diff options
Diffstat (limited to 'doc')
325 files changed, 31224 insertions, 3725 deletions
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 674554fe..0256d0d8 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -9,6 +9,13 @@ find_package( Asciidoctor 1.5 ) +function(set_doc_target_properties _target) + set_target_properties(${_target} PROPERTIES + FOLDER "Documentation" + EXCLUDE_FROM_DEFAULT_BUILD True + ) +endfunction() + set(MAN1_SOURCE_FILES) set(MAN4_SOURCE_FILES) set(MAN1_INSTALL_FILES) @@ -17,14 +24,14 @@ set(HTML_INSTALL_FILES) macro (ADD_MAN_PAGE _page_name _man_section) if(ASCIIDOCTOR_FOUND) - list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.html) + list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/man_pages/${_page_name}.html) if (${_man_section} EQUAL 1) - list(APPEND MAN1_SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/${_page_name}.adoc) - list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.${_man_section}) + list(APPEND MAN1_SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/man_pages/${_page_name}.adoc) + list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/man_pages/${_page_name}.${_man_section}) elseif (${_man_section} EQUAL 4) - list(APPEND MAN4_SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/${_page_name}.adoc) - list(APPEND MAN4_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.${_man_section}) + list(APPEND MAN4_SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/man_pages/${_page_name}.adoc) + list(APPEND MAN4_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/man_pages/${_page_name}.${_man_section}) else() message(FATAL_ERROR "Unsupported manual page section ${_man_section} for ${_page_name}") endif() @@ -82,16 +89,17 @@ set(WIRESHARK_BUNDLE_RESOURCE_SHARE_MAN4_FILES ${MAN4_INSTALL_FILES} PARENT_SCOP set(LOGRAY_BUNDLE_RESOURCE_SHARE_MAN1_FILES ${WIRESHARK_BUNDLE_RESOURCE_SHARE_MAN1_FILES} PARENT_SCOPE) set(LOGRAY_BUNDLE_RESOURCE_SHARE_MAN4_FILES ${WIRESHARK_BUNDLE_RESOURCE_SHARE_MAN4_FILES} PARENT_SCOPE) -set(MAN_INCLUDES diagnostic-options.adoc dissection-options.adoc) +set(MAN_INCLUDES man_pages/diagnostic-options.adoc man_pages/dissection-options.adoc man_pages/files.adoc) if(ASCIIDOCTOR_FOUND) ASCIIDOCTOR2ROFFMAN(1 ${MAN1_SOURCE_FILES}) ASCIIDOCTOR2ROFFMAN(4 ${MAN4_SOURCE_FILES}) ASCIIDOCTOR2HTMLMAN(${MAN1_SOURCE_FILES} ${MAN4_SOURCE_FILES}) - add_custom_target(manpages DEPENDS - ${MAN1_INSTALL_FILES} - ${MAN4_INSTALL_FILES} + add_custom_target(manpages + DEPENDS + ${MAN1_INSTALL_FILES} + ${MAN4_INSTALL_FILES} ) set_target_properties(manpages PROPERTIES FOLDER "Documentation") endif() @@ -100,18 +108,19 @@ if(ASCIIDOCTOR_FOUND) ASCIIDOCTOR2HTML(release-notes.adoc) ASCIIDOCTOR2TXT(release-notes.adoc) - list(APPEND HTML_INSTALL_FILES "${CMAKE_CURRENT_BINARY_DIR}/release-notes.html") - add_custom_target(release_notes_html DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/release-notes.html ) set_target_properties(release_notes_html PROPERTIES FOLDER "Documentation") + add_custom_target(release_notes_txt DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/release-notes.txt + release_notes_html ) set_target_properties(release_notes_txt PROPERTIES FOLDER "Documentation") + add_custom_target(release_notes DEPENDS release_notes_html @@ -119,26 +128,24 @@ if(ASCIIDOCTOR_FOUND) ) set_target_properties(release_notes PROPERTIES FOLDER "Documentation") - add_custom_target(news - COMMAND ${CMAKE_COMMAND} -E copy_if_different - ${CMAKE_CURRENT_BINARY_DIR}/release-notes.txt - ${CMAKE_SOURCE_DIR}/NEWS - DEPENDS - release_notes_txt - ) - set_target_properties(news PROPERTIES FOLDER "Documentation") + ASCIIDOCTOR2HTML(faq.adoc) + add_custom_target(faq_html DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/faq.html) + set_doc_target_properties(faq_html) + + add_custom_target(faq DEPENDS faq_html) + set_doc_target_properties(faq) endif() -add_custom_target( - docs ALL + +add_custom_target(docs DEPENDS - ${MAN1_INSTALL_FILES} - ${MAN4_INSTALL_FILES} ${HTML_INSTALL_FILES} ) set_target_properties(docs PROPERTIES FOLDER "Documentation") if(ASCIIDOCTOR_FOUND) + add_dependencies(docs manpages release_notes_html) + install( FILES ${MAN1_INSTALL_FILES} @@ -152,15 +159,470 @@ if(ASCIIDOCTOR_FOUND) DESTINATION ${CMAKE_INSTALL_MANDIR}/man4 ) + + + install( + FILES + ${HTML_INSTALL_FILES} + ${CMAKE_CURRENT_BINARY_DIR}/release-notes.html + DESTINATION + ${CMAKE_INSTALL_DOCDIR} + COMPONENT "ReleaseNotes" + ) endif() -install( - FILES - ${HTML_INSTALL_FILES} - DESTINATION - ${CMAKE_INSTALL_DOCDIR} +# +# Wireshark User's and Developer's Guides +# + +set(COMMON_GUIDE_FILES + common_src/gpl_appendix.adoc + common_src/typographic_conventions.adoc +) + +set(WSUG_TITLE "Wireshark User's Guide") + +set(WSUG_FILES + wsug_src/wsug_advanced.adoc + wsug_src/wsug_build_install.adoc + wsug_src/wsug_capture.adoc + wsug_src/wsug_customize.adoc + wsug_src/wsug_files.adoc + wsug_src/wsug_howitworks.adoc + wsug_src/wsug_introduction.adoc + wsug_src/wsug_io.adoc + wsug_src/wsug_mate.adoc + wsug_src/wsug_messages.adoc + wsug_src/wsug_preface.adoc + wsug_src/wsug_protocols.adoc + wsug_src/wsug_statistics.adoc + wsug_src/wsug_telephony.adoc + wsug_src/wsug_tools.adoc + wsug_src/wsug_troubleshoot.adoc + wsug_src/wsug_use.adoc + wsug_src/wsug_work.adoc + wsug_src/capinfos-h.txt + wsug_src/dumpcap-h.txt + wsug_src/editcap-F.txt + wsug_src/editcap-T.txt + wsug_src/editcap-h.txt + wsug_src/mergecap-h.txt + wsug_src/rawshark-h.txt + wsug_src/reordercap-h.txt + wsug_src/text2pcap-h.txt + wsug_src/tshark-h.txt + wsug_src/wireshark-h.txt + ${COMMON_GUIDE_FILES} +) + +# Note: Images should be minimized using tools/compress-pngs.py. +set(WSUG_GRAPHICS + wsug_src/images/caution.svg + wsug_src/images/important.svg + wsug_src/images/note.svg + wsug_src/images/related-ack.png + wsug_src/images/related-current.png + wsug_src/images/related-dup-ack.png + wsug_src/images/related-first.png + wsug_src/images/related-last.png + wsug_src/images/related-other.png + wsug_src/images/related-request.png + wsug_src/images/related-response.png + wsug_src/images/related-segment.png + wsug_src/images/tip.svg + wsug_src/images/toolbar/document-open.png + wsug_src/images/toolbar/edit-find.png + wsug_src/images/toolbar/filter-toolbar-add.png + wsug_src/images/toolbar/filter-toolbar-apply.png + wsug_src/images/toolbar/filter-toolbar-bookmark.png + wsug_src/images/toolbar/filter-toolbar-clear.png + wsug_src/images/toolbar/filter-toolbar-input.png + wsug_src/images/toolbar/filter-toolbar-recent.png + wsug_src/images/toolbar/go-first.png + wsug_src/images/toolbar/go-jump.png + wsug_src/images/toolbar/go-last.png + wsug_src/images/toolbar/go-next.png + wsug_src/images/toolbar/go-previous.png + wsug_src/images/toolbar/x-capture-file-close.png + wsug_src/images/toolbar/x-capture-file-reload.png + wsug_src/images/toolbar/x-capture-file-save.png + wsug_src/images/toolbar/x-capture-options.png + wsug_src/images/toolbar/x-capture-restart.png + wsug_src/images/toolbar/x-capture-start.png + wsug_src/images/toolbar/x-capture-stop.png + wsug_src/images/toolbar/x-colorize-packets.png + wsug_src/images/toolbar/x-resize-columns.png + wsug_src/images/toolbar/x-stay-last.png + wsug_src/images/toolbar/zoom-in.png + wsug_src/images/toolbar/zoom-original.png + wsug_src/images/toolbar/zoom-out.png + wsug_src/images/warning.svg + wsug_src/images/ws-about-codecs.png + wsug_src/images/ws-analyze-menu.png + wsug_src/images/ws-bytes-pane-popup-menu.png + wsug_src/images/ws-bytes-pane-tabs.png + wsug_src/images/ws-bytes-pane.png + wsug_src/images/ws-capture-file-properties.png + wsug_src/images/ws-capture-info.png + wsug_src/images/ws-capture-interfaces-main-macos.png + wsug_src/images/ws-capture-interfaces-main-win32.png + wsug_src/images/ws-capture-menu.png + wsug_src/images/ws-capture-options-compile-selected-bpfs.png + wsug_src/images/ws-capture-options-options.png + wsug_src/images/ws-capture-options-output.png + wsug_src/images/ws-capture-options-output.png + wsug_src/images/ws-capture-options.png + wsug_src/images/ws-choose-color-rule.png + wsug_src/images/ws-coloring-fields.png + wsug_src/images/ws-coloring-rules-dialog.png + wsug_src/images/ws-column-header-popup-menu.png + wsug_src/images/ws-decode-as.png + wsug_src/images/ws-details-pane-popup-menu.png + wsug_src/images/ws-details-pane.png + wsug_src/images/ws-diagram-pane-popup-menu.png + wsug_src/images/ws-diagram-pane.png + wsug_src/images/ws-display-filter-tcp.png # GTK+ + wsug_src/images/ws-edit-menu.png + wsug_src/images/ws-enabled-protocols.png + wsug_src/images/ws-expert-colored-tree.png + wsug_src/images/ws-expert-column.png + wsug_src/images/ws-expert-information.png + wsug_src/images/ws-export-objects.png + wsug_src/images/ws-export-packet-dissections.png + wsug_src/images/ws-export-selected.png + wsug_src/images/ws-export-specified-packets.png + wsug_src/images/ws-file-import.png + wsug_src/images/ws-file-menu.png + wsug_src/images/ws-file-set-dialog.png # GTK+ + wsug_src/images/ws-filter-add-expression.png # GTK+ + wsug_src/images/ws-filter-toolbar.png + wsug_src/images/ws-filters.png # GTK+ + wsug_src/images/ws-find-packet.png + wsug_src/images/ws-follow-http2-stream.png + wsug_src/images/ws-follow-sip-stream.png + wsug_src/images/ws-follow-stream.png + wsug_src/images/ws-go-menu.png + wsug_src/images/ws-goto-packet.png + wsug_src/images/ws-help-menu.png + wsug_src/images/ws-list-pane.png # Outdated + wsug_src/images/ws-main-toolbar.png + wsug_src/images/ws-main.png + wsug_src/images/ws-manage-interfaces.png + wsug_src/images/ws-mate-analysis.png + wsug_src/images/ws-mate-dns_pane.png + wsug_src/images/ws-mate-dns_pdu.png + wsug_src/images/ws-mate-ftp_over_gre.png + wsug_src/images/ws-mate-gop_analysis.png + wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png + wsug_src/images/ws-mate-mmse_over_http.png + wsug_src/images/ws-mate-pdu_analysis.png + wsug_src/images/ws-mate-tcp-output.png + wsug_src/images/ws-mate-transform.png + wsug_src/images/ws-menu.png + wsug_src/images/ws-merge-qt5.png + wsug_src/images/ws-merge-win32.png + wsug_src/images/ws-open-qt5.png + wsug_src/images/ws-open-win32.png + wsug_src/images/ws-packet-format.png + wsug_src/images/ws-packet-pane-popup-menu.png + wsug_src/images/ws-packet-range.png + wsug_src/images/ws-packet-selected.png + wsug_src/images/ws-packet-sep-win.png + wsug_src/images/ws-pref-advanced.png + wsug_src/images/ws-pref-appearance-columns.png + wsug_src/images/ws-pref-appearance-fonts-and-colors.png + wsug_src/images/ws-pref-appearance-layout.png + wsug_src/images/ws-pref-appearance.png + wsug_src/images/ws-pref-capture.png + wsug_src/images/ws-pref-expert.png + wsug_src/images/ws-pref-filter-buttons.png + wsug_src/images/ws-pref-name-resolution.png + wsug_src/images/ws-pref-protocols.png + wsug_src/images/ws-pref-rsa-keys.png + wsug_src/images/ws-pref-statistics.png + wsug_src/images/ws-print.png + wsug_src/images/ws-save-as-qt5.png + wsug_src/images/ws-save-as-win32.png + wsug_src/images/ws-statistics-menu.png + wsug_src/images/ws-stats-conversations.png + wsug_src/images/ws-stats-endpoints.png + wsug_src/images/ws-stats-hierarchy.png + wsug_src/images/ws-stats-iographs.png + wsug_src/images/ws-stats-lte-mac-traffic.png + wsug_src/images/ws-stats-lte-rlc-traffic.png + wsug_src/images/ws-stats-packet-lengths.png + wsug_src/images/ws-stats-srt-smb2.png + wsug_src/images/ws-stats-wlan-traffic.png # GTK+ + wsug_src/images/ws-statusbar-empty.png + wsug_src/images/ws-statusbar-filter.png + wsug_src/images/ws-statusbar-loaded.png + wsug_src/images/ws-statusbar-profile.png + wsug_src/images/ws-statusbar-selected.png + wsug_src/images/ws-tcp-analysis.png + wsug_src/images/ws-tel-playlist.png + wsug_src/images/ws-tel-rtp-player_1.png + wsug_src/images/ws-tel-rtp-player_2.png + wsug_src/images/ws-tel-rtp-player_3.png + wsug_src/images/ws-tel-rtp-player_button.png + wsug_src/images/ws-tel-rtp-streams.png + wsug_src/images/ws-tel-rtpstream-analysis_1.png + wsug_src/images/ws-tel-rtpstream-analysis_2.png + wsug_src/images/ws-tel-rtpstream-analysis_3.png + wsug_src/images/ws-tel-seq-dialog.png + wsug_src/images/ws-tel-voip-calls.png + wsug_src/images/ws-telephony-menu.png + wsug_src/images/ws-time-reference.png # GTK+ + wsug_src/images/ws-tools-menu.png + wsug_src/images/ws-view-menu.png +) + +set(WSDG_TITLE "Wireshark Developer's Guide") + +set(WSDG_FILES + wsdg_src/wsdg_asn2wrs.adoc + wsdg_src/wsdg_build_intro.adoc + wsdg_src/wsdg_capture.adoc + wsdg_src/wsdg_dissection.adoc + wsdg_src/wsdg_env_intro.adoc + wsdg_src/wsdg_libraries.adoc + wsdg_src/wsdg_lua_support.adoc + wsdg_src/wsdg_preface.adoc + wsdg_src/wsdg_quick_setup.adoc + wsdg_src/wsdg_sources.adoc + wsdg_src/wsdg_tests.adoc + wsdg_src/wsdg_tools.adoc + wsdg_src/wsdg_userinterface.adoc + wsdg_src/wsdg_works.adoc + ${COMMON_GUIDE_FILES} +) + +set(WSDG_GRAPHICS + wsdg_src/images/caution.svg + wsdg_src/images/git-triangular-workflow.gv + wsdg_src/images/git-triangular-workflow.svg + wsdg_src/images/important.svg + wsdg_src/images/note.svg + wsdg_src/images/tip.svg + wsdg_src/images/warning.svg + wsdg_src/images/ws-capture_internals.dia + wsdg_src/images/ws-capture_internals.png + wsdg_src/images/ws-capture-sync.dia + wsdg_src/images/ws-capture-sync.png + wsdg_src/images/ws-capture-sync.png + wsdg_src/images/ws-function-blocks.dia + wsdg_src/images/ws-function-blocks.svg + wsdg_src/images/ws-logo.png ) +set(WSUG_SOURCE + ${WSUG_FILES} + ${WSUG_GRAPHICS} +) + +set(WSDG_SOURCE + ${WSDG_FILES} + ${WSDG_GRAPHICS} +) + +# Note: file order here MATTERS! +# new WSLUA_MODULE files must come right before any WSLUA_CONTINUE_MODULE +# files for the same module +set(WSLUA_MODULES + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dumper.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_field.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_gui.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_int64.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_listener.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_pinfo.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_address.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_column.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_nstime.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dissector.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_pref.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto_expert.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto_field.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_tree.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_tvb.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_byte_array.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_file.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_file_handler.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_frame_info.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_capture_info.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dir.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_wtap.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_utility.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_struct.c +) + +# Empty file to trigger wsluarm generation. +ADD_CUSTOM_COMMAND( + OUTPUT + wsluarm + COMMAND ${CMAKE_COMMAND} -E make_directory wsluarm_src + COMMAND ${Python3_EXECUTABLE} + ${CMAKE_SOURCE_DIR}/tools/make-wsluarm.py + --output-directory wsluarm_src + ${WSLUA_MODULES} + COMMAND ${CMAKE_COMMAND} -E touch + wsluarm + DEPENDS + ${CMAKE_SOURCE_DIR}/tools/make-wsluarm.py + ${WSLUA_MODULES} +) + +set( WSDG_BUILT_DEPS wsluarm ) + +set( ASCIIDOC_CONF_FILES + ${CMAKE_CURRENT_SOURCE_DIR}/attributes.adoc + # XXX Add macros +) + +if(ASCIIDOCTOR_FOUND) + # Generate the DocBook sources of user and developer guides + + ASCIIDOCTOR2DOCBOOK(wsug_src/user-guide.adoc ${ASCIIDOC_CONF_FILES} ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + add_custom_target(user_guide_docbook DEPENDS generate_user-guide.xml) + set_doc_target_properties(user_guide_docbook) + set_target_properties(user_guide_docbook PROPERTIES EXCLUDE_FROM_ALL True) + + ASCIIDOCTOR2DOCBOOK(wsdg_src/developer-guide.adoc ${ASCIIDOC_CONF_FILES} ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + add_custom_target(developer_guide_docbook DEPENDS generate_developer-guide.xml) + set_doc_target_properties(developer_guide_docbook) + set_target_properties(developer_guide_docbook PROPERTIES EXCLUDE_FROM_ALL True) + + # Top-level guide targets. + + add_custom_target(user_guides DEPENDS user_guide_docbook) + set_doc_target_properties(user_guides) + set_target_properties(user_guides PROPERTIES EXCLUDE_FROM_ALL True) + + add_custom_target(developer_guides DEPENDS developer_guide_docbook) + set_doc_target_properties(developer_guides) + set_target_properties(developer_guides PROPERTIES EXCLUDE_FROM_ALL True) + + add_custom_target(all_guides DEPENDS user_guides developer_guides ) + set_doc_target_properties(all_guides) + set_target_properties(all_guides PROPERTIES EXCLUDE_FROM_ALL True) +endif() + +# User's Guide chain. +if(ASCIIDOCTOR_FOUND AND XSLTPROC_EXECUTABLE) + XML2HTML( + user_guide + wsug + single-page + user-guide.xml + WSUG_GRAPHICS + ) + + XML2HTML( + user_guide + wsug + chunked + user-guide.xml + WSUG_GRAPHICS + ) + add_custom_target(user_guide_html + DEPENDS + wsug_html/index.html + wsug_html_chunked/index.html + ) + set_doc_target_properties(user_guide_html) + set_target_properties(user_guide_html PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(user_guides user_guide_html) + # Copy the WSUG to the build directory so that when running + # from the build directory ui/help_url.c will find the local file. + # It expects the WSUG in a different directory on Windows. + if(WIN32) + set(WSUG_DIR "${DATAFILE_DIR}/${WSUG_TITLE}") + else() + set(WSUG_DIR "${DATAFILE_DIR}/wsug_html_chunked") + endif() + # CMake 3.26 has copy_directory_if_different + add_custom_command( + TARGET user_guide_html + COMMAND ${CMAKE_COMMAND} -E copy_directory + "${CMAKE_CURRENT_BINARY_DIR}/wsug_html_chunked" "${WSUG_DIR}" + VERBATIM + ) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_PDF_EXECUTABLE) + ASCIIDOCTOR2PDF(${WSUG_TITLE} wsug_src/user-guide.adoc ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + + add_custom_target(user_guide_pdf + DEPENDS + "${WSUG_TITLE}.pdf" + ) + set_doc_target_properties(user_guide_pdf) + set_target_properties(user_guide_pdf PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(user_guides user_guide_pdf) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_EPUB_EXECUTABLE) + ASCIIDOCTOR2EPUB(${WSUG_TITLE} wsug_src/user-guide.adoc ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + + add_custom_target(user_guide_epub + DEPENDS + "${WSUG_TITLE}.epub" + ) + set_doc_target_properties(user_guide_epub) + set_target_properties(user_guide_epub PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(user_guides user_guide_epub) +endif() + +# Developer's Guide chain. +if(ASCIIDOCTOR_FOUND AND XSLTPROC_EXECUTABLE) + XML2HTML( + developer_guide + wsdg + single-page + developer-guide.xml + WSDG_GRAPHICS + ) + + XML2HTML( + developer_guide + wsdg + chunked + developer-guide.xml + WSDG_GRAPHICS + ) + add_custom_target(developer_guide_html + DEPENDS + wsdg_html/index.html + wsdg_html_chunked/index.html + ) + set_doc_target_properties(developer_guide_html) + set_target_properties(developer_guide_html PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(developer_guides developer_guide_html) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_PDF_EXECUTABLE) + ASCIIDOCTOR2PDF(${WSDG_TITLE} wsdg_src/developer-guide.adoc ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + + add_custom_target(developer_guide_pdf + DEPENDS + "${WSDG_TITLE}.pdf" + ) + set_doc_target_properties(developer_guide_pdf) + set_target_properties(developer_guide_pdf PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(developer_guides developer_guide_pdf) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_EPUB_EXECUTABLE) + ASCIIDOCTOR2EPUB(${WSDG_TITLE} wsdg_src/developer-guide.adoc ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + + add_custom_target(developer_guide_epub + DEPENDS + "${WSDG_TITLE}.epub" + ) + set_doc_target_properties(developer_guide_epub) + set_target_properties(developer_guide_epub PROPERTIES EXCLUDE_FROM_ALL True) + add_dependencies(developer_guides developer_guide_epub) +endif() + # # Editor modelines - https://www.wireshark.org/tools/modelines.html # diff --git a/doc/README.developer b/doc/README.developer index 6d6ede97..9769dd68 100644 --- a/doc/README.developer +++ b/doc/README.developer @@ -165,7 +165,7 @@ functions won't accept a size_t on LLP64: unsigned byte_after_greet; i = strlen(greeting); - byte_after_greet = tvb_get_guint8(tvb, i); /* Compiler warning */ + byte_after_greet = tvb_get_uint8(tvb, i); /* Compiler warning */ Try to use the appropriate data type when you can. When you can't, you will have to cast to a compatible data type, e.g. @@ -175,7 +175,7 @@ will have to cast to a compatible data type, e.g. uint8_t byte_after_greet; i = strlen(greeting); - byte_after_greet = tvb_get_guint8(tvb, (int) i); /* OK */ + byte_after_greet = tvb_get_uint8(tvb, (int) i); /* OK */ or @@ -184,9 +184,9 @@ or uint8_t byte_after_greet; i = (int) strlen(greeting); - byte_after_greet = tvb_get_guint8(tvb, i); /* OK */ + byte_after_greet = tvb_get_uint8(tvb, i); /* OK */ -See http://www.unix.org/version2/whatsnew/lp64_wp.html for more +See https://unix.org/version2/whatsnew/lp64_wp.html for more information on the sizes of common types in different data models. A lot of legacy code still uses GLib types and I/O replacement API. These @@ -208,14 +208,8 @@ the macros in <inttypes.h>, for example: proto_tree_add_uint64_format_value(tree, hf_uint64, tvb, offset, len, val, "%" PRIu64, val); -For GLib routines, and only those, you can choose whichever format style -you prefer: - - uint64_t val = UINT64_C(1); - char *str1 = g_string_printf("%" G_GUINT64_FORMAT, val); - char *str2 = g_string_printf("%" PRIu64, val); - -These format macros will be the same modulo any GLib bugs. +GLib provides the G_GUINT64_FORMAT and G_GINT64_FORMAT specifiers for +64-bit integral types. You should use PRIu64 and PRId64 instead. When specifying an integral constant that doesn't fit in 32 bits, don't use "LL" at the end of the constant - not all compilers use "LL" for @@ -725,6 +719,14 @@ should be stored in a 32-bit variable, such as an "int"; if you store it in an 8-bit or 16-bit variable, you run the risk of the variable overflowing. +If your dissector uses recursion, you must ensure that your code does +not do so excessively. If there isn't an inherent limit on recursion in +your dissector, you can can add one using increment_dissection_depth and +decrement_dissection_depth. Wireshark's CI system uses Clang-tidy to +check for recursion; you might also need to add suppressions described at +https://clang.llvm.org/extra/clang-tidy/#suppressing-undesired-diagnostics +in order to pass CI checks. + sprintf() -> snprintf() Prevent yourself from using the sprintf() function, as it does not test the length of the given output buffer and might be writing into unintended memory @@ -772,7 +774,7 @@ Please avoid using tab expansions different from 8 column widths, as not all text editors in use by the developers support this. For a detailed discussion of tabs, spaces, and indentation, see - http://www.jwz.org/doc/tabs-vs-spaces.html + https://www.jwz.org/doc/tabs-vs-spaces.html We use EditorConfig (http://editorconfig.org) files to provide formatting hints. Most editors and IDEs support EditorConfig, either directly or via @@ -973,7 +975,7 @@ not toLocal8Bit() or toLatin1(). 8. Miscellaneous notes -Each commit in your branch corresponds to a different VCSVERSION string +Each commit in your branch corresponds to a different VCS_VERSION string automatically defined in the header 'vcs_version.h' during the build. If you happen to find it convenient to disable this feature it can be done using: diff --git a/doc/README.display_filter b/doc/README.display_filter index ab4d74d1..ff6c6a53 100644 --- a/doc/README.display_filter +++ b/doc/README.display_filter @@ -437,7 +437,7 @@ Example: add an 'in' display filter operation This example has been discussed on ethereal-dev in April 2004. [Ethereal-dev] Need for an 'in' dfilter operator? -(https://www.wireshark.org/lists/ethereal-dev/200404/msg00372.html) +(https://lists.wireshark.org/archives/ethereal-dev/200404/msg00372.html) It illustrates how a more complex operation can be added to the display filter language. Question: diff --git a/doc/README.dissector b/doc/README.dissector index 464bba49..4258f96b 100644 --- a/doc/README.dissector +++ b/doc/README.dissector @@ -84,7 +84,7 @@ In the skeleton sample code the following strings should be substituted with your information. YOUR_NAME Your name, of course. You do want credit, don't you? - It's the only payment you will receive.... + It's the only payment you will receive... YOUR_EMAIL_ADDRESS Keep those cards and letters coming. PROTONAME The name of the protocol; this is displayed in the top-level protocol tree item for that protocol. @@ -273,8 +273,11 @@ uint64_t tvb_get_bits64(tvbuff_t *tvb, unsigned bit_offset, const int no_of_bits Single-byte accessors for 8-bit unsigned integers (uint8_t) and 8-bit signed integers (int8_t): -uint8_t tvb_get_guint8(tvbuff_t *tvb, const int offset); -int8_t tvb_get_gint8(tvbuff_t *tvb, const int offset); +uint8_t tvb_get_uint8(tvbuff_t *tvb, const int offset); +int8_t tvb_get_int8(tvbuff_t *tvb, const int offset); + +These functions were previously named tvb_get_guint8 and tvb_get_gint8. You +can still use the old names but they have been deprecated. Network-to-host-order accessors: @@ -371,38 +374,41 @@ Encoding-to_host-order accessors: 16-bit unsigned (uint16_t) and signed (int16_t) integers: -uint16_t tvb_get_guint16(tvbuff_t *tvb, const int offset, const unsigned encoding); -int16_t tvb_get_gint16(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint16_t tvb_get_uint16(tvbuff_t *tvb, const int offset, const unsigned encoding); +int16_t tvb_get_int16(tvbuff_t *tvb, const int offset, const unsigned encoding); 24-bit unsigned and signed integers: -uint32_t tvb_get_guint24(tvbuff_t *tvb, const int offset, const unsigned encoding); -int32_t tvb_get_gint24(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint32_t tvb_get_uint24(tvbuff_t *tvb, const int offset, const unsigned encoding); +int32_t tvb_get_int24(tvbuff_t *tvb, const int offset, const unsigned encoding); 32-bit unsigned (uint32_t) and signed (int32_t) integers: -uint32_t tvb_get_guint32(tvbuff_t *tvb, const int offset, const unsigned encoding); -int32_t tvb_get_gint32(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint32_t tvb_get_uint32(tvbuff_t *tvb, const int offset, const unsigned encoding); +int32_t tvb_get_int32(tvbuff_t *tvb, const int offset, const unsigned encoding); 40-bit unsigned and signed integers: -uint64_t tvb_get_guint40(tvbuff_t *tvb, const int offset, const unsigned encoding); -int64_t tvb_get_gint40(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint64_t tvb_get_uint40(tvbuff_t *tvb, const int offset, const unsigned encoding); +int64_t tvb_get_int40(tvbuff_t *tvb, const int offset, const unsigned encoding); 48-bit unsigned and signed integers: -uint64_t tvb_get_guint48(tvbuff_t *tvb, const int offset, const unsigned encoding); -int64_t tvb_get_gint48(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint64_t tvb_get_uint48(tvbuff_t *tvb, const int offset, const unsigned encoding); +int64_t tvb_get_int48(tvbuff_t *tvb, const int offset, const unsigned encoding); 56-bit unsigned and signed integers: -uint64_t tvb_get_guint56(tvbuff_t *tvb, const int offset, const unsigned encoding); -int64_t tvb_get_gint56(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint64_t tvb_get_uint56(tvbuff_t *tvb, const int offset, const unsigned encoding); +int64_t tvb_get_int56(tvbuff_t *tvb, const int offset, const unsigned encoding); 64-bit unsigned (uint64_t) and signed (int64_t) integers: -uint64_t tvb_get_guint64(tvbuff_t *tvb, const int offset, const unsigned encoding); -int64_t tvb_get_gint64(tvbuff_t *tvb, const int offset, const unsigned encoding); +uint64_t tvb_get_uint64(tvbuff_t *tvb, const int offset, const unsigned encoding); +int64_t tvb_get_int64(tvbuff_t *tvb, const int offset, const unsigned encoding); + +These functions were previously named tvb_get_guintXX and tvb_get_gintXX. You +can still use the old names but they have been deprecated. Single-precision and double-precision IEEE floating-point numbers: @@ -477,7 +483,7 @@ the string is guaranteed to have a terminating NULL. If the string was truncated when copied into buffer, a NULL is placed at the end of buffer to terminate it. char *tvb_get_ts_23_038_7bits_string(wmem_allocator_t *scope, tvbuff_t *tvb, - const int bit_offset, int no_of_chars); + const int bit_offset, int no_of_chars); tvb_get_ts_23_038_7bits_string() returns a string of a given number of characters and encoded according to 3GPP TS 23.038 7 bits alphabet. @@ -487,17 +493,18 @@ information). Byte Array Accessors: -char *tvb_bytes_to_str(wmem_allocator_t *scope, tvbuff_t *tvb, const int offset, const int len); +char *tvb_bytes_to_str(wmem_allocator_t *scope, tvbuff_t *tvb, + const int offset, const int len); Formats a bunch of data from a tvbuff as bytes, returning a pointer to the string with the data formatted as two hex digits for each byte. The string pointed to is stored in an "wmem_alloc'd" buffer which will be freed -depending on its scope (typically wmem_packet_scope which is freed after the frame). +depending on its scope (typically pinfo->pool which is freed after the frame). The formatted string will contain the hex digits for at most the first 16 bytes of the data. If len is greater than 16 bytes, a trailing "..." will be added to the string. char *tvb_bytes_to_str_punct(wmem_allocator_t *scope, tvbuff_t *tvb, - const int offset, const int len, const char punct); + const int offset, const int len, const char punct); This function is similar to tvb_bytes_to_str(...) except that 'punct' is inserted between the hex representation of each byte. @@ -512,7 +519,8 @@ passed-in 'bytes' array, based on the passed-in encoding. In other words, convert from a hex-ascii string in tvbuff, into the supplied GByteArray. -char *tvb_bcd_dig_to_wmem_packet_str(tvbuff_t *tvb, const int offset, const int len, dgt_set_t *dgt, bool skip_first); +char *tvb_bcd_dig_to_wmem_packet_str(tvbuff_t *tvb, const int offset, + const int len, dgt_set_t *dgt, bool skip_first); Given a tvbuff, an offset into the tvbuff, and a length that starts at that offset (which may be -1 for "all the way to the end of the @@ -523,7 +531,7 @@ A pointer to the packet scope allocated string will be returned. Note: a tvbuff content of 0xf is considered a 'filler' and will end the conversion. Copying memory: -void* tvb_memcpy(tvbuff_t *tvb, void* target, const int offset, size_t length); +void *tvb_memcpy(tvbuff_t *tvb, void *target, const int offset, size_t length); Copies into the specified target the specified length's worth of data from the specified tvbuff, starting at the specified offset. @@ -539,7 +547,7 @@ Pointer-retrieval: * no guarantee that the user will honor the 'length' and not overstep the * boundaries of the buffer. Also see the warning in the Portability section. */ -const uint8_t* tvb_get_ptr(tvbuff_t *tvb, const int offset, const int length); +const uint8_t *tvb_get_ptr(tvbuff_t *tvb, const int offset, const int length); Length query: Get amount of captured data in the buffer (which is *NOT* necessarily the @@ -824,14 +832,14 @@ information about its data type is needed. It helps to look at the header_field_info struct to see what information is expected: struct header_field_info { - const char *name; - const char *abbrev; - enum ftenum type; - int display; - const void *strings; - uint64_t bitmask; - const char *blurb; - ..... + const char *name; + const char *abbrev; + enum ftenum type; + int display; + const void *strings; + uint64_t bitmask; + const char *blurb; + ... }; name (FIELDNAME) @@ -1194,11 +1202,11 @@ one can use a range_string struct. Thus a 'range_string' structure is a way to map ranges to strings. - typedef struct _range_string { - uint32_t value_min; - uint32_t value_max; - const char *strptr; - } range_string; + typedef struct _range_string { + uint32_t value_min; + uint32_t value_max; + const char *strptr; + } range_string; For fields of that type, you would declare an array of "range_string"s: @@ -1304,19 +1312,20 @@ header_field_info struct (or an array of such structs), and calling the registration function along with the registration ID of the protocol that is the parent of the fields. Here is a complete example: - static int proto_eg = -1; - static int hf_field_a = -1; - static int hf_field_b = -1; + static int proto_eg; + static int hf_field_a; + static int hf_field_b; static hf_register_info hf[] = { - { &hf_field_a, - { "Field A", "proto.field_a", FT_UINT8, BASE_HEX, NULL, - 0xf0, "Field A represents Apples", HFILL }}, + { "Field A", "proto.field_a", FT_UINT8, BASE_HEX, NULL, + 0xf0, "Field A represents Apples", HFILL } + }, { &hf_field_b, - { "Field B", "proto.field_b", FT_UINT16, BASE_DEC, VALS(vs), - 0x0, "Field B represents Bananas", HFILL }} + { "Field B", "proto.field_b", FT_UINT16, BASE_DEC, VALS(vs), + 0x0, "Field B represents Bananas", HFILL } + } }; proto_eg = proto_register_protocol("Example Protocol", @@ -1330,8 +1339,8 @@ information that the compiler created inside your array. Here's the layout of the hf_register_info struct: typedef struct hf_register_info { - int *p_id; /* pointer to parent variable */ - header_field_info hfinfo; + int *p_id; /* pointer to parent variable */ + header_field_info hfinfo; } hf_register_info; Also be sure to use the handy array_length() macro found in packet.h @@ -1346,14 +1355,15 @@ It is OK to have header fields with a different format be registered with the same abbreviation. For instance, the following is valid: static hf_register_info hf[] = { - { &hf_field_8bit, /* 8-bit version of proto.field */ - { "Field (8 bit)", "proto.field", FT_UINT8, BASE_DEC, NULL, - 0x00, "Field represents FOO", HFILL }}, + { "Field (8 bit)", "proto.field", FT_UINT8, BASE_DEC, NULL, + 0x00, "Field represents FOO", HFILL } + }, { &hf_field_32bit, /* 32-bit version of proto.field */ - { "Field (32 bit)", "proto.field", FT_UINT32, BASE_DEC, NULL, - 0x00, "Field represents FOO", HFILL }} + { "Field (32 bit)", "proto.field", FT_UINT32, BASE_DEC, NULL, + 0x00, "Field represents FOO", HFILL } + } }; This way a filter expression can match a header field, irrespective of the @@ -1385,7 +1395,7 @@ handful of proto_XXX_DO_YYY() functions. Subtrees can be made with the proto_item_add_subtree() function: - item = proto_tree_add_item(....); + item = proto_tree_add_item(...); new_tree = proto_item_add_subtree(item, tree_type); This will add a subtree under the item in question; a subtree can be @@ -1394,11 +1404,11 @@ so that the tree can be given an arbitrary depth. Subtree types are integers, assigned by "proto_register_subtree_array()". To register subtree types, pass an -array of pointers to "gint" variables to hold the subtree type values to +array of pointers to "int" variables to hold the subtree type values to "proto_register_subtree_array()": - static int ett_eg = -1; - static int ett_field_a = -1; + static int ett_eg; + static int ett_field_a; static int *ett[] = { &ett_eg, @@ -1419,14 +1429,14 @@ you move to another packet. There are many functions that the programmer can use to add either protocol or field labels to the proto_tree, for example: - proto_item* + proto_item * proto_tree_add_item(tree, id, tvb, start, length, encoding); - proto_item* + proto_item * proto_tree_add_item_ret_int(tree, id, tvb, start, length, encoding, *retval); - proto_item* + proto_item * proto_tree_add_subtree(tree, tvb, start, length, idx, tree_item, text); @@ -2016,11 +2026,11 @@ matched string from that value_string will be printed on the expansion line as well. Example: (from the SCSI dissector) - static int hf_scsi_inq_peripheral = -1; - static int hf_scsi_inq_qualifier = -1; - static int hf_scsi_inq_devtype = -1; + static int hf_scsi_inq_peripheral; + static int hf_scsi_inq_qualifier; + static int hf_scsi_inq_devtype; ... - static int ett_scsi_inq_peripheral = -1; + static int ett_scsi_inq_peripheral; ... static int * const peripheral_fields[] = { &hf_scsi_inq_qualifier, @@ -2031,17 +2041,20 @@ Example: (from the SCSI dissector) /* Qualifier and DeviceType */ proto_tree_add_bitmask(tree, tvb, offset, hf_scsi_inq_peripheral, ett_scsi_inq_peripheral, peripheral_fields, ENC_BIG_ENDIAN); - offset+=1; + offset += 1; ... { &hf_scsi_inq_peripheral, {"Peripheral", "scsi.inquiry.peripheral", FT_UINT8, BASE_HEX, - NULL, 0, NULL, HFILL}}, + NULL, 0, NULL, HFILL} + }, { &hf_scsi_inq_qualifier, {"Qualifier", "scsi.inquiry.qualifier", FT_UINT8, BASE_HEX, - VALS (scsi_qualifier_val), 0xE0, NULL, HFILL}}, + VALS (scsi_qualifier_val), 0xE0, NULL, HFILL} + }, { &hf_scsi_inq_devtype, {"Device Type", "scsi.inquiry.devtype", FT_UINT8, BASE_HEX, - VALS (scsi_devtype_val), SCSI_DEV_BITS, NULL, HFILL}}, + VALS (scsi_devtype_val), SCSI_DEV_BITS, NULL, HFILL} + }, ... Which provides very pretty dissection of this one byte bitmask. @@ -2146,18 +2159,16 @@ skeleton of how the programmer might code this. proto_tree_add_none_format(tree, hf_tr_rif_label, ..., "RIF: %s", rif); - for(i = 0; i < num_rings; i++) { + for (i = 0; i < num_rings; i++) { proto_item *pi; - pi = proto_tree_add_item(tree, hf_tr_rif_ring, ..., - ENC_BIG_ENDIAN); + pi = proto_tree_add_item(tree, hf_tr_rif_ring, ..., ENC_BIG_ENDIAN); proto_item_set_hidden(pi); } - for(i = 0; i < num_rings - 1; i++) { + for (i = 0; i < num_rings - 1; i++) { proto_item *pi; - pi = proto_tree_add_item(tree, hf_tr_rif_bridge, ..., - ENC_BIG_ENDIAN); + pi = proto_tree_add_item(tree, hf_tr_rif_bridge, ..., ENC_BIG_ENDIAN); proto_item_set_hidden(pi); } @@ -2196,7 +2207,7 @@ to generate a COL_INFO line for a frame. val_to_str() handles the most common case: - const char* + const char * val_to_str(uint32_t val, const value_string *vs, const char *fmt) If the value 'val' is found in the 'value_string' table pointed to by @@ -2214,7 +2225,7 @@ unmodified when 'val' isn't found. If you need to handle the failure case in some custom way, try_val_to_str() will return NULL if val isn't found: - const char* + const char * try_val_to_str(uint32_t val, const value_string *vs) Note that, you must check whether 'try_val_to_str()' returns NULL, and arrange @@ -2336,13 +2347,13 @@ table using their unique identifier using one of the following APIs: dissector_handle_t handle); void dissector_add_uint_range(const char *abbrev, struct epan_range *range, - dissector_handle_t handle); + dissector_handle_t handle); void dissector_add_string(const char *name, const char *pattern, - dissector_handle_t handle); + dissector_handle_t handle); void dissector_add_for_decode_as(const char *name, - dissector_handle_t handle); + dissector_handle_t handle); dissector_add_for_decode_as doesn't add a unique identifier in the dissector table, but it lets the user add it from the command line or, in Wireshark, @@ -2383,7 +2394,7 @@ section of epan/dissectors/CMakeLists.txt 1.10 Submitting code for your new dissector. See <https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html> - and <https://gitlab.com/wireshark/wireshark/-/wikis/Development/SubmittingPatches>. + and <https://wiki.wireshark.org/Development/SubmittingPatches>. - VERIFY that your dissector code does not use prohibited or deprecated APIs as follows: @@ -2404,11 +2415,11 @@ section of epan/dissectors/CMakeLists.txt - TEST YOUR DISSECTOR BEFORE SUBMITTING IT. Use fuzz-test.sh and/or randpkt against your dissector. These are - described at <https://gitlab.com/wireshark/wireshark/-/wikis/FuzzTesting>. + described at <https://wiki.wireshark.org/FuzzTesting>. - Subscribe to <mailto:wireshark-dev[AT]wireshark.org> by sending an email to <mailto:wireshark-dev-request[AT]wireshark.org?body="help"> or visiting - <https://www.wireshark.org/lists/>. + <https://lists.wireshark.org/>. - 'git diff' to verify all your changes look good. @@ -2425,11 +2436,11 @@ section of epan/dissectors/CMakeLists.txt - Create a Wiki page on the protocol at <https://gitlab.com/wireshark/editor-wiki>. (You'll need to request access to https://gitlab.com/wireshark/wiki-editors.) A template is provided so it is easy to setup in a consistent style. - See: <https://gitlab.com/wireshark/wireshark/-/wikis/HowToEdit> - and <https://gitlab.com/wireshark/wireshark/-/wikis/ProtocolReference> + See: <https://wiki.wireshark.org/HowToEdit> + and <https://wiki.wireshark.org/ProtocolReference> - If possible, add sample capture files to the sample captures page at - <https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures>. These + <https://wiki.wireshark.org/SampleCaptures>. These files are used by the automated build system for fuzz testing. - If you don't think the wiki is the right place for your sample capture, @@ -2494,12 +2505,12 @@ The conversation_new prototype: Where: uint32_t setup_frame = The lowest numbered frame for this conversation - address* addr1 = first data packet address - address* addr2 = second data packet address - conversation_type ctype = conversation type, defined in conversation.h + address* addr1 = first data packet address + address* addr2 = second data packet address + conversation_type ctype = conversation type, defined in conversation.h uint32_t port1 = first data packet port uint32_t port2 = second data packet port - unsigned options = conversation options, NO_ADDR2 and/or NO_PORT2 + unsigned options = conversation options, NO_ADDR2 and/or NO_PORT2 setup_frame indicates the first frame for this conversation, and is used to distinguish multiple conversations with the same addr1/port1 and addr2/port2 @@ -2533,7 +2544,7 @@ The conversation_new_full prototype: conversation_element_t *elements); Where: - uint32_t setup_frame = The lowest numbered frame for + uint32_t setup_frame = The lowest numbered frame for this conversation conversation_element_t *elements = An array of data types and values which identify this conversation. The array MUST be @@ -2552,12 +2563,12 @@ The find_conversation prototype: Where: uint32_t frame_num = a frame number to match - address* addr_a = first address - address* addr_b = second address - conversation_type ctype = conversation type + address* addr_a = first address + address* addr_b = second address + conversation_type ctype = conversation type uint32_t port_a = first data packet port uint32_t port_b = second data packet port - unsigned options = conversation options, NO_ADDR_B and/or NO_PORT_B + unsigned options = conversation options, NO_ADDR_B and/or NO_PORT_B frame_num is a frame number to match. The conversation returned is where (frame_num >= conversation->setup_frame @@ -2599,7 +2610,7 @@ The find_conversation_full prototype: conversation_element_t *elements); Where: - uint32_t setup_frame = The lowest numbered frame for + uint32_t setup_frame = The lowest numbered frame for this conversation conversation_element_t *elements = An array of data types and values which identify this conversation. The array MUST be @@ -2780,7 +2791,7 @@ typedef struct { } my_entry_t; /* Registered protocol number */ -static int my_proto = -1; +static int my_proto; /********************* in the dissector routine *********************/ @@ -2793,13 +2804,13 @@ my_entry_t *data_ptr; /* look up the conversation */ conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, - conversation_pt_to_conversation_type(pinfo->ptype), + conversation_pt_to_conversation_type(pinfo->ptype), pinfo->srcport, pinfo->destport, 0); /* if conversation found get the data pointer that you stored */ -if (conversation) +if (conversation) { data_ptr = (my_entry_t*)conversation_get_proto_data(conversation, my_proto); -else { +} else { /* new conversation create local data structure */ @@ -2880,8 +2891,7 @@ upon the conversation index and values inside the request packets. /* only allocate a new hash element when it's a request */ opcode = 0; - if (!request_val && !reply) - { + if (!request_val && !reply) { new_request_key = wmem_alloc(wmem_file_scope(), sizeof(struct afs_request_key)); *new_request_key = request_key; @@ -2889,8 +2899,7 @@ upon the conversation index and values inside the request packets. request_val -> opcode = pntoh32(&afsh->opcode); opcode = request_val->opcode; - g_hash_table_insert(afs_request_hash, new_request_key, - request_val); + g_hash_table_insert(afs_request_hash, new_request_key, request_val); } @@ -2946,36 +2955,33 @@ An example - static dissector_handle_t sub_dissector_handle; /* prototype for the dynamic dissector */ -static void sub_dissector(tvbuff_t *tvb, packet_info *pinfo, - proto_tree *tree); +static void sub_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); /* in the main protocol dissector, where the next dissector is setup */ /* if conversation has a data field, create it and load structure */ -/* First check if a conversation already exists for this - socketpair -*/ +/* First check if a conversation already exists for this socketpair */ conversation = find_conversation(pinfo->num, - &pinfo->src, &pinfo->dst, conversation_type, - src_port, dst_port, 0); + &pinfo->src, &pinfo->dst, conversation_type, + src_port, dst_port, 0); /* If there is no such conversation, or if there is one but for someone else's protocol then we just create a new conversation and assign our protocol to it. */ - if ( (conversation == NULL) || - (conversation->dissector_handle != sub_dissector_handle) ) { + if ((conversation == NULL) || + (conversation->dissector_handle != sub_dissector_handle)) { new_conv_info = wmem_alloc(wmem_file_scope(), sizeof(struct _new_conv_info)); new_conv_info->data1 = value1; -/* create the conversation for the dynamic port */ - conversation = conversation_new(pinfo->num, - &pinfo->src, &pinfo->dst, protocol, - src_port, dst_port, new_conv_info, 0); + /* create the conversation for the dynamic port */ + conversation = conversation_new(pinfo->num, + &pinfo->src, &pinfo->dst, protocol, + src_port, dst_port, new_conv_info, 0); -/* set the dissector for the new conversation */ - conversation_set_dissector(conversation, sub_dissector_handle); + /* set the dissector for the new conversation */ + conversation_set_dissector(conversation, sub_dissector_handle); } ... @@ -3019,8 +3025,8 @@ the same socketpair. There are two support routines that will allow the second port and/or address to be set later. -conversation_set_port2( conversation_t *conv, uint32_t port); -conversation_set_addr2( conversation_t *conv, address addr); +conversation_set_port2(conversation_t *conv, uint32_t port); +conversation_set_addr2(conversation_t *conv, address addr); These routines will change the second address or port for the conversation. So, the server port conversation will be converted into a @@ -3051,19 +3057,20 @@ static dissector_handle_t sub_dissector_handle; IP/protocol/port */ conversation = find_conversation(pinfo->num, - &server_src_addr, 0, protocol, - server_src_port, 0, NO_ADDR2 | NO_PORT_B); + &server_src_addr, 0, protocol, + server_src_port, 0, NO_ADDR2 | NO_PORT_B); + /* If there is no such conversation, or if there is one but for someone else's protocol then we just create a new conversation and assign our protocol to it. */ - if ( (conversation == NULL) || - (conversation->dissector_handle != sub_dissector_handle) ) { + if ((conversation == NULL) || + (conversation->dissector_handle != sub_dissector_handle)) { conversation = conversation_new(pinfo->num, - &server_src_addr, 0, conversation_type, - server_src_port, 0, new_conv_info, NO_ADDR2 | NO_PORT2); + &server_src_addr, 0, conversation_type, + server_src_port, 0, new_conv_info, NO_ADDR2 | NO_PORT2); -/* set the dissector for the new conversation */ + /* set the dissector for the new conversation */ conversation_set_dissector(conversation, sub_dissector_handle); } @@ -3210,16 +3217,16 @@ An example from packet-rtpproxy.c - rtpproxy_module = prefs_register_protocol(proto_rtpproxy, proto_reg_handoff_rtpproxy); prefs_register_bool_preference(rtpproxy_module, "establish_conversation", - "Establish Media Conversation", - "Specifies that RTP/RTCP/T.38/MSRP/etc streams are decoded based " - "upon port numbers found in RTPproxy answers", - &rtpproxy_establish_conversation); + "Establish Media Conversation", + "Specifies that RTP/RTCP/T.38/MSRP/etc streams are decoded based " + "upon port numbers found in RTPproxy answers", + &rtpproxy_establish_conversation); prefs_register_uint_preference(rtpproxy_module, "reply.timeout", - "RTPproxy reply timeout", /* Title */ - "Maximum timeout value in waiting for reply from RTPProxy (in milliseconds).", /* Descr */ - 10, - &rtpproxy_timeout); + "RTPproxy reply timeout", /* Title */ + "Maximum timeout value in waiting for reply from RTPProxy (in milliseconds).", /* Descr */ + 10, + &rtpproxy_timeout); This will create preferences "rtpproxy.establish_conversation" and "rtpproxy.reply.timeout", the first of which is an Boolean and the @@ -3231,7 +3238,7 @@ a preference obsolete is to register it as such: /* Register a preference that used to be supported but no longer is. */ void prefs_register_obsolete_preference(module_t *module, - const char *name); + const char *name); 2.7 Reassembly/desegmentation for protocols running atop TCP. @@ -3278,7 +3285,7 @@ reference to a callback which will be called with reassembled data: return 0; tcp_dissect_pdus(tvb, pinfo, tree, hartip_desegment, HARTIP_HEADER_LENGTH, - get_dissect_hartip_len, dissect_hartip_pdu, data); + get_dissect_hartip_len, dissect_hartip_pdu, data); return tvb_reported_length(tvb); } @@ -3345,11 +3352,10 @@ your mind later: once you return a positive value from desegment_len, your PDU boundary is set in stone. static hf_register_info hf[] = { - {&hf_cstring, - {"C String", "c.string", FT_STRING, BASE_NONE, NULL, 0x0, - NULL, HFILL} - } - }; + { &hf_cstring, + { "C String", "c.string", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + } +}; /** * Dissect a buffer containing ASCII C strings. @@ -3362,11 +3368,12 @@ static hf_register_info hf[] = { static int dissect_cstr(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void *data _U_) { unsigned offset = 0; - while(offset < tvb_reported_length(tvb)) { + + while (offset < tvb_reported_length(tvb)) { int available = tvb_reported_length_remaining(tvb, offset); int len = tvb_strnlen(tvb, offset, available); - if( -1 == len ) { + if (-1 == len) { /* we ran out of data: ask for more */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; @@ -3377,9 +3384,7 @@ static int dissect_cstr(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, len += 1; /* Add one for the '\0' */ - if (tree) { - proto_tree_add_item(tree, hf_cstring, tvb, offset, len, ENC_ASCII); - } + proto_tree_add_item(tree, hf_cstring, tvb, offset, len, ENC_ASCII); offset += (unsigned)len; } @@ -3425,7 +3430,7 @@ are called to handle PDU data. dissect_dnp3_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { return udp_dissect_pdus(tvb, pinfo, tree, DNP_HDR_LEN, dnp3_udp_check_header, - get_dnp3_message_len, dissect_dnp3_message, data); + get_dnp3_message_len, dissect_dnp3_message, data); } static int @@ -3436,7 +3441,7 @@ are called to handle PDU data. } tcp_dissect_pdus(tvb, pinfo, tree, true, DNP_HDR_LEN, - get_dnp3_message_len, dissect_dnp3_message, data); + get_dnp3_message_len, dissect_dnp3_message, data); return tvb_captured_length(tvb); } @@ -3518,7 +3523,7 @@ Consider the following example using IP dissection, stolen from packet-ip.c: static build_valid_func ip_da_build_value[1] = {ip_value}; static decode_as_value_t ip_da_values = {ip_prompt, 1, ip_da_build_value}; static decode_as_t ip_da = {"ip", "ip.proto", 1, 0, &ip_da_values, NULL, NULL, - decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL}; + decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL}; ... ip_dissector_table = register_dissector_table("ip.proto", "IP protocol", ip_proto, FT_UINT8, BASE_DEC); ... @@ -3594,23 +3599,23 @@ the ptvcursor advances its cursor so the next call to ptvcursor_add starts where this call finished. The 'encoding' parameter is relevant for certain type of fields (See above under proto_tree_add_item()). -proto_item* +proto_item * ptvcursor_add_ret_uint(ptvcursor_t* ptvc, int hf, int length, const unsigned encoding, uint32_t *retval); Like ptvcursor_add, but returns uint value retrieved -proto_item* +proto_item * ptvcursor_add_ret_int(ptvcursor_t* ptvc, int hf, int length, const unsigned encoding, int32_t *retval); Like ptvcursor_add, but returns int value retrieved -proto_item* +proto_item * ptvcursor_add_ret_string(ptvcursor_t* ptvc, int hf, int length, const unsigned encoding, wmem_allocator_t *scope, const uint8_t **retval); Like ptvcursor_add, but returns string retrieved -proto_item* +proto_item * ptvcursor_add_ret_boolean(ptvcursor_t* ptvc, int hf, int length, const unsigned encoding, bool *retval); Like ptvcursor_add, but returns boolean value retrieved -proto_item* +proto_item * ptvcursor_add_no_advance(ptvcursor_t* ptvc, int hf, int length, const unsigned encoding) Like ptvcursor_add, but does not advance the internal cursor. @@ -3624,7 +3629,7 @@ ptvcursor_free(ptvcursor_t* ptvc) after your dissection with the ptvcursor API is completed. -proto_tree* +proto_tree * ptvcursor_push_subtree(ptvcursor_t* ptvc, proto_item* it, int ett_subtree) Pushes the current subtree in the tree stack of the cursor, creates a new one and sets this one as the working tree. @@ -3633,7 +3638,7 @@ void ptvcursor_pop_subtree(ptvcursor_t* ptvc); Pops a subtree in the tree stack of the cursor -proto_tree* +proto_tree * ptvcursor_add_with_subtree(ptvcursor_t* ptvc, int hfindex, int length, const unsigned encoding, int ett_subtree); Adds an item to the tree and creates a subtree. @@ -3641,9 +3646,9 @@ If the length is unknown, length may be defined as SUBTREE_UNDEFINED_LENGTH. In this case, at the next pop, the item length will be equal to the advancement of the cursor since the creation of the subtree. -proto_tree* +proto_tree * ptvcursor_add_text_with_subtree(ptvcursor_t* ptvc, int length, - int ett_subtree, const char* format, ...); + int ett_subtree, const char *format, ...); Add a text node to the tree and create a subtree. If the length is unknown, length may be defined as SUBTREE_UNDEFINED_LENGTH. In this case, at the next pop, the item length will be equal to the advancement @@ -3651,7 +3656,7 @@ of the cursor since the creation of the subtree. 2.11.2 Miscellaneous functions. -tvbuff_t* +tvbuff_t * ptvcursor_tvbuff(ptvcursor_t* ptvc) Returns the tvbuff associated with the ptvcursor. @@ -3659,7 +3664,7 @@ int ptvcursor_current_offset(ptvcursor_t* ptvc) Returns the current offset. -proto_tree* +proto_tree * ptvcursor_tree(ptvcursor_t* ptvc) Returns the proto_tree associated with the ptvcursor. @@ -3667,7 +3672,7 @@ void ptvcursor_set_tree(ptvcursor_t* ptvc, proto_tree *tree) Sets a new proto_tree for the ptvcursor. -proto_tree* +proto_tree * ptvcursor_set_subtree(ptvcursor_t* ptvc, proto_item* it, int ett_subtree); Creates a subtree and adds it to the cursor as the working tree but does not save the old working tree. @@ -3714,10 +3719,10 @@ necessary, in either case. * * Local variables: * c-basic-offset: 4 - * tab-width: 8 + * tab-width: 4 * indent-tabs-mode: nil * End: * - * vi: set shiftwidth=4 tabstop=8 expandtab: - * :indentSize=4:tabSize=8:noTabs=true: + * vi: set shiftwidth=4 tabstop=4 expandtab: + * :indentSize=4:tabSize=4:noTabs=true: */ diff --git a/doc/README.documentation.adoc b/doc/README.documentation.adoc new file mode 100644 index 00000000..850a870a --- /dev/null +++ b/doc/README.documentation.adoc @@ -0,0 +1,93 @@ + +:experimental: += Introduction + +This directory contains the source files needed to build the: + +- Wireshark User’s Guide +- Wireshark Developer’s Guide +- Release notes +- Lua Reference + +To build everything, build the `all_guides` target, e.g. `ninja +all_guides` or `msbuild all_guides.vcxproj`. Requirements are listed +below. + +The guides and release notes are written in +https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/[Asciidoctor syntax]. +For more information see https://asciidoctor.org. + +== Requirements + +Ultimately we'd like to reduce the toolchain requirements to AsciidoctorJ alone, but that's not yet possible. +Additional tooling is required for the HTML and HTMLHelp targets. +See the https://www.wireshark.org/docs/wsdg_html_chunked/ChToolsDocumentationToolchain.html[Developer's Guide] for instructions on installing required packages for your platform. + +== Asciidoctor Markup + +The User’s and Developer’s Guides were originally written in DocBook and +were later converted to https://asciidoc.org/[AsciiDoc]. We subsequently +switched from AsciiDoc to Asciidoctor. +We currently use Asciidoctor’s modern (>= 1.5.0) syntax. + +Please use the following conventions when writing documentation: + +- Window and dialog box names should be in “curly quotes”. + +- Use Asciidoctor macros for buttons, keys, and menus. Note that these + are currently experimental: + +** The btn:[Start] button +** Press kbd:[Shift+Ctrl+P] to open the preferences dialog. +** Select menu:File[Open] from the main menu. + +This ensures that UI elements are shown consistently and lets us apply styles +to each type of element. + +- Command line examples should reflect the OS: ++ +---- +$ echo Linux and UNIX +---- ++ +---- +C:\> echo Windows +---- + +Admonitions ([NOTE], [TIP], [IMPORTANT], [CAUTION] and [WARNING]) can be used to highlight important +information. Keep in mind that they interrupt the flow of text by design. Too +many (especially in a row) are distracting and annoying. + +== Custom Asciidoctor Macros + +The following custom macros are available in `doc/asciidoctor-macros`: + +commaize-block:: +Sorts a list of items and separates them with commas with an "and" preceding the last item. + +cveidlink-inline-macro:: +Links a CVE ID to cve.mitre.org. + +manarg-block:: +Ensures that individual arguments don't wrap in order to improve readability. + +wsbuglink-inline-macro:: +Links an issue number to gitlab.org/wireshark/wireshark/-/issues. + +wssalink-inline-macro:: +Links a security advisory to www.wireshark.org. + +== Asciidoctor Live Preview + +The Asciidoctor project provides a JavaScript version of Asciidoctor +(asciidoctor.js), which enables live previews in many web browsers and +text editors. See the +https://asciidoctor.org/docs/editing-asciidoc-with-live-preview/[Live +Preview] documentation for more information. + +Note that our documentation depends on attributes defined in +_attributes.adoc_. The User’s Guide and Developer’s Guide are split +across several files, and only the top-level _user-guide.adoc_ and +_developer-guide.adoc_ include _attributes.adoc_. As a result, +some markup will be incomplete. You can work around this somewhat by +adding the `experimental` attribute to your Live Preview settings. diff --git a/doc/README.heuristic b/doc/README.heuristic index 08e9464f..7f8a6364 100644 --- a/doc/README.heuristic +++ b/doc/README.heuristic @@ -125,15 +125,15 @@ test_PROTOABBREV(packet_info *pinfo _U_, tvbuff_t *tvb, int offset _U_, void *da return false; /* 1) first byte must be 0x42 */ - if ( tvb_get_guint8(tvb, 0) != 0x42 ) + if ( tvb_get_uint8(tvb, 0) != 0x42 ) return false; /* 2) second byte is a type field and only can contain values between 0x20-0x33 */ - if ( tvb_get_guint8(tvb, 1) < 0x20 || tvb_get_guint8(tvb, 1) > 0x33 ) + if ( tvb_get_uint8(tvb, 1) < 0x20 || tvb_get_uint8(tvb, 1) > 0x33 ) return false; /* 3) third byte is a flag field, where the lower 4 bits always contain the value 0 */ - if ( tvb_get_guint8(tvb, 2) & 0x0f ) + if ( tvb_get_uint8(tvb, 2) & 0x0f ) return false; /* 4) fourth and fifth bytes contains a 16 bit length field, where the value can't be longer than 10000 bytes */ @@ -187,7 +187,7 @@ dissect_PROTOABBREV_heur_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree /* and do the dissection */ dissect_PROTOABBREV_tcp(tvb, pinfo, tree, data); - return (true); + return true; } static int diff --git a/doc/README.request_response_tracking b/doc/README.request_response_tracking index 9660a625..56200946 100644 --- a/doc/README.request_response_tracking +++ b/doc/README.request_response_tracking @@ -34,9 +34,9 @@ First we need to include the definitions for conversations. Then we also need a few header fields to show the relations between request and response as well as the response time. - static int hf_pana_response_in = -1; - static int hf_pana_response_to = -1; - static int hf_pana_response_time = -1; + static int hf_pana_response_in; + static int hf_pana_response_to; + static int hf_pana_response_time; We need a structure that holds all the information we need to remember between the request and the responses. One such structure will be allocated diff --git a/doc/README.stats_tree b/doc/README.stats_tree index 1b7e69e4..9d303d38 100644 --- a/doc/README.stats_tree +++ b/doc/README.stats_tree @@ -116,10 +116,10 @@ stats_tree_register(tapname, abbr, name, flags, packet_cb, init_cb, cleanup_cb); registers a new stats tree with default group REGISTER_STAT_GROUP_UNSORTED stats_tree_register_plugin(tapname, abbr, name, flags, packet_cb, init_cb, cleanup_cb); - registers a new stats tree from a plugin with the default group + registers a new stats tree from a plugin with the default group REGISTER_STAT_GROUP_UNSORTED -stats_tree_register_with_group(tapname, abbr, name, flags, packet_cb, init_cb, cleanup_cb, stat_group); - registers a new stats tree under a particular stat group +stats_tree_set_group(st_config, stat_group); + changes the menu statistics group for a stats tree stats_tree_parent_id_by_name( st, parent_name) returns the id of a candidate parent node given its name diff --git a/doc/README.tapping b/doc/README.tapping index 4fcb6389..da3a0f27 100644 --- a/doc/README.tapping +++ b/doc/README.tapping @@ -33,7 +33,7 @@ do and is done in four easy steps; 1, We need tap.h so just add '#include <epan/tap.h>' (preceded by packet.h) to the includes. -2, We need a tap handler so just add 'static int <protocol>_tap = -1;' +2, We need a tap handler so just add 'static int <protocol>_tap;' 3, Down in proto_register_<protocol>() you need to add '<protocol>_tap = register_tap("<protocol>");' @@ -111,7 +111,15 @@ is a set of flags for the tap listener. The flags that can be set are: tree to be built. It will require a protocol tree to be built if either - 1) it looks at the protocol tree in edt->tree + 1) it looks at the protocol tree in edt->tree (N.B.: this + flag does *NOT* guarantee that the tree contains all fields + actually in the packet. Fields that are not referenced + [by a filter, by custom columns, etc.] will be "faked" and + not present. It is not necessary to include this flag if + the tap has a filter string, though, as filtering implies + needing the tree. So this case is rare. Actually making + all fields present in the tree requires a visible tree, + e.g. via epan_set_always_visible(), which hurts performance.) or @@ -126,7 +134,7 @@ is a set of flags for the tap listener. The flags that can be set are: TL_REQUIRES_ERROR_PACKET set if your tap listener should be updated even when pinfo->flags.in_error_pkt is set - e.g. if it is inside an ICMP unreachable packet + e.g. if it is inside an ICMP unreachable packet. If no flags are needed, use TL_REQUIRES_NOTHING. diff --git a/doc/README.wmem b/doc/README.wmem index 8473a23b..239926b7 100644 --- a/doc/README.wmem +++ b/doc/README.wmem @@ -13,7 +13,7 @@ Correct use of these functions will make your code faster, and greatly reduce the chances that it will leak memory in exceptional cases. Wmem was originally conceived in this email to the wireshark-dev mailing list: -https://www.wireshark.org/lists/wireshark-dev/201210/msg00178.html +https://lists.wireshark.org/archives/wireshark-dev/201210/msg00178.html 2. Usage for Consumers diff --git a/doc/README.wslua b/doc/README.wslua index c26dcf93..63bc1d51 100644 --- a/doc/README.wslua +++ b/doc/README.wslua @@ -44,9 +44,8 @@ Lua tables. (you can do so, but it's not advisable) Both of the scripts above are given the C-source files to search through by the make process, generated from the lists in epan/wslua/CMakeLists.txt. Naturally if you add new source files, you need to add them to the list in -epan/wslua/CMakeLists.txt. You also have to add the module name into -docbook/user-guide.xml and docbook/wsluarm.xml, and the source files into -docbook/CMakeLists.txt, to get it to be generated in the user guide. +epan/wslua/CMakeLists.txt. You also have to add the source files into +doc/CMakeLists.txt, to get it to be generated in the user guide. Due to those documentation and registration scripts, you MUST follow some very specific conventions in the functions you write to expose C-side code to Lua, @@ -255,10 +254,10 @@ type that make-taps.py has in its Python "types" and "comments" dictionaries. Note on Lua versions: -Wireshark supports both Lua 5.1 and 5.2, which are defined as LUA_VERSION_NUM -values 501 and 502 respectively. When exposing things into Lua, make sure to +Wireshark supports both Lua 5.3 and 5.4, which are defined as LUA_VERSION_NUM +values 503 and 504 respectively. When exposing things into Lua, make sure to use ifdef wrappers for things which changed between the versions of Lua. See -this for details: http://www.lua.org/manual/5.2/manual.html#8.3 +this for details: http://www.lua.org/manual/5.3/manual.html#8.3 ============================================================================== @@ -284,16 +283,15 @@ file as that WSLUA_MODULE comment. You'll also note the documentation includes a sub-section for 'Non Method Functions', which it auto-generated from anything with a 'WSLUA_FUNCTION' macro (as opposed to class member functions, which use the 'WSLUA_METHOD' and 'WSLUA_CONSTRUCTOR' macros). Also, -to make new wslua files generate documentation, it is not sufficient to just -add this macro to a new file and add the file to the CMakeLists.txt; you also -have to add the module name into docbook/user-guide.xml, and docbook/wsluarm.xml. +to make new wslua files generate documentation, add this macro to a new file +and add the file to the doc/CMakeLists.txt. WSLUA_CONTINUE_MODULE - like WSLUA_MODULE, except used at the top of a .c file to continue defining classes/functions/etc. within a previously declared module in a previous file (i.e., one that used WSLUA_MODULE). The module name must match the original one, and the .c file must be listed after the original one in the -CMakeLists.txt lists in the docbook directory. +CMakeLists.txt lists in the doc directory. WSLUA_ATTRIBUTE - this is another documentation-only "macro", only used within diff --git a/doc/asciidoctor-macros/README.adoc b/doc/asciidoctor-macros/README.adoc new file mode 100644 index 00000000..cc5d64e5 --- /dev/null +++ b/doc/asciidoctor-macros/README.adoc @@ -0,0 +1,5 @@ +Asciidoctor macros. + +These files are available under the MIT license to match the +https://github.com/asciidoctor/asciidoctor-extensions-lab[Asciidoctor Extensions Lab] +and Asciidoctor itself. diff --git a/doc/asciidoctor-macros/commaize-block.rb b/doc/asciidoctor-macros/commaize-block.rb new file mode 100644 index 00000000..aff6a3c1 --- /dev/null +++ b/doc/asciidoctor-macros/commaize-block.rb @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: MIT +RUBY_ENGINE == 'opal' ? (require 'commaize-block/extension') : (require_relative 'commaize-block/extension') + +Extensions.register do + block CommaizeBlock +end diff --git a/doc/asciidoctor-macros/commaize-block/extension.rb b/doc/asciidoctor-macros/commaize-block/extension.rb new file mode 100644 index 00000000..710f1a7e --- /dev/null +++ b/doc/asciidoctor-macros/commaize-block/extension.rb @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include Asciidoctor + +# An extension that converts a list of lines to an inline Oxford comma-separated list. +# +# Usage +# +# [commaize] +# -- +# item1 +# item2 +# item3 +# -- +# +class CommaizeBlock < Extensions::BlockProcessor + include WsUtils + use_dsl + + named :commaize + on_contexts :paragraph, :open + # XXX What's the difference between text, raw, simple, verbatim, etc? + parse_content_as :simple + + def process(parent, reader, attrs) + lines = reader.lines + sort = attrs.fetch('sort', 'true') == 'true' + + lines = lines.reject(&:empty?) + lines = lines.map(&:strip) + lines = lines.sort_by(&:downcase) if sort + + if lines.length < 2 + create_paragraph parent, lines, attrs + elsif lines.length == 2 + create_paragraph parent, lines.join(" and "), attrs + else + commaized = lines[0..-2].join(", ") + commaized << ", and " + lines[-1] + create_paragraph parent, commaized, attrs + end + end +end diff --git a/doc/asciidoctor-macros/commaize-block/sample.adoc b/doc/asciidoctor-macros/commaize-block/sample.adoc new file mode 100644 index 00000000..9cb2e1ec --- /dev/null +++ b/doc/asciidoctor-macros/commaize-block/sample.adoc @@ -0,0 +1,31 @@ += Sorted, delimited, empty lines + +[commaize] +-- +One +two + +red + +blue +Fish +-- + += Unsorted + +[commaize, sort=false] +One +two +red +blue +Fish + += Two elements + +[commaize] +One +Two + += One element +[commaize] +Just the one diff --git a/doc/asciidoctor-macros/cveidlink-inline-macro.rb b/doc/asciidoctor-macros/cveidlink-inline-macro.rb new file mode 100644 index 00000000..beb19a3b --- /dev/null +++ b/doc/asciidoctor-macros/cveidlink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'cveidlink-inline-macro/extension') : (require_relative 'cveidlink-inline-macro/extension') + +Extensions.register do + inline_macro CVEIdLinkInlineMacro +end diff --git a/doc/asciidoctor-macros/cveidlink-inline-macro/extension.rb b/doc/asciidoctor-macros/cveidlink-inline-macro/extension.rb new file mode 100644 index 00000000..2dec88da --- /dev/null +++ b/doc/asciidoctor-macros/cveidlink-inline-macro/extension.rb @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a CVE Record identified by its CVE +# Number. +# +# Usage +# +# cveidlink:<cve-number>[] +# +class CVEIdLinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :cveidlink + + def process(parent, cvenum, _attrs) + cvename = "CVE-#{cvenum}" + target = %(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cvenum}) + create_doc_links(parent, target, cvename) + end +end diff --git a/doc/asciidoctor-macros/manarg-block.rb b/doc/asciidoctor-macros/manarg-block.rb new file mode 100644 index 00000000..07a9bf26 --- /dev/null +++ b/doc/asciidoctor-macros/manarg-block.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'manarg-block/extension') : (require_relative 'manarg-block/extension') + +Extensions.register do + block ManArgBlock +end diff --git a/doc/asciidoctor-macros/manarg-block/extension.rb b/doc/asciidoctor-macros/manarg-block/extension.rb new file mode 100644 index 00000000..2461e723 --- /dev/null +++ b/doc/asciidoctor-macros/manarg-block/extension.rb @@ -0,0 +1,45 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include Asciidoctor + +# An inline macro that generates markup for man page arguments. +# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb +# +# Usage: +# +# [manarg] +# *command* +# [ *--help* ] +# [ *--flash-lights* ] +# +class ManArgBlock < Extensions::BlockProcessor + use_dsl + + named :manarg + parse_content_as :simple + + def process parent, reader, attrs + nowrap_lines = reader.readlines.map {|line| + if parent.document.basebackend? 'html' + # Apply the custom style "[.nowrap]## ... ##" to each line. + # This generates "<span content="nowrap"> ... </span>". Pass + # each '#' through for extra paranoia. + %([.nowrap]###{line.gsub('#', '+++#+++')}##) + elsif parent.document.backend == 'manpage' + # Replace spaces with non-breaking spaces (' '), then make + # bold markup unconstrained ('*' -> '**'). For now we naively + # assume that bolds are always constrained (that is, we only + # have single '*'s). We *should* be able to do this properly + # with a regex, but for some reason + # gsub(/([^*])\*([^*])/, '\1**\2') + # doesn't match the first asterisk in "*--extcap-interface*=<interface>" + %(#{line.gsub(' ', ' ').gsub('*', '**')}) + else + line + end + } + # STDERR.puts(nowrap_lines) + create_paragraph parent, nowrap_lines, attrs + end +end diff --git a/doc/asciidoctor-macros/manarg-block/sample.adoc b/doc/asciidoctor-macros/manarg-block/sample.adoc new file mode 100644 index 00000000..5b4a4019 --- /dev/null +++ b/doc/asciidoctor-macros/manarg-block/sample.adoc @@ -0,0 +1,19 @@ += androiddump(1) +:doctype: manpage + +== NAME + +sample - Sample man page + +== SYNOPSIS + +[manarg] +*androiddump* +*--mandatory-argument +[ *--optional-argument* ] +*--complex-mandatory*=<argument> +[ *--complex-optional*=<argument> ] + +== DESCRIPTION + +Sample man page. diff --git a/doc/asciidoctor-macros/ws_utils.rb b/doc/asciidoctor-macros/ws_utils.rb new file mode 100644 index 00000000..9a4551a0 --- /dev/null +++ b/doc/asciidoctor-macros/ws_utils.rb @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: MIT +module WsUtils + def create_doc_links(parent, target, text) + if (parent.document.basebackend? 'docbook') || (parent.document.basebackend? 