepted.
+PDUs are accepted.
-====== DropUnassigned clause
+===== DropUnassigned clause
-If set to _TRUE_, MATE will destroy the Pdu if it cannot assign it to a Gop.
+If set to _TRUE_, MATE will destroy the PDU if it cannot assign it to a GOP.
If set to _FALSE_ (the default if not given), MATE will keep them.
-====== DiscardPduData clause
+===== DiscardPduData clause
-If set to _TRUE_, MATE will delete the Pdu's AVPL once it has analyzed it and
-eventually extracted some AVPs from it into the Gop's AVPL. This is useful to
+If set to _TRUE_, MATE will delete the PDU's AVPL once it has analyzed it and
+eventually extracted some AVPs from it into the GOP's AVPL. This is useful to
save memory (of which MATE uses a lot). If set to _FALSE_ (the default if not
-given), MATE will keep the Pdu attributes.
+given), MATE will keep the PDU attributes.
-====== LastExtracted clause
+===== LastPdu clause
If set to _FALSE_ (the default if not given), MATE will continue to look for
-Pdus of other types in the frame. If set to _TRUE_, it will not try to create
-Pdus of other types from the current frame, yet it will continue to try for the
+PDUs of other types in the frame. If set to _TRUE_, it will not try to create
+PDUs of other types from the current frame, yet it will continue to try for the
current type.
[#Gop]
-===== Gop's configuration actions
+==== GOP declaration block
-====== Gop declaration block header
+===== _Gop_ declaration block header
-Declares a Gop type and its prematch candidate key.
+Declares a Gop type and its candidate key.
----
- Gop name On pduname Match key {
- Start match_avpl; // optional
- Stop match_avpl; // optional
- Extra match_avpl; // optional
- Transform transform_list; // optional
- Expiration time; // optional
- IdleTimeout time; // optional
- Lifetime time; // optional
- DropUnassigned [TRUE|FALSE]; //optional
- ShowTree [NoTree|PduTree|FrameTree|BasicTree]; //optional
- ShowTimes [TRUE|FALSE]; //optional, default TRUE
- };
+Gop name On pduname Match key {
+ Start match_avpl; // optional
+ Stop match_avpl; // optional
+ Extra match_avpl; // optional
+ Transform transform_list; // optional
+ Expiration time; // optional
+ IdleTimeout time; // optional
+ Lifetime time; // optional
+ DropUnassigned [TRUE|FALSE]; //optional
+ ShowTree [NoTree|PduTree|FrameTree|BasicTree]; //optional
+ ShowTimes [TRUE|FALSE]; //optional, default TRUE
+};
----
====== Gop name
-The _name_ is a mandatory attribute of a Gop declaration. It is chosen
+The _name_ is a mandatory attribute of a _Gop_ declaration. It is chosen
arbitrarily, except that each _name_ may only be used once in MATE's
configuration, regardless the class of an item it is used for. The _name_ is
-used to distinguish between different types of Pdus, Gops, and Gogs. The _name_
+used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_
is also used as part of the filterable fields' names related to this type of
-Gop which MATE creates.
+GOP which MATE creates.
====== On clause
-The _name_ of Pdus which this type of Gop is supposed to be groupping. It is
+The _name_ of PDUs which this type of GOP is supposed to be grouping. It is
mandatory.
====== Match clause
-Defines what AVPs form up the _key_ part of the Gop's AVPL (the Gop's _key_ AVPL
-or simply the Gop's _key_). All Pdus matching the _key_ AVPL of an active Gop
-are assigned to that Gop; a Pdu which contains the AVPs whose attribute names
-are listed in the Gop's _key_ AVPL, but they do not strictly match any active
-Gop's _key_ AVPL, will create a new Gop (unless a _Start_ clause is given).
-When a Gop is created, the elements of its key AVPL are copied from the creating
-Pdu.
+Defines what AVPs form up the _key_ part of the GOP's AVPL (the GOP's _key_ AVPL
+or simply the GOP's _key_). All PDUs matching the _key_ AVPL of an active GOP
+are assigned to that GOP; a PDU which contains the AVPs whose attribute names
+are listed in the GOP's _key_ AVPL, but they do not strictly match any active
+GOP's _key_ AVPL, will create a new GOP (unless a _Start_ clause is given).
+When a GOP is created, the elements of its key AVPL are copied from the creating
+PDU.
-====== Start clause
+===== Start clause
-If given, it tells MATE what match_avpl must a Pdu's AVPL match, in addition to
-matching the Gop's _key_, in order to start a Gop. If not given, any Pdu whose
-AVPL matches the Gop's _key_ AVPL will act as a start for a Gop. The Pdu's AVPs
-matching the match_avpl are not automatically copied into the Gop's AVPL.
+If given, it tells MATE what match_avpl must a PDU's AVPL match, in addition to
+matching the GOP's _key_, in order to start a GOP. If not given, any PDU whose
+AVPL matches the GOP's _key_ AVPL will act as a start for a GOP. The PDU's AVPs
+matching the match_avpl are not automatically copied into the GOP's AVPL.
-====== Stop clause
+===== Stop clause
-If given, it tells MATE what match_avpl must a Pdu's AVPL match, in addition to
-matching the Gop's key, in order to stop a Gop. If omitted, the Gop is
-"auto-stopped" - that is, the Gop is marked as stopped as soon as it is created.
-The Pdu's AVPs matching the match_avpl are not automatically copied into the
-Gop's AVPL.
+If given, it tells MATE what match_avpl must a PDU's AVPL match, in addition to
+matching the GOP's _key_, in order to stop a GOP. If omitted, the GOP is
+"auto-stopped" - that is, the GOP is marked as stopped as soon as it is created.
+The PDU's AVPs matching the match_avpl are not automatically copied into the
+GOP's AVPL.
-====== Extra clause
+===== Extra clause
-If given, tells MATE which AVPs from the Pdu's AVPL are to be copied into the
-Gop's AVPL in addition to the Gop's key.
+If given, tells MATE which AVPs from the PDU's AVPL are to be copied into the
+GOP's AVPL in addition to the GOP's key.
-====== Transform clause
+===== Transform clause
-The _Transform_ clause specifies a list of previously declared _Transform_ s to
-be performed on the Gop's AVPL after the AVPs from each new Pdu, specified by
-the key AVPL and the _Extra_ clause's match_avpl, have been merged into it.
+The _Transform_ clause specifies a list of previously declared _Transform_++s++ to
+be performed on the GOP's AVPL after the AVPs from each new PDU, specified by
+the _key_ AVPL and the _Extra_ clause's match_avpl, have been merged into it.
The list is always executed completely, left to right. On the contrary, the list
of _Match_ clauses inside each individual _Transform_ is executed only until
the first match succeeds.
-====== Expiration clause
+===== Expiration clause
-A (floating) number of seconds after a Gop is _Stop_ ped during which further
-Pdus matching the _Stop_ ped Gop's key but not the _Start_ condition will still
-be assigned to that Gop. The default value of zero has an actual meaning of
-infinity, as it disables this timer, so all Pdus matching the _Stop_ ped Gop's
-key will be assigned to that Gop unless they match the _Start_ condition.
+A (floating) number of seconds after a GOP is _Stop_ ped during which further
+PDUs matching the _Stop_ ped GOP's key but not the _Start_ condition will still
+be assigned to that GOP. The default value of zero has an actual meaning of
+infinity, as it disables this timer, so all PDUs matching the _Stop_ ped GOP's
+key will be assigned to that GOP unless they match the _Start_ condition.
-====== IdleTimeout clause
+===== IdleTimeout clause
-A (floating) number of seconds elapsed from the last Pdu assigned to the Gop
-after which the Gop will be considered released. The default value of zero has
-an actual meaning of infinity, as it disables this timer, so the Gop won't be
-released even if no Pdus arrive - unless the _Lifetime_ timer expires.
+A (floating) number of seconds elapsed from the last PDU assigned to the GOP
+after which the GOP will be considered released. The default value of zero has
+an actual meaning of infinity, as it disables this timer, so the GOP won't be
+released even if no PDUs arrive - unless the _Lifetime_ timer expires.
-====== Lifetime clause
+===== Lifetime clause
-A (floating) of seconds after the Gop _Start_ after which the Gop will be
+A (floating) of seconds after the GOP _Start_ after which the GOP will be
considered released regardless anything else. The default value of zero has an
actual meaning of infinity.
-====== DropUnassigned clause
+===== DropUnassigned clause
-Whether or not a Gop that has not being assigned to any Gog should be discarded.
-If _TRUE_, the Gop is discarded right after creation. If _FALSE_, the default,
-the unassigned Gop is kept. Setting it to _TRUE_ helps save memory and speed up
+Whether or not a GOP that has not being assigned to any GOG should be discarded.
+If _TRUE_, the GOP is discarded right after creation. If _FALSE_, the default,
+the unassigned GOP is kept. Setting it to _TRUE_ helps save memory and speed up
filtering.
-====== TreeMode clause
+===== TreeMode clause
-Controls the display of Pdus subtree of the Gop:
+Controls the display of PDUs subtree of the GOP:
* _NoTree_: completely suppresses showing the tree
-* _PduTree_: the tree is shown and shows the Pdus by Pdu Id
-* _FrameTree_: the tree is shown and shows the Pdus by the frame number in which
+* _PduTree_: the tree is shown and shows the PDUs by PDU Id
+* _FrameTree_: the tree is shown and shows the PDUs by the frame number in which
they are
* _BasicTree_: needs investigation
-====== ShowTimes clause
+===== ShowTimes clause
-Whether or not to show the times subtree of the Gop. If _TRUE_, the default,
-the subtree with the timers is added to the Gop's tree. If _FALSE_, the subtree
+Whether or not to show the times subtree of the GOP. If _TRUE_, the default,
+the subtree with the timers is added to the GOP's tree. If _FALSE_, the subtree
is suppressed.
[#Gog]
-===== Gog's configuration actions
+==== GOG declaration block
-====== Gop declaration block header
+===== _Gog_ declaration block header
-Declares a Gog type and its prematch candidate key.
+Declares a Gog type and its candidate key.
----
- Gog name {
- Member gopname (key); // mandatory, at least one
- Extra match_avpl; // optional
- Transform transform_list; // optional
- Expiration time; // optional, default 2.0
- GopTree [NoTree|PduTree|FrameTree|BasicTree]; // optional
- ShowTimes [TRUE|FALSE]; // optional, default TRUE
- };
+Gog name {
+ Member gopname (key); // mandatory, at least one
+ Extra match_avpl; // optional
+ Transform transform_list; // optional
+ Expiration time; // optional, default 2.0
+ GopTree [NoTree|PduTree|FrameTree|BasicTree]; // optional
+ ShowTimes [TRUE|FALSE]; // optional, default TRUE
+};
----
-====== Gop name
+====== Gog name
-The _name_ is a mandatory attribute of a Gog declaration. It is chosen
+The _name_ is a mandatory attribute of a _Gog_ declaration. It is chosen
arbitrarily, except that each _name_ may only be used once in MATE's
configuration, regardless the class of an item it is used for. The _name_ is
-used to distinguish between different types of Pdus, Gops, and Gogs. The _name_
+used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_
is also used as part of the filterable fields' names related to this type of
-Gop which MATE creates.
+GOG which MATE creates.
-====== Member clause
+===== Member clause
-Defines the _key_ AVPL for the Gog individually for each Gop type _gopname_.
-All _gopname_ type Gops whose _key_ AVPL matches the corresponding _key_ AVPL
-of an active Gog are assigned to that Gog; a Gop which contains the AVPs whose
-attribute names are listed in the Gog's corresponding _key_ AVPL, but they do
-not strictly match any active Gog's _key_ AVPL, will create a new Gog. When a
-Gog is created, the elements of its _key_ AVPL are copied from the creating Gop.
+Defines the _key_ AVPL for the GOG individually for each GOP type _gopname_.
+All _gopname_ type GOPs whose _key_ AVPL matches the corresponding _key_ AVPL
+of an active GOG are assigned to that GOG; a GOP which contains the AVPs whose
+attribute names are listed in the GOG's corresponding _key_ AVPL, but they do
+not strictly match any active GOG's _key_ AVPL, will create a new GOG. When a
+GOG is created, the elements of its _key_ AVPL are copied from the creating GOP.
Although the _key_ AVPLs are specified separately for each of the Member
-_gopname_ s, in most cases they are identical, as the very purpose of a Gog is
-to group together Gops made of Pdus of different types.
+_gopname_++s++, in most cases they are identical, as the very purpose of a GOG is
+to group together GOPs made of PDUs of different types.
-====== Extra clause
+===== Extra clause
-If given, tells MATE which AVPs from any of the Gop's AVPL are to be copied
-into the Gog's AVPL in addition to the Gog's key.
+If given, tells MATE which AVPs from any of the GOP's AVPL are to be copied
+into the GOG's AVPL in addition to the GOG's key.
-====== Expiration clause
+===== Expiration clause
-A (floating) number of seconds after all the Gops assigned to a Gog have been
-released during which new Gops matching any of the session keys should still be
-assigned to the existing Gog instead of creating a new one. Its value can range
+A (floating) number of seconds after all the GOPs assigned to a GOG have been
+released during which new GOPs matching any of the session keys should still be
+assigned to the existing GOG instead of creating a new one. Its value can range
from 0.0 to infinite. Defaults to 2.0 seconds.
-====== Transform clause
+===== Transform clause
-The _Transform_ clause specifies a list of previously declared _Transform_ s to
-be performed on the Gog's AVPL after the AVPs from each new Gop, specified by
+The _Transform_ clause specifies a list of previously declared _Transform_++s++ to
+be performed on the GOG's AVPL after the AVPs from each new GOP, specified by
the _key_ AVPL and the _Extra_ clause's match_avpl, have been merged into it.
The list is always executed completely, left to right. On the contrary, the list
of _Match_ clauses inside each individual _Transform_ is executed only until
the first match succeeds.
-====== TreeMode clause
+===== TreeMode clause
-Controls the display of Gops subtree of the Gog:
+Controls the display of GOPs subtree of the GOG:
* _NoTree_: completely suppresses showing the tree
* _BasicTree_: needs investigation
* _FullTree_: needs investigation
-====== ShowTimes clause
+===== ShowTimes clause
-Whether or not to show the times subtree of the Gog. If _TRUE_, the default,
-the subtree with the timers is added to the Gog's tree. If _FALSE_, the subtree
+Whether or not to show the times subtree of the GOG. If _TRUE_, the default,
+the subtree with the timers is added to the GOG's tree. If _FALSE_, the subtree
is suppressed.
-===== Settings Config AVPL
+[#Transform]
+==== Transform declaration block
+
+A Transform is a sequence of Match rules optionally followed by an instruction
+how to modify the match result using an additional AVPL. Such modification may
+be an Insert (merge) or a Replace. The syntax is as follows:
+
+----
+Transform name {
+ Match [Strict|Every|Loose] match_avpl [[Insert|Replace] modify_avpl] ; // may occur multiple times, at least once
+};
+----
+
+For examples of Transforms, check the <<ChMateManual,Manual>> page.
+
+TODO: migrate the examples here?
+
+The list of Match rules inside a Transform is processed top to bottom;
+the processing ends as soon as either a Match rule succeeds or all have been
+tried in vain.
+
+Transforms can be used as helpers to manipulate an item's AVPL before the item
+is processed further. An item declaration may contain a Transform clause
+indicating a list of previously declared Transforms. Regardless whether the
+individual transforms succeed or fail, the list is always executed completely
+and in the order given, i.e., left to right.
+
+In MATE configuration file, a Transform must be declared before declaring any
+item which uses it.
+
+==== Settings configuration AVPL
+
+[NOTE]
+====
+The *Settings* parameters have been moved to other configuration parameters
+or deprecated. Leave for now until rest of document is updated for current syntax.
+====
The *Settings* config element is used to pass to MATE various operational
parameters. the possible parameters are
-====== GogExpiration
+===== GogExpiration
-How long in seconds after all the gops assigned to a gog have been released new
-gops matching any of the session keys should create a new gog instead of being
+How long in seconds after all the GOPs assigned to a GOG have been released new
+GOPs matching any of the session keys should create a new GOG instead of being
assigned to the previous one. Its value can range from 0.0 to infinite.
Defaults to 2.0 seconds.
-====== DiscardPduData
+===== DiscardPduData
-Whether or not the AVPL of every Pdu should be deleted after it was being
+Whether or not the AVPL of every PDU should be deleted after it was being
processed (saves memory). It can be either _TRUE_ or _FALSE_. Defaults to _TRUE_.
Setting it to _FALSE_ can save you from a headache if your config does not work.
-====== DiscardUnassignedPdu
+===== DiscardUnassignedPdu
-Whether Pdus should be deleted if they are not assigned to any Gop. It can be
+Whether PDUs should be deleted if they are not assigned to any GOP. It can be
either _TRUE_ or _FALSE_. Defaults to _FALSE_. Set it to _TRUE_ to save memory
-if unassigned Pdus are useless.
+if unassigned PDUs are useless.
-====== DiscardUnassignedGop
+===== DiscardUnassignedGop
-Whether GoPs should be deleted if they are not assigned to any session. It can
+Whether GOPs should be deleted if they are not assigned to any session. It can
be either _TRUE_ or _FALSE_. Defaults to _FALSE_. Setting it to _TRUE_ saves
memory.
-====== ShowPduTree
+===== ShowPduTree
-====== ShowGopTimes
+===== ShowGopTimes
-===== Debugging Stuff
+==== Debugging Stuff
The following settings are used to debug MATE and its configuration. All levels
are integers ranging from 0 (print only errors) to 9 (flood me with junk),
defaulting to 0.
-====== Debug declaration block header
+===== Debug declaration block header
----
- Debug {
- Filename "path/name"; //optional, no default value
- Level [0-9]; //optional, generic debug level
- Pdu Level [0-9]; //optional, specific debug level for Pdu handling
- Gop Level [0-9]; //optional, specific debug level for Gop handling
- Gog Level [0-9]; //optional, specific debug level for Gog handling
- };
+Debug {
+ Filename "path/name"; //optional, no default value
+ Level [0-9]; //optional, generic debug level
+ Pdu Level [0-9]; //optional, specific debug level for Pdu handling
+ Gop Level [0-9]; //optional, specific debug level for Gop handling
+ Gog Level [0-9]; //optional, specific debug level for Gog handling
+};
----
====== Filename clause
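Review bot: the added line `TODO: migrate the examples here?` and the `[NOTE]` admonition under "Settings configuration AVPL" ("Leave for now until rest of document is updated for current syntax") are messages to other contributors, yet both will render in the published User's Guide; turn them into AsciiDoc comments (`// TODO: migrate the examples here`) or resolve them before merging. While the GogExpiration lines are being retouched, also reconcile them with the Expiration clause at the top of this hunk: the Expiration clause says new GOPs inside the window "should still be assigned to the existing GOG instead of creating a new one", whereas GogExpiration says they "should create a new GOG instead of being assigned to the previous one"; both describe the same parameter with the same 2.0 second default, so one of the two statements is inverted.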
@@ -2272,27 +2355,27 @@ ranging from 0 (print only errors) to 9 (flood me with junk).
====== Pdu Level clause
-Sets the level of debugging for messages regarding Pdu creation. It is an
+Sets the level of debugging for messages regarding PDU creation. It is an
integer ranging from 0 (print only errors) to 9 (flood me with junk).
====== Gop Level clause
-Sets the level of debugging for messages regarding Pdu analysis (that is how do
-they fit into ?GoPs). It is an integer ranging from 0 (print only errors) to 9
+Sets the level of debugging for messages regarding PDU analysis (that is how do
+they fit into ?GOPs). It is an integer ranging from 0 (print only errors) to 9
(flood me with junk).
====== Gog Level clause
-Sets the level of debugging for messages regarding GoP analysis (that is how do
-they fit into ?GoGs). It is an integer ranging from 0 (print only errors) to 9
+Sets the level of debugging for messages regarding GOP analysis (that is how do
+they fit into ?GOGs). It is an integer ranging from 0 (print only errors) to 9
(flood me with junk).
-====== Settings Example
+===== Settings Example
----
Action=Settings; SessionExpiration=3.5; DiscardPduData=FALSE;
----
-===== Action=Include
+==== Action=Include
Will include a file to the configuration.
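Review bot: the Settings Example still reads `Action=Settings; SessionExpiration=3.5; DiscardPduData=FALSE;`, but the parameter documented two sections above is `GogExpiration`; since the surrounding lines are already being edited, either change the example to `GogExpiration=3.5;` or document `SessionExpiration`. Also, the `?GoPs` to `?GOPs` and `?GoGs` to `?GOGs` replacements in the Gop Level and Gog Level clauses keep the stray `?`, which looks like residue from the old wiki's CamelCase link syntax and should be dropped.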
@@ -2300,17 +2383,17 @@ Will include a file to the configuration.
Action=Include; {Filename=filename;|Lib=libname;}
----
-====== Filename
+===== Filename
The filename of the file to include. If it does not begin with '/' it will look
for the file in the current path.
-====== Lib
+===== Lib
The name of the lib config to include. will look for libname.mate in
wiresharks_dir/matelib.
-====== Include Example
+===== Include Example
----
Action=Include; Filename=rtsp.mate;
----
diff --git a/docbook/wsug_src/wsug_messages.adoc b/doc/wsug_src/wsug_messages.adoc
index bd3291ed..bd3291ed 100644
--- a/docbook/wsug_src/wsug_messages.adoc
+++ b/doc/wsug_src/wsug_messages.adoc
diff --git a/docbook/wsug_src/wsug_preface.adoc b/doc/wsug_src/wsug_preface.adoc
index c343a805..c343a805 100644
--- a/docbook/wsug_src/wsug_preface.adoc
+++ b/doc/wsug_src/wsug_preface.adoc
diff --git a/docbook/wsug_src/wsug_protocols.adoc b/doc/wsug_src/wsug_protocols.adoc
index 8f2b8b92..8f2b8b92 100644
--- a/docbook/wsug_src/wsug_protocols.adoc
+++ b/doc/wsug_src/wsug_protocols.adoc
diff --git a/docbook/wsug_src/wsug_statistics.adoc b/doc/wsug_src/wsug_statistics.adoc
index 93d4f179..66e014b2 100644
--- a/docbook/wsug_src/wsug_statistics.adoc
+++ b/doc/wsug_src/wsug_statistics.adoc
@@ -188,8 +188,10 @@ In the screenshot there are many more TLS and Git PDUs than there are packets.
A network conversation is the traffic between two specific endpoints. For
example, an IP conversation is all the traffic between two IP addresses. The
-description of the known endpoint types can be found in
-<<ChStatEndpoints>>.
+description of the known endpoint types can be found in <<ChStatEndpoints>>.
+
+The conversations are influenced by the _Deinterlacing conversations key_
+preference.
[#ChStatConversationsWindow]
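Review bot: the added sentence "The conversations are influenced by the _Deinterlacing conversations key_ preference." names a preference without saying which protocol's preference page it belongs to or what it changes in the conversation list; add a one-line explanation or a cross-reference to the section that documents the preference, otherwise a reader cannot act on it.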
@@ -444,7 +446,9 @@ The sum of the values of the field specified in “Y Field” per interval.
COUNT FRAMES(Y Field):::
The number of frames that contain the field specified in “Y Field” per interval.
-Unlike the plain “Packets” graph, this always displays <<ChStatIOGraphsMissingValues, zero values>>.
+// Unlike the plain “Packets” graph, this always displays <<ChStatIOGraphsMissingValues, zero values>>.
+// Above is no longer true. COUNT FRAMES is now exactly the same as Packets, except that the Y Field
+// is used instead of just the filter. Everything you can graph with one you can graph with the other.
COUNT FIELDS(Y Field):::
The number of instances of the field specified in “Y Field” per interval.
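Review bot: commenting out the "Unlike the plain “Packets” graph..." sentence leaves dead text plus a rationale comment in the source; delete the obsolete sentence outright. The rationale itself ("COUNT FRAMES is now exactly the same as Packets, except that the Y Field is used instead of just the filter") is exactly what a reader of the COUNT FRAMES entry wants to know, so state it in the visible description rather than only in a comment.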
@@ -454,19 +458,24 @@ MAX(Y Field), MIN(Y Field), AVG(Y Field):::
The maximum, minimum, and arithmetic mean values of the specified “Y Field” per interval.
For MAX and MIN values, hovering and clicking the graph will show and take you to the packet with the MAX or MIN value in the interval instead of the most recent packet.
-// io_graph_item.c says:
-// "LOAD graphs plot the QUEUE-depth of the connection over time"
-// (for response time fields such as smb.time, rpc.time, etc.)
-// This interval is expressed in milliseconds.
LOAD(Y Field):::
-If the “Y Field” is a relative time value, this is the sum of the “Y Field” values divided by the interval time.
-This can be useful for tracking response times.
+The queue depth, i.e., number of concurrent requests or calls, in each interval expressed in Erlangs.
+Requires “Y Field” be a relative time value, and treats it as the duration of an event which
+ended in the containing packet. Useful for response time fields like `smb.time`.
+
+THROUGHPUT(Y Field):::
+If the “Y Field” is a payload counted in Bytes (as frame.len, ip.len, ipv6.plen..), this is the throughput expressed in bits per second.
Y Field::
The display filter field from which to extract values for the Y axis calculations listed above.
SMA Period::
-Show an average of values over a specified period of intervals.
+Show a simple moving average of values over a specified period of intervals.
+
+Y Axis Factor::
+Scale the Y axis for this graph by multiplying by a constant factor, e.g. to
+graph bits if the “Y Field” contains bytes, or to present multiple graphs at
+a similar scale.
The chart as a whole can be configured using the controls under the graph list:
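Review bot: grammar in the new LOAD and THROUGHPUT entries: "Requires “Y Field” be a relative time value" needs "that" ("Requires that the “Y Field” be a relative time value"), and "(as frame.len, ip.len, ipv6.plen..)" should read "(such as `frame.len`, `ip.len` or `ipv6.plen`)" with the field names in monospace to match `smb.time` in the LOAD entry. The THROUGHPUT entry should also say whether the bits-per-second figure is computed per interval like the other statistics, since the sentence as written leaves the normalisation unstated.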
@@ -474,10 +483,14 @@ btn:[{plus}]::
Add a new graph.
btn:[-]::
-Add a new graph.
+Remove the selected graph(s).
btn:[Copy]::
-Copy the selected graph.
+Copy the selected graph(s).
+
+btn:[⌃]:: Move the selected graph(s) up in the list.
+
+btn:[⌄]:: Move the selected graph(s) down in the list.
btn:[Clear]::
Remove all graphs.
@@ -498,16 +511,18 @@ Automatic updates::
Redraw each graph automatically.
Enable legend::
-Show a legend for graphs with more than one type of Y axis.
+Show a graph legend.
The main dialog buttons along the bottom let you do the following:
-The btn:[Help] button will take you to this section of the User’s Guide.
+btn:[Help] will take you to this section of the User’s Guide.
-The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV
+btn:[Reset] will autoscale the axes to full display all graphs.
+
+btn:[Copy] will copy values from selected graphs to the clipboard in CSV
(Comma Separated Values) format.
-btn:[Copy from] will let you copy graphs from another profile.
+btn:[Copy from] will let you copy graphs from another profile to the current dialog.
btn:[Close] will close this dialog.
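Review bot: typo in the new btn:[Reset] line: "autoscale the axes to full display all graphs" should be "to fully display all graphs" (or "so that all graphs are fully visible").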
@@ -523,17 +538,20 @@ You can see a list of useful keyboard shortcuts by right-clicking on the graph.
[discrete]
==== Missing Values Are Zero
-Wireshark's I/O Graph window doesn’t distinguish between missing and zero values.
-For scatter plots it is assumed that zero values indicate missing data, and those values are omitted.
-Zero values are shown in line graphs, and bar charts.
-
-// No longer true as of eb4e2cca69.
-// For _plain_ (Packets, Bytes, and Bits) scatter plots, it is assumed that zero values indicate missing data, and those values are omitted.
-// Zero values are shown in line graphs, bar charts, and _calculated_ scatter plots.
-// Scatter plots are considered calculated if they have a calculated Y axis field or if a moving average is set.
+Wireshark's I/O Graph window counts or calculates summary statistics over intervals.
+If a packet or field does not occur in a given interval, the calculation might yield zero.
+This is particularly likely for very small intervals. For "counting" graphs
+(Packets, Bytes, Bits, COUNT FRAMES, COUNT FIELDS) zero values are omitted from scatter
+plots, but shown in line graphs and bar charts. For the summary statistics SUM, MAX, and AVG,
+values are always omitted if the Y field was not present in the interval.
+For LOAD graphs, values are omitted if no field's time indicated that an event was
+was present in the interval.
+(Note for LOAD graphs that a response time can contribute to earlier intervals than
+the one containing the packet if the duration is longer than the interval.)
// If you need to display zero values in a scatter plot, you can do so by making the Y Axis a calculated field.
// For example, the calculated equivalent of “Packets” is a “COUNT FRAMES” Y Axis with a Y Field set to “frame”.
+// XXX - No longer true as of eb4e2cca69.
[#ChStatSRT]
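Review bot: duplicated word in the new LOAD sentence: "no field's time indicated that an event was / was present in the interval" repeats "was" across the line break. Two consistency points in the same paragraph: the summary-statistics sentence lists "SUM, MAX, and AVG" but the function list earlier in this file also documents MIN, which is computed the same way and should be named here; and the heading "Missing Values Are Zero" no longer matches a body that explains when missing values are omitted rather than plotted as zero, so change the display text (keeping the `ChStatIOGraphsMissingValues` anchor so existing links resolve). The trailing `// XXX - No longer true as of eb4e2cca69.` sits after two other commented-out lines, so it is unclear which statement it qualifies; delete the obsolete commented text instead of annotating it.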
@@ -548,12 +566,14 @@ This information is available for many protocols, including the following:
* Diameter
* Fibre Channel
* GTP
+* GTPv2
* H.225 RAS
* LDAP
* MEGACO
* MGCP
* NCP
* ONC-RPC
+* PFCP
* RADIUS
* SCSI
* SMB
@@ -806,7 +826,7 @@ Illustrated” series of books.
Time Sequence (tcptrace):: Shows TCP metrics similar to the
http://www.tcptrace.org/[tcptrace] utility, including forward segments,
-acknowledgments, selective acknowledgments, reverse window sizes, and
+acknowledgements, selective acknowledgements, reverse window sizes, and
zero windows.
Throughput:: Average throughput and goodput.
diff --git a/docbook/wsug_src/wsug_telephony.adoc b/doc/wsug_src/wsug_telephony.adoc
index 4f856f0c..33a60575 100644
--- a/docbook/wsug_src/wsug_telephony.adoc
+++ b/doc/wsug_src/wsug_telephony.adoc
@@ -33,7 +33,7 @@ RTP Player is able to play any codec supported by an installed plugin. The codec
* Open menu:Help[About Wireshark] window
* Select the menu:Plugins[] tab
-* In the menu:Filter by type[] menu on the top-right, select codec
+* In the menu:Filter by type[] menu on the top-right, select codec
.List of supported codecs
image::images/ws-about-codecs.png[{screenshot-attrs}]
@@ -154,7 +154,7 @@ traffic. It finds calls by their signaling and shows related RTP streams. The cu
* SKINNY
* UNISTIM
-See https://gitlab.com/wireshark/wireshark/-/wikis/VOIPProtocolFamily[VOIPProtocolFamily] for an overview of the used VoIP protocols.
+See {wireshark-wiki-url}VOIPProtocolFamily[VOIPProtocolFamily] for an overview of the used VoIP protocols.
VoIP Calls window can be opened as window showing all protocol types (menu:Telephony[VoIP Calls] window) or limited to SIP messages only (menu:Telephony[SIP Flows] window).
@@ -193,7 +193,7 @@ The A-Interface Base Station Management Application Part (BSMAP) Statistics wind
==== A-I/F DTAP Statistics Window
-The A-Interface Direct Transfer Application Part (DTAP) Statistics widow shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file.
+The A-Interface Direct Transfer Application Part (DTAP) Statistics widow shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file.
[#ChTelGSM]
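Review bot: this hunk only changes whitespace but leaves two typos on the touched line: "Statistics widow" should be "Statistics window" and "save the date into a file" should be "save the data into a file"; fix them here since the line is already being rewritten.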
@@ -244,7 +244,7 @@ NOTE: That graph shows data of a single bearer and direction. The user can also
.The RLC Graph window
image::images/ws-rlc-graph.png[{screenshot-attrs}]
-[.small]#_The image of the RLC Graph is borrowed from link:https://gitlab.com/wireshark/wireshark/-/wikis/RLC-LTE[Wireshark wiki]._#
+[.small]#_The image of the RLC Graph is borrowed from link:{wireshark-wiki-url}RLC-LTE[the Wireshark wiki]._#
[#ChTelLTERLCTraffic]
@@ -608,7 +608,7 @@ Window has same features as <<ChTelVoipCalls,VoIP Calls>> window.
=== SIP Statistics Window
-SIP Statistics window shows captured SIP transactions. It is divided into SIP Responses and SIP Requests. In this window the user can filter, copy or save the statistics into a file.
+SIP Statistics window shows captured SIP transactions. It is divided into SIP Responses and SIP Requests. In this window the user can filter, copy or save the statistics into a file.
[#ChTelWAPWSPPacketCounter]
diff --git a/docbook/wsug_src/wsug_tools.adoc b/doc/wsug_src/wsug_tools.adoc
index 3a83d05f..3a83d05f 100644
--- a/docbook/wsug_src/wsug_tools.adoc
+++ b/doc/wsug_src/wsug_tools.adoc
diff --git a/docbook/wsug_src/wsug_troubleshoot.adoc b/doc/wsug_src/wsug_troubleshoot.adoc
index ededd77b..ededd77b 100644
--- a/docbook/wsug_src/wsug_troubleshoot.adoc
+++ b/doc/wsug_src/wsug_troubleshoot.adoc
diff --git a/docbook/wsug_src/wsug_use.adoc b/doc/wsug_src/wsug_use.adoc
index 7861a7da..c2511ba4 100644
--- a/docbook/wsug_src/wsug_use.adoc
+++ b/doc/wsug_src/wsug_use.adoc
@@ -272,8 +272,8 @@ bytes pane to a text file in a number of formats including plain, CSV,
and XML. It is discussed further in <<ChIOExportSelectedDialog>>.
|menu:Export Objects[] ||
-These menu items allow you to export captured DICOM, HTTP, IMF, SMB, or
-TFTP objects into local files. It pops up a corresponding object list
+These menu items allow you to export captured DICOM, FTP-DATA, HTTP, IMF, SMB,
+or TFTP objects into local files. It pops up a corresponding object list
(which is discussed further in <<ChIOExportObjectsDialog>>)
|menu:Print...[] |kbd:[Ctrl+P]|
@@ -320,7 +320,7 @@ Packet...”.
This menu item tries to find the previous packet matching the settings from
“Find Packet...”.
-|menu:Mark/Unmark Packet[] |kbd:[Ctrl+M] |
+|menu:Mark/Unmark Selected[] |kbd:[Ctrl+M] |
This menu item marks the currently selected packet. See
<<ChWorkMarkPacketSection>> for details.
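Review bot: the menu item is renamed to `Mark/Unmark Selected`, but the description on the following unchanged lines still says "marks the currently selected packet" (singular); the rename exists because the action now applies to every selected packet, so update the description to "toggles the marked state of the current selection", matching the wording used for the same item in wsug_work.adoc in this patch.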
@@ -336,7 +336,7 @@ Find the next marked packet.
|menu:Previous Mark[] |kbd:[Ctrl+Shift+B] |
Find the previous marked packet.
-|menu:Ignore/Unignore Packet[] |kbd:[Ctrl+D] |
+|menu:Ignore/Unignore Selected[] |kbd:[Ctrl+D] |
This menu item marks the currently selected packet as ignored. See
<<ChWorkIgnorePacketSection>> for details.
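Review bot: the rename to `Ignore/Unignore Selected` implies the action applies to all selected packets, but the unchanged description still says "marks the currently selected packet as ignored"; update it to "toggles the ignored state of the current selection" so the table matches the new item name.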
@@ -442,35 +442,34 @@ The fields “Automatic”, “Seconds” and “...seconds” are mutually excl
|menu:Name Resolution[Enable for MAC Layer]||This item allows you to control whether or not Wireshark translates MAC addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Network Layer]||This item allows you to control whether or not Wireshark translates network addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Transport Layer]||This item allows you to control whether or not Wireshark translates transport addresses into names, see <<ChAdvNameResolutionSection>>.
-|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list.
-
-Enabling colorization will slow down the display of new packets while
-capturing or loading capture files.
-
-|menu:Auto Scroll in Live Capture[] | |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
|menu:Zoom In[] |kbd:[Ctrl+&#43;] | Zoom into the packet data (increase the font size).
|menu:Zoom Out[] |kbd:[Ctrl+-] | Zoom out of the packet data (decrease the font size).
|menu:Normal Size[] |kbd:[Ctrl+=] | Set zoom level back to 100% (set font size back to normal).
-|menu:Resize All Columns[] |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it.
-
-Resizing may take a significant amount of time, especially if a large capture file is loaded.
-
-|menu:Displayed Columns[] | |This menu items folds out with a list of all configured columns. These columns can now be shown or hidden in the packet list.
|menu:Expand Subtrees[] |kbd:[Shift+→]|This menu item expands the currently selected subtree in the packet details tree.
|menu:Collapse Subtrees[] |kbd:[Shift+←]|This menu item collapses the currently selected subtree in the packet details tree.
|menu:Expand All[] |kbd:[Ctrl+→] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
|menu:Collapse All[] |kbd:[Ctrl+←] |This menu item collapses the tree view of all packets in the capture list.
+|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list.
+
+Enabling colorization will slow down the display of new packets while
+capturing or loading capture files.
+
|menu:Colorize Conversation[] | |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. <<ChCustColorizationSection>>.
|menu:Colorize Conversation[Color 1-10] | |These menu items enable one of the ten temporary color filters based on the currently selected conversation.
|menu:Colorize Conversation[Reset coloring] | |This menu item clears all temporary coloring rules.
|menu:Colorize Conversation[New Coloring Rule...] | |This menu item opens a dialog window in which a new permanent coloring rule can be created based on the currently selected conversation.
|menu:Coloring Rules...[] | |This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see <<ChCustColorizationSection>>.
+|menu:Resize All Columns[] |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it.
+
+Resizing may take a significant amount of time, especially if a large capture file is loaded.
+
|menu:Internals[] | |Information about various internal data structures. See <<ChUseInternals>> below for more information.
|menu:Show Packet in New Window[] ||
Shows the selected packet in a separate window. The separate window
-shows only the packet details and bytes. See <<ChWorkPacketSepView>> for
-details.
+shows only the packet details and bytes of that packet, and will
+continue to do so even if another packet is selected in the main window.
+See <<ChWorkPacketSepView>> for details.
|menu:Reload[] |kbd:[Ctrl+R] |This menu item allows you to reload the current capture file.
|===
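Review bot: the relocated `Resize All Columns` row keeps the grammatical error "Resize all column widths so the content will fit into it" (should be "fit into them"); fix it while the row is being moved. Moving `Colorize Packet List` and `Resize All Columns` down the table and `Auto Scroll in Live Capture` out of it changes the documented menu order, so any screenshot of the View menu in this section needs regenerating in the same change, otherwise the table and the image disagree.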
@@ -504,13 +503,15 @@ image::images/ws-go-menu.png[{screenshot-attrs}]
|menu:Back[] |kbd:[Alt+←] |Jump to the recently visited packet in the packet history, much like the page history in a web browser.
|menu:Forward[] |kbd:[Alt+→] |Jump to the next visited packet in the packet history, much like the page history in a web browser.
|menu:Go to Packet...[] |kbd:[Ctrl+G] |Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details.
-|menu:Go to Corresponding Packet[] | |Go to the corresponding packet of the currently selected protocol field. If the selected field doesn’t correspond to a packet, this item is greyed out.
+|menu:Go to Corresponding Packet[] | |Go to the corresponding packet of the currently selected protocol field (e.g., the reply
+corresponding to a request packet, or vice versa). If the selected field doesn’t correspond to a packet, this item is greyed out.
|menu:Previous Packet[] |kbd:[Ctrl+↑]|Move to the previous packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet[] |kbd:[Ctrl+↓]|Move to the next packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:First Packet[] |kbd:[Ctrl+Home] |Jump to the first packet of the capture file.
|menu:Last Packet[] |kbd:[Ctrl+End] |Jump to the last packet of the capture file.
|menu:Previous Packet In Conversation[] |kbd:[Ctrl+&#44;] |Move to the previous packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet In Conversation[] |kbd:[Ctrl+.] |Move to the next packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
+|menu:Auto Scroll in Live Capture[] | |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
|===
[#ChUseCaptureMenuSection]
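Review bot: the `Next Packet` and `Next Packet In Conversation` rows in this hunk's context still say "This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus"; that is a copy-paste error from the Previous rows and should read "next packet". The `Auto Scroll in Live Capture` row added at the end of the Go table is correct for the Qt UI, but its wording ("This item allows you to specify that Wireshark should...") is far longer than the neighbouring rows; consider "Scroll the packet list pane as new packets arrive so the last packet stays visible" to match the terse style of the rest of the table.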
@@ -581,6 +582,12 @@ macros. You can name filter macros, and you can save them for future
use.
See <<ChWorkDefineFilterMacrosSection>>.
+|menu:Display Filter Expression...[] ||
+Shows a dialog box that allows you to build a display filter expression
+to apply. This shows possible fields and their applicable relations and
+values, and allows you to search by name and description.
+See <<ChWorkFilterAddExpressionSection>>.
+
|menu:Apply as Column[] |kbd:[Shift+Ctrl+I]|
Adds the selected protocol item in the packet details pane as a column
to the packet list.
@@ -621,6 +628,13 @@ on providing TLS keys.
|menu:Follow[HTTP Stream] ||
Same functionality as “Follow TCP Stream” but for HTTP streams.
+|menu:Show Packet Bytes[] ||
+Open a window allowing for decoding and reformatting packet bytes.
+You can do actions like Base64 decode, decompress, interpret as
+a different character encoding, interpret bytes as an image format,
+and save, print, or copy to the clipboard the results.
+See <<ChAdvShowPacketBytes>> for more information.
+
|menu:Expert Info[] ||
Open a window showing expert information found in the capture.
Some protocol dissectors add packet detail items for notable or unusual
@@ -785,7 +799,7 @@ image::images/ws-help-menu.png[{screenshot-attrs}]
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
-|menu:Contents[]|F1| This menu item brings up a basic help system.
+|menu:User's Guide[]|F1| This menu item brings up the Wireshark User's Guide you're reading right now.
|menu:Manual Pages[...]|| This menu item starts a Web browser showing one of the locally installed html manual pages.
|menu:Website[]|| This menu item starts a Web browser showing the webpage from: link:{wireshark-main-url}[].
|menu:FAQs[]|| This menu item starts a Web browser showing various FAQs.
@@ -857,6 +871,7 @@ image::images/ws-main-toolbar.png[{screenshot-attrs}]
|image:images/toolbar/zoom-out.png[{toolbar-icon-attrs}] |btn:[Zoom Out]|menu:View[Zoom Out]| Zoom out of the packet data (decrease the font size).
|image:images/toolbar/zoom-original.png[{toolbar-icon-attrs}] |btn:[Normal Size]|menu:View[Normal Size]| Set zoom level back to 100%.
|image:images/toolbar/x-resize-columns.png[{toolbar-icon-attrs}] |btn:[Resize Columns]|menu:View[Resize Columns]| Resize columns, so the content fits into them.
+|image:images/toolbar/x-reset-layout_2.png[{toolbar-icon-attrs}] |btn:[Reset Layout]|menu:View[Reset Layout]| Reset layout to default size.
// --
//|image:images/toolbar/stock_colorselector_24.png[{toolbar-icon-attrs}]|btn:[Coloring Rules...]|menu:View[Coloring Rules...]| This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in <<ChCustColorizationSection>>.
|===
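Review bot: the new toolbar row references `images/toolbar/x-reset-layout_2.png`; the `_2` suffix does not follow the naming of the neighbouring icons (`zoom-out.png`, `x-resize-columns.png`), so confirm the file is actually committed under that name or rename it. The row above labels the menu item `menu:View[Resize Columns]` while the View menu table edited in this same patch calls it `Resize All Columns`; align the two.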
diff --git a/docbook/wsug_src/wsug_wireless.adoc b/doc/wsug_src/wsug_wireless.adoc
index 2431707e..445d6abb 100644
--- a/docbook/wsug_src/wsug_wireless.adoc
+++ b/doc/wsug_src/wsug_wireless.adoc
@@ -9,6 +9,7 @@
=== Introduction
The Wireless menu provides access to statistics related to wireless traffic.
+For configuring keys to decrypt wireless traffic, see <<Ch80211Keys>>
[#ChWirelessBluetoothATTServerAttributes]
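Review bot: the added sentence "For configuring keys to decrypt wireless traffic, see <<Ch80211Keys>>" lacks a terminating period, and the anchor `Ch80211Keys` must exist elsewhere in the guide or the build will emit an unresolved cross-reference; verify the target before merging.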
diff --git a/docbook/wsug_src/wsug_work.adoc b/doc/wsug_src/wsug_work.adoc
index 7c28ec3a..39499a89 100644
--- a/docbook/wsug_src/wsug_work.adoc
+++ b/doc/wsug_src/wsug_work.adoc
@@ -167,7 +167,7 @@ Same functionality as “Follow TCP Stream” but for DCCP streams.
|menu:Follow[TLS Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for TLS or SSL streams.
-See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions
+See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions
on providing TLS keys.
|menu:Follow[HTTP Stream] |menu:Analyze[] |
@@ -266,7 +266,7 @@ Same functionality as “Follow TCP Stream” but for UDP “streams”.
|menu:Follow[TLS Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for TLS or SSL streams.
-See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions
+See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions
on providing TLS keys.
|menu:Follow[HTTP Stream] |menu:Analyze[] |
@@ -918,16 +918,16 @@ You can perform the arithmetic operations on numeric fields shown in <<Arithmeti
[#ArithmeticOps]
.Display Filter Arithmetic Operations
-[options="header",cols="1,1,4"]
+[options="header",cols="1,1,1,4"]
|===
-|Name |Syntax | Description
-|Unary minus |-A | Negation of A
-|Addition |A + B | Add B to A
-|Subtraction |A - B | Subtract B from A
-|Multiplication |A * B | Multiply A times B
-|Division |A / B | Divide A by B
-|Modulo |A % B | Remainder of A divided by B
-|Bitwise AND |A & B | Bitwise AND of A and B
+|Name |Syntax | Alternative | Description
+|Unary minus |-A | | Negation of A
+|Addition |A + B | | Add B to A
+|Subtraction |A - B | | Subtract B from A
+|Multiplication |A * B | | Multiply A times B
+|Division |A / B | | Divide A by B
+|Modulo |A % B | | Remainder of A divided by B
+|Bitwise AND |A & B | A bitand B | Bitwise AND of A and B
|===
An unfortunate quirk in the filter syntax is that the subtraction
@@ -956,6 +956,9 @@ The display filter language has a number of functions to convert fields, see
|len |Returns the byte length of a string or bytes field.
|count |Returns the number of field occurrences in a frame.
|string |Converts a non-string field to a string.
+|vals |Converts a field value to its value string, if it has one.
+|dec |Converts an unsigned integer field to a decimal string.
+|hex |Converts an unsigned integer field to a hexadecimal string.
|max |Return the maximum value for the arguments.
|min |Return the minimum value for the arguments.
|abs |Return the absolute value for the argument.
@@ -987,6 +990,9 @@ To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255"
----
+The `vals` function converts an integer or boolean field value to a string
+using the field's associated value string, if it has one.
+
The functions max() and min() take any number of arguments of the same type
and returns the largest/smallest respectively of the set.
@@ -1012,10 +1018,9 @@ the DNS response in the current frame:
http && ip.dst eq ${dns.a}
----
-The notation of field references is similar to that of
-<<ChDisplayFilterMacrosSection,macros>> but they are syntactically
-distinct. Field references, like other complex filters, make excellent
-use cases for <<ChWorkDefineFilterMacrosSection,macros>>,
+The notation of field references is similar to that of macros but they are
+syntactically distinct. Field references, like other complex filters, make
+excellent use cases for <<ChWorkDefineFilterMacrosSection,macros>>,
<<ChWorkDefineFilterSection,saved filters>>, and
<<ChCustFilterButtons,filter buttons>>
@@ -1187,6 +1192,7 @@ Closes the dialog without saving any changes.
=== Defining And Saving Filter Macros
+Display Filter Macros are a mechanism to create shortcuts for complex filters.
You can define a filter macro with Wireshark and label it for later use.
This can save time in remembering and retyping some of the more complex filters
you use.
@@ -1202,11 +1208,50 @@ image::images/ws-filter-macros.png[{screenshot-attrs}]
. To add a new filter macro, click the btn:[{plus}] button in the bottom-left corner. A new row will appear in the Display Filter Macros table above.
-. Enter the name of your macro in the `Name` column. Enter your filter macro in the `Text` column.
+. Enter the name of your macro in the `Macro Name` column. Enter your filter macro in the `Macro Expression` column.
. To save your modifications, click the btn:[OK] button in the bottom-right corner of the <<FilterMacrosDialog>>.
-To learn more about display filter macro syntax, see <<ChDisplayFilterMacrosSection>>.
+==== Display Filter Macros syntax
+
+Display filter macros are invoked with the macro name and a number of
+input arguments. There are several supported syntaxes.
+
+The `Macro Name` must consist of ASCII alphanumerics or the '_' character.
+(Note that the presence of a '.' character would indicate a
+<<_field_references,field reference>>.)
+
+The `Macro Expression` is replacement text for the macro name. It substitutes
+$1, $2, $3, ... with the input arguments.
+
+For example, defining a display filter macro named _$$tcp_conv$$_ whose text is
+
+----
+(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)
+or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)
+----
+
+would allow to use a display filter like
+
+----
+$tcp_conv(10.1.1.2,10.1.1.3,1200,1400)
+----
+
+or alternatively
+
+----
+${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
+----
+
+or
+
+----
+${tcp_conv;10.1.1.2;10.1.1.3;1200;1400}
+----
+
+instead of typing the whole filter. Both notations are equivalent. Once defined, a macro can
+be used in <<ChWorkDefineFilterSection,saved display (but not
+capture) filters>> and <<ChCustFilterButtons,filter buttons>>.
[#ChWorkFindPacketSection]
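Review bot: "Both notations are equivalent." follows three invocation forms (`$tcp_conv(...)`, `${tcp_conv:...}` and `${tcp_conv;...}`), so it should read "All three notations are equivalent." In the same passage, "would allow to use a display filter like" is missing its object and should be "would allow you to use a display filter like". Finally, the new "==== Display Filter Macros syntax" heading has no explicit anchor, yet this hunk removes the line that linked to `<<ChDisplayFilterMacrosSection>>`; adding `[#ChDisplayFilterMacrosSection]` above the new heading would keep existing cross-references resolving instead of leaving them dangling.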
@@ -1321,7 +1366,7 @@ see <<ChIOPacketRangeSection>>.
There are several ways to mark and unmark packets. From the menu:Edit[] menu
you can select from the following:
-* menu:Mark/Unmark Packet[] toggles the marked state of a single packet.
+* menu:Mark/Unmark Selected[] toggles the marked state of the current selection.
This option is also available in the packet list context menu.
* menu:Mark All Displayed[] set the mark state of all displayed packets.
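Review bot: the context line directly after the change, "* menu:Mark All Displayed[] set the mark state of all displayed packets.", should read "sets" to agree with "toggles" in the line being changed; worth fixing while this list is being edited.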
@@ -1346,8 +1391,8 @@ else. It will be lost when the capture file is closed.
There are several ways to ignore and unignore packets. From the
menu:Edit[] menu you can select from the following:
-* menu:Ignore/Unignore Packet[] toggles the ignored state of a single
- packet. This option is also available in the packet list context menu.
+* menu:Ignore/Unignore Selected[] toggles the ignored state of the current selection.
+ This option is also available in the packet list context menu.
* menu:Ignore All Displayed[] set the ignored state of all displayed packets.
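Review bot: same number agreement issue as in the Mark/Unmark list: "* menu:Ignore All Displayed[] set the ignored state of all displayed packets." should read "sets", matching "toggles" in the changed line above it.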
@@ -1416,9 +1461,10 @@ new request. It’s possible to set multiple time references in the capture file
The time references will not be saved permanently and will be lost when you
close the capture file.
-Time referencing will only be useful if the time display format is set to
-“Seconds Since First Captured Packet”. If one of the other time display formats
-are used, time referencing will have no effect (and will make no sense either).
+Time referencing supercedes the value for the time relative to first
+capture packet. It affects the default Time column if the time display
+format is set to “Seconds Since First Captured Packet”, or a “Relative Time”
+column if one has been added. It also affects the `frame.time_relative` field.
To work with time references, choose one of the menu:Time Reference[] items in
the menu:[Edit] menu or from the pop-up menu of the “Packet List” pane. See
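Review bot: "supercedes" is misspelled; the standard spelling is "supersedes". In the same sentence, "the time relative to first capture packet" should be "the time relative to the first captured packet", matching the quoted display format name "Seconds Since First Captured Packet" two lines below.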
@@ -1439,7 +1485,12 @@ image::images/ws-time-reference.png[{screenshot-attrs}]
A time referenced packet will be marked with the string $$*REF*$$ in the Time
column (see packet number 10). All subsequent packets will show the time since
-the last time reference.
+the last time reference. If there is a column displayed for “Cumulative Bytes”
+its counter will also reset at every time reference packet.
+# Somewhat odd that cumulative bytes also resets.
+
+Time referenced packets will always be displayed in the packet list pane.
+Display filters will not affect or hide these packets.
[#ChWorkShiftTimePacketSection]
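Review bot: the added line "# Somewhat odd that cumulative bytes also resets." reads like an author's note that should not ship. AsciiDoc line comments start with `//`, and Asciidoctor treats a leading `# ` as a Markdown-style section title, so as written this would render as a heading in the user guide. Either drop the line or change it to `// Somewhat odd that cumulative bytes also resets.`. Separately, "packet list pane" in the new paragraph is written as "“Packet List” pane" in the Time Reference hunk above; consistent casing would help.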