'html') + parent.document.register :links, target + create_anchor(parent, text, type: :link, target: target).render.to_s + elsif parent.document.backend == 'manpage' + "\\fB#{text}" + else + text + end + end +end diff --git a/doc/asciidoctor-macros/wsbuglink-inline-macro.rb b/doc/asciidoctor-macros/wsbuglink-inline-macro.rb new file mode 100644 index 00000000..3f192aab --- /dev/null +++ b/doc/asciidoctor-macros/wsbuglink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'wsbuglink-inline-macro/extension') : (require_relative 'wsbuglink-inline-macro/extension') + +Extensions.register do + inline_macro WSBugLinkInlineMacro +end diff --git a/doc/asciidoctor-macros/wsbuglink-inline-macro/extension.rb b/doc/asciidoctor-macros/wsbuglink-inline-macro/extension.rb new file mode 100644 index 00000000..6cdb665b --- /dev/null +++ b/doc/asciidoctor-macros/wsbuglink-inline-macro/extension.rb @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a Wireshark bug report. +# +# Usage +# +# wsbuglink:<number>[<issue text>] +# Default bug text is "Issue <number>". +# +class WSBugLinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :wsbuglink + parse_content_as :text + name_positional_attributes 'bugtext' + + def process(parent, issueid, attrs) + bugtext = attrs['bugtext'] || %(Issue #{issueid}) + target = %(https://gitlab.com/wireshark/wireshark/-/issues/#{issueid}) + create_doc_links(parent, target, bugtext) + end +end diff --git a/doc/asciidoctor-macros/wssalink-inline-macro.rb b/doc/asciidoctor-macros/wssalink-inline-macro.rb new file mode 100644 index 00000000..3172ea50 --- /dev/null +++ b/doc/asciidoctor-macros/wssalink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'wssalink-inline-macro/extension') : (require_relative 'wssalink-inline-macro/extension') + +Extensions.register do + inline_macro WSSALinkInlineMacro +end diff --git a/doc/asciidoctor-macros/wssalink-inline-macro/extension.rb b/doc/asciidoctor-macros/wssalink-inline-macro/extension.rb new file mode 100644 index 00000000..3af9c8f3 --- /dev/null +++ b/doc/asciidoctor-macros/wssalink-inline-macro/extension.rb @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a Wireshark Security Advisory. +# +# Usage +# +# wssalink:<dddd>[] +# +class WSSALinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :'wssalink' + + def process(parent, sanum, attrs) + satext = "wnpa-sec-#{sanum}" + target = %(https://www.wireshark.org/security/wnpa-sec-#{sanum}) + create_doc_links(parent, target, satext) + end +end diff --git a/doc/asciidoctor-themes/wsug-theme.yml b/doc/asciidoctor-themes/wsug-theme.yml new file mode 100644 index 00000000..d45e4307 --- /dev/null +++ b/doc/asciidoctor-themes/wsug-theme.yml @@ -0,0 +1,12 @@ +extends: default-with-fallback-font + +font: + catalog: + merge: true + Noto Sans Symbols: NotoSansSymbols-VariableFont_wght.ttf + Noto Sans Math: NotoSansMath-Regular.ttf + fallbacks: + - M+ 1p Fallback + - Noto Emoji + - Noto Sans Symbols + - Noto Sans Math diff --git a/doc/attributes.adoc b/doc/attributes.adoc new file mode 100644 index 00000000..4a58a2a3 --- /dev/null +++ b/doc/attributes.adoc @@ -0,0 +1,113 @@ +// Common attributes + +:wireshark-version: 4.4.0 +:logray-version: 0.9.0 + +// Required for btn, kbd:, and menu: macros. +:experimental: + +// We want footers (which include page numbers) in our PDF output but +// not elsewhere, particularly in our man pages. +// We could use the "reproducible" attribute here, but it generates an +// empty black box. +ifndef::backend-pdf[] +:nofooter: +endif::[] + +// Create PA4 (210 × 280mm) pages: https://en.wikipedia.org/wiki/Paper_size#PA4_or_L4 +// This is the approximate intersection of A4 (210 × 297mm) and U.S. Letter +// (216 × 279mm). +:pdf-page-size: 210mm x 280mm + +// Include glyphs for up/down arrows +// We have a custom theme that adds fallback fonts for more symbols, +// like ⌃ and ⌄ (Up Arrowhead and Down Arrowhead), but setting the +// proper directory to look for theme so that it will work for all +// documents is somewhat annoying and done in FindAsciidoctor.cmake +// This built-in theme should be an acceptable fallback when not +// using the CMake target. +:pdf-theme: default-with-fallback-font + +// +// URLs +// + +// Wireshark top level URLs (sites) +:wireshark-main-url: https://www.wireshark.org/ +:wireshark-gitlab-project-url: https://gitlab.com/wireshark/wireshark +:wireshark-qa-url: https://ask.wireshark.org/ +:wireshark-foundation-url: https://wiresharkfoundation.org/ +:sharkfest-url: https://sharkfest.wireshark.org/ +:wireshark-wiki-url: https://wiki.wireshark.org/ + +// Wireshark secondary URLs (pages) +:wireshark-bugs-url: {wireshark-gitlab-project-url}/-/issues +:wireshark-code-review-url: {wireshark-gitlab-project-url}/-/merge_requests +:wireshark-authors-url: {wireshark-main-url}about.html#authors +:wireshark-code-browse-url: {wireshark-gitlab-project-url}/-/tree/master +:wireshark-code-file-url: {wireshark-gitlab-project-url}/-/blob/master/ +:wireshark-commits-url: {wireshark-gitlab-project-url}/-/commits/master +:wireshark-merge-request-url: {wireshark-gitlab-project-url}/-/merge_requests +:wireshark-developers-guide-url: {wireshark-main-url}docs/wsdg_html_chunked/ +:wireshark-display-filter-reference-url: {wireshark-main-url}docs/dfref/ +:wireshark-download-url: {wireshark-main-url}download.html +:wireshark-faq-url: {wireshark-main-url}faq.html +:wireshark-git-anonhttp-url: https://gitlab.com/wireshark/wireshark.git +:wireshark-git-ssh-url: \git@gitlab.com:wireshark/wireshark.git +:wireshark-mailing-lists-url: {wireshark-main-url}lists/ +:wireshark-man-page-url: {wireshark-main-url}docs/man-pages/ +:wireshark-snapshots-url: {wireshark-main-url}download/automated/src/ +:wireshark-users-guide-url: {wireshark-main-url}docs/wsug_html_chunked/ +:wireshark-wiki-moin-import-url: {wireshark-wiki-url}uploads/__moin_import__/attachments/ + +// External URLs +:tcpdump-main-url: https://www.tcpdump.org/ +:pcap-filter-man-page-url: {tcpdump-main-url}manpages/pcap-filter.7.html +:tcpdump-man-page-url: {tcpdump-main-url}manpages/tcpdump.1.html + +:npcap-main-url: https://npcap.com/ +:npcap-development-url: https://github.com/nmap/npcap +:npcap-license-url: https://raw.githubusercontent.com/nmap/npcap/master/LICENSE +:vcpkg-main-url: https://github.com/Microsoft/vcpkg/ + +:sysfs-main-url: http://linux-diag.sourceforge.net/Sysfsutils.html +:wikipedia-main-url: https://en.wikipedia.org/wiki/ +:pcre2pattern-url: https://www.pcre.org/current/doc/html/pcre2pattern.html + +:greenwichmeantime-main-url: https://wwp.greenwichmeantime.com/ +:timeanddate-main-url: https://www.timeanddate.com/worldclock/ +:ntp-main-url: http://www.ntp.org/ + +:gplv2-url: https://www.gnu.org/licenses/gpl-2.0.html +:spdx-license-url: https://spdx.org/licenses/ + +// Email addresses +:at-separator: [AT] +:wireshark-dev-list-email: wireshark-dev{at-separator}wireshark.org +:wsdg-author-email: ulf.lamping{at-separator}web.de +:wsdg-author-email2: graham.bloice{at-separator}trihedral.com + +:wsug-author-email: ulf.lamping{at-separator}web.de +:wsug-author-email2: rsharpe{at-separator}ns.aus.com +:wsug-author-email3: hagbard{at-separator}physics.rutgers.edu +:wsug-author-email4: luis{at-separator}ontanon.org + +// +// Image formatting +// + +// "scaledwidth" only applies to PDF output +:pdf-scaledwidth: scaledwidth="85%" +:screenshot-attrs: scaledwidth="85%" +:medium-screenshot-attrs: scaledwidth="60%" +:small-screenshot-attrs: scaledwidth="35%" +:related-attrs: height=18 +// XXX height=22 results in content-height="22px" in the .fo file. Not sure +// how to make scaledwidth take precedence. +:statusbar-attrs: scaledwidth="85%",height=22 + +:multiplication: × +:underscore: _ +:cmd: ⌘ + +:missing: Not yet written. If you would like to fix this, see https://gitlab.com/wireshark/wireshark/-/wikis/Development/SubmittingPatches. diff --git a/doc/common_src/gpl_appendix.adoc b/doc/common_src/gpl_appendix.adoc new file mode 100644 index 00000000..83744d3f --- /dev/null +++ b/doc/common_src/gpl_appendix.adoc @@ -0,0 +1,355 @@ +// Wireshark GPL Appendix + +[[AppGPL]] +== This Document’s License (GPL) + +As with the original license and documentation distributed +with Wireshark, this document is covered by the GNU General Public +License (GNU GPL). + +If you haven't read the GPL before, please do so. It +explains all the things that you are allowed to do with this +code and documentation. + +---- + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. +---- diff --git a/doc/common_src/typographic_conventions.adoc b/doc/common_src/typographic_conventions.adoc new file mode 100644 index 00000000..dae74595 --- /dev/null +++ b/doc/common_src/typographic_conventions.adoc @@ -0,0 +1,99 @@ +[[PrefaceTypographicConventions]] + +=== Typographic Conventions + +The following table shows the typographic conventions that are used in this guide. + +// https://github.com/oreillymedia/orm_book_samples/blob/master/asciidoc_only/preface.asciidoc + +// AsciiDoc allows alternative markup for some styles, specifically +// 'single quotes' and _underlines_ for italics and +plus signs+ and +// `backticks` for monospaces. +// Asciidoctor’s modern mode is more strict, and only allows _underline_ +// italics and `backtick` monospaces. +// https://asciidoctor.org/docs/migration/ + +.Typographic Conventions +[options="header",cols="1,3,3"] +|=== +|Style|Description|Example +|_Italic_ |File names, folder names, and extensions |_C:\Development\wireshark_. +|`Monospace` |Commands, flags, and environment variables|CMake’s `-G` option. +|**`Bold Monospace`** |Commands that should be run by the user|Run **`cmake -G Ninja ..`**. +|btn:[Button] |Dialog and window buttons |Press btn:[Launch] to go to the Moon. +|kbd:[Key] |Keyboard shortcut |Press kbd:[Ctrl+Down] to move to the next packet. +|menu:Menu[] |Menu item |Select menu:Go[Next Packet] to move to the next packet. +|=== + +==== Admonitions + +Important and notable items are marked as follows: + +[WARNING] +.This is a warning +==== +You should pay attention to a warning, otherwise data loss might occur. +==== + +[CAUTION] +.This is a caution +==== +Act carefully (i.e., exercise care). +==== + +[IMPORTANT] +.This is important information +==== +RTFM - Read The Fine Manual +==== + +[TIP] +.This is a tip +==== +Tips are helpful for your everyday work using Wireshark. +==== + +[NOTE] +.This is a note +==== +A note will point you to common mistakes and things that might not be obvious. +==== + +==== Shell Prompt and Source Code Examples + +.Bourne shell, normal user +---- +$ # This is a comment +$ git config --global log.abbrevcommit true +---- + +.Bourne shell, root user +---- +# # This is a comment +# ninja install +---- + +.Command Prompt (cmd.exe) +---- +>rem This is a comment +>cd C:\Development +---- + +.PowerShell +---- +PS$># This is a comment +PS$> choco list -l +---- + +.C Source Code +---- +#include "config.h" + +/* This method dissects foos */ +static int +dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) +{ + /* TODO: implement your dissecting code */ + return tvb_captured_length(tvb); +} +---- diff --git a/doc/custom_layer_single_html.xsl b/doc/custom_layer_single_html.xsl new file mode 100644 index 00000000..bdd136d8 --- /dev/null +++ b/doc/custom_layer_single_html.xsl @@ -0,0 +1,16 @@ +<?xml version='1.0'?> +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + version="1.0"> + +<!-- copied from custom_layer_chm.xsl --> + +<!-- import the main stylesheet --> +<xsl:import href="http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl"/> + +<xsl:output + method="html" + encoding="UTF-8" + indent="yes" + /> + +</xsl:stylesheet> diff --git a/doc/extcap_example.py b/doc/extcap_example.py index 8c4a6b6d..60ec7e93 100755 --- a/doc/extcap_example.py +++ b/doc/extcap_example.py @@ -9,7 +9,7 @@ # SPDX-License-Identifier: GPL-2.0-or-later # -""" +r""" This is a generic example, which produces pcap packages every n seconds, and is configurable via extcap options. @@ -36,7 +36,6 @@ import re import argparse import time import struct -import array from threading import Thread ERROR_USAGE = 0 @@ -504,7 +503,7 @@ if __name__ == '__main__': if len(unknown) > 1: print("Extcap Example %d unknown arguments given" % len(unknown)) - m = re.match('example(\d+)', args.extcap_interface) + m = re.match(r'example(\d+)', args.extcap_interface) if not m: sys.exit(ERROR_INTERFACE) interface = m.group(1) diff --git a/doc/falcodump.adoc b/doc/falcodump.adoc deleted file mode 100644 index cecca017..00000000 --- a/doc/falcodump.adoc +++ /dev/null @@ -1,145 +0,0 @@ -include::../docbook/attributes.adoc[] -= falcodump(1) -:doctype: manpage -:stylesheet: ws.css -:linkcss: -:copycss: ../docbook/{stylesheet} - -== NAME - -falcodump - Dump log data to a file using a Falco source plugin. - -== SYNOPSIS - -[manarg] -*falcodump* -[ *--help* ] -[ *--version* ] -[ *--plugin-api-version* ] -[ *--extcap-interfaces* ] -[ *--extcap-dlts* ] -[ *--extcap-interface*=<interface> ] -[ *--extcap-config* ] -[ *--extcap-capture-filter*=<capture filter> ] -[ *--capture* ] -[ *--fifo*=<path to file or pipe> ] -[ *--plugin-source*=<source path or URL> ] - -== DESCRIPTION - -*falcodump* is an extcap tool that allows one to capture log messages from cloud providers. - -Each plugin is listed as a separate interface. -For example, the AWS CloudTrail plugin is listed as “cloudtrail”. - -== OPTIONS - ---help:: -Print program arguments. -This will also list the configuration arguments for each plugin. - ---version:: -Print the program version. - ---plugin-api-version:: -Print the Falco plugin API version. - ---extcap-interfaces:: -List the available interfaces. - ---extcap-interface=<interface>:: -Use the specified interface. - ---extcap-dlts:: -List the DLTs of the specified interface. - ---extcap-config:: -List the configuration options of specified interface. - ---extcap-capture-filter=<capture filter>:: -The capture filter. -Must be a valid Sysdig / Falco filter. - ---capture:: -Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo. - ---fifo=<path to file or pipe>:: -Save captured packet to file or send it through pipe. - ---plugin-source=<source path or URL>:: -Capture from the specified location. - -== PLUGINS - -=== cloudtrail (AWS CloudTrail) - -CloudTrail sources can be S3 buckets or SQS queue URLs. S3 bucket URLs have the form - -s3://__bucket_name__/AWSLogs/__id__/CloudTrail/__region__/__year__/_month_/__day__ - -The __region__, __year__, _month_, and __day__ components can be omitted in order to fetch more or less data. -For example, the source s3://mybucket/AWSLogs/012345678/CloudTrail/us-west-2/2023 will fetch all CloudWatch logs for the year 2023. - -The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/[environment variables and configuration files]. -Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well. - -== EXAMPLES - -To see program arguments: - - falcodump --help - -To see program version: - - falcodump --version - -To see interfaces: - - falcodump --extcap-interfaces - -Only one interface (falcodump) is supported. - -.Example output - interface {value=cloudtrail}{display=Falco plugin} - -To see interface DLTs: - - falcodump --extcap-interface=cloudtrail --extcap-dlts - -.Example output - dlt {number=147}{name=cloudtrail}{display=USER0} - -To see interface configuration options: - - falcodump --extcap-interface=cloudtrail --extcap-config - -.Example output - arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture} - arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture} - arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture} - arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture} - -To capture AWS CloudTrail events from an S3 bucket: - - falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture - -NOTE: kbd:[CTRL+C] should be used to stop the capture in order to ensure clean termination. - -== SEE ALSO - -xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4) -//, xref:logray.html[logray](1) - -== NOTES - -*falcodump* is part of the *Logray* distribution. -The latest version of *Logray* can be found at https://www.wireshark.org. - -HTML versions of the Wireshark project man pages are available at -https://www.wireshark.org/docs/man-pages. - -== AUTHORS - -.Original Author -[%hardbreaks] -Gerald Combs <gerald[AT]wireshark.org> diff --git a/doc/faq.adoc b/doc/faq.adoc new file mode 100644 index 00000000..9173e615 --- /dev/null +++ b/doc/faq.adoc @@ -0,0 +1,1084 @@ +include::attributes.adoc[] +:stylesheet: ws.css +:linkcss: +:copycss: {css_dir}/{stylesheet} +:toc: + += Wireshark Frequently Asked Questions + +== General Questions + +=== What is Wireshark? + +Wireshark® is a network protocol analyzer. It lets you capture and +interactively browse the traffic running on a computer network. It has a +rich and powerful feature set and is world's most popular tool of its +kind. It runs on most computing platforms including Windows, macOS, +Linux, and UNIX. Network professionals, security experts, developers, +and educators around the world use it regularly. It is freely available +as open source, and is released under the GNU General Public License +version 2. + +It is developed and maintained by a global team of protocol experts, +and it is an example of a +https://en.wikipedia.org/wiki/Disruptive_technology[disruptive +technology]. + +Wireshark used to be known as Ethereal®. See the next question for +details about the name change. If you're still using Ethereal, it is +strongly recommended that you upgrade to Wireshark as Ethereal is +unsupported and has known security vulnerabilities. + +For more information, please see the +https://www.wireshark.org/about.html[About Wireshark] page. + +[#wheretogethelp] +=== Where can I get help? + +Community support is available on the https://ask.wireshark.org/[Q&A site] and on the wireshark-users mailing list. +Subscription information and archives for all of Wireshark's mailing lists can be found at https://lists.wireshark.org/. +// An IRC channel dedicated to Wireshark can be found at +// irc://irc.freenode.net/wireshark[irc://irc.freenode.net/wireshark]. + +=== What kind of shark is Wireshark? + +_carcharodon photoshopia_. + +=== How is Wireshark pronounced, spelled and capitalized? + +Wireshark is pronounced as the word _wire_ followed immediately by +the word _shark_. Exact pronunciation and emphasis may vary depending on +your locale (e.g. Arkansas). + +It's spelled with a capital _W_, followed by a lower-case _ireshark_. +It is not a CamelCase word, i.e., _WireShark_ is incorrect. + +=== How much does Wireshark cost? + +Wireshark is "free software"; you can download it without paying any +license fee. The version of Wireshark you download isn't a "demo" +version, with limitations not present in a "full" version; it _is_ the +full version. + +The license under which Wireshark is issued is +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public License +version 2]. See +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[the GNU GPL +FAQ] for some more information. + +=== But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off? + +That depends. Did they provide any sort of value-added product or +service, such as installation support, installation media, training, +trace file analysis, or funky-colored shark-themed socks? Probably not. + +Wireshark is https://www.wireshark.org/download.html[available for +anyone to download, absolutely free, at any time]. Paying for a copy +implies that you should get something for your money. + +=== Can I use Wireshark commercially? + +Yes, if, for example, you mean "I work for a commercial organization; +can I use Wireshark to capture and analyze network traffic in our +company's networks or in our customer's networks?" + +If you mean "Can I use Wireshark as part of my commercial product?", +see link:#derived_work_gpl[the next entry in the FAQ]. + +=== Can I use Wireshark as part of my commercial product? + +As noted, Wireshark is licensed under +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public +License, version 2]. The GPL imposes conditions on your use of GPL'ed +code in your own products; you cannot, for example, make a "derived +work" from Wireshark, by making modifications to it, and then sell the +resulting derived work and not allow recipients to give away the +resulting work. You must also make the changes you've made to the +Wireshark source available to all recipients of your modified version; +those changes must also be licensed under the terms of the GPL. See the +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[GPL FAQ] for +more details; in particular, note the answer to +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLCommercially[the +question about modifying a GPLed program and selling it commercially], +and +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#LinkingWithGPL[the +question about linking GPLed code with other code to make a proprietary +program]. + +You can combine a GPLed program such as Wireshark and a commercial +program as long as they communicate "at arm's length", as per +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLInProprietarySystem[this +item in the GPL FAQ]. + +We recommend keeping Wireshark and your product completely separate, +communicating over sockets or pipes. If you're loading any part of +Wireshark as a DLL, you're probably doing it wrong. + +=== Can you help me fill out this compliance form so that I can use Wireshark? + +// While we try to make sure that Wireshark is as easy as possible to obtain and use, please keep in mind that it’s developed by a team of volunteers and that filling out compliance forms is pretty far beyond the scope of what those volunteers do. + +Please contact the https://wiresharkfoundation.org[Wireshark Foundation] and they will be able to help you for a nominal fee. + +=== Can you sign this legal agreement so that I can use Wireshark? + +// As with the previous question, Wireshark is developed by a team of volunteers. +// Even if they were inclined to do so, they aren’t authorized to sign agreements on behalf of the project. + +Please contact the https://wiresharkfoundation.org[Wireshark Foundation] and they will be able to help you for a somewhat less nominal fee. + +=== What protocols are currently supported? + +There are currently hundreds of supported protocols and media. +Details can be found in the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page. + +=== Are there any plans to support {your favorite protocol}? + +Support for particular protocols is added to Wireshark as a result of +people contributing that support; no formal plans for adding support for +particular protocols in particular future releases exist. + +=== Can Wireshark read capture files from {your favorite network analyzer}? + +Support for particular capture file formats is added to Wireshark as +a result of people contributing that support; no formal plans for adding +support for particular capture file formats in particular future +releases exist. + +If a network analyzer writes out files in a format already supported by +Wireshark (e.g., in libpcap format), Wireshark may already be able to +read them, unless the analyzer has added its own proprietary extensions +to that format. + +If a network analyzer writes out files in its own format, or has added +proprietary extensions to another format, in order to make Wireshark +read captures from that network analyzer, we would either have to have a +specification for the file format, or the extensions, sufficient to give +us enough information to read the parts of the file relevant to +Wireshark, or would need at least one capture file in that format *AND* +a detailed textual analysis of the packets in that capture file (showing +packet time stamps, packet lengths, and the top-level packet header) in +order to reverse-engineer the file format. + +Note that there is no guarantee that we will be able to +reverse-engineer a capture file format. + +=== What devices can Wireshark use to capture packets? + +Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial +(PPP and SLIP) (if the OS on which it's running allows Wireshark to do +so), 802.11 wireless LAN (if the OS on which it's running allows +Wireshark to do so), ATM connections (if the OS on which it's running +allows Wireshark to do so), and the "any" device supported on Linux by +recent versions of libpcap. + +See {wireshark-wiki-url}CaptureSetup/NetworkMedia[the list of +supported capture media on various OSes] for details (several items in +there say "Unknown", which doesn't mean "Wireshark can't capture on +them", it means "we don't know whether it can capture on them"; we +expect that it will be able to capture on many of them, but we haven't +tried it ourselves - if you try one of those types and it works, please +update the wiki page accordingly. + +It can also read a variety of capture file formats, including: + +* pcap, used by libpcap, tcpdump and various other tools +* Oracle (previously Sun) snoop and atmsnoop captures +* Finisar (previously Shomiti) Surveyor captures +* Microsoft Network Monitor captures +* Novell LANalyzer captures +* AIX's iptrace captures +* Cinco Networks NetXRay captures +* NETSCOUT (previously Network Associates/Network General) Windows-based +Sniffer captures +* Network General/Network Associates DOS-based Sniffer captures +(compressed or uncompressed) +* LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/Packet Grabber +captures +* RADCOM's WAN/LAN analyzer captures +* Viavi (previously Network Instruments) Observer captures +* Lucent/Ascend router debug output +* Toshiba's ISDN routers dump output +* captures from HP-UX nettl +* the output from i4btrace from the ISDN4BSD project +* traces from the EyeSDN USB S0 +* the IPLog format output from the Cisco Secure Intrusion Detection System +* pppd logs (pppdump format) +* the text output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities +* the text output from the DBS Etherwatch VMS utility +* Visual Networks' Visual UpTime traffic capture +* the output from CoSine L2 debug +* the output from InfoVista (formerly Accellent) 5Views LAN agents +* Endace Measurement Systems' ERF format captures +* Linux Bluez Bluetooth stack hcidump -w traces +* Catapult DCT2000 .out files +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) +* Juniper Netscreen snoop files +* Symbian OS btsnoop files +* TamoSoft CommView files +* Tektronix K12xx 32bit .rf5 format files +* Tektronix K12 text file format captures +* Apple PacketLogger files +* Files from Aethra Telecommunications' PC108 software for their test +instruments +* Citrix NetScaler Trace files +* Android Logcat binary and text format logs +* Colasoft Capsa and Packet Builder captures +* Micropross mplog files +* Unigraf DPA-400 DisplayPort AUX channel monitor traces +* 802.15.4 traces from Daintree's Sensor Network Analyzer +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 +* Log files from the _candump_ utility +* Logs from the BUSMASTER tool +* Ixia IxVeriWave raw captures +* Rabbit Labs CAM Inspector files +* systemd journal files +* 3GPP TS 32.423 trace files + +so that it can read traces from various network types, as captured by +other applications or equipment, even if it cannot itself capture on +those network types. + +=== Does Wireshark work on older versions of Windows such as Windows 7? + +Each major release branch of Wireshark supports the versions of Windows that are within their product lifecycle at the time of the “.0” release for that branch. +For example, Wireshark 3.2.0 was released in December 2019, shortly before Windows 7 reached the end of its extended support in January 2020. As a result, each of the Wireshark 3.2._x_ releases supports Windows 7, even after January 2020. +See the +link:{wireshark-users-guide-url}ChIntroPlatforms.html[Microsoft Windows section of the User’s Guide] +and the +link:{wireshark-wiki-url}Development/LifeCycle[End Of Life Planning section of the Release Life Cycle wiki page] +for more details. + +Npcap might not work well on Windows 8 and earlier, so you might want to install WinPcap instead. + +== Installing Wireshark + +=== I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark? + +Many distributions have separate Wireshark packages, one for non-GUI +components such as TShark, editcap, dumpcap, etc. and one for the GUI. +If this is the case on your system, there's probably a separate package +named “wireshark-qt”. Find it and install it. + +== Building Wireshark + +=== Why does building Wireshark fail due to missing headers (.h files)? + +If this is happening on Linux, it's likely due to missing development library packages. +For example, Debian and Ubuntu ship the GLib library in the libglib2.0-0 package, but ship its header files and other development assets in the libglib2.0-dev package. + +We maintain setup scripts (_*-setup.sh_) for many major distributions in the _tools_ directory of the Wireshark sources that can install the required development packages for you. + +== Crashes and other fatal errors + +=== I have an _XXX_ network card on my machine; if I try to capture on it, why does my machine crash or reset itself? + +This is almost certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap/Npcap library and, if this is Windows, the Npcap device +driver; + +so: + +* if you are using Windows, see {npcap-main-url}[the Npcap support page] - check the "Patches, Bug Reports, Questions, Suggestions, +etc" section; +* if you are using some Linux distribution, some version of BSD, or some +other UNIX-flavored OS, you should report the problem to the company or +organization that produces the OS (in the case of a Linux distribution, +report the problem to whoever produces the distribution). + +=== Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu? + +Both of those operations cause Wireshark to try to build a list of +the interfaces that it can open; it does so by getting a list of +interfaces and trying to open them. There is probably an OS, driver, or, +for Windows, Npcap bug that causes the system to crash when this +happens; see the previous question. + +== Capturing packets + +[#promiscsniff] +=== When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor? + +This might be because the interface on which you're capturing is +plugged into an Ethernet or Token Ring switch; on a switched network, +unicast traffic between two ports will not necessarily appear on other +ports - only broadcast and multicast traffic will be sent to all ports. + +Note that even if your machine is plugged into a hub, the "hub" may be +a switched hub, in which case you're still on a switched network. + +Note also that on the Linksys Web site, they say that their +auto-sensing hubs "broadcast the 10Mb packets to the port that operate +at 10Mb only and broadcast the 100Mb packets to the ports that operate +at 100Mb only", which would indicate that if you sniff on a 10Mb port, +you will not see traffic coming sent to a 100Mb port, and _vice versa_. +This problem has also been reported for Netgear dual-speed hubs, and may +exist for other "auto-sensing" or "dual-speed" hubs. + +Some switches have the ability to replicate all traffic on all ports to +a single port so that you can plug your analyzer into that single port +to sniff all traffic. You would have to check the documentation for the +switch to see if this is possible and, if so, to see how to do this. See +{wireshark-wiki-url}SwitchReference[the switch reference page] on +{wireshark-wiki-url}[the Wireshark Wiki] for information on some +switches. (Note that it's a Wiki, so you can update or fix that +information, or add additional information on those switches or +information on new switches, yourself.) + +Note also that many firewall/NAT boxes have a switch built into them; +this includes many of the "cable/DSL router" boxes. If you have a box of +that sort, that has a switch with some number of Ethernet ports into +which you plug machines on your network, and another Ethernet port used +to connect to a cable or DSL modem, you can, at least, sniff traffic +between the machines on your network and the Internet by plugging the +Ethernet port on the router going to the modem, the Ethernet port on the +modem, and the machine on which you're running Wireshark into a hub +(make sure it's not a switching hub, and that, if it's a dual-speed hub, +all three of those ports are running at the same speed. + +If your machine is _not_ plugged into a switched network or a +dual-speed hub, or it is plugged into a switched network but the port is +set up to have all traffic replicated to it, the problem might be that +the network interface on which you're capturing doesn't support +"promiscuous" mode, or because your OS can't put the interface into +promiscuous mode. Normally, network interfaces supply to the host only: + +* packets sent to one of that host's link-layer addresses; +* broadcast packets; +* multicast packets sent to a multicast address that the host has +configured the interface to accept. + +Most network interfaces can also be put in "promiscuous" mode, in which +they supply to the host all network packets they see. Wireshark will try +to put the interface on which it's capturing into promiscuous mode +unless the "Capture packets in promiscuous mode" option is turned off in +the "Capture Options" dialog box, and TShark will try to put the +interface on which it's capturing into promiscuous mode unless the `-p` +option was specified. However, some network interfaces don't support +promiscuous mode, and some OSes might not allow interfaces to be put +into promiscuous mode. + +If the interface is not running in promiscuous mode, it won't see any +traffic that isn't intended to be seen by your machine. It *will* see +broadcast packets, and multicast packets sent to a multicast MAC address +the interface is set up to receive. + +You should ask the vendor of your network interface whether it supports +promiscuous mode. If it does, you should ask whoever supplied the driver +for the interface (the vendor, or the supplier of the OS you're running +on your machine) whether it supports promiscuous mode with that network +interface. + +In the case of wireless LAN interfaces, it appears that, when those +interfaces are promiscuously sniffing, they're running in a +significantly different mode from the mode that they run in when they're +just acting as network interfaces (to the extent that it would be a +significant effort for those drivers to support for promiscuously +sniffing _and_ acting as regular network interfaces at the same time), +so it may be that Windows drivers for those interfaces don't support +promiscuous mode. + +=== When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets? + +You're probably not seeing _any_ packets other than unicast packets +to or from your machine, and broadcast and multicast packets; a switch +will normally send to a port only unicast traffic sent to the MAC +address for the interface on that port, and broadcast and multicast +traffic - it won't send to that port unicast traffic sent to a MAC +address for some other interface - and a network interface not in +promiscuous mode will receive only unicast traffic sent to the MAC +address for that interface, broadcast traffic, and multicast traffic +sent to a multicast MAC address the interface is set up to receive. + +TCP doesn't use broadcast or multicast, so you will only see your own +TCP traffic, but UDP services may use broadcast or multicast so you'll +see some UDP traffic - however, this is not a problem with TCP traffic, +it's a problem with unicast traffic, as you also won't see all UDP +traffic between other machines. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I only seeing ARP packets when I try to capture traffic? + +You're probably on a switched network, and running Wireshark on a +machine that's not sending traffic to the switch and not being sent any +traffic from other machines on the switch. ARP packets are often +broadcast packets, which are sent to all switch ports. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I not seeing any traffic when I try to capture traffic? + +Is the machine running Wireshark sending out any traffic on the +network interface on which you're capturing, or receiving any traffic on +that network, or is there any broadcast traffic on the network or +multicast traffic to a multicast group to which the machine running +Wireshark belongs? + +If not, this may just be a problem with promiscuous sniffing, either +due to running on a switched network or a dual-speed hub, or due to +problems with the interface not supporting promiscuous mode; see the +response to link:#promiscsniff[this earlier question]. + +Otherwise, on Windows, see the response to link:#capprobwin[this +question] and, on a UNIX-flavored OS, see the response to +link:#capprobunix[this question]. + +=== How do I put an interface into promiscuous mode? + +By not disabling promiscuous mode when running Wireshark or TShark. + +Note, however, that: + +* the form of promiscuous mode that libpcap (the library that programs +such as tcpdump, Wireshark, etc. use to do packet capture) turns on will +*not* necessarily be shown if you run `ifconfig` on the interface on a +UNIX system; +* some network interfaces might not support promiscuous mode, and some +drivers might not allow promiscuous mode to be turned on - see +link:#promiscsniff[this earlier question] for more information on that; +* the fact that you're not seeing any traffic, or are only seeing +broadcast traffic, or aren't seeing any non-broadcast traffic other than +traffic to or from the machine running Wireshark, does not mean that +promiscuous mode isn't on - see link:#promiscsniff[this earlier +question] for more information on that. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== I can set a display filter just fine; why don't capture filters work? + +Capture filters currently use a different syntax than display +filters. Here's the corresponding section from the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page: + +"Display filters in Wireshark are very powerful; more fields are +filterable in Wireshark than in other protocol analyzers, and the syntax +you can use to create your filters is richer. As Wireshark progresses, +expect more and more protocol fields to be allowed in display filters. + +Packet capturing is performed with the pcap library. The capture filter +syntax follows the rules of the pcap library. This syntax is different +from the display filter syntax." + +The capture filter syntax used by libpcap can be found in the +http://www.tcpdump.org/tcpdump_man.html[tcpdump(8)] man page. + +=== How can I capture packets with CRC errors? + +Wireshark can capture only the packets that the packet capture +library - libpcap on UNIX-flavored OSes, and the Npcap port to Windows +of libpcap on Windows - can capture, and libpcap/Npcap can capture only +the packets that the OS's raw packet capture mechanism (or the Npcap +driver, and the underlying OS networking code and network interface +drivers, on Windows) will allow it to capture. + +Unless the OS always supplies packets with errors such as invalid CRCs +to the raw packet capture mechanism, or can be configured to do so, +invalid CRCs to the raw packet capture mechanism, Wireshark - and other +programs that capture raw packets, such as tcpdump - cannot capture +those packets. You will have to determine whether your OS needs to be so +configured and, if so, can be so configured, configure it if necessary +and possible, and make whatever changes to libpcap and the packet +capture program you're using are necessary, if any, to support capturing +those packets. + +Most OSes probably do *not* support capturing packets with invalid CRCs +on Ethernet, and probably do not support it on most other link-layer +types. Some drivers on some OSes do support it, such as some Ethernet +drivers on FreeBSD; in those OSes, you might always get those packets, +or you might only get them if you capture in promiscuous mode (you'd +have to determine which is the case). + +Note that libpcap does not currently supply to programs that use it an +indication of whether the packet's CRC was invalid (because the drivers +themselves do not supply that information to the raw packet capture +mechanism); therefore, Wireshark will not indicate which packets had CRC +errors unless the FCS was captured (see the next question) and you're +using Wireshark 0.9.15 and later, in which case Wireshark will check the +CRC and indicate whether it's correct or not. + +=== How can I capture entire frames, including the FCS? + +Wireshark can only capture data that the packet capture library - +libpcap on UNIX-flavored OSes, and the Npcap port to Windows of libpcap +on Windows - can capture, and libpcap/Npcap can capture only the data +that the OS's raw packet capture mechanism (or the Npcap driver, and the +underlying OS networking code and network interface drivers, on Windows) +will allow it to capture. + +For any particular link-layer network type, unless the OS supplies the +FCS of a frame as part of the frame, or can be configured to do so, +Wireshark - and other programs that capture raw packets, such as tcpdump +- cannot capture the FCS of a frame. You will have to determine whether +your OS needs to be so configured and, if so, can be so configured, +configure it if necessary and possible, and make whatever changes to +libpcap and the packet capture program you're using are necessary, if +any, to support capturing the FCS of a frame. + +Most OSes do *not* support capturing the FCS of a frame on Ethernet, +and probably do not support it on most other link-layer types. Some +drivers on some OSes do support it, such as some (all?) Ethernet drivers +on NetBSD and possibly the driver for Apple's gigabit Ethernet interface +in macOS; in those OSes, you might always get the FCS, or you might only +get the FCS if you capture in promiscuous mode (you'd have to determine +which is the case). + +Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in +a captured packet as an FCS. 0.9.15 and later will attempt to determine +whether there's an FCS at the end of the frame and, if it thinks there +is, will display it as such, and will check whether it's the correct +CRC-32 value or not. + +=== I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags? + +You might be capturing on what might be called a "VLAN interface" - +the way a particular OS makes VLANs plug into the networking stack +might, for example, be to have a network device object for the physical +interface, which takes VLAN packets, strips off the VLAN header and +constructs an Ethernet header, and passes that packet to an internal +network device object for the VLAN, which then passes the packets onto +various higher-level protocol implementations. + +In order to see the raw Ethernet packets, rather than "de-VLANized" +packets, you would have to capture not on the virtual interface for the +VLAN, but on the interface corresponding to the physical network device, +if possible. See {wireshark-wiki-url}CaptureSetup/VLAN[the +Wireshark Wiki item on VLAN capturing] for details. + +=== Why does Wireshark hang after I stop a capture? + +The most likely reason for this is that Wireshark is trying to look +up an IP address in the capture to convert it to a name (so that, for +example, it can display the name in the source address or destination +address columns), and that lookup process is taking a very long time. + +Wireshark calls a routine in the OS of the machine on which it's +running to convert of IP addresses to the corresponding names. That +routine probably does one or more of: + +* a search of a system file listing IP addresses and names; +* a lookup using DNS; +* on UNIX systems, a lookup using NIS; +* on Windows systems, a NetBIOS-over-TCP query. + +If a DNS server that's used in an address lookup is not responding, the +lookup will fail, but will only fail after a timeout while the system +routine waits for a reply. + +In addition, on Windows systems, if the DNS lookup of the address +fails, either because the server isn't responding or because there are +no records in the DNS that could be used to map the address to a name, a +NetBIOS-over-TCP query will be made. That query involves sending a +message to the NetBIOS-over-TCP name service on that machine, asking for +the name and other information about the machine. If the machine isn't +running software that responds to those queries - for example, many +non-Windows machines wouldn't be running that software - the lookup will +only fail after a timeout. Those timeouts can cause the lookup to take a +long time. + +If you disable network address-to-name translation - for example, by +turning off the "Enable network name resolution" option in the "Capture +Options" dialog box for starting a network capture - the lookups of the +address won't be done, which may speed up the process of reading the +capture file after the capture is stopped. You can make that setting the +default by selecting "Preferences" from the "Edit" menu, turning off the +"Enable network name resolution" option in the "Name resolution" options +in the preferences dialog box, and using the "Save" button in that +dialog box; note that this will save _all_ your current preference +settings. + +If Wireshark hangs when reading a capture even with network name +resolution turned off, there might, for example, be a bug in one of +Wireshark's dissectors for a protocol causing it to loop infinitely. If +you're not running the most recent release of Wireshark, you should +first upgrade to that release, as, if there's a bug of that sort, it +might've been fixed in a release after the one you're running. If the +hang occurs in the most recent release of Wireshark, the bug should be +reported to mailto:wireshark-dev@wireshark.org[the Wireshark developers' +mailing list] at `wireshark-dev@wireshark.org`. + +On UNIX-flavored OSes, please try to force Wireshark to dump core, by +sending it a `SIGABRT` signal (usually signal 6) with the `kill` +command, and then get a stack trace if you have a debugger installed. A +stack trace can be obtained by using your debugger (`gdb` in this +example), the Wireshark binary, and the resulting core file. Here's an +example of how to use the gdb command `backtrace` to do so. + +---- +$ gdb wireshark core +(gdb) backtrace +..... prints the stack trace +(gdb) quit +$ +---- + +The core dump file may be named "wireshark.core" rather than "core" on +some platforms (e.g., BSD systems). + +Also, if at all possible, please send a copy of the capture file that +caused the problem. When capturing packets, Wireshark normally writes +captured packets to a temporary file, which will probably be in `/tmp` +or `/var/tmp` on UNIX-flavored OSes, `\TEMP` on the main system disk +(normally `\Documents and Settings\<your login name>\Local Settings\Temp` on the main system disk on Windows XP and +Server 2003, and `\Users\<your login name>\AppData\Local\Temp` on the main +system disk on Windows Vista and later, so the capture file will +probably be there. If you are capturing on a single interface, it will +have a name of the form, +`wireshark_<iface>_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <fmt> is the +capture file format (pcap or pcapng), and <iface> is the actual name of +the interface you are capturing on; otherwise, if you are capturing on +multiple interfaces, it will have a name of the form, +`wireshark_<N>_interfaces_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <N> is the +number of simultaneous interfaces you are capturing on. Please don't +send a trace file greater than 1 MB when compressed; instead, make it +available via FTP or HTTP, or say it's available but leave it up to a +developer to ask for it. If the trace file contains sensitive +information (e.g., passwords), then please do not send it. + +== Capturing packets on Windows + +[#capprobwin] +=== I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +Wireshark relies on the Npcap library, the Npcap device driver, +and the facilities that come with the OS on which it's running in +order to do captures. + +Therefore, if the OS, the Npcap library, or the Npcap driver don't +support capturing on a particular network interface device, Wireshark +won't be able to capture on that device. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces. Try listing the interfaces with WinDump; see +https://www.winpcap.org/windump/[the WinDump Web site] for information on using +WinDump. + +You would run WinDump with the `-D` flag; if it lists the interface, +please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the output of WinDump. + +If WinDump does _not_ list the interface, this is almost certainly a +problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the Npcap library and/or the Npcap device driver; + +so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there. +If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section. + +If you are having trouble capturing on a particular network interface, +first try capturing on that device with WinDump; see +https://www.winpcap.org/windump/[the WinDump Web site] for information on using +WinDump. + +If you can capture on the interface with WinDump, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with WinDump, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the Npcap library and/or the Npcap device driver; + +so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there. +If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section. + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the mailto:dev@nmap.org[dev@nmap.org] mailing +lists to see if anybody happens to know about the problem and know a +workaround or fix for the problem. (Note that you will have to subscribe +to that list in order to be allowed to mail to it; see +{npcap-main-url}[the Npcap support page] for information on the +mailing list.) In your mail, please give full details of the problem, as +described above, and also indicate that the problem occurs with WinDump, +not just with Wireshark. + +=== I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobwin[the same question as a previous one]; +see the response to that question. + +=== I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark? + +If you are running some form of VPN client software, it might be +causing this problem; people have seen this problem when they have Check +Point's VPN software installed on their machine. If that's the cause of +the problem, you will have to remove the VPN software in order to have +Wireshark (or any other application using Npcap) see outgoing packets; +unfortunately, neither we nor the Npcap developers know any way to make +Npcap and the VPN software work well together. + +Also, some drivers for Windows (especially some wireless network +interface drivers) apparently do not, when running in promiscuous mode, +arrange that outgoing packets are delivered to the software that +requested that the interface run promiscuously; try turning promiscuous +mode off. + +=== When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety? + +In at least some cases, this appears to be the result of PGPnet +running on the network interface on which you're capturing; turn it off +on that interface. + +=== I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets? + +You should first ensure that Npcap was installed with {npcap-main-url}/guide/npcap-devguide.html#npcap-feature-dot11[raw 802.11 support] and that monitor mode is enabled. + +At least some 802.11 card drivers on Windows appear not to see any +packets if they're running in promiscuous mode. Try turning promiscuous +mode off; you'll only be able to see packets sent by and received by +your machine, not third-party traffic, and it'll look like Ethernet +traffic and won't include any management or control frames, but that's a +limitation of the card drivers. + +// XXX Is this still relevant? +// See the archived +// https://web.archive.org/web/20090226193157/http://www.micro-logix.com/winpcap/Supported.asp[MicroLogix's +// list of cards supported with WinPcap] for information on support of +// various adapters and drivers with WinPcap. + +=== I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +This appears to be another problem with promiscuous mode; try turning +it off. + +=== I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +The way the Windows networking code works probably means that packets +are sent on a "VLAN interface" rather than the "raw" device, so packets +sent by the machine will only be seen when you capture on the "VLAN +interface". If so, you will be unable to see outgoing packets when +capturing on the "raw" device, so you are stuck with a choice between +seeing VLAN headers and seeing outgoing packets. + +== Capturing packets on UN*Xes + +[#capprobunix] +=== I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +You may need to run Wireshark from an account with sufficient +privileges to capture packets, such as the super-user account, or may +need to give your account sufficient privileges to capture packets. Only +those interfaces that Wireshark can open for capturing show up in that +list; if you don't have sufficient privileges to capture on any +interfaces, no interfaces will show up in the list. See +{wireshark-wiki-url}CaptureSetup/CapturePrivileges[the Wireshark +Wiki item on capture privileges] for details on how to give a particular +account or account group capture privileges on platforms where that can +be done. + +If you are running Wireshark from an account with sufficient +privileges, then note that Wireshark relies on the libpcap library, and +on the facilities that come with the OS on which it's running in order +to do captures. On some OSes, those facilities aren't present by +default; see {wireshark-wiki-url}CaptureSetup/CaptureSupport[the +Wireshark Wiki item on adding capture support] for details. + +And, even if you're running with an account that has sufficient +privileges to capture, and capture support is present in your OS, if the +OS or the libpcap library don't support capturing on a particular +network interface device or particular types of devices, Wireshark won't +be able to capture on that device. + +On Solaris, note that libpcap 0.6.2 and earlier didn't support Token +Ring interfaces; the current version, 0.7.2, does support Token Ring, +and the current version of Wireshark works with libpcap 0.7.2 and later. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces; please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using. + +If you are having trouble capturing on a particular network interface, +and you've made sure that (on platforms that require it) you've arranged +that packet capture support is present, as per the above, first try +capturing on that device with `tcpdump`. + +If you can capture on the interface with `tcpdump`, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with `tcpdump`, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap library; + +so you should report the problem to the company or organization that +produces the OS (in the case of a Linux distribution, report the problem +to whoever produces the distribution). + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the +mailto:tcpdump-workers@lists.tcpdump.org[tcpdump-workers@lists.tcpdump.org] +mailing lists to see if anybody happens to know about the problem and +know a workaround or fix for the problem. In your mail, please give full +details of the problem, as described above, and also indicate that the +problem occurs with `tcpdump` not just with Wireshark. + +=== I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobunix[the same question as the previous +one]; see the response to that question. + +=== I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution? + +Wireshark gets time stamps from libpcap/Npcap, and libpcap/Npcap get +them from the OS kernel, so Wireshark - and any other program using +libpcap, such as tcpdump - is at the mercy of the time stamping code in +the OS for time stamps. + +At least on x86-based machines, Linux can get high-resolution time +stamps on newer processors with the Time Stamp Counter (TSC) register; +for example, Intel x86 processors, starting with the Pentium Pro, and +including all x86 processors since then, have had a TSC, and other +vendors probably added the TSC at some point to their families of x86 +processors. The Linux kernel must be configured with the CONFIG_X86_TSC +option enabled in order to use the TSC. Make sure this option is enabled +in your kernel. + +In addition, some Linux distributions may have bugs in their versions +of the kernel that cause packets not to be given high-resolution time +stamps even if the TSC is enabled. See, for example, bug 61111 for Red +Hat Linux 7.2. If your distribution has a bug such as this, you may have +to run a standard kernel from kernel.org in order to get high-resolution +time stamps. + +== Capturing packets on wireless LANs + +=== How can I capture raw 802.11 frames, including non-data (management, beacon) frames? + +That depends on the operating system on which you're running, and on +the 802.11 interface on which you're capturing. + +This would probably require that you capture in promiscuous mode or in +the mode called "monitor mode" or "RFMON mode". On some platforms, or +with some cards, this might require that you capture in monitor mode - +promiscuous mode might not be sufficient. If you want to capture traffic +on networks other than the one with which you're associated, you will +have to capture in monitor mode. + +Not all operating systems support capturing non-data packets and, even +on operating systems that do support it, not all drivers, and thus not +all interfaces, support it. Even on those that do, monitor mode might +not be supported by the operating system or by the drivers for all +interfaces. + +*NOTE:* an interface running in monitor mode will, on most if not all +platforms, not be able to act as a regular network interface; putting it +into monitor mode will, in effect, take your machine off of whatever +network it's on as long as the interface is in monitor mode, allowing it +only to passively capture packets. + +This means that you should disable name resolution when capturing in +monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to +display IP addresses as host names, it will probably block for a long +time trying to resolve the name because it will not be able to +communicate with any DNS or NIS servers. + +See {wireshark-wiki-url}CaptureSetup/WLAN[the Wireshark Wiki +item on 802.11 capturing] for details. + +=== How do I capture on an 802.11 device in monitor mode? + +Whether you will be able to capture in monitor mode depends on the +operating system, adapter, and driver you're using. See +link:#raw_80211_sniff[the previous question] for information on monitor +mode, including a link to the Wireshark Wiki page that gives details on +802.11 capturing. + +== Viewing traffic + +=== Why am I seeing lots of packets with incorrect TCP checksums? + +If the packets that have incorrect TCP checksums are all being sent +by the machine on which Wireshark is running, this is probably because +the network interface on which you're capturing does TCP checksum +offloading. That means that the TCP checksum is added to the packet by +the network interface, not by the OS's TCP/IP stack; when capturing on +an interface, packets being sent by the host on which you're capturing +are directly handed to the capture interface by the OS, which means that +they are handed to the capture interface without a TCP checksum being +added to them. + +The only way to prevent this from happening would be to disable TCP +checksum offloading, but + +1. that might not even be possible on some OSes; +2. that could reduce networking performance significantly. + +However, you can disable the check that Wireshark does of the TCP +checksum, so that it won't report any packets as having TCP checksum +errors, and so that it won't refuse to do TCP reassembly due to a packet +having an incorrect TCP checksum. That can be set as an Wireshark +preference by selecting "Preferences" from the "Edit" menu, opening up +the "Protocols" list in the left-hand pane of the "Preferences" dialog +box, selecting "TCP", from that list, turning off the "Check the +validity of the TCP checksum when possible" option, clicking "Save" if +you want to save that setting in your preference file, and clicking +"OK". + +It can also be set on the Wireshark or TShark command line with a +`-o tcp.check_checksum:false` command-line flag, or manually set in your +preferences file by adding a `tcp.check_checksum:false` line. + +=== I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures? + +We have a collection of strange and exotic sample capture files at +{wireshark-wiki-url}SampleCaptures[{wireshark-wiki-url}SampleCaptures] + +=== Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP. + +Wireshark can identify a UDP datagram as containing a packet of a +particular protocol running atop UDP only if + +1. The protocol in question has a particular standard port number, and +the UDP source or destination port number is that port +2. Packets of that protocol can be identified by looking for a +"signature" of some type in the packet - i.e., some data that, if +Wireshark finds it in some particular part of a packet, means that the +packet is almost certainly a packet of that type. +3. Some _other_ traffic earlier in the capture indicated that, for +example, UDP traffic between two particular addresses and ports will be +RTP traffic. + +RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, +as far as I know, have any "signature", so 2) doesn't work. + +That leaves 3). If there's RTSP traffic that sets up an RTP session, +then, at least in some cases, the RTSP dissector will set things up so +that subsequent RTP traffic will be identified. Currently, that's the +only place we do that; there may be other places. + +However, there will always be places where Wireshark is simply +*incapable* of deducing that a given UDP flow is RTP; a mechanism would +be needed to allow the user to specify that a given conversation should +be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if +you select a UDP or TCP packet, the right mouse button menu will have a +"Decode As..." menu item, which will pop up a dialog box letting you +specify that the source port, the destination port, or both the source +and destination ports of the packet should be dissected as some +particular protocol. + +=== Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic? + +Wireshark only recognizes as Yahoo Messenger traffic packets to or +from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP +segments that start with the middle of a Yahoo Messenger packet that +takes more than one TCP segment will not be recognized as Yahoo +Messenger packets (even if the TCP segment also contains the beginning +of another Yahoo Messenger packet). + +== Filtering traffic + +=== I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error? + +You cannot use the name of a saved display filter as a filter. To +filter the display, you can enter a display filter expression - *not* +the name of a saved display filter - in the "Filter:" box at the bottom +of the display, and type the <Enter> key or press the "Apply" button +(that does not require you to have a saved filter), or, if you want to +use a saved filter, you can press the "Filter:" button, select the +filter in the dialog box that pops up, and press the "OK" button. + +=== How can I search for, or filter, packets that have a particular string anywhere in them? + +If you want to do this when capturing, you can't. That's a feature +that would be hard to implement in capture filters without changes to +the capture filter code, which, on many platforms, is in the OS kernel +and, on other platforms, is in the libpcap library. + +After capture, you can search for text by selecting _Edit→Find +Packet..._ and making sure _String_ is selected. Alternately, you can +use the "contains" display filter operator or "matches" operator if it's +supported on your system. + +=== How do I filter a capture to see traffic for virus XXX? + +For some viruses/worms there might be a capture filter to recognize +the virus traffic. Check the +{wireshark-wiki-url}CaptureFilters[CaptureFilters] page on the +{wireshark-wiki-url}[Wireshark Wiki] to see if anybody's added +such a filter. + +Note that Wireshark was not designed to be an intrusion detection +system; you might be able to use it as an IDS, but in most cases +software designed to be an IDS, such as https://www.snort.org/[Snort] or +https://www.prelude-siem.org/[Prelude], will probably work better. + +== Questions Which Are Still Notable Even Though They Aren’t Asked Much Any More + +=== What's up with the name change? Is Wireshark a fork? + +In May of 2006, Gerald Combs (the original author of Ethereal) went +to work for CACE Technologies (best known for WinPcap). Unfortunately, +he had to leave the Ethereal trademarks behind. + +This left the project in an awkward position. The only reasonable way +to ensure the continued success of the project was to change the name. +This is how Wireshark was born. + +Wireshark is almost (but not quite) a fork. Normally a "fork" of an +open source project results in two names, web sites, development teams, +support infrastructures, etc. This is the case with Wireshark except for +one notable exception -- every member of the core development team is +now working on Wireshark. There has been no active development on +Ethereal since the name change. Several parts of the Ethereal web site` +(such as the mailing lists, source code repository, and build farm) have +gone offline. + +More information on the name change can be found here: + +* https://www.prweb.com/releases/2006/6/prweb396098.htm[Original press +release] +* https://www.linux.com/news/ethereal-changes-name-wireshark[NewsForge article] +* Many other articles in https://www.wireshark.org/bibliography.html[our +bibliography] diff --git a/doc/logray-quick-start.adoc b/doc/logray-quick-start.adoc new file mode 100644 index 00000000..d9007c37 --- /dev/null +++ b/doc/logray-quick-start.adoc @@ -0,0 +1,70 @@ += Logray Quick Start + +Logray is a sibling application for Wireshark which focuses on system calls and log messages. +It helps people understand, troubleshoot, and secure their systems via system calls and log messages similar to the way Wireshark helps people understand, troubleshoot, and secure their networks via packets. + +This document provides brief instructions for obtaining, using, and building Logray until more complete documentation comparable to the Wireshark Developer’s and User’s Guides can be written. + +== Getting Logray + +You can get Windows and macOS development packages from https://www.wireshark.org/download/automated/. +Native system call captures aren't yet supported on those platforms, but they do come with the https://github.com/falcosecurity/plugins/blob/main/plugins/cloudtrail/README.md[CloudTrail plugin], which can pull AWS CloudTrail logs from an S3 bucket or SQS/SNS. + +If you wish to use Logray on Linux you will have to built it yourself. +Instructions for doing that can be found in the <<building_logray,Building Logray>> section below. + +== Using Logray + +Logray shares a great deal of code with Wireshark, including most of its UI elements. +If you are familiar with Wireshark, its interface and workflows should be familiar. + +One issue that you might run into initially is that system calls and logs deal with different information. +As a result, the event list column preferences need to be configured to match the kind of data that you are analyzing. +Logray's default configuration profile assumes that you are analyzing system calls. +It ships with a "Cloudtrail" configuration profile which is geared toward CloudTrail events. +You can find more information on working with configuration profiles in the https://www.wireshark.org/docs/wsug_html_chunked/ChCustConfigProfilesSection.html[Configuration Profiles] section in the Wireshark User's Guide. +If you switch back and forth between system call and CloudTrail captures on a regular basis, you might find the "Automatic Profile Switching" feature useful. + +You can obtain system call captures using the https://github.com/draios/sysdig[sysdig command line tool] or by using Logray on a Linux system. + +The https://gitlab.com/wireshark/wireshark/-/blob/master/doc/falcodump.adoc[falcodump manpage] provides information how to use Falco Plugin extcap interface. + +== Building Logray[[building_logray]] + +Logray requires the same build environment as Wireshark. +See the https://www.wireshark.org/docs/wsdg_html_chunked/[Wireshark Developer’s Guide] for instructions on setting that up. + +It additionally requires libsinsp and libscap from https://github.com/falcosecurity/libs/[falcosecurity/libs] and any desired plugins from https://github.com/falcosecurity/plugins/[falcosecurity/plugins]. + +In order to build Logray, do the following: + +1. https://falco.org/docs/getting-started/source/[Build falcosecurity/libs]. + +2. Build any desired https://github.com/falcosecurity/plugins/[Falco plugins] and copy them somewhere, such as `/usr/local/lib/falcosecurity/plugins`. + +3. Build the Wireshark sources with the following CMake options: ++ +-- +[horizontal] +BUILD_logray:: Must be enabled, e.g. set to ON +BUILD_falcodump:: Must be enabled, e.g. set to ON +CMAKE_PREFIX_PATH:: If you installed libsinsp and libscap to a non-standard directory, https://cmake.org/cmake/help/latest/variable/CMAKE_PREFIX_PATH.html[this should point there]. +FALCO_PLUGINS:: Semicolon-separated paths to individual Falco plugins, e.g. `/path/to/libcloudtrail.so`. +-- + +.Example 1: Building on Linux using Make +[sh] +---- +# This assumes that falcosecurity-libs and the CloudTral plugin were installed in +# `/opt/falco-libs/0.17.1`. +cmake \ + -DBUILD_logray=ON \ + -DBUILD_falcodump=ON \ + -DCMAKE_PREFIX_PATH=/opt/falco-libs/0.17.1 \ + -DFALCO_PLUGINS=/opt/falco-libs/0.17.1/lib/falcosecurity/plugins/libcloudtrail.so \ + .. +make -j $(getconf _NPROCESSORS_ONLN) +---- + + +If you want to add other Falco plugins later you can copy them to a `falco` subfolder in the Global Plugins folder. The path to the Global Plugins folder is shown in the About Logray Folders dialog. diff --git a/doc/androiddump.adoc b/doc/man_pages/androiddump.adoc index d68a3a3a..21f5f79b 100644 --- a/doc/androiddump.adoc +++ b/doc/man_pages/androiddump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = androiddump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/asn2deb.adoc b/doc/man_pages/asn2deb.adoc index db976522..e02844cc 100644 --- a/doc/asn2deb.adoc +++ b/doc/man_pages/asn2deb.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = asn2deb(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/capinfos.adoc b/doc/man_pages/capinfos.adoc index 4dec8136..c609ab72 100644 --- a/doc/capinfos.adoc +++ b/doc/man_pages/capinfos.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = capinfos(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -93,11 +93,10 @@ the same way *Capinfos* handles this. == OPTIONS -a:: -Displays the start time of the capture. *Capinfos* considers -the earliest timestamp seen to be the start time, so the -first packet in the capture is not necessarily the earliest - -if packets exist "out-of-order", time-wise, in the capture, -*Capinfos* detects this. +Displays the timestamp of the earliest packet in the capture. The +earliest packet in the capture is not necessarily the first packet in +the capture - if packets exist "out-of-order", time-wise, in the +capture, *Capinfos* detects this. -A:: Generate all infos. By default *Capinfos* will display @@ -162,11 +161,10 @@ Displays a count of the number of decryption secrets in the file. This informati is not available in table format. -e:: -Displays the end time of the capture. *Capinfos* considers -the latest timestamp seen to be the end time, so the -last packet in the capture is not necessarily the latest - -if packets exist "out-of-order", time-wise, in the capture, -*Capinfos* detects this. +Displays the timestamp of the latest packet in the capture. The latest +packet in the capture is not necessarily the last packet in the capture +- if packets exist "out-of-order", time-wise, in the capture, *Capinfos* +detects this. -E:: Displays the per-file encapsulation of the capture file. @@ -285,8 +283,8 @@ Displays the size of the file, in bytes. This reports the size of the capture file itself. -S:: -Display the start and end times as seconds since January -1, 1970. Handy for synchronizing dumps using *editcap -t*. +Display the earliest and latest packet timestamps as seconds since +January 1, 1970. Handy for synchronizing dumps using *editcap -t*. -t:: Displays the capture type of the capture file. diff --git a/doc/captype.adoc b/doc/man_pages/captype.adoc index 11eb6bf0..94c07274 100644 --- a/doc/captype.adoc +++ b/doc/man_pages/captype.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = captype(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/ciscodump.adoc b/doc/man_pages/ciscodump.adoc index b721b284..10ce4b69 100644 --- a/doc/ciscodump.adoc +++ b/doc/man_pages/ciscodump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = ciscodump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/diagnostic-options.adoc b/doc/man_pages/diagnostic-options.adoc index 1500168f..1500168f 100644 --- a/doc/diagnostic-options.adoc +++ b/doc/man_pages/diagnostic-options.adoc diff --git a/doc/dissection-options.adoc b/doc/man_pages/dissection-options.adoc index 5c55a763..f46a06af 100644 --- a/doc/dissection-options.adoc +++ b/doc/man_pages/dissection-options.adoc @@ -111,6 +111,9 @@ MaxMind databases *N* to enable using external resolvers (e.g., DNS) for network address resolution; no effect without *n* also enabled. +*s* to enable address resolution using SNI information found in captured +handshake packets + *t* to enable transport-layer port number resolution *v* to enable VLAN IDs to names resolution diff --git a/doc/dpauxmon.adoc b/doc/man_pages/dpauxmon.adoc index cf98cecb..9d2a9e5c 100644 --- a/doc/dpauxmon.adoc +++ b/doc/man_pages/dpauxmon.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = dpauxmon(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/dumpcap.adoc b/doc/man_pages/dumpcap.adoc index a9998d2a..9fdcf72c 100644 --- a/doc/dumpcap.adoc +++ b/doc/man_pages/dumpcap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = dumpcap(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -21,6 +21,7 @@ dumpcap - Dump network traffic [ *-d* ] [ *-D*|*--list-interfaces* ] [ *-f* <capture filter> ] +[ *-F* <file format> ] [ *-g* ] [ *-i*|*--interface* <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|- ] [ *-I*|*--monitor-mode* ] @@ -34,6 +35,7 @@ dumpcap - Dump network traffic [ *--ifname* <name> ] [ *-P* ] [ *-q* ] +[ *-Q* ] [ *-s*|*--snapshot-length* <capture snaplen> ] [ *-S* ] [ *-t* ] @@ -57,9 +59,8 @@ dumpcap - Dump network traffic *Dumpcap* is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file. *Dumpcap*'s -default capture file format is *pcapng* format. -When the *-P* option is specified, the output file is written in the -*pcap* format. +default capture file format is *pcapng* format. The *-F* option can +be specified to write the output file in the *pcap* format instead. Without any options set it will use the libpcap, Npcap, or WinPcap library to capture traffic from the first available network interface and writes @@ -92,7 +93,7 @@ were written. *filesize*:__value__ Stop writing to a capture file after it reaches a size of __value__ kB. If this option is used together with the -b option, dumpcap will stop writing to the current capture file and switch to the next one if filesize -is reached. Note that the filesize is limited to a maximum value of 2 GiB. +is reached. Note that the filesize is limited to a maximum value of 2 TB. *packets*:__value__ Stop writing to a capture file after __value__ packets have been written. Acts the same as *-c* <capture packet count>. @@ -134,7 +135,7 @@ parameter takes exactly one criterion; to specify two criterion, each must be preceded by the *-b* option. *filesize*:__value__ switch to the next file after it reaches a size of -__value__ kB. Note that the filesize is limited to a maximum value of 2 GiB. +__value__ kB. Note that the filesize is limited to a maximum value of 2 TB. *interval*:__value__ switch to the next file when the time is an exact multiple of __value__ seconds. For example, use 3600 to switch to a new file @@ -214,6 +215,17 @@ this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided. -- +-F <file format>:: +Set the file format of the output capture file written using the *-w* +option. In situations that require the *pcapng* format, such as capturing +from multiple interfaces, this option will be overridden. The option *-F* +without a value will list the available formats. The default is the +*pcapng* format. + +Fewer formats are supported than by xref:tshark.html[tshark](1); this is +intentional for security reasons. Use *tshark* or capture and then convert +the file with xref:editcap.html[editcap](1) if another format is needed. + -g:: This option causes the output file(s) to be created with group-read permission (meaning that the output file(s) can be read by other members of the calling @@ -320,7 +332,8 @@ The machine-readable output is intended to be read by *Wireshark* and -- -n:: -Save files as pcapng. This is the default. +Save files as pcapng. This is the default. This option is deprecated +and may be removed. -N <packet limit>:: + @@ -352,7 +365,8 @@ promiscuous mode. -P:: Save files as pcap instead of the default pcapng. In situations that require pcapng, such as capturing from multiple interfaces, this option will be -overridden. +overridden. This option is deprecated in favor of the *-F* option and +may be removed. -q:: + @@ -367,6 +381,23 @@ might be set to "disabled" by default on at least some BSDs, so you'd have to explicitly set it to use it). -- +-Q:: ++ +-- +When capturing packets, don't display, on the standard error, the initial +message indicating on what interfaces the capture is being done, the +messages indicating to what file a capture is being written, the continuous +count of packets captured that is normally shown when saving a capture to +a file, and the message at the end of the capture giving a count of packets +captured. This outputs less than the *-q* option; only true errors are +displayed on the standard error. + +On systems that support the SIGINFO signal, such as various BSDs, you can +cause the current count to be displayed by typing your "status" character +(typically control-T, although it might be set to "disabled" by default on +at least some BSDs, so you'd have to explicitly set it to use it). +-- + -s|--snapshot-length <capture snaplen>:: + -- diff --git a/doc/editcap.adoc b/doc/man_pages/editcap.adoc index 20fadc1a..5b4be3fc 100644 --- a/doc/editcap.adoc +++ b/doc/man_pages/editcap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = editcap(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -52,6 +52,13 @@ __outfile__ [manarg] *editcap* +*--extract-secrets* +[ *-V* ] +__infile__ +__outfile__ + +[manarg] +*editcap* *-h|--help* [manarg] @@ -97,6 +104,13 @@ the same way *Editcap* handles this. *Editcap* can write the file in several output formats. The *-F* flag can be used to specify the format in which to write the capture file; *editcap -F* provides a list of the available output formats. +*Editcap* can also compress the output file. The *--compress* option +can specify the compression type. If that option is not given, then the desired +compression method, if any, is deduced from the extension of __outfile__; +e.g., if the output filename has the .gz extension, then the gzip format is used. + +*Editcap* can also be used to extract embedded decryption secrets from file +formats like *pcapng* that contain them, in lieu of writing a capture file. == OPTIONS @@ -452,13 +466,27 @@ additional configuration in protocol preferences. The file format is described by <secrets type> which can be one of: -__tls__ TLS Key Log as described at https://developer.mozilla.org/NSS_Key_Log_Format + -__wg__ WireGuard Key Log, see https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format +__opcua__ OPC UA Key Log, see https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#name-decryption-secrets-block + +__ssh__ SSH Key Log, see {wireshark-wiki-url}SSH#key-log-format + +__tls__ TLS Key Log, see https://tlswg.org/sslkeylogfile/draft-ietf-tls-keylogfile.html + +__wg__ WireGuard Key Log, see {wireshark-wiki-url}WireGuard#key-log-format This option may be specified multiple times. The available options for <secrets type> can be listed with *--inject-secrets help*. -- +--extract-secrets:: ++ +-- +Extracts each Decryption Secrets Block (DSB) contained within __infile__. +If there is only one, it is written to __outfile__ instead of a capture file. +If there is more than one, they are each written to unique output files named +with an infix _nnnnn before the file extension of __outfile__ in a manner +similar to the *-c* flag (unless writing to standard output.) + +Incompatible with other options except for *-V*. + +-- --discard-all-secrets:: + -- @@ -502,6 +530,14 @@ file. Does not discard comments added by *-a* in the same command line. -- +--compress <type>:: ++ +-- +Compress the output file using the type compression format. +*--compress* with no argument provides a list of the compression formats supported +for writing. The type given takes precedence over the extension of __outfile__. +-- + include::diagnostic-options.adoc[] == EXAMPLES diff --git a/doc/etwdump.adoc b/doc/man_pages/etwdump.adoc index b1070d38..f9df8ac6 100644 --- a/doc/etwdump.adoc +++ b/doc/man_pages/etwdump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = etwdump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/extcap.adoc b/doc/man_pages/extcap.adoc index 511a59cc..ce8ae933 100644 --- a/doc/extcap.adoc +++ b/doc/man_pages/extcap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = extcap(4) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -29,8 +29,8 @@ The extcap subsystem is made of multiple extcap binaries that are automatically called by the GUI in a row. In the following chapters we will refer to them as "the extcaps". -Extcaps may be any binary or script within the extcap directory. Please note, that scripts -need to be executable without prefacing a script interpreter before the call. +Extcaps may be any binary or script within the _extcap/wireshark_ or _extcap/logray_ directories. +Please note that scripts need to be executable without prefacing a script interpreter before the call. WINDOWS USERS: Because of restrictions directly calling the script may not always work. In such a case, a batch file may be provided, which then in turn executes the script. Please diff --git a/doc/man_pages/falcodump.adoc b/doc/man_pages/falcodump.adoc new file mode 100644 index 00000000..9e5b94f0 --- /dev/null +++ b/doc/man_pages/falcodump.adoc @@ -0,0 +1,231 @@ +include::../attributes.adoc[] += falcodump(1) +:doctype: manpage +:stylesheet: ws.css +:linkcss: +:copycss: {css_dir}/{stylesheet} + +== NAME + +falcodump - Dump log data to a file using a Falco source plugin. + +== SYNOPSIS + +.Common options +[manarg] +*falcodump* +[ *--help* ] +[ *--version* ] +[ *--plugin-api-version* ] +[ *--extcap-interfaces* ] +[ *--extcap-dlts* ] +[ *--extcap-interface*=<interface> ] +[ *--extcap-config* ] +[ *--extcap-capture-filter*=<capture filter> ] +[ *--capture* ] +[ *--fifo*=<path to file or pipe> ] +[ *--plugin-source*=<source path or URL> ] +[ *--log-level*=<log level> ] +[ *--log-file*=<path to file> ] + +.System call options +[manarg] +[ *--include-capture-processes=<TRUE or FALSE> ] +[ *--include-switch-calls=<TRUE or FALSE> ] + + +.CloudTrail plugin options +[manarg] +[ *--cloudtrail-s3downloadconcurrency*=<number of concurrent downloads> ] +[ *--cloudtrail-s3interval*=<timeframe> ] +[ *--cloudtrail-s3accountlist*=<comma separated account IDs> ] +[ *--cloudtrail-sqsdelete*=<true or false> ] +[ *--cloudtrail-useasync*=<true or false> ] +[ *--cloudtrail-uses3sns*=<true or false> ] +[ *--cloudtrail-aws-region*=<AWS region> ] +[ *--cloudtrail-aws-profile*=<AWS profile> ] +[ *--cloudtrail-aws-config*=<path> ] +[ *--cloudtrail-aws-credentials*=<path to file> ] + + +== DESCRIPTION + +*falcodump* is an extcap tool that allows one to capture log messages from cloud providers. + +Each plugin is listed as a separate interface. +For example, the AWS CloudTrail plugin is listed as “cloudtrail”. + +== OPTIONS + +--help:: +Print program arguments. +This will also list the configuration arguments for each plugin. + +--version:: +Print the program version. + +--plugin-api-version:: +Print the Falco plugin API version. + +--extcap-interfaces:: +List the available interfaces. + +--extcap-interface=<interface>:: +Use the specified interface. + +--extcap-dlts:: +List the DLTs of the specified interface. + +--extcap-config:: +List the configuration options of specified interface. + +--extcap-capture-filter=<capture filter>:: +The capture filter. +Must be a valid Sysdig / Falco filter. + +--capture:: +Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo. + +--fifo=<path to file or pipe>:: +Save captured packet to file or send it through pipe. + +--plugin-source=<source path or URL>:: +Capture from the specified location. + +--log-level:: +Set the log level + +--log-file:: +Set a log file to log messages in addition to the console + +== SYSTEM CALL OPTIONS + +--include-capture-processes:: +Include system calls for capture processes (falcodump, dumpcap, and Logray) if TRUE. +Defaults to FALSE. + +--include-switch-calls:: +Include "switch" calls if TRUE. +Defaults to FALSE. + + +== PLUGINS + +=== cloudtrail (AWS CloudTrail) + +--cloudtrail-s3downloadconcurrency:: +Controls the number of background goroutines used to download S3 files (Default: 32) + +--cloudtrail-s3interval:: +Download log files over the specified interval (Default: no interval) + +--cloudtrail-s3accountlist:: +If source is an organization CloudTrail S3 bucket download log files for all specified account IDs (Default: no account IDs) + +--cloudtrail-sqsdelete:: +If true then the plugin will delete SQS messages from the queue immediately after receiving them (Default: true) + +--cloudtrail-useasync:: +If true then async extraction optimization is enabled (Default: true) + +--cloudtrail-uses3sns:: +If true then the plugin will expect SNS messages to originate from S3 instead of directly from Cloudtrail (Default: false) + +--cloudtrail-aws-profile:: +If non-empty overrides the AWS shared configuration profile (e.g. 'default') and environment variables such as AWS_PROFILE (Default: empty) + +--cloudtrail-aws-region:: +If non-empty overrides the AWS region specified in the profile (e.g. 'us-east-1') and environment variables such as AWS_REGION (Default: empty) + +--cloudtrail-aws-config:: +If non-empty overrides the AWS shared configuration filepath (e.g. ~/.aws/config) and env variables such as AWS_CONFIG_FILE (Default: empty) + +--cloudtrail-aws-credentials:: +If non-empty overrides the AWS shared credentials filepath (e.g. ~/.aws/credentials) and env variables such as AWS_SHARED_CREDENTIALS_FILE (Default: empty) + +CloudTrail sources can be S3 buckets or SQS queue URLs. S3 bucket URLs have the form + +'s3://__bucket_name__/__prefix__/AWSLogs/__account-id__/CloudTrail/__region__/__year__/__month__/__day__' + +For organization CloudTrail the S3 bucket URL can be + +'s3://__bucket_name__/__prefix__/AWSLogs/__org-id__/__account-id__/CloudTrail/__region__/__year__/__month__/__day__' + +The __region__, __year__, __month__, and __day__ components can be omitted in order to fetch more or less data. +For example, the source 's3://mybucket/AWSLogs/012345678/CloudTrail/us-west-2/2023' will fetch all CloudWatch logs for the year 2023. + +If the URL ends with '__account-id__/' or '__account-id__/CloudTrail/' (for example 's3://mybucket/AWSLOGS/012345678912/') the option '--cloudtrail-s3interval' can be used to define the time frame. A s3interval of '1d' for example would get all events of the last 24 hours from all available regions. A s3interval of '2w-1w' would get all events from all regions from two weeks ago up to one week ago. The s3invterval can also be defined as a RFC 3339-style timestamp like '2024-02-29T18:07:17Z' or '2024-02-29T00:00:00Z-2024-03-01T23:59:59Z'. + +If the URL ends with 'AWSLogs/__org-id__' option '--cloudtrail-s3accountlist' can be used to specify account IDs. This can be combined with '--cloudtrail-s3interval'. A source like 's3://my-org-bucket/AWSLogs/o-123abc/' with '--cloudstrail-s3accountlist' set to '123456789012,987654321098' and '--cloudtrail-s3interval' set to '30m' would get all events of the last 30min from all regions for accounts 123456789012 and 987654321098. + +If source URL is the organization CloudTrail bucket (like 's3://my-org-bucket/AWSLogs/o-123abc') and '--s3accountlist' is not set the plugin iterates over all accounts (limited by '--s3interval' if set). Attention: Depending on the size of the organization and the time interval, this can take a long time. + +The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/[environment variables and configuration files]. +Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well. + +More information is available in the https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md[README] of the CloudTrail plugin. + +== EXAMPLES + +To see program arguments: + + falcodump --help + +To see program version: + + falcodump --version + +To see interfaces: + + falcodump --extcap-interfaces + +Only one interface (falcodump) is supported. + +.Example output + interface {value=cloudtrail}{display=Falco plugin} + +To see interface DLTs: + + falcodump --extcap-interface=cloudtrail --extcap-dlts + +.Example output + dlt {number=147}{name=cloudtrail}{display=USER0} + +To see interface configuration options: + + falcodump --extcap-interface=cloudtrail --extcap-config + +.Example output + arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture} + arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture} + arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture} + arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture} + +To capture AWS CloudTrail events from an S3 bucket: + + falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture + +or: + + falcodump --capture --extcap-interface cloudtrail --fifo ~/cloudtrail.pcap --plugin-source s3://my-cloudtrail-bucket/AWSLogs/o-abc12345/123456789012/ --cloudtrail-s3downloadconcurrency 32 --cloudtrail-s3interval 5d-2d --cloudtrail-aws-region eu-west-1 + +NOTE: kbd:[CTRL+C] should be used to stop the capture in order to ensure clean termination. + +== SEE ALSO + +xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4) +//, xref:logray.html[logray](1) + +== NOTES + +*falcodump* is part of the *Logray* distribution. +The latest version of *Logray* can be found at https://www.wireshark.org. + +HTML versions of the Wireshark project man pages are available at +https://www.wireshark.org/docs/man-pages. + +== AUTHORS + +.Original Author +[%hardbreaks] +Gerald Combs <gerald[AT]wireshark.org> diff --git a/doc/man_pages/files.adoc b/doc/man_pages/files.adoc new file mode 100644 index 00000000..9653ff27 --- /dev/null +++ b/doc/man_pages/files.adoc @@ -0,0 +1,458 @@ +== FILES + +These files contain various *Wireshark* configuration settings. + +Preferences:: ++ +-- +The __preferences__ files contain global (system-wide) and personal +preference settings. If the system-wide preference file exists, it is +read first, overriding the default settings. If the personal preferences +file exists, it is read next, overriding any previous values. Note: If +the command line flag *-o* is used (possibly more than once), it will +in turn override values from the preferences files. + +The preferences settings are in the form __prefname:value__, +one per line, +where __prefname__ is the name of the preference +and __value__ is the value to +which it should be set; white space is allowed between *:* and +__value__. A preference setting can be continued on subsequent lines by +indenting the continuation lines with white space. A *#* character +starts a comment that runs to the end of the line: + + # Vertical scrollbars should be on right side? + # TRUE or FALSE (case-insensitive). + gui.scrollbar_on_right: TRUE + +The global preferences file is looked for in the __wireshark__ directory +under the __share__ subdirectory of the main installation directory. On +macOS, this would typically be +__/Application/Wireshark.app/Contents/Resources/share__; on other +UNIX-compatible systems, such as Linux, \*BSD, Solaris, and AIX, this +would typically be __/usr/share/wireshark/preferences__ for +system-installed packages and __/usr/local/share/wireshark/preferences__ +for locally-installed packages; on Windows, this would typically be +__C:\Program Files\Wireshark\preferences__. + +On UNIX-compatible systems, the personal preferences file is looked for +in __$XDG_CONFIG_HOME/wireshark/preferences__, (or, if +__$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ +does exist, __$HOME/.wireshark/preferences__); this is typically +__$HOME/.config/wireshark/preferences__. On Windows, +the personal preferences file is looked for in +__%APPDATA%\Wireshark\preferences__ (or, if %APPDATA% isn't defined, +__%USERPROFILE%\Application Data\Wireshark\preferences__). + +// tag::gui[] +Note: Whenever the preferences are saved by using the __Save__ button +in the __Edit:Preferences__ dialog box, your personal preferences file +will be overwritten with the new settings, destroying any comments and +unknown/obsolete settings that were in the file. +// end::gui[] +-- + +// tag::gui[] +Recent:: ++ +-- +The __recent__ file contains personal settings (mostly GUI related) such +as the current *Wireshark* window size. The file is saved at program exit and +read in at program start automatically. Note: The command line flag *-o* +may be used to override settings from this file. + +The settings in this file have the same format as in the __preferences__ +files, and the same directory as for the personal preferences file is +used. + +Note: Whenever Wireshark is closed, your recent file +will be overwritten with the new settings, destroying any comments and +unknown/obsolete settings that were in the file. +-- +// end::gui[] + +Disabled (Enabled) Protocols:: ++ +-- +The __disabled_protos__ files contain system-wide and personal lists of +protocols that have been disabled, so that their dissectors are never +called. The files contain protocol names, one per line, where the +protocol name is the same name that would be used in a display filter +for the protocol: + + http + tcp # a comment + +If a protocol is listed in the global __disabled_protos__ file it cannot +be enabled by the user. +// tag::gui[] +Thus it is not displayed in the __Analyze::Enabled Protocols__ dialog box. +// end::gui[] + +The global __disabled_protos__ file uses the same directory as the global +preferences file. + +The personal __disabled_protos__ file uses the same directory as the +personal preferences file. + +The __disabled_protos__ files list only protocols that are enabled by default +but have been disabled; protocols that are disabled by default (such as some +postdissectors) are not listed. There are analogous __enabled_protos__ files +for protocols that are disabled by default but have been enabled. + +// tag::gui[] +Note: Whenever the disabled protocols list is saved by using the __Save__ +button in the __Analyze:Enabled Protocols__ dialog box, your personal +disabled protocols file will be overwritten with the new settings, +destroying any comments that were in the file. +// end::gui[] +-- + +Heuristic Dissectors:: ++ +-- +The __heuristic_protos__ files contain system-wide and personal lists of +heuristic dissectors and indicate whether they are enabled or disabled. +The files contain heuristic dissector unique short names, one per line, +followed by a comma and 0 for disabled and 1 for enabled: + + quic,1 + rtcp_stun,1 + rtcp_udp,1 + rtp_stun,0 + rtp_udp,0 + tls_tcp,1 + +The global __heuristic_protos__ file uses the same directory as the global +preferences file. + +The personal __heuristic_protos__ file uses the same directory as the +personal preferences file. + +// The global heuristic_protos doesn't have the "set_cant_toggle" +// features that the enabled_protos and disabled_protos files do. +-- + +Name Resolution (hosts):: ++ +-- +Entries in __hosts__ files in the global and personal preferences +directory are used to resolve IPv4 and IPv6 addresses before any +other attempts are made to resolve them. +The file has the standard __hosts__ file syntax; each line contains one +IP address and name, separated by whitespace. The personal __hosts__ +file, if present, overrides the one in the global directory. + +Capture filter name resolution is handled by libpcap on UNIX-compatible +systems, such as Linux, macOS, \*BSD, Solaris, and AIX, and Npcap or +WinPcap on Windows. As such the Wireshark personal __hosts__ file will +not be consulted for capture filter name resolution. +-- + + +Name Resolution (subnets):: ++ +-- +If an IPv4 address cannot be translated via name resolution (no exact +match is found) then a partial match is attempted via the __subnets__ file. +Both the global __subnets__ file and personal __subnets__ files are used +if they exist. + +Each line of this file consists of an IPv4 address, a subnet mask length +separated only by a / and a name separated by whitespace. While the address +must be a full IPv4 address, any values beyond the mask length are subsequently +ignored. + +An example is: + +# Comments must be prepended by the # sign! +192.168.0.0/24 ws_test_network + +A partially matched name will be printed as "subnet-name.remaining-address". +For example, "192.168.0.1" under the subnet above would be printed as +"ws_test_network.1"; if the mask length above had been 16 rather than 24, the +printed address would be "ws_test_network.0.1". +-- + +Name Resolution (ethers):: ++ +-- +The __ethers__ files are consulted to correlate 6-byte hardware addresses to +names. First the personal __ethers__ file is tried and if an address is not +found there the global __ethers__ file is tried next. + +Each line contains one hardware address and name, separated by +whitespace. The digits of the hardware address are separated by colons +(:), dashes (-) or periods (.). The same separator character must be +used consistently in an address. The following three lines are valid +lines of an __ethers__ file: + + ff:ff:ff:ff:ff:ff Broadcast + c0-00-ff-ff-ff-ff TR_broadcast + 00.00.00.00.00.00 Zero_broadcast + +The global __ethers__ file is looked for in the __/etc__ directory on +UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, +and in the main installation directory (for example, __C:\Program +Files\Wireshark__) on Windows systems. + +The personal __ethers__ file is looked for in the same directory as the personal +preferences file. + +Capture filter name resolution is handled by libpcap on UNIX-compatible +systems and Npcap or WinPcap on Windows. As such the Wireshark personal +__ethers__ file will not be consulted for capture filter name +resolution. +-- + +Name Resolution (manuf):: ++ +-- +The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the +file is similar the __ethers__ files, except that entries such as: + + 00:00:0C Cisco Cisco Systems, Inc + +can be provided, with the 3-byte OUI and both an abbreviated and long name for +a vendor, and entries such as: + + 00-00-0C-07-AC/40 All-HSRP-routers + +can be specified, with a MAC address and a mask indicating how many bits +of the address must match. The above entry, for example, has 40 +significant bits, or 5 bytes, and would match addresses from +00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a +multiple of 8. + +A global __manuf__ file is looked for in the same directory as the global +preferences file, and a personal __manuf__ file is looked for in the same +directory as the personal preferences file. + +In earlier versions of Wireshark, official information from the IEEE +Registration Authority was distributed in this format as the global +__manuf__ file. This information is now compiled in to speed program +startup, but the internal information can be written out in this format +with *tshark -G manuf*. + +In addition to the __manuf__ file, another file with the same format, +__wka__, is looked for in the global directory. This file is distributed +with Wireshark, and contains data about well-known MAC adddresses and +address ranges assembled from various non IEEE but respected sources. +-- + +Name Resolution (services):: ++ +-- +The __services__ file is used to translate port numbers into names. +Both the global __services__ file and personal __services__ files are used +if they exist. + +The file has the standard __services__ file syntax; each line contains one +(service) name and one transport identifier separated by white space. The +transport identifier includes one port number and one transport protocol name +(typically tcp, udp, or sctp) separated by a /. + +An example is: + +mydns 5045/udp # My own Domain Name Server +mydns 5045/tcp # My own Domain Name Server + +In earlier versions of Wireshark, official information from the IANA +Registry was distributed in this format as the global __services__ file. +This information is now compiled in to speed program startup, but the +internal information can be written out in this format with *tshark -G services*. +-- + +Name Resolution (ipxnets):: ++ +-- +The __ipxnets__ files are used to correlate 4-byte IPX network numbers to +names. First the global __ipxnets__ file is tried and if that address is not +found there the personal one is tried next. + +The format is the same as the __ethers__ +file, except that each address is four bytes instead of six. +Additionally, the address can be represented as a single hexadecimal +number, as is more common in the IPX world, rather than four hex octets. +For example, these four lines are valid lines of an __ipxnets__ file: + + C0.A8.2C.00 HR + c0-a8-1c-00 CEO + 00:00:BE:EF IT_Server1 + 110f FileServer3 + +The global __ipxnets__ file is looked for in the __/etc__ directory on +UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, +and in the main installation directory (for example, __C:\Program +Files\Wireshark__) on Windows systems. + +The personal __ipxnets__ file is looked for in the same directory as the +personal preferences file. +-- + +Name Resolution (ss7pcs):: ++ +-- +The __ss7pcs__ file is used to translate SS7 point codes to names. +It is read from the personal configuration directory. + +Each line in this file consists of one network indicator followed by a dash +followed by a point code in decimal and a node name separated by whitespace. +An example is: + + 2-1234 MyPointCode1 + +-- + +Name Resolution (vlans):: ++ +-- +The __vlans__ file is used to translate VLAN tag IDs into names. +It is read from the personal configuration directory. + +Each line in this file consists of one VLAN tag ID separated by whitespace +from a name. An example is: + + 123 Server-Lan + 2049 HR-Client-LAN + +-- + +// tag::gui[] +Capture Filters:: ++ +-- +The __cfilters__ files contain system-wide and personal capture filters. +Each line contains one filter, starting with the string displayed in the +dialog box in quotation marks, followed by the filter string itself: + + "HTTP" port 80 + "DCERPC" port 135 + +The global __cfilters__ file uses the same directory as the +global preferences file. + +The personal __cfilters__ file uses the same directory as the personal +preferences file. It is written through the Capture:Capture Filters +dialog. + +If the global __cfilters__ file exists, it is used only if the personal +__cfilters__ file does not exist; global and personal capture filters are +not merged. +-- + +Display Filters:: ++ +-- +The __dfilters__ files contain system-wide and personal display filters. +Each line contains one filter, starting with the string displayed in the +dialog box in quotation marks, followed by the filter string itself: + + "HTTP" http + "DCERPC" dcerpc + +The global __dfilters__ file uses the same directory as the +global preferences file. + +The personal __dfilters__ file uses the same directory as the +personal preferences file. It is written through the Analyze:Display +Filters dialog. + +If the global __dfilters__ file exists, it is used only if the personal +__dfilters__ file does not exist; global and personal display filters are +not merged. +-- + +Display Filter Macros:: ++ +-- +The __dmacros__ files contain system-wide and personal display filter macros. +Each line contains one filter, starting with the string displayed in the +dialog box in quotation marks, followed by the macro expression itself: + + "private_ipv6" ipv6 && $1 == fc00::/7 + "private_ethernet" $1[0] & 0x0F == 2 + "private_ipv4" $1 == 192.168.0.0/16 or $1 == 172.16.0.0/12 or $1 == 10.0.0.0/8 + +The global __dmacros__ file uses the same directory as the +global preferences file. + +The personal __dmacros__ file uses the same directory as the +personal preferences file. It is written through the Analyze:Display +Filter Macros dialog. + +If the global __dmacros__ file exists, it is used only if the personal +__dmacros__ file does not exist; global and personal display filters are +not merged. + +Prior to Wireshark 4.4, a __dfilter_macros__ file with a somewhat different +syntax was used. That file is looked for at startup if a __dmacros__ file is +not found and used to migrate to the new format. +-- +// end::gui[] + +Color Filters (Coloring Rules):: ++ +-- +The __colorfilters__ files contain system-wide and personal color filters. +Each line contains one filter, starting with the string displayed in the +dialog box, followed by the corresponding display filter. Then the +background and foreground colors are appended: + + # a comment + @tcp@tcp@[59345,58980,65534][0,0,0] + @udp@udp@[28834,57427,65533][0,0,0] + +The global __colorfilters__ file uses the same directory as the +global preferences file. + +The personal __colorfilters__ file uses the same directory as the +personal preferences file. It is written through the View:Coloring Rules +dialog. + +If the global __colorfilters__ file exists, it is used only if the personal +__colorfilters__ file does not exist; global and personal color filters are +not merged. +-- + +Plugins:: ++ +-- +Wireshark looks for plugins in both a personal plugin folder and a +global plugin folder. + +On UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and +AIX, the global plugin directory is __lib/wireshark/plugins/__ (on +some systems substitute __lib64__ for __lib__) under the main installation +directory (for example, __/usr/local/lib/wireshark/plugins/__). The personal +plugin directory is __$HOME/.local/lib/wireshark/plugins__. + +On macOS, if Wireshark is installed as an application bundle, the global plugin +folder is instead __%APPDIR%/Contents/PlugIns/wireshark__. + +On Windows, the global plugin folder is __plugins/__ under the main +installation directory (for example, __C:\Program Files\Wireshark\plugins\__). +The personal plugin folder is __%APPDATA%\Wireshark\plugins__ (or, if +%APPDATA% isn't defined, __%USERPROFILE%\Application Data\Wireshark\plugins__). + +Lua plugins are stored in the plugin folders; +compiled plugins are stored in subfolders of the plugin folders, with +the subfolder name being the Wireshark minor version number (X.Y). There is +another hierarchical level for each Wireshark plugin type (libwireshark, +libwiretap and codecs). For example, the location for a libwireshark plugin +_foo.so_ (_foo.dll_ on Windows) would be _PLUGINDIR/X.Y/epan_ +(libwireshark used to be called libepan; the other folder names are _codecs_ +and _wiretap_). + +NOTE: On UNIX-compatible systems, Lua plugins (but not binary plugins) may also +be placed in __$XDG_CONFIG_HOME/wireshark/plugins__, +(or, if __$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ +does exist, __$HOME/.wireshark/plugins__.) + +Note that a dissector plugin module may support more than one protocol; +there is not necessarily a one-to-one correspondence between dissector plugin +modules and protocols. Protocols supported by a dissector plugin module are +enabled and disabled in the same way as protocols built into Wireshark. +-- diff --git a/doc/idl2deb.adoc b/doc/man_pages/idl2deb.adoc index 146672fd..f622fdf9 100644 --- a/doc/idl2deb.adoc +++ b/doc/man_pages/idl2deb.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = idl2deb(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/idl2wrs.adoc b/doc/man_pages/idl2wrs.adoc index c046c536..605f441a 100644 --- a/doc/idl2wrs.adoc +++ b/doc/man_pages/idl2wrs.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = idl2wrs(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/mergecap.adoc b/doc/man_pages/mergecap.adoc index a5c9a6c3..43412375 100644 --- a/doc/mergecap.adoc +++ b/doc/man_pages/mergecap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = mergecap(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -145,8 +145,19 @@ Causes *mergecap* to print a number of messages while it's working. -w <outfile>|-:: Sets the output filename. If the name is '*-*', stdout will be used. +If the *--compress* option is not given, then the filename extension is +used to deduce the desired compression method, if any; e.g., if the name has +the extension '.gz', then the output file is compressed to a gzip archive. This setting is mandatory. +--compress <type>:: ++ +-- +Compress the output file using the type compression format. +*--compress* with no argument provides a list of the compression formats supported +for writing. The type given takes precedence over the extension of __outfile__. +-- + include::diagnostic-options.adoc[] == EXAMPLES diff --git a/doc/mmdbresolve.adoc b/doc/man_pages/mmdbresolve.adoc index 4b880401..af66d6b4 100644 --- a/doc/mmdbresolve.adoc +++ b/doc/man_pages/mmdbresolve.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = mmdbresolve(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/randpkt.adoc b/doc/man_pages/randpkt.adoc index 97104b70..a9b799a5 100644 --- a/doc/randpkt.adoc +++ b/doc/man_pages/randpkt.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = randpkt(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/randpktdump.adoc b/doc/man_pages/randpktdump.adoc index 3e13a77f..8862b108 100644 --- a/doc/randpktdump.adoc +++ b/doc/man_pages/randpktdump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = randpktdump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/rawshark.adoc b/doc/man_pages/rawshark.adoc index a52e594a..5b52f034 100644 --- a/doc/rawshark.adoc +++ b/doc/man_pages/rawshark.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = rawshark(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -196,11 +196,12 @@ should not close rawshark's standard input handle prematurely, otherwise the C runtime might trigger an exception. -- --R <read (display) filter>:: +-R|--read-filter <read (display) filter>:: + -- Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing the output. +Read filters and display filters are synonymous in *rawshark*. -- -s:: @@ -226,216 +227,24 @@ could use *%D: %S (%N)*. -v|--version:: Print the full version information and exit. -include::dissection-options.adoc[tags=**;!tshark;!decode_as] - -include::diagnostic-options.adoc[] - -== READ FILTER SYNTAX - -For a complete table of protocol and protocol fields that are filterable -in *TShark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. - -== FILES - -These files contains various *Wireshark* configuration values. - -Preferences:: -+ --- -The __preferences__ files contain global (system-wide) and personal -preference settings. If the system-wide preference file exists, it is -read first, overriding the default settings. If the personal preferences -file exists, it is read next, overriding any previous values. Note: If -the command line option *-o* is used (possibly more than once), it will -in turn override values from the preferences files. - -The preferences settings are in the form __prefname:value__, -one per line, -where __prefname__ is the name of the preference -and __value__ is the value to -which it should be set; white space is allowed between *:* and -__value__. A preference setting can be continued on subsequent lines by -indenting the continuation lines with white space. A *#* character -starts a comment that runs to the end of the line: - - # Capture in promiscuous mode? - # TRUE or FALSE (case-insensitive). - capture.prom_mode: TRUE - -The global preferences file is looked for in the __wireshark__ directory -under the __share__ subdirectory of the main installation directory. On -macOS, this would typically be -__/Application/Wireshark.app/Contents/Resources/share__; on other -UNIX-compatible systems, such as Linux, \*BSD, Solaris, and AIX, this -would typically be __/usr/share/wireshark/preferences__ for -system-installed packages and __/usr/local/share/wireshark/preferences__ -for locally-installed packages; on Windows, this would typically be -__C:\Program Files\Wireshark\preferences__. - -On UNIX-compatible systems, the personal preferences file is looked for -in __$XDG_CONFIG_HOME/wireshark/preferences__, (or, if -__$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ -does exist, __$HOME/.wireshark/preferences__); this is typically -__$HOME/.config/wireshark/preferences__. On Windows, -the personal preferences file is looked for in -__%APPDATA%\Wireshark\preferences__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark\preferences__). --- - -Disabled (Enabled) Protocols:: -+ --- -The __disabled_protos__ files contain system-wide and personal lists of -protocols that have been disabled, so that their dissectors are never -called. The files contain protocol names, one per line, where the -protocol name is the same name that would be used in a display filter -for the protocol: - - http - tcp # a comment - -The global __disabled_protos__ file uses the same directory as the global -preferences file. - -The personal __disabled_protos__ file uses the same directory as the -personal preferences file. --- - -Name Resolution (hosts):: -+ --- -If the personal __hosts__ file exists, it is -used to resolve IPv4 and IPv6 addresses before any other -attempts are made to resolve them. The file has the standard __hosts__ -file syntax; each line contains one IP address and name, separated by -whitespace. The same directory as for the personal preferences file is -used. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX, and by Npcap or -WinPcap on Windows. As such the Wireshark personal __hosts__ file will -not be consulted for capture filter name resolution. --- - -Name Resolution (subnets):: -+ --- -If an IPv4 address cannot be translated via name resolution (no exact -match is found) then a partial match is attempted via the __subnets__ file. - -Each line of this file consists of an IPv4 address, a subnet mask length -separated only by a / and a name separated by whitespace. While the address -must be a full IPv4 address, any values beyond the mask length are subsequently -ignored. - -An example is: - -# Comments must be prepended by the # sign! -192.168.0.0/24 ws_test_network - -A partially matched name will be printed as "subnet-name.remaining-address". -For example, "192.168.0.1" under the subnet above would be printed as -"ws_test_network.1"; if the mask length above had been 16 rather than 24, the -printed address would be ``ws_test_network.0.1". --- - -Name Resolution (ethers):: -+ --- -The __ethers__ files are consulted to correlate 6-byte hardware addresses to -names. First the personal __ethers__ file is tried and if an address is not -found there the global __ethers__ file is tried next. - -Each line contains one hardware address and name, separated by -whitespace. The digits of the hardware address are separated by colons -(:), dashes (-) or periods (.). The same separator character must be -used consistently in an address. The following three lines are valid -lines of an __ethers__ file: - - ff:ff:ff:ff:ff:ff Broadcast - c0-00-ff-ff-ff-ff TR_broadcast - 00.00.00.00.00.00 Zero_broadcast - -The global __ethers__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ethers__ file is looked for in the same directory as the personal -preferences file. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and Npcap or WinPcap on Windows. As such the Wireshark personal -__ethers__ file will not be consulted for capture filter name resolution. --- - -Name Resolution (manuf):: +-Y|--display-filter <read (display) filter>:: + -- -The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte -hardware address with the manufacturer's name; it can also contain well-known -MAC addresses and address ranges specified with a netmask. The format of the -file is the same as the __ethers__ files, except that entries of the form: - - 00:00:0C Cisco - -can be provided, with the 3-byte OUI and the name for a vendor, and -entries such as: - - 00-00-0C-07-AC/40 All-HSRP-routers - -can be specified, with a MAC address and a mask indicating how many bits -of the address must match. The above entry, for example, has 40 -significant bits, or 5 bytes, and would match addresses from -00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a -multiple of 8. - -The __manuf__ file is looked for in the same directory as the global -preferences file. --- - -Name Resolution (services):: -+ --- -The __services__ file is used to translate port numbers into names. - -The file has the standard __services__ file syntax; each line contains one -(service) name and one transport identifier separated by white space. The -transport identifier includes one port number and one transport protocol name -(typically tcp, udp, or sctp) separated by a /. - -An example is: - - mydns 5045/udp # My own Domain Name Server - mydns 5045/tcp # My own Domain Name Server +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing the output. +Read filters and display filters are synonymous in *rawshark*. -- -Name Resolution (ipxnets):: -+ --- -The __ipxnets__ files are used to correlate 4-byte IPX network numbers to -names. First the global __ipxnets__ file is tried and if that address is not -found there the personal one is tried next. +include::dissection-options.adoc[tags=**;!tshark;!decode_as] -The format is the same as the __ethers__ -file, except that each address is four bytes instead of six. -Additionally, the address can be represented as a single hexadecimal -number, as is more common in the IPX world, rather than four hex octets. -For example, these four lines are valid lines of an __ipxnets__ file: +include::diagnostic-options.adoc[] - C0.A8.2C.00 HR - c0-a8-1c-00 CEO - 00:00:BE:EF IT_Server1 - 110f FileServer3 +== READ FILTER SYNTAX -The global __ipxnets__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. +For a complete table of protocol and protocol fields that are filterable +in *Rawshark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. -The personal __ipxnets__ file is looked for in the same directory as the -personal preferences file. --- +include::files.adoc[tags=**;!gui] == ENVIRONMENT VARIABLES diff --git a/doc/reordercap.adoc b/doc/man_pages/reordercap.adoc index fd57b0a7..0d03b166 100644 --- a/doc/reordercap.adoc +++ b/doc/man_pages/reordercap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = reordercap(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/sdjournal.adoc b/doc/man_pages/sdjournal.adoc index bf9a3689..d8736704 100644 --- a/doc/sdjournal.adoc +++ b/doc/man_pages/sdjournal.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = sdjournal(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/sshdump.adoc b/doc/man_pages/sshdump.adoc index 8acacd1f..562336c4 100644 --- a/doc/sshdump.adoc +++ b/doc/man_pages/sshdump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = sshdump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/text2pcap.adoc b/doc/man_pages/text2pcap.adoc index ab894747..9c2a8195 100644 --- a/doc/text2pcap.adoc +++ b/doc/man_pages/text2pcap.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = text2pcap(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -16,7 +16,7 @@ text2pcap - Generate a capture file from an ASCII hexdump of packets [ *-a* ] [ *-b* 2|8|16|64 ] [ *-D* ] -[ *-e* <l3pid> ] +[ *-e* <ethertype> ] [ *-E* <encapsulation type> ] [ *-F* <file format> ] [ *-i* <proto> ] @@ -57,7 +57,11 @@ hexdumps of application-level data only. The *-F* flag can be used to specify the format in which to write the capture file, *text2pcap -F* provides a list of the available output formats. By default, it writes the packets to __outfile__ in the *pcapng* -file format. +file format. *Text2cap* also supports compression formats, which can +be specified with the *--compress* options. If that option is not given, +the the desired compression method, if any, is deduced from the extension +of __outfile__; e.g. if it has the extension '.gz', then the output file +is compressed to a gzip archive. *Text2pcap* understands a hexdump of the form generated by __od -Ax -tx1 -v__. In other words, each byte is individually displayed, with @@ -203,10 +207,10 @@ supports it (e.g. pcapng), and is also used when generating dummy headers to swap the source and destination addresses and ports as appropriate. -- --e <l3pid>:: +-e <ethertype>:: + -- -Include a dummy Ethernet header before each packet. Specify the L3PID +Include a dummy Ethernet header before each packet. Specify the EtherType for the Ethernet header in hex. Use this option if your dump has Layer 3 header and payload (e.g. IP header), but no Layer 2 encapsulation. Example: __-e 0x806__ to specify an ARP packet. @@ -297,11 +301,11 @@ direction indicators or timestamps after the first byte along with any offsets. + -- Include an EXPORTED_PDU header before each packet. Specify, as a -string, the dissector to be called for the packet (DISSECTOR_NAME tag). +string, the dissector to be called for the packet (DISSECTOR_NAME tag). Use this option if your dump is the payload for a single upper layer protocol (so specifying a link layer type would not work) and you wish -to create a capture file without a full dummy protocol stack. -Automatically sets the link layer type to Wireshark Upper PDU export. +to create a capture file without a full dummy protocol stack. +Automatically sets the link layer type to Wireshark Upper PDU export. Without this option, if the Upper PDU export link layer type (252) is selected the dissector defaults to "data". -- @@ -385,7 +389,7 @@ Print the full version information and exit. -4 <srcip>,<destip>:: + -- -Prepend dummy IP header with specified IPv4 dest and source address. +Prepend dummy IP header with specified IPv4 source and destination addresses. This option should be accompanied by one of the following options: -i, -s, -S, -T, -u Use this option to apply "custom" IP addresses. Example: __-4 10.0.0.1,10.0.0.2__ to use 10.0.0.1 and 10.0.0.2 for all IP packets. @@ -394,13 +398,21 @@ Example: __-4 10.0.0.1,10.0.0.2__ to use 10.0.0.1 and 10.0.0.2 for all IP packet -6 <srcip>,<destip>:: + -- -Prepend dummy IP header with specified IPv6 dest and source address. +Prepend dummy IP header with specified IPv6 source and destination addresses. This option should be accompanied by one of the following options: -i, -s, -S, -T, -u Use this option to apply "custom" IP addresses. Example: __-6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334__ to use 2001:db8::b3ff:fe1e:8329 and 2001:0db8:85a3::8a2e:0370:7334 for all IP packets. -- +--compress <type>:: ++ +-- +Compress the output file using the type compression format. +*--compress* with no argument provides a list of the compression formats supported +for writing. The type given takes precedence over the extension of __outfile__. +-- + include::diagnostic-options.adoc[] == SEE ALSO diff --git a/doc/tshark.adoc b/doc/man_pages/tshark.adoc index 543579d5..2893a7d3 100644 --- a/doc/tshark.adoc +++ b/doc/man_pages/tshark.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = tshark(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -23,7 +23,9 @@ tshark - Dump and analyze network traffic [manarg] *tshark* -*-G* [ <report type> ] [ --elastic-mapping-filter <protocols> ] +*-G* [ <report type> ] +[ --elastic-mapping-filter <protocols> ] +[ *-C* <profile> ] [manarg] *tshark* @@ -53,7 +55,7 @@ from the file and displaying a summary line on the standard output for each packet read. *TShark* is able to detect, read and write the same capture files that are supported by *Wireshark*. The input file doesn't need a specific filename extension; the file format and an -optional gzip, zstd or lz4 compression will be automatically detected. Near the +optional gzip, Zstandard, or LZ4 compression will be automatically detected. Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed description of the way *Wireshark* handles this, which is the same way @@ -62,7 +64,8 @@ description of the way *Wireshark* handles this, which is the same way Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present when compiling *TShark*, it will be possible to compile it, but the resulting program will be unable to read -compressed files. +compressed files. Similarly, LZ4 and ZStandard also require their respective +libraries. When displaying packets on the standard output, *TShark* writes, by default, a summary line containing the fields specified by the @@ -134,9 +137,16 @@ will be displayed along with the detail lines. When writing packets to a file, *TShark*, by default, writes the file in *pcapng* format, and writes all of the packets it sees to the output file. The *-F* option can be used to specify the format in which to -write the file. This list of available file formats is displayed by the -*-F* option without a value. However, you can't specify a file format -for a live capture. +write the file. The list of available file formats is displayed by the +*-F* option without a value. However, for a live capture, you can only +specify a file format supported by xref:dumpcap.html[dumpcap](1), viz. +*pcapng* or *pcap*. The *--compress* option can be used to specify +a compression method as well; the list of supported compression methods +for writing can be displayed by the *--compress* method without an +argument. If the *--compress* option is not given, then the desired +compression method, if any, is deduced from the extension of the filename +given as argument to the *-w* option. Compression is not supported for +live capture. When capturing packets, *TShark* writes to the standard error an initial line listing the interfaces from which packets are being @@ -167,7 +177,9 @@ to dump one of several types of internal glossaries and then exit. Perform a two-pass analysis. This causes *TShark* to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields. Also permits reassembly -frame dependencies to be calculated correctly. +frame dependencies to be calculated correctly. This requires the ability +to seek backwards on the input, and as such cannot be used with live captures +or when reading from a pipe or FIFO. -- -a|--autostop <capture autostop condition>:: @@ -189,7 +201,8 @@ will stop writing to the current capture file and switch to the next one if filesize is reached. When reading a capture file, *TShark* will stop reading the file after the number of bytes read exceeds this number (the complete packet will be read, so more bytes than this number may be read). Note that -the filesize is limited to a maximum value of 2 GiB. +the filesize is limited to a maximum value of 2 TB, although you might have +problems before then if the number of packets exceeds exceeds 2^32^ (4294967296). *packets*:__value__ switch to the next file after it contains __value__ packets. @@ -241,7 +254,9 @@ parameter takes exactly one criterion; to specify two criterion, each must be preceded by the *-b* option. *filesize*:__value__ switch to the next file after it reaches a size of -__value__ kB. Note that the filesize is limited to a maximum value of 2 GiB. +__value__ kB. Note that the filesize is limited to a maximum value of 2 TB, +although you might have problems before then if the number of packets exceeds +exceeds 2^32^ (4294967296). *interval*:__value__ switch to the next file when the time is an exact multiple of __value__ seconds. For example, use 3600 to switch to a new file @@ -250,6 +265,10 @@ every hour on the hour. *packets*:__value__ switch to the next file after it contains __value__ packets. +*printname*:__filename__ print the name of the most recently written file +to __filename__ after the file is closed. __filename__ can be `stdout` or `-` +for standard output, or `stderr` for standard error. + *nametimenum*:__value__ Choose between two save filename templates. If __value__ is 1, make running file number part before start time part; this is the original and default behaviour (e.g. log_00001_20240714164426.pcap). If @@ -299,7 +318,9 @@ may differ from *-a packets:*<capture packet count>. -C <configuration profile>:: + -- -Run with the given configuration profile. +Run with the given configuration profile. If used in conjucton with +--global-profile, then the global profile with the associated name +would be used. -- -D|--list-interfaces:: @@ -322,7 +343,7 @@ is selected. This option can be used multiple times on the command line. At least one field must be provided if the *-T fields* option is selected. Column types may be used prefixed with "_ws.col." -Example: *tshark -e frame.number -e ip.addr -e udp -e _ws.col.info* +Example: *tshark -T fields -e frame.number -e ip.addr -e udp -e _ws.col.info* Fields are separated by tab characters by default. *-E* controls the format of the printed fields. @@ -366,11 +387,14 @@ option may be used. *quote=d|s|n* Set the quote character to use to surround fields. *d* uses double-quotes, *s* single-quotes, *n* no quotes (the default). +If the quote character appears in a field value, it will be escaped +by being duplicated. *escape=y|n* If *y*, the whitespace control characters (tab, line feed, -carriage return, form feed, and vertical tab) and backspace will be -replaced in field values by C-style escapes, e.g. "\n" for line feed. -If *n*, field value strings will be printed as-is. Defaults to *y*. +carriage return, form feed, and vertical tab) backspace, and the +backslash will be replaced in field values by C-style escapes, e.g. +"\n" for line feed. If *n*, field value strings will be printed as-is. +Defaults to *y*. -- -f <capture filter>:: @@ -394,7 +418,9 @@ Example: *tshark -f "predef:MyPredefinedHostOnlyFilter"* Set the file format of the output capture file written using the *-w* option. The output written with the *-w* option is raw packet data, not text, so there is no *-F* option to request text output. The option *-F* -without a value will list the available formats. +without a value will list the available formats. The default is the +*pcapng* format (unless the default has been changed in preferences.) +. -g:: This option causes the output file(s) to be created with group-read permission @@ -405,8 +431,9 @@ user's group). + -- The *-G* option will cause *TShark* to dump one of several types of glossaries -and then exit. If no specific glossary type is specified, then the *fields* -report will be generated by default. +and then exit. If no glossary type is specified, then the *fields* report +will be generated by default; this is deprecated and a future version will +require the report type argument. The *-G* option must be the first option given. Using the report type of *help* lists all the current report types. The available report types include: @@ -443,10 +470,10 @@ is one record per line. The fields are tab-delimited. [horizontal] Field 1:: dissector table name, e.g. "tcp.port" Field 2:: name used for the dissector table in the GUI -Field 3:: type (textual representation of the ftenum type) +Field 3:: type (textual representation of the ftenum type, or "heuristic") Field 4:: base for display (for integer types) Field 5:: protocol name -Field 6:: "decode as" support +Field 6:: "decode as" support (for non-heuristic tables) *elastic-mapping* Dumps the ElasticSearch mapping file to stdout. Fields falling in the default case (string) won't be mapped. @@ -506,7 +533,7 @@ Field 2:: text description of type (e.g. "IPv6 address") There is one record per line. The fields are tab-delimited. [horizontal] -Field 1:: underlying dissector (e.g. "tcp") +Field 1:: heuristic dissector table name (e.g. "tcp") Field 2:: name of heuristic decoder (e.g. "ucp") Field 3:: heuristic enabled (e.g. "T" or "F") Field 4:: heuristic enabled by default (e.g. "T" or "F") @@ -638,7 +665,7 @@ Protocol match filter used for ek|json|jsonraw|pdml output file types. Only the protocol's parent node is included. Child nodes are only included if explicitly specified in the filter. -Example: *tshark -j "ip ip.flags http"* +Example: *tshark -T json -j "ip ip.flags http"* -- -J <protocol match filter>:: @@ -648,7 +675,7 @@ Protocol top level filter used for ek|json|jsonraw|pdml output file types. The protocol's parent node and all child nodes are included. Lower-level protocols must be explicitly specified in the filter. -Example: *tshark -J "tcp http"* +Example: *tshark -T pdml -J "tcp http"* -- -l:: @@ -662,7 +689,7 @@ normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C -library.) +library.) This also sets *--update-interval* to 0 ms. This may be useful when piping the output of *TShark* to another program, as it means that the program to which the output is piped will @@ -761,9 +788,13 @@ printed, just the statistics. + -- Read packet data from __infile__, can be any supported capture file format -(including gzipped files). It is possible to use named pipes or stdin (-) -here but only with certain (not compressed) capture file formats (in -particular: those that can be read without seeking backwards). +(including compressed files). It is possible to use named pipes or stdin (-) +here but only with certain capture file formats (in particular: those that +can be read without seeking backwards.) + +TIP: Reading a live capture from the standard out of another process through +a pipe can circumvent restrictions that apply to *TShark* during live capture, +such as file formats or compression. -- -R|--read-filter <Read filter>:: @@ -903,7 +934,10 @@ Cause *TShark* to print a view of the packet details. + -- Write raw packet data to __outfile__ or to the standard output if -__outfile__ is '-'. +__outfile__ is '-'. The *-F* and *--compress* options can be used +to control the file format and compression method. If the latter is +not given, then the extension may be used to deduce the desired +compression algorithm, if supported, e.g. a gzip archive for '.gz'. NOTE: *-w* provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the *-w* @@ -1904,19 +1938,19 @@ queries collated by receiver address and then topic name. Calculate statistics on LBM Topic Resolution Packets. Displays topic queries collated by topic name and then receiver address. -*-z* mac-lte,stat[,__filter__]:: +*-z* mac-3gpp,stat[,__filter__]:: + -- -This option will activate a counter for LTE MAC messages. You will get +This option will activate a counter for LTE or NR MAC messages. You will get information about the maximum number of UEs/TTI, common messages and various counters for each UE that appears in the log. -Example: *tshark -z mac-lte,stat*. +Example: *tshark -z mac-3gpp,stat*. This option can be used multiple times on the command line. -Example: *-z "mac-lte,stat,mac-lte.rnti>3000"* will only collect stats for -UEs with an assigned RNTI whose value is more than 3000. +Example: *-z "mac-3gpp,stat,mac-lte.rnti>3000"* will only collect stats for +LTE UEs with an assigned RNTI whose value is more than 3000. -- *-z* megaco,rtd[,__filter__]:: @@ -1968,6 +2002,12 @@ Displays the total number of OSmux packets, and displays for each stream the number of packets, number of packets with the RTP market bit set, number of AMR frames, jitter analysis, and sequence number analysis. +*-z* pfcp,srt[,__filter__]:: +Collect requests/response SRT (Service Response Time) data for PFCP. +Data collected is the number of calls, minimum SRT, maximum SRT, average +SRT, and sum SRT for certain commands. Currently no statistics are gathered +on unpaired messages. + *-z* pingpongprotocol,stat[,__filter__]:: Calculate statistics on the Ping Pong Protocol of Reliable Server Pooling. For each message type, displays the number, rate @@ -2018,19 +2058,19 @@ Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and Maximum in Frame, along with the number of Open Requests (Unresponded Requests), Discarded Responses (Responses without matching request) and Duplicate Messages. -*-z* rlc-lte,stat[,__filter__]:: +*-z* rlc-3gpp,stat[,__filter__]:: + -- -This option will activate a counter for LTE RLC messages. You will get +This option will activate a counter for LTE or NR RLC messages. You will get information about common messages and various counters for each UE that appears in the log. -Example: *tshark -z rlc-lte,stat*. +Example: *tshark -z rlc-3gpp,stat*. This option can be used multiple times on the command line. -Example: *-z "rlc-lte,stat,rlc-lte.ueid>3000"* will only collect stats for -UEs with a UEId of more than 3000. +Example: *-z "rlc-3gpp,stat,rlc-nr.ueid>3000"* will only collect stats for +NR UEs with a UEId of more than 3000. -- *-z* rpc,programs:: @@ -2215,7 +2255,7 @@ Enable coloring of packets according to standard Wireshark color filters. On Windows colors are limited to the standard console character attribute colors. Other platforms require a terminal that handles 24-bit "true color" terminal escape sequences. See -https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules for more information on +{wireshark-wiki-url}ColoringRules for more information on configuring color filters. --no-duplicate-keys:: @@ -2252,6 +2292,27 @@ Output JSON containing elapsed times for each pass tshark does to process a capt file and the sum elapsed time for all passes. The per-pass output contains the total elapsed time and aggregate counters for per-packet operations (dissection and filtering). +--compress <type>:: ++ +-- +Compress the output file using the type compression format. +*--compress* with no argument provides a list of the compression formats supported +for writing. The type given takes precedence over the extension of __outfile__. + +NOTE: This option only works with the *-r* option, i.e., when reading a +capture file, not for live captures. +//// +The --compress-type option is not documented anywhere; it works with live captures, +but only a limited set of capture options (multiple file mode (-b), but not +ringbuffer mode (no -b files), and only compressed upon file rotation.) +It works with TShark and dumpcap, but not from the command line in Wireshark +(though the Wireshark GUI can pass the option to dumpcap.) + +Should we document it? Deprecate it in favor of also using compress? Do nothing +until it has closer feature parity to *--compress* but for captures? +//// +-- + include::dissection-options.adoc[tags=**;!not_tshark] include::diagnostic-options.adoc[] @@ -2259,214 +2320,14 @@ include::diagnostic-options.adoc[] == CAPTURE FILTER SYNTAX See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), -or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters. +or, if that doesn't exist, {wireshark-wiki-url}CaptureFilters. == READ FILTER SYNTAX For a complete table of protocol and protocol fields that are filterable in *TShark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. -== FILES - -These files contains various *Wireshark* configuration values. - -Preferences:: -+ --- -The __preferences__ files contain global (system-wide) and personal -preference settings. If the system-wide preference file exists, it is -read first, overriding the default settings. If the personal preferences -file exists, it is read next, overriding any previous values. Note: If -the command line option *-o* is used (possibly more than once), it will -in turn override values from the preferences files. - -The preferences settings are in the form __prefname:value__, -one per line, -where __prefname__ is the name of the preference -and __value__ is the value to -which it should be set; white space is allowed between *:* and -__value__. A preference setting can be continued on subsequent lines by -indenting the continuation lines with white space. A *#* character -starts a comment that runs to the end of the line: - - # Capture in promiscuous mode? - # TRUE or FALSE (case-insensitive). - capture.prom_mode: TRUE - -The global preferences file is looked for in the __wireshark__ directory -under the __share__ subdirectory of the main installation directory. On -macOS, this would typically be -__/Application/Wireshark.app/Contents/Resources/share__; on other -UNIX-compatible systems, such as Linux, \*BSD, Solaris, and AIX, this -would typically be __/usr/share/wireshark/preferences__ for -system-installed packages and __/usr/local/share/wireshark/preferences__ -for locally-installed packages; on Windows, this would typically be -__C:\Program Files\Wireshark\preferences__. - -On UNIX-compatible systems, the personal preferences file is looked for -in __$XDG_CONFIG_HOME/wireshark/preferences__, (or, if -__$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ -does exist, __$HOME/.wireshark/preferences__); this is typically -__$HOME/.config/wireshark/preferences__. On Windows, -the personal preferences file is looked for in -__%APPDATA%\Wireshark\preferences__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark\preferences__). --- - -Disabled (Enabled) Protocols:: -+ --- -The __disabled_protos__ files contain system-wide and personal lists of -protocols that have been disabled, so that their dissectors are never -called. The files contain protocol names, one per line, where the -protocol name is the same name that would be used in a display filter -for the protocol: - - http - tcp # a comment - -The global __disabled_protos__ file uses the same directory as the global -preferences file. - -The personal __disabled_protos__ file uses the same directory as the -personal preferences file. --- - -Name Resolution (hosts):: -+ --- -If the personal __hosts__ file exists, it is -used to resolve IPv4 and IPv6 addresses before any other -attempts are made to resolve them. The file has the standard __hosts__ -file syntax; each line contains one IP address and name, separated by -whitespace. The same directory as for the personal preferences file is -used. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX, and by Npcap or -WinPcap on Windows. As such the Wireshark personal __hosts__ file will -not be consulted for capture filter name resolution. --- - -Name Resolution (subnets):: -+ --- -If an IPv4 address cannot be translated via name resolution (no exact -match is found) then a partial match is attempted via the __subnets__ file. - -Each line of this file consists of an IPv4 address, a subnet mask length -separated only by a / and a name separated by whitespace. While the address -must be a full IPv4 address, any values beyond the mask length are subsequently -ignored. - -An example is: - -# Comments must be prepended by the # sign! -192.168.0.0/24 ws_test_network - -A partially matched name will be printed as "subnet-name.remaining-address". -For example, "192.168.0.1" under the subnet above would be printed as -"ws_test_network.1"; if the mask length above had been 16 rather than 24, the -printed address would be ``ws_test_network.0.1". --- - -Name Resolution (ethers):: -+ --- -The __ethers__ files are consulted to correlate 6-byte hardware addresses to -names. First the personal __ethers__ file is tried and if an address is not -found there the global __ethers__ file is tried next. - -Each line contains one hardware address and name, separated by -whitespace. The digits of the hardware address are separated by colons -(:), dashes (-) or periods (.). The same separator character must be -used consistently in an address. The following three lines are valid -lines of an __ethers__ file: - - ff:ff:ff:ff:ff:ff Broadcast - c0-00-ff-ff-ff-ff TR_broadcast - 00.00.00.00.00.00 Zero_broadcast - -The global __ethers__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ethers__ file is looked for in the same directory as the personal -preferences file. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and Npcap or WinPcap on Windows. As such the Wireshark personal -__ethers__ file will not be consulted for capture filter name resolution. --- - -Name Resolution (manuf):: -+ --- -The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte -hardware address with the manufacturer's name; it can also contain well-known -MAC addresses and address ranges specified with a netmask. The format of the -file is the same as the __ethers__ files, except that entries of the form: - - 00:00:0C Cisco - -can be provided, with the 3-byte OUI and the name for a vendor, and -entries such as: - - 00-00-0C-07-AC/40 All-HSRP-routers - -can be specified, with a MAC address and a mask indicating how many bits -of the address must match. The above entry, for example, has 40 -significant bits, or 5 bytes, and would match addresses from -00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a -multiple of 8. - -The __manuf__ file is looked for in the same directory as the global -preferences file. --- - -Name Resolution (services):: -+ --- -The __services__ file is used to translate port numbers into names. - -The file has the standard __services__ file syntax; each line contains one -(service) name and one transport identifier separated by white space. The -transport identifier includes one port number and one transport protocol name -(typically tcp, udp, or sctp) separated by a /. - -An example is: - - mydns 5045/udp # My own Domain Name Server - mydns 5045/tcp # My own Domain Name Server --- - -Name Resolution (ipxnets):: -+ --- -The __ipxnets__ files are used to correlate 4-byte IPX network numbers to -names. First the global __ipxnets__ file is tried and if that address is not -found there the personal one is tried next. - -The format is the same as the __ethers__ -file, except that each address is four bytes instead of six. -Additionally, the address can be represented as a single hexadecimal -number, as is more common in the IPX world, rather than four hex octets. -For example, these four lines are valid lines of an __ipxnets__ file: - - C0.A8.2C.00 HR - c0-a8-1c-00 CEO - 00:00:BE:EF IT_Server1 - 110f FileServer3 - -The global __ipxnets__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ipxnets__ file is looked for in the same directory as the -personal preferences file. --- +include::files.adoc[tags=**;!gui] == OUTPUT diff --git a/doc/udpdump.adoc b/doc/man_pages/udpdump.adoc index 8739ab6f..37b5934c 100644 --- a/doc/udpdump.adoc +++ b/doc/man_pages/udpdump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = udpdump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/wifidump.adoc b/doc/man_pages/wifidump.adoc index e202d05a..d23ee092 100644 --- a/doc/wifidump.adoc +++ b/doc/man_pages/wifidump.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = wifidump(1) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME diff --git a/doc/wireshark-filter.adoc b/doc/man_pages/wireshark-filter.adoc index 3e8a7b84..2de71423 100644 --- a/doc/wireshark-filter.adoc +++ b/doc/man_pages/wireshark-filter.adoc @@ -1,9 +1,9 @@ -include::../docbook/attributes.adoc[] +include::../attributes.adoc[] = wireshark-filter(4) :doctype: manpage :stylesheet: ws.css :linkcss: -:copycss: ../docbook/{stylesheet} +:copycss: {css_dir}/{stylesheet} == NAME @@ -138,6 +138,9 @@ The filter language has the following functions: len(field) - returns the byte length of a string or bytes field count(field) - returns the number of field occurrences in a frame string(field) - converts a non-string field to string + vals(field) - converts a field value to its value string + dec(field) - converts an unsigned integer to a decimal string + hex(field) - converts an unsigned integer to a hexadecimal string max(f1,...,fn) - return the maximum value min(f1,...,fn) - return the minimum value abs(field) - return the absolute value of numeric fields @@ -155,11 +158,77 @@ byte fields. For example: string(frame.number) matches "[13579]$" -gives you all the odd packets. +gives you all the odd packets. Note that the "matches" operator implicitly +converts types of their value string representation; to match against the +decimal representation of an integer field use string(). + +vals() converts an integer or boolean field value to a string using the +field's associated value string, if it has one. This produces strings +similar to those seen in custom columns. The resultant string can also +be used with other operators. E.g.: + + vals(pfcp.msg_type) contains "Request" + +would match all packets which have a PFCP request, even if that request is not +matched with a response. + +dec() and hex() convert unsigned integer fields to decimal or hexadecimal +representation. Currently dec() and string() give same result for an unsigned +integer, but it is possible that in the future string() will use the native +base of the field. max() and min() take any number of arguments and returns one value, respectively the largest/smallest. The arguments must all have the same type. +There is also a set of functions to test IP addresses: + + ip_special_name(ip) - Returns the IP special-purpose block name as a string + ip_special_mask(ip) - Returns the IP special-purpose block flags as a mask. The bits are: + 4 3 2 1 0 + --------- + S D F G R + S = Source, D = Destination, F = Forwardable, G = Globally-reachable, R = Reserved-by-protocol + + ip_linklocal(ip) - true if the IPv4 or IPv6 address is link-local + ip_multicast(ip) - true if the IPv4 or IPv6 address is multicast + ip_rfc1918(ipv4) - true if the IPv4 address is private-use (from the allocation in RFC 1918) + ip_ula(ipv6) - true if the IPv6 address is unique-local (ULA) as in RFC 4193 + +=== Macros + +It is possible to define display filter macros. Macro are names that are +replaced with the associated expression, possibly performing argument substitution. +Macro expansions are purely textual replacements and performed recursively before compilation. +They allow replacing long and often used expressions with easy to use names. + +Macros are defined using the GUI or directly in the "dmacros" configuration +file. For example the definition + + "addplusone" {$1 + $2 + 1} + +creates a macro called `addplusone` that takes two arguments and expands to the given expression. +Arguments in the replacement expression are given using the dollar sign. + +Macros are invoked like function but preceded with a dollar sign +(sometimes also called a sigil): + + $addplusone(udp.src_port,udp.dst_port) + +results in the expression + + {udp.src_port + udp.dst_port + 1} + +after argument substitution. There is an older alternative notation to invoke macros: + + ${addplusone:udp.src_port;udp.dst_port} + +or + + ${addplusone;udp.src_port;udp.dst_port} + +Both forms are equivalent and can be used interchangibly as a matter of +preference. + === Protocol field types Each protocol field is typed. The types are: @@ -483,12 +552,46 @@ can be convenient: frame[4] == 0xff frame[1:4] contains 0x02 +An integer or boolean field that has a value string can be compared to +to one of the strings that corresponds with a value. +As with stringlike fields and comparisons, it is possible to perform +the comparison with an unquoted literal, though this is deprecated and +will not work if the literal contains a space (as with "Modify Bearer +Response" above). Double quotes are recommended. + +If there is a unique reverse mapping from the string literal into a +numeric value, the string is converted into that number and the +comparison function is applied using arithmetic rules. If the mapping +is not unique, then equality and inequality can be tested, but not the +ordered comparisons. + +This is in contrast to the `string()` and `vals()` function, which +convert the field value to a string and applies string (lexicographic) +comparisons, as well as work with all operators that take strings. +Therefore the following two filters give the same result: + + gtpv2.message_type <= 35 + gtpv2.message_type <= "Modify Bearer Response" + +whereas + + vals(gtpv2.message_type) <= "Modify Bearer Response" + +matches all messages whose value string precedes "Modify Bearer Response" +in lexicographical order, and + + string(gtpv2.message_type) <= "35" + +matches all messages such that the message type comes before "35" in +lexicographical order, i.e. would also match "170" (the message type +for "Release Access Bearers Request.") + === Bitwise operators It is also possible to define tests with bitwise operations. Currently the following bitwise operator is supported: - bitwise_and, & Bitwise AND + bitand, bitwise_and, & Bitwise AND The bitwise AND operation allows masking bits and testing to see if one or more bits are set. Bitwise AND operates on integer protocol fields and slices. @@ -519,6 +622,13 @@ Arithmetic expressions are supported with the usual operators: / Division % Modulo (integer remainder) +Arithmetic operations can be performed on numeric types. Numeric types are +integers, floating point numbers and date and time values. + +Date and time values can only be multiplied by integers or floating point +numbers (i.e: scalars) and furthermore the scalar multiplier must appear on +the right-hand side of the arithmetic operation. + For example it is possible to filter for UDP destination ports greater or equal by one to the source port with the expression: @@ -537,13 +647,17 @@ or "A - B". === Protocol field references -A variable using a sigil with the form ${some.proto.field} is called a field +A variable using a sigil with the form $some.proto.field or ${some.proto.field} is called a field reference. A field reference is a field value read from the currently selected frame in the GUI. This is useful to build dynamic filters such as, frames since the last five minutes to the selected frame: frame.time_relative >= ${frame.time_relative} - 300 +or more simply + + frame.time_relative >= $frame.time_relative - 300 + Field references share a similar notation to macros but are distinct syntactical elements in the filter language. @@ -618,7 +732,7 @@ can find references and examples at the following locations: * `tshark -G fields` on the command line -* The Wireshark wiki: https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters +* The Wireshark wiki: {wireshark-wiki-url}DisplayFilters == NOTES @@ -631,11 +745,10 @@ See https://www.pcre.org/ for more information. This manpage does not describe the capture filter syntax, which is different. See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, -xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters +xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), or, if that doesn't exist, {wireshark-wiki-url}CaptureFilters for a description of capture filters. -Display Filters are also described in the User's Guide: -https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html +Display Filters are also described in the link:{wireshark-users-guide-url}ChWorkBuildDisplayFilterSection.html[Wireshark User's Guide]. == SEE ALSO diff --git a/doc/man_pages/wireshark.adoc b/doc/man_pages/wireshark.adoc new file mode 100644 index 00000000..c5e963e1 --- /dev/null +++ b/doc/man_pages/wireshark.adoc @@ -0,0 +1,1099 @@ +include::../attributes.adoc[] += wireshark(1) +:doctype: manpage +:stylesheet: ws.css +:linkcss: +:copycss: {css_dir}/{stylesheet} + +== NAME + +wireshark - Interactively dump and analyze network traffic + +== SYNOPSIS + +[manarg] +*wireshark* +[ *-i* <capture interface>|- ] +[ *-f* <capture filter> ] +[ *-Y* <display filter> ] +[ *-w* <outfile> ] +[ *options* ] +[ <infile> ] + +[manarg] +*wireshark* +*-h|--help* + +[manarg] +*wireshark* +*-v|--version* + +== DESCRIPTION + +*Wireshark* is a GUI network protocol analyzer. It lets you +interactively browse packet data from a live network or from a +previously saved capture file. *Wireshark*'s native capture file +formats are *pcapng* format and *pcap* format; it can read and write +both formats.. *pcap* format is also the format used by *tcpdump* and +various other tools; *tcpdump*, when using newer versions of the +*libpcap* library, can also read some pcapng files, and, on newer +versions of macOS, can read all pcapng files and can write them as well. + +*Wireshark* can also read / import the following file formats: + +* Oracle (previously Sun) *snoop* and *atmsnoop* captures + +* Finisar (previously Shomiti) *Surveyor* captures + +* Microsoft *Network Monitor* captures + +* Novell *LANalyzer* captures + +* AIX's *iptrace* captures + +* Cinco Networks *NetXRay* captures + +* NETSCOUT (previously Network Associates/Network General) Windows-based +*Sniffer* captures + +* Network General/Network Associates DOS-based *Sniffer* captures +(compressed or uncompressed) + +* LiveAction (previously WildPackets/Savvius) **Peek*/*EtherHelp*/*PacketGrabber* captures + +* *RADCOM*'s WAN/LAN analyzer captures + +* Viavi (previously Network Instruments) *Observer* captures + +* *Lucent/Ascend* router debug output + +* captures from HP-UX *nettl* + +* *Toshiba's* ISDN routers dump output + +* the output from *i4btrace* from the ISDN4BSD project + +* traces from the *EyeSDN* USB S0 + +* the *IPLog* format output from the Cisco Secure Intrusion Detection System + +* *pppd logs* (pppdump format) + +* the output from VMS's *TCPIPtrace*/*TCPtrace*/*UCX$TRACE* utilities + +* the text output from the *DBS Etherwatch* VMS utility + +* Visual Networks' *Visual UpTime* traffic capture + +* the output from *CoSine* L2 debug + +* the output from InfoVista (previously Accellent) *5View* LAN agents + +* Endace Measurement Systems' ERF format captures + +* Linux Bluez Bluetooth stack *hcidump -w* traces + +* Catapult DCT2000 .out files + +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode + +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) + +* Juniper Netscreen snoop files + +* Symbian OS btsnoop files + +* TamoSoft CommView files + +* Tektronix K12xx 32bit .rf5 format files + +* Tektronix K12 text file format captures + +* Apple PacketLogger files + +* Captures from Aethra Telecommunications' PC108 software for their test +instruments + +* Citrix NetScaler Trace files + +* Android Logcat binary and text format logs + +* Colasoft Capsa and PacketBuilder captures + +* Micropross mplog files + +* Unigraf DPA-400 DisplayPort AUX channel monitor traces + +* 802.15.4 traces from Daintree's Sensor Network Analyzer + +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 + +* Log files from the _candump_ utility + +* Logs from the BUSMASTER tool + +* Ixia IxVeriWave raw captures + +* Rabbit Labs CAM Inspector files + +* _systemd_ journal files + +* 3GPP TS 32.423 trace files + +There is no need to tell *Wireshark* what type of +file you are reading; it will determine the file type by itself. +*Wireshark* is also capable of reading any of these file formats if they +are compressed using gzip, LZ4, or Zstandard, if compiled with the +appropriate support. *Wireshark* recognizes this directly from the file; +the '.gz' or other extension is not required for this purpose. + +Like other protocol analyzers, *Wireshark*'s main window shows 3 views +of a packet. It shows a summary line, briefly describing what the +packet is. A packet details display is shown, allowing you to drill +down to exact protocol or field that you interested in. Finally, a hex +dump shows you exactly what the packet looks like when it goes over the +wire. + +In addition, *Wireshark* has some features that make it unique. It can +assemble all the packets in a TCP conversation and show you the ASCII +(or EBCDIC, or hex) data in that conversation. Display filters in +*Wireshark* are very powerful; more fields are filterable in *Wireshark* +than in other protocol analyzers, and the syntax you can use to create +your filters is richer. As *Wireshark* progresses, expect more and more +protocol fields to be allowed in display filters. + +Packet capturing is performed with the pcap library. The capture filter +syntax follows the rules of the pcap library. This syntax is different +from the display filter syntax. + +Compressed file support uses (and therefore requires) the zlib library. +If the zlib library is not present, *Wireshark* will compile, but will +be unable to read compressed files. + +The pathname of a capture file to be read can be specified with the +*-r* option or can be specified as a command-line argument. + +== OPTIONS + +Most users will want to start *Wireshark* without options and configure +it from the menus instead. Those users may just skip this section. + +-a|--autostop <capture autostop condition>:: ++ +-- +Specify a criterion that specifies when *Wireshark* is to stop writing +to a capture file. The criterion is of the form __test:value__, +where __test__ is one of: + +*duration*:__value__ Stop writing to a capture file after __value__ seconds have +elapsed. Floating point values (e.g. 0.5) are allowed. + +*files*:__value__ Stop writing to capture files after __value__ number of files +were written. + +*filesize*:__value__ Stop writing to a capture file after it reaches a size of +__value__ kB. If this option is used together with the -b option, Wireshark +will stop writing to the current capture file and switch to the next one if +filesize is reached. Note that the filesize is limited to a maximum value of +2 TB, although you might have problems viewing the file in the GUI before then if +the number of packets exceeds 2^31^ (2147483648). + +*packets*:__value__ Stop writing to a capture file after it contains __value__ +packets. Acts the same as *-c*<capture packet count>. +-- + +-b|--ring-buffer <capture ring buffer option>:: ++ +-- +Cause *Wireshark* to run in "multiple files" mode. In "multiple files" mode, +*Wireshark* will write to several capture files. When the first capture file +fills up, *Wireshark* will switch writing to the next file and so on. + +The created filenames are based on the filename given with the *-w* flag, +the number of the file and on the creation date and time, +e.g. outfile_00001_20240714120117.pcap, outfile_00002_20240714120523.pcap, ... + +With the __files__ option it's also possible to form a "ring buffer". +This will fill up new files until the number of files specified, +at which point *Wireshark* will discard the data in the first file and start +writing to that file and so on. If the __files__ option is not set, +new files filled up until one of the capture stop conditions match (or +until the disk is full). + +The criterion is of the form __key:value__, +where __key__ is one of: + +*duration*:__value__ switch to the next file after __value__ seconds have +elapsed, even if the current file is not completely filled up. Floating +point values (e.g. 0.5) are allowed. + +*files*:__value__ begin again with the first file after __value__ number of +files were written (form a ring buffer). This value must be less than 100000. +Caution should be used when using large numbers of files: some filesystems do +not handle many files in a single directory well. The *files* criterion +requires one of the other criteria to be specified to +control when to go to the next file. It should be noted that each *-b* +parameter takes exactly one criterion; to specify two criteria, each must be +preceded by the *-b* option. + +*filesize*:__value__ switch to the next file after it reaches a size of +__value__ kB. Note that the filesize is limited to a maximum value of 2 TB, +although you might have problems viewing the file in the GUI before then if +the number of packets exceeds 2^31^ (2147483648). + +*interval*:__value__ switch to the next file when the time is an exact +multiple of __value__ seconds. + +*packets*:__value__ switch to the next file after it contains __value__ +packets. + +Example: *-b filesize:1000 -b files:5* results in a ring buffer of five files +of size one megabyte each. +-- + +-B|--buffer-size <capture buffer size>:: ++ +-- +Set capture buffer size (in MiB, default is 2 MiB). This is used by +the capture driver to buffer packet data until that data can be written +to disk. If you encounter packet drops while capturing, try to increase +this size. Note that, while *Wireshark* attempts to set the buffer size +to 2 MiB by default, and can be told to set it to a larger value, the +system or interface on which you're capturing might silently limit the +capture buffer size to a lower value or raise it to a higher value. + +This is available on UNIX-compatible systems, such as Linux, macOS, +\*BSD, Solaris, and AIX, with libpcap 1.0.0 or later, and on Windows. +It is not available on UNIX-compatible systems with earlier versions of +libpcap. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, it sets the default capture buffer size. +If used after an *-i* option, it sets the capture buffer size for +the interface specified by the last *-i* option occurring before +this option. If the capture buffer size is not set specifically, +the default capture buffer size is used instead. +-- + +-c <capture packet count>:: ++ +-- +Set the maximum number of packets to read when capturing live +data. Acts the same as *-a packets:*<capture packet count>. +-- + +-C <configuration profile>:: ++ +-- +Start with the given configuration profile. +-- + +--capture-comment <comment>:: ++ +-- +When performing a capture file from the command line, with the *-k* +flag, add a capture comment to the output file, if supported by the +capture format. + +This option may be specified multiple times. Note that Wireshark +currently only displays the first comment of a capture file. +-- + +-D|--list-interfaces:: ++ +-- +Print a list of the interfaces on which *Wireshark* can capture, and +exit. For each network interface, a number and an interface name, +possibly followed by a text description of the interface, is printed. +The interface name or the number can be supplied to the *-i* flag to +specify an interface on which to capture. The number can be useful on +Windows systems, where the interfaces have long names that usually +contain a GUID. +-- + +--display <X display to use>:: ++ +-- +Specifies the X display to use. A hostname and screen (otherhost:0.0) +or just a screen (:0.0) can be specified. This option is not available +under macOS or Windows. +-- + +-f <capture filter>:: ++ +-- +Set the capture filter expression. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, it sets the default capture filter expression. +If used after an *-i* option, it sets the capture filter expression for +the interface specified by the last *-i* option occurring before +this option. If the capture filter expression is not set specifically, +the default capture filter expression is used if provided. + +Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters, +can be used by prefixing the argument with "predef:". +Example: *-f "predef:MyPredefinedHostOnlyFilter"* +-- + +-F <file format>:: +When performing a capture file from the command line, with the *-k* option, +set the file format of the output capture file written using the *-w* option. +In situations that require the *pcapng* format, such as capturing from +multiple interfaces, this option will be overridden. The option *-F* +without a value will list the available formats. The default is the +*pcapng* format (unless the default has been changed in preferences.) + +This does not support every format to which Wireshark can convert a file; +this is intentional for security reasons. Capture in a supported format and +then save the file in a different format if so desired. + +--fullscreen:: ++ +-- +Start Wireshark in full screen mode (kiosk mode). To exit from fullscreen mode, +open the View menu and select the Full Screen option. Alternatively, press the +F11 key (or Ctrl + Cmd + F for macOS). +-- + +-g <packet number>:: +After reading in a capture file using the *-r* flag, go to the given __packet number__. + +-h|--help:: +Print the version number and options and exit. + +-H:: +Hide the capture info dialog during live packet capture. + +-i|--interface <capture interface>|-:: ++ +-- +Set the name of the network interface or pipe to use for live packet +capture. + +Network interface names should match one of the names listed in "*wireshark +-D*" (described above); a number, as reported by "*tshark -D*", can also +be used. + +If no interface is specified, *Wireshark* searches the list of +interfaces, choosing the first non-loopback interface if there are any +non-loopback interfaces, and choosing the first loopback interface if +there are no non-loopback interfaces. If there are no interfaces at all, +*Wireshark* reports an error and doesn't start the capture. + +Pipe names should be either the name of a FIFO (named pipe) or "-" to +read data from the standard input. On Windows systems, pipe names must be +of the form +"\\.\pipe\+*pipename*". Data read from pipes must be in +standard pcapng or pcap format. Pcapng data must have the same +endianness as the capturing host. + +"TCP@<host>:<port>" causes *Wireshark* to attempt to connect to the +specified port on the specified host and read pcapng or pcap data. + +This option can occur multiple times. When capturing from multiple +interfaces, the capture file will be saved in pcapng format. +-- + +-I|--monitor-mode:: ++ +-- +Put the interface in "monitor mode"; this is supported only on IEEE +802.11 Wi-Fi interfaces, and supported only on some operating systems. + +Note that in monitor mode the adapter might disassociate from the +network with which it's associated, so that you will not be able to use +any wireless networks with that adapter. This could prevent accessing +files on a network server, or resolving host names or network addresses, +if you are capturing in monitor mode and are not connected to another +network with another adapter. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, it enables the monitor mode for all interfaces. +If used after an *-i* option, it enables the monitor mode for +the interface specified by the last *-i* option occurring before +this option. +-- + +-j:: +Use after *-J* to change the behavior when no exact match is found for +the filter. With this option select the first packet before. + +-J <jump filter>:: ++ +-- +After reading in a capture file using the *-r* flag, jump to the packet +matching the filter (display filter syntax). If no exact match is found +the first packet after that is selected. +-- + +-k:: ++ +-- +Start the capture session immediately. If the *-i* flag was +specified, the capture uses the specified interface. Otherwise, +*Wireshark* searches the list of interfaces, choosing the first +non-loopback interface if there are any non-loopback interfaces, and +choosing the first loopback interface if there are no non-loopback +interfaces; if there are no interfaces, *Wireshark* reports an error and +doesn't start the capture. +-- + +-l:: +Turn on automatic scrolling if the packet display is being updated +automatically as packets arrive during a capture (as specified by the +*-S* flag). + +-L|--list-data-link-types:: +List the data link types supported by the interface and exit. + +--list-time-stamp-types:: +List time stamp types supported for the interface. If no time stamp type can be +set, no time stamp types are listed. + +-o <preference/recent setting>:: ++ +-- +Set a preference or recent value, overriding the default value and any value +read from a preference/recent file. The argument to the flag is a string of +the form __prefname:value__, where __prefname__ is the name of the +preference/recent value (which is the same name that would appear in the +preference/recent file), and __value__ is the value to which it should be set. +Since *Ethereal* 0.10.12, the recent settings replaces the formerly used +-B, -P and -T flags to manipulate the GUI dimensions. + +If __prefname__ is "uat", you can override settings in various user access +tables using the form "uat:__uat filename__:__uat record__". __uat filename__ +must be the name of a UAT file, e.g. __user_dlts__. __uat_record__ must be in +the form of a valid record for that file, including quotes. For instance, to +specify a user DLT from the command line, you would use + + -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\"" +-- + +-p|--no-promiscuous-mode:: ++ +-- +__Don't__ put the interface into promiscuous mode. Note that the +interface might be in promiscuous mode for some other reason; hence, +*-p* cannot be used to ensure that the only traffic that is captured is +traffic sent to or from the machine on which *Wireshark* is running, +broadcast traffic, and multicast traffic to addresses received by that +machine. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, no interface will be put into the +promiscuous mode. +If used after an *-i* option, the interface specified by the last *-i* +option occurring before this option will not be put into the +promiscuous mode. +-- + +-P <path setting>:: ++ +-- +Special path settings usually detected automatically. This is used for +special cases, e.g. starting Wireshark from a known location on an USB stick. + +The criterion is of the form __key:path__, where __key__ is one of: + +*persconf*:__path__ path of personal configuration files, like the +preferences files. + +*persdata*:__path__ path of personal data files, it's the folder initially +opened. After the very first initialization, the recent file will keep the +folder last used. +-- + +-r|--read-file <infile>:: ++ +-- +Read packet data from __infile__, can be any supported capture file format +(including compressed files). It's not possible to use named pipes or stdin +here, unlike *TShark*! To capture from a pipe or from stdin use *-i -*. +-- + +-R|--read-filter <read (display) filter>:: ++ +-- +When reading a capture file specified with the *-r* flag, causes the +specified filter (which uses the syntax of display filters, rather than +that of capture filters) to be applied to all packets read from the +capture file; packets not matching the filter are discarded. +-- + +-s|--snapshot-length <capture snaplen>:: ++ +-- +Set the default snapshot length to use when capturing live data. +No more than __snaplen__ bytes of each network packet will be read into +memory, or saved to disk. A value of 0 specifies a snapshot length of +262144, so that the full packet is captured; this is the default. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, it sets the default snapshot length. +If used after an *-i* option, it sets the snapshot length for +the interface specified by the last *-i* option occurring before +this option. If the snapshot length is not set specifically, +the default snapshot length is used if provided. +-- + +-S:: +Automatically update the packet display as packets are coming in. + +--temp-dir <directory>:: ++ +-- +Specifies the directory into which temporary files (including capture +files) are to be written. The default behavior on UNIX-compatible systems, +such as Linux, macOS, \*BSD, Solaris, and AIX, is to use the environment +variable __$TMPDIR__ if set, and the system default, typically __/tmp__, if it +is not. On Windows, the __%TEMP%__ environment variable is used, which +typically defaults to __%USERPROFILE%\AppData\Local\Temp__. +-- + +--time-stamp-type <type>:: +Change the interface's timestamp method. See --list-time-stamp-types. + +--update-interval <interval>:: +Set the length of time in milliseconds between new packet reports during +a capture. Also sets the granularity of file duration conditions. +The default value is 100ms. + +-v|--version:: +Print the full version information and exit. + +-w <outfile>:: +Set the default capture file name, or '-' for standard output. + +-X <eXtension options>:: ++ +-- +Specify an option to be passed to an *Wireshark* module. The eXtension option +is in the form __extension_key:value__, where __extension_key__ can be: + +*lua_script*:__lua_script_filename__ tells *Wireshark* to load the given script in addition to the +default Lua scripts. + +**lua_script**__num__:__argument__ tells *Wireshark* to pass the given argument +to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command. +For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo' +will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua' +and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua +script, namely 'other.lua'. + +*read_format*:__file_format__ tells *Wireshark* to use the given file format to read in the +file (the file given in the *-r* command option). + +*stdin_descr*:__description__ tells *Wireshark* to use the given description when +capturing from standard input (*-i -*). +-- + +-y|--linktype <capture link type>:: ++ +-- +If a capture is started from the command line with *-k*, set the data +link type to use while capturing packets. The values reported by *-L* +are the values that can be used. + +This option can occur multiple times. If used before the first +occurrence of the *-i* option, it sets the default capture link type. +If used after an *-i* option, it sets the capture link type for +the interface specified by the last *-i* option occurring before +this option. If the capture link type is not set specifically, +the default capture link type is used if provided. +-- + +-Y|--display-filter <displaY filter>:: +Start with the given display filter. + +-z <statistics>:: ++ +-- +Get *Wireshark* to collect various types of statistics and display the result +in a window that updates in semi-real time. + +Some of the currently implemented statistics are: +-- + +*-z help*:: +Display all possible values for *-z*. + +*-z* afp,srt[,__filter__]:: ++ +-- +Show Apple Filing Protocol service response time statistics. +-- + +*-z* conv,__type__[,__filter__]:: ++ +-- +Create a table that lists all conversations that could be seen in the +capture. __type__ specifies the conversation endpoint types for which we +want to generate the statistics; currently the supported ones are: + + "eth" Ethernet addresses + "fc" Fibre Channel addresses + "fddi" FDDI addresses + "ip" IPv4 addresses + "ipv6" IPv6 addresses + "ipx" IPX addresses + "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported + "tr" Token Ring addresses + "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported + +If the optional __filter__ is specified, only those packets that match the +filter will be used in the calculations. + +The table is presented with one line for each conversation and displays +the number of packets/bytes in each direction as well as the total +number of packets/bytes. By default, the table is sorted according to +the total number of packets. + +These tables can also be generated at runtime by selecting the appropriate +conversation type from the menu "Tools/Statistics/Conversation List/". +-- + +*-z* dcerpc,srt,__name-or-uuid__,__major__.__minor__[,__filter__]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for DCERPC interface +__name__ or __uuid__, version __major__.__minor__. +Data collected is the number of calls for each procedure, MinSRT, MaxSRT +and AvgSRT. +Interface __name__ and __uuid__ are case-insensitive. + +Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0*# will collect data for the CIFS SAMR Interface. + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4*# will collect SAMR +SRT statistics for a specific host. +-- + +*-z* dhcp,stat[,__filter__]:: +Show DHCP (BOOTP) statistics. + +*-z* expert:: +Show expert information. + +*-z* fc,srt[,__filter__]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for FC. Data collected +is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT. + +Example: *-z fc,srt* +will calculate the Service Response Time as the time delta between the +First packet of the exchange and the Last packet of the exchange. + +The data will be presented as separate tables for all normal FC commands, +Only those commands that are seen in the capture will have its stats +displayed. + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "fc,srt,fc.id==01.02.03"* will collect stats only for +FC packets exchanged by the host at FC address 01.02.03 . +-- + +*-z* h225,counter[__,filter__]:: ++ +-- +Count ITU-T H.225 messages and their reasons. In the first column you get a +list of H.225 messages and H.225 message reasons which occur in the current +capture file. The number of occurrences of each message or reason is displayed +in the second column. + +Example: *-z h225,counter* + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "h225,counter,ip.addr==1.2.3.4"* will collect stats only for +H.225 packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* h225,srt[__,filter__]:: ++ +-- +Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS. +Data collected is the number of calls of each ITU-T H.225 RAS Message Type, +Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet. +You will also get the number of Open Requests (Unresponded Requests), +Discarded Responses (Responses without matching request) and Duplicate Messages. + +Example: *-z h225,srt* + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "h225,srt,ip.addr==1.2.3.4"* will collect stats only for +ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* io,stat:: ++ +-- +Collect packet/bytes statistics for the capture in intervals of 1 second. +This option will open a window with up to 5 color-coded graphs where +number-of-packets-per-second or number-of-bytes-per-second statistics +can be calculated and displayed. + +This option can be used multiple times on the command line. + +This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat +menu item. +-- + +*-z* ldap,srt[,__filter__]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for LDAP. Data collected +is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT. + +Example: *-z ldap,srt* +will calculate the Service Response Time as the time delta between the +Request and the Response. + +The data will be presented as separate tables for all implemented LDAP commands, +Only those commands that are seen in the capture will have its stats +displayed. + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: use *-z "ldap,srt,ip.addr==10.1.1.1"* will collect stats only for +LDAP packets exchanged by the host at IP address 10.1.1.1 . + +The only LDAP commands that are currently implemented and for which the stats will be available are: +BIND +SEARCH +MODIFY +ADD +DELETE +MODRDN +COMPARE +EXTENDED +-- + +*-z* megaco,srt[__,filter__]:: ++ +-- +Collect request/response SRT (Service Response Time) data for MEGACO. +(This is similar to *-z smb,srt*). Data collected is the number of calls +for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT. + +Example: *-z megaco,srt* + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "megaco,srt,ip.addr==1.2.3.4"* will collect stats only for +MEGACO packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* mgcp,srt[__,filter__]:: ++ +-- +Collect request/response SRT (Service Response Time) data for MGCP. +(This is similar to *-z smb,srt*). Data collected is the number of calls +for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT. + +Example: *-z mgcp,srt* + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "mgcp,srt,ip.addr==1.2.3.4"* will collect stats only for +MGCP packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* mtp3,msus[,<filter>]:: +Show MTP3 MSU statistics. + +*-z* multicast,stat[,<filter>]:: +Show UDP multicast stream statistics. + +*-z* rpc,programs:: ++ +-- +Collect call/reply SRT data for all known ONC-RPC programs/versions. +Data collected is the number of calls for each protocol/version, MinSRT, +MaxSRT and AvgSRT. +-- + +*-z* rpc,srt,__name-or-number__,__version__[,<filter>]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for program +__name__/__version__ or __number__/__version__. +Data collected is the number of calls for each procedure, MinSRT, MaxSRT and +AvgSRT. +Program __name__ is case-insensitive. + +Example: *-z rpc,srt,100003,3* will collect data for NFS v3. + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: [.nowrap]#*-z rpc,srt,nfs,3,nfs.fh.hash==0x12345678*# will collect NFS v3 +SRT statistics for a specific file. +-- + +*-z* scsi,srt,__cmdset__[,<filter>]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>. + +Commandsets are 0:SBC 1:SSC 5:MMC + +Data collected +is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT. + +Example: *-z scsi,srt,0* will collect data for SCSI BLOCK COMMANDS (SBC). + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z scsi,srt,0,ip.addr==1.2.3.4* will collect SCSI SBC +SRT statistics for a specific iscsi/ifcp/fcip host. +-- + +*-z* sip,stat[__,filter__]:: ++ +-- +This option will activate a counter for SIP messages. You will get the number +of occurrences of each SIP Method and of each SIP Status-Code. Additionally you +also get the number of resent SIP Messages (only for SIP over UDP). + +Example: *-z sip,stat* + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "sip,stat,ip.addr==1.2.3.4"* will collect stats only for +SIP packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* smb,srt[,__filter__]:: ++ +-- +Collect call/reply SRT (Service Response Time) data for SMB. Data collected +is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. + +Example: *-z smb,srt* + +The data will be presented as separate tables for all normal SMB commands, +all Transaction2 commands and all NT Transaction commands. +Only those commands that are seen in the capture will have their stats +displayed. +Only the first command in a xAndX command chain will be used in the +calculation. So for common SessionSetupAndX + TreeConnectAndX chains, +only the SessionSetupAndX call will be used in the statistics. +This is a flaw that might be fixed in the future. + +This option can be used multiple times on the command line. + +If the optional __filter__ is provided, the stats will only be calculated +on those calls that match that filter. + +Example: *-z "smb,srt,ip.addr==1.2.3.4"* will collect stats only for +SMB packets exchanged by the host at IP address 1.2.3.4 . +-- + +*-z* voip,calls:: ++ +-- +This option will show a window that shows VoIP calls found in the capture file. +This is the same window shown as when you go to the Statistics Menu and choose +VoIP Calls. + +Example: *-z voip,calls* +-- + +*-z* wlan,stat[,<filter>]:: +Show IEEE 802.11 network and station statistics. + +*-z* wsp,stat[,<filter>]:: +Show WSP packet counters. + +include::dissection-options.adoc[tags=**;!tshark] + +include::diagnostic-options.adoc[] + +== INTERFACE + +The link:{wireshark-users-guide-url}[Wireshark User's Guide] contains a description of the user interface. It also may be installed locally along with Wireshark. Pressing the F1 key will attempt to open the guide locally if present, falling back to the online guide if not. + +== CAPTURE FILTER SYNTAX + +See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), +or, if that doesn't exist, {wireshark-wiki-url}CaptureFilters. + +== DISPLAY FILTER SYNTAX + +For a complete table of protocol and protocol fields that are filterable +in *Wireshark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. + +include::files.adoc[] + +== ENVIRONMENT VARIABLES + +// Should this be moved to an include file? + +WIRESHARK_CONFIG_DIR:: ++ +-- +This environment variable overrides the location of personal +configuration files. On UNIX-compatible systems, such as Linux, macOS, +\*BSD, Solaris, and AIX, it defaults to __$XDG_CONFIG_HOME/wireshark__ +(or, if that directory doesn't exist but __$HOME/.wireshark__ does +exist, __$HOME/.wireshark__); this is typically +__$HOME/.config/wireshark__. On Windows, it defaults to +__%APPDATA%\Wireshark__ (or, if %APPDATA% isn't defined, +__%USERPROFILE%\Application Data\Wireshark__). Available since +Wireshark 3.0. +-- + +WIRESHARK_DEBUG_WMEM_OVERRIDE:: +Setting this environment variable forces the wmem framework to use the +specified allocator backend for *all* allocations, regardless of which +backend is normally specified by the code. This is mainly useful to developers +when testing or debugging. See __README.wmem__ in the source distribution for +details. + +WIRESHARK_RUN_FROM_BUILD_DIRECTORY:: +This environment variable causes the plugins and other data files to be +loaded from the build directory (where the program was compiled) rather +than from the standard locations. It has no effect when the program in +question is running with root (or setuid) permissions on UNIX-compatible +systems, such as Linux, macOS, \*BSD, Solaris, and AIX. + +WIRESHARK_DATA_DIR:: +This environment variable causes the various data files to be loaded from +a directory other than the standard locations. It has no effect when the +program in question is running with root (or setuid) permissions on +UNIX-compatible systems. + +WIRESHARK_EXTCAP_DIR:: +This environment variable causes the various extcap programs and scripts +to be run from a directory other than the standard locations. It has no +effect when the program in question is running with root (or setuid) +permissions on UNIX-compatible systems. + +WIRESHARK_PLUGIN_DIR:: +This environment variable causes the various plugins to be loaded from +a directory other than the standard locations. It has no effect when the +program in question is running with root (or setuid) permissions on +UNIX-compatible systems. + +ERF_RECORDS_TO_CHECK:: +This environment variable controls the number of ERF records checked when +deciding if a file really is in the ERF format. Setting this environment +variable a number higher than the default (20) would make false positives +less likely. + +IPFIX_RECORDS_TO_CHECK:: +This environment variable controls the number of IPFIX records checked when +deciding if a file really is in the IPFIX format. Setting this environment +variable a number higher than the default (20) would make false positives +less likely. + +WIRESHARK_ABORT_ON_DISSECTOR_BUG:: +If this environment variable is set, *Wireshark* will call abort(3) +when a dissector bug is encountered. abort(3) will cause the program to +exit abnormally; if you are running *Wireshark* in a debugger, it +should halt in the debugger and allow inspection of the process, and, if +you are not running it in a debugger, it will, on some OSes, assuming +your environment is configured correctly, generate a core dump file. +This can be useful to developers attempting to troubleshoot a problem +with a protocol dissector. + +WIRESHARK_ABORT_ON_TOO_MANY_ITEMS:: +If this environment variable is set, *Wireshark* will call abort(3) +if a dissector tries to add too many items to a tree (generally this +is an indication of the dissector not breaking out of a loop soon enough). +abort(3) will cause the program to exit abnormally; if you are running +*Wireshark* in a debugger, it should halt in the debugger and allow +inspection of the process, and, if you are not running it in a debugger, +it will, on some OSes, assuming your environment is configured correctly, +generate a core dump file. This can be useful to developers attempting to +troubleshoot a problem with a protocol dissector. + +WIRESHARK_QUIT_AFTER_CAPTURE:: +Cause *Wireshark* to exit after the end of the capture session. This +doesn't automatically start a capture; you must still use *-k* to do +that. You must also specify an autostop condition, e.g. *-c* or *-a +duration:...*. This means that you will not be able to see the results +of the capture after it stops; it's primarily useful for testing. + +WIRESHARK_LOG_LEVEL:: +This environment variable controls the verbosity of diagnostic messages to +the console. From less verbose to most verbose levels can be `critical`, +`warning`, `message`, `info`, `debug` or `noisy`. Levels above the +current level are also active. Levels `critical` and `error` are always +active. + +WIRESHARK_LOG_FATAL:: +Sets the fatal log level. Fatal log levels cause the program to abort. +This level can be set to `Error`, `critical` or `warning`. `Error` is +always fatal and is the default. + +WIRESHARK_LOG_DOMAINS:: +This environment variable selects which log domains are active. The filter is +given as a case-insensitive comma separated list. If set only the included +domains will be enabled. The default domain is always considered to be enabled. +Domain filter lists can be preceded by '!' to invert the sense of the match. + +WIRESHARK_LOG_DEBUG:: +List of domains with `debug` log level. This sets the level of the provided +log domains and takes precedence over the active domains filter. If preceded +by '!' this disables the `debug` level instead. + +WIRESHARK_LOG_NOISY:: +Same as above but for `noisy` log level instead. + +== AUTHORS + +Wireshark would not be the powerful, featureful application it is without the generous contributions of hundreds of developers. + +A complete list of authors can be found in the AUTHORS file in Wireshark's source code repository and at https://www.wireshark.org/about.html#authors. + +== SEE ALSO + +xref:wireshark-filter.html[wireshark-filter](4), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:dumpcap.html[dumpcap](1), xref:mergecap.html[mergecap](1), +xref:text2pcap.html[text2pcap](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8) + +== NOTES + +This is the manual page for *Wireshark* {wireshark-version}. +The latest version of *Wireshark* can be found at +{wireshark-main-url}. + +HTML versions of the Wireshark project man pages are available at +{wireshark-man-page-url}. + +The Wireshark's User Guide is available at +{wireshark-users-guide-url}. diff --git a/doc/packet-PROTOABBREV.c b/doc/packet-PROTOABBREV.c index 6a2ce716..ee06f727 100644 --- a/doc/packet-PROTOABBREV.c +++ b/doc/packet-PROTOABBREV.c @@ -53,15 +53,15 @@ void proto_reg_handoff_PROTOABBREV(void); void proto_register_PROTOABBREV(void); /* Initialize the protocol and registered fields */ -static int proto_PROTOABBREV = -1; -static int hf_FIELDABBREV = -1; -static expert_field ei_PROTOABBREV_EXPERTABBREV = EI_INIT; +static int proto_PROTOABBREV; +static int hf_FIELDABBREV; +static expert_field ei_PROTOABBREV_EXPERTABBREV; static dissector_handle_t PROTOABBREV_handle; static dissector_handle_t PROTOABBREV_tls_handle; /* Global sample preference ("controls" display of numbers) */ -static bool pref_hex = false; +static bool pref_hex; /* Global sample port preference - real port preferences should generally * default to "" (for a range) or 0 (for a single uint) unless there is an * IANA-registered (or equivalent) port for your protocol. */ @@ -72,7 +72,7 @@ static unsigned tls_port_pref = PROTOABBREV_TLS_PORT; static range_t *tcp_port_range = PROTOABBREV_TCP_PORTS; /* Initialize the subtree pointers */ -static int ett_PROTOABBREV = -1; +static int ett_PROTOABBREV; /* A sample #define of the minimum length (in bytes) of the protocol data. * If data is received with fewer than this many bytes it is rejected by diff --git a/doc/plugins.example/hello.c b/doc/plugins.example/hello.c index 7a252c80..5a9ccd81 100644 --- a/doc/plugins.example/hello.c +++ b/doc/plugins.example/hello.c @@ -9,6 +9,7 @@ #define WS_BUILD_DLL #include <wireshark.h> +#include <wsutil/plugins.h> #include <epan/packet.h> #include <epan/proto.h> @@ -21,9 +22,9 @@ WS_DLL_PUBLIC_DEF const int plugin_want_major = WIRESHARK_VERSION_MAJOR; WS_DLL_PUBLIC_DEF const int plugin_want_minor = WIRESHARK_VERSION_MINOR; WS_DLL_PUBLIC void plugin_register(void); +WS_DLL_PUBLIC uint32_t plugin_describe(void); - -static int proto_hello = -1; +static int proto_hello; static dissector_handle_t handle_hello; static int @@ -56,3 +57,9 @@ plugin_register(void) plug.register_handoff = proto_reg_handoff_hello; /* or NULL */ proto_register_plugin(&plug); } + +uint32_t +plugin_describe(void) +{ + return WS_PLUGIN_DESC_DISSECTOR; +} diff --git a/doc/release-notes.adoc b/doc/release-notes.adoc index 1a169499..0a8c2e47 100644 --- a/doc/release-notes.adoc +++ b/doc/release-notes.adoc @@ -1,12 +1,14 @@ -include::../docbook/attributes.adoc[] +include::attributes.adoc[] :stylesheet: ws.css :linkcss: -:copycss: {stylesheet} +:copycss: {css_dir}/{stylesheet} = Wireshark {wireshark-version} Release Notes // Asciidoctor Syntax Quick Reference: // https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/ +This is the first release of the 4.4 branch. + == What is Wireshark? Wireshark is the world’s most popular network protocol analyzer. @@ -18,111 +20,483 @@ If you or your organization would like to contribute or become a sponsor, please == What’s New -=== Bug Fixes +// Add a summary of **major** changes here. +// Add other changes to "New and Updated Features" below. + +Many improvements and fixes to the graphing dialogs, including +I/O Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs. + +Wireshark now supports automatic profile switching. +You can associate a display filter with a configuration profile, and when you open a capture file that matches the filter, Wireshark will automatically switch to that profile. + +Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1 and 5.2 has been removed. +The Windows and macOS installers now ship with Lua 5.4.6. + +Improved display filter support for value strings (optional string representations for numeric fields). + +Display filter functions can be implemented as plugins, similar to protocol dissectors and file parsers. + +Display filters can be translated to pcap filters using menu:Edit[Copy,Display filter as pcap filter] if each display filter field has a corresponding pcap filter equivalent. -If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to https://www.wireshark.org/download.html[download and install] Wireshark {wireshark-version} or later by hand. +Custom columns can be defined using any valid field expression, such as +display filter functions, packet slices, arithmetic calculations, logical tests, +raw byte addressing, and protocol layer modifiers. -A regression in the TCP Stream Graph "Time Sequence (tcptrace)" receive window line behavior introduced in 4.2.5 and 4.0.15 has been fixed. wsbuglink:19846[] +Custom output fields for `tshark -e` can also be defined using any +valid field expression. -The following vulnerability has been fixed: +Wireshark can be built with the zlib-ng instead of zlib for compressed file support. +Zlib-ng is substantially faster than zlib. +The official Windows and macOS packages include this feature. -* wssalink:2024-10[] -SPRT dissector crash. -wsbuglink:19559[]. -// cveidlink:2024-xxx[]. -// Fixed in master: 8e5f8de883 -// Fixed in release-4.2: cef77b8fed -// Fixed in release-4.0: cc67f836c0 -// CVSS AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H -// CWE-824 -// * SPRT parser crash. wsbuglink:19559[]. +Many other improvements have been made. +See the “New and Updated Features” section below for more details. -The following bugs have been fixed: +//=== Bug Fixes +//The following bugs have been fixed: //* wsbuglink:5000[] //* wsbuglink:6000[Wireshark bug] //* cveidlink:2014-2486[] -//* Wireshark grabs your ID at 3 am, goes to Waffle House, and insults people. - -* RADIUS dissector's dictionary loading broken in many ways. wsbuglink:6466[]. -* 3.4 -> 3.6.5 ASCII display is broken on CentOS 7. wsbuglink:18096[]. -* Funnel/Lua: Closing child window disconnects buttons of parent. wsbuglink:18386[]. -* Lua detection fails with Alpine Linux: missing: LUA_LIBRARIES. wsbuglink:19841[]. -* vnd.3gpp.5gnas payloads of type SMS not decoded inside HTTP2 5GC. wsbuglink:19845[]. -* TCP Stream Graphs green sliding window line not displayed correctly. wsbuglink:19846[]. -* Wireshark window doesn't fully fit on screen on small resolutions and can't be resized properly on Russian language. wsbuglink:19861[]. -* Wireshark started from command line doesn't set gui.fileopen_remembered_dir correctly on Windows. wsbuglink:19891[]. -* Wireshark expects wrong length for DHCP Relay Agent Information Source Port Suboption. wsbuglink:19909[]. -* SIP P-Access-Network-Info header not correctly decoded. wsbuglink:19917[]. +//* Wireshark took a bite out of each of your freshly baked muffins until it found the perfect one. === New and Updated Features -There are no new or updated features in this release. +The following features are either new or have been significantly updated since version 4.2.0: -// === Removed Features and Support +* The Windows installers now ship with Npcap 1.79. + They previously shipped with Npcap 1.78. -// === Removed Dissectors +//* The Windows installers now ship with Qt 6.5.2. +// They previously shipped with Qt 6.2.3. +* Improvements to the "I/O Graphs" dialog: -=== New Protocol Support + ** A number of crasher bugs have been fixed. -There are no new protocols in this release. + ** The protocol tree context menu can open a I/O graph of the currently + selected field. wsbuglink:11362[] -=== Updated Protocol Support + ** Smaller intervals can be used, down to 1 microsecond. wsbuglink:13682[] + + ** A larger number of I/O Graph item buckets can be used, up to 2^25^ (33 million) + items. wsbuglink:8460[] + + ** The size of individual graph items has been reduced, which reduces memory utilization. + + ** When the Y field or Y axis changes, the graph displays the new graph + correctly, retapping if necessary, instead of displaying information + based on stale data. + + ** The graph is smarter about choosing whether to retap (expensive), + recalculate (moderately intensive), or replot (cheap) in order to + display the newly chosen options correctly with the least amount of + calculations. For instance, a graph that has previously been + plotted and is disabled and then reenabled without any other changes + will not require a new retap. wsbuglink:15822[] + + ** LOAD graphs are graphed properly again. wsbuglink:18450[] + + ** Y axes have human readable units with SI prefixes. + wsbuglink:12827[] + + ** Bar widths are scaled to the size of the interval. + + ** Bar border colors are a slightly darker color than that + of the graph itself, instead of always black. wsbuglink:17422[] + + ** Time values have the correct width when axes are automatically reset. + + ** The precision of the interval time shown in the hint message depends + on the interval. + + ** The tracer follows the currently selected row on the table of graphs, + and does not appear on an invisible graph. + + ** The tracer moves to the frame selected in the main window. + wsbuglink:12909[] + + ** Pending graph changes are saved when changing profiles when the + I/O Graphs dialog is open. + + ** I/O Graph dialog windows for closed capture files are no longer affected + by changing the list of graphs (either in that dialogs or in other dialogs + for the currently open file.) + + ** Newly created temporary graphs, which will not be saved + unless the configuration has changed, are more clearly marked with + italics. + + ** When "Time of Day" is selected for a graph, the absolute time will be + saved to CSV exports instead of the relative time. wsbuglink:13717[] + + ** Graphs can be reordered by dragging and dropping their list entries. wsbuglink:13855[] + + ** The graph layer order and legend order always matches the + order in the graph list. Legends also appear properly. wsbuglink:13854[] + + ** The legend can be moved to other corners of the graph by right-clicking + on it and selecting its new location from a menu. + + ** For purposes of displaying zero values, graphs with both lines and data point symbols are treated as line graphs, not scatter plots. + + ** Logarithmic ticks are used when the Y axis is logarithmic. + + ** The graph crosshairs context menu option works. + + ** You can resize the graph list columns to their contents by right clicking on the list header. + wsbuglink:18102[] + + ** The graph is more responsive to mouse movement, especially on Linux Wayland. + +* Improvements to the Sequence Diagram (Flow Graphs and VoIP Calls): + + ** When exporting the graph as an image, the entire graph is shown + with up to 1000 items instead of only what was visible on-screen. + This value can be increased in the preferences. wsbuglink:13504[] + + ** Endpoints that share the same address now have two distinct nodes + with a line between them. wsbuglink:12038[] + + ** The "Comment" column can be resized by selecting the axis between the + "Comment" column and the graph and dragging, and auto-resized by + double-clicking the column. wsbuglink:4972[] + + ** Tooltips are shown for elided comments. + + ** The scroll direction via keyboard is no longer reversed. wsbuglink:12932[] + + ** The column widths are fixed instead of resizing slightly depending + on the visible entries. wsbuglink:12931[] + + ** The Y axis labels stay in the correct position without having to + click the btn:[Reset] button. + + ** The progress bar appears correctly in the Flow Graph (non VoIP Calls). + + ** The behavior of the "Any" and "Network" combobox is corrected. + wsbuglink:19818[] + + ** "Limit to Display Filter" is checked if a display filter is applied + when the Flow Graph is opened, per the documentation. + +* TCP Stream Graphs: + + ** A better decision is made about which side is the server and thus + the initially chosen direction in the graph. + + ** The "Window Scaling" graph axis labels are corrected and show both graphs. + + ** The graph crosshairs context menu option works. + + ** Switching between relative and absolute sequence numbers works again. + +* The "Follow Stream" dialog can now show delta times between turns and all packets and events. -// Add one protocol per line between the -- delimiters. -// ag -A1 '(define PSNAME|proto_register_protocol[^_])' $(git diff --name-only v4.2.5.. | ag packet- | sort -u) +* A number of graphs using the QCustomPlot widget ("I/O Graphs", "Flow Graph", + "TCP Stream Graphs", and "RTP Player") are more responsive to mouse + movement, especially on Linux when Wayland is used. + +* The "Find Packet" dialog can search backwards and find additional occurrences + of a string, hex value, or regular expression in a single frame. + +* When using "Go To Packet" with an undisplayed frame, the window goes to + nearest displayed frame by number. wsbuglink:2988[] + +* Display filter syntax enhancements: + + ** Better handling of comparisons with value strings. Now the display filter engine can + correctly handle cases where multiple different numeric values map to the same value + string, including but not limited to range-type value strings. + + ** Fields with value strings now support regular expression matching. + + ** Date and time values now support arithmetic, with some restrictions: + the multiplier/divisor must be an integer or floating point number and appear on the right-hand + side of the operator. + + ** The keyword "bitand" can be used as an alternative syntax for the bitwise-and operator. + + ** Functions alone can now be used as an entire logical expression. + The result of the expression is the truthiness of the function return + value (or of all values if more than one). This is useful for example to write + "len(something)" instead of "len(something) != 0". Even more so if a function + returns itself a boolean value, it is now possible to write + "bool_test(some.field)" instead of having to write "bool_test(some.field) == True". + Both forms are now valid. + + ** Display filter references can be written without curly braces. It + is now possible to write `$frame.number` instead of `${frame.number}` for example. + + ** There are new display filter functions which test various IP address properties. + Check the + https://www.wireshark.org/docs/man-pages/wireshark-filter.html[wireshark-filter](5) + man page for more information. + + ** There are new display filter functions which convert unsigned integer types to + decimal or hexadecimal, and convert fields with value strings into the + associated string for their value, which can be used to produce results similar to + custom columns. Check the + https://www.wireshark.org/docs/man-pages/wireshark-filter.html[wireshark-filter](5) + man page for more information. + + ** Display filter macros can be written with a semicolon after the macro + name before the argument list, e.g. `${mymacro;arg1;...;argN}`, instead + of `${mymacro:arg1;...;argN}`. The version with semicolons works better + with pop-up suggestions when editing the display filter, so the version + with the colon might be removed in the future. + + ** Display filter macros can be written using a function-like notation. + The macro `${mymacro:arg1;...;argN}` can be written + `$mymacro(arg1,...,argN)`. + + ** AX.25 addresses are now filtered using the "CALLSIGN-SSID" string syntax. + Filtering based on the raw bytes values is still possible, like other + field types, with the `@` operator. wsbuglink:17973[] + +* Display filter functions can be implemented as libwireshark plugins. Plugins are loaded + during startup from the usual binary plugin configuration directories. See the + `ipaddr.c` source file in the distribution for an example of a display filter C plugin + and the doc/plugins.example folder for generic instructions how to build a plugin. + +* Display filter autocompletions now also include display filter functions. + +* The display filter macro configuration file has changed format. It now uses + the same format as the "dfilters" file and has been renamed accordingly to + "dmacros". Internally it no longer uses the UAT API and the display filter macro + GUI dialog has been updated. There is some basic migration logic implemented + but it is advisable to check that the "dfilter_macros" (old) and + "dmacros" (new) files in the profile directory are consistent. + +* Custom columns can be defined using any valid field expression: + + ** Display filter functions, like `len(tcp.payload)`, including nested functions + like `min(len(tcp.payload), len(udp.payload))` and newly defined functions + using the plugin system mentioned above. wsbuglink:15990[] wsbuglink:16181[] + + ** Arithmetic calculations, like `ip.len * 8` or `tcp.srcport + tcp.dstport`. + wsbuglink:7752[] + + ** Slices, like `tcp.payload[4:4]`. wsbuglink:10154[] + + ** The layer operator, like `ip.proto#1`, which will return the protocol field in the + first IPv4 layer if there is tunneling. wsbuglink:18588[] + + ** Raw byte addressing, like `@ip`, which will return the bytes of protocol + or FT_NONE fields, among others. wsbuglink:19076[] + + ** Logical tests, like `tcp.port == 443`, which produce a check mark if + the test matches (similar to protocol and FT_NONE fields without `@`.) + This works with all logical operators, including e.g. regular expression + matching (`matches` or `~`.) + + ** Defined display filter macros. + + ** Any combination of the above also works. + + ** Multifield columns are still available. For backwards compatibility, + `X or Y` is interpreted as a multifield column as before. To represent a + logical test for the presence of multiple fields instead of concatenating + values, use parenthesis, e.g. `(tcp.options.timestamp or tcp.options.nop)`. + + ** Field references are not implemented because there's no sense of a + currently selected frame. "Resolved" column values (such as host name + resolution or value string lookup) are not supported for any of the new + expressions yet. + +* Custom output fields for `tshark -e <field>` can also be defined using any + valid field expression as above. + + ** For custom output fields, `X or Y` is the usual logical test; to output + multiple fields use multiple `-e` terms as before. + + ** The various `-E` options, including `-E occurrence`, all work as expected. + +* When selecting "Manage Interfaces" from "Capture Options", Wireshark only + attempts to reconnect to rpcap hosts that were active in the + last session, instead of every remote host that the current profile has ever + connected to. wsbuglink:17484[] + +* The "Resolved Addresses" dialog only shows what addresses and ports are + present in the file (not including information from static files), and + selected rows or the entire table can be saved or copied to the clipboard + in several formats. wsbuglink:16419[] + +* Dumpcap and Wireshark support the `-F` option when capturing a file + on the command line. wsbuglink:18009[] + +* When capturing on the command line dumpcap accepts a `-Q` option that is + quieter than `-q` and prints only errors to standard error, similar to tshark. + wsbuglink:14491[] + +* When capturing a file and requesting the `pcap` format, nanosecond resolution + time stamps will be written if the device and version of libpcap supports it. + +* When capturing using a file size autostop or ring buffer condition, + the maximum value is now 2 TB, up from 2GiB. Note that you may + have problems when the number of packets gets larger than 2^31^ or 2^32^, + though that is also true when no limit is set. + +* When capturing files in multiple file mode, a pattern that places the date and time + before the index number can be used (e.g., foo_20240714110102_00001.pcap instead of + foo_00001_20240714110102.pcap). This makes file names sortable in chronological order + across file sets from different captures. The "File Set" dialog has been updated to + handle the new pattern, which has been capable of being produced by tshark since + version 3.6.0. + +* Adding interfaces at startup is about twice as fast, and has many fewer + UAC pop-ups when Npcap is installed with access restricted to Administrators + on Windows. + +* The Lua version included with the Windows and macOS installers has been updated to 5.4. + While we have tried to help with backward compatibility by including lua_bitop library with + Lua 5.3 and 5.4 in addition to the native Lua support for bit operations + present in those versions, different versions of Lua are not guaranteed to + be compatible. If a Lua dissector has issues, check the manuals for + https://www.lua.org/manual/5.4/manual.html#8[Lua 5.4], + https://www.lua.org/manual/5.3/manual.html#8[Lua 5.3], and + https://www.lua.org/manual/5.2/manual.html#8[Lua 5.2] for + incompatibilities and suggested workarounds. Note that features marked as + deprecated in one version are removed in the subsequent version without + additional notice, so it can be worth checking the manual for previous versions. + +* Lua scripts in the plugins directories are now initially loaded via the same + internal Lua methods as `require()`. This avoids errors from loading plugins + twice, once by scanning the directory initially, and once by `require()`, + and also results in globals defined in plugins entering the global namespace. + Previously globals defined in plugins only entered the global namespace when + placed in the global plugins directory, but not the personal plugins directory. + Using globals in plugins remains deprecated style (both by Wireshark and in Lua + generally), that should be avoided via using other methods. wsbuglink:18589[] + +* Lua functions have been added to decompress and decode TvbRanges with other + compression types besides zlib, such as Brotli, Snappy, Zstd, and others, + matching the support in the C API. tvbrange:uncompress() has been deprecated + in favor of tvbrange:uncompress_zlib(). + +* Lua Dumper now defaults to the pcapng file type, and to per-packet + encapsulation (creating interfaces on demand as necessary) when writing + pcapng wsbuglink:16403[] + +* Editcap has an `--extract-secrets` option to extract embedded decryption + secrets from a capture file. wsbuglink:18197[] + +* Global profiles can be used in tshark by using `--global-profile` option. + +* Capture files can be saved with LZ4 compression. LZ4 has an emphasis on + speed and may be particularly useful for large files. + +* Fast random access is supported with LZ4 compressed files when compressed + with independent blocks, which is the default. This provides much more + responsive GUI performance when jumping to different packets. Fast random + access has been supported with gzip compressed files since version 1.8.0, + but this is not supported for Zstd compressed files. + +* Mergecap, Editcap, TShark and Text2pcap have an `--compress` option to + compress output to different formats. For now, it supports the gzip + and LZ4 compression formats. When the option is not given, the desired + compression format can also be deduced from the output filename + extension, e.g. gzip for .gz. + +* Wireshark's Git repostory tags are now signed using SSH. + See + https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcGitRepository.html#ChSrcWebInterface[the Developer's Guide] + for more details. + +=== Removed Features and Support + +* The tshark `-G` option with no argument is deprecated and will be removed in + a future version. Use `tshark -G fields` to produce the same report. + +=== Removed Dissectors + +The Parlay dissector has been removed. + +//=== New File Format Decoding Support + +//[commaize] +//-- +//-- + +=== New Protocol Support + +// Add one protocol per line between the -- delimiters in the format +// “Full protocol name (Abbreviation)” +// ag -A1 '(define PSNAME|proto_register_protocol[^_])' $(git diff --name-only v4.4.0.. | ag packet- | sort -u) [commaize] -- -DHCP -E.212 -MySQL -NAS-5GS -ProtoBuf -RADIUS -RLC-LTE -PKT CCC -RTP -SIP -SPRT -Thrift -Wi-SUN +Allied Telesis Resiliency Link (AT RL) +ATN Security Label +Bit Index Explicit Replication (BIER) +Bus Mirroring Protocol +EGNOS Message Server (EMS) file format +Galileo E1-B I/NAV navigation messages +IBM i RDMA Endpoint (iRDMA-EDP) +IWBEMSERVICES +MAC NR Framed (mac-nr-framed) +Matter Bluetooth Transport Protocol (MatterBTP) +MiWi P2P Star +Monero +NMEA 0183 +PLDM +RDP authentication redirection virtual channel protocol (rdpear) +RF4CE Network Layer (RF4CE) +RF4CE Profile (RF4CE Profile) +RK512 +SAP Remote Function Call (SAPRFC) +SBAS L1 Navigation Message +Scanner Access Now Easy (SANE) +TREL +WMIO +ZeroMQ Message Transport Protocol (ZMTP) -- -=== New and Updated Capture File Support +=== Updated Protocol Support + +IPv6: The "show address detail" preference is now enabled by default. The +address details provided have been extended to include more special purpose address +block properties (forwardable, globally-routable, etc). + +Too many other protocol updates have been made to list them all here. + +//=== New and Updated Capture File Support // There is no new or updated capture file support in this release. // Add one file type per line between the -- delimiters. [commaize] -- -log3gpp +EGNOS Messager Server (EMS) files +-- + +// === New and Updated Capture Interfaces support +[commaize] +-- +u-blox GNSS receivers -- -=== Updated File Format Decoding Support +//=== New and Updated Codec support -There is no updated file format support in this release. -// Add one file type per line between the -- delimiters. -// [commaize] -// -- -// -- +//_Non-empty section placeholder._ -// === New and Updated Capture Interfaces support +=== Major API Changes + +* The entire code base has been updated to use C99 types instead of GLib types. +This includes changing occurrences `gboolean`, which is an integer, to C99's native `bool` type in many places. +See https://gitlab.com/wireshark/wireshark/-/issues/19116[issue 19116] for more details. -// === New and Updated Codec support +* The `tvb_get_guintX` and `tvb_get_gintX` functions in the tvbuff API have been renamed to `tvb_get_uintX` and `tvb_get_intX` (the GLib-style "g" has been removed). +You can still use the old-style names, but they have been deprecated. -// === Major API Changes +* Plugins should provide a `plugin_describe()` function that returns an ORed + list of flags consisting of the plugin types used. + See _wsutil/plugins.h_ for details. -== Prior Versions +// == Prior Versions -This document only describes the changes introduced in Wireshark {wireshark-version}. -You can find release notes for prior versions at the following locations: +// This document only describes the changes introduced in Wireshark {wireshark-version}. +// You can find release notes for prior versions at the following locations: -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.5.html[Wireshark 4.2.5] -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.4.html[Wireshark 4.2.4] -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.3.html[Wireshark 4.2.3] -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.2.html[Wireshark 4.2.2] -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.1.html[Wireshark 4.2.1] -* https://www.wireshark.org/docs/relnotes/wireshark-4.2.0.html[Wireshark 4.2.0] +// * https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html[Wireshark 4.4.0] == Getting Wireshark @@ -151,8 +525,7 @@ https://www.wireshark.org/docs/ Community support is available on https://ask.wireshark.org/[Wireshark’s Q&A site] and on the wireshark-users mailing list. -Subscription information and archives for all of Wireshark’s mailing lists can be found on -https://www.wireshark.org/lists/[the web site]. +Subscription information and archives for all of Wireshark’s mailing lists can be found on https://lists.wireshark.org/lists/[the mailing list site]. Bugs and feature requests can be reported on https://gitlab.com/wireshark/wireshark/-/issues[the issue tracker]. diff --git a/doc/wireshark.adoc b/doc/wireshark.adoc deleted file mode 100644 index 24434827..00000000 --- a/doc/wireshark.adoc +++ /dev/null @@ -1,2735 +0,0 @@ -include::../docbook/attributes.adoc[] -= wireshark(1) -:doctype: manpage -:stylesheet: ws.css -:linkcss: -:copycss: ../docbook/{stylesheet} - -== NAME - -wireshark - Interactively dump and analyze network traffic - -== SYNOPSIS - -[manarg] -*wireshark* -[ *-i* <capture interface>|- ] -[ *-f* <capture filter> ] -[ *-Y* <display filter> ] -[ *-w* <outfile> ] -[ *options* ] -[ <infile> ] - -[manarg] -*wireshark* -*-h|--help* - -[manarg] -*wireshark* -*-v|--version* - -== DESCRIPTION - -*Wireshark* is a GUI network protocol analyzer. It lets you -interactively browse packet data from a live network or from a -previously saved capture file. *Wireshark*'s native capture file -formats are *pcapng* format and *pcap* format; it can read and write -both formats.. *pcap* format is also the format used by *tcpdump* and -various other tools; *tcpdump*, when using newer versions of the -*libpcap* library, can also read some pcapng files, and, on newer -versions of macOS, can read all pcapng files and can write them as well. - -*Wireshark* can also read / import the following file formats: - -* Oracle (previously Sun) *snoop* and *atmsnoop* captures - -* Finisar (previously Shomiti) *Surveyor* captures - -* Microsoft *Network Monitor* captures - -* Novell *LANalyzer* captures - -* AIX's *iptrace* captures - -* Cinco Networks *NetXRay* captures - -* NETSCOUT (previously Network Associates/Network General) Windows-based -*Sniffer* captures - -* Network General/Network Associates DOS-based *Sniffer* captures -(compressed or uncompressed) - -* LiveAction (previously WildPackets/Savvius) **Peek*/*EtherHelp*/*PacketGrabber* captures - -* *RADCOM*'s WAN/LAN analyzer captures - -* Viavi (previously Network Instruments) *Observer* captures - -* *Lucent/Ascend* router debug output - -* captures from HP-UX *nettl* - -* *Toshiba's* ISDN routers dump output - -* the output from *i4btrace* from the ISDN4BSD project - -* traces from the *EyeSDN* USB S0 - -* the *IPLog* format output from the Cisco Secure Intrusion Detection System - -* *pppd logs* (pppdump format) - -* the output from VMS's *TCPIPtrace*/*TCPtrace*/*UCX$TRACE* utilities - -* the text output from the *DBS Etherwatch* VMS utility - -* Visual Networks' *Visual UpTime* traffic capture - -* the output from *CoSine* L2 debug - -* the output from InfoVista (previously Accellent) *5View* LAN agents - -* Endace Measurement Systems' ERF format captures - -* Linux Bluez Bluetooth stack *hcidump -w* traces - -* Catapult DCT2000 .out files - -* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode - -* IBM Series (OS/400) Comm traces (ASCII & UNICODE) - -* Juniper Netscreen snoop files - -* Symbian OS btsnoop files - -* TamoSoft CommView files - -* Tektronix K12xx 32bit .rf5 format files - -* Tektronix K12 text file format captures - -* Apple PacketLogger files - -* Captures from Aethra Telecommunications' PC108 software for their test -instruments - -* Citrix NetScaler Trace files - -* Android Logcat binary and text format logs - -* Colasoft Capsa and PacketBuilder captures - -* Micropross mplog files - -* Unigraf DPA-400 DisplayPort AUX channel monitor traces - -* 802.15.4 traces from Daintree's Sensor Network Analyzer - -* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 - -* Log files from the _candump_ utility - -* Logs from the BUSMASTER tool - -* Ixia IxVeriWave raw captures - -* Rabbit Labs CAM Inspector files - -* _systemd_ journal files - -* 3GPP TS 32.423 trace files - -There is no need to tell *Wireshark* what type of -file you are reading; it will determine the file type by itself. -*Wireshark* is also capable of reading any of these file formats if they -are compressed using gzip. *Wireshark* recognizes this directly from -the file; the '.gz' extension is not required for this purpose. - -Like other protocol analyzers, *Wireshark*'s main window shows 3 views -of a packet. It shows a summary line, briefly describing what the -packet is. A packet details display is shown, allowing you to drill -down to exact protocol or field that you interested in. Finally, a hex -dump shows you exactly what the packet looks like when it goes over the -wire. - -In addition, *Wireshark* has some features that make it unique. It can -assemble all the packets in a TCP conversation and show you the ASCII -(or EBCDIC, or hex) data in that conversation. Display filters in -*Wireshark* are very powerful; more fields are filterable in *Wireshark* -than in other protocol analyzers, and the syntax you can use to create -your filters is richer. As *Wireshark* progresses, expect more and more -protocol fields to be allowed in display filters. - -Packet capturing is performed with the pcap library. The capture filter -syntax follows the rules of the pcap library. This syntax is different -from the display filter syntax. - -Compressed file support uses (and therefore requires) the zlib library. -If the zlib library is not present, *Wireshark* will compile, but will -be unable to read compressed files. - -The pathname of a capture file to be read can be specified with the -*-r* option or can be specified as a command-line argument. - -== OPTIONS - -Most users will want to start *Wireshark* without options and configure -it from the menus instead. Those users may just skip this section. - --a|--autostop <capture autostop condition>:: -+ --- -Specify a criterion that specifies when *Wireshark* is to stop writing -to a capture file. The criterion is of the form __test:value__, -where __test__ is one of: - -*duration*:__value__ Stop writing to a capture file after __value__ seconds have -elapsed. Floating point values (e.g. 0.5) are allowed. - -*files*:__value__ Stop writing to capture files after __value__ number of files -were written. - -*filesize*:__value__ Stop writing to a capture file after it reaches a size of -__value__ kB. If this option is used together with the -b option, Wireshark -will stop writing to the current capture file and switch to the next one if -filesize is reached. Note that the filesize is limited to a maximum value of -2 GiB. - -*packets*:__value__ Stop writing to a capture file after it contains __value__ -packets. Acts the same as *-c*<capture packet count>. --- - --b|--ring-buffer <capture ring buffer option>:: -+ --- -Cause *Wireshark* to run in "multiple files" mode. In "multiple files" mode, -*Wireshark* will write to several capture files. When the first capture file -fills up, *Wireshark* will switch writing to the next file and so on. - -The created filenames are based on the filename given with the *-w* flag, -the number of the file and on the creation date and time, -e.g. outfile_00001_20240714120117.pcap, outfile_00002_20240714120523.pcap, ... - -With the __files__ option it's also possible to form a "ring buffer". -This will fill up new files until the number of files specified, -at which point *Wireshark* will discard the data in the first file and start -writing to that file and so on. If the __files__ option is not set, -new files filled up until one of the capture stop conditions match (or -until the disk is full). - -The criterion is of the form __key:value__, -where __key__ is one of: - -*duration*:__value__ switch to the next file after __value__ seconds have -elapsed, even if the current file is not completely filled up. Floating -point values (e.g. 0.5) are allowed. - -*files*:__value__ begin again with the first file after __value__ number of -files were written (form a ring buffer). This value must be less than 100000. -Caution should be used when using large numbers of files: some filesystems do -not handle many files in a single directory well. The *files* criterion -requires one of the other criteria to be specified to -control when to go to the next file. It should be noted that each *-b* -parameter takes exactly one criterion; to specify two criteria, each must be -preceded by the *-b* option. - -*filesize*:__value__ switch to the next file after it reaches a size of -__value__ kB. Note that the filesize is limited to a maximum value of 2 GiB. - -*interval*:__value__ switch to the next file when the time is an exact -multiple of __value__ seconds. - -*packets*:__value__ switch to the next file after it contains __value__ -packets. - -Example: *-b filesize:1000 -b files:5* results in a ring buffer of five files -of size one megabyte each. --- - --B|--buffer-size <capture buffer size>:: -+ --- -Set capture buffer size (in MiB, default is 2 MiB). This is used by -the capture driver to buffer packet data until that data can be written -to disk. If you encounter packet drops while capturing, try to increase -this size. Note that, while *Wireshark* attempts to set the buffer size -to 2 MiB by default, and can be told to set it to a larger value, the -system or interface on which you're capturing might silently limit the -capture buffer size to a lower value or raise it to a higher value. - -This is available on UNIX-compatible systems, such as Linux, macOS, -\*BSD, Solaris, and AIX, with libpcap 1.0.0 or later, and on Windows. -It is not available on UNIX-compatible systems with earlier versions of -libpcap. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default capture buffer size. -If used after an *-i* option, it sets the capture buffer size for -the interface specified by the last *-i* option occurring before -this option. If the capture buffer size is not set specifically, -the default capture buffer size is used instead. --- - --c <capture packet count>:: -+ --- -Set the maximum number of packets to read when capturing live -data. Acts the same as *-a packets:*<capture packet count>. --- - --C <configuration profile>:: -+ --- -Start with the given configuration profile. --- - ---capture-comment <comment>:: -+ --- -When performing a capture file from the command line, with the *-k* -flag, add a capture comment to the output file, if supported by the -capture format. - -This option may be specified multiple times. Note that Wireshark -currently only displays the first comment of a capture file. --- - --D|--list-interfaces:: -+ --- -Print a list of the interfaces on which *Wireshark* can capture, and -exit. For each network interface, a number and an interface name, -possibly followed by a text description of the interface, is printed. -The interface name or the number can be supplied to the *-i* flag to -specify an interface on which to capture. The number can be useful on -Windows systems, where the interfaces have long names that usually -contain a GUID. --- - ---display <X display to use>:: -+ --- -Specifies the X display to use. A hostname and screen (otherhost:0.0) -or just a screen (:0.0) can be specified. This option is not available -under macOS or Windows. --- - --f <capture filter>:: -+ --- -Set the capture filter expression. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default capture filter expression. -If used after an *-i* option, it sets the capture filter expression for -the interface specified by the last *-i* option occurring before -this option. If the capture filter expression is not set specifically, -the default capture filter expression is used if provided. - -Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters, -can be used by prefixing the argument with "predef:". -Example: *-f "predef:MyPredefinedHostOnlyFilter"* --- - ---fullscreen:: -+ --- -Start Wireshark in full screen mode (kiosk mode). To exit from fullscreen mode, -open the View menu and select the Full Screen option. Alternatively, press the -F11 key (or Ctrl + Cmd + F for macOS). --- - --g <packet number>:: -After reading in a capture file using the *-r* flag, go to the given __packet number__. - --h|--help:: -Print the version number and options and exit. - --H:: -Hide the capture info dialog during live packet capture. - --i|--interface <capture interface>|-:: -+ --- -Set the name of the network interface or pipe to use for live packet -capture. - -Network interface names should match one of the names listed in "*wireshark --D*" (described above); a number, as reported by "*tshark -D*", can also -be used. - -If no interface is specified, *Wireshark* searches the list of -interfaces, choosing the first non-loopback interface if there are any -non-loopback interfaces, and choosing the first loopback interface if -there are no non-loopback interfaces. If there are no interfaces at all, -*Wireshark* reports an error and doesn't start the capture. - -Pipe names should be either the name of a FIFO (named pipe) or "-" to -read data from the standard input. On Windows systems, pipe names must be -of the form +"\\.\pipe\+*pipename*". Data read from pipes must be in -standard pcapng or pcap format. Pcapng data must have the same -endianness as the capturing host. - -"TCP@<host>:<port>" causes *Wireshark* to attempt to connect to the -specified port on the specified host and read pcapng or pcap data. - -This option can occur multiple times. When capturing from multiple -interfaces, the capture file will be saved in pcapng format. --- - --I|--monitor-mode:: -+ --- -Put the interface in "monitor mode"; this is supported only on IEEE -802.11 Wi-Fi interfaces, and supported only on some operating systems. - -Note that in monitor mode the adapter might disassociate from the -network with which it's associated, so that you will not be able to use -any wireless networks with that adapter. This could prevent accessing -files on a network server, or resolving host names or network addresses, -if you are capturing in monitor mode and are not connected to another -network with another adapter. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it enables the monitor mode for all interfaces. -If used after an *-i* option, it enables the monitor mode for -the interface specified by the last *-i* option occurring before -this option. --- - --j:: -Use after *-J* to change the behavior when no exact match is found for -the filter. With this option select the first packet before. - --J <jump filter>:: -+ --- -After reading in a capture file using the *-r* flag, jump to the packet -matching the filter (display filter syntax). If no exact match is found -the first packet after that is selected. --- - --k:: -+ --- -Start the capture session immediately. If the *-i* flag was -specified, the capture uses the specified interface. Otherwise, -*Wireshark* searches the list of interfaces, choosing the first -non-loopback interface if there are any non-loopback interfaces, and -choosing the first loopback interface if there are no non-loopback -interfaces; if there are no interfaces, *Wireshark* reports an error and -doesn't start the capture. --- - --l:: -Turn on automatic scrolling if the packet display is being updated -automatically as packets arrive during a capture (as specified by the -*-S* flag). - --L|--list-data-link-types:: -List the data link types supported by the interface and exit. - ---list-time-stamp-types:: -List time stamp types supported for the interface. If no time stamp type can be -set, no time stamp types are listed. - --o <preference/recent setting>:: -+ --- -Set a preference or recent value, overriding the default value and any value -read from a preference/recent file. The argument to the flag is a string of -the form __prefname:value__, where __prefname__ is the name of the -preference/recent value (which is the same name that would appear in the -preference/recent file), and __value__ is the value to which it should be set. -Since *Ethereal* 0.10.12, the recent settings replaces the formerly used --B, -P and -T flags to manipulate the GUI dimensions. - -If __prefname__ is "uat", you can override settings in various user access -tables using the form "uat:__uat filename__:__uat record__". __uat filename__ -must be the name of a UAT file, e.g. __user_dlts__. __uat_record__ must be in -the form of a valid record for that file, including quotes. For instance, to -specify a user DLT from the command line, you would use - - -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\"" --- - --p|--no-promiscuous-mode:: -+ --- -__Don't__ put the interface into promiscuous mode. Note that the -interface might be in promiscuous mode for some other reason; hence, -*-p* cannot be used to ensure that the only traffic that is captured is -traffic sent to or from the machine on which *Wireshark* is running, -broadcast traffic, and multicast traffic to addresses received by that -machine. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, no interface will be put into the -promiscuous mode. -If used after an *-i* option, the interface specified by the last *-i* -option occurring before this option will not be put into the -promiscuous mode. --- - --P <path setting>:: -+ --- -Special path settings usually detected automatically. This is used for -special cases, e.g. starting Wireshark from a known location on an USB stick. - -The criterion is of the form __key:path__, where __key__ is one of: - -*persconf*:__path__ path of personal configuration files, like the -preferences files. - -*persdata*:__path__ path of personal data files, it's the folder initially -opened. After the very first initialization, the recent file will keep the -folder last used. --- - --r|--read-file <infile>:: -+ --- -Read packet data from __infile__, can be any supported capture file format -(including gzipped files). It's not possible to use named pipes or stdin -here! To capture from a pipe or from stdin use *-i -* --- - --R|--read-filter <read (display) filter>:: -+ --- -When reading a capture file specified with the *-r* flag, causes the -specified filter (which uses the syntax of display filters, rather than -that of capture filters) to be applied to all packets read from the -capture file; packets not matching the filter are discarded. --- - --s|--snapshot-length <capture snaplen>:: -+ --- -Set the default snapshot length to use when capturing live data. -No more than __snaplen__ bytes of each network packet will be read into -memory, or saved to disk. A value of 0 specifies a snapshot length of -262144, so that the full packet is captured; this is the default. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default snapshot length. -If used after an *-i* option, it sets the snapshot length for -the interface specified by the last *-i* option occurring before -this option. If the snapshot length is not set specifically, -the default snapshot length is used if provided. --- - --S:: -Automatically update the packet display as packets are coming in. - ---temp-dir <directory>:: -+ --- -Specifies the directory into which temporary files (including capture -files) are to be written. The default behavior on UNIX-compatible systems, -such as Linux, macOS, \*BSD, Solaris, and AIX, is to use the environment -variable __$TMPDIR__ if set, and the system default, typically __/tmp__, if it -is not. On Windows, the __%TEMP%__ environment variable is used, which -typically defaults to __%USERPROFILE%\AppData\Local\Temp__. --- - ---time-stamp-type <type>:: -Change the interface's timestamp method. See --list-time-stamp-types. - ---update-interval <interval>:: -Set the length of time in milliseconds between new packet reports during -a capture. Also sets the granularity of file duration conditions. -The default value is 100ms. - --v|--version:: -Print the full version information and exit. - --w <outfile>:: -Set the default capture file name, or '-' for standard output. - --X <eXtension options>:: -+ --- -Specify an option to be passed to an *Wireshark* module. The eXtension option -is in the form __extension_key:value__, where __extension_key__ can be: - -*lua_script*:__lua_script_filename__ tells *Wireshark* to load the given script in addition to the -default Lua scripts. - -**lua_script**__num__:__argument__ tells *Wireshark* to pass the given argument -to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command. -For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo' -will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua' -and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua -script, namely 'other.lua'. - -*read_format*:__file_format__ tells *Wireshark* to use the given file format to read in the -file (the file given in the *-r* command option). - -*stdin_descr*:__description__ tells *Wireshark* to use the given description when -capturing from standard input (*-i -*). --- - --y|--linktype <capture link type>:: -+ --- -If a capture is started from the command line with *-k*, set the data -link type to use while capturing packets. The values reported by *-L* -are the values that can be used. - -This option can occur multiple times. If used before the first -occurrence of the *-i* option, it sets the default capture link type. -If used after an *-i* option, it sets the capture link type for -the interface specified by the last *-i* option occurring before -this option. If the capture link type is not set specifically, -the default capture link type is used if provided. --- - --Y|--display-filter <displaY filter>:: -Start with the given display filter. - --z <statistics>:: -+ --- -Get *Wireshark* to collect various types of statistics and display the result -in a window that updates in semi-real time. - -Some of the currently implemented statistics are: --- - -*-z help*:: -Display all possible values for *-z*. - -*-z* afp,srt[,__filter__]:: -+ --- -Show Apple Filing Protocol service response time statistics. --- - -*-z* conv,__type__[,__filter__]:: -+ --- -Create a table that lists all conversations that could be seen in the -capture. __type__ specifies the conversation endpoint types for which we -want to generate the statistics; currently the supported ones are: - - "eth" Ethernet addresses - "fc" Fibre Channel addresses - "fddi" FDDI addresses - "ip" IPv4 addresses - "ipv6" IPv6 addresses - "ipx" IPX addresses - "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported - "tr" Token Ring addresses - "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported - -If the optional __filter__ is specified, only those packets that match the -filter will be used in the calculations. - -The table is presented with one line for each conversation and displays -the number of packets/bytes in each direction as well as the total -number of packets/bytes. By default, the table is sorted according to -the total number of packets. - -These tables can also be generated at runtime by selecting the appropriate -conversation type from the menu "Tools/Statistics/Conversation List/". --- - -*-z* dcerpc,srt,__name-or-uuid__,__major__.__minor__[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for DCERPC interface -__name__ or __uuid__, version __major__.__minor__. -Data collected is the number of calls for each procedure, MinSRT, MaxSRT -and AvgSRT. -Interface __name__ and __uuid__ are case-insensitive. - -Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0*# will collect data for the CIFS SAMR Interface. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: [.nowrap]#*-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4*# will collect SAMR -SRT statistics for a specific host. --- - -*-z* dhcp,stat[,__filter__]:: -Show DHCP (BOOTP) statistics. - -*-z* expert:: -Show expert information. - -*-z* fc,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for FC. Data collected -is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z fc,srt* -will calculate the Service Response Time as the time delta between the -First packet of the exchange and the Last packet of the exchange. - -The data will be presented as separate tables for all normal FC commands, -Only those commands that are seen in the capture will have its stats -displayed. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "fc,srt,fc.id==01.02.03"* will collect stats only for -FC packets exchanged by the host at FC address 01.02.03 . --- - -*-z* h225,counter[__,filter__]:: -+ --- -Count ITU-T H.225 messages and their reasons. In the first column you get a -list of H.225 messages and H.225 message reasons which occur in the current -capture file. The number of occurrences of each message or reason is displayed -in the second column. - -Example: *-z h225,counter* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "h225,counter,ip.addr==1.2.3.4"* will collect stats only for -H.225 packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* h225,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS. -Data collected is the number of calls of each ITU-T H.225 RAS Message Type, -Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet. -You will also get the number of Open Requests (Unresponded Requests), -Discarded Responses (Responses without matching request) and Duplicate Messages. - -Example: *-z h225,srt* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "h225,srt,ip.addr==1.2.3.4"* will collect stats only for -ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* io,stat:: -+ --- -Collect packet/bytes statistics for the capture in intervals of 1 second. -This option will open a window with up to 5 color-coded graphs where -number-of-packets-per-second or number-of-bytes-per-second statistics -can be calculated and displayed. - -This option can be used multiple times on the command line. - -This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat -menu item. --- - -*-z* ldap,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for LDAP. Data collected -is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z ldap,srt* -will calculate the Service Response Time as the time delta between the -Request and the Response. - -The data will be presented as separate tables for all implemented LDAP commands, -Only those commands that are seen in the capture will have its stats -displayed. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: use *-z "ldap,srt,ip.addr==10.1.1.1"* will collect stats only for -LDAP packets exchanged by the host at IP address 10.1.1.1 . - -The only LDAP commands that are currently implemented and for which the stats will be available are: -BIND -SEARCH -MODIFY -ADD -DELETE -MODRDN -COMPARE -EXTENDED --- - -*-z* megaco,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for MEGACO. -(This is similar to *-z smb,srt*). Data collected is the number of calls -for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT. - -Example: *-z megaco,srt* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "megaco,srt,ip.addr==1.2.3.4"* will collect stats only for -MEGACO packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* mgcp,srt[__,filter__]:: -+ --- -Collect request/response SRT (Service Response Time) data for MGCP. -(This is similar to *-z smb,srt*). Data collected is the number of calls -for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT. - -Example: *-z mgcp,srt* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "mgcp,srt,ip.addr==1.2.3.4"* will collect stats only for -MGCP packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* mtp3,msus[,<filter>]:: -Show MTP3 MSU statistics. - -*-z* multicast,stat[,<filter>]:: -Show UDP multicast stream statistics. - -*-z* rpc,programs:: -+ --- -Collect call/reply SRT data for all known ONC-RPC programs/versions. -Data collected is the number of calls for each protocol/version, MinSRT, -MaxSRT and AvgSRT. --- - -*-z* rpc,srt,__name-or-number__,__version__[,<filter>]:: -+ --- -Collect call/reply SRT (Service Response Time) data for program -__name__/__version__ or __number__/__version__. -Data collected is the number of calls for each procedure, MinSRT, MaxSRT and -AvgSRT. -Program __name__ is case-insensitive. - -Example: *-z rpc,srt,100003,3* will collect data for NFS v3. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: [.nowrap]#*-z rpc,srt,nfs,3,nfs.fh.hash==0x12345678*# will collect NFS v3 -SRT statistics for a specific file. --- - -*-z* scsi,srt,__cmdset__[,<filter>]:: -+ --- -Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>. - -Commandsets are 0:SBC 1:SSC 5:MMC - -Data collected -is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT. - -Example: *-z scsi,srt,0* will collect data for SCSI BLOCK COMMANDS (SBC). - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z scsi,srt,0,ip.addr==1.2.3.4* will collect SCSI SBC -SRT statistics for a specific iscsi/ifcp/fcip host. --- - -*-z* sip,stat[__,filter__]:: -+ --- -This option will activate a counter for SIP messages. You will get the number -of occurrences of each SIP Method and of each SIP Status-Code. Additionally you -also get the number of resent SIP Messages (only for SIP over UDP). - -Example: *-z sip,stat* - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "sip,stat,ip.addr==1.2.3.4"* will collect stats only for -SIP packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* smb,srt[,__filter__]:: -+ --- -Collect call/reply SRT (Service Response Time) data for SMB. Data collected -is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. - -Example: *-z smb,srt* - -The data will be presented as separate tables for all normal SMB commands, -all Transaction2 commands and all NT Transaction commands. -Only those commands that are seen in the capture will have their stats -displayed. -Only the first command in a xAndX command chain will be used in the -calculation. So for common SessionSetupAndX + TreeConnectAndX chains, -only the SessionSetupAndX call will be used in the statistics. -This is a flaw that might be fixed in the future. - -This option can be used multiple times on the command line. - -If the optional __filter__ is provided, the stats will only be calculated -on those calls that match that filter. - -Example: *-z "smb,srt,ip.addr==1.2.3.4"* will collect stats only for -SMB packets exchanged by the host at IP address 1.2.3.4 . --- - -*-z* voip,calls:: -+ --- -This option will show a window that shows VoIP calls found in the capture file. -This is the same window shown as when you go to the Statistics Menu and choose -VoIP Calls. - -Example: *-z voip,calls* --- - -*-z* wlan,stat[,<filter>]:: -Show IEEE 802.11 network and station statistics. - -*-z* wsp,stat[,<filter>]:: -Show WSP packet counters. - -include::dissection-options.adoc[tags=**;!tshark] - -include::diagnostic-options.adoc[] - -== INTERFACE - -=== MENU ITEMS - -menu:File[Open]:: - -menu:File[Open Recent]:: - -menu:File[Merge]:: -Merge another capture file to the currently loaded one. The __File:Merge__ -dialog box allows the merge "Prepended", "Chronologically" or "Appended", -relative to the already loaded one. - -menu:File[Close]:: -Open or close a capture file. The __File:Open__ dialog box -allows a filter to be specified; when the capture file is read, the -filter is applied to all packets read from the file, and packets not -matching the filter are discarded. The __File:Open Recent__ is a submenu -and will show a list of previously opened files. - -menu:File[Save]:: - -menu:File[Save As]:: -Save the current capture, or the packets currently displayed from that -capture, to a file. Check boxes let you select whether to save all -packets, or just those that have passed the current display filter and/or -those that are currently marked, and an option menu lets you select (from -a list of file formats in which at particular capture, or the packets -currently displayed from that capture, can be saved), a file format in -which to save it. - -menu:File[File Set,List Files]:: -Show a dialog box that lists all files of the file set matching the currently -loaded file. A file set is a compound of files resulting from a capture using -the "multiple files" / "ringbuffer" mode, recognizable by the filename pattern, -e.g.: Filename_00001_20240714101530.pcap. - -menu:File[File Set,Next File]:: - -menu:File[File Set,Previous File]:: -If the currently loaded file is part of a file set (see above), open the -next / previous file in that set. - -menu:File[Export]:: -Export captured data into an external format. Note: the data cannot be -imported back into Wireshark, so be sure to keep the capture file. - -menu:File[Print]:: -Print packet data from the current capture. You can select the range of -packets to be printed (which packets are printed), and the output format of -each packet (how each packet is printed). The output format will be similar -to the displayed values, so a summary line, the packet details view, and/or -the hex dump of the packet can be printed. - -menu:File[Quit]:: -Exit the application. - -menu:Edit[Copy,Description]:: -Copies the description of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,Fieldname]:: -Copies the fieldname of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,Value]:: -Copies the value of the selected field in the protocol tree to the clipboard. - -menu:Edit[Copy,As Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details and copy that filter to the clipboard. - -If that data is a field that can be tested in a display filter -expression, the display filter will test that field; otherwise, the -display filter will be based on the absolute offset within the packet. -Therefore it could be unreliable if the packet contains protocols with -variable-length headers, such as a source-routed token-ring packet. --- - -menu:Edit[Find Packet]:: -+ --- -Search forward or backward, starting with the currently selected packet -(or the most recently selected packet, if no packet is selected). Search -criteria can be a display filter expression, a string of hexadecimal -digits, or a text string. - -When searching for a text string, you can search the packet data, or you -can search the text in the Info column in the packet list pane or in the -packet details pane. - -Hexadecimal digits can be separated by colons, periods, or dashes. -Text string searches can be ASCII or Unicode (or both), and may be -case insensitive. --- - -menu:Edit[Find Next]:: - -menu:Edit[Find Previous]:: -Search forward / backward for a packet matching the filter from the previous -search, starting with the currently selected packet (or the most recently -selected packet, if no packet is selected). - -menu:Edit[Mark Packet (toggle)]:: -Mark (or unmark if currently marked) the selected packet. The field -"frame.marked" is set for packets that are marked, so that, for example, -a display filters can be used to display only marked packets, and so that -the /"Edit:Find Packet" dialog can be used to find the next or previous -marked packet. - -menu:Edit[Find Next Mark]:: - -menu:Edit[Find Previous Mark]:: -Find next or previous marked packet. - -menu:Edit[Mark All Packets]:: - -menu:Edit[Unmark All Packets]:: -Mark or unmark all packets that are currently displayed. - -menu:Edit[Time Reference,Set Time Reference (toggle)]:: -+ --- -Set (or unset if currently set) the selected packet as a Time Reference packet. -When a packet is set as a Time Reference packet, the timestamps in the packet -list pane will be replaced with the string "*REF*". -The relative time timestamp in later packets will then be calculated relative -to the timestamp of this Time Reference packet and not the first packet in -the capture. - -Packets that have been selected as Time Reference packets will always be -displayed in the packet list pane. Display filters will not affect or -hide these packets. - -If there is a column displayed for "Cumulative Bytes" this counter will -be reset at every Time Reference packet. --- - -menu:Edit[Time Reference,Find Next]:: - -menu:Edit[Time Reference,Find Previous]:: -Search forward or backward for a time referenced packet. - -menu:Edit[Configuration Profiles]:: -Manage configuration profiles to be able to use more than one set of preferences and configurations. - -menu:Edit[Preferences]:: -Set the GUI, capture, and protocol options (see /Preferences dialog below). - -menu:View[Main Toolbar]:: - -menu:View[Filter Toolbar]:: - -menu:View[Statusbar]:: -Show or hide the main window controls. - -menu:View[Packet List]:: - -menu:View[Packet Details]:: - -menu:View[Packet Bytes]:: -Show or hide the main window panes. - -menu:View[Time Display Format]:: -Set the format of the packet timestamp displayed in the packet list window. - -menu:View[Name Resolution,Resolve Name]:: -Try to resolve a name for the currently selected item. - -menu:View[Name Resolution,Enable for ... Layer]:: -Enable or disable translation of addresses to names in the display. - -menu:View[Colorize Packet List]:: -Enable or disable the coloring rules. -Disabling will improve performance. - -menu:View[Auto Scroll in Live Capture]:: -Enable or disable the automatic scrolling of the packet list while a live capture is in progress. - -menu:View[Zoom In]:: - -menu:View[Zoom Out]:: -Zoom into or out of the main window data (by changing the font size). - -menu:View[Normal Size]:: -Reset the zoom level back to normal font size. - -menu:View[Resize All Columns]:: -Resize all columns to best fit the current packet display. - -menu:View[Expand / Collapse Subtrees]:: -Expand or collapse the currently selected item and its subtrees in the packet details. - -menu:View[Expand All]:: - -menu:View[Collapse All]:: -Expand or Collapse all branches of the packet details. - -menu:View[Colorize Conversation]:: -Select a color for a conversation. - -menu:View[Reset Coloring 1-10]:: -Reset a color for a conversation. - -menu:View[Coloring Rules]:: -Change the foreground and background colors of the packet information in -the list of packets, based upon display filters. The list of display -filters is applied to each packet sequentially. After the first display -filter matches a packet, any additional display filters in the list are -ignored. Therefore, if you are filtering on the existence of protocols, -you should list the higher-level protocols first, and the lower-level -protocols last. - -How Colorization Works:: -+ --- -Packets are colored according to a list of color filters. Each filter -consists of a name, a filter expression and a coloration. A packet is -colored according to the first filter that it matches. Color filter -expressions use exactly the same syntax as display filter expressions. - -When Wireshark starts, the color filters are loaded from: - -1. The user's personal color filters file or, if that does not exist, -2. The global color filters file. - -If neither of these exist then the packets will not be colored. --- - -menu:View[Show Packet In New Window]:: -Create a new window containing a packet details view and a hex dump -window of the currently selected packet; this window will continue to -display that packet's details and data even if another packet is -selected. - -menu:View[Reload]:: -Reload a capture file. Same as __File:Close__ and __File:Open__ the same file again. - -menu:Go[Back]:: -Go back in previously visited packets history. - -menu:Go[Forward]:: -Go forward in previously visited packets history. - -menu:Go[Go To Packet]:: -Go to a particular numbered packet. - -menu:Go[Go To Corresponding Packet]:: -If a field in the packet details pane containing a packet number is -selected, go to the packet number specified by that field. (This works -only if the dissector that put that entry into the packet details put it -into the details as a filterable field rather than just as text.) This -can be used, for example, to go to the packet for the request -corresponding to a reply, or the reply corresponding to a request, if -that packet number has been put into the packet details. - -menu:Go[Previous Packet]:: - -menu:Go[Next Packet]:: - -menu:Go[First Packet]:: - -menu:Go[Last Packet]:: -Go to the previous, next, first, or last packet in the capture. - -menu:Go[Previous Packet In Conversation]:: - -menu:Go[Next Packet In Conversation]:: -Go to the previous or next packet of the TCP, UDP or IP conversation. - -menu:Capture[Interfaces]:: -Shows a dialog box with all currently known interfaces and displaying the -current network traffic amount. Capture sessions can be started from here. -Beware: keeping this box open results in high system load! - -menu:Capture[Options]:: -Initiate a live packet capture (see /"Capture Options Dialog" -below). If no filename is specified, a temporary file will be created -to hold the capture. Temporary files are written in the directory listed -in menu:Help[About Wireshark > Folders]. This location can be chosen with the -command line option *--temp-dir*, or by setting the environment variable -TMPDIR (on UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, -and AIX) or TEMP (on Windows) before starting **Wireshark**. - -menu:Capture[Start]:: -Start a live packet capture with the previously selected options. This won't -open the options dialog box, and can be convenient for repeatedly capturing -with the same options. - -menu:Capture[Stop]:: -Stop a running live capture. - -menu:Capture[Restart]:: -While a live capture is running, stop it and restart with the same options -again. This can be convenient to remove irrelevant packets, if no valuable -packets were captured so far. - -menu:Capture[Capture Filters]:: -Edit the saved list of capture filters, allowing filters to be added, changed, or deleted. - -menu:Analyze[Display Filters]:: -Edit the saved list of display filters, allowing filters to be added, changed, or deleted. - -menu:Analyze[Display Filter Macros]:: -Create shortcuts for complex macros. - -menu:Analyze[Apply as Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details and apply the filter. - -If that data is a field that can be tested in a display filter -expression, the display filter will test that field; otherwise, the -display filter will be based on the absolute offset within the packet. -Therefore it could be unreliable if the packet contains protocols with -variable-length headers, such as a source-routed token-ring packet. - -The *Selected* option creates a display filter that tests for a match -of the data; the *Not Selected* option creates a display filter that -tests for a non-match of the data. The *And Selected*, *Or Selected*, -*And Not Selected*, and *Or Not Selected* options add to the end of -the display filter in the strip at the top (or bottom) an AND or OR -operator followed by the new display filter expression. --- - -menu:Analyze[Prepare as Filter]:: -+ --- -Create a display filter based on the data currently highlighted in the -packet details. The filter strip at the top (or bottom) is updated but -it is not yet applied. --- - -menu:Analyze[Enabled Protocols]:: -+ --- -Allow protocol dissection to be enabled or disabled for a specific -protocol. Individual protocols can be enabled or disabled by clicking -on them in the list or by highlighting them and pressing the space bar. -The entire list can be enabled, disabled, or inverted using the buttons -below the list. - -When a protocol is disabled, dissection in a particular packet stops -when that protocol is reached, and Wireshark moves on to the next packet. -Any higher-layer protocols that would otherwise have been processed will -not be displayed. For example, disabling TCP will prevent the dissection -and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively -dependent on TCP. - -The list of protocols can be saved, so that Wireshark will start up with -the protocols in that list disabled. --- - -menu:Analyze[Decode As]:: -If you have a packet selected, present a dialog allowing you to change -which dissectors are used to decode this packet. The dialog has one -panel each for the link layer, network layer and transport layer -protocol/port numbers, and will allow each of these to be changed -independently. For example, if the selected packet is a TCP packet to -port 12345, using this dialog you can instruct Wireshark to decode all -packets to or from that TCP port as HTTP packets. - -menu:Analyze[User Specified Decodes]:: -Create a new window showing whether any protocol ID to dissector -mappings have been changed by the user. This window also allows the -user to reset all decodes to their default values. - -menu:Analyze[Follow TCP Stream]:: -+ --- -If you have a TCP packet selected, display the contents of the data -stream for the TCP connection to which that packet belongs, as text, in -a separate window, and leave the list of packets in a filtered state, -with only those packets that are part of that TCP connection being -displayed. You can revert to your old view by pressing ENTER in the -display filter text box, thereby invoking your old display filter (or -resetting it back to no display filter). - -The window in which the data stream is displayed lets you select: - -* whether to display the entire conversation, or one or the other side of -it; - -* whether the data being displayed is to be treated as ASCII or EBCDIC -text or as raw hex data; - -and lets you print what's currently being displayed, using the same -print options that are used for the __File:Print Packet__ menu item, or -save it as text to a file. --- - -menu:Analyze[Follow UDP Stream]:: - -menu:Analyze[Follow TLS Stream]:: -Similar to Analyze:Follow TCP Stream. - -menu:Analyze[Expert Info]:: - -menu:Analyze[Expert Info Composite]:: -Show anomalies found by Wireshark in a capture file. - -menu:Analyze[Conversation Filter]:: - -menu:Statistics[Summary]:: -Show summary information about the capture, including elapsed time, -packet counts, byte counts, and the like. If a display filter is in -effect, summary information will be shown about the capture and about -the packets currently being displayed. - -menu:Statistics[Protocol Hierarchy]:: -Show the number of packets, and the number of bytes in those packets, -for each protocol in the trace. It organizes the protocols in the same -hierarchy in which they were found in the trace. Besides counting the -packets in which the protocol exists, a count is also made for packets -in which the protocol is the last protocol in the stack. These -last-protocol counts show you how many packets (and the byte count -associated with those packets) *ended* in a particular protocol. In -the table, they are listed under "End Packets" and "End Bytes". - -menu:Statistics[Conversations]:: -Lists of conversations; selectable by protocol. -See Statistics:Conversation List below. - -menu:Statistics[End Points]:: -List of End Point Addresses by protocol with packets, bytes, and other counts. - -menu:Statistics[Packet Lengths]:: -Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...) - -menu:Statistics[I/O Graphs]:: -+ --- -Open a window where up to 5 graphs in different colors can be displayed -to indicate number of packets or number of bytes per second for all packets -matching the specified filter. -By default only one graph will be displayed showing number of packets per second. - -The top part of the window contains the graphs and scales for the X and -Y axis. If the graph is too long to fit inside the window there is a -horizontal scrollbar below the drawing area that can scroll the graphs -to the left or the right. The horizontal axis displays the time into -the capture and the vertical axis will display the measured quantity at -that time. - -Below the drawing area and the scrollbar are the controls. On the -bottom left there will be five similar sets of controls to control each -individual graph such as "Display:<button>" which button will toggle -that individual graph on/off. If <button> is ticked, the graph will be -displayed. "Color:<color>" which is just a button to show which color -will be used to draw that graph. Finally "Filter:<filter-text>" which -can be used to specify a display filter for that particular graph. - -If filter-text is empty then all packets will be used to calculate the -quantity for that graph. If filter-text is specified only those packets -that match that display filter will be considered in the calculation of -quantity. - -To the right of the 5 graph controls there are four menus to control -global aspects of the draw area and graphs. The "Unit:" menu is used to -control what to measure; "packets/tick", "bytes/tick" or "advanced..." - -packets/tick will measure the number of packets matching the (if -specified) display filter for the graph in each measurement interval. - -bytes/tick will measure the total number of bytes in all packets matching -the (if specified) display filter for the graph in each measurement -interval. - -advanced... see below - -"Tick interval:" specifies what measurement intervals to use. The -default is 1 second and means that the data will be counted over 1 -second intervals. - -"Pixels per tick:" specifies how many pixels wide each measurement -interval will be in the drawing area. The default is 5 pixels per tick. - -"Y-scale:" controls the max value for the y-axis. Default value is -"auto" which means that *Wireshark* will try to adjust the maxvalue -automatically. - -"advanced..." If Unit:advanced... is selected the window will display -two more controls for each of the five graphs. One control will be a -menu where the type of calculation can be selected from -SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a -single display filter field can be specified. - -The following restrictions apply to type and field combinations: - -SUM: available for all types of integers and will calculate the SUM of -all occurrences of this field in the measurement interval. Note that -some field can occur multiple times in the same packet and then all -instances will be summed up. Example: 'tcp.len' which will count the -amount of payload data transferred across TCP in each interval. - -COUNT: available for all field types. This will COUNT the number of times -certain field occurs in each interval. Note that some fields -may occur multiple times in each packet and if that is the case -then each instance will be counted independently and COUNT -will be greater than the number of packets. - -MAX: available for all integer and relative time fields. This will calculate -the max seen integer/time value seen for the field during the interval. -Example: 'smb.time' which will plot the maximum SMB response time. - -MIN: available for all integer and relative time fields. This will calculate -the min seen integer/time value seen for the field during the interval. -Example: 'smb.time' which will plot the minimum SMB response time. - -AVG: available for all integer and relative time fields.This will -calculate the average seen integer/time value seen for the field during -the interval. Example: 'smb.time' which will plot the average SMB -response time. - -LOAD: available only for relative time fields (response times). - -Example of advanced: -Display how NFS response time MAX/MIN/AVG changes over time: - -Set first graph to: - - filter:nfs&&rpc.time - Calc:MAX rpc.time - -Set second graph to - - filter:nfs&&rpc.time - Calc:AVG rpc.time - -Set third graph to - - filter:nfs&&rpc.time - Calc:MIN rpc.time - -Example of advanced: -Display how the average packet size from host a.b.c.d changes over time. - -Set first graph to - - filter:ip.addr==a.b.c.d&&frame.pkt_len - Calc:AVG frame.pkt_len - -LOAD: -The LOAD io-stat type is very different from anything you have ever seen -before! While the response times themselves as plotted by MIN,MAX,AVG are -indications on the Server load (which affects the Server response time), -the LOAD measurement measures the Client LOAD. -What this measures is how much workload the client generates, -i.e. how fast will the client issue new commands when the previous ones -completed. -i.e. the level of concurrency the client can maintain. -The higher the number, the more and faster is the client issuing new -commands. When the LOAD goes down, it may be due to client load making -the client slower in issuing new commands (there may be other reasons as -well, maybe the client just doesn't have any commands it wants to issue -right then). - -Load is measured in concurrency/number of overlapping i/o and the value -1000 means there is a constant load of one i/o. - -In each tick interval the amount of overlap is measured. -See the graph below containing three commands: -Below the graph are the LOAD values for each interval that would be calculated. - - | | | | | | | | | - | | | | | | | | | - | | o=====* | | | | | | - | | | | | | | | | - | o========* | o============* | | | - | | | | | | | | | - --------------------------------------------------> Time - 500 1500 500 750 1000 500 0 0 --- - -menu:Statistics[Conversation List]:: -+ --- -This option will open a new window that displays a list of all -conversations between two endpoints. The list has one row for each -unique conversation and displays total number of packets/bytes seen as -well as number of packets/bytes in each direction. - -By default the list is sorted according to the number of packets but by -clicking on the column header; it is possible to re-sort the list in -ascending or descending order by any column. - -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -These statistics windows can also be invoked from the Wireshark command -line using the *-z conv* argument. --- - -menu:Statistics[Service Response Time]:: -+ --- - -* AFP - -* CAMEL - -* DCE-RPC - -Open a window to display Service Response Time statistics for an -arbitrary DCE-RPC program -interface and display *Procedure*, *Number of Calls*, *Minimum SRT*, -*Maximum SRT* and *Average SRT* for all procedures for that -program/version. These windows opened will update in semi-real time to -reflect changes when doing live captures or when reading new capture -files into *Wireshark*. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such DCE-RPC request/response pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. - -* Diameter - -* Fibre Channel - -Open a window to display Service Response Time statistics for Fibre Channel -and display *FC Type*, *Number of Calls*, *Minimum SRT*, -*Maximum SRT* and *Average SRT* for all FC types. -These windows opened will update in semi-real time to -reflect changes when doing live captures or when reading new capture -files into *Wireshark*. -The Service Response Time is calculated as the time delta between the -First packet of the exchange and the Last packet of the exchange. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such FC first/last exchange pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. - -* GTP - -* H.225 RAS - -Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. -Data collected is *number of calls* for each known ITU-T H.225 RAS Message Type, -*Minimum SRT*, *Maximum SRT*, *Average SRT*, *Minimum in Packet*, and *Maximum in Packet*. -You will also get the number of *Open Requests* (Unresponded Requests), -*Discarded Responses* (Responses without matching request) and Duplicate Messages. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the calculation. The statistics will only be calculated -on those calls matching that filter. - -* LDAP - -* MEGACO - -* MGCP - -Collect requests/response SRT (Service Response Time) data for MGCP. -Data collected is *number of calls* for each known MGCP Type, -*Minimum SRT*, *Maximum SRT*, *Average SRT*, *Minimum in Packet*, and *Maximum in Packet*. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the calculation. The statistics will only be calculated -on those calls matching that filter. - -* NCP - -* ONC-RPC - -Open a window to display statistics for an arbitrary ONC-RPC program interface -and display *Procedure*, *Number of Calls*, *Minimum SRT*, *Maximum SRT* and *Average SRT* for all procedures for that program/version. -These windows opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -This dialog will also allow an optional filter string to be used. -If an optional filter string is used only such ONC-RPC request/response pairs -that match that filter will be used to calculate the statistics. If no filter -string is specified all request/response pairs will be used. - -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -* RADIUS - -* SCSI - -* SMB - -Collect call/reply SRT (Service Response Time) data for SMB. Data collected -is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. - -The data will be presented as separate tables for all normal SMB commands, -all Transaction2 commands and all NT Transaction commands. -Only those commands that are seen in the capture will have its stats -displayed. -Only the first command in a xAndX command chain will be used in the -calculation. So for common SessionSetupAndX + TreeConnectAndX chains, -only the SessionSetupAndX call will be used in the statistics. -This is a flaw that might be fixed in the future. - -You can apply an optional filter string in a dialog box, before starting -the calculation. The stats will only be calculated -on those calls matching that filter. - -By first selecting a conversation by clicking on it and then using the -right mouse button (on those platforms that have a right -mouse button) Wireshark will display a popup menu offering several different -filter operations to apply to the capture. - -* SMB2 --- - -menu:Statistics[BOOTP-DHCP]:: -Show DHCP statistics. - -menu:Statistics[Compare]:: -Compare two capture files. - -menu:Statistics[Flow Graph]:: -Show protocol flows. - -menu:Statistics[HTTP]:: -HTTP Load Distribution, Packet Counter & Requests. - -menu:Statistics[IP Addresses]:: -Count, Rate, and Percent by IP Address. - -menu:Statistics[IP Destinations]:: -Count, Rate, and Percent by IP Address, protocol, and port. - -menu:Statistics[IP Protocol Types]:: -Count, Rate, and Percent by IP Protocol Types. - -menu:Statistics[ONC-RPC Programs]:: -This dialog will open a window showing aggregated SRT statistics for all ONC-RPC Programs/versions that exist in the capture file. - -menu:Statistics[TCP Stream Graph]:: -Show Round Trip, Throughput, Time-Sequence (Stevens), or Time-Sequence (tcptrace) graphs. - -menu:Statistics[UDP Multicast streams]:: -Multicast Streams counts, rates, and other statistics by source and destination address and port pairs. - -menu:Statistics[WLAN Traffic]:: -WLAN Traffic Statistics. - -menu:Telephony[ITU-T H.225]:: -+ --- -Count ITU-T H.225 messages and their reasons. In the first column you get a -list of H.225 messages and H.225 message reasons, which occur in the current -capture file. The number of occurrences of each message or reason will be displayed -in the second column. -This window opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the counter. The statistics will only be calculated -on those calls matching that filter. --- - -menu:Telephony[SIP]:: -+ --- -Activate a counter for SIP messages. You will get the number of occurrences of each -SIP Method and of each SIP Status-Code. Additionally you also get the number of -resent SIP Messages (only for SIP over UDP). - -This window opened will update in semi-real time to reflect changes when -doing live captures or when reading new capture files into *Wireshark*. - -You can apply an optional filter string in a dialog box, before starting -the counter. The statistics will only be calculated -on those calls matching that filter. --- - -menu:Tools[Firewall ACL Rules]:: -Generate firewall rules for a selected packet. - -menu:Help[Contents]:: -Display the User's Guide. - -menu:Help[Supported Protocols]:: -List of supported protocols and display filter protocol fields. - -menu:Help[Manual Pages]:: -Display locally installed HTML versions of these manual pages in a web browser. - -menu:Help[Wireshark Online]:: -Various links to online resources to be open in a web browser, like https://www.wireshark.org. - -menu:Help[About Wireshark]:: -See various information about Wireshark (see /About dialog below), like the version, the folders used, the available plugins, ... - -=== WINDOWS - -Main Window:: -+ --- -The main window contains the usual things like the menu, some toolbars, the -main area and a statusbar. The main area is split into three panes, you can -resize each pane using a "thumb" at the right end of each divider line. - -The main window is much more flexible than before. The layout of the main -window can be customized by the __Layout__ page in the dialog box popped -up by __Edit:Preferences__, the following will describe the layout with the -default settings. --- - -Main Toolbar:: -Some menu items are available for quick access here. There is no way to -customize the items in the toolbar, however the toolbar can be hidden by -__View:Main Toolbar__. - -Filter Toolbar:: -+ --- -A display filter can be entered into the filter toolbar. -A filter for HTTP, HTTPS, and DNS traffic might look like this: - - tcp.port in {80 443 53} - -Selecting the __Filter:__ button lets you choose from a list of named -filters that you can optionally save. Pressing the Return or Enter -keys, or selecting the __Apply__ button, will cause the filter to be -applied to the current list of packets. Selecting the __Reset__ button -clears the display filter so that all packets are displayed (again). - -There is no way to customize the items in the toolbar, however the toolbar -can be hidden by __View:Filter Toolbar__. --- - -Packet List Pane:: -+ --- -The top pane contains the list of network packets that you can scroll -through and select. By default, the packet number, packet timestamp, -source and destination addresses, protocol, and description are -displayed for each packet; the __Columns__ page in the dialog box popped -up by __Edit:Preferences__ lets you change this (although, unfortunately, -you currently have to save the preferences, and exit and restart -Wireshark, for those changes to take effect). - -If you click on the heading for a column, the display will be sorted by -that column; clicking on the heading again will reverse the sort order -for that column. - -An effort is made to display information as high up the protocol stack -as possible, e.g. IP addresses are displayed for IP packets, but the -MAC layer address is displayed for unknown packet types. - -The right mouse button can be used to pop up a menu of operations. - -The middle mouse button can be used to mark a packet. --- - -Packet Details Pane:: -The middle pane contains a display of the details of the -currently-selected packet. The display shows each field and its value -in each protocol header in the stack. The right mouse button can be -used to pop up a menu of operations. - -Packet Bytes Pane:: -+ --- -The lowest pane contains a hex and ASCII dump of the actual packet data. -Selecting a field in the packet details highlights the corresponding -bytes in this section. - -The right mouse button can be used to pop up a menu of operations. --- - -Statusbar:: -+ --- -The statusbar is divided into three parts, on the left some context dependent -things are shown, like information about the loaded file, in the center the -number of packets are displayed, and on the right the current configuration -profile. - -The statusbar can be hidden by __View:Statusbar__. --- - -Preferences:: -Adjust the behavior of *Wireshark*. - -User Interface Preferences:: -Modify the UI to your own personal tastes. - -Selection Bars:: -The selection bar in the packet list and packet details can have either -a "browse" or "select" behavior. If the selection bar has a "browse" -behavior, the arrow keys will move an outline of the selection bar, -allowing you to browse the rest of the list or details without changing -the selection until you press the space bar. If the selection bar has a -"select" behavior, the arrow keys will move the selection bar and change -the selection to the new item in the packet list or packet details. - -Save Window Position:: -If this item is selected, the position of the main Wireshark window will -be saved when Wireshark exits, and used when Wireshark is started again. - -Save Window Size:: -If this item is selected, the size of the main Wireshark window will -be saved when Wireshark exits, and used when Wireshark is started again. - -Save Window Maximized state:: -If this item is selected the maximize state of the main Wireshark window -will be saved when Wireshark exists, and used when Wireshark is started again. - -File Open Dialog Behavior:: -This item allows the user to select how Wireshark handles the listing -of the "File Open" Dialog when opening trace files. "Remember Last -Directory" causes Wireshark to automatically position the dialog in the -directory of the most recently opened file, even between launches of Wireshark. -"Always Open in Directory" allows the user to define a persistent directory -that the dialog will always default to. - -Directory:: -Allows the user to specify a persistent File Open directory. Trailing -slashes or backslashes will automatically be added. - -File Open Preview timeout:: -This items allows the user to define how much time is spend reading the -capture file to present preview data in the File Open dialog. - -Open Recent maximum list entries:: -The File menu supports a recent file list. This items allows the user to -specify how many files are kept track of in this list. - -Ask for unsaved capture files:: -When closing a capture file or Wireshark itself if the file isn't saved yet -the user is presented the option to save the file when this item is set. - -Wrap during find:: -This items determines the behavior when reaching the beginning or the end -of a capture file. When set the search wraps around and continues, otherwise -it stops. - -Settings dialogs show a save button:: -This item determines if the various dialogs sport an explicit Save button -or that save is implicit in OK / Apply. - -Web browser command:: -This entry specifies the command line to launch a web browser. It is used -to access online content, like the Wiki and user guide. Use '%s' to place -the request URL in the command line. - -Layout Preferences:: -The __Layout__ page lets you specify the general layout of the main window. -You can choose from six different layouts and fill the three panes with the -contents you like. - -Scrollbars:: -The vertical scrollbars in the three panes can be set to be either on -the left or the right. - -Alternating row colors:: - -Hex Display:: -The highlight method in the hex dump display for the selected protocol -item can be set to use either inverse video, or bold characters. - -Toolbar style:: - -Filter toolbar placement:: - -Custom window title:: - -Column Preferences:: -+ --- -The __Columns__ page lets you specify the number, title, and format -of each column in the packet list. - -The __Column title__ entry is used to specify the title of the column -displayed at the top of the packet list. The type of data that the column -displays can be specified using the __Column format__ option menu. -The row of buttons on the left perform the following actions: --- - -New:: -Adds a new column to the list. - -Delete:: -Deletes the currently selected list item. - -Up / Down:: -Moves the selected list item up or down one position. - -Font Preferences:: -The __Font__ page lets you select the font to be used for most text. - -Color Preferences:: -The __Colors__ page can be used to change the color of the text -displayed in the TCP stream window and for marked packets. To change a color, -simply select an attribute from the "Set:" menu and use the color selector to -get the desired color. The new text colors are displayed as a sample text. - -Capture Preferences:: -+ --- -The __Capture__ page lets you specify various parameters for capturing -live packet data; these are used the first time a capture is started. - -The __Interface:__ combo box lets you specify the interface from which to -capture packet data, or the name of a FIFO from which to get the packet -data. - -The __Data link type:__ option menu lets you, for some interfaces, select -the data link header you want to see on the packets you capture. For -example, in some OSes and with some versions of libpcap, you can choose, -on an 802.11 interface, whether the packets should appear as Ethernet -packets (with a fake Ethernet header) or as 802.11 packets. - -The __Limit each packet to ... bytes__ check box lets you set the -snapshot length to use when capturing live data; turn on the check box, -and then set the number of bytes to use as the snapshot length. - -The __Filter:__ text entry lets you set a capture filter expression to be -used when capturing. - -If any of the environment variables SSH_CONNECTION, SSH_CLIENT, -REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create a -default capture filter that excludes traffic from the hosts and ports -defined in those variables. - -The __Capture packets in promiscuous mode__ check box lets you specify -whether to put the interface in promiscuous mode when capturing. - -The __Update list of packets in real time__ check box lets you specify -that the display should be updated as packets are seen. --- - -Name Resolution Preferences:: -+ --- -The __Enable MAC name resolution__, __Enable network name resolution__ and -__Enable transport name resolution__ check boxes let you specify whether -MAC addresses, network addresses, and transport-layer port numbers -should be translated to names. - -The __Enable concurrent DNS name resolution__ allows Wireshark to send out -multiple name resolution requests and not wait for the result before -continuing dissection. This speeds up dissection with network name -resolution but initially may miss resolutions. The number of concurrent -requests can be set here as well. - -__SMI paths__ - -__SMI modules__ --- - -RTP Player Preferences:: -This page allows you to select the number of channels visible in the -RTP player window. It determines the height of the window, more channels -are possible and visible by means of a scroll bar. - -Protocol Preferences:: -There are also pages for various protocols that Wireshark dissects, -controlling the way Wireshark handles those protocols. - -Edit Capture Filter List:: - -Edit Display Filter List:: - -Capture Filter:: - -Display Filter:: - -Read Filter:: - -Search Filter:: -+ --- -The __Edit Capture Filter List__ dialog lets you create, modify, and -delete capture filters, and the __Edit Display Filter List__ dialog lets -you create, modify, and delete display filters. - -The __Capture Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used when -capturing packets. - -The __Display Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used to -filter the current capture being viewed. - -The __Read Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter to be used to -as a read filter for a capture file you open. - -The __Search Filter__ dialog lets you do all of the editing operations -listed, and also lets you choose or construct a filter expression to be -used in a find operation. - -In all of those dialogs, the __Filter name__ entry specifies a -descriptive name for a filter, e.g. *Web and DNS traffic*. The -__Filter string__ entry is the text that actually describes the filtering -action to take, as described above.The dialog buttons perform the -following actions: --- - -New:: -If there is text in the two entry boxes, creates a new associated list item. - -Edit:: -Modifies the currently selected list item to match what's in the entry boxes. - -Delete:: -Deletes the currently selected list item. - -Add Expression...:: -+ --- -For display filter expressions, pops up a dialog box to allow you to -construct a filter expression to test a particular field; it offers -lists of field names, and, when appropriate, lists from which to select -tests to perform on the field and values with which to compare it. In -that dialog box, the OK button will cause the filter expression you -constructed to be entered into the __Filter string__ entry at the current -cursor position. --- - -OK:: -+ --- -In the __Capture Filter__ dialog, closes the dialog box and makes the -filter in the __Filter string__ entry the filter in the __Capture - Preferences__ dialog. In the __Display Filter__ dialog, closes the dialog -box and makes the filter in the __Filter string__ entry the current -display filter, and applies it to the current capture. In the __Read - Filter__ dialog, closes the dialog box and makes the filter in the -__Filter string__ entry the filter in the __Open Capture File__ dialog. -In the __Search Filter__ dialog, closes the dialog box and makes the -filter in the __Filter string__ entry the filter in the __Find Packet__ -dialog. --- - -Apply:: -Makes the filter in the __Filter string__ entry the current display filter, and applies it to the current capture. - -Save:: -If the list of filters being edited is the list of -capture filters, saves the current filter list to the personal capture -filters file, and if the list of filters being edited is the list of -display filters, saves the current filter list to the personal display -filters file. - -Close:: -Closes the dialog without doing anything with the filter in the __Filter string__ entry. - -The Color Filters Dialog:: -This dialog displays a list of color filters and allows it to be modified. - -THE FILTER LIST:: -Single rows may be selected by clicking. Multiple rows may be selected -by using the ctrl and shift keys in combination with the mouse button. - -NEW:: -Adds a new filter at the bottom of the list and opens the Edit Color -Filter dialog box. You will have to alter the filter expression at -least before the filter will be accepted. The format of color filter -expressions is identical to that of display filters. The new filter is -selected, so it may immediately be moved up and down, deleted or edited. -To avoid confusion all filters are unselected before the new filter is -created. - -EDIT:: -Opens the Edit Color Filter dialog box for the selected filter. (If this -button is disabled you may have more than one filter selected, making it -ambiguous which is to be edited.) - -ENABLE:: -Enables the selected color filter(s). - -DISABLE:: -Disables the selected color filter(s). - -DELETE:: -Deletes the selected color filter(s). - -EXPORT:: -Allows you to choose a file in which to save the current list of color -filters. You may also choose to save only the selected filters. A -button is provided to save the filters in the global color filters file -(you must have sufficient permissions to write this file, of course). - -IMPORT:: -Allows you to choose a file containing color filters which are then -added to the bottom of the current list. All the added filters are -selected, so they may be moved to the correct position in the list as a -group. To avoid confusion, all filters are unselected before the new -filters are imported. A button is provided to load the filters from the -global color filters file. - -CLEAR:: -Deletes your personal color filters file, reloads the global color filters file, if any, and closes the dialog. - -UP:: -Moves the selected filter(s) up the list, making it more likely that they will be used to color packets. - -DOWN:: -Moves the selected filter(s) down the list, making it less likely that they will be used to color packets. - -OK:: -Closes the dialog and uses the color filters as they stand. - -APPLY:: -Colors the packets according to the current list of color filters, but does not close the dialog. - -SAVE:: -Saves the current list of color filters in your personal color filters -file. Unless you do this they will not be used the next time you start -Wireshark. - -CLOSE:: -Closes the dialog without changing the coloration of the packets. Note -that changes you have made to the current list of color filters are not -undone. - -Capture Options Dialog:: -+ --- -The __Capture Options Dialog__ lets you specify various parameters for -capturing live packet data. - -The __Interface:__ field lets you specify the interface from which to -capture packet data or a command from which to get the packet data via a -pipe. - -The __Link layer header type:__ field lets you specify the interfaces link -layer header type. This field is usually disabled, as most interface have -only one header type. - -The __Capture packets in promiscuous mode__ check box lets you specify -whether the interface should be put into promiscuous mode when -capturing. - -The __Limit each packet to ... bytes__ check box and field lets you -specify a maximum number of bytes per packet to capture and save; if the -check box is not checked, the limit will be 262144 bytes. - -The __Capture Filter:__ entry lets you specify the capture filter using a -tcpdump-style filter string as described above. - -The __File:__ entry lets you specify the file into which captured packets -should be saved, as in the __Printer Options__ dialog above. If not -specified, the captured packets will be saved in a temporary file; you -can save those packets to a file with the __File:Save As__ menu item. - -The __Use multiple files__ check box lets you specify that the capture -should be done in "multiple files" mode. This option is disabled, if the -__Update list of packets in real time__ option is checked. - -The __Next file every ... megabyte(s)__ check box and fields lets -you specify that a switch to a next file should be done -if the specified filesize is reached. You can also select the appropriate -unit, but beware that the filesize has a maximum of 2 GiB. -The check box is forced to be checked, as "multiple files" mode requires a -file size to be specified. - -The __Next file every ... minute(s)__ check box and fields lets -you specify that the switch to a next file should be done after the specified -time has elapsed, even if the specified capture size is not reached. - -The __Ring buffer with ... files__ field lets you specify the number -of files of a ring buffer. This feature will capture into the first file -again, after the specified number of files have been used. - -The __Stop capture after ... files__ field lets you specify the number -of capture files used, until the capture is stopped. - -The __Stop capture after ... packet(s)__ check box and field let -you specify that Wireshark should stop capturing after having captured -some number of packets; if the check box is not checked, Wireshark will -not stop capturing at some fixed number of captured packets. - -The __Stop capture after ... megabyte(s)__ check box and field lets -you specify that Wireshark should stop capturing after the file to which -captured packets are being saved grows as large as or larger than some -specified number of megabytes. If the check box is not checked, Wireshark -will not stop capturing at some capture file size (although the operating -system on which Wireshark is running, or the available disk space, may still -limit the maximum size of a capture file). This option is disabled, if -"multiple files" mode is used, - -The __Stop capture after ... second(s)__ check box and field let you -specify that Wireshark should stop capturing after it has been capturing -for some number of seconds; if the check box is not checked, Wireshark -will not stop capturing after some fixed time has elapsed. - -The __Update list of packets in real time__ check box lets you specify -whether the display should be updated as packets are captured and, if -you specify that, the __Automatic scrolling in live capture__ check box -lets you specify the packet list pane should automatically scroll to -show the most recently captured packets as new packets arrive. - -The __Enable MAC name resolution__, __Enable network name resolution__ and -__Enable transport name resolution__ check boxes let you specify whether -MAC addresses, network addresses, and transport-layer port numbers -should be translated to names. --- - -About:: -The __About__ dialog lets you view various information about Wireshark. - -menu:About[Wireshark]:: -The __Wireshark__ page lets you view general information about Wireshark, -like the installed version, licensing information and such. - -menu:About[Authors]:: -The __Authors__ page shows the author and all contributors. - -menu:About[Folders]:: -The __Folders__ page lets you view the directory names where Wireshark is -searching its various configuration and other files. - -menu:About[Plugins]:: -+ --- -The __Plugins__ page lets you view the dissector plugin modules -available on your system. - -The __Plugins List__ shows the name and version of each dissector plugin -module found on your system. - -On Unix-compatible systems, such as Linux, macOS, \*BSD, Solaris, and -AIX, the plugins are looked for in the following directories: the -__lib/wireshark/plugins/$VERSION__ directory under the main installation -directory (for example, __/usr/local/lib/wireshark/plugins/$VERSION__), -and then __$HOME/.wireshark/plugins__. - -On Windows systems, the plugins are looked for in the following -directories: __plugins\$VERSION__ directory under the main installation -directory (for example, __C:\Program Files\Wireshark\plugins\$VERSION__), -and then __%APPDATA%\Wireshark\plugins\$VERSION__ (or, if %APPDATA% isn't -defined, __%USERPROFILE%\Application Data\Wireshark\plugins\$VERSION__). - -$VERSION is the version number of the plugin interface, which -is typically the version number of Wireshark. Note that a dissector -plugin module may support more than one protocol; there is not -necessarily a one-to-one correspondence between dissector plugin modules -and protocols. Protocols supported by a dissector plugin module are -enabled and disabled using the __Edit:Protocols__ dialog box, just as -protocols built into Wireshark are. --- - -== CAPTURE FILTER SYNTAX - -See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), -or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters. - -== DISPLAY FILTER SYNTAX - -For a complete table of protocol and protocol fields that are filterable -in *Wireshark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page. - -== FILES - -These files contains various *Wireshark* configuration settings. - -Preferences:: -+ --- -The __preferences__ files contain global (system-wide) and personal -preference settings. If the system-wide preference file exists, it is -read first, overriding the default settings. If the personal preferences -file exists, it is read next, overriding any previous values. Note: If -the command line flag *-o* is used (possibly more than once), it will -in turn override values from the preferences files. - -The preferences settings are in the form __prefname:value__, -one per line, -where __prefname__ is the name of the preference -and __value__ is the value to -which it should be set; white space is allowed between *:* and -__value__. A preference setting can be continued on subsequent lines by -indenting the continuation lines with white space. A *#* character -starts a comment that runs to the end of the line: - - # Vertical scrollbars should be on right side? - # TRUE or FALSE (case-insensitive). - gui.scrollbar_on_right: TRUE - -The global preferences file is looked for in the __wireshark__ directory -under the __share__ subdirectory of the main installation directory. On -macOS, this would typically be -__/Application/Wireshark.app/Contents/Resources/share__; on other -UNIX-compatible systems, such as Linux, \*BSD, Solaris, and AIX, this -would typically be __/usr/share/wireshark/preferences__ for -system-installed packages and __/usr/local/share/wireshark/preferences__ -for locally-installed packages; on Windows, this would typically be -__C:\Program Files\Wireshark\preferences__. - -On UNIX-compatible systems, the personal preferences file is looked for -in __$XDG_CONFIG_HOME/wireshark/preferences__, (or, if -__$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__ -does exist, __$HOME/.wireshark/preferences__); this is typically -__$HOME/.config/wireshark/preferences__. On Windows, -the personal preferences file is looked for in -__%APPDATA%\Wireshark\preferences__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark\preferences__). - -Note: Whenever the preferences are saved by using the __Save__ button -in the __Edit:Preferences__ dialog box, your personal preferences file -will be overwritten with the new settings, destroying any comments and -unknown/obsolete settings that were in the file. --- - -Recent:: -+ --- -The __recent__ file contains personal settings (mostly GUI related) such -as the current *Wireshark* window size. The file is saved at program exit and -read in at program start automatically. Note: The command line flag *-o* -may be used to override settings from this file. - -The settings in this file have the same format as in the __preferences__ -files, and the same directory as for the personal preferences file is -used. - -Note: Whenever Wireshark is closed, your recent file -will be overwritten with the new settings, destroying any comments and -unknown/obsolete settings that were in the file. --- - -Disabled (Enabled) Protocols:: -+ --- -The __disabled_protos__ files contain system-wide and personal lists of -protocols that have been disabled, so that their dissectors are never -called. The files contain protocol names, one per line, where the -protocol name is the same name that would be used in a display filter -for the protocol: - - http - tcp # a comment - -If a protocol is listed in the global __disabled_protos__ file, it is not -displayed in the __Analyze:Enabled Protocols__ dialog box, and so cannot -be enabled by the user. - -The global __disabled_protos__ file uses the same directory as the global -preferences file. - -The personal __disabled_protos__ file uses the same directory as the -personal preferences file. - -Note: Whenever the disabled protocols list is saved by using the __Save__ -button in the __Analyze:Enabled Protocols__ dialog box, your personal -disabled protocols file will be overwritten with the new settings, -destroying any comments that were in the file. --- - -Name Resolution (hosts):: -+ --- -If the personal __hosts__ file exists, it is -used to resolve IPv4 and IPv6 addresses before any other -attempts are made to resolve them. The file has the standard __hosts__ -file syntax; each line contains one IP address and name, separated by -whitespace. The same directory as for the personal preferences file is used. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX, and Npcap or -WinPcap on Windows. As such the Wireshark personal __hosts__ file will -not be consulted for capture filter name resolution. --- - - -Name Resolution (subnets):: -+ --- -If an IPv4 address cannot be translated via name resolution (no exact -match is found) then a partial match is attempted via the __subnets__ file. -Both the global __subnets__ file and personal __subnets__ files are used -if they exist. - -Each line of this file consists of an IPv4 address, a subnet mask length -separated only by a / and a name separated by whitespace. While the address -must be a full IPv4 address, any values beyond the mask length are subsequently -ignored. - -An example is: - -# Comments must be prepended by the # sign! -192.168.0.0/24 ws_test_network - -A partially matched name will be printed as "subnet-name.remaining-address". -For example, "192.168.0.1" under the subnet above would be printed as -"ws_test_network.1"; if the mask length above had been 16 rather than 24, the -printed address would be "ws_test_network.0.1". --- - -Name Resolution (ethers):: -+ --- -The __ethers__ files are consulted to correlate 6-byte hardware addresses to -names. First the personal __ethers__ file is tried and if an address is not -found there the global __ethers__ file is tried next. - -Each line contains one hardware address and name, separated by -whitespace. The digits of the hardware address are separated by colons -(:), dashes (-) or periods (.). The same separator character must be -used consistently in an address. The following three lines are valid -lines of an __ethers__ file: - - ff:ff:ff:ff:ff:ff Broadcast - c0-00-ff-ff-ff-ff TR_broadcast - 00.00.00.00.00.00 Zero_broadcast - -The global __ethers__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ethers__ file is looked for in the same directory as the personal -preferences file. - -Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and Npcap or WinPcap on Windows. As such the Wireshark personal -__ethers__ file will not be consulted for capture filter name -resolution. --- - -Name Resolution (manuf):: -+ --- -The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte -hardware address with the manufacturer's name; it can also contain well-known -MAC addresses and address ranges specified with a netmask. The format of the -file is the same as the __ethers__ files, except that entries such as: - - 00:00:0C Cisco - -can be provided, with the 3-byte OUI and the name for a vendor, and -entries such as: - - 00-00-0C-07-AC/40 All-HSRP-routers - -can be specified, with a MAC address and a mask indicating how many bits -of the address must match. The above entry, for example, has 40 -significant bits, or 5 bytes, and would match addresses from -00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a -multiple of 8. - -The __manuf__ file is looked for in the same directory as the global -preferences file. --- - -Name Resolution (services):: -+ --- -The __services__ file is used to translate port numbers into names. -Both the global __services__ file and personal __services__ files are used -if they exist. - -The file has the standard __services__ file syntax; each line contains one -(service) name and one transport identifier separated by white space. The -transport identifier includes one port number and one transport protocol name -(typically tcp, udp, or sctp) separated by a /. - -An example is: - -mydns 5045/udp # My own Domain Name Server -mydns 5045/tcp # My own Domain Name Server --- - -Name Resolution (ipxnets):: -+ --- -The __ipxnets__ files are used to correlate 4-byte IPX network numbers to -names. First the global __ipxnets__ file is tried and if that address is not -found there the personal one is tried next. - -The format is the same as the __ethers__ -file, except that each address is four bytes instead of six. -Additionally, the address can be represented as a single hexadecimal -number, as is more common in the IPX world, rather than four hex octets. -For example, these four lines are valid lines of an __ipxnets__ file: - - C0.A8.2C.00 HR - c0-a8-1c-00 CEO - 00:00:BE:EF IT_Server1 - 110f FileServer3 - -The global __ipxnets__ file is looked for in the __/etc__ directory on -UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris, and AIX, -and in the main installation directory (for example, __C:\Program -Files\Wireshark__) on Windows systems. - -The personal __ipxnets__ file is looked for in the same directory as the -personal preferences file. --- - -Capture Filters:: -+ --- -The __cfilters__ files contain system-wide and personal capture filters. -Each line contains one filter, starting with the string displayed in the -dialog box in quotation marks, followed by the filter string itself: - - "HTTP" port 80 - "DCERPC" port 135 - -The global __cfilters__ file uses the same directory as the -global preferences file. - -The personal __cfilters__ file uses the same directory as the personal -preferences file. It is written through the Capture:Capture Filters -dialog. - -If the global __cfilters__ file exists, it is used only if the personal -__cfilters__ file does not exist; global and personal capture filters are -not merged. --- - -Display Filters:: -+ --- -The __dfilters__ files contain system-wide and personal display filters. -Each line contains one filter, starting with the string displayed in the -dialog box in quotation marks, followed by the filter string itself: - - "HTTP" http - "DCERPC" dcerpc - -The global __dfilters__ file uses the same directory as the -global preferences file. - -The personal __dfilters__ file uses the same directory as the -personal preferences file. It is written through the Analyze:Display -Filters dialog. - -If the global __dfilters__ file exists, it is used only if the personal -__dfilters__ file does not exist; global and personal display filters are -not merged. --- - -Color Filters (Coloring Rules):: -+ --- -The __colorfilters__ files contain system-wide and personal color filters. -Each line contains one filter, starting with the string displayed in the -dialog box, followed by the corresponding display filter. Then the -background and foreground colors are appended: - - # a comment - @tcp@tcp@[59345,58980,65534][0,0,0] - @udp@udp@[28834,57427,65533][0,0,0] - -The global __colorfilters__ file uses the same directory as the -global preferences file. - -The personal __colorfilters__ file uses the same directory as the -personal preferences file. It is written through the View:Coloring Rules -dialog. - -If the global __colorfilters__ file exists, it is used only if the personal -__colorfilters__ file does not exist; global and personal color filters are -not merged. --- - -Plugins:: -See above in the description of the About:Plugins page. - -== ENVIRONMENT VARIABLES - -// Should this be moved to an include file? - -WIRESHARK_CONFIG_DIR:: -+ --- -This environment variable overrides the location of personal -configuration files. On UNIX-compatible systems, such as Linux, macOS, -\*BSD, Solaris, and AIX, it defaults to __$XDG_CONFIG_HOME/wireshark__ -(or, if that directory doesn't exist but __$HOME/.wireshark__ does -exist, __$HOME/.wireshark__); this is typically -__$HOME/.config/wireshark__. On Windows, it defaults to -__%APPDATA%\Wireshark__ (or, if %APPDATA% isn't defined, -__%USERPROFILE%\Application Data\Wireshark__). Available since -Wireshark 3.0. --- - -WIRESHARK_DEBUG_WMEM_OVERRIDE:: -Setting this environment variable forces the wmem framework to use the -specified allocator backend for *all* allocations, regardless of which -backend is normally specified by the code. This is mainly useful to developers -when testing or debugging. See __README.wmem__ in the source distribution for -details. - -WIRESHARK_RUN_FROM_BUILD_DIRECTORY:: -This environment variable causes the plugins and other data files to be -loaded from the build directory (where the program was compiled) rather -than from the standard locations. It has no effect when the program in -question is running with root (or setuid) permissions on UNIX-compatible -systems, such as Linux, macOS, \*BSD, Solaris, and AIX. - -WIRESHARK_DATA_DIR:: -This environment variable causes the various data files to be loaded from -a directory other than the standard locations. It has no effect when the -program in question is running with root (or setuid) permissions on -UNIX-compatible systems. - -WIRESHARK_EXTCAP_DIR:: -This environment variable causes the various extcap programs and scripts -to be run from a directory other than the standard locations. It has no -effect when the program in question is running with root (or setuid) -permissions on UNIX-compatible systems. - -WIRESHARK_PLUGIN_DIR:: -This environment variable causes the various plugins to be loaded from -a directory other than the standard locations. It has no effect when the -program in question is running with root (or setuid) permissions on -UNIX-compatible systems. - -ERF_RECORDS_TO_CHECK:: -This environment variable controls the number of ERF records checked when -deciding if a file really is in the ERF format. Setting this environment -variable a number higher than the default (20) would make false positives -less likely. - -IPFIX_RECORDS_TO_CHECK:: -This environment variable controls the number of IPFIX records checked when -deciding if a file really is in the IPFIX format. Setting this environment -variable a number higher than the default (20) would make false positives -less likely. - -WIRESHARK_ABORT_ON_DISSECTOR_BUG:: -If this environment variable is set, *Wireshark* will call abort(3) -when a dissector bug is encountered. abort(3) will cause the program to -exit abnormally; if you are running *Wireshark* in a debugger, it -should halt in the debugger and allow inspection of the process, and, if -you are not running it in a debugger, it will, on some OSes, assuming -your environment is configured correctly, generate a core dump file. -This can be useful to developers attempting to troubleshoot a problem -with a protocol dissector. - -WIRESHARK_ABORT_ON_TOO_MANY_ITEMS:: -If this environment variable is set, *Wireshark* will call abort(3) -if a dissector tries to add too many items to a tree (generally this -is an indication of the dissector not breaking out of a loop soon enough). -abort(3) will cause the program to exit abnormally; if you are running -*Wireshark* in a debugger, it should halt in the debugger and allow -inspection of the process, and, if you are not running it in a debugger, -it will, on some OSes, assuming your environment is configured correctly, -generate a core dump file. This can be useful to developers attempting to -troubleshoot a problem with a protocol dissector. - -WIRESHARK_QUIT_AFTER_CAPTURE:: -Cause *Wireshark* to exit after the end of the capture session. This -doesn't automatically start a capture; you must still use *-k* to do -that. You must also specify an autostop condition, e.g. *-c* or *-a -duration:...*. This means that you will not be able to see the results -of the capture after it stops; it's primarily useful for testing. - -WIRESHARK_LOG_LEVEL:: -This environment variable controls the verbosity of diagnostic messages to -the console. From less verbose to most verbose levels can be `critical`, -`warning`, `message`, `info`, `debug` or `noisy`. Levels above the -current level are also active. Levels `critical` and `error` are always -active. - -WIRESHARK_LOG_FATAL:: -Sets the fatal log level. Fatal log levels cause the program to abort. -This level can be set to `Error`, `critical` or `warning`. `Error` is -always fatal and is the default. - -WIRESHARK_LOG_DOMAINS:: -This environment variable selects which log domains are active. The filter is -given as a case-insensitive comma separated list. If set only the included -domains will be enabled. The default domain is always considered to be enabled. -Domain filter lists can be preceded by '!' to invert the sense of the match. - -WIRESHARK_LOG_DEBUG:: -List of domains with `debug` log level. This sets the level of the provided -log domains and takes precedence over the active domains filter. If preceded -by '!' this disables the `debug` level instead. - -WIRESHARK_LOG_NOISY:: -Same as above but for `noisy` log level instead. - -== AUTHORS - -Wireshark would not be the powerful, featureful application it is without the generous contributions of hundreds of developers. - -A complete list of authors can be found in the AUTHORS file in Wireshark's source code repository and at https://www.wireshark.org/about.html#authors. - -== SEE ALSO - -xref:wireshark-filter.html[wireshark-filter](4), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:dumpcap.html[dumpcap](1), xref:mergecap.html[mergecap](1), -xref:text2pcap.html[text2pcap](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8) - -== NOTES - -This is the manual page for *Wireshark* {wireshark-version}. -The latest version of *Wireshark* can be found at -https://www.wireshark.org. - -HTML versions of the Wireshark project man pages are available at -https://www.wireshark.org/docs/man-pages. diff --git a/doc/ws.css b/doc/ws.css new file mode 100644 index 00000000..ee79141b --- /dev/null +++ b/doc/ws.css @@ -0,0 +1,770 @@ +/*! normalize.css v2.1.2 | MIT License | git.io/normalize */ +/* ========================================================================== HTML5 display definitions ========================================================================== */ +/** Correct `block` display not defined in IE 8/9. */ +article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary { display: block; } + +/** Correct `inline-block` display not defined in IE 8/9. */ +audio, canvas, video { display: inline-block; } + +/** Prevent modern browsers from displaying `audio` without controls. Remove excess height in iOS 5 devices. */ +audio:not([controls]) { display: none; height: 0; } + +/** Address `[hidden]` styling not present in IE 8/9. Hide the `template` element in IE, Safari, and Firefox < 22. */ +[hidden], template { display: none; } + +script { display: none !important; } + +/* ========================================================================== Base ========================================================================== */ +/** 1. Set default font family to sans-serif. 2. Prevent iOS text size adjust after orientation change, without disabling user zoom. */ +html { font-family: sans-serif; /* 1 */ -ms-text-size-adjust: 100%; /* 2 */ -webkit-text-size-adjust: 100%; /* 2 */ } + +/** Remove default margin. */ +body { margin: 0; } + +/* ========================================================================== Links ========================================================================== */ +/** Remove the gray background color from active links in IE 10. */ +a { background: transparent; } + +/** Address `outline` inconsistency between Chrome and other browsers. */ +a:focus { outline: thin dotted; } + +/** Improve readability when focused and also mouse hovered in all browsers. */ +a:active, a:hover { outline: 0; } + +/* ========================================================================== Typography ========================================================================== */ +/** Address variable `h1` font-size and margin within `section` and `article` contexts in Firefox 4+, Safari 5, and Chrome. */ +h1 { font-size: 2em; margin: 0.67em 0; } + +/** Address styling not present in IE 8/9, Safari 5, and Chrome. */ +abbr[title] { border-bottom: 1px dotted; } + +/** Address style set to `bolder` in Firefox 4+, Safari 5, and Chrome. */ +b, strong { font-weight: bold; } + +/** Address styling not present in Safari 5 and Chrome. */ +dfn { font-style: italic; } + +/** Address differences between Firefox and other browsers. */ +hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } + +/** Address styling not present in IE 8/9. */ +mark { background: #ff0; color: #000; } + +/** Correct font family set oddly in Safari 5 and Chrome. */ +code, kbd, pre, samp { font-family: monospace, serif; font-size: 1em; } + +/** Improve readability of pre-formatted text in all browsers. */ +pre { white-space: pre-wrap; } + +/** Set consistent quote types. */ +q { quotes: "\201C" "\201D" "\2018" "\2019"; } + +/** Address inconsistent and variable font size in all browsers. */ +small { font-size: 80%; } + +/** Prevent `sub` and `sup` affecting `line-height` in all browsers. */ +sub, sup { font-size: 75%; line-height: 0; position: relative; vertical-align: baseline; } + +sup { top: -0.5em; } + +sub { bottom: -0.25em; } + +/* ========================================================================== Embedded content ========================================================================== */ +/** Remove border when inside `a` element in IE 8/9. */ +img { border: 0; } + +/** Correct overflow displayed oddly in IE 9. */ +svg:not(:root) { overflow: hidden; } + +/* ========================================================================== Figures ========================================================================== */ +/** Address margin not present in IE 8/9 and Safari 5. */ +figure { margin: 0; } + +/* ========================================================================== Forms ========================================================================== */ +/** Define consistent border, margin, and padding. */ +fieldset { border: 1px solid #c0c0c0; margin: 0 2px; padding: 0.35em 0.625em 0.75em; } + +/** 1. Correct `color` not being inherited in IE 8/9. 2. Remove padding so people aren't caught out if they zero out fieldsets. */ +legend { border: 0; /* 1 */ padding: 0; /* 2 */ } + +/** 1. Correct font family not being inherited in all browsers. 2. Correct font size not being inherited in all browsers. 3. Address margins set differently in Firefox 4+, Safari 5, and Chrome. */ +button, input, select, textarea { font-family: inherit; /* 1 */ font-size: 100%; /* 2 */ margin: 0; /* 3 */ } + +/** Address Firefox 4+ setting `line-height` on `input` using `!important` in the UA stylesheet. */ +button, input { line-height: normal; } + +/** Address inconsistent `text-transform` inheritance for `button` and `select`. All other form control elements do not inherit `text-transform` values. Correct `button` style inheritance in Chrome, Safari 5+, and IE 8+. Correct `select` style inheritance in Firefox 4+ and Opera. */ +button, select { text-transform: none; } + +/** 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio` and `video` controls. 2. Correct inability to style clickable `input` types in iOS. 3. Improve usability and consistency of cursor style between image-type `input` and others. */ +button, html input[type="button"], input[type="reset"], input[type="submit"] { -webkit-appearance: button; /* 2 */ cursor: pointer; /* 3 */ } + +/** Re-set default cursor for disabled elements. */ +button[disabled], html input[disabled] { cursor: default; } + +/** 1. Address box sizing set to `content-box` in IE 8/9. 2. Remove excess padding in IE 8/9. */ +input[type="checkbox"], input[type="radio"] { box-sizing: border-box; /* 1 */ padding: 0; /* 2 */ } + +/** 1. Address `appearance` set to `searchfield` in Safari 5 and Chrome. 2. Address `box-sizing` set to `border-box` in Safari 5 and Chrome (include `-moz` to future-proof). */ +input[type="search"] { -webkit-appearance: textfield; /* 1 */ -moz-box-sizing: content-box; -webkit-box-sizing: content-box; /* 2 */ box-sizing: content-box; } + +/** Remove inner padding and search cancel button in Safari 5 and Chrome on OS X. */ +input[type="search"]::-webkit-search-cancel-button, input[type="search"]::-webkit-search-decoration { -webkit-appearance: none; } + +/** Remove inner padding and border in Firefox 4+. */ +button::-moz-focus-inner, input::-moz-focus-inner { border: 0; padding: 0; } + +/** 1. Remove default vertical scrollbar in IE 8/9. 2. Improve readability and alignment in all browsers. */ +textarea { overflow: auto; /* 1 */ vertical-align: top; /* 2 */ } + +/* ========================================================================== Tables ========================================================================== */ +/** Remove most spacing between table cells. */ +table { border-collapse: collapse; border-spacing: 0; } + +meta.foundation-mq-small { font-family: "only screen and (min-width: 768px)"; width: 768px; } + +meta.foundation-mq-medium { font-family: "only screen and (min-width:1280px)"; width: 1280px; } + +meta.foundation-mq-large { font-family: "only screen and (min-width:1440px)"; width: 1440px; } + +*, *:before, *:after { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; } + +html, body { font-size: 100%; } + +body { background: white; color: rgba(0, 0, 0, 0.8); padding: 0; margin: 0; font-family: Georgia, "Times New Roman", Times, serif; font-weight: normal; font-style: normal; line-height: 1; position: relative; cursor: auto; } + +a:hover { cursor: pointer; } + +img, object, embed { max-width: 100%; height: auto; } + +object, embed { height: 100%; } + +img { -ms-interpolation-mode: bicubic; } + +#map_canvas img, #map_canvas embed, #map_canvas object, .map_canvas img, .map_canvas embed, .map_canvas object { max-width: none !important; } + +.left { float: left !important; } + +.right { float: right !important; } + +.text-left { text-align: left !important; } + +.text-right { text-align: right !important; } + +.text-center { text-align: center !important; } + +.text-justify { text-align: justify !important; } + +.hide { display: none; } + +.antialiased { -webkit-font-smoothing: antialiased; } + +img { display: inline-block; vertical-align: middle; } + +textarea { height: auto; min-height: 50px; } + +select { width: 100%; } + +p.lead { font-size: 1.21875em; line-height: 1.6; } + +.subheader, .admonitionblock td.content > .title, .audioblock > .title, .exampleblock > .title, .imageblock > .title, .listingblock > .title, .literalblock > .title, .stemblock > .title, .openblock > .title, .paragraph > .title, .quoteblock > .title, table.tableblock > .title, .verseblock > .title, .videoblock > .title, .dlist > .title, .olist > .title, .ulist > .title, .qlist > .title, .hdlist > .title { line-height: 1.45; color: #00234c; font-weight: normal; margin-top: 0; margin-bottom: 0.25em; } + +/* Typography resets */ +div, dl, dt, dd, ul, ol, li, h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6, pre, form, p, blockquote, th, td { margin: 0; padding: 0; direction: ltr; } + +/* Default Link Styles */ +a { color: #2156a5; text-decoration: underline; line-height: inherit; } +a:hover, a:focus { color: #1d4b8f; } +a img { border: none; } + +/* Default paragraph styles */ +p { font-family: inherit; font-weight: normal; font-size: 1em; line-height: 1.6; margin-bottom: 1.25em; text-rendering: optimizeLegibility; } +p aside { font-size: 0.875em; line-height: 1.35; font-style: italic; } + +/* Default header styles */ +h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; font-weight: 300; font-style: normal; color: #004698; text-rendering: optimizeLegibility; margin-top: 1em; margin-bottom: 0.5em; line-height: 1.0125em; } +h1 small, h2 small, h3 small, #toctitle small, .sidebarblock > .content > .title small, h4 small, h5 small, h6 small { font-size: 60%; color: #3290ff; line-height: 0; } + +h1 { font-size: 2.125em; } + +h2 { font-size: 1.6875em; } + +h3, #toctitle, .sidebarblock > .content > .title { font-size: 1.375em; } + +h4 { font-size: 1.125em; } + +h5 { font-size: 1.125em; } + +h6 { font-size: 1em; } + +hr { border: solid #ddddd8; border-width: 1px 0 0; clear: both; margin: 1.25em 0 1.1875em; height: 0; } + +/* Helpful Typography Defaults */ +em, i { font-style: italic; line-height: inherit; } + +strong, b { font-weight: bold; line-height: inherit; } + +small { font-size: 60%; line-height: inherit; } + +code { font-family: "Lucida Console", Menlo, Consolas, monospace; font-weight: normal; color: rgba(0, 0, 0, 0.9); } + +/* Lists */ +ul, ol, dl { font-size: 1em; line-height: 1.6; margin-bottom: 1.25em; list-style-position: outside; font-family: inherit; } + +ul, ol { margin-left: 1.5em; } +ul.no-bullet, ol.no-bullet { margin-left: 1.5em; } + +/* Unordered Lists */ +ul li ul, ul li ol { margin-left: 1.25em; margin-bottom: 0; font-size: 1em; /* Override nested font-size change */ } +ul.square li ul, ul.circle li ul, ul.disc li ul { list-style: inherit; } +ul.square { list-style-type: square; } +ul.circle { list-style-type: circle; } +ul.disc { list-style-type: disc; } +ul.no-bullet { list-style: none; } + +/* Ordered Lists */ +ol li ul, ol li ol { margin-left: 1.25em; margin-bottom: 0; } + +/* Definition Lists */ +dl dt { margin-bottom: 0.3125em; font-weight: bold; } +dl dd { margin-bottom: 1.25em; } + +/* Abbreviations */ +abbr, acronym { text-transform: uppercase; font-size: 90%; color: rgba(0, 0, 0, 0.8); border-bottom: 1px dotted #dddddd; cursor: help; } + +abbr { text-transform: none; } + +/* Blockquotes */ +blockquote { margin: 0 0 1.25em; padding: 0.5625em 1.25em 0 1.1875em; border-left: 1px solid #dddddd; } +blockquote cite { display: block; font-size: 0.9375em; color: rgba(0, 0, 0, 0.6); } +blockquote cite:before { content: "\2014 \0020"; } +blockquote cite a, blockquote cite a:visited { color: rgba(0, 0, 0, 0.6); } + +blockquote, blockquote p { line-height: 1.6; color: rgba(0, 0, 0, 0.85); } + +/* Microformats */ +.vcard { display: inline-block; margin: 0 0 1.25em 0; border: 1px solid #dddddd; padding: 0.625em 0.75em; } +.vcard li { margin: 0; display: block; } +.vcard .fn { font-weight: bold; font-size: 0.9375em; } + +.vevent .summary { font-weight: bold; } +.vevent abbr { cursor: auto; text-decoration: none; font-weight: bold; border: none; padding: 0 0.0625em; } + +@media only screen and (min-width: 768px) { h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { line-height: 1.2; } + h1 { font-size: 2.75em; } + h2 { font-size: 2.3125em; } + h3, #toctitle, .sidebarblock > .content > .title { font-size: 1.6875em; } + h4 { font-size: 1.4375em; } } +/* Tables */ +table { background: white; margin-bottom: 1.25em; border: solid 1px #dedede; } +table thead, table tfoot { background: #f7f8f7; font-weight: bold; } +table thead tr th, table thead tr td, table tfoot tr th, table tfoot tr td { padding: 0.5em 0.625em 0.625em; font-size: inherit; color: rgba(0, 0, 0, 0.8); text-align: left; } +table tr th, table tr td { padding: 0.5625em 0.625em; font-size: inherit; color: rgba(0, 0, 0, 0.8); } +table tr.even, table tr.alt, table tr:nth-of-type(even) { background: #f8f8f7; } +table thead tr th, table tfoot tr th, table tbody tr td, table tr td, table tfoot tr td { display: table-cell; line-height: 1.6; } + +body { tab-size: 4; word-wrap: anywhere; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } + +table { word-wrap: normal; } + +h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { line-height: 1.2; word-spacing: -0.05em; } +h1 strong, h2 strong, h3 strong, #toctitle strong, .sidebarblock > .content > .title strong, h4 strong, h5 strong, h6 strong { font-weight: 400; } + +object, svg { display: inline-block; vertical-align: middle; } + +.center { margin-left: auto; margin-right: auto; } + +.stretch { width: 100%; } + +.clearfix:before, .clearfix:after, .float-group:before, .float-group:after { content: " "; display: table; } +.clearfix:after, .float-group:after { clear: both; } + +:not(pre).nobreak { word-wrap: normal; } +:not(pre).nowrap { white-space: nowrap; } +:not(pre).pre-wrap { white-space: pre-wrap; } + +:not(pre):not([class^=L]) > code { font-size: 0.9375em; font-style: normal !important; letter-spacing: 0; padding: 0.1em 0.5ex; word-spacing: -0.15em; background-color: #f7f7f8; -webkit-border-radius: 4px; border-radius: 4px; line-height: 1.45; text-rendering: optimizeSpeed; } + +pre { color: rgba(0, 0, 0, 0.9); font-family: "Lucida Console", Menlo, Consolas, monospace; line-height: 1.45; text-rendering: optimizeSpeed; } +pre code, pre pre { color: inherit; font-size: inherit; line-height: inherit; } +pre > code { display: block; } + +pre.nowrap, pre.nowrap pre { white-space: pre; word-wrap: normal; } + +em em { font-style: normal; } + +strong strong { font-weight: normal; } + +.keyseq { color: rgba(51, 51, 51, 0.8); } + +kbd { font-family: "Lucida Console", Menlo, Consolas, monospace; display: inline-block; color: rgba(0, 0, 0, 0.8); font-size: 0.65em; line-height: 1.45; background-color: #f7f7f7; border: 1px solid #ccc; -webkit-border-radius: 3px; border-radius: 3px; -webkit-box-shadow: 0 1px 0 rgba(0, 0, 0, 0.2), 0 0 0 0.1em white inset; box-shadow: 0 1px 0 rgba(0, 0, 0, 0.2), 0 0 0 0.1em white inset; margin: 0 0.15em; padding: 0.2em 0.5em; vertical-align: middle; position: relative; top: -0.1em; white-space: nowrap; } + +.keyseq kbd:first-child { margin-left: 0; } + +.keyseq kbd:last-child { margin-right: 0; } + +.menuseq, .menuref { color: #000; } + +.menuseq b:not(.caret), .menuref { font-weight: inherit; } + +.menuseq { word-spacing: -0.02em; } +.menuseq b.caret { font-size: 1.25em; line-height: 0.8; } +.menuseq i.caret { font-weight: bold; text-align: center; width: 0.45em; } + +b.button:before, b.button:after { position: relative; top: -1px; font-weight: normal; } + +b.button:before { content: "["; padding: 0 3px 0 2px; } + +b.button:after { content: "]"; padding: 0 2px 0 3px; } + +p a > code:hover { color: rgba(0, 0, 0, 0.9); } + +#header, #content, #footnotes, #footer { width: 100%; margin-left: auto; margin-right: auto; margin-top: 0; margin-bottom: 0; max-width: 62.5em; *zoom: 1; position: relative; padding-left: 0.9375em; padding-right: 0.9375em; } +#header:before, #header:after, #content:before, #content:after, #footnotes:before, #footnotes:after, #footer:before, #footer:after { content: " "; display: table; } +#header:after, #content:after, #footnotes:after, #footer:after { clear: both; } + +#content { margin-top: 1.25em; } + +#content:before { content: none; } + +#header > h1:first-child { color: rgba(0, 0, 0, 0.85); margin-top: 2.25rem; margin-bottom: 0; } +#header > h1:first-child + #toc { margin-top: 8px; border-top: 1px solid #ddddd8; } +#header > h1:only-child, body.toc2 #header > h1:nth-last-child(2) { border-bottom: 1px solid #ddddd8; padding-bottom: 8px; } +#header .details { border-bottom: 1px solid #ddddd8; line-height: 1.45; padding-top: 0.25em; padding-bottom: 0.25em; padding-left: 0.25em; color: rgba(0, 0, 0, 0.6); display: -ms-flexbox; display: -webkit-flex; display: flex; -ms-flex-flow: row wrap; -webkit-flex-flow: row wrap; flex-flow: row wrap; } +#header .details span:first-child { margin-left: -0.125em; } +#header .details span.email a { color: rgba(0, 0, 0, 0.85); } +#header .details br { display: none; } +#header .details br + span:before { content: "\00a0\2013\00a0"; } +#header .details br + span.author:before { content: "\00a0\22c5\00a0"; color: rgba(0, 0, 0, 0.85); } +#header .details br + span#revremark:before { content: "\00a0|\00a0"; } +#header #revnumber { text-transform: capitalize; } +#header #revnumber:after { content: "\00a0"; } + +#content > h1:first-child:not([class]) { color: rgba(0, 0, 0, 0.85); border-bottom: 1px solid #ddddd8; padding-bottom: 8px; margin-top: 0; padding-top: 1rem; margin-bottom: 1.25rem; } + +#toc { border-bottom: 1px solid #efefed; padding-bottom: 0.5em; } +#toc > ul { margin-left: 0.125em; } +#toc ul.sectlevel0 > li > a { font-style: italic; } +#toc ul.sectlevel0 ul.sectlevel1 { margin: 0.5em 0; } +#toc ul { font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; list-style-type: none; } +#toc li { line-height: 1.3334; margin-top: 0.3334em; } +#toc a { text-decoration: none; } +#toc a:active { text-decoration: underline; } + +#toctitle { color: #00234c; font-size: 1.2em; } + +@media only screen and (min-width: 768px) { #toctitle { font-size: 1.375em; } + body.toc2 { padding-left: 15em; padding-right: 0; } + #toc.toc2 { margin-top: 0 !important; background: #f8f8f7; position: fixed; width: 15em; left: 0; top: 0; border-right: 1px solid #efefed; border-top-width: 0 !important; border-bottom-width: 0 !important; z-index: 1000; padding: 1.25em 1em; height: 100%; overflow: auto; } + #toc.toc2 #toctitle { margin-top: 0; margin-bottom: 0.8rem; font-size: 1.2em; } + #toc.toc2 > ul { font-size: 0.9em; margin-bottom: 0; } + #toc.toc2 ul ul { margin-left: 0; padding-left: 1em; } + #toc.toc2 ul.sectlevel0 ul.sectlevel1 { padding-left: 0; margin-top: 0.5em; margin-bottom: 0.5em; } + body.toc2.toc-right { padding-left: 0; padding-right: 15em; } + body.toc2.toc-right #toc.toc2 { border-right-width: 0; border-left: 1px solid #efefed; left: auto; right: 0; } } +@media only screen and (min-width: 1280px) { body.toc2 { padding-left: 20em; padding-right: 0; } + #toc.toc2 { width: 20em; } + #toc.toc2 #toctitle { font-size: 1.375em; } + #toc.toc2 > ul { font-size: 0.95em; } + #toc.toc2 ul ul { padding-left: 1.25em; } + body.toc2.toc-right { padding-left: 0; padding-right: 20em; } } +#content #toc { border-style: solid; border-width: 1px; border-color: #e0e0dc; margin-bottom: 1.25em; padding: 1.25em; background: #f8f8f7; -webkit-border-radius: 4px; border-radius: 4px; } +#content #toc > :first-child { margin-top: 0; } +#content #toc > :last-child { margin-bottom: 0; } + +#footer { max-width: none; background: rgba(0, 0, 0, 0.8); padding: 1.25em; } + +#footer-text { color: rgba(255, 255, 255, 0.8); line-height: 1.44; } + +#content { margin-bottom: 0.625em; } + +.sect1 { padding-bottom: 0.625em; } + +@media only screen and (min-width: 768px) { #content { margin-bottom: 1.25em; } + .sect1 { padding-bottom: 1.25em; } } +.sect1:last-child { padding-bottom: 0; } + +.sect1 + .sect1 { border-top: 1px solid #efefed; } + +#content h1 > a.anchor, h2 > a.anchor, h3 > a.anchor, #toctitle > a.anchor, .sidebarblock > .content > .title > a.anchor, h4 > a.anchor, h5 > a.anchor, h6 > a.anchor { position: absolute; z-index: 1001; width: 1.5ex; margin-left: -1.5ex; display: block; text-decoration: none !important; visibility: hidden; text-align: center; font-weight: normal; } +#content h1 > a.anchor:before, h2 > a.anchor:before, h3 > a.anchor:before, #toctitle > a.anchor:before, .sidebarblock > .content > .title > a.anchor:before, h4 > a.anchor:before, h5 > a.anchor:before, h6 > a.anchor:before { content: "\00A7"; font-size: 0.85em; display: block; padding-top: 0.1em; } +#content h1:hover > a.anchor, #content h1 > a.anchor:hover, h2:hover > a.anchor, h2 > a.anchor:hover, h3:hover > a.anchor, #toctitle:hover > a.anchor, .sidebarblock > .content > .title:hover > a.anchor, h3 > a.anchor:hover, #toctitle > a.anchor:hover, .sidebarblock > .content > .title > a.anchor:hover, h4:hover > a.anchor, h4 > a.anchor:hover, h5:hover > a.anchor, h5 > a.anchor:hover, h6:hover > a.anchor, h6 > a.anchor:hover { visibility: visible; } +#content h1 > a.link, h2 > a.link, h3 > a.link, #toctitle > a.link, .sidebarblock > .content > .title > a.link, h4 > a.link, h5 > a.link, h6 > a.link { color: #004698; text-decoration: none; } +#content h1 > a.link:hover, h2 > a.link:hover, h3 > a.link:hover, #toctitle > a.link:hover, .sidebarblock > .content > .title > a.link:hover, h4 > a.link:hover, h5 > a.link:hover, h6 > a.link:hover { color: #003a7f; } + +details, .audioblock, .imageblock, .literalblock, .listingblock, .stemblock, .videoblock { margin-bottom: 1.25em; } + +details > summary:first-of-type { cursor: pointer; display: list-item; outline: none; margin-bottom: 0.75em; } + +.admonitionblock td.content > .title, .audioblock > .title, .exampleblock > .title, .imageblock > .title, .listingblock > .title, .literalblock > .title, .stemblock > .title, .openblock > .title, .paragraph > .title, .quoteblock > .title, table.tableblock > .title, .verseblock > .title, .videoblock > .title, .dlist > .title, .olist > .title, .ulist > .title, .qlist > .title, .hdlist > .title { text-rendering: optimizeLegibility; text-align: left; font-family: Georgia, "Times New Roman", Times, serif; font-size: 1rem; font-style: italic; } + +table.tableblock.fit-content > caption.title { white-space: nowrap; width: 0; } + +.paragraph.lead > p, #preamble > .sectionbody > [class="paragraph"]:first-of-type p { font-size: 1.21875em; line-height: 1.6; color: rgba(0, 0, 0, 0.85); } + +.admonitionblock > table { border-collapse: separate; border: 0; background: none; width: 100%; } +.admonitionblock > table td.icon { text-align: center; width: 80px; } +.admonitionblock > table td.icon img { max-width: none; } +.admonitionblock > table td.icon .title { font-weight: bold; font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; text-transform: uppercase; } +.admonitionblock > table td.content { padding-left: 1.125em; padding-right: 1.25em; border-left: 1px solid #ddddd8; color: rgba(0, 0, 0, 0.6); word-wrap: anywhere; } +.admonitionblock > table td.content > :last-child > :last-child { margin-bottom: 0; } + +.exampleblock > .content { border-style: solid; border-width: 1px; border-color: #e6e6e6; margin-bottom: 1.25em; padding: 1.25em; background: white; -webkit-border-radius: 4px; border-radius: 4px; } +.exampleblock > .content > :first-child { margin-top: 0; } +.exampleblock > .content > :last-child { margin-bottom: 0; } + +.sidebarblock { border-style: solid; border-width: 1px; border-color: #dbdbd6; margin-bottom: 1.25em; padding: 1.25em; background: #f3f3f2; -webkit-border-radius: 4px; border-radius: 4px; } +.sidebarblock > :first-child { margin-top: 0; } +.sidebarblock > :last-child { margin-bottom: 0; } +.sidebarblock > .content > .title { color: #00234c; margin-top: 0; text-align: center; } + +.exampleblock > .content > :last-child > :last-child, .exampleblock > .content .olist > ol > li:last-child > :last-child, .exampleblock > .content .ulist > ul > li:last-child > :last-child, .exampleblock > .content .qlist > ol > li:last-child > :last-child, .sidebarblock > .content > :last-child > :last-child, .sidebarblock > .content .olist > ol > li:last-child > :last-child, .sidebarblock > .content .ulist > ul > li:last-child > :last-child, .sidebarblock > .content .qlist > ol > li:last-child > :last-child { margin-bottom: 0; } + +.literalblock pre, .listingblock > .content > pre { -webkit-border-radius: 4px; border-radius: 4px; overflow-x: auto; padding: 1em; font-size: 0.8125em; } +@media only screen and (min-width: 768px) { .literalblock pre, .listingblock > .content > pre { font-size: 0.90625em; } } +@media only screen and (min-width: 1280px) { .literalblock pre, .listingblock > .content > pre { font-size: 1em; } } + +.literalblock pre, .listingblock > .content > pre:not(.highlight), .listingblock > .content > pre[class="highlight"], .listingblock > .content > pre[class^="highlight "] { background: #f7f7f8; } + +.literalblock.output pre { color: #f7f7f8; background-color: rgba(0, 0, 0, 0.9); } + +.listingblock > .content { position: relative; } + +.listingblock code[data-lang]:before { display: none; content: attr(data-lang); position: absolute; font-size: 0.75em; top: 0.425rem; right: 0.5rem; line-height: 1; text-transform: uppercase; color: inherit; opacity: 0.5; } + +.listingblock:hover code[data-lang]:before { display: block; } + +.listingblock.terminal pre .command:before { content: attr(data-prompt); padding-right: 0.5em; color: inherit; opacity: 0.5; } + +.listingblock.terminal pre .command:not([data-prompt]):before { content: "$"; } + +.listingblock pre.highlightjs { padding: 0; } +.listingblock pre.highlightjs > code { padding: 1em; -webkit-border-radius: 4px; border-radius: 4px; } + +.listingblock pre.prettyprint { border-width: 0; } + +.prettyprint { background: #f7f7f8; } + +pre.prettyprint .linenums { line-height: 1.45; margin-left: 2em; } + +pre.prettyprint li { background: none; list-style-type: inherit; padding-left: 0; } + +pre.prettyprint li code[data-lang]:before { opacity: 1; } + +pre.prettyprint li:not(:first-child) code[data-lang]:before { display: none; } + +table.linenotable { border-collapse: separate; border: 0; margin-bottom: 0; background: none; } +table.linenotable td[class] { color: inherit; vertical-align: top; padding: 0; line-height: inherit; white-space: normal; } +table.linenotable td.code { padding-left: 0.75em; } +table.linenotable td.linenos { border-right: 1px solid currentColor; opacity: 0.35; padding-right: 0.5em; } + +pre.pygments .lineno { border-right: 1px solid currentColor; opacity: 0.35; display: inline-block; margin-right: 0.75em; } +pre.pygments .lineno:before { content: ""; margin-right: -0.125em; } + +.quoteblock { margin: 0 1em 1.25em 1.5em; display: table; } +.quoteblock:not(.excerpt) > .title { margin-left: -1.5em; margin-bottom: 0.75em; } +.quoteblock blockquote, .quoteblock p { color: rgba(0, 0, 0, 0.85); font-size: 1.15rem; line-height: 1.75; word-spacing: 0.1em; letter-spacing: 0; font-style: italic; text-align: justify; } +.quoteblock blockquote { margin: 0; padding: 0; border: 0; } +.quoteblock blockquote:before { content: "\201c"; float: left; font-size: 2.75em; font-weight: bold; line-height: 0.6em; margin-left: -0.6em; color: #00234c; text-shadow: 0 1px 2px rgba(0, 0, 0, 0.1); } +.quoteblock blockquote > .paragraph:last-child p { margin-bottom: 0; } +.quoteblock .attribution { margin-top: 0.75em; margin-right: 0.5ex; text-align: right; } + +.verseblock { margin: 0 1em 1.25em 1em; } +.verseblock pre { font-family: "Open Sans", "DejaVu Sans", sans-serif; font-size: 1.15rem; color: rgba(0, 0, 0, 0.85); font-weight: 300; text-rendering: optimizeLegibility; } +.verseblock pre strong { font-weight: 400; } +.verseblock .attribution { margin-top: 1.25rem; margin-left: 0.5ex; } + +.quoteblock .attribution, .verseblock .attribution { font-size: 0.9375em; line-height: 1.45; font-style: italic; } +.quoteblock .attribution br, .verseblock .attribution br { display: none; } +.quoteblock .attribution cite, .verseblock .attribution cite { display: block; letter-spacing: -0.025em; color: rgba(0, 0, 0, 0.6); } + +.quoteblock.abstract blockquote:before, .quoteblock.excerpt blockquote:before, .quoteblock .quoteblock blockquote:before { display: none; } +.quoteblock.abstract blockquote, .quoteblock.abstract p, .quoteblock.excerpt blockquote, .quoteblock.excerpt p, .quoteblock .quoteblock blockquote, .quoteblock .quoteblock p { line-height: 1.6; word-spacing: 0; } +.quoteblock.abstract { margin: 0 1em 1.25em 1em; display: block; } +.quoteblock.abstract > .title { margin: 0 0 0.375em 0; font-size: 1.15em; text-align: center; } +.quoteblock.excerpt > blockquote, .quoteblock .quoteblock { padding: 0 0 0.25em 1em; border-left: 0.25em solid #ddddd8; } +.quoteblock.excerpt, .quoteblock .quoteblock { margin-left: 0; } +.quoteblock.excerpt blockquote, .quoteblock.excerpt p, .quoteblock .quoteblock blockquote, .quoteblock .quoteblock p { color: inherit; font-size: 1.0625rem; } +.quoteblock.excerpt .attribution, .quoteblock .quoteblock .attribution { color: inherit; font-size: 0.85rem; text-align: left; margin-right: 0; } + +p.tableblock:last-child { margin-bottom: 0; } + +td.tableblock > .content { margin-bottom: 1.25em; word-wrap: anywhere; } +td.tableblock > .content > :last-child { margin-bottom: -1.25em; } + +table.tableblock, th.tableblock, td.tableblock { border: 0 solid #dedede; } + +table.grid-all > * > tr > * { border-width: 1px; } + +table.grid-cols > * > tr > * { border-width: 0 1px; } + +table.grid-rows > * > tr > * { border-width: 1px 0; } + +table.frame-all { border-width: 1px; } + +table.frame-ends { border-width: 1px 0; } + +table.frame-sides { border-width: 0 1px; } + +table.frame-none > colgroup + * > :first-child > *, table.frame-sides > colgroup + * > :first-child > * { border-top-width: 0; } + +table.frame-none > :last-child > :last-child > *, table.frame-sides > :last-child > :last-child > * { border-bottom-width: 0; } + +table.frame-none > * > tr > :first-child, table.frame-ends > * > tr > :first-child { border-left-width: 0; } + +table.frame-none > * > tr > :last-child, table.frame-ends > * > tr > :last-child { border-right-width: 0; } + +table.stripe-all tr, table.stripe-odd tr:nth-of-type(odd) { background: #f8f8f7; } + +table.stripe-none tr, table.stripe-odd tr:nth-of-type(even) { background: none; } + +th.halign-left, td.halign-left { text-align: left; } + +th.halign-right, td.halign-right { text-align: right; } + +th.halign-center, td.halign-center { text-align: center; } + +th.valign-top, td.valign-top { vertical-align: top; } + +th.valign-bottom, td.valign-bottom { vertical-align: bottom; } + +th.valign-middle, td.valign-middle { vertical-align: middle; } + +table thead th, table tfoot th { font-weight: bold; } + +tbody tr th { display: table-cell; line-height: 1.6; background: #f7f8f7; } + +tbody tr th, tbody tr th p, tfoot tr th, tfoot tr th p { color: rgba(0, 0, 0, 0.8); font-weight: bold; } + +p.tableblock > code:only-child { background: none; padding: 0; } + +p.tableblock { font-size: 1em; } + +ol { margin-left: 1.75em; } + +ul li ol { margin-left: 1.5em; } + +dl dd { margin-left: 1.125em; } + +dl dd:last-child, dl dd:last-child > :last-child { margin-bottom: 0; } + +ol > li p, ul > li p, ul dd, ol dd, .olist .olist, .ulist .ulist, .ulist .olist, .olist .ulist { margin-bottom: 0.625em; } + +ul.checklist, ul.none, ol.none, ul.no-bullet, ol.no-bullet, ol.unnumbered, ul.unstyled, ol.unstyled { list-style-type: none; } + +ul.no-bullet, ol.no-bullet, ol.unnumbered { margin-left: 0.625em; } + +ul.unstyled, ol.unstyled { margin-left: 0; } + +ul.checklist > li > p:first-child { margin-left: -1em; } +ul.checklist > li > p:first-child > .fa-square-o:first-child, ul.checklist > li > p:first-child > .fa-check-square-o:first-child { width: 1.25em; font-size: 0.8em; position: relative; bottom: 0.125em; } +ul.checklist > li > p:first-child > input[type="checkbox"]:first-child { margin-right: 0.25em; } + +ul.inline { display: -ms-flexbox; display: -webkit-box; display: flex; -ms-flex-flow: row wrap; -webkit-flex-flow: row wrap; flex-flow: row wrap; list-style: none; margin: 0 0 0.625em -1.25em; } + +ul.inline > li { margin-left: 1.25em; } + +.unstyled dl dt { font-weight: normal; font-style: normal; } + +ol.arabic { list-style-type: decimal; } + +ol.decimal { list-style-type: decimal-leading-zero; } + +ol.loweralpha { list-style-type: lower-alpha; } + +ol.upperalpha { list-style-type: upper-alpha; } + +ol.lowerroman { list-style-type: lower-roman; } + +ol.upperroman { list-style-type: upper-roman; } + +ol.lowergreek { list-style-type: lower-greek; } + +.hdlist > table, .colist > table { border: 0; background: none; } +.hdlist > table > tbody > tr, .colist > table > tbody > tr { background: none; } + +td.hdlist1, td.hdlist2 { vertical-align: top; padding: 0 0.625em; } + +td.hdlist1 { font-weight: bold; padding-bottom: 1.25em; } + +td.hdlist2 { word-wrap: anywhere; } + +.literalblock + .colist, .listingblock + .colist { margin-top: -0.5em; } + +.colist td:not([class]):first-child { padding: 0.4em 0.75em 0 0.75em; line-height: 1; vertical-align: top; } +.colist td:not([class]):first-child img { max-width: none; } +.colist td:not([class]):last-child { padding: 0.25em 0; } + +.thumb, .th { line-height: 0; display: inline-block; border: solid 4px white; -webkit-box-shadow: 0 0 0 1px #dddddd; box-shadow: 0 0 0 1px #dddddd; } + +.imageblock.left { margin: 0.25em 0.625em 1.25em 0; } +.imageblock.right { margin: 0.25em 0 1.25em 0.625em; } +.imageblock > .title { margin-bottom: 0; } +.imageblock.thumb, .imageblock.th { border-width: 6px; } +.imageblock.thumb > .title, .imageblock.th > .title { padding: 0 0.125em; } + +.image.left, .image.right { margin-top: 0.25em; margin-bottom: 0.25em; display: inline-block; line-height: 0; } +.image.left { margin-right: 0.625em; } +.image.right { margin-left: 0.625em; } + +a.image { text-decoration: none; display: inline-block; } +a.image object { pointer-events: none; } + +sup.footnote, sup.footnoteref { font-size: 0.875em; position: static; vertical-align: super; } +sup.footnote a, sup.footnoteref a { text-decoration: none; } +sup.footnote a:active, sup.footnoteref a:active { text-decoration: underline; } + +#footnotes { padding-top: 0.75em; padding-bottom: 0.75em; margin-bottom: 0.625em; } +#footnotes hr { width: 20%; min-width: 6.25em; margin: -0.25em 0 0.75em 0; border-width: 1px 0 0 0; } +#footnotes .footnote { padding: 0 0.375em 0 0.225em; line-height: 1.3334; font-size: 0.875em; margin-left: 1.2em; margin-bottom: 0.2em; } +#footnotes .footnote a:first-of-type { font-weight: bold; text-decoration: none; margin-left: -1.05em; } +#footnotes .footnote:last-of-type { margin-bottom: 0; } +#content #footnotes { margin-top: -0.625em; margin-bottom: 0; padding: 0.75em 0; } + +.gist .file-data > table { border: 0; background: #fff; width: 100%; margin-bottom: 0; } +.gist .file-data > table td.line-data { width: 99%; } + +div.unbreakable { page-break-inside: avoid; } + +.big { font-size: larger; } + +.small { font-size: smaller; } + +.underline { text-decoration: underline; } + +.overline { text-decoration: overline; } + +.line-through { text-decoration: line-through; } + +.aqua { color: #00bfbf; } + +.aqua-background { background-color: #00fafa; } + +.black { color: black; } + +.black-background { background-color: black; } + +.blue { color: #0000bf; } + +.blue-background { background-color: #0000fa; } + +.fuchsia { color: #bf00bf; } + +.fuchsia-background { background-color: #fa00fa; } + +.gray { color: #606060; } + +.gray-background { background-color: #7d7d7d; } + +.green { color: #006000; } + +.green-background { background-color: #007d00; } + +.lime { color: #00bf00; } + +.lime-background { background-color: #00fa00; } + +.maroon { color: #600000; } + +.maroon-background { background-color: #7d0000; } + +.navy { color: #000060; } + +.navy-background { background-color: #00007d; } + +.olive { color: #606000; } + +.olive-background { background-color: #7d7d00; } + +.purple { color: #600060; } + +.purple-background { background-color: #7d007d; } + +.red { color: #bf0000; } + +.red-background { background-color: #fa0000; } + +.silver { color: #909090; } + +.silver-background { background-color: #bcbcbc; } + +.teal { color: #006060; } + +.teal-background { background-color: #007d7d; } + +.white { color: #bfbfbf; } + +.white-background { background-color: #fafafa; } + +.yellow { color: #bfbf00; } + +.yellow-background { background-color: #fafa00; } + +body { max-width: 250mm; margin-left: auto; margin-right: auto; } + +@media only screen and (min-width: 768px) { h1 { font-size: 2em; } + h2 { font-size: 1.8em; } + h3, #toctitle, .sidebarblock > .content > .title, #toctitle, .sidebarblock > .content > .title { font-size: 1.6em; } + h4 { font-size: 1.2em; } + h5 { font-size: 1.1em; } } +dt, th.tableblock, td.content, div.footnote { text-rendering: optimizeLegibility; } + +h1, h2, p, td.content, span.alt { letter-spacing: -0.01em; } + +p strong, td.content strong, div.footnote strong { letter-spacing: -0.005em; } + +p, blockquote, dt, td.content, span.alt { font-size: 1.0625rem; } + +p, pre { margin-bottom: 1.25rem; } + +.note td img, .tip td img, .important td img, .caution td img, .warning td img { max-width: none; min-width: 2em; } + +.sidebarblock p, .sidebarblock dt, .sidebarblock td.content, p.tableblock { font-size: 1em; } + +.exampleblock > .content { background-color: #fffef7; border-color: #e0e0dc; -webkit-box-shadow: 0 1px 4px #e0e0dc; box-shadow: 0 1px 4px #e0e0dc; } + +.guimenu, .guisubmenu, .guimenuitem { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; } + +.guibutton { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; border-radius: 4px; } + +.keycap { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; box-shadow: 1px 1px rgba(0, 0, 0, 0.2); border-radius: 4px; display: inline-block; min-width: 1.5em; text-align: center; } + +.print-only { display: none !important; } + +@page { margin: 1.25cm 0.75cm; } + +@media print { * { -webkit-box-shadow: none !important; box-shadow: none !important; text-shadow: none !important; } + body { max-width: default; } + html { font-size: 80%; } + a { color: inherit !important; text-decoration: underline !important; } + a.bare, a[href^="#"], a[href^="mailto:"] { text-decoration: none !important; } + a[href^="http:"]:not(.bare):after, a[href^="https:"]:not(.bare):after { content: "(" attr(href) ")"; display: inline-block; font-size: 0.875em; padding-left: 0.25em; } + abbr[title]:after { content: " (" attr(title) ")"; } + pre, blockquote, tr, img, object, svg { page-break-inside: avoid; } + thead { display: table-header-group; } + svg { max-width: 100%; } + p, blockquote, dt, td.content { font-size: 1em; orphans: 3; widows: 3; } + h2, h3, #toctitle, .sidebarblock > .content > .title, #toctitle, .sidebarblock > .content > .title { page-break-after: avoid; } + #header, #content, #footnotes, #footer { max-width: none; } + #toc, .sidebarblock, .exampleblock > .content { background: none !important; } + #toc { border-bottom: 1px solid #ddddd8 !important; padding-bottom: 0 !important; } + body.book #header { text-align: center; } + body.book #header > h1:first-child { border: 0 !important; margin: 2.5em 0 1em 0; } + body.book #header .details { border: 0 !important; display: block; padding: 0 !important; } + body.book #header .details span:first-child { margin-left: 0 !important; } + body.book #header .details br { display: block; } + body.book #header .details br + span:before { content: none !important; } + body.book #toc { border: 0 !important; text-align: left !important; padding: 0 !important; margin: 0 !important; } + body.book #toc, body.book #preamble, body.book h1.sect0, body.book .sect1 > h2 { page-break-before: always; } + .listingblock code[data-lang]:before { display: block; } + #footer { padding: 0 0.9375em; } + .hide-on-print { display: none !important; } + .print-only { display: block !important; } + .hide-for-print { display: none !important; } + .show-for-print { display: inherit !important; } } +@media print, amzn-kf8 { #header > h1:first-child { margin-top: 1.25rem; } + .sect1 { padding: 0 !important; } + .sect1 + .sect1 { border: 0; } + #footer { background: none; } + #footer-text { color: rgba(0, 0, 0, 0.6); font-size: 0.9em; } } +@media amzn-kf8 { #header, #content, #footnotes, #footer { padding: 0; } } diff --git a/doc/wsdg_src/developer-guide-docinfo.xml b/doc/wsdg_src/developer-guide-docinfo.xml new file mode 100644 index 00000000..341b061b --- /dev/null +++ b/doc/wsdg_src/developer-guide-docinfo.xml @@ -0,0 +1,85 @@ +<!-- Document information for the Developer's Guide. --> + +<!-- Updated by tools/make-version.py --> +<subtitle>For Wireshark 4.4</subtitle> + + <!-- <title><inlinegraphic entityref="WiresharkLogo" valign="middle" format="PNG"/> &DocumentTitle;</title> --> + +<authorgroup> + + <author><firstname>Ulf</firstname><surname>Lamping</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>ulf.lamping[AT]web.de</email> + </author> + + <author><firstname>Luis</firstname><othername>E.</othername><othername>Garcia</othername><surname>Ontanon</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>luis[AT]ontanon.org</email> + </author> + + <author><firstname>Graham</firstname><surname>Bloice</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>graham.bloice[AT]trihedral.com</email> + </author> + +</authorgroup> + +<!--<edition>&DocumentEdition;</edition> +<pubdate>2008</pubdate>--> +<copyright><year>2004-2014</year> + <holder>Ulf Lamping</holder> + <holder>Luis E. Garcia Ontanon</holder> + <holder>Graham Bloice</holder> +</copyright> + +<revhistory> + +<revision> + <revnumber>1.1</revnumber> + <date>28 Dec 2014</date> + <authorinitials>gb</authorinitials> + <revremark>Updated for 1.99.x and 2.0, move to VS2013.</revremark> +</revision> + +<revision> + <revnumber>1.0</revnumber> + <date>2 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Moved Lua reference from User's Guide to Developer's Guide.</revremark> +</revision> + +<revision> + <revnumber>0.9</revnumber> + <date>9 Feb 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Converted from DocBook to AsciiDoc.</revremark> +</revision> + +<revision> + <revnumber>0.5</revnumber> + <date>21 Jan 2007</date> + <authorinitials>ul</authorinitials> + <revremark>Major redesign.</revremark> +</revision> + +<revision> + <revnumber>0.1</revnumber> + <date>17 Aug 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Initial version.</revremark> +</revision> + +</revhistory> + +<legalnotice> + <simpara> + Permission is granted to copy, distribute + and/or modify this document under the terms of the GNU General Public + License, Version 2 or any later version published by the Free Software + Foundation. + </simpara> + <simpara> + All logos and trademarks in this document are property of their + respective owners. + </simpara> +</legalnotice> diff --git a/doc/wsdg_src/developer-guide.adoc b/doc/wsdg_src/developer-guide.adoc new file mode 100644 index 00000000..8f4bcbbe --- /dev/null +++ b/doc/wsdg_src/developer-guide.adoc @@ -0,0 +1,72 @@ +:doctype: book +include::../attributes.adoc[] + +// Electronic book attributes +:author: Ulf Lamping, Graham Bloice +:description: Wireshark Developer’s Guide +:keywords: Wireshark Developer Guide +ifdef::ebook-format-epub3[] +:front-cover-image: images/ws-dev-guide-cover.png +:toc: +endif::[] + += Wireshark Developer’s Guide: Version {wireshark-version} + +// Attributes +// XXX This should be surrounded by single quotes in the text. It’s +// currently surrounded by plus signs for AsciiDoc compatibility. +:dlt-glob: DLT_* +:qt6-lts-version: 6.5.3 +:source-highlighter: coderay + +include::wsdg_preface.adoc[] + +include::../common_src/typographic_conventions.adoc[] + +[#PartEnvironment] += Wireshark Build Environment + +[partintro] +.Wireshark Build Environment +-- +The first part describes how to set up the tools, libraries and sources needed to +generate Wireshark and how to do some typical development tasks. +-- + +include::wsdg_env_intro.adoc[] + +include::wsdg_quick_setup.adoc[] + +include::wsdg_sources.adoc[] + +include::wsdg_tools.adoc[] + +include::wsdg_libraries.adoc[] + +[#PartDevelopment] += Wireshark Development + +[partintro] +.Wireshark Development +-- +The second part describes how the Wireshark sources are structured and how to +change the sources such as adding a new dissector. +-- + +include::wsdg_build_intro.adoc[] + +include::wsdg_works.adoc[] + +include::wsdg_capture.adoc[] + +include::wsdg_dissection.adoc[] + +include::wsdg_lua_support.adoc[] + +include::wsdg_userinterface.adoc[] + +include::wsdg_tests.adoc[] + +include::wsdg_asn2wrs.adoc[] + +include::../common_src/gpl_appendix.adoc[] diff --git a/doc/wsdg_src/images/caution.svg b/doc/wsdg_src/images/caution.svg new file mode 100644 index 00000000..793c6020 --- /dev/null +++ b/doc/wsdg_src/images/caution.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightning-charge" viewBox="0 0 16 16"> + <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09zM4.157 8.5H7a.5.5 0 0 1 .478.647L6.11 13.59l5.732-6.09H9a.5.5 0 0 1-.478-.647L9.89 2.41 4.157 8.5z"/> +</svg> diff --git a/doc/wsdg_src/images/git-triangular-workflow.gv b/doc/wsdg_src/images/git-triangular-workflow.gv new file mode 100644 index 00000000..cb4fb174 --- /dev/null +++ b/doc/wsdg_src/images/git-triangular-workflow.gv @@ -0,0 +1,59 @@ +// dot -Tsvg -o doc/wsdg_graphics/git-triangular-workflow.svg doc/wsdg_graphics/git-triangular-workflow.gv + +digraph G { + // XXX Integrate ws.css. Match it manually for now. + graph [ + fontname = "Georgia", + fontsize = 12 + ]; + + node [ + fontname = "Georgia", + fontsize = 12, + shape=box, + style=rounded + ]; + + edge [ + fontname = "Georgia", + fontsize = 12 + ]; + + rankdir = TB; + ranksep = 1.0; + nodesep = 1.0; + // margin = "0.5,0.5"; + + main_repo [ + label=<Main Repository<br/><font point-size="9">gitlab.com/wireshark/wireshark</font>> + ] + + your_fork [ + label=<Your Fork<br/><font point-size="9">gitlab.com/you/wireshark</font>> + ] + + your_repo [ + label=<Your Local Repository<br/><font point-size="9">Somewhere on your machine</font>> + ] + + { rank = same; main_repo; your_fork; } + + // :nw adds needed space + main_repo -> your_fork:nw [ + label = "Fork (once)", + style = dashed + ] + + main_repo -> your_repo [ + label = "Pull" + ] + + your_repo -> your_fork [ + label = "Push" + ] + + your_fork -> main_repo [ + label = "Merge Request" + ] + +} diff --git a/doc/wsdg_src/images/git-triangular-workflow.svg b/doc/wsdg_src/images/git-triangular-workflow.svg new file mode 100644 index 00000000..1f8ae3ac --- /dev/null +++ b/doc/wsdg_src/images/git-triangular-workflow.svg @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<!-- Generated by graphviz version 2.44.1 (20200629.0846) + --> +<!-- Title: G Pages: 1 --> +<svg width="429pt" height="205pt" + viewBox="0.00 0.00 428.50 205.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> +<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 201)"> +<title>G</title> +<polygon fill="white" stroke="transparent" points="-4,4 -4,-201 424.5,-201 424.5,4 -4,4"/> +<!-- main_repo --> +<g id="node1" class="node"> +<title>main_repo</title> +<path fill="none" stroke="black" d="M134,-157C134,-157 12,-157 12,-157 6,-157 0,-151 0,-145 0,-145 0,-133 0,-133 0,-127 6,-121 12,-121 12,-121 134,-121 134,-121 140,-121 146,-127 146,-133 146,-133 146,-145 146,-145 146,-151 140,-157 134,-157"/> +<text text-anchor="start" x="27.5" y="-140.9" font-family="Georgia" font-size="12.00">Main Repository</text> +<text text-anchor="start" x="8" y="-131.3" font-family="Georgia" font-size="9.00">gitlab.com/wireshark/wireshark</text> +</g> +<!-- your_fork --> +<g id="node2" class="node"> +<title>your_fork</title> +<path fill="none" stroke="black" d="M408.5,-157C408.5,-157 311.5,-157 311.5,-157 305.5,-157 299.5,-151 299.5,-145 299.5,-145 299.5,-133 299.5,-133 299.5,-127 305.5,-121 311.5,-121 311.5,-121 408.5,-121 408.5,-121 414.5,-121 420.5,-127 420.5,-133 420.5,-133 420.5,-145 420.5,-145 420.5,-151 414.5,-157 408.5,-157"/> +<text text-anchor="start" x="332" y="-140.9" font-family="Georgia" font-size="12.00">Your Fork</text> +<text text-anchor="start" x="307.5" y="-131.3" font-family="Georgia" font-size="9.00">gitlab.com/you/wireshark</text> +</g> +<!-- main_repo->your_fork --> +<g id="edge1" class="edge"> +<title>main_repo->your_fork:nw</title> +<path fill="none" stroke="black" stroke-dasharray="5,2" d="M111.13,-157.13C158.91,-177.68 241.75,-203.49 292.02,-163.66"/> +<polygon fill="black" stroke="black" points="294.36,-166.27 299.5,-157 289.71,-161.04 294.36,-166.27"/> +<text text-anchor="middle" x="222" y="-187.4" font-family="Georgia" font-size="12.00">Fork (once)</text> +</g> +<!-- your_repo --> +<g id="node3" class="node"> +<title>your_repo</title> +<path fill="none" stroke="black" d="M272.5,-36C272.5,-36 159.5,-36 159.5,-36 153.5,-36 147.5,-30 147.5,-24 147.5,-24 147.5,-12 147.5,-12 147.5,-6 153.5,0 159.5,0 159.5,0 272.5,0 272.5,0 278.5,0 284.5,-6 284.5,-12 284.5,-12 284.5,-24 284.5,-24 284.5,-30 278.5,-36 272.5,-36"/> +<text text-anchor="start" x="155.5" y="-19.9" font-family="Georgia" font-size="12.00">Your Local Repository</text> +<text text-anchor="start" x="157.5" y="-10.3" font-family="Georgia" font-size="9.00">Somewhere on your machine</text> +</g> +<!-- main_repo->your_repo --> +<g id="edge2" class="edge"> +<title>main_repo->your_repo</title> +<path fill="none" stroke="black" d="M93.49,-120.95C118.23,-100.36 159.98,-65.62 187.76,-42.5"/> +<polygon fill="black" stroke="black" points="190.1,-45.11 195.55,-36.02 185.62,-39.72 190.1,-45.11"/> +<text text-anchor="middle" x="160" y="-75.4" font-family="Georgia" font-size="12.00">Pull</text> +</g> +<!-- your_fork->main_repo --> +<g id="edge4" class="edge"> +<title>your_fork->main_repo</title> +<path fill="none" stroke="black" d="M299.29,-139C257.86,-139 202.13,-139 156.46,-139"/> +<polygon fill="black" stroke="black" points="156.29,-135.5 146.29,-139 156.29,-142.5 156.29,-135.5"/> +<text text-anchor="middle" x="222" y="-142.4" font-family="Georgia" font-size="12.00">Merge Request</text> +</g> +<!-- your_repo->your_fork --> +<g id="edge3" class="edge"> +<title>your_repo->your_fork</title> +<path fill="none" stroke="black" d="M236.59,-36.02C261.49,-56.59 303.53,-91.33 331.52,-114.46"/> +<polygon fill="black" stroke="black" points="329.43,-117.28 339.37,-120.95 333.89,-111.88 329.43,-117.28"/> +<text text-anchor="middle" x="305.5" y="-75.4" font-family="Georgia" font-size="12.00">Push</text> +</g> +</g> +</svg> diff --git a/doc/wsdg_src/images/important.svg b/doc/wsdg_src/images/important.svg new file mode 100644 index 00000000..a2ee7012 --- /dev/null +++ b/doc/wsdg_src/images/important.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-circle" viewBox="0 0 16 16"> + <path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/> + <path d="M7.002 11a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 4.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 4.995z"/> +</svg> diff --git a/doc/wsdg_src/images/note.svg b/doc/wsdg_src/images/note.svg new file mode 100644 index 00000000..803dc13e --- /dev/null +++ b/doc/wsdg_src/images/note.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-sticky" viewBox="0 0 16 16"> + <path d="M2.5 1A1.5 1.5 0 0 0 1 2.5v11A1.5 1.5 0 0 0 2.5 15h6.086a1.5 1.5 0 0 0 1.06-.44l4.915-4.914A1.5 1.5 0 0 0 15 8.586V2.5A1.5 1.5 0 0 0 13.5 1h-11zM2 2.5a.5.5 0 0 1 .5-.5h11a.5.5 0 0 1 .5.5V8H9.5A1.5 1.5 0 0 0 8 9.5V14H2.5a.5.5 0 0 1-.5-.5v-11zm7 11.293V9.5a.5.5 0 0 1 .5-.5h4.293L9 13.793z"/> +</svg> diff --git a/doc/wsdg_src/images/tip.svg b/doc/wsdg_src/images/tip.svg new file mode 100644 index 00000000..1a60b74a --- /dev/null +++ b/doc/wsdg_src/images/tip.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightbulb" viewBox="0 0 16 16"> + <path d="M2 6a6 6 0 1 1 10.174 4.31c-.203.196-.359.4-.453.619l-.762 1.769A.5.5 0 0 1 10.5 13a.5.5 0 0 1 0 1 .5.5 0 0 1 0 1l-.224.447a1 1 0 0 1-.894.553H6.618a1 1 0 0 1-.894-.553L5.5 15a.5.5 0 0 1 0-1 .5.5 0 0 1 0-1 .5.5 0 0 1-.46-.302l-.761-1.77a1.964 1.964 0 0 0-.453-.618A5.984 5.984 0 0 1 2 6zm6-5a5 5 0 0 0-3.479 8.592c.263.254.514.564.676.941L5.83 12h4.342l.632-1.467c.162-.377.413-.687.676-.941A5 5 0 0 0 8 1z"/> +</svg> diff --git a/doc/wsdg_src/images/warning.svg b/doc/wsdg_src/images/warning.svg new file mode 100644 index 00000000..80c0ba5c --- /dev/null +++ b/doc/wsdg_src/images/warning.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-triangle" viewBox="0 0 16 16"> + <path d="M7.938 2.016A.13.13 0 0 1 8.002 2a.13.13 0 0 1 .063.016.146.146 0 0 1 .054.057l6.857 11.667c.036.06.035.124.002.183a.163.163 0 0 1-.054.06.116.116 0 0 1-.066.017H1.146a.115.115 0 0 1-.066-.017.163.163 0 0 1-.054-.06.176.176 0 0 1 .002-.183L7.884 2.073a.147.147 0 0 1 .054-.057zm1.044-.45a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566z"/> + <path d="M7.002 12a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 5.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995z"/> +</svg> diff --git a/doc/wsdg_src/images/ws-capture-sync.dia b/doc/wsdg_src/images/ws-capture-sync.dia Binary files differnew file mode 100644 index 00000000..00ba9cf8 --- /dev/null +++ b/doc/wsdg_src/images/ws-capture-sync.dia diff --git a/doc/wsdg_src/images/ws-capture-sync.png b/doc/wsdg_src/images/ws-capture-sync.png Binary files differnew file mode 100644 index 00000000..d46e1e94 --- /dev/null +++ b/doc/wsdg_src/images/ws-capture-sync.png diff --git a/doc/wsdg_src/images/ws-capture_internals.dia b/doc/wsdg_src/images/ws-capture_internals.dia Binary files differnew file mode 100644 index 00000000..0eae20e5 --- /dev/null +++ b/doc/wsdg_src/images/ws-capture_internals.dia diff --git a/doc/wsdg_src/images/ws-capture_internals.png b/doc/wsdg_src/images/ws-capture_internals.png Binary files differnew file mode 100644 index 00000000..6d110af3 --- /dev/null +++ b/doc/wsdg_src/images/ws-capture_internals.png diff --git a/doc/wsdg_src/images/ws-dev-guide-cover.png b/doc/wsdg_src/images/ws-dev-guide-cover.png Binary files differnew file mode 100644 index 00000000..8134d2d0 --- /dev/null +++ b/doc/wsdg_src/images/ws-dev-guide-cover.png diff --git a/doc/wsdg_src/images/ws-function-blocks.dia b/doc/wsdg_src/images/ws-function-blocks.dia Binary files differnew file mode 100644 index 00000000..bc17f05e --- /dev/null +++ b/doc/wsdg_src/images/ws-function-blocks.dia diff --git a/doc/wsdg_src/images/ws-function-blocks.svg b/doc/wsdg_src/images/ws-function-blocks.svg new file mode 100644 index 00000000..c9bc7f7e --- /dev/null +++ b/doc/wsdg_src/images/ws-function-blocks.svg @@ -0,0 +1,449 @@ +<?xml version="1.0" encoding="UTF-8"?> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="463pt" height="663pt" viewBox="0 0 463 663" version="1.1"> +<defs> +<g> +<symbol overflow="visible" id="glyph0-0"> +<path style="stroke:none;" d="M 1.203125 0 L 1.203125 -9.140625 L 6.46875 -9.140625 L 6.46875 0 Z M 1.859375 -0.65625 L 5.8125 -0.65625 L 5.8125 -8.484375 L 1.859375 -8.484375 Z M 1.859375 -0.65625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-1"> +<path style="stroke:none;" d="M 5.15625 -8.25 C 4.175781 -8.25 3.40625 -7.921875 2.84375 -7.265625 C 2.28125 -6.609375 2 -5.707031 2 -4.5625 C 2 -3.425781 2.257812 -2.53125 2.78125 -1.875 C 3.3125 -1.21875 4.097656 -0.890625 5.140625 -0.890625 C 5.546875 -0.890625 5.925781 -0.921875 6.28125 -0.984375 C 6.644531 -1.054688 6.992188 -1.140625 7.328125 -1.234375 L 7.328125 -0.25 C 6.992188 -0.113281 6.644531 -0.0195312 6.28125 0.03125 C 5.914062 0.09375 5.484375 0.125 4.984375 0.125 C 4.046875 0.125 3.265625 -0.0664062 2.640625 -0.453125 C 2.023438 -0.835938 1.5625 -1.378906 1.25 -2.078125 C 0.9375 -2.785156 0.78125 -3.617188 0.78125 -4.578125 C 0.78125 -5.503906 0.945312 -6.316406 1.28125 -7.015625 C 1.625 -7.722656 2.125 -8.273438 2.78125 -8.671875 C 3.4375 -9.066406 4.234375 -9.265625 5.171875 -9.265625 C 6.128906 -9.265625 6.96875 -9.085938 7.6875 -8.734375 L 7.234375 -7.75 C 6.953125 -7.882812 6.632812 -8 6.28125 -8.09375 C 5.9375 -8.195312 5.5625 -8.25 5.15625 -8.25 Z M 5.15625 -8.25 "/> +</symbol> +<symbol overflow="visible" id="glyph0-2"> +<path style="stroke:none;" d="M 7.046875 -3.4375 C 7.046875 -2.300781 6.757812 -1.421875 6.1875 -0.796875 C 5.613281 -0.179688 4.835938 0.125 3.859375 0.125 C 3.242188 0.125 2.695312 -0.0078125 2.21875 -0.28125 C 1.75 -0.5625 1.378906 -0.96875 1.109375 -1.5 C 0.835938 -2.03125 0.703125 -2.675781 0.703125 -3.4375 C 0.703125 -4.570312 0.988281 -5.445312 1.5625 -6.0625 C 2.132812 -6.675781 2.910156 -6.984375 3.890625 -6.984375 C 4.515625 -6.984375 5.0625 -6.84375 5.53125 -6.5625 C 6.007812 -6.289062 6.378906 -5.890625 6.640625 -5.359375 C 6.910156 -4.835938 7.046875 -4.195312 7.046875 -3.4375 Z M 1.875 -3.4375 C 1.875 -2.632812 2.03125 -1.992188 2.34375 -1.515625 C 2.664062 -1.046875 3.175781 -0.8125 3.875 -0.8125 C 4.5625 -0.8125 5.066406 -1.046875 5.390625 -1.515625 C 5.722656 -1.992188 5.890625 -2.632812 5.890625 -3.4375 C 5.890625 -4.25 5.722656 -4.882812 5.390625 -5.34375 C 5.066406 -5.8125 4.554688 -6.046875 3.859375 -6.046875 C 3.160156 -6.046875 2.65625 -5.8125 2.34375 -5.34375 C 2.03125 -4.882812 1.875 -4.25 1.875 -3.4375 Z M 1.875 -3.4375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-3"> +<path style="stroke:none;" d="M 4.28125 -6.984375 C 4.414062 -6.984375 4.554688 -6.976562 4.703125 -6.96875 C 4.847656 -6.957031 4.976562 -6.9375 5.09375 -6.90625 L 4.953125 -5.875 C 4.835938 -5.894531 4.710938 -5.914062 4.578125 -5.9375 C 4.453125 -5.957031 4.328125 -5.96875 4.203125 -5.96875 C 3.859375 -5.96875 3.53125 -5.867188 3.21875 -5.671875 C 2.914062 -5.484375 2.671875 -5.210938 2.484375 -4.859375 C 2.304688 -4.515625 2.21875 -4.113281 2.21875 -3.65625 L 2.21875 0 L 1.09375 0 L 1.09375 -6.859375 L 2.015625 -6.859375 L 2.140625 -5.609375 L 2.1875 -5.609375 C 2.40625 -5.984375 2.691406 -6.304688 3.046875 -6.578125 C 3.398438 -6.847656 3.8125 -6.984375 4.28125 -6.984375 Z M 4.28125 -6.984375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-4"> +<path style="stroke:none;" d="M 3.734375 -6.984375 C 4.328125 -6.984375 4.832031 -6.851562 5.25 -6.59375 C 5.675781 -6.34375 6 -5.984375 6.21875 -5.515625 C 6.445312 -5.054688 6.5625 -4.515625 6.5625 -3.890625 L 6.5625 -3.21875 L 1.875 -3.21875 C 1.882812 -2.4375 2.078125 -1.84375 2.453125 -1.4375 C 2.835938 -1.03125 3.375 -0.828125 4.0625 -0.828125 C 4.488281 -0.828125 4.867188 -0.867188 5.203125 -0.953125 C 5.546875 -1.035156 5.894531 -1.15625 6.25 -1.3125 L 6.25 -0.3125 C 5.90625 -0.164062 5.5625 -0.0546875 5.21875 0.015625 C 4.875 0.0859375 4.46875 0.125 4 0.125 C 3.351562 0.125 2.78125 -0.00390625 2.28125 -0.265625 C 1.78125 -0.535156 1.390625 -0.929688 1.109375 -1.453125 C 0.835938 -1.972656 0.703125 -2.613281 0.703125 -3.375 C 0.703125 -4.125 0.828125 -4.765625 1.078125 -5.296875 C 1.328125 -5.835938 1.679688 -6.253906 2.140625 -6.546875 C 2.597656 -6.835938 3.128906 -6.984375 3.734375 -6.984375 Z M 3.71875 -6.0625 C 3.1875 -6.0625 2.765625 -5.890625 2.453125 -5.546875 C 2.140625 -5.203125 1.953125 -4.722656 1.890625 -4.109375 L 5.390625 -4.109375 C 5.378906 -4.691406 5.238281 -5.160156 4.96875 -5.515625 C 4.707031 -5.878906 4.289062 -6.0625 3.71875 -6.0625 Z M 3.71875 -6.0625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-5"> +<path style="stroke:none;" d="M 6.34375 0 L 1.234375 0 L 1.234375 -9.140625 L 6.34375 -9.140625 L 6.34375 -8.125 L 2.390625 -8.125 L 2.390625 -5.265625 L 6.109375 -5.265625 L 6.109375 -4.28125 L 2.390625 -4.28125 L 2.390625 -1.015625 L 6.34375 -1.015625 Z M 6.34375 0 "/> +</symbol> +<symbol overflow="visible" id="glyph0-6"> +<path style="stroke:none;" d="M 4.34375 -6.984375 C 5.195312 -6.984375 5.878906 -6.6875 6.390625 -6.09375 C 6.910156 -5.507812 7.171875 -4.625 7.171875 -3.4375 C 7.171875 -2.269531 6.910156 -1.382812 6.390625 -0.78125 C 5.878906 -0.175781 5.195312 0.125 4.34375 0.125 C 3.8125 0.125 3.375 0.0234375 3.03125 -0.171875 C 2.6875 -0.367188 2.414062 -0.601562 2.21875 -0.875 L 2.140625 -0.875 C 2.148438 -0.726562 2.164062 -0.539062 2.1875 -0.3125 C 2.207031 -0.09375 2.21875 0.09375 2.21875 0.25 L 2.21875 3.078125 L 1.09375 3.078125 L 1.09375 -6.859375 L 2.015625 -6.859375 L 2.15625 -5.921875 L 2.21875 -5.921875 C 2.414062 -6.222656 2.679688 -6.472656 3.015625 -6.671875 C 3.347656 -6.878906 3.789062 -6.984375 4.34375 -6.984375 Z M 4.140625 -6.046875 C 3.441406 -6.046875 2.945312 -5.847656 2.65625 -5.453125 C 2.375 -5.054688 2.226562 -4.457031 2.21875 -3.65625 L 2.21875 -3.4375 C 2.21875 -2.59375 2.351562 -1.941406 2.625 -1.484375 C 2.90625 -1.035156 3.421875 -0.8125 4.171875 -0.8125 C 4.585938 -0.8125 4.929688 -0.925781 5.203125 -1.15625 C 5.472656 -1.382812 5.671875 -1.695312 5.796875 -2.09375 C 5.929688 -2.488281 6 -2.941406 6 -3.453125 C 6 -4.234375 5.847656 -4.859375 5.546875 -5.328125 C 5.242188 -5.804688 4.773438 -6.046875 4.140625 -6.046875 Z M 4.140625 -6.046875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-7"> +<path style="stroke:none;" d="M 3.6875 -6.96875 C 4.519531 -6.96875 5.132812 -6.785156 5.53125 -6.421875 C 5.9375 -6.054688 6.140625 -5.472656 6.140625 -4.671875 L 6.140625 0 L 5.328125 0 L 5.109375 -0.96875 L 5.0625 -0.96875 C 4.757812 -0.59375 4.441406 -0.316406 4.109375 -0.140625 C 3.785156 0.0351562 3.332031 0.125 2.75 0.125 C 2.125 0.125 1.609375 -0.0351562 1.203125 -0.359375 C 0.796875 -0.691406 0.59375 -1.207031 0.59375 -1.90625 C 0.59375 -2.59375 0.859375 -3.117188 1.390625 -3.484375 C 1.929688 -3.859375 2.757812 -4.0625 3.875 -4.09375 L 5.046875 -4.140625 L 5.046875 -4.546875 C 5.046875 -5.117188 4.921875 -5.515625 4.671875 -5.734375 C 4.421875 -5.953125 4.070312 -6.0625 3.625 -6.0625 C 3.257812 -6.0625 2.914062 -6.007812 2.59375 -5.90625 C 2.269531 -5.800781 1.96875 -5.679688 1.6875 -5.546875 L 1.34375 -6.390625 C 1.644531 -6.546875 2 -6.679688 2.40625 -6.796875 C 2.8125 -6.910156 3.238281 -6.96875 3.6875 -6.96875 Z M 4.015625 -3.3125 C 3.160156 -3.28125 2.566406 -3.144531 2.234375 -2.90625 C 1.910156 -2.664062 1.75 -2.328125 1.75 -1.890625 C 1.75 -1.503906 1.863281 -1.222656 2.09375 -1.046875 C 2.332031 -0.867188 2.632812 -0.78125 3 -0.78125 C 3.582031 -0.78125 4.066406 -0.9375 4.453125 -1.25 C 4.835938 -1.570312 5.03125 -2.066406 5.03125 -2.734375 L 5.03125 -3.359375 Z M 4.015625 -3.3125 "/> +</symbol> +<symbol overflow="visible" id="glyph0-8"> +<path style="stroke:none;" d="M 4.390625 -6.984375 C 5.210938 -6.984375 5.832031 -6.785156 6.25 -6.390625 C 6.664062 -5.992188 6.875 -5.351562 6.875 -4.46875 L 6.875 0 L 5.765625 0 L 5.765625 -4.390625 C 5.765625 -5.492188 5.25 -6.046875 4.21875 -6.046875 C 3.457031 -6.046875 2.929688 -5.832031 2.640625 -5.40625 C 2.359375 -4.976562 2.21875 -4.363281 2.21875 -3.5625 L 2.21875 0 L 1.09375 0 L 1.09375 -6.859375 L 2 -6.859375 L 2.15625 -5.921875 L 2.234375 -5.921875 C 2.453125 -6.285156 2.753906 -6.550781 3.140625 -6.71875 C 3.535156 -6.894531 3.953125 -6.984375 4.390625 -6.984375 Z M 4.390625 -6.984375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-9"> +<path style="stroke:none;" d="M 11.734375 -9.140625 L 9.296875 0 L 8.140625 0 L 6.359375 -5.984375 C 6.285156 -6.234375 6.210938 -6.484375 6.140625 -6.734375 C 6.078125 -6.984375 6.023438 -7.203125 5.984375 -7.390625 C 5.941406 -7.578125 5.914062 -7.710938 5.90625 -7.796875 C 5.894531 -7.679688 5.847656 -7.441406 5.765625 -7.078125 C 5.679688 -6.722656 5.582031 -6.347656 5.46875 -5.953125 L 3.734375 0 L 2.578125 0 L 0.15625 -9.140625 L 1.359375 -9.140625 L 2.78125 -3.5625 C 2.882812 -3.164062 2.96875 -2.785156 3.03125 -2.421875 C 3.101562 -2.054688 3.164062 -1.707031 3.21875 -1.375 C 3.257812 -1.707031 3.320312 -2.070312 3.40625 -2.46875 C 3.488281 -2.863281 3.585938 -3.25 3.703125 -3.625 L 5.3125 -9.140625 L 6.5 -9.140625 L 8.171875 -3.578125 C 8.296875 -3.191406 8.398438 -2.800781 8.484375 -2.40625 C 8.566406 -2.019531 8.628906 -1.675781 8.671875 -1.375 C 8.710938 -1.695312 8.769531 -2.039062 8.84375 -2.40625 C 8.925781 -2.78125 9.019531 -3.171875 9.125 -3.578125 L 10.53125 -9.140625 Z M 11.734375 -9.140625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-10"> +<path style="stroke:none;" d="M 1.65625 -9.4375 C 1.832031 -9.4375 1.984375 -9.375 2.109375 -9.25 C 2.242188 -9.132812 2.3125 -8.957031 2.3125 -8.71875 C 2.3125 -8.476562 2.242188 -8.296875 2.109375 -8.171875 C 1.984375 -8.054688 1.832031 -8 1.65625 -8 C 1.46875 -8 1.3125 -8.054688 1.1875 -8.171875 C 1.0625 -8.296875 1 -8.476562 1 -8.71875 C 1 -8.957031 1.0625 -9.132812 1.1875 -9.25 C 1.3125 -9.375 1.46875 -9.4375 1.65625 -9.4375 Z M 2.21875 -6.859375 L 2.21875 0 L 1.09375 0 L 1.09375 -6.859375 Z M 2.21875 -6.859375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-11"> +<path style="stroke:none;" d="M 3.375 -0.796875 C 3.550781 -0.796875 3.726562 -0.8125 3.90625 -0.84375 C 4.082031 -0.875 4.226562 -0.90625 4.34375 -0.9375 L 4.34375 -0.078125 C 4.21875 -0.015625 4.046875 0.03125 3.828125 0.0625 C 3.609375 0.101562 3.394531 0.125 3.1875 0.125 C 2.832031 0.125 2.5 0.0625 2.1875 -0.0625 C 1.882812 -0.1875 1.640625 -0.398438 1.453125 -0.703125 C 1.265625 -1.015625 1.171875 -1.445312 1.171875 -2 L 1.171875 -5.984375 L 0.203125 -5.984375 L 0.203125 -6.53125 L 1.1875 -6.96875 L 1.640625 -8.4375 L 2.296875 -8.4375 L 2.296875 -6.859375 L 4.28125 -6.859375 L 4.28125 -5.984375 L 2.296875 -5.984375 L 2.296875 -2.015625 C 2.296875 -1.597656 2.394531 -1.289062 2.59375 -1.09375 C 2.800781 -0.894531 3.0625 -0.796875 3.375 -0.796875 Z M 3.375 -0.796875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-12"> +<path style="stroke:none;" d="M 6.828125 -6.859375 L 6.828125 0 L 5.90625 0 L 5.734375 -0.90625 L 5.6875 -0.90625 C 5.457031 -0.550781 5.144531 -0.289062 4.75 -0.125 C 4.363281 0.0390625 3.945312 0.125 3.5 0.125 C 2.675781 0.125 2.054688 -0.0703125 1.640625 -0.46875 C 1.222656 -0.863281 1.015625 -1.5 1.015625 -2.375 L 1.015625 -6.859375 L 2.15625 -6.859375 L 2.15625 -2.4375 C 2.15625 -1.351562 2.660156 -0.8125 3.671875 -0.8125 C 4.429688 -0.8125 4.957031 -1.019531 5.25 -1.4375 C 5.539062 -1.863281 5.6875 -2.476562 5.6875 -3.28125 L 5.6875 -6.859375 Z M 6.828125 -6.859375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-13"> +<path style="stroke:none;" d="M 5.203125 -4.828125 L 8.375 -4.828125 L 8.375 -0.34375 C 7.875 -0.1875 7.367188 -0.0703125 6.859375 0 C 6.359375 0.0820312 5.789062 0.125 5.15625 0.125 C 4.207031 0.125 3.410156 -0.0625 2.765625 -0.4375 C 2.117188 -0.820312 1.625 -1.363281 1.28125 -2.0625 C 0.945312 -2.769531 0.78125 -3.601562 0.78125 -4.5625 C 0.78125 -5.519531 0.96875 -6.347656 1.34375 -7.046875 C 1.71875 -7.742188 2.253906 -8.285156 2.953125 -8.671875 C 3.660156 -9.066406 4.515625 -9.265625 5.515625 -9.265625 C 6.023438 -9.265625 6.507812 -9.21875 6.96875 -9.125 C 7.425781 -9.03125 7.847656 -8.898438 8.234375 -8.734375 L 7.8125 -7.734375 C 7.476562 -7.878906 7.109375 -8 6.703125 -8.09375 C 6.304688 -8.195312 5.890625 -8.25 5.453125 -8.25 C 4.359375 -8.25 3.503906 -7.921875 2.890625 -7.265625 C 2.285156 -6.609375 1.984375 -5.707031 1.984375 -4.5625 C 1.984375 -3.84375 2.097656 -3.203125 2.328125 -2.640625 C 2.566406 -2.078125 2.9375 -1.640625 3.4375 -1.328125 C 3.945312 -1.023438 4.609375 -0.875 5.421875 -0.875 C 5.828125 -0.875 6.171875 -0.894531 6.453125 -0.9375 C 6.734375 -0.976562 6.988281 -1.03125 7.21875 -1.09375 L 7.21875 -3.796875 L 5.203125 -3.796875 Z M 5.203125 -4.828125 "/> +</symbol> +<symbol overflow="visible" id="glyph0-14"> +<path style="stroke:none;" d="M 8.1875 -3.21875 C 8.1875 -2.59375 8.054688 -2.023438 7.796875 -1.515625 C 7.546875 -1.003906 7.15625 -0.601562 6.625 -0.3125 C 6.101562 -0.0195312 5.4375 0.125 4.625 0.125 C 3.5 0.125 2.640625 -0.179688 2.046875 -0.796875 C 1.453125 -1.421875 1.15625 -2.238281 1.15625 -3.25 L 1.15625 -9.140625 L 2.296875 -9.140625 L 2.296875 -3.21875 C 2.296875 -2.46875 2.492188 -1.890625 2.890625 -1.484375 C 3.296875 -1.078125 3.898438 -0.875 4.703125 -0.875 C 5.523438 -0.875 6.117188 -1.09375 6.484375 -1.53125 C 6.859375 -1.96875 7.046875 -2.53125 7.046875 -3.21875 L 7.046875 -9.140625 L 8.1875 -9.140625 Z M 8.1875 -3.21875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-15"> +<path style="stroke:none;" d="M 3.8125 0 L 0.515625 0 L 0.515625 -0.671875 L 1.59375 -0.90625 L 1.59375 -8.21875 L 0.515625 -8.46875 L 0.515625 -9.140625 L 3.8125 -9.140625 L 3.8125 -8.46875 L 2.734375 -8.21875 L 2.734375 -0.90625 L 3.8125 -0.671875 Z M 3.8125 0 "/> +</symbol> +<symbol overflow="visible" id="glyph0-16"> +<path style="stroke:none;" d=""/> +</symbol> +<symbol overflow="visible" id="glyph0-17"> +<path style="stroke:none;" d="M 0.515625 -3.5 C 0.515625 -4.539062 0.664062 -5.546875 0.96875 -6.515625 C 1.269531 -7.484375 1.742188 -8.359375 2.390625 -9.140625 L 3.453125 -9.140625 C 2.859375 -8.335938 2.410156 -7.453125 2.109375 -6.484375 C 1.804688 -5.523438 1.65625 -4.535156 1.65625 -3.515625 C 1.65625 -2.523438 1.804688 -1.554688 2.109375 -0.609375 C 2.410156 0.335938 2.851562 1.210938 3.4375 2.015625 L 2.390625 2.015625 C 1.742188 1.265625 1.269531 0.414062 0.96875 -0.53125 C 0.664062 -1.476562 0.515625 -2.46875 0.515625 -3.5 Z M 0.515625 -3.5 "/> +</symbol> +<symbol overflow="visible" id="glyph0-18"> +<path style="stroke:none;" d="M 9.21875 -4.578125 C 9.21875 -3.460938 8.992188 -2.507812 8.546875 -1.71875 C 8.097656 -0.9375 7.429688 -0.398438 6.546875 -0.109375 L 8.734375 2.171875 L 7.09375 2.171875 L 5.328125 0.109375 C 5.273438 0.109375 5.21875 0.109375 5.15625 0.109375 C 5.101562 0.117188 5.050781 0.125 5 0.125 C 4.050781 0.125 3.265625 -0.0664062 2.640625 -0.453125 C 2.015625 -0.847656 1.546875 -1.398438 1.234375 -2.109375 C 0.929688 -2.816406 0.78125 -3.644531 0.78125 -4.59375 C 0.78125 -5.53125 0.929688 -6.347656 1.234375 -7.046875 C 1.546875 -7.742188 2.015625 -8.289062 2.640625 -8.6875 C 3.265625 -9.082031 4.054688 -9.28125 5.015625 -9.28125 C 5.929688 -9.28125 6.695312 -9.082031 7.3125 -8.6875 C 7.9375 -8.300781 8.410156 -7.753906 8.734375 -7.046875 C 9.054688 -6.347656 9.21875 -5.523438 9.21875 -4.578125 Z M 2 -4.578125 C 2 -3.429688 2.238281 -2.523438 2.71875 -1.859375 C 3.207031 -1.203125 3.96875 -0.875 5 -0.875 C 6.039062 -0.875 6.800781 -1.203125 7.28125 -1.859375 C 7.757812 -2.523438 8 -3.429688 8 -4.578125 C 8 -5.734375 7.757812 -6.632812 7.28125 -7.28125 C 6.800781 -7.9375 6.046875 -8.265625 5.015625 -8.265625 C 3.984375 -8.265625 3.222656 -7.9375 2.734375 -7.28125 C 2.242188 -6.632812 2 -5.734375 2 -4.578125 Z M 2 -4.578125 "/> +</symbol> +<symbol overflow="visible" id="glyph0-19"> +<path style="stroke:none;" d="M 3.328125 -3.5 C 3.328125 -2.46875 3.175781 -1.476562 2.875 -0.53125 C 2.570312 0.414062 2.097656 1.265625 1.453125 2.015625 L 0.390625 2.015625 C 0.984375 1.210938 1.429688 0.335938 1.734375 -0.609375 C 2.035156 -1.554688 2.1875 -2.523438 2.1875 -3.515625 C 2.1875 -4.535156 2.035156 -5.523438 1.734375 -6.484375 C 1.429688 -7.453125 0.984375 -8.335938 0.390625 -9.140625 L 1.453125 -9.140625 C 2.097656 -8.359375 2.570312 -7.484375 2.875 -6.515625 C 3.175781 -5.546875 3.328125 -4.539062 3.328125 -3.5 Z M 3.328125 -3.5 "/> +</symbol> +<symbol overflow="visible" id="glyph0-20"> +<path style="stroke:none;" d="M 8.234375 0 L 7.078125 0 L 7.078125 -4.265625 L 2.390625 -4.265625 L 2.390625 0 L 1.234375 0 L 1.234375 -9.140625 L 2.390625 -9.140625 L 2.390625 -5.265625 L 7.078125 -5.265625 L 7.078125 -9.140625 L 8.234375 -9.140625 Z M 8.234375 0 "/> +</symbol> +<symbol overflow="visible" id="glyph0-21"> +<path style="stroke:none;" d="M 3.515625 0.125 C 2.660156 0.125 1.976562 -0.171875 1.46875 -0.765625 C 0.957031 -1.359375 0.703125 -2.242188 0.703125 -3.421875 C 0.703125 -4.597656 0.957031 -5.484375 1.46875 -6.078125 C 1.988281 -6.679688 2.675781 -6.984375 3.53125 -6.984375 C 4.0625 -6.984375 4.492188 -6.882812 4.828125 -6.6875 C 5.171875 -6.5 5.445312 -6.257812 5.65625 -5.96875 L 5.734375 -5.96875 C 5.722656 -6.082031 5.707031 -6.25 5.6875 -6.46875 C 5.664062 -6.6875 5.65625 -6.859375 5.65625 -6.984375 L 5.65625 -9.71875 L 6.78125 -9.71875 L 6.78125 0 L 5.875 0 L 5.703125 -0.921875 L 5.65625 -0.921875 C 5.445312 -0.628906 5.171875 -0.378906 4.828125 -0.171875 C 4.492188 0.0234375 4.054688 0.125 3.515625 0.125 Z M 3.703125 -0.8125 C 4.421875 -0.8125 4.925781 -1.007812 5.21875 -1.40625 C 5.519531 -1.800781 5.671875 -2.398438 5.671875 -3.203125 L 5.671875 -3.40625 C 5.671875 -4.257812 5.53125 -4.910156 5.25 -5.359375 C 4.96875 -5.816406 4.445312 -6.046875 3.6875 -6.046875 C 3.082031 -6.046875 2.628906 -5.804688 2.328125 -5.328125 C 2.023438 -4.847656 1.875 -4.203125 1.875 -3.390625 C 1.875 -2.566406 2.023438 -1.929688 2.328125 -1.484375 C 2.628906 -1.035156 3.085938 -0.8125 3.703125 -0.8125 Z M 3.703125 -0.8125 "/> +</symbol> +<symbol overflow="visible" id="glyph0-22"> +<path style="stroke:none;" d="M 5.546875 -1.890625 C 5.546875 -1.222656 5.296875 -0.71875 4.796875 -0.375 C 4.304688 -0.0390625 3.644531 0.125 2.8125 0.125 C 2.332031 0.125 1.921875 0.0820312 1.578125 0 C 1.234375 -0.0703125 0.929688 -0.175781 0.671875 -0.3125 L 0.671875 -1.328125 C 0.941406 -1.191406 1.269531 -1.066406 1.65625 -0.953125 C 2.039062 -0.835938 2.4375 -0.78125 2.84375 -0.78125 C 3.414062 -0.78125 3.828125 -0.867188 4.078125 -1.046875 C 4.335938 -1.234375 4.46875 -1.484375 4.46875 -1.796875 C 4.46875 -1.960938 4.421875 -2.113281 4.328125 -2.25 C 4.234375 -2.382812 4.0625 -2.519531 3.8125 -2.65625 C 3.570312 -2.789062 3.226562 -2.945312 2.78125 -3.125 C 2.332031 -3.289062 1.953125 -3.457031 1.640625 -3.625 C 1.328125 -3.800781 1.082031 -4.007812 0.90625 -4.25 C 0.738281 -4.488281 0.65625 -4.796875 0.65625 -5.171875 C 0.65625 -5.753906 0.890625 -6.203125 1.359375 -6.515625 C 1.835938 -6.828125 2.457031 -6.984375 3.21875 -6.984375 C 3.644531 -6.984375 4.035156 -6.941406 4.390625 -6.859375 C 4.753906 -6.785156 5.09375 -6.675781 5.40625 -6.53125 L 5.03125 -5.625 C 4.738281 -5.75 4.429688 -5.851562 4.109375 -5.9375 C 3.796875 -6.019531 3.472656 -6.0625 3.140625 -6.0625 C 2.679688 -6.0625 2.332031 -5.988281 2.09375 -5.84375 C 1.851562 -5.695312 1.734375 -5.492188 1.734375 -5.234375 C 1.734375 -5.046875 1.785156 -4.882812 1.890625 -4.75 C 2.003906 -4.625 2.191406 -4.5 2.453125 -4.375 C 2.710938 -4.25 3.0625 -4.097656 3.5 -3.921875 C 3.925781 -3.765625 4.289062 -3.597656 4.59375 -3.421875 C 4.90625 -3.253906 5.140625 -3.046875 5.296875 -2.796875 C 5.460938 -2.554688 5.546875 -2.253906 5.546875 -1.890625 Z M 5.546875 -1.890625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-23"> +<path style="stroke:none;" d="M 2.203125 -4.640625 C 2.203125 -4.503906 2.191406 -4.328125 2.171875 -4.109375 C 2.160156 -3.890625 2.15625 -3.695312 2.15625 -3.53125 L 2.203125 -3.53125 C 2.253906 -3.601562 2.328125 -3.703125 2.421875 -3.828125 C 2.523438 -3.953125 2.628906 -4.082031 2.734375 -4.21875 C 2.847656 -4.351562 2.941406 -4.460938 3.015625 -4.546875 L 5.203125 -6.859375 L 6.53125 -6.859375 L 3.75 -3.921875 L 6.71875 0 L 5.359375 0 L 2.984375 -3.203125 L 2.203125 -2.515625 L 2.203125 0 L 1.09375 0 L 1.09375 -9.71875 L 2.203125 -9.71875 Z M 2.203125 -4.640625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-24"> +<path style="stroke:none;" d="M 8.484375 0 L 7.140625 0 L 2.25 -7.59375 L 2.203125 -7.59375 C 2.222656 -7.289062 2.242188 -6.914062 2.265625 -6.46875 C 2.285156 -6.03125 2.296875 -5.578125 2.296875 -5.109375 L 2.296875 0 L 1.234375 0 L 1.234375 -9.140625 L 2.578125 -9.140625 L 7.453125 -1.578125 L 7.5 -1.578125 C 7.488281 -1.710938 7.476562 -1.914062 7.46875 -2.1875 C 7.457031 -2.457031 7.441406 -2.753906 7.421875 -3.078125 C 7.410156 -3.410156 7.40625 -3.710938 7.40625 -3.984375 L 7.40625 -9.140625 L 8.484375 -9.140625 Z M 8.484375 0 "/> +</symbol> +<symbol overflow="visible" id="glyph0-25"> +<path style="stroke:none;" d="M 5.515625 -3.875 C 5.398438 -4.226562 5.300781 -4.570312 5.21875 -4.90625 C 5.144531 -5.238281 5.085938 -5.5 5.046875 -5.6875 L 4.984375 -5.6875 C 4.953125 -5.5 4.894531 -5.238281 4.8125 -4.90625 C 4.738281 -4.570312 4.644531 -4.222656 4.53125 -3.859375 L 3.296875 -0.015625 L 2.015625 -0.015625 L 0.140625 -6.875 L 1.3125 -6.875 L 2.25 -3.21875 C 2.34375 -2.84375 2.429688 -2.46875 2.515625 -2.09375 C 2.609375 -1.71875 2.671875 -1.410156 2.703125 -1.171875 L 2.75 -1.171875 C 2.78125 -1.304688 2.816406 -1.476562 2.859375 -1.6875 C 2.910156 -1.90625 2.96875 -2.128906 3.03125 -2.359375 C 3.09375 -2.597656 3.15625 -2.8125 3.21875 -3 L 4.421875 -6.875 L 5.65625 -6.875 L 6.828125 -3 C 6.921875 -2.71875 7.015625 -2.40625 7.109375 -2.0625 C 7.203125 -1.71875 7.265625 -1.421875 7.296875 -1.171875 L 7.34375 -1.171875 C 7.375 -1.390625 7.429688 -1.6875 7.515625 -2.0625 C 7.609375 -2.4375 7.707031 -2.820312 7.8125 -3.21875 L 8.765625 -6.875 L 9.921875 -6.875 L 8.015625 -0.015625 L 6.6875 -0.015625 Z M 5.515625 -3.875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-26"> +<path style="stroke:none;" d="M 3.84375 0.125 C 3.238281 0.125 2.695312 0.00390625 2.21875 -0.234375 C 1.75 -0.484375 1.378906 -0.867188 1.109375 -1.390625 C 0.835938 -1.910156 0.703125 -2.578125 0.703125 -3.390625 C 0.703125 -4.234375 0.84375 -4.921875 1.125 -5.453125 C 1.40625 -5.984375 1.785156 -6.367188 2.265625 -6.609375 C 2.753906 -6.859375 3.304688 -6.984375 3.921875 -6.984375 C 4.265625 -6.984375 4.597656 -6.945312 4.921875 -6.875 C 5.242188 -6.800781 5.507812 -6.710938 5.71875 -6.609375 L 5.375 -5.6875 C 5.164062 -5.757812 4.925781 -5.828125 4.65625 -5.890625 C 4.382812 -5.960938 4.128906 -6 3.890625 -6 C 2.546875 -6 1.875 -5.132812 1.875 -3.40625 C 1.875 -2.570312 2.035156 -1.9375 2.359375 -1.5 C 2.691406 -1.0625 3.179688 -0.84375 3.828125 -0.84375 C 4.203125 -0.84375 4.53125 -0.878906 4.8125 -0.953125 C 5.101562 -1.035156 5.367188 -1.128906 5.609375 -1.234375 L 5.609375 -0.25 C 5.378906 -0.125 5.125 -0.03125 4.84375 0.03125 C 4.5625 0.09375 4.226562 0.125 3.84375 0.125 Z M 3.84375 0.125 "/> +</symbol> +<symbol overflow="visible" id="glyph0-27"> +<path style="stroke:none;" d="M 4.625 -9.140625 L 1.234375 0 L 0.125 0 L 3.53125 -9.140625 Z M 4.625 -9.140625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-28"> +<path style="stroke:none;" d="M 2.21875 0 L 1.09375 0 L 1.09375 -9.71875 L 2.21875 -9.71875 Z M 2.21875 0 "/> +</symbol> +<symbol overflow="visible" id="glyph0-29"> +<path style="stroke:none;" d="M 2.21875 -7.359375 C 2.21875 -7.066406 2.207031 -6.796875 2.1875 -6.546875 C 2.175781 -6.296875 2.164062 -6.097656 2.15625 -5.953125 L 2.21875 -5.953125 C 2.414062 -6.242188 2.679688 -6.484375 3.015625 -6.671875 C 3.359375 -6.867188 3.800781 -6.96875 4.34375 -6.96875 C 5.195312 -6.96875 5.878906 -6.671875 6.390625 -6.078125 C 6.910156 -5.492188 7.171875 -4.609375 7.171875 -3.421875 C 7.171875 -2.242188 6.910156 -1.359375 6.390625 -0.765625 C 5.867188 -0.171875 5.1875 0.125 4.34375 0.125 C 3.800781 0.125 3.359375 0.03125 3.015625 -0.15625 C 2.679688 -0.351562 2.414062 -0.59375 2.21875 -0.875 L 2.125 -0.875 L 1.890625 0 L 1.09375 0 L 1.09375 -9.71875 L 2.21875 -9.71875 Z M 4.140625 -6.046875 C 3.421875 -6.046875 2.921875 -5.832031 2.640625 -5.40625 C 2.359375 -4.988281 2.21875 -4.34375 2.21875 -3.46875 L 2.21875 -3.421875 C 2.21875 -2.578125 2.351562 -1.929688 2.625 -1.484375 C 2.90625 -1.035156 3.421875 -0.8125 4.171875 -0.8125 C 4.785156 -0.8125 5.242188 -1.035156 5.546875 -1.484375 C 5.847656 -1.929688 6 -2.582031 6 -3.4375 C 6 -5.175781 5.378906 -6.046875 4.140625 -6.046875 Z M 4.140625 -6.046875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-30"> +<path style="stroke:none;" d="M 8.5625 -4.65625 C 8.5625 -3.113281 8.140625 -1.953125 7.296875 -1.171875 C 6.460938 -0.390625 5.289062 0 3.78125 0 L 1.234375 0 L 1.234375 -9.140625 L 4.0625 -9.140625 C 4.976562 -9.140625 5.769531 -8.96875 6.4375 -8.625 C 7.113281 -8.28125 7.632812 -7.773438 8 -7.109375 C 8.375 -6.453125 8.5625 -5.632812 8.5625 -4.65625 Z M 7.34375 -4.625 C 7.34375 -5.84375 7.039062 -6.734375 6.4375 -7.296875 C 5.84375 -7.867188 4.992188 -8.15625 3.890625 -8.15625 L 2.390625 -8.15625 L 2.390625 -0.984375 L 3.640625 -0.984375 C 6.109375 -0.984375 7.34375 -2.195312 7.34375 -4.625 Z M 7.34375 -4.625 "/> +</symbol> +<symbol overflow="visible" id="glyph0-31"> +<path style="stroke:none;" d="M 8.609375 -6.984375 C 9.390625 -6.984375 9.96875 -6.785156 10.34375 -6.390625 C 10.726562 -5.992188 10.921875 -5.351562 10.921875 -4.46875 L 10.921875 0 L 9.8125 0 L 9.8125 -4.421875 C 9.8125 -5.503906 9.347656 -6.046875 8.421875 -6.046875 C 7.753906 -6.046875 7.273438 -5.851562 6.984375 -5.46875 C 6.703125 -5.082031 6.5625 -4.519531 6.5625 -3.78125 L 6.5625 0 L 5.453125 0 L 5.453125 -4.421875 C 5.453125 -5.503906 4.984375 -6.046875 4.046875 -6.046875 C 3.347656 -6.046875 2.867188 -5.832031 2.609375 -5.40625 C 2.347656 -4.976562 2.21875 -4.363281 2.21875 -3.5625 L 2.21875 0 L 1.09375 0 L 1.09375 -6.859375 L 2 -6.859375 L 2.15625 -5.921875 L 2.234375 -5.921875 C 2.441406 -6.285156 2.726562 -6.550781 3.09375 -6.71875 C 3.457031 -6.894531 3.84375 -6.984375 4.25 -6.984375 C 5.320312 -6.984375 6.019531 -6.597656 6.34375 -5.828125 L 6.40625 -5.828125 C 6.632812 -6.222656 6.945312 -6.515625 7.34375 -6.703125 C 7.75 -6.890625 8.171875 -6.984375 8.609375 -6.984375 Z M 8.609375 -6.984375 "/> +</symbol> +<symbol overflow="visible" id="glyph0-32"> +<path style="stroke:none;" d="M 3.515625 -6.984375 C 3.972656 -6.984375 4.378906 -6.894531 4.734375 -6.71875 C 5.097656 -6.550781 5.410156 -6.296875 5.671875 -5.953125 L 5.734375 -5.953125 L 5.890625 -6.859375 L 6.78125 -6.859375 L 6.78125 0.109375 C 6.78125 1.097656 6.53125 1.835938 6.03125 2.328125 C 5.53125 2.828125 4.757812 3.078125 3.71875 3.078125 C 2.707031 3.078125 1.878906 2.929688 1.234375 2.640625 L 1.234375 1.59375 C 1.910156 1.957031 2.757812 2.140625 3.78125 2.140625 C 4.363281 2.140625 4.820312 1.960938 5.15625 1.609375 C 5.5 1.265625 5.671875 0.796875 5.671875 0.203125 L 5.671875 -0.0625 C 5.671875 -0.164062 5.671875 -0.3125 5.671875 -0.5 C 5.679688 -0.695312 5.691406 -0.832031 5.703125 -0.90625 L 5.65625 -0.90625 C 5.195312 -0.21875 4.488281 0.125 3.53125 0.125 C 2.644531 0.125 1.953125 -0.179688 1.453125 -0.796875 C 0.953125 -1.421875 0.703125 -2.296875 0.703125 -3.421875 C 0.703125 -4.515625 0.953125 -5.378906 1.453125 -6.015625 C 1.953125 -6.660156 2.640625 -6.984375 3.515625 -6.984375 Z M 3.671875 -6.046875 C 3.097656 -6.046875 2.65625 -5.816406 2.34375 -5.359375 C 2.03125 -4.898438 1.875 -4.25 1.875 -3.40625 C 1.875 -2.5625 2.023438 -1.914062 2.328125 -1.46875 C 2.640625 -1.019531 3.097656 -0.796875 3.703125 -0.796875 C 4.390625 -0.796875 4.890625 -0.976562 5.203125 -1.34375 C 5.523438 -1.71875 5.6875 -2.316406 5.6875 -3.140625 L 5.6875 -3.421875 C 5.6875 -4.359375 5.519531 -5.03125 5.1875 -5.4375 C 4.863281 -5.84375 4.359375 -6.046875 3.671875 -6.046875 Z M 3.671875 -6.046875 "/> +</symbol> +<symbol overflow="visible" id="glyph0-33"> +<path style="stroke:none;" d="M 3.859375 -9.140625 C 4.992188 -9.140625 5.851562 -8.96875 6.4375 -8.625 C 7.019531 -8.289062 7.3125 -7.707031 7.3125 -6.875 C 7.3125 -6.332031 7.160156 -5.882812 6.859375 -5.53125 C 6.566406 -5.175781 6.140625 -4.945312 5.578125 -4.84375 L 5.578125 -4.78125 C 5.960938 -4.726562 6.3125 -4.617188 6.625 -4.453125 C 6.9375 -4.285156 7.179688 -4.050781 7.359375 -3.75 C 7.535156 -3.457031 7.625 -3.070312 7.625 -2.59375 C 7.625 -1.769531 7.335938 -1.128906 6.765625 -0.671875 C 6.203125 -0.222656 5.429688 0 4.453125 0 L 1.234375 0 L 1.234375 -9.140625 Z M 4.078125 -5.25 C 4.867188 -5.25 5.40625 -5.375 5.6875 -5.625 C 5.976562 -5.875 6.125 -6.25 6.125 -6.75 C 6.125 -7.25 5.945312 -7.609375 5.59375 -7.828125 C 5.238281 -8.046875 4.675781 -8.15625 3.90625 -8.15625 L 2.390625 -8.15625 L 2.390625 -5.25 Z M 2.390625 -4.28125 L 2.390625 -0.96875 L 4.234375 -0.96875 C 5.046875 -0.96875 5.609375 -1.125 5.921875 -1.4375 C 6.242188 -1.757812 6.40625 -2.175781 6.40625 -2.6875 C 6.40625 -3.164062 6.238281 -3.550781 5.90625 -3.84375 C 5.570312 -4.132812 4.984375 -4.28125 4.140625 -4.28125 Z M 2.390625 -4.28125 "/> +</symbol> +<symbol overflow="visible" id="glyph1-0"> +<path style="stroke:none;" d="M 1.046875 0 L 1.046875 -8 L 5.65625 -8 L 5.65625 0 Z M 1.625 -0.578125 L 5.09375 -0.578125 L 5.09375 -7.421875 L 1.625 -7.421875 Z M 1.625 -0.578125 "/> +</symbol> +<symbol overflow="visible" id="glyph1-1"> +<path style="stroke:none;" d="M 7.5 -4.078125 C 7.5 -2.722656 7.128906 -1.703125 6.390625 -1.015625 C 5.648438 -0.335938 4.625 0 3.3125 0 L 1.09375 0 L 1.09375 -8 L 3.546875 -8 C 4.359375 -8 5.054688 -7.847656 5.640625 -7.546875 C 6.234375 -7.253906 6.691406 -6.816406 7.015625 -6.234375 C 7.335938 -5.648438 7.5 -4.929688 7.5 -4.078125 Z M 6.4375 -4.046875 C 6.4375 -5.109375 6.171875 -5.890625 5.640625 -6.390625 C 5.109375 -6.890625 4.363281 -7.140625 3.40625 -7.140625 L 2.09375 -7.140625 L 2.09375 -0.859375 L 3.1875 -0.859375 C 5.351562 -0.859375 6.4375 -1.921875 6.4375 -4.046875 Z M 6.4375 -4.046875 "/> +</symbol> +<symbol overflow="visible" id="glyph1-2"> +<path style="stroke:none;" d="M 1.453125 -8.25 C 1.609375 -8.25 1.742188 -8.195312 1.859375 -8.09375 C 1.972656 -8 2.03125 -7.84375 2.03125 -7.625 C 2.03125 -7.414062 1.972656 -7.257812 1.859375 -7.15625 C 1.742188 -7.050781 1.609375 -7 1.453125 -7 C 1.285156 -7 1.144531 -7.050781 1.03125 -7.15625 C 0.925781 -7.257812 0.875 -7.414062 0.875 -7.625 C 0.875 -7.84375 0.925781 -8 1.03125 -8.09375 C 1.144531 -8.195312 1.285156 -8.25 1.453125 -8.25 Z M 1.9375 -6 L 1.9375 0 L 0.953125 0 L 0.953125 -6 Z M 1.9375 -6 "/> +</symbol> +<symbol overflow="visible" id="glyph1-3"> +<path style="stroke:none;" d="M 4.859375 -1.65625 C 4.859375 -1.070312 4.640625 -0.628906 4.203125 -0.328125 C 3.773438 -0.0351562 3.195312 0.109375 2.46875 0.109375 C 2.050781 0.109375 1.691406 0.0703125 1.390625 0 C 1.085938 -0.0625 0.816406 -0.148438 0.578125 -0.265625 L 0.578125 -1.171875 C 0.816406 -1.046875 1.101562 -0.929688 1.4375 -0.828125 C 1.78125 -0.734375 2.128906 -0.6875 2.484375 -0.6875 C 2.984375 -0.6875 3.34375 -0.765625 3.5625 -0.921875 C 3.789062 -1.085938 3.90625 -1.300781 3.90625 -1.5625 C 3.90625 -1.71875 3.863281 -1.851562 3.78125 -1.96875 C 3.695312 -2.09375 3.550781 -2.210938 3.34375 -2.328125 C 3.132812 -2.453125 2.832031 -2.585938 2.4375 -2.734375 C 2.039062 -2.878906 1.703125 -3.023438 1.421875 -3.171875 C 1.148438 -3.328125 0.941406 -3.507812 0.796875 -3.71875 C 0.648438 -3.925781 0.578125 -4.195312 0.578125 -4.53125 C 0.578125 -5.03125 0.78125 -5.414062 1.1875 -5.6875 C 1.601562 -5.96875 2.148438 -6.109375 2.828125 -6.109375 C 3.191406 -6.109375 3.53125 -6.070312 3.84375 -6 C 4.164062 -5.9375 4.460938 -5.84375 4.734375 -5.71875 L 4.40625 -4.921875 C 4.144531 -5.035156 3.875 -5.128906 3.59375 -5.203125 C 3.320312 -5.273438 3.039062 -5.3125 2.75 -5.3125 C 2.351562 -5.3125 2.046875 -5.242188 1.828125 -5.109375 C 1.617188 -4.984375 1.515625 -4.804688 1.515625 -4.578125 C 1.515625 -4.410156 1.5625 -4.269531 1.65625 -4.15625 C 1.75 -4.039062 1.910156 -3.925781 2.140625 -3.8125 C 2.367188 -3.707031 2.675781 -3.582031 3.0625 -3.4375 C 3.4375 -3.289062 3.757812 -3.144531 4.03125 -3 C 4.300781 -2.851562 4.503906 -2.671875 4.640625 -2.453125 C 4.785156 -2.242188 4.859375 -1.976562 4.859375 -1.65625 Z M 4.859375 -1.65625 "/> +</symbol> +<symbol overflow="visible" id="glyph1-4"> +<path style="stroke:none;" d="M 3.265625 -6.109375 C 3.785156 -6.109375 4.226562 -5.992188 4.59375 -5.765625 C 4.96875 -5.546875 5.253906 -5.234375 5.453125 -4.828125 C 5.648438 -4.421875 5.75 -3.945312 5.75 -3.40625 L 5.75 -2.8125 L 1.640625 -2.8125 C 1.648438 -2.132812 1.820312 -1.617188 2.15625 -1.265625 C 2.488281 -0.910156 2.953125 -0.734375 3.546875 -0.734375 C 3.929688 -0.734375 4.269531 -0.765625 4.5625 -0.828125 C 4.851562 -0.898438 5.160156 -1.003906 5.484375 -1.140625 L 5.484375 -0.28125 C 5.171875 -0.144531 4.863281 -0.046875 4.5625 0.015625 C 4.269531 0.078125 3.914062 0.109375 3.5 0.109375 C 2.9375 0.109375 2.4375 -0.00390625 2 -0.234375 C 1.5625 -0.460938 1.21875 -0.804688 0.96875 -1.265625 C 0.726562 -1.722656 0.609375 -2.285156 0.609375 -2.953125 C 0.609375 -3.609375 0.71875 -4.171875 0.9375 -4.640625 C 1.164062 -5.117188 1.476562 -5.484375 1.875 -5.734375 C 2.269531 -5.984375 2.734375 -6.109375 3.265625 -6.109375 Z M 3.265625 -5.3125 C 2.785156 -5.3125 2.410156 -5.160156 2.140625 -4.859375 C 1.867188 -4.554688 1.707031 -4.132812 1.65625 -3.59375 L 4.71875 -3.59375 C 4.707031 -4.101562 4.585938 -4.515625 4.359375 -4.828125 C 4.128906 -5.148438 3.765625 -5.3125 3.265625 -5.3125 Z M 3.265625 -5.3125 "/> +</symbol> +<symbol overflow="visible" id="glyph1-5"> +<path style="stroke:none;" d="M 3.359375 0.109375 C 2.828125 0.109375 2.351562 0.00390625 1.9375 -0.203125 C 1.53125 -0.421875 1.207031 -0.757812 0.96875 -1.21875 C 0.726562 -1.675781 0.609375 -2.257812 0.609375 -2.96875 C 0.609375 -3.707031 0.734375 -4.304688 0.984375 -4.765625 C 1.234375 -5.234375 1.566406 -5.570312 1.984375 -5.78125 C 2.410156 -6 2.890625 -6.109375 3.421875 -6.109375 C 3.734375 -6.109375 4.03125 -6.078125 4.3125 -6.015625 C 4.59375 -5.953125 4.820312 -5.878906 5 -5.796875 L 4.703125 -4.96875 C 4.523438 -5.039062 4.316406 -5.101562 4.078125 -5.15625 C 3.835938 -5.21875 3.613281 -5.25 3.40625 -5.25 C 2.226562 -5.25 1.640625 -4.492188 1.640625 -2.984375 C 1.640625 -2.253906 1.78125 -1.695312 2.0625 -1.3125 C 2.351562 -0.925781 2.78125 -0.734375 3.34375 -0.734375 C 3.675781 -0.734375 3.96875 -0.765625 4.21875 -0.828125 C 4.46875 -0.898438 4.695312 -0.988281 4.90625 -1.09375 L 4.90625 -0.21875 C 4.707031 -0.113281 4.484375 -0.0351562 4.234375 0.015625 C 3.992188 0.078125 3.703125 0.109375 3.359375 0.109375 Z M 3.359375 0.109375 "/> +</symbol> +<symbol overflow="visible" id="glyph1-6"> +<path style="stroke:none;" d="M 2.953125 -0.6875 C 3.109375 -0.6875 3.265625 -0.695312 3.421875 -0.71875 C 3.578125 -0.75 3.703125 -0.78125 3.796875 -0.8125 L 3.796875 -0.0625 C 3.691406 -0.0078125 3.539062 0.03125 3.34375 0.0625 C 3.15625 0.09375 2.972656 0.109375 2.796875 0.109375 C 2.472656 0.109375 2.179688 0.0546875 1.921875 -0.046875 C 1.660156 -0.160156 1.445312 -0.347656 1.28125 -0.609375 C 1.113281 -0.878906 1.03125 -1.257812 1.03125 -1.75 L 1.03125 -5.25 L 0.171875 -5.25 L 0.171875 -5.71875 L 1.046875 -6.109375 L 1.4375 -7.375 L 2.015625 -7.375 L 2.015625 -6 L 3.75 -6 L 3.75 -5.25 L 2.015625 -5.25 L 2.015625 -1.765625 C 2.015625 -1.398438 2.101562 -1.128906 2.28125 -0.953125 C 2.457031 -0.773438 2.679688 -0.6875 2.953125 -0.6875 Z M 2.953125 -0.6875 "/> +</symbol> +<symbol overflow="visible" id="glyph1-7"> +<path style="stroke:none;" d="M 6.171875 -3.015625 C 6.171875 -2.023438 5.914062 -1.253906 5.40625 -0.703125 C 4.90625 -0.160156 4.226562 0.109375 3.375 0.109375 C 2.84375 0.109375 2.367188 -0.0078125 1.953125 -0.25 C 1.535156 -0.488281 1.207031 -0.84375 0.96875 -1.3125 C 0.726562 -1.78125 0.609375 -2.347656 0.609375 -3.015625 C 0.609375 -4.003906 0.859375 -4.765625 1.359375 -5.296875 C 1.867188 -5.835938 2.550781 -6.109375 3.40625 -6.109375 C 3.945312 -6.109375 4.425781 -5.988281 4.84375 -5.75 C 5.257812 -5.507812 5.582031 -5.160156 5.8125 -4.703125 C 6.050781 -4.242188 6.171875 -3.679688 6.171875 -3.015625 Z M 1.640625 -3.015625 C 1.640625 -2.304688 1.773438 -1.742188 2.046875 -1.328125 C 2.328125 -0.910156 2.773438 -0.703125 3.390625 -0.703125 C 3.992188 -0.703125 4.4375 -0.910156 4.71875 -1.328125 C 5.007812 -1.742188 5.15625 -2.304688 5.15625 -3.015625 C 5.15625 -3.722656 5.007812 -4.273438 4.71875 -4.671875 C 4.4375 -5.078125 3.992188 -5.28125 3.390625 -5.28125 C 2.773438 -5.28125 2.328125 -5.078125 2.046875 -4.671875 C 1.773438 -4.273438 1.640625 -3.722656 1.640625 -3.015625 Z M 1.640625 -3.015625 "/> +</symbol> +<symbol overflow="visible" id="glyph1-8"> +<path style="stroke:none;" d="M 3.75 -6.109375 C 3.863281 -6.109375 3.984375 -6.101562 4.109375 -6.09375 C 4.242188 -6.082031 4.359375 -6.066406 4.453125 -6.046875 L 4.328125 -5.140625 C 4.234375 -5.160156 4.128906 -5.175781 4.015625 -5.1875 C 3.898438 -5.207031 3.789062 -5.21875 3.6875 -5.21875 C 3.375 -5.21875 3.082031 -5.132812 2.8125 -4.96875 C 2.550781 -4.800781 2.335938 -4.566406 2.171875 -4.265625 C 2.015625 -3.960938 1.9375 -3.609375 1.9375 -3.203125 L 1.9375 0 L 0.953125 0 L 0.953125 -6 L 1.765625 -6 L 1.875 -4.90625 L 1.921875 -4.90625 C 2.109375 -5.238281 2.351562 -5.519531 2.65625 -5.75 C 2.96875 -5.988281 3.332031 -6.109375 3.75 -6.109375 Z M 3.75 -6.109375 "/> +</symbol> +<symbol overflow="visible" id="glyph1-9"> +<path style="stroke:none;" d="M 0.453125 -2.5625 L 0.453125 -3.4375 L 3.15625 -3.4375 L 3.15625 -2.5625 Z M 0.453125 -2.5625 "/> +</symbol> +<symbol overflow="visible" id="glyph1-10"> +<path style="stroke:none;" d="M 3.203125 -8 C 4.242188 -8 5.003906 -7.789062 5.484375 -7.375 C 5.960938 -6.96875 6.203125 -6.390625 6.203125 -5.640625 C 6.203125 -5.203125 6.101562 -4.789062 5.90625 -4.40625 C 5.707031 -4.019531 5.375 -3.707031 4.90625 -3.46875 C 4.445312 -3.226562 3.816406 -3.109375 3.015625 -3.109375 L 2.09375 -3.109375 L 2.09375 0 L 1.09375 0 L 1.09375 -8 Z M 3.109375 -7.140625 L 2.09375 -7.140625 L 2.09375 -3.984375 L 2.90625 -3.984375 C 3.664062 -3.984375 4.234375 -4.101562 4.609375 -4.34375 C 4.984375 -4.59375 5.171875 -5.007812 5.171875 -5.59375 C 5.171875 -6.113281 5.003906 -6.5 4.671875 -6.75 C 4.335938 -7.007812 3.816406 -7.140625 3.109375 -7.140625 Z M 3.109375 -7.140625 "/> +</symbol> +<symbol overflow="visible" id="glyph1-11"> +<path style="stroke:none;" d="M 1.9375 0 L 0.953125 0 L 0.953125 -8.515625 L 1.9375 -8.515625 Z M 1.9375 0 "/> +</symbol> +<symbol overflow="visible" id="glyph1-12"> +<path style="stroke:none;" d="M 5.96875 -6 L 5.96875 0 L 5.171875 0 L 5.015625 -0.796875 L 4.96875 -0.796875 C 4.78125 -0.484375 4.515625 -0.253906 4.171875 -0.109375 C 3.828125 0.0351562 3.457031 0.109375 3.0625 0.109375 C 2.34375 0.109375 1.800781 -0.0625 1.4375 -0.40625 C 1.070312 -0.757812 0.890625 -1.316406 0.890625 -2.078125 L 0.890625 -6 L 1.875 -6 L 1.875 -2.140625 C 1.875 -1.179688 2.320312 -0.703125 3.21875 -0.703125 C 3.882812 -0.703125 4.34375 -0.890625 4.59375 -1.265625 C 4.851562 -1.640625 4.984375 -2.175781 4.984375 -2.875 L 4.984375 -6 Z M 5.96875 -6 "/> +</symbol> +<symbol overflow="visible" id="glyph1-13"> +<path style="stroke:none;" d="M 3.078125 -6.109375 C 3.472656 -6.109375 3.828125 -6.035156 4.140625 -5.890625 C 4.460938 -5.742188 4.738281 -5.515625 4.96875 -5.203125 L 5.015625 -5.203125 L 5.15625 -6 L 5.9375 -6 L 5.9375 0.09375 C 5.9375 0.957031 5.71875 1.601562 5.28125 2.03125 C 4.84375 2.46875 4.164062 2.6875 3.25 2.6875 C 2.363281 2.6875 1.644531 2.5625 1.09375 2.3125 L 1.09375 1.40625 C 1.675781 1.71875 2.414062 1.875 3.3125 1.875 C 3.820312 1.875 4.222656 1.722656 4.515625 1.421875 C 4.816406 1.117188 4.96875 0.703125 4.96875 0.171875 L 4.96875 -0.0625 C 4.96875 -0.144531 4.96875 -0.269531 4.96875 -0.4375 C 4.976562 -0.601562 4.988281 -0.722656 5 -0.796875 L 4.953125 -0.796875 C 4.546875 -0.191406 3.925781 0.109375 3.09375 0.109375 C 2.3125 0.109375 1.703125 -0.160156 1.265625 -0.703125 C 0.828125 -1.253906 0.609375 -2.015625 0.609375 -2.984375 C 0.609375 -3.941406 0.828125 -4.703125 1.265625 -5.265625 C 1.703125 -5.828125 2.304688 -6.109375 3.078125 -6.109375 Z M 3.21875 -5.28125 C 2.71875 -5.28125 2.328125 -5.082031 2.046875 -4.6875 C 1.773438 -4.289062 1.640625 -3.722656 1.640625 -2.984375 C 1.640625 -2.242188 1.773438 -1.675781 2.046875 -1.28125 C 2.316406 -0.882812 2.710938 -0.6875 3.234375 -0.6875 C 3.835938 -0.6875 4.273438 -0.847656 4.546875 -1.171875 C 4.828125 -1.503906 4.96875 -2.03125 4.96875 -2.75 L 4.96875 -2.984375 C 4.96875 -3.804688 4.828125 -4.394531 4.546875 -4.75 C 4.265625 -5.101562 3.820312 -5.28125 3.21875 -5.28125 Z M 3.21875 -5.28125 "/> +</symbol> +<symbol overflow="visible" id="glyph1-14"> +<path style="stroke:none;" d="M 3.84375 -6.109375 C 4.5625 -6.109375 5.101562 -5.9375 5.46875 -5.59375 C 5.832031 -5.25 6.015625 -4.6875 6.015625 -3.90625 L 6.015625 0 L 5.046875 0 L 5.046875 -3.84375 C 5.046875 -4.800781 4.597656 -5.28125 3.703125 -5.28125 C 3.035156 -5.28125 2.570312 -5.09375 2.3125 -4.71875 C 2.0625 -4.351562 1.9375 -3.816406 1.9375 -3.109375 L 1.9375 0 L 0.953125 0 L 0.953125 -6 L 1.75 -6 L 1.890625 -5.1875 L 1.953125 -5.1875 C 2.140625 -5.5 2.40625 -5.726562 2.75 -5.875 C 3.09375 -6.03125 3.457031 -6.109375 3.84375 -6.109375 Z M 3.84375 -6.109375 "/> +</symbol> +<symbol overflow="visible" id="glyph1-15"> +<path style="stroke:none;" d="M 3.8125 -6.109375 C 4.550781 -6.109375 5.144531 -5.851562 5.59375 -5.34375 C 6.050781 -4.832031 6.28125 -4.054688 6.28125 -3.015625 C 6.28125 -1.992188 6.050781 -1.21875 5.59375 -0.6875 C 5.144531 -0.15625 4.546875 0.109375 3.796875 0.109375 C 3.335938 0.109375 2.957031 0.0195312 2.65625 -0.15625 C 2.351562 -0.332031 2.113281 -0.535156 1.9375 -0.765625 L 1.875 -0.765625 C 1.882812 -0.640625 1.894531 -0.476562 1.90625 -0.28125 C 1.925781 -0.0820312 1.9375 0.0820312 1.9375 0.21875 L 1.9375 2.6875 L 0.953125 2.6875 L 0.953125 -6 L 1.765625 -6 L 1.890625 -5.1875 L 1.9375 -5.1875 C 2.113281 -5.445312 2.347656 -5.664062 2.640625 -5.84375 C 2.929688 -6.019531 3.320312 -6.109375 3.8125 -6.109375 Z M 3.625 -5.28125 C 3.019531 -5.28125 2.585938 -5.109375 2.328125 -4.765625 C 2.078125 -4.421875 1.945312 -3.898438 1.9375 -3.203125 L 1.9375 -3.015625 C 1.9375 -2.273438 2.054688 -1.703125 2.296875 -1.296875 C 2.546875 -0.898438 3 -0.703125 3.65625 -0.703125 C 4.019531 -0.703125 4.316406 -0.800781 4.546875 -1 C 4.785156 -1.207031 4.960938 -1.484375 5.078125 -1.828125 C 5.191406 -2.179688 5.25 -2.582031 5.25 -3.03125 C 5.25 -3.71875 5.113281 -4.265625 4.84375 -4.671875 C 4.582031 -5.078125 4.175781 -5.28125 3.625 -5.28125 Z M 3.625 -5.28125 "/> +</symbol> +<symbol overflow="visible" id="glyph1-16"> +<path style="stroke:none;" d="M 3.21875 -6.109375 C 3.957031 -6.109375 4.5 -5.945312 4.84375 -5.625 C 5.195312 -5.300781 5.375 -4.789062 5.375 -4.09375 L 5.375 0 L 4.65625 0 L 4.46875 -0.84375 L 4.421875 -0.84375 C 4.160156 -0.519531 3.882812 -0.28125 3.59375 -0.125 C 3.3125 0.03125 2.914062 0.109375 2.40625 0.109375 C 1.863281 0.109375 1.410156 -0.03125 1.046875 -0.3125 C 0.691406 -0.601562 0.515625 -1.054688 0.515625 -1.671875 C 0.515625 -2.265625 0.75 -2.722656 1.21875 -3.046875 C 1.6875 -3.378906 2.410156 -3.554688 3.390625 -3.578125 L 4.40625 -3.625 L 4.40625 -3.984375 C 4.40625 -4.484375 4.296875 -4.828125 4.078125 -5.015625 C 3.867188 -5.210938 3.566406 -5.3125 3.171875 -5.3125 C 2.859375 -5.3125 2.554688 -5.265625 2.265625 -5.171875 C 1.984375 -5.078125 1.722656 -4.96875 1.484375 -4.84375 L 1.171875 -5.59375 C 1.429688 -5.726562 1.738281 -5.847656 2.09375 -5.953125 C 2.457031 -6.054688 2.832031 -6.109375 3.21875 -6.109375 Z M 3.515625 -2.90625 C 2.765625 -2.875 2.242188 -2.753906 1.953125 -2.546875 C 1.671875 -2.335938 1.53125 -2.039062 1.53125 -1.65625 C 1.53125 -1.320312 1.632812 -1.078125 1.84375 -0.921875 C 2.050781 -0.765625 2.3125 -0.6875 2.625 -0.6875 C 3.132812 -0.6875 3.554688 -0.828125 3.890625 -1.109375 C 4.234375 -1.390625 4.40625 -1.816406 4.40625 -2.390625 L 4.40625 -2.9375 Z M 3.515625 -2.90625 "/> +</symbol> +<symbol overflow="visible" id="glyph1-17"> +<path style="stroke:none;" d="M 0.015625 -6 L 1.0625 -6 L 2.359375 -2.59375 C 2.472656 -2.289062 2.570312 -2.003906 2.65625 -1.734375 C 2.75 -1.460938 2.820312 -1.203125 2.875 -0.953125 L 2.90625 -0.953125 C 2.957031 -1.140625 3.03125 -1.382812 3.125 -1.6875 C 3.21875 -1.988281 3.316406 -2.289062 3.421875 -2.59375 L 4.65625 -6 L 5.71875 -6 L 3.125 0.828125 C 2.914062 1.398438 2.644531 1.851562 2.3125 2.1875 C 1.976562 2.519531 1.519531 2.6875 0.9375 2.6875 C 0.757812 2.6875 0.601562 2.675781 0.46875 2.65625 C 0.332031 2.632812 0.21875 2.613281 0.125 2.59375 L 0.125 1.8125 C 0.207031 1.832031 0.304688 1.847656 0.421875 1.859375 C 0.535156 1.867188 0.65625 1.875 0.78125 1.875 C 1.125 1.875 1.398438 1.773438 1.609375 1.578125 C 1.828125 1.390625 2 1.132812 2.125 0.8125 L 2.4375 0.015625 Z M 0.015625 -6 "/> +</symbol> +<symbol overflow="visible" id="glyph1-18"> +<path style="stroke:none;" d="M 2.09375 0 L 1.09375 0 L 1.09375 -8 L 5.5625 -8 L 5.5625 -7.109375 L 2.09375 -7.109375 L 2.09375 -4.28125 L 5.34375 -4.28125 L 5.34375 -3.390625 L 2.09375 -3.390625 Z M 2.09375 0 "/> +</symbol> +<symbol overflow="visible" id="glyph1-19"> +<path style="stroke:none;" d="M 3.625 0 L 2.609375 0 L 2.609375 -7.109375 L 0.109375 -7.109375 L 0.109375 -8 L 6.109375 -8 L 6.109375 -7.109375 L 3.625 -7.109375 Z M 3.625 0 "/> +</symbol> +<symbol overflow="visible" id="glyph1-20"> +<path style="stroke:none;" d="M 4.515625 -7.21875 C 3.648438 -7.21875 2.972656 -6.929688 2.484375 -6.359375 C 1.992188 -5.785156 1.75 -5 1.75 -4 C 1.75 -3.007812 1.976562 -2.222656 2.4375 -1.640625 C 2.894531 -1.054688 3.582031 -0.765625 4.5 -0.765625 C 4.851562 -0.765625 5.1875 -0.796875 5.5 -0.859375 C 5.8125 -0.921875 6.117188 -1 6.421875 -1.09375 L 6.421875 -0.21875 C 6.117188 -0.101562 5.804688 -0.0195312 5.484375 0.03125 C 5.171875 0.0820312 4.796875 0.109375 4.359375 0.109375 C 3.546875 0.109375 2.863281 -0.0546875 2.3125 -0.390625 C 1.769531 -0.722656 1.363281 -1.195312 1.09375 -1.8125 C 0.820312 -2.4375 0.6875 -3.171875 0.6875 -4.015625 C 0.6875 -4.816406 0.832031 -5.523438 1.125 -6.140625 C 1.414062 -6.753906 1.847656 -7.234375 2.421875 -7.578125 C 3.003906 -7.929688 3.707031 -8.109375 4.53125 -8.109375 C 5.375 -8.109375 6.109375 -7.953125 6.734375 -7.640625 L 6.328125 -6.78125 C 6.078125 -6.894531 5.800781 -6.992188 5.5 -7.078125 C 5.195312 -7.171875 4.867188 -7.21875 4.515625 -7.21875 Z M 4.515625 -7.21875 "/> +</symbol> +<symbol overflow="visible" id="glyph2-0"> +<path style="stroke:none;" d="M 1.5 0 L 1.5 -11.421875 L 8.078125 -11.421875 L 8.078125 0 Z M 2.3125 -0.8125 L 7.265625 -0.8125 L 7.265625 -10.609375 L 2.3125 -10.609375 Z M 2.3125 -0.8125 "/> +</symbol> +<symbol overflow="visible" id="glyph2-1"> +<path style="stroke:none;" d="M 15.46875 -11.421875 L 12.5625 0 L 9.8125 0 L 8.25 -6 C 8.21875 -6.113281 8.175781 -6.285156 8.125 -6.515625 C 8.082031 -6.753906 8.03125 -7.015625 7.96875 -7.296875 C 7.914062 -7.578125 7.867188 -7.84375 7.828125 -8.09375 C 7.785156 -8.34375 7.753906 -8.535156 7.734375 -8.671875 C 7.722656 -8.535156 7.691406 -8.34375 7.640625 -8.09375 C 7.585938 -7.84375 7.535156 -7.578125 7.484375 -7.296875 C 7.429688 -7.023438 7.378906 -6.769531 7.328125 -6.53125 C 7.273438 -6.289062 7.234375 -6.109375 7.203125 -5.984375 L 5.65625 0 L 2.90625 0 L 0 -11.421875 L 2.390625 -11.421875 L 3.84375 -5.1875 C 3.90625 -4.9375 3.972656 -4.625 4.046875 -4.25 C 4.117188 -3.882812 4.1875 -3.515625 4.25 -3.140625 C 4.320312 -2.765625 4.375 -2.445312 4.40625 -2.1875 C 4.4375 -2.457031 4.484375 -2.773438 4.546875 -3.140625 C 4.609375 -3.515625 4.671875 -3.875 4.734375 -4.21875 C 4.804688 -4.5625 4.867188 -4.832031 4.921875 -5.03125 L 6.59375 -11.421875 L 8.875 -11.421875 L 10.546875 -5.03125 C 10.597656 -4.84375 10.65625 -4.570312 10.71875 -4.21875 C 10.789062 -3.875 10.859375 -3.515625 10.921875 -3.140625 C 10.992188 -2.765625 11.046875 -2.445312 11.078125 -2.1875 C 11.109375 -2.457031 11.15625 -2.773438 11.21875 -3.140625 C 11.28125 -3.515625 11.347656 -3.882812 11.421875 -4.25 C 11.503906 -4.625 11.570312 -4.9375 11.625 -5.1875 L 13.09375 -11.421875 Z M 15.46875 -11.421875 "/> +</symbol> +<symbol overflow="visible" id="glyph2-2"> +<path style="stroke:none;" d="M 2.453125 -12.15625 C 2.796875 -12.15625 3.097656 -12.070312 3.359375 -11.90625 C 3.617188 -11.738281 3.75 -11.429688 3.75 -10.984375 C 3.75 -10.554688 3.617188 -10.253906 3.359375 -10.078125 C 3.097656 -9.910156 2.796875 -9.828125 2.453125 -9.828125 C 2.085938 -9.828125 1.78125 -9.910156 1.53125 -10.078125 C 1.28125 -10.253906 1.15625 -10.554688 1.15625 -10.984375 C 1.15625 -11.429688 1.28125 -11.738281 1.53125 -11.90625 C 1.78125 -12.070312 2.085938 -12.15625 2.453125 -12.15625 Z M 3.625 -8.734375 L 3.625 0 L 1.25 0 L 1.25 -8.734375 Z M 3.625 -8.734375 "/> +</symbol> +<symbol overflow="visible" id="glyph2-3"> +<path style="stroke:none;" d="M 6.125 -8.890625 C 6.238281 -8.890625 6.375 -8.882812 6.53125 -8.875 C 6.695312 -8.863281 6.828125 -8.847656 6.921875 -8.828125 L 6.75 -6.59375 C 6.675781 -6.613281 6.566406 -6.628906 6.421875 -6.640625 C 6.273438 -6.660156 6.148438 -6.671875 6.046875 -6.671875 C 5.640625 -6.671875 5.25 -6.597656 4.875 -6.453125 C 4.5 -6.304688 4.195312 -6.070312 3.96875 -5.75 C 3.738281 -5.4375 3.625 -5.003906 3.625 -4.453125 L 3.625 0 L 1.25 0 L 1.25 -8.734375 L 3.0625 -8.734375 L 3.40625 -7.265625 L 3.515625 -7.265625 C 3.773438 -7.710938 4.128906 -8.09375 4.578125 -8.40625 C 5.023438 -8.726562 5.539062 -8.890625 6.125 -8.890625 Z M 6.125 -8.890625 "/> +</symbol> +<symbol overflow="visible" id="glyph2-4"> +<path style="stroke:none;" d="M 4.84375 -8.890625 C 6.050781 -8.890625 7.003906 -8.546875 7.703125 -7.859375 C 8.410156 -7.171875 8.765625 -6.191406 8.765625 -4.921875 L 8.765625 -3.78125 L 3.140625 -3.78125 C 3.160156 -3.101562 3.359375 -2.570312 3.734375 -2.1875 C 4.109375 -1.800781 4.632812 -1.609375 5.3125 -1.609375 C 5.875 -1.609375 6.382812 -1.664062 6.84375 -1.78125 C 7.300781 -1.894531 7.773438 -2.066406 8.265625 -2.296875 L 8.265625 -0.46875 C 7.835938 -0.25 7.382812 -0.09375 6.90625 0 C 6.4375 0.101562 5.867188 0.15625 5.203125 0.15625 C 4.328125 0.15625 3.550781 -0.00390625 2.875 -0.328125 C 2.207031 -0.648438 1.679688 -1.140625 1.296875 -1.796875 C 0.910156 -2.460938 0.71875 -3.296875 0.71875 -4.296875 C 0.71875 -5.328125 0.890625 -6.179688 1.234375 -6.859375 C 1.585938 -7.535156 2.070312 -8.039062 2.6875 -8.375 C 3.300781 -8.71875 4.019531 -8.890625 4.84375 -8.890625 Z M 4.859375 -7.203125 C 4.398438 -7.203125 4.019531 -7.050781 3.71875 -6.75 C 3.414062 -6.445312 3.238281 -5.984375 3.1875 -5.359375 L 6.53125 -5.359375 C 6.519531 -5.890625 6.378906 -6.328125 6.109375 -6.671875 C 5.847656 -7.023438 5.429688 -7.203125 4.859375 -7.203125 Z M 4.859375 -7.203125 "/> +</symbol> +<symbol overflow="visible" id="glyph2-5"> +<path style="stroke:none;" d="M 7.34375 -2.59375 C 7.34375 -1.707031 7.03125 -1.023438 6.40625 -0.546875 C 5.78125 -0.078125 4.847656 0.15625 3.609375 0.15625 C 3.003906 0.15625 2.484375 0.113281 2.046875 0.03125 C 1.609375 -0.0390625 1.171875 -0.171875 0.734375 -0.359375 L 0.734375 -2.3125 C 1.203125 -2.101562 1.707031 -1.925781 2.25 -1.78125 C 2.800781 -1.644531 3.285156 -1.578125 3.703125 -1.578125 C 4.171875 -1.578125 4.5 -1.644531 4.6875 -1.78125 C 4.882812 -1.925781 4.984375 -2.113281 4.984375 -2.34375 C 4.984375 -2.488281 4.941406 -2.617188 4.859375 -2.734375 C 4.785156 -2.847656 4.613281 -2.976562 4.34375 -3.125 C 4.082031 -3.28125 3.671875 -3.476562 3.109375 -3.71875 C 2.554688 -3.945312 2.101562 -4.175781 1.75 -4.40625 C 1.40625 -4.632812 1.144531 -4.910156 0.96875 -5.234375 C 0.800781 -5.566406 0.71875 -5.976562 0.71875 -6.46875 C 0.71875 -7.28125 1.03125 -7.882812 1.65625 -8.28125 C 2.289062 -8.6875 3.128906 -8.890625 4.171875 -8.890625 C 4.710938 -8.890625 5.226562 -8.835938 5.71875 -8.734375 C 6.21875 -8.628906 6.726562 -8.453125 7.25 -8.203125 L 6.53125 -6.5 C 6.101562 -6.675781 5.695312 -6.828125 5.3125 -6.953125 C 4.925781 -7.078125 4.535156 -7.140625 4.140625 -7.140625 C 3.441406 -7.140625 3.09375 -6.945312 3.09375 -6.5625 C 3.09375 -6.425781 3.132812 -6.300781 3.21875 -6.1875 C 3.3125 -6.070312 3.488281 -5.945312 3.75 -5.8125 C 4.007812 -5.6875 4.394531 -5.519531 4.90625 -5.3125 C 5.40625 -5.113281 5.835938 -4.90625 6.203125 -4.6875 C 6.566406 -4.46875 6.847656 -4.191406 7.046875 -3.859375 C 7.242188 -3.535156 7.34375 -3.113281 7.34375 -2.59375 Z M 7.34375 -2.59375 "/> +</symbol> +<symbol overflow="visible" id="glyph2-6"> +<path style="stroke:none;" d="M 3.625 -9.6875 C 3.625 -9.257812 3.609375 -8.847656 3.578125 -8.453125 C 3.554688 -8.054688 3.535156 -7.773438 3.515625 -7.609375 L 3.640625 -7.609375 C 3.921875 -8.054688 4.28125 -8.378906 4.71875 -8.578125 C 5.15625 -8.785156 5.640625 -8.890625 6.171875 -8.890625 C 7.117188 -8.890625 7.878906 -8.632812 8.453125 -8.125 C 9.023438 -7.625 9.3125 -6.816406 9.3125 -5.703125 L 9.3125 0 L 6.921875 0 L 6.921875 -5.109375 C 6.921875 -6.359375 6.453125 -6.984375 5.515625 -6.984375 C 4.804688 -6.984375 4.3125 -6.734375 4.03125 -6.234375 C 3.757812 -5.742188 3.625 -5.035156 3.625 -4.109375 L 3.625 0 L 1.25 0 L 1.25 -12.15625 L 3.625 -12.15625 Z M 3.625 -9.6875 "/> +</symbol> +<symbol overflow="visible" id="glyph2-7"> +<path style="stroke:none;" d="M 4.828125 -8.90625 C 6.003906 -8.90625 6.90625 -8.648438 7.53125 -8.140625 C 8.15625 -7.640625 8.46875 -6.867188 8.46875 -5.828125 L 8.46875 0 L 6.796875 0 L 6.34375 -1.1875 L 6.265625 -1.1875 C 5.898438 -0.71875 5.507812 -0.375 5.09375 -0.15625 C 4.675781 0.0507812 4.101562 0.15625 3.375 0.15625 C 2.59375 0.15625 1.945312 -0.0664062 1.4375 -0.515625 C 0.925781 -0.972656 0.671875 -1.671875 0.671875 -2.609375 C 0.671875 -3.535156 0.992188 -4.21875 1.640625 -4.65625 C 2.296875 -5.101562 3.273438 -5.347656 4.578125 -5.390625 L 6.09375 -5.4375 L 6.09375 -5.828125 C 6.09375 -6.285156 5.972656 -6.617188 5.734375 -6.828125 C 5.492188 -7.046875 5.160156 -7.15625 4.734375 -7.15625 C 4.304688 -7.15625 3.890625 -7.09375 3.484375 -6.96875 C 3.078125 -6.84375 2.671875 -6.691406 2.265625 -6.515625 L 1.484375 -8.125 C 1.953125 -8.375 2.472656 -8.566406 3.046875 -8.703125 C 3.617188 -8.835938 4.210938 -8.90625 4.828125 -8.90625 Z M 5.171875 -4.015625 C 4.398438 -3.992188 3.863281 -3.851562 3.5625 -3.59375 C 3.269531 -3.34375 3.125 -3.007812 3.125 -2.59375 C 3.125 -2.226562 3.226562 -1.96875 3.4375 -1.8125 C 3.65625 -1.65625 3.929688 -1.578125 4.265625 -1.578125 C 4.785156 -1.578125 5.21875 -1.726562 5.5625 -2.03125 C 5.914062 -2.34375 6.09375 -2.773438 6.09375 -3.328125 L 6.09375 -4.046875 Z M 5.171875 -4.015625 "/> +</symbol> +<symbol overflow="visible" id="glyph2-8"> +<path style="stroke:none;" d="M 3.625 -6.71875 C 3.625 -6.382812 3.609375 -6.054688 3.578125 -5.734375 C 3.554688 -5.410156 3.53125 -5.082031 3.5 -4.75 L 3.53125 -4.75 C 3.695312 -4.976562 3.863281 -5.207031 4.03125 -5.4375 C 4.195312 -5.664062 4.378906 -5.878906 4.578125 -6.078125 L 7.03125 -8.734375 L 9.71875 -8.734375 L 6.234375 -4.9375 L 9.921875 0 L 7.171875 0 L 4.65625 -3.53125 L 3.625 -2.71875 L 3.625 0 L 1.25 0 L 1.25 -12.15625 L 3.625 -12.15625 Z M 3.625 -6.71875 "/> +</symbol> +</g> +</defs> +<g id="surface1057"> +<rect x="0" y="0" width="463" height="663" style="fill:rgb(100%,100%,100%);fill-opacity:1;stroke:none;"/> +<path style="fill-rule:evenodd;fill:rgb(89.803922%,89.803922%,89.803922%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 14 8 L 37 8 L 37 24 L 14 24 Z M 14 8 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 16 14 L 25 14 L 25 18 L 16 18 Z M 16 14 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-1" x="117.976562" y="247.710341"/> + <use xlink:href="#glyph0-2" x="126.032118" y="247.710341"/> + <use xlink:href="#glyph0-3" x="133.809896" y="247.710341"/> + <use xlink:href="#glyph0-4" x="138.809896" y="247.710341"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 26.968555 9.710156 L 35.968555 9.710156 L 35.968555 19.710156 L 26.968555 19.710156 Z M 26.968555 9.710156 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-5" x="270.371094" y="221.913466"/> + <use xlink:href="#glyph0-6" x="277.593316" y="221.913466"/> + <use xlink:href="#glyph0-7" x="285.371094" y="221.913466"/> + <use xlink:href="#glyph0-8" x="292.593316" y="221.913466"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 21 20 L 26 20 L 26 23 L 21 23 Z M 21 20 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-9" x="168.40625" y="357.710341"/> + <use xlink:href="#glyph0-10" x="180.350694" y="357.710341"/> + <use xlink:href="#glyph0-3" x="183.684028" y="357.710341"/> + <use xlink:href="#glyph0-4" x="188.684028" y="357.710341"/> + <use xlink:href="#glyph0-11" x="195.90625" y="357.710341"/> + <use xlink:href="#glyph0-7" x="200.628472" y="357.710341"/> + <use xlink:href="#glyph0-6" x="207.850694" y="357.710341"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 14.6375 20 L 20.3625 20 L 20.3625 23 L 14.6375 23 Z M 14.6375 20 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-1" x="48.113281" y="357.710341"/> + <use xlink:href="#glyph0-7" x="56.168837" y="357.710341"/> + <use xlink:href="#glyph0-6" x="63.391059" y="357.710341"/> + <use xlink:href="#glyph0-11" x="71.168837" y="357.710341"/> + <use xlink:href="#glyph0-12" x="75.891059" y="357.710341"/> + <use xlink:href="#glyph0-3" x="83.668837" y="357.710341"/> + <use xlink:href="#glyph0-4" x="88.668837" y="357.710341"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 16 11 L 25 11 L 25 12.9 L 16 12.9 Z M 16 11 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-13" x="107.429688" y="166.710341"/> + <use xlink:href="#glyph0-14" x="116.874132" y="166.710341"/> + <use xlink:href="#glyph0-15" x="126.318576" y="166.710341"/> + <use xlink:href="#glyph0-16" x="130.763021" y="166.710341"/> + <use xlink:href="#glyph0-17" x="134.096354" y="166.710341"/> + <use xlink:href="#glyph0-18" x="137.985243" y="166.710341"/> + <use xlink:href="#glyph0-11" x="147.985243" y="166.710341"/> + <use xlink:href="#glyph0-19" x="152.707465" y="166.710341"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 21.675 25.510742 C 22.406445 25.108984 22.77207 24.975 23.503516 24.975 C 24.234961 24.975 24.600781 25.108984 25.332031 25.510742 L 25.332031 27.653516 C 24.600781 28.055273 24.234961 28.189258 23.503516 28.189258 C 22.77207 28.189258 22.406445 28.055273 21.675 27.653516 Z M 21.675 25.510742 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 21.675 25.510742 C 22.406445 25.9125 22.77207 26.046484 23.503516 26.046484 C 24.234961 26.046484 24.600781 25.9125 25.332031 25.510742 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-20" x="165.273438" y="465.409559"/> + <use xlink:href="#glyph0-7" x="174.717882" y="465.409559"/> + <use xlink:href="#glyph0-3" x="181.940104" y="465.409559"/> + <use xlink:href="#glyph0-21" x="186.940104" y="465.409559"/> + <use xlink:href="#glyph0-21" x="194.717882" y="465.409559"/> + <use xlink:href="#glyph0-10" x="202.49566" y="465.409559"/> + <use xlink:href="#glyph0-22" x="205.828993" y="465.409559"/> + <use xlink:href="#glyph0-23" x="211.940104" y="465.409559"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 20.5 12.9 L 20.5 14 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 26.968555 14.710156 L 25 16 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 22.75 18 L 23.5 20 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 18.25 18 L 17.5 20 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 23.5 23 L 23.503516 24.975 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 29.95 12.541406 L 34.95 12.541406 L 34.95 14.541406 L 29.95 14.541406 Z M 29.95 12.541406 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph1-1" x="344.066406" y="197.828396"/> + <use xlink:href="#glyph1-2" x="352.121962" y="197.828396"/> + <use xlink:href="#glyph1-3" x="354.89974" y="197.828396"/> + <use xlink:href="#glyph1-3" x="360.177517" y="197.828396"/> + <use xlink:href="#glyph1-4" x="365.455295" y="197.828396"/> + <use xlink:href="#glyph1-5" x="371.844184" y="197.828396"/> + <use xlink:href="#glyph1-6" x="377.121962" y="197.828396"/> + <use xlink:href="#glyph1-7" x="381.288628" y="197.828396"/> + <use xlink:href="#glyph1-8" x="387.955295" y="197.828396"/> + <use xlink:href="#glyph1-3" x="392.677517" y="197.828396"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 17.5 23 L 17.502539 25.05 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph2-1" x="22" y="122.014106"/> + <use xlink:href="#glyph2-2" x="37.555556" y="122.014106"/> + <use xlink:href="#glyph2-3" x="42.555556" y="122.014106"/> + <use xlink:href="#glyph2-4" x="49.5" y="122.014106"/> + <use xlink:href="#glyph2-5" x="58.944444" y="122.014106"/> + <use xlink:href="#glyph2-6" x="67" y="122.014106"/> + <use xlink:href="#glyph2-7" x="77.555556" y="122.014106"/> + <use xlink:href="#glyph2-3" x="87.277778" y="122.014106"/> + <use xlink:href="#glyph2-8" x="94.5" y="122.014106"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(70.19608%,70.19608%,70.19608%);fill-opacity:1;stroke-width:0.05;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 18.75 4 L 22.275391 4 L 22.275391 6.644141 L 18.75 6.644141 Z M 18.75 4 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style=" stroke:none;fill-rule:evenodd;fill:rgb(0%,0%,0%);fill-opacity:1;" d="M 104.636719 9.636719 L 159.867188 9.636719 L 159.867188 46.066406 L 104.636719 46.066406 Z M 104.636719 9.636719 "/> +<path style="fill-rule:evenodd;fill:rgb(70.19608%,70.19608%,70.19608%);fill-opacity:1;stroke-width:0.05;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 19.227344 6.644141 L 21.041602 6.644141 L 21.041602 7.055273 L 19.322852 7.055273 Z M 19.227344 6.644141 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(70.19608%,70.19608%,70.19608%);fill-opacity:1;stroke-width:0.05;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 21.041602 6.644141 L 21.798047 6.644141 L 21.702539 7.055273 L 21.041602 7.055273 Z M 21.041602 6.644141 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.05;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 21.164844 6.767383 L 21.329297 6.767383 L 21.329297 6.931836 L 21.164844 6.931836 Z M 21.164844 6.767383 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(70.19608%,70.19608%,70.19608%);fill-opacity:1;stroke-width:0.05;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 20.160156 7.055273 L 20.865234 7.055273 L 20.865234 7.260938 L 21.217773 7.260938 L 21.217773 7.466602 L 19.807617 7.466602 L 19.807617 7.260938 L 20.160156 7.260938 Z M 20.160156 7.055273 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 20.512695 7.466602 L 20.5 11 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 20.3625 21.5 L 21 21.5 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 29.39082 14.516406 L 35.633398 14.516406 L 35.633398 17.016406 L 29.39082 17.016406 Z M 29.39082 14.516406 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph1-1" x="326.96875" y="242.328396"/> + <use xlink:href="#glyph1-2" x="335.024306" y="242.328396"/> + <use xlink:href="#glyph1-3" x="337.802083" y="242.328396"/> + <use xlink:href="#glyph1-3" x="343.079861" y="242.328396"/> + <use xlink:href="#glyph1-4" x="348.357639" y="242.328396"/> + <use xlink:href="#glyph1-5" x="354.746528" y="242.328396"/> + <use xlink:href="#glyph1-6" x="360.024306" y="242.328396"/> + <use xlink:href="#glyph1-7" x="364.190972" y="242.328396"/> + <use xlink:href="#glyph1-8" x="370.857639" y="242.328396"/> + <use xlink:href="#glyph1-9" x="375.579861" y="242.328396"/> + <use xlink:href="#glyph1-10" x="379.190972" y="242.328396"/> + <use xlink:href="#glyph1-11" x="385.857639" y="242.328396"/> + <use xlink:href="#glyph1-12" x="388.635417" y="242.328396"/> + <use xlink:href="#glyph1-13" x="395.579861" y="242.328396"/> + <use xlink:href="#glyph1-2" x="402.524306" y="242.328396"/> + <use xlink:href="#glyph1-14" x="405.302083" y="242.328396"/> + <use xlink:href="#glyph1-3" x="412.246528" y="242.328396"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 29.79707 17.023047 L 35.04707 17.023047 L 35.04707 19.023047 L 29.79707 19.023047 Z M 29.79707 17.023047 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph1-1" x="333.644531" y="287.461209"/> + <use xlink:href="#glyph1-2" x="341.700087" y="287.461209"/> + <use xlink:href="#glyph1-3" x="344.477865" y="287.461209"/> + <use xlink:href="#glyph1-15" x="349.755642" y="287.461209"/> + <use xlink:href="#glyph1-11" x="356.700087" y="287.461209"/> + <use xlink:href="#glyph1-16" x="359.477865" y="287.461209"/> + <use xlink:href="#glyph1-17" x="365.866753" y="287.461209"/> + <use xlink:href="#glyph1-9" x="371.700087" y="287.461209"/> + <use xlink:href="#glyph1-18" x="375.311198" y="287.461209"/> + <use xlink:href="#glyph1-2" x="381.144531" y="287.461209"/> + <use xlink:href="#glyph1-11" x="383.922309" y="287.461209"/> + <use xlink:href="#glyph1-6" x="386.700087" y="287.461209"/> + <use xlink:href="#glyph1-4" x="390.866753" y="287.461209"/> + <use xlink:href="#glyph1-8" x="397.255642" y="287.461209"/> + <use xlink:href="#glyph1-3" x="401.977865" y="287.461209"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 17.5 32.9 L 17.501172 33.805859 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 16.259766 34.60957 C 15.741211 34.597656 14.735547 34.847461 14.876953 35.382812 C 15.018359 35.918164 15.694141 36.037109 15.976953 35.882422 C 16.259766 35.72793 15.536914 36.632031 16.919922 36.869922 C 18.30293 37.107813 19.009961 36.727148 18.805664 36.453516 C 18.601367 36.179883 20.01582 37.096094 20.675977 36.572461 C 21.335938 36.049023 20.000195 35.549414 20.283008 35.620703 C 20.56582 35.692188 21.430273 35.596875 21.147266 34.704687 C 20.864453 33.812305 18.318555 34.502344 18.601367 34.371484 C 18.884375 34.240625 18.177148 33.586328 17.29707 33.717188 C 16.416992 33.848047 16.354492 34.085547 16.260352 34.608984 Z M 16.259766 34.60957 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-24" x="61.425781" y="636.597059"/> + <use xlink:href="#glyph0-4" x="71.148003" y="636.597059"/> + <use xlink:href="#glyph0-11" x="78.370226" y="636.597059"/> + <use xlink:href="#glyph0-25" x="83.092448" y="636.597059"/> + <use xlink:href="#glyph0-2" x="93.092448" y="636.597059"/> + <use xlink:href="#glyph0-3" x="100.870226" y="636.597059"/> + <use xlink:href="#glyph0-23" x="106.148003" y="636.597059"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 29.960156 10.607227 L 34.960156 10.607227 L 34.960156 12.607227 L 29.960156 12.607227 Z M 29.960156 10.607227 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph1-10" x="336.632812" y="159.144803"/> + <use xlink:href="#glyph1-8" x="343.299479" y="159.144803"/> + <use xlink:href="#glyph1-7" x="347.743924" y="159.144803"/> + <use xlink:href="#glyph1-6" x="354.41059" y="159.144803"/> + <use xlink:href="#glyph1-7" x="358.577257" y="159.144803"/> + <use xlink:href="#glyph1-5" x="365.243924" y="159.144803"/> + <use xlink:href="#glyph1-7" x="370.521701" y="159.144803"/> + <use xlink:href="#glyph1-11" x="377.188368" y="159.144803"/> + <use xlink:href="#glyph1-9" x="379.966146" y="159.144803"/> + <use xlink:href="#glyph1-19" x="383.021701" y="159.144803"/> + <use xlink:href="#glyph1-8" x="388.577257" y="159.144803"/> + <use xlink:href="#glyph1-4" x="393.021701" y="159.144803"/> + <use xlink:href="#glyph1-4" x="399.41059" y="159.144803"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 18.778516 32.95 L 18.753516 32.93457 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 14 28.9 L 21 28.9 L 21 32.9 L 14 32.9 Z M 14 28.9 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 14.825 30.25 L 20.175 30.25 L 20.175 32.25 L 14.825 32.25 Z M 14.825 30.25 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph1-20" x="33.113281" y="552.000271"/> + <use xlink:href="#glyph1-16" x="40.057726" y="552.000271"/> + <use xlink:href="#glyph1-15" x="46.446615" y="552.000271"/> + <use xlink:href="#glyph1-6" x="53.391059" y="552.000271"/> + <use xlink:href="#glyph1-12" x="57.557726" y="552.000271"/> + <use xlink:href="#glyph1-8" x="64.50217" y="552.000271"/> + <use xlink:href="#glyph1-4" x="68.946615" y="552.000271"/> + <use xlink:href="#glyph1-9" x="75.335503" y="552.000271"/> + <use xlink:href="#glyph1-18" x="78.946615" y="552.000271"/> + <use xlink:href="#glyph1-2" x="84.779948" y="552.000271"/> + <use xlink:href="#glyph1-11" x="87.557726" y="552.000271"/> + <use xlink:href="#glyph1-6" x="90.335503" y="552.000271"/> + <use xlink:href="#glyph1-4" x="94.50217" y="552.000271"/> + <use xlink:href="#glyph1-8" x="100.891059" y="552.000271"/> + <use xlink:href="#glyph1-3" x="105.613281" y="552.000271"/> +</g> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-8" x="14" y="517.011122"/> + <use xlink:href="#glyph0-6" x="21.777778" y="517.011122"/> + <use xlink:href="#glyph0-26" x="29.555556" y="517.011122"/> + <use xlink:href="#glyph0-7" x="35.666667" y="517.011122"/> + <use xlink:href="#glyph0-6" x="42.888889" y="517.011122"/> + <use xlink:href="#glyph0-16" x="50.666667" y="517.011122"/> + <use xlink:href="#glyph0-27" x="54" y="517.011122"/> + <use xlink:href="#glyph0-16" x="58.722222" y="517.011122"/> + <use xlink:href="#glyph0-28" x="62.055556" y="517.011122"/> + <use xlink:href="#glyph0-10" x="65.388889" y="517.011122"/> + <use xlink:href="#glyph0-29" x="68.722222" y="517.011122"/> + <use xlink:href="#glyph0-6" x="76.5" y="517.011122"/> + <use xlink:href="#glyph0-26" x="84.277778" y="517.011122"/> + <use xlink:href="#glyph0-7" x="90.388889" y="517.011122"/> + <use xlink:href="#glyph0-6" x="97.611111" y="517.011122"/> +</g> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 14.640039 25.05 L 20.365039 25.05 L 20.365039 28.05 L 14.640039 28.05 Z M 14.640039 25.05 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-30" x="43.027344" y="450.710341"/> + <use xlink:href="#glyph0-12" x="52.471788" y="450.710341"/> + <use xlink:href="#glyph0-31" x="60.249566" y="450.710341"/> + <use xlink:href="#glyph0-6" x="72.19401" y="450.710341"/> + <use xlink:href="#glyph0-26" x="79.971788" y="450.710341"/> + <use xlink:href="#glyph0-7" x="86.082899" y="450.710341"/> + <use xlink:href="#glyph0-6" x="93.305122" y="450.710341"/> +</g> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-26" x="26.914062" y="466.710341"/> + <use xlink:href="#glyph0-7" x="33.025174" y="466.710341"/> + <use xlink:href="#glyph0-6" x="40.247396" y="466.710341"/> + <use xlink:href="#glyph0-11" x="48.025174" y="466.710341"/> + <use xlink:href="#glyph0-12" x="52.747396" y="466.710341"/> + <use xlink:href="#glyph0-3" x="60.525174" y="466.710341"/> + <use xlink:href="#glyph0-4" x="65.525174" y="466.710341"/> + <use xlink:href="#glyph0-16" x="72.747396" y="466.710341"/> + <use xlink:href="#glyph0-4" x="76.080729" y="466.710341"/> + <use xlink:href="#glyph0-8" x="83.302951" y="466.710341"/> + <use xlink:href="#glyph0-32" x="91.080729" y="466.710341"/> + <use xlink:href="#glyph0-10" x="98.858507" y="466.710341"/> + <use xlink:href="#glyph0-8" x="102.19184" y="466.710341"/> + <use xlink:href="#glyph0-4" x="109.969618" y="466.710341"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 17.502539 28.05 L 17.5 28.9 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 21.625 26.57207 L 20.412109 26.565625 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill-rule:evenodd;fill:rgb(100%,100%,100%);fill-opacity:1;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 28.839062 20.271484 L 33.839062 20.271484 L 33.839062 23.271484 L 28.839062 23.271484 Z M 28.839062 20.271484 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-14" x="326.007812" y="363.140028"/> + <use xlink:href="#glyph0-11" x="335.452257" y="363.140028"/> + <use xlink:href="#glyph0-10" x="340.174479" y="363.140028"/> + <use xlink:href="#glyph0-28" x="343.507812" y="363.140028"/> + <use xlink:href="#glyph0-10" x="346.841146" y="363.140028"/> + <use xlink:href="#glyph0-11" x="350.174479" y="363.140028"/> + <use xlink:href="#glyph0-10" x="354.896701" y="363.140028"/> + <use xlink:href="#glyph0-4" x="358.230035" y="363.140028"/> + <use xlink:href="#glyph0-22" x="365.452257" y="363.140028"/> +</g> +<path style="fill:none;stroke-width:0.15;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 23.687305 34.999609 L 32.653906 34.999609 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 26.655469 34.756445 L 27.152539 34.757031 " transform="matrix(20,0,0,20,-278,-78)"/> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-miterlimit:10;" d="M 26.648438 35.236328 L 27.145508 35.237109 " transform="matrix(20,0,0,20,-278,-78)"/> +<g style="fill:rgb(0%,0%,0%);fill-opacity:1;"> + <use xlink:href="#glyph0-33" x="323.242188" y="638.292372"/> + <use xlink:href="#glyph0-12" x="331.575521" y="638.292372"/> + <use xlink:href="#glyph0-22" x="339.353299" y="638.292372"/> +</g> +<path style="fill:none;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke:rgb(0%,0%,0%);stroke-opacity:1;stroke-dasharray:0.1,0.1;stroke-miterlimit:10;" d="M 20.00293 32.968945 L 26.903906 34.756641 " transform="matrix(20,0,0,20,-278,-78)"/> +</g> +</svg> diff --git a/doc/wsdg_src/images/ws-logo.png b/doc/wsdg_src/images/ws-logo.png Binary files differnew file mode 100644 index 00000000..04226f39 --- /dev/null +++ b/doc/wsdg_src/images/ws-logo.png diff --git a/doc/wsdg_src/images/wslua-new-dialog.png b/doc/wsdg_src/images/wslua-new-dialog.png Binary files differnew file mode 100644 index 00000000..9de7e4a9 --- /dev/null +++ b/doc/wsdg_src/images/wslua-new-dialog.png diff --git a/doc/wsdg_src/images/wslua-progdlg.png b/doc/wsdg_src/images/wslua-progdlg.png Binary files differnew file mode 100644 index 00000000..d8d95101 --- /dev/null +++ b/doc/wsdg_src/images/wslua-progdlg.png diff --git a/doc/wsdg_src/images/wslua-textwindow.png b/doc/wsdg_src/images/wslua-textwindow.png Binary files differnew file mode 100644 index 00000000..7defd0fa --- /dev/null +++ b/doc/wsdg_src/images/wslua-textwindow.png diff --git a/doc/wsdg_src/wsdg_asn2wrs.adoc b/doc/wsdg_src/wsdg_asn2wrs.adoc new file mode 100644 index 00000000..a5add171 --- /dev/null +++ b/doc/wsdg_src/wsdg_asn2wrs.adoc @@ -0,0 +1,1256 @@ +[#CreatingAsn1Dissectors] + +== Creating ASN.1 Dissectors + +The `asn2wrs` compiler can be used to create a dissector from an ASN.1 specification of a protocol. +It is a work in progress but has been used to create a number of dissectors. + +It supports: + +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.680/en[X.680] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Specification of basic notation +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.681/en[X.681] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Information object specification +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.682/en[X.682] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Constraint specification +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.683/en[X.683] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Parameterization of ASN.1 specifications + +// Limitations: Add text here + +It has inbuilt support for: + +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.880/en[X.880] +(07/1994), Information technology - Remote Operations: Concepts, model +and notation + +[#AboutASN1] + +=== About ASN.1 + +The most useful first step in writing an ASN.1-based dissector is to +learn about ASN.1. There are a number of free resources available to +help with this. One collection of such resources is maintained on +https://www.itu.int/en/ITU-T/asn1/Pages/asn1_project.aspx[the ASN.1 Consortium's web site]. + +[#Asn1DissectorRequirements] +=== ASN.1 Dissector Requirements + +The compiler needs 4 input files: an ASN.1 description of a protocol, a .cnf file, and two template files. +The ASN.1 specification may have to be edited to work, however work is in progress to at least read all ASN1 specifications. +Changing the ASN1 file is being deprecated as this creates problems when updating protocols. +The H.248 Binary encoding dissector is a good example of a dissector with relatively small changes. + +A complete <<SimpleASN1BasedDissector,simple ASN1 UDP-based dissector>> is also available. + +[#BuildingAnASN1BasedPlugin] +==== Building An ASN.1-Based Plugin + +The usual way to build an ASN.1-based dissector is to put it into the +_epan/dissectors/asn1_ subtree. This works well and is somewhat simpler than building as a +plugin, but there are two reasons one might want to build as a plugin: + +* To speed development, since only the plugin needs to be recompiled. +* To allow flexibility in deploying an updated plugin, since only the +plugin needs to be distributed. + +Reasons one might _not_ want to build as a plugin: + +* The code is somewhat more complex. +* The CMakeFile is quite a bit more complex. +* Building under the asn1 subtree keeps all such dissectors together. + +If you still think you'd like to build your module as a plugin, see {wireshark-wiki-url}ASN1_plugin[Building ASN1 Plugins]. + +[#UnderstandingErrorMessages] +=== Understanding Error Messages + +When running asn2wrs, you could get the following errors: + +* A LexToken error (`__main__.ParseError: LexToken(DOT,'.',71)`) +means that something is not understood in the ASN1 file, line 71, +around the dot (.) - can be the dot itself. + +* A ParseError (`__main__.ParseError: LexToken(SEMICOLON,';',88)`) means that the ';' (SEMICOLON) is not understood. Maybe removing it will work? + +[#HandMassagingTheASN1File] +=== Hand-Massaging The ASN.1 File + +If a portion of your ASN.1 file is unsupported you can modify it by hand as needed. +However, the preferred way to resolve the issue is to report it on the link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev] mailing list or in the issue tracker so that asn2wrs can be improved. + +[#CommandLineSyntax] +=== Command Line Syntax + +---- +ASN.1 to Wireshark dissector compiler + + asn2wrs [-h|?] [-d dbg] [-b] [-p proto] [-c cnf_file] [-e] input_file(s) ... + -h|? : Usage + -b : BER (default is PER) + -u : Unaligned (default is aligned) + -p proto : Protocol name (implies -S). Default is module-name + from input_file (renamed by #.MODULE if present) + -o name : Output files name core (default is <proto>) + -O dir : Output directory for dissector + -c cnf_file : Conformance file + -I path : Path for conformance file includes + -e : Create conformance file for exported types + -E : Just create conformance file for exported types + -S : Single output for multiple modules + -s template : Single file output (template is input file + without .c/.h extension) + -k : Keep intermediate files though single file output is used + -L : Suppress #line directive from .cnf file + -D dir : Directory for input_file(s) (default: '.') + -C : Add check for SIZE constraints + -r prefix : Remove the prefix from type names + + input_file(s) : Input ASN.1 file(s) + + -d dbg : Debug output, dbg = [l][y][p][s][a][t][c][m][o] + l - lex + y - yacc + p - parsing + s - internal ASN.1 structure + a - list of assignments + t - tables + c - conformance values + m - list of compiled modules with dependency + o - list of output files +---- + +[#GeneratedFiles] +=== Generated Files + +Asn2wrs creates the following intermediate files: + +* packet-proto-ett.c +* packet-proto-ettarr.c +* packet-proto-fn.c +* packet-proto-hf.c +* packet-proto-hfarr.c +* packet-proto-val.h +* packet-proto-exp.h +* packet-proto-table.c +* packet-proto-syn-reg.c + +These files should be included in the template file as described in the <<ConformanceFiles,conformance file examples>>. +Some are optional. + +[#ASN1StepByStepInstructions] +=== Step By Step Instructions + +. Create a directory for your protocol in the _epan/dissectors/asn1_ directory and put +your ASN.1 file there. +. Copy _CMakeLists.txt_ from another ASN.1 dissector and edit it to suit your needs. +. Create a .cnf file either by copying an existing one and editing it or +using the empty example above. +. Create template files either by copying suitable existing ones and +editing them or use the examples above, putting your protocol name in the +appropriate places. +. Add your dissector to _epan/dissectors/asn1/CMakeLists.txt_ +. Test generating your dissector by building the _generate_dissector-*proto*_ target. +. Depending on the outcome you may have to edit your .cnf file, ASN.1 file +etc... +. Build Wireshark. + +[#HintsForUsingAsn2wrs] +=== Hints For Using Asn2wrs + +Asn2wrs does not support all of ASN.1 yet. +This means you might need to modify the ASN.1 definition before it will compile. +This page lists some tips and tricks that might make your life easier. + +[#COMPONENTS_OF] +[discrete] +==== COMPONENTS OF + +Asn2wrs does not support the COMPONENTS OF directive. +This means that you will have to modify the asn definition to manually +remove all COMPONENTS OF directives. Fortunately this is pretty easy. +COMPONENTS OF is a directive in ASN.1 which include +all specified fields in the referenced SEQUENCE by those fields as if +they had been explicitly specified. + +[#ASN1ComponentsOfExample] +[discrete] +==== Example + +Assume you have some definition that looks like this: + +---- +Foo ::= SEQUENCE { + field_1 INTEGER, + field_2 INTEGER +} + +Bar ::= SEQUENCE { + COMPONENTS OF Foo, + field_3 INTEGER +} +---- + +Since Asn2wrs can not handle COMPONENTS OF you will have to modify the ASN.1 file so that instead Bar +will look like this : + +---- +Bar ::= SEQUENCE { + field_1 INTEGER, + field_2 INTEGER, + field_3 INTEGER +} +---- + +That was pretty easy wasn't it? + +[#SemicolonCharacters] +[discrete] +==== Semicolon Characters + +In some ASN1 you may have semicolon characters like this: + +---- +PBAddressString ::= SEQUENCE { + extension INTEGER(1), natureOfAddressIndicator INTEGER, numberingPlanInd INTEGER, digits OCTET STRING (SIZE(0..19)) +}; +---- + +You will have to remove the last semicolon character. + +[#ASN1Parameters] +[discrete] +==== Parameters + +Parameters will have to be replaced too. +Something like this: + +---- +AChBillingChargingCharacteristics + {PARAMETERS-BOUND : bound} ::= OCTET STRING (SIZE (minAChBillingChargingLength .. +maxAChBillingChargingLength)) +---- + +Will have to be replaced with the real values of the parameters: + +---- +AChBillingChargingCharacteristics ::= OCTET STRING (SIZE (5 .. 177)) +---- + +[#ASN1ANYAndParameterizedTypes] +==== ANY And Parameterized Types + +Asn2wrs can handle the type ANY but not parameterized types. +Fortunately this is easy to work around with small changes to the ASN file and some conformance file magic. +Assuming you have a construct that looks something like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm ALGORITHM.&id({SupportedAlgorithms}), + parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL +} +---- + +Which is essentially a structure that takes two fields, one field being an object identifier and the second field that can be just about anything, depending on what object identifier was used. +Here we just have to rewrite this SEQUENCE slightly so that it looks like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} +---- + +The only thing remaining now is to add the actual code to manage the dissection of this structure. +We do this by using the <<ASN1CnfDirectiveFN_BODY,\#.FN_BODY conformance file directive>>, which will replace the function body of a dissector with the contents that you specify in the conformance file. +For this one we need a string where we store the OID from AlgorithmIdentifier/algorithm so that we can pick it up and act on later from inside the dissector for AlgorithmIdentifier/parameters. +So we have to add something like this: + +[source,c] +---- +static char algorithm_id[64]; /* 64 chars should be enough? */ +---- + +to the template file. +Then we add the following to the conformance file: + +---- +#.FN_BODY AlgorithmIdentifier/algorithmId + +offset = dissect_ber_object_identifier(false, pinfo, tree, tvb, offset, + hf_x509af_algorithm_id, algorithm_id); + +#.FN_BODY AlgorithmIdentifier/parameters + +offset=call_ber_oid_callback(algorithm_id, tvb, offset, pinfo, tree); +---- + +This example comes from the X509AF dissector. Please see the code there +for more examples on how to do this. + +[#TaggedAssignments] +==== Tagged Assignments + +There is currently a bug in Asn2wrs that makes it +generate incorrect code for the case when tagged assignments are used. +The bug is two-fold, first the generated code "forgets" to strip of the +actual tag and length, second it fails to specify 'implicit_tag' +properly. + +A tagged assignment is something that looks like this example from the +FTAM asn specification: + +---- +Degree-Of-Overlap ::= +[APPLICATION 30] IMPLICIT INTEGER { + normal(0), consecutive(1), concurrent(2) +} +---- + +I.e. an assignment that also specifies a tag value. + +Until Asn2wrs is enhanced to handle these constructs you MUST add a workaround for it to the conformance file: + +---- +#.FN_BODY Degree-Of-Overlap + +int8_t class; +bool pc, ind_field; +int32_t tag; +int32_t len1; + +/* + * XXX asn2wrs can not yet handle tagged assignment yes so this + * is some conformance file magic to work around that bug + */ + +offset = get_ber_identifier(tvb, offset, &class, &pc, &tag); +offset = get_ber_length(tree, tvb, offset, &len1, &ind_field); +offset = dissect_ber_integer(true, pinfo, tree, tvb, offset, hf_index, NULL); +---- + +This tells Asn2wrs to not +autogenerate any code at all for the Degree-Of-Overlap object instead it +should use the code specified here. Note that we +do have to specify the implicit_tag value explicitly and we can NOT use +the parameter passed to the function from the caller (also due to the +bug in Asn2wrs) this is the true parameter in the call to +dissect_ber_integer(). We specify true here since +the definition of Degree-Of-Overlap was using IMPLICIT tags and would +have specified false if it was not. + +The code above can be easily cut-n-pasted into the conformance file with +the exception of the last line that actually calls the next dissector +helper (...dissect_ber_integer... in this case). +The easiest way to find out exactly what this +final line should look like in the conformance file; just generate the +dissector first without this workaround and look at what call was +generated. Then put that line in the conformance directive and replace +`implicit_tag` with either true or false depending on whether IMPLICIT +is used or not. + +[#UntaggedCHOICEs] +==== Untagged CHOICEs + +Asn2wrs cannot handle untagged CHOICEs within either a SET or a SEQUENCE. For example: + +---- +MessageTransferEnvelope ::= SET { + ... + content-type ContentType, + ... +} + +ContentType ::= CHOICE { + built-in BuiltInContentType, + extended ExtendedContentType +} + +BuiltInContentType ::= [APPLICATION 6] INTEGER { + unidentified(0), external(1), interpersonal-messaging-1984(2), interpersonal-messaging-1988(22), + edi-messaging(35), voice-messaging(40)} + +ExtendedContentType ::= OBJECT IDENTIFIER +---- + +The Asn2wrs SET/SEQUENCE parsing only looks one level +deep into the dissection tree and does not have access to class/tags of +the elements in the CHOICE. + +As with COMPONENTS OF, the solution is to expand the CHOICE in-line +within the SET or SEQUENCE, but *make sure* that each element of the +CHOICE is marked as OPTIONAL. For example, + +---- +MessageTransferEnvelope ::= SET { + ... + built-in BuiltInContentType OPTIONAL, + extended ExtendedContentType OPTIONAL + ... +} +---- + +This isn't an entirely correct ASN.1 definition, but should allow +successful parsing. + +[#ImportedModuleNameConflicts] +==== Imported Module Name Conflicts + +When importing a module using <<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>> in the conformance file, this +may introduce a definition from the module which contradicts the +definition used in the current ASN.1 file. For example, the X.509 +Authentication Framework defines Time as + +---- +Time ::= CHOICE {utcTime UTCTime, + generalizedTime GeneralizedTime +} +---- + +whereas X.411 defines Time as + +---- +Time ::= UTCTime +---- + +This can lead to failure to decode the ASN.1 as, in the example, +Asn2wrs will be passed the wrong attributes when trying +to decode an X.411 time. In order to solve this +problem, (if you don't want to globally change the conflicting name +within the ASN.1 module), then you must add an appropriate #.TYPE_ATTR +into the conformance file *before* the <<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>> line. For example + +---- +#.TYPE_ATTR +Time TYPE = FT_STRING DISPLAY = BASE_NONE STRING = NULL BITMASK = 0 +---- + +[#SimpleASN1BasedDissector] +=== Simple ASN.1-Based Dissector + +// {wireshark-wiki-moin-import-url}ASN1_sample/foo.tar.gz +// all seven files as gzipped foo directory (suitable for unzipping in +// wireshark/asn1 directory) + +The following snippets show the different files that make up a dissector for a “FOO” protocol dissector. + +.README.txt +---- + + FOO protocol dissector + ---------------------- + +This trivial dissector is an example for the struggling dissector developer (me included) +of how to create a dissector for a protocol that is encapsulated in UDP packets +for a specific port, and the packet data is ASN1 PER encoded. + +The thing that took me a while to figure out was that in order to see my packet +dissected on the detail pane, I had to: +1. Tell the compiler which block in the ASN1 definition is a PDU definition by adding + FOO-MESSAGE under the #.PDU directive in the foo.cnf file +2. Add a call to dissect_FOO_MESSAGE_PDU() function in the dissect_foo() function in the + packet-foo-template.c file. + +To build and test it: +1. in foo directory, run make +2. run make copy_files +3. add packet-foo.c and packet-foo.h to epan/dissectors/Makefile.common +4. run top level make + +CAVEAT: Makefile.nmake was not tested . + +You can take it from here :-) + + --00-- +---- + +.foo.asn +---- +-- FOO PROTOCOL +-- + +FOO-PROTOCOL DEFINITIONS AUTOMATIC TAGS ::= +BEGIN + +-- General definitions + +MessageId ::= INTEGER (0..65535) +FlowId ::= INTEGER (0..65535) + +MessageData ::= SEQUENCE { + name OCTET STRING(SIZE(10)), + value OCTET STRING(SIZE(10)) +} + +FOO-MESSAGE ::= SEQUENCE { + messageId MessageId, + flowId FlowId, + messageData MessageData +} + +END +---- + +.foo.cnf +---- +# foo.cnf +# FOO conformation file + +# $Id$ + +#.MODULE_IMPORT + +#.EXPORTS + +#.PDU +FOO-MESSAGE + +#.NO_EMIT + +#.TYPE_RENAME + +#.FIELD_RENAME + +#.END +---- + +.packet-foo-template.h +[source,c] +---- +/* packet-foo.h + * Routines for foo packet dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_FOO_H +#define PACKET_FOO_H + +#endif /* PACKET_FOO_H */ +---- + +.packet-foo-template.c +[source,c] +---- +/* packet-foo.c + * Routines for FOO packet dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <glib.h> +#include <epan/packet.h> +#include <epan/conversation.h> + +#include <stdio.h> +#include <string.h> + +#include "packet-per.h" +#include "packet-foo.h" + +#define PNAME "FOO Protocol" +#define PSNAME "FOO" +#define PFNAME "foo" +#define FOO_PORT 5001 /* UDP port */ +static dissector_handle_t foo_handle; + +void proto_reg_handoff_foo(void); +void proto_register_foo(void); + +/* Initialize the protocol and registered fields */ +static int proto_foo; +static int global_foo_port = FOO_PORT; + +#include "packet-foo-hf.c" + +/* Initialize the subtree pointers */ +static int ett_foo; + +#include "packet-foo-ett.c" + +#include "packet-foo-fn.c" + +static void +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + proto_item *foo_item = NULL; + proto_tree *foo_tree = NULL; + int offset = 0; + + /* make entry in the Protocol column on summary display */ + if (check_col(pinfo->cinfo, COL_PROTOCOL)) + col_set_str(pinfo->cinfo, COL_PROTOCOL, PNAME); + + /* create the foo protocol tree */ + if (tree) { + foo_item = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + foo_tree = proto_item_add_subtree(foo_item, ett_foo); + + dissect_FOO_MESSAGE_PDU(tvb, pinfo, foo_tree); + } +} +/*--- proto_register_foo -------------------------------------------*/ +void proto_register_foo(void) { + + /* List of fields */ + static hf_register_info hf[] = { + +#include "packet-foo-hfarr.c" + }; + + /* List of subtrees */ + static int *ett[] = { + &ett_foo, +#include "packet-foo-ettarr.c" + }; + + /* Register protocol */ + proto_foo = proto_register_protocol(PNAME, PSNAME, PFNAME); + /* Register fields and subtrees */ + proto_register_field_array(proto_foo, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + + +} + +/*--- proto_reg_handoff_foo ---------------------------------------*/ +void +proto_reg_handoff_foo(void) +{ + static bool inited = false; + + if( !inited ) { + + foo_handle = create_dissector_handle(dissect_foo, + proto_foo); + dissector_add("udp.port", global_foo_port, foo_handle); + + inited = true; + } + +} +---- + +.CMakeLists.txt +---- +set( PROTOCOL_NAME foo ) + +set( PROTO_OPT ) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + Foo.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS ) + +ASN2WRS() +---- + +[#ConformanceFiles] +=== Conformance (.cnf) Files + +The .cnf file tells the compiler what to do with certain things, such as skipping auto generation for some ASN.1 entries. +They can contain the following directives: + +#.OPT:: +Compiler options. + +#.MODULE and <<ASN1CnfDirectiveMODULE_IMPORT,++#++.MODULE_IMPORT>>:: +Assign Wireshark protocol name to ASN.1 module name. + +<<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>>:: +Include another conformance file. + +<<ASN1CnfDirectiveEXPORTS,++#++.EXPORTS>>:: +Export type or information object class. + +<<ASN1CnfDirectivePDUAndPDU_NEW,++#++.PDU>>, <<ASN1CnfDirectivePDUAndPDU_NEW,++#++.PDU_NEW>>, <<ASN1CnfDirectiveREGISTERAndREGISTER_NEW,++#++.REGISTER>>, <<ASN1CnfDirectiveREGISTERAndREGISTER_NEW,++#++.REGISTER_NEW>>, and #.SYNTAX:: +Create PDU functions and register them optionally to dissector table. + + +#.CLASS:: +Declare or define information object class. + +#.ASSIGNED_OBJECT_IDENTIFIER:: +Declare assigned object identifier. + +#.TABLE_HDR, #.TABLE_BODY, and #.TABLE_FTR:: +User tables. + +#.OMIT_ASSIGNMENT, #.NO_OMIT_ASSGN, #.OMIT_ALL_ASSIGNMENTS, #.OMIT_ASSIGNMENTS_EXCEPT, #.OMIT_ALL_TYPE_ASSIGNMENTS, #.OMIT_TYPE_ASSIGNMENTS_EXCEPT, #.OMIT_ALL_VALUE_ASSIGNMENTS, and #.OMIT_VALUE_ASSIGNMENTS_EXCEPT:: +Ignore assignments from ASN.1 source. + +<<ASN1CnfDirectiveNO_EMITAndUSER_DEFINED,++#++.NO_EMIT>> and <<ASN1CnfDirectiveNO_EMITAndUSER_DEFINED,++#++.USER_DEFINED>>:: +See linked text for info. + +#.VIRTUAL_ASSGN, #.SET_TYPE, #.MAKE_ENUM, #.MAKE_DEFINES, and #.ASSIGN_VALUE_TO_TYPE:: +Unknown. + +#.TYPE_RENAME, #.FIELD_RENAME, and #.TF_RENAME:: +Type/field renaming + +#.IMPORT_TAG, #.TYPE_ATTR, #.FIELD_ATTR:: +Type attributes + + +#.FN_HDR, <<ASN1CnfDirectiveFN_BODY,++#++.FN_BODY>>, #.FN_FTR, and #.FN_PARS:: +Type function modification + +<<ASN1CnfDirectiveEND,++#++.END>>:: +End of directive + +#.END_OF_CNF:: +End of conformance file + +[#ExampleCnfFile] +==== Example .cnf File + +---- +#.MODULE IMPORT +InformationFramework x509if + +#.INCLUDE ../x509if/x509if_exp.cnf + +#.EXPORTS + +ObjectName + +#.PDU +ObjectName + +#.REGISTER +Certificate B "2.5.4.36" "id-at-userCertificate" + +#.SYNTAX +ObjectName [FriendlyName] + +#.NO_EMIT ONLY_VALS +# this can be used with: [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +# using NO_EMIT NO_VALS means it won't generate value_string array for it +Type1 + +#.USER DEFINED +Type1 [WITH_VALS|WITHOUT_VALS|ONLY_VALS] + +#.TYPE_RENAME + +#.FIELD_RENAME + +#.TYPE_ATTR Ss-Code TYPE = FT_UINT16 DISPLAY = BASE_HEX STRINGS = VALS(ssCode_vals) + +# This entry will change the hf definition from the auto-generated one for Ss-Code ::= OCTET STRING(SIZE(1)) + + { &hf_gsm_map_ss_Code, + { "ss-Code", "gsm_map.ss_Code", + FT_BYTES, BASE_HEX, NULL, 0, "", HFILL }}, + +# to: + + { &hf_gsm_map_ss_Code, + { "ss-Code", "gsm_map.ss_Code", + FT_UINT16, BASE_HEX, VALS(ssCode_vals), 0, "", HFILL }}, +---- + +In the proto_abbr-template.c file the corresponding value string must be +inserted. As an example the following would be included in +proto_abbr-template.c to define ssCode_vals: + +---- +static const value_string ssCode_vals[] = { + { 0, "ssCodeString 1" }, /* The string for value 0 */ + { 1, "String 2" }, /* String for value 1 */ + { 5, "String for value 5" }, /* Value String 5 */ + { 0, NULL } /* Null terminated array */ +} +---- + +Note that the NULL value must be the final entry and that the index values need not be consecutive. + +Foo is expressed in different ways depending on where you want to insert your code and the ASN.1 code in question. + +* Foo +* Foo/foo +* Foo/_item/foo + +For Tagged type use: + +---- +Foo/_untag + +#.FN_HDR Foo +/* This is code to be inserted into the dissector for Foo BEFORE the BER/PER helper is called. */ +tvbuff_t *out_tvb; +fragment_data *fd_head; +tvbuff_t *next_tvb = NULL; + +#.FN_BODY Foo +/* This here is code to replace the actual call to the helper completely. */ +offset = dissect_ber_octet_string(implicit_tag, pinfo, tree, tvb, offset, hf_index, &out_tvb); + +/* Putting %(DEFAULT_BODY)s inside #.FN_BODY will insert the original code there. */ + +#.FN_FTR Foo +/* This is code to be inserted into the dissector for Foo AFTER the ber/per helper has returned called. */ +if (foo_reassemble) { +... +} + +#.FN_PARS + +#.END +---- + +[#ExamplePacketProtocolTemplateHFile] +==== Example packet-protocol-template.h File + +Example template.h file. +Replace all PROTOCOL/protocol references with the name of your protocol. + +[source,c] +---- +/* packet-protocol.h + * Routines for Protocol packet dissection + * + * $Id$ + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_PROTOCOL_H +#define PACKET_PROTOCOL_H + +#include "packet-protocol-exp.h" + +#endif /* PACKET_PROTOCOL_H */ +---- + +[#ExamplePacketProtocolTemplateCFile] +==== Example packet-protocol-template.c File + +Example template.c file. +Replace all PROTOCOL/protocol references with the name of your protocol. + +[source,c] +---- +/* packet-protocol.c + * Routines for PROTOCOL packet dissection + * + * $Id$ + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <glib.h> +#include <epan/packet.h> +#include <epan/conversation.h> + +#include <stdio.h> +#include <string.h> + +#include "packet-ber.h" +#include "packet-protocol.h" + +#define PNAME "This Is The Protocol Name" +#define PSNAME "PROTOCOL" +#define PFNAME "protocol" + +/* Initialize the protocol and registered fields */ +int proto_protocol; +#include "packet-protocol-hf.c" + +/* Initialize the subtree pointers */ +#include "packet-protocol-ett.c" + +#include "packet-protocol-fn.c" + +/*--- proto_register_protocol ----------------------------------------------*/ +void proto_register_protocol(void) { + + /* List of fields */ + static hf_register_info hf[] = { +#include "packet-protocol-hfarr.c" + }; + + /* List of subtrees */ + static int *ett[] = { +#include "packet-protocol-ettarr.c" + }; + + /* Register protocol */ + proto_protocol = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_protocol, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + +} + +/*--- proto_reg_handoff_protocol -------------------------------------------*/ +void proto_reg_handoff_protocol(void) { +#include "packet-protocol-dis-tab.c" +} +---- + +[#ASN1ConformanceFileDirectiveReference] +=== Conformance File Directive Reference + +The following directives can be used in conformance (.cnf) files: + +[#ASN1CnfDirectiveEND] +==== #.END + +Some of the other directives in the Asn2wrs conformance file consists of multiple lines. +The #.END directive is used to terminate such a directive. +All other “#.” directives (except #.INCLUDE) automatically act as an implicit #.END directive which is why you will not see many #.END directives in the conformance files for the dissectors shipped with Wireshark. + +[#ASN1CnfDirectiveEXPORTS] +==== #.EXPORTS + +This directive in the Asn2wrs conformation file is used to export functions for type decoding from the dissector. + +[#ASN1CnfDirectiveEXPORTSSyntax] +===== Syntax + +---- +#.EXPORTS + +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] [WS_VAR] [NO_PROT_PREFIX] +... +#.END +---- + +Options: + +* WITH_VALS (default): Exports dissection function and value string table if present. +* WITHOUT_VALS: Exports only the dissection function. +* ONLY_VALS: Exports only the value string table. +* WS_VAR and WS_VAR_IMPORT: Used for value string table so as it can be exported from libwireshark.dll. +* NO_PROT_PREFIX: - value string table name does not have protocol prefix + +[#ASN1CnfDirectiveEXPORTSExample] +===== Example + +---- +#.EXPORTS +NonStandardParameter +RasMessage WITH_VALS WS_VAR +H323-UU-PDU/h323-message-body ONLY_VALS WS_VAR +#.END +---- + +[#ASN1CnfDirectiveFN_BODY] +==== #.FN_BODY + +Sometimes, like when we have ANY types, we might want to replace +whatever function body that Asn2wrs generates with code +of our own. This is what this directive allows us to do. + +[#ASN1CnfDirectiveFN_BODYExample] +===== Example: ANY + +Asn2wrs can handle the type ANY but we have to help it by adding some small changes to the conformance file. +Assuming you have a construct that looks something like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} +---- + +To handle this we need to specify our own function bodies to both the +algorithm and the parameters fields, which we do using the #.FN_BODY +directive. + +This particular example also requires us to keep some state between the +two field dissectors, namely the OBJECT IDENTIFIER from algorithm which +specifies what the content of parameters is. For +this one we need a string where we store the oid from +AlgorithmIdentifier/algorithm so that we can pick it up and act on +later from inside the dissector for AlgorithmIdentifier/parameters. +So we have to add: + +---- +static char algorithm_id[64]; /* 64 chars should be enough? */ +---- + +to the template file as a placeholder to remember which OID we picked +up. Then we add to the conformance file: + +---- +#.FN_BODY AlgorithmIdentifier/algorithmId + offset = dissect_ber_object_identifier(false, pinfo, tree, tvb, offset, + hf_x509af_algorithm_id, algorithm_id); + +#.FN_BODY AlgorithmIdentifier/parameters + offset=call_ber_oid_callback(algorithm_id, tvb, offset, pinfo, tree); +---- + +The dissector body we specified for AlgorithmIdentifier/algorithmId +here stores the retrieved OID inside the variable algorithm_id we +specified. + +When we later come to the dissector for +AlgorithmIdentifier/parameters we pick this OID up from the static +variable and just pass it on to the ber/oid dissector helper. + + + + +This example comes from the X509AF dissector. Please see the code there +for more examples on how to do this. + + + +[#ASN1CnfDirectiveMODULE_IMPORTAndINCLUDE] +==== #.MODULE_IMPORT And #.INCLUDE + +These directive in the Asn2wrs conformation file are used to manage references to external type definitions, i.e. IMPORTS. +The examples below are all from the X.509 Authentication Framework (x509af) dissector source code in Wireshark. + +[#ASN1CnfDirectiveMODULE_IMPORTAndINCLUDEExample] +===== Example ASN + +This is an example from the X509AF dissector which amongst other things +imports definitions from X.509 InformationFramework: + +---- +IMPORTS + Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute + FROM InformationFramework informationFramework +---- + +Which tells the Asn2wrs compiler that the types 'Name', +'ATTRIBUTE', 'AttributeType', 'MATCHING-RULE' and 'Attribute' are +declared inside the external InformationFramework ASN module and +that they are referenced from this module. +In order for Asn2wrs to generate correct code for the +dissection it is necessary to give it some help by telling what kind of +types these are, i.e. are they INTEGERs or SEQUENCEs or something +else. + +In order to be able to access these functions from this module it is +important that these types have been declared as #.EXPORTS in the X509 +InformationFramework dissector so that they are exported and that we +can link to them. + +[#ASN1CnfDirectiveMODULE_IMPORT] +==== #.MODULE_IMPORT + +First we need to tell Asn2wrs which protocol name +Wireshark uses for the functions in this external import, so that +Asn2wrs can generate suitable function call signatures to +these external functions. + +We do this by adding a directive to the conformation file : + +---- +#.MODULE_IMPORT +InformationFramework x509if +---- + +Where InformationFramework is the ASN name for the module used in +the asn IMPORTS declaration and that x509if is the name we use inside +Wireshark for this protocol. + +This tells Asn2wrs that the function name to call to +dissect Name would be dissect_x509if_Name(...). Without this knowledge +Asn2wrs would not know which function name to generate. + + +[#ASN1CnfDirectiveINCLUDE] +==== #.INCLUDE + +Second, in order for Asn2wrs to generate correct code it +also needs to know the BER type and class of these types that are +imported, since that would affect how they are to be encoded on the +wire. + +This information about what kind of BER attributes these imported types +have are done using the #.INCLUDE directive in the conformance file: + +---- +#.INCLUDE ../x509if/x509if_exp.cnf +---- + +See #.EXPORTS for a description and examples of these types of include +files. + +[#ASN1CnfDirectiveNO_EMITAndUSER_DEFINED] +==== #.NO_EMIT And #.USER_DEFINED + +These two directives in the conformance file for Asn2wrs +can be used to suppress generation of dissectors +and/or value_strings and similar for a protocol. This is useful when +there are types in the asn definition that either Asn2wrs +can not handle or if we want to handle the dissection ourself inside the +template file to do additional state keeping or things that +Asn2wrs does not know how to manage. + +These two directives are very similar. The only +difference between is that #.NO_EMIT will suppress emitting the +dissector for that function and also any value_strings while +#.USER_DEFINED will emit declarations instead of definitions. + +I.e. #.USER_DEFINED will emit declarations such +as +`extern const value_string Type_vals[];` +and +`[static] int dissect_Proto_Type(...);` + +Use #.NO_EMIT if you dont need to call this function at all from anywhere (except from the template itself) and use #.USER_DEFINED is better if you implement the function inside the template but still want to allow it to be called from other places. +// (need much better explanation here) + +[#ASN1CnfDirectiveNO_EMITSyntax] +===== Syntax + +---- +#.USER_DEFINED +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +... +#.END +---- + +---- +#.NO_EMIT +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +... +#.END +---- + +Options: + +* WITH_VALS (default): Both dissection function and value string table are user defined and not emitted. +* WITHOUT_VALS: Only dissection function is user defined and not emitted. +* ONLY_VALS: Only value string table is user defined and not emitted. + +[#ASN1CnfDirectivePDUAndPDU_NEW] +==== #.PDU and #.PDU_NEW + +This directive in the Asn2wrs conformation file will +generate a wrapper function around an object dissector. +This is useful if there is an object inside the +ASN.1 definition that we really want to register as a protocol dissector +or if we want it to have a well known signature. + +[#ASN1CnfDirectivePDUFunctionNames] +===== Function Names + +The wrapper functions that are created will all be named and have the +following signature: + +---- +static void dissect_ProtocolName_ObjectName(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); +---- + +Notice that this is exactly the same signature as `dissector_t` which is used by all dissector entry points. + +[#ASN1CnfDirectivePDUUsage] +===== Usage + +To get Asn2wrs to generate such wrapper functions you +just have to list all objects one by one on the lines following the +#.PDU declaration. + +[#ASN1CnfDirectivePDUExample] +===== Example + +---- +#.PDU +SomeObject +---- + +This will result in Asn2wrs creating this wrapper function in the packet-foo.c dissector file: + +[source,c] +---- +static void dissect_SomeObject_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { + dissect_foo_SomeObject(false, ... +} +---- + +This function can then later be called or referenced from the template file or even exported. + +[#ASN1CnfDirectiveREGISTERAndREGISTER_NEW] +==== #.REGISTER and #.REGISTER_NEW + +This directive in the Asn2wrs conformation file can be used to register a dissector for an object to an OID. +This is very useful for X.509 and similar protocols where structures and objects are frequently associated with an OID. +In particular, some of the structures here encode an OID in a field and then the content in a different field later, and how that field is to be dissected depends on the previously seen OID. + +One such example can be seen in the ASN.1 description for X.509/AuthenticationFramework which has a structure defined such as + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm ALGORITHM.&id({SupportedAlgorithms}), + parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL +} +---- + +Which means that the parameters field in this structure, what this field contains and how it is to be dissected depends entirely upon what OID is stored inside algorithm. +A whole bunch of protocols use similar types of constructs. +While dissection of this particular structure itself currently has to be hand implemented inside the template (see x509af for examples of how this very structure is handled there). +The #.REGISTER option in the conformance file will at least make it easy and painless to attach the actual OID to dissector mappings. + +[#ASN1CnfDirectiveREGISTERUsage] +===== Usage + +To get Asn2wrs to generate such automatic registration of +OID to dissector mappings just use the #.REGISTER directive in the +conformation file. + +[#ASN1CnfDirectiveREGISTERExample] +===== Example + +---- +#.REGISTER +Certificate B "2.5.4.36" "id-at-userCertificate" +---- + +Which will generate the extra code to make sure that anytime Wireshark needs to dissect the blob associated to the OID "2.5.4.36" it now knows that that is done by calling the subroutine to dissect a Certificate in the current protocol file. +The "id-at-userCertificate" is just a free form text string to make Wireshark print a nice name together with the OID when it presents it in the decode pane. While this can be just about anything you want I would STRONGLY use the name used to this object/oid in the actual ASN.1 definition file. + +[#ASN1CnfDirectiveREGISTERIncludeFile] +===== Include File + +During the compilation phase Asn2wrs will put all the extra registration code for this in the include file +packet-protocol-dis-tab.c. +Make sure that you include this file from the template file or the registration to an OID will never occur. `#include "packet-protocol-dis-tab.c"` should be included from the proto_reg_handoff_protocol function in the template file. + +[#ASN1CnfDirectiveREGISTERSeeAlso] +===== See Also + +The various dissectors we have for X.509 such as the X.509AF which contains several examples of how to use this option. +That dissector can also serve as an example on how one would handle structures of the type AlgorithmIdentifier above. +Asn2wrs can NOT handle these types of structures so we need to implement them by hand inside the template. diff --git a/doc/wsdg_src/wsdg_build_intro.adoc b/doc/wsdg_src/wsdg_build_intro.adoc new file mode 100644 index 00000000..d4ededb1 --- /dev/null +++ b/doc/wsdg_src/wsdg_build_intro.adoc @@ -0,0 +1,52 @@ +// WSDG Chapter Build Introduction + +[#ChapterBuildIntro] + +== Introduction + +[#ChCodeOverview] + +=== Source overview + +Wireshark consists of the following major parts: + +* Packet dissection - in the _/epan/dissectors_ and +_/plugins/epan/{asterisk}_ directories + +* Capture file I/O - using Wireshark’s own wiretap library + +* Capture - using the libpcap and Npcap libraries, in _dumpcap.c_ and +the _/capture_ directory + +* User interface - using Qt and associated libraries + +* Utilities - miscellaneous helper code + +* Help - using an external web browser and text output + +[#ChCodeStyle] + +=== Coding Style + +The coding style guides for Wireshark can be found in the “Portability” +section of the file _doc/README.developer_. + +[#ChCodeGLib] + +=== The GLib library + +GLib is used as a basic platform abstraction library. It doesn't provide +any direct GUI functionality. + +To quote the GLib Reference Manual: +____ +GLib provides the core application building blocks for libraries and +applications written in C. It provides the core object system used in GNOME, the +main loop implementation, and a large set of utility functions for strings and +common data structures. +____ + +GLib contains lots of useful things for platform independent development. +See https://developer.gnome.org/glib/ and https://docs.gtk.org/glib/ for details about GLib. + +// End of WSDG Chapter Build Introduction diff --git a/doc/wsdg_src/wsdg_capture.adoc b/doc/wsdg_src/wsdg_capture.adoc new file mode 100644 index 00000000..868f2a0f --- /dev/null +++ b/doc/wsdg_src/wsdg_capture.adoc @@ -0,0 +1,505 @@ +// WSDG Chapter Capture + +[#ChapterCapture] + +== Packet Capture + +**** +This chapter needs to be reviewed and extended. +**** + +[#ChCaptureAddLibpcap] + +=== Adding A New Capture Type To Libpcap + +For this discussion, let's assume you're working with libpcap 1.0 or +later. You probably don't want to work with a version older than 1.0, +even if whatever OS you're using happens to include libpcap - older +versions are not as friendly towards adding support for devices other +than standard network interfaces. + +First, read +link:https://www.tcpdump.org/libpcap-module-HOWTO.html[the +libpcap documentation on writing a new libpcap module] + +(It's currently incomplete, but I'll be finishing it up over time. If +you have contributions, feel free to submit pull requests for it.) + +If you had to introduce one or more new `{dlt-glob}` values, you will +also have to add support in Wireshark for those `{dlt-glob}` values to +_wiretap/pcap-common.c_, which might mean adding one or more +_WTAP_ENCAP_ types to _wtap.h_ and to the `encap_table[]` table in +_wiretap/wtap.c_. You'd then have to write a dissector or dissectors for +the link-layer protocols or protocols and have them register themselves +with the `wtap_encap` dissector table, with the appropriate _WTAP_ENCAP_ +values by calling `dissector_add_uint()`. + +[#ChCaptureExtcap] + +=== Adding Capture Interfaces And Log Sources Using Extcap + +The extcap interface is a versatile plugin interface that allows external binaries +to act as capture interfaces directly in Wireshark. It is used in scenarios, where +the source of the capture is not a traditional capture model (live capture from an +interface, from a pipe, from a file, etc). The typical example is connecting esoteric +hardware of some kind to the main Wireshark app. + +Without extcap, a capture can always be achieved by directly writing to a capture file: + +.Bash example for traditional capture with a capture file. +[source,bash] +---- +$ the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap & +$ wireshark dumpfile.pcap +---- + +but the extcap interface allows for such a connection to be easily established and +configured using the Wireshark GUI. + +The extcap subsystem is made of multiple extcap binaries that are automatically +called by the GUI in a row. In the following chapters we will refer to them as +“the extcaps”. + +Extcaps may be any binary or script within the extcap directory. Please note, that +scripts need to be executable without prefacing a script interpreter before the call. + +IMPORTANT: *Windows Users* Because of restrictions directly calling the script may not always work. +In such a case, a batch file may be provided, which then in turn executes the script. +Please refer to <<ChCaptureExtcapWindowsShell>> for more information. + +When Wireshark launches an extcap, it automatically adds its installation path +(normally _C:\Program Files\Wireshark\_) to the DLL search path so that the extcap library dependencies +can be found (it is not designed to be launched by hand). This is done on purpose. There should +only be extcap programs (executables, Python scripts, etc.) in the extcap folder to reduce the startup +time and not have Wireshark trying to execute other file types. + +[#ChCaptureExtcapProcess] + +==== Extcap Command Line Interface + +The actual capture is run after a setup process that can be done manually by the +user or automatically by the GUI. All the steps performed are done for every extcap. + +Let's go through those steps. + +===== Query For Available Interfaces + +In the first step the extcap is queried for its interfaces. + +[source,bash] +---- +$ extcapbin --extcap-interfaces +---- + +This call must print the existing interfaces for this extcap and must return 0. +The output must conform to the grammar specified for extcap, and it is specified +in the doc/extcap.4 generated man page (in the build dir). + +Wireshark 2.9 and later also pass `--extcap-version=x.x`, which provides the calling Wireshark's major and minor version. +This can be used to change behavior depending on the Wireshark version in question. + +.Example call for interface query +[source,bash] +---- +$ extcap_example.py --extcap-interfaces --extcap-version=4.0 +extcap {version=1.0}{help=Some help url} +interface {value=example1}{display=Example interface 1 for extcap} +interface {value=example2}{display=Example interface 2 for extcap} +---- + +The *version* for the extcap sentence (which may exist as many times as is needed, but only +the last one will be used) will be used for displaying the version information of +the extcap interface in the about dialog of Wireshark. + +The value for each interface will be used in subsequent calls as the interface name <iface>. + +Using the help argument, an interface may provide a generic help URL for the extcap +utility. + +===== Ask For DLTs For Each Interface + +Next, the extcap binary is queried for all valid DLTs for all the interfaces returned by step 1. + +[source,bash] +---- +$ extcap_example.py --extcap-dlts --extcap-interface <iface> +---- + +This call must print the valid DLTs for the interface specified. This call is +made for all the interfaces and must return 0. + +.Example for the DLT query +[source,bash] +---- +$ extcap_example.py --extcap-interface IFACE --extcap-dlts +dlt {number=147}{name=USER1}{display=Demo Implementation for Extcap} +---- + +A binary or script which neither provides an interface list or a DLT list will not show up in the extcap interfaces list. + +===== The Extcap Configuration Interface + +The extcap binary is next asked for the configuration of each specific interface + +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> --extcap-config +---- + +Each interface can have custom options that are valid for this interface only. +Those config options are specified on the command line when running the actual +capture. To allow an end-user to specify certain options, such options may be +provided using the extcap config argument. + +To share which options are available for an interface, the extcap responds to the command `--extcap-config`, which shows all the available options (aka additional command line options). + +Those options are used to build a configuration dialog for the interface. + +.Example for interface options +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> --extcap-config +arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{required=true} +arg {number=1}{call=--message}{display=Message}{tooltip=Package message content}{placeholder=Please enter a message here ...}{type=string} +arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag} +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector} +arg {number=4}{call=--server}{display=IP address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b} +value {arg=3}{value=if1}{display=Remote1}{default=true} +value {arg=3}{value=if2}{display=Remote2}{default=false} +---- + +Now the user can click on the options and change them. They are sent to the +extcap when the capture is launched. + +There are several kind of options available: + +[horizontal] +File:: +A path to a file displayed as a text entry and file selector. + +Flag:: +A boolean value displayed as a checkbox. +_boolflag_ for instance expects the option to be present resulting in the corresponding entry set to true or false. + +Selection:: +A set of fixed values displayed as a combobox, radio group, or selection list. +Selections can be presented multiple times in the command line. +Subsequent _value_ items must be provided in the config list. + +Timestamp:: +A time value displayed as a date/time editor. + +Value:: +A text or numeric value displayed as an entry box. +Values are passed as a single value via the command-line call. + +===== The Extcap Capture Process + +Once the interfaces are listed and configuration is customized by the user the capture can be started. + +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> [params] --capture [--extcap-capture-filter <cfilter>] + --fifo FIFO +---- + +To run the capture, the extcap must implement the `--capture`, `--extcap-capture-filter` +and `--fifo` options. + +They are automatically added by Wireshark, which opens the fifo for reading. +All the other options are automatically added to run the capture. +The extcap interface is used like all other interfaces (meaning that capture on multiple interfaces, as well as stopping and restarting the capture is supported). + +[#ChCaptureExtcapWindowsShell] + +====== Execute A Script-based Extcap On Windows + +Although Windows will run batch and PowerShell scripts directly, other scripting languages require extra effort. +In most cases this involves creating a wrapper script which runs the appropriate interpreter. +For example, in order to run a Python-based extcap, you can create _scriptname.bat_ inside your extcap folder with the following content: + +[source,batch] +---- +@echo off +C:\Windows\py.exe C:\Path\to\my\extcap.py %* +---- + +==== Extcap Arguments + +The extcap interface provides the possibility for generating a GUI dialog to +set and adapt settings for the extcap binary. + +All options must provide a number, by which they are identified. +No number may be provided twice. +All options must present the elements _call_ and _display_, with _call_ specifying the argument’s name on the command line and _display_ specifying the name in the GUI. + +Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field. + +These options do have types, for which the following types are being supported: + +[horizontal] +_integer_, _unsigned_, _long_, _double_:: +This provides a field for entering a numeric value of the given data type. +A _default_ value may be provided, as well as a _range_. ++ +[source,python] +---- +arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{default=0} +---- + +_string_:: +This provides a field for entering a text value. ++ +[source,python] +---- +arg {number=1}{call=--server}{display=IP Address}{tooltip=IP Address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b} +---- ++ +`validation` allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b) + +_password_:: +Lets the user provide a masked string to the capture. +Password strings are not saved with other capture settings. ++ +[source,python] +---- +arg {number=0}{call=--password}{display=The user password}{tooltip=The password for the connection}{type=password} +---- + +_boolean_, _boolflag_:: +This provides the possibility to set a true/false value. +_boolflag_ values will only appear in the command line if set to true, otherwise they will not be added to the command-line call for the extcap interface. ++ +[source,python] +---- +arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag} +---- + +_fileselect_:: +Lets the user provide a file path. +If _mustexist=true_ is provided, the GUI shows the user a dialog for selecting a file. +When _mustexist=false_ is used, the GUI shows the user a file dialog for saving a file. ++ +[source,python] +---- +arg {number=3}{call=--logfile}{display=Logfile}{tooltip=A file for log messages}{type=fileselect}{mustexist=false} +---- + +_selector_, __editselector__, _radio_, _multicheck_:: +Option fields where the user may choose from one or more options. +If _parent_ is provided for the value items, the option fields for _multicheck_ and _selector_ are presented in a tree-like structure. +_selector_ and _radio_ values must present a default value, which will be the value provided to the extcap binary for this argument. +_editselector_ option fields let the user select from a list of items or enter a custom value. ++ +[source,python] +---- +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector} +value {arg=3}{value=if1}{display=Remote1}{default=true} +value {arg=3}{value=if2}{display=Remote2}{default=false} +---- + +===== Reload A Selector + +A selector may be reloaded from the configuration dialog of the extcap application within Wireshark. With the reload argument (defaults to false), the entry can be marked as reloadable. + +[source,python] +---- +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}{reload=true}{placeholder=Load interfaces...} +---- + +After this has been defined, the user will get a button displayed in the configuration dialog for this extcap application, with the text "Load interfaces..." in this case, and a generic "Reload" text if no text has been provided. + +The extcap utility is then called again with all filled out arguments and the additional parameter `--extcap-reload-option <option_name>`. It is expected to return a value section for this option, as it would during normal configuration. The provided option list is then presented as the selection, a previous selected option will be reselected if applicable. + +===== Validation Of Arguments + +Arguments may be set with `{required=true}` which enforces a value being provided, before +a capture can be started using the extcap options dialog. This is not being checked, if +the extcap is started via a simple double-click. The necessary fields are marked for the +customer, to ensure a visibility for the end customer of the required argument. + +Additionally text and number arguments may also be checked using a regular expression, +which is provided using the validation attribute (see example above). The syntax for +such a check is the same as for Qt RegExp classes. This feature is only active in the +Qt version of Wireshark. + + +==== Toolbar Controls + +An extcap utility can provide configuration for controls to use in an interface toolbar. +These controls are bidirectional and can be used to control the extcap utility while +capturing. + +This is useful in scenarios where configuration can be done based on findings in the +capture process, setting temporary values or give other inputs without restarting the +current capture. + +.Example of interface definition with toolbar controls +[source,bash] +---- +$ extcap_example.py --extcap-interfaces +extcap {version=1.0}{display=Example extcap interface} +interface {value=example1}{display=Example interface 1 for extcap} +interface {value=example2}{display=Example interface 2 for extcap} +control {number=0}{type=string}{display=Message}{tooltip=Package message content. Must start with a capital letter.}{validation=[A-Z]+}{required=true} +control {number=1}{type=selector}{display=Time delay}{tooltip=Time delay between packages} +control {number=2}{type=boolean}{display=Verify}{default=true}{tooltip=Verify package content} +control {number=3}{type=button}{display=Turn on}{tooltip=Turn on or off} +control {number=4}{type=button}{role=logger}{display=Log}{tooltip=Show capture log} +value {control=1}{value=1}{display=1 sec} +value {control=1}{value=2}{display=2 sec}{default=true} +---- + +All controls will be presented as GUI elements in a toolbar specific to the extcap +utility. The extcap must not rely on using those controls (they are optional) because +of other capturing tools not using GUI (e.g. tshark, tfshark). + + +===== Controls + +The controls are similar to the _arguments_, but without the _call_ element. +All controls may be given a default value at startup and most can be changed during capture, both by the extcap and the user (depending on the type of control). + +All controls must provide a _number_, by which they are identified. +No _number_ may be provided twice. +All options must present the elements _type_ and _display_, where _type_ provides the type of control to add to the toolbar and _display_ providing the name in the GUI. + +Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field. + +All controls, except from the logger, help and restore buttons, may be disabled +(and enabled) in GUI by the extcap during capture. This can be because of set-once +operations, or operations which takes some time to complete. + +All control values which are changed by the user (not equal to the default value) will +be sent to the extcap utility when starting a capture. The extcap utility may choose +to discard initial values and set new values, depending on implementation. + +These __type__s are defined as controls: + +[horizontal] +_boolean_:: +This provides a checkbox which lets the user set a true/false value. ++ +The extcap utility can set a default value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is one byte with binary value 0 or 1. ++ +Valid Commands: Set value, Enable, Disable. + +_button_:: This provides a button with different __role__s: + +_control_:::: +This button will send a signal when pressed. This is the default if no role is configured. +The button is only enabled when capturing. ++ +The extcap utility can set the button text at startup, and can change (set) the button text and receive button press signals while capturing. The button is disabled and the button text is restored to the default text when not capturing. ++ +The payload is either the button text or empty (signal). ++ +Valid Commands: Set value, Enable, Disable. + +_logger_:::: +This provides a logger mechanism where the extcap utility can send log entries to be presented in a log window. +This communication is unidirectional. ++ +The payload is the log entry, and should be ended with a newline. Maximum length is 65535 bytes. ++ +Valid Commands: Set log entry, Add log entry. ++ +The Set command will clear the log before adding the entry. + +_help_:::: +This button opens the help page, if configured. +This role has no controls and will not be used in communication. ++ +Valid Commands: None. + +_restore_:::: +This button will restore all control values to default. +This role has no controls and will not be used in communication. The button is only enabled when not capturing. ++ +Valid Commands: None. + +_selector_:: +This provides a combo box with fixed values which can be selected. ++ +The extcap utility can set default values at startup, and add and remove values and receive change in value selection while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is a string with the value, and optionally a string with a display value if this is different from the value. This two string values are separated by a null character. ++ +Valid Commands: Set selected value, Add value, Remove value, Enable, Disable. ++ +If value is empty the Remove command will remove all entries. + +_string_:: +This provides a text edit line with the possibility to set a string or any value which can be represented in a string (integer, float, date, etc.). ++ +The extcap utility can set a default string value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is a string with the value. Maximum length is 32767 bytes. ++ +Valid Commands for control: Set value, Enable, Disable. ++ +The element VALIDATION allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b). + +===== Messages + +In addition to the controls it’s possible to send a single message from the extcap +utility to the user. This message can be put in the status bar or displayed in a +information, warning or error dialog which must be accepted by the user. This message +does not use the NUMBER argument so this can have any value. + +====== Control Protocol + +The protocol used to communicate over the control pipes has a fixed size header of +6 bytes and a payload with 0 - 65535 bytes. + +.Control packet: +[cols="^m", width="50%"] +|=== +|Sync Pipe Indication (1 byte) +|Message Length + + (3 bytes network order) +|Control Number (1 byte) +|Command (1 byte) +|Payload + + (0 - 65535 bytes) +|=== + +.Sync Pipe Indication +The common sync pipe indication. This protocol uses the value “T”. + +.Message Length +Payload length + 2 bytes for control number and command. + +.Control Number +Unique number to identify the control. This number also gives the order of the controls in the interface toolbar. + +.Commands and application for controls +[cols="1,2,3"] +|=== +|Command Byte|Command Name|Control type + +|0 |Initialized |none +|1 |Set |boolean / button / logger / selector / string +|2 |Add |logger / selector +|3 |Remove |selector +|4 |Enable |boolean / button / selector / string +|5 |Disable |boolean / button / selector / string +|6 |Statusbar message |none +|7 |Information message |none +|8 |Warning message |none +|9 |Error message |none +|=== + +The `Initialized` command will be sent from the GUI to the extcap utility when all +user changed control values are sent after starting a capture. This is an indication +that the GUI is ready to receive control values. + +The GUI will only send `Initialized` and `Set` commands. The extcap utility shall not +send the `Initialized` command. + +Messages with unknown control number or command will be silently ignored. + + +// End of WSDG Chapter Capture diff --git a/doc/wsdg_src/wsdg_dissection.adoc b/doc/wsdg_src/wsdg_dissection.adoc new file mode 100644 index 00000000..0717a045 --- /dev/null +++ b/doc/wsdg_src/wsdg_dissection.adoc @@ -0,0 +1,1511 @@ +// WSDG Chapter Dissection + +[#ChapterDissection] + +== Packet Dissection + +[#ChDissectWorks] + +=== How packet dissection works + +Each dissector decodes its part of the protocol and then hands off +decoding to subsequent dissectors for an encapsulated protocol. + +Every dissection starts with the Frame dissector which dissects the +details of the capture file itself (e.g. timestamps). From there it passes the +data on to the lowest-level data dissector, e.g. the Ethernet dissector for +the Ethernet header. The payload is then passed on to the next dissector (e.g. +IP) and so on. At each stage, details of the packet are decoded and +displayed. + +Dissectors can either be built-in to Wireshark or written as a self-registering +plugin (a shared library or DLL). +There is little difference in having your dissector as either a plugin +or built-in. You have limited function access through the ABI exposed +by functions declared as WS_DLL_PUBLIC. + +The big benefit of writing a dissector as a plugin is that rebuilding +a plugin is much faster than rebuilding wireshark after editing a built-in +dissector. +As such, starting with a plugin often makes initial development quicker, while +the finished code may make more sense as a built-in dissector. + +[NOTE] +.Read README.dissector +==== +The file _doc/README.dissector_ contains detailed information about writing +a dissector. In many cases it is more up to date than this document. +==== + +[#ChDissectAdd] + +=== Adding a basic dissector + +Let’s step through adding a basic dissector. We'll start with the made up "foo" +protocol. It consists of the following basic items. + +* A packet type - 8 bits. Possible values: 1 - initialisation, 2 - terminate, 3 - data. + +* A set of flags stored in 8 bits. 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet. + +* A sequence number - 16 bits. + +* An IPv4 address. + +[#ChDissectSetup] + +==== Setting up the dissector + +The first decision you need to make is if this dissector will be a +built-in dissector and included in the main program, or a plugin. + +Plugins are easier to write initially, so let’s start with that. +With a little care, the plugin can be converted into a built-in dissector. + +.Dissector Initialisation. +[source,c] +---- +#include "config.h" +#include <epan/packet.h> + +#define FOO_PORT 1234 + +static int proto_foo; + +void +proto_register_foo(void) +{ + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short name */ + "foo" /* filter_name */ + ); +} +---- + +Let’s go through this a bit at a time. First we have some boilerplate +include files. These will be pretty constant to start with. + +Then a `#define` for the UDP port that carries _foo_ traffic. + +Next we have `proto_foo`, an int that stores our protocol handle and is +initialised to `-1`. +This handle will be set when the dissector is registered within the main program. +It’s good practice to make all variables and functions that aren't exported +static to minimize name space pollution. This normally isn't a problem unless your +dissector gets so big that it spans multiple files. + +Now that we have the basics in place to interact with the main program, we'll +start with two protocol dissector setup functions: `proto_register_XXX` and +`proto_reg_handoff_XXX`. + +Each protocol must have a register function with the form "proto_register_XXX". +This function is used to register the protocol in Wireshark. +The code to call the register routines is generated automatically and is +called when Wireshark starts. In this example, the function is named +`proto_register_foo`. + +`proto_register_foo` calls `proto_register_protocol()`, which takes a `name`, +`short name`, and `filter_name`. The +name and short name are used in the "Preferences" and "Enabled protocols" +dialogs and the documentation's generated field name list. The +`filter_name` is used as the display filter name. `proto_register_protocol()` +returns a protocol handle, which can be used to refer to the protocol and +obtain a handle to the protocol's dissector. + + +Next we need a handoff routine. + +.Dissector Handoff. +[source,c] +---- +void +proto_reg_handoff_foo(void) +{ + static dissector_handle_t foo_handle; + + foo_handle = create_dissector_handle(dissect_foo, proto_foo); + dissector_add_uint("udp.port", FOO_PORT, foo_handle); +} +---- + +A handoff routine associates a protocol handler with the protocol's +traffic. It consists of two major steps: The first step is to create a +dissector handle, which is a handle associated with the protocol and the +function called to do the actual dissecting. +The second step is to register the dissector handle so that traffic +associated with the protocol calls the dissector. + +In this example, `proto_reg_handoff_foo()` calls `create_dissector_handle()` +to obtain a dissector handle for the foo protocol. It then uses +`dissector_add_uint()` to associate traffic on UDP port FOO_PORT (1234) +with the foo protocol, so that Wireshark will call `dissect_foo()` when +it receives UDP traffic on port 1234. + +Wireshark's dissector convention is to put `proto_register_foo()` and +`proto_reg_handoff_foo()` as the last two functions in the dissector source. + +The next step is to write the dissecting function, `dissect_foo()`. +We'll start with a basic placeholder. + +.Dissection. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + return tvb_captured_length(tvb); +} +---- + +`dissect_foo()` is called to dissect the packets presented to it. The packet data +is held in a special buffer referenced here as `tvb`. The packet_info structure +contains general data about the protocol and we can update +information here. The tree parameter is where the detail dissection takes place. +Note that the `\_U_` following `tree` and `data` signals to the compiler that the +parameters are unused, so that the compiler does not print a warning. + +For now we'll do the minimum we can get away with. `col_set_str()` is used to set +Wireshark's Protocol column to "FOO" so everyone can see it’s being +recognised. The +only other thing we do is to clear out any data in the INFO column if it’s being +displayed. + +At this point we have a basic dissector ready to compile and install. +The dissector doesn't do anything other than identify the protocol and label it. +Here is the dissector's complete code: + +.Complete _packet-foo.c_:. +[source,c] +---- +#include "config.h" +#include <epan/packet.h> + +#define FOO_PORT 1234 + +static int proto_foo; + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) +{ + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short_name */ + "foo" /* filter_name */ + ); +} + +void +proto_reg_handoff_foo(void) +{ + static dissector_handle_t foo_handle; + + foo_handle = create_dissector_handle(dissect_foo, proto_foo); + dissector_add_uint("udp.port", FOO_PORT, foo_handle); +} + +---- + +To compile this dissector and create a plugin a few support files +are required, besides the dissector source in _packet-foo.c_: + +* _CMakeLists.txt_ - Contains the CMake file and version info for this plugin. + +* _packet-foo.c_ - Your dissector source. + +* _plugin.rc.in_ - Contains the DLL resource template for Windows. (optional) + +Samples of these files are available in the gryphon plugin directory +(plugins/epan/gryphon). +If you copy the files from the gryphon plugin, _CMakeLists.txt_ will need +to be updated with the correct plugin name, version +info, and the relevant files to compile. + +In the main top-level source directory, copy _CMakeListsCustom.txt.example_ to +_CMakeListsCustom.txt_ and add the path of your plugin to the list in +`CUSTOM_PLUGIN_SRC_DIR`. + +Compile the dissector to a DLL or shared library and either run Wireshark from +the build directory as detailed in <<ChSrcRunFirstTime>> or copy the plugin +binary into the plugin directory of your Wireshark installation and run that. + +[#ChDissectDetails] + +==== Dissecting the protocol's details + +Now that we have our basic dissector up and running, let’s do something with it. +The simplest thing to start with is labeling the payload. We can label the +payload by building a subtree to decode our results into. +This subtree will hold all the protocol's details and +helps keep things looking nice in the detailed display. + +We add the new subtree with `proto_tree_add_item()`, as is depicted below: + +.Plugin Packet Dissection. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + + return tvb_captured_length(tvb); +} +---- + +As the `FOO` protocol does not encapsulate another protocol, we +consume all of the tvb's data, from `0` to the end (`-1`). + +The final parameter specifies the "encoding" and is set to +`ENC_NA` ("not applicable"), as the protocol doesn't specifically +use big endian (`ENC_BIG_ENDIAN`) or little endian (`ENC_LITTLE_ENDIAN`). + +After adding the call to +`proto_tree_add_item()` +, there should be a label `FOO` in the protocol's detailed display. +Selecting this label will highlight the remaining contents of the packet. + +Now let’s go to the next step and add some protocol dissection. To do this +we'll need to construct tables to define which fields will be present in the +packet and to store the opened/closed state of the subtree. We'll +add these statically allocated arrays to the beginning of the file +and name them +`hf_register_info` ('hf' is short for 'header field') and `ett`. +The arrays wil then registered after the call to +`proto_register_protocol()` by calling `proto_register_field_array()` +and `proto_register_subtree_array()`: + +.Registering data structures. +[source,c] +---- +static int hf_foo_pdu_type; +static int ett_foo; + +/* ... */ + +void +proto_register_foo(void) +{ + static hf_register_info hf[] = { + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + } + }; + + /* Setup protocol subtree array */ + static int *ett[] = { + &ett_foo + }; + + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short_name */ + "foo" /* filter_name*/ + ); + + proto_register_field_array(proto_foo, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); +} +---- + +As you can see, a field `foo.type` was defined inside the array of +header fields. + +Now we can dissect the `FOO PDU Type` (referenced as `foo.type`) +field in `dissect_foo()` by adding +the FOO Protocol's subtree with `proto_item_add_subtree()` and +then calling `proto_tree_add_item()` to add the field: + +.Dissector starting to dissect the packets. +[source,c] +---- + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN); +---- + +As mentioned earlier, the foo protocol begins with an 8-bit `packet type` +which can have three possible values: 1 - initialisation, 2 - terminate, 3 - data. +Here's how we can add the packet details: + +The `proto_item_add_subtree()` call has added a child node +to the protocol tree which is where we will do our detail dissection. +The expansion of this node is controlled by the `ett_foo` +variable. This remembers if the node should be expanded or not as you move +between packets. All subsequent dissection will be added to this tree, +as you can see from the next call. +A call to `proto_tree_add_item()` in the foo_tree, +this time using the `hf_foo_pdu_type` to control the formatting +of the item. The pdu type is one byte of data, starting at 0. We assume it is +in network order (also called big endian), so that is why we use `ENC_BIG_ENDIAN`. +For a 1-byte quantity, there is no order issue, but it is good practice to +make this the same as any multibyte fields that may be present, and as we will +see in the next section, this particular protocol uses network order. + +If we look in detail at the `hf_foo_pdu_type` declaration in +the static array we can see the details of the definition. + +---- +static hf_register_info hf[] = { + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + } +}; +---- + +* _hf_foo_pdu_type_ - The node's index. + +* _FOO PDU Type_ - The item's label. + +* _foo.type_ - The item's abbreviated name, for use in the display filter +(e.g., `foo.type=1`). + +* _FT_UINT8_ - The item's type: An 8bit unsigned integer. +This tallies with our call above where we tell it to only look at one byte. + +* _BASE_DEC_ - For an integer type, this tells it to be printed as a decimal +number. It could be hexadecimal (BASE_HEX) or octal (BASE_OCT) if that made more sense. + +We'll ignore the rest of the structure for now. + +If you install this plugin and try it out, you'll see something that begins to look +useful. + +Now let’s finish off dissecting the simple protocol. We need to add a few +more variables to the hfarray, and a couple more procedure calls. + +.Wrapping up the packet dissection. +[source,c] +---- +... +static int hf_foo_flags; +static int hf_foo_sequenceno; +static int hf_foo_initialip; +... + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + int offset = 0; + + ... + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + ... + + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) { + ... + ... + { &hf_foo_flags, + { "FOO PDU Flags", "foo.flags", + FT_UINT8, BASE_HEX, + NULL, 0x0, + NULL, HFILL } + }, + { &hf_foo_sequenceno, + { "FOO PDU Sequence Number", "foo.seqn", + FT_UINT16, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + }, + { &hf_foo_initialip, + { "FOO PDU Initial IP", "foo.initialip", + FT_IPv4, BASE_NONE, + NULL, 0x0, + NULL, HFILL } + }, + ... + ... +} +... +---- + +This dissects all the bits of this simple hypothetical protocol. We've +introduced a new variable offsetinto the mix to help keep track of where we are +in the packet dissection. With these extra bits in place, the whole protocol is +now dissected. + +==== Improving the dissection information + +We can certainly improve the display of the protocol with a bit of extra data. +The first step is to add some text labels. Let’s start by labeling the packet +types. There is some useful support for this sort of thing by adding a couple of +extra things. First we add a simple table of type to name. + + +.Naming the packet types. +[source,c] +---- +static const value_string packettypenames[] = { + { 1, "Initialise" }, + { 2, "Terminate" }, + { 3, "Data" }, + { 0, NULL } +}; +---- + +This is a handy data structure that can be used to look up a name for a value. +There are routines to directly access this lookup table, but we don't need to +do that, as the support code already has that added in. We just have to give +these details to the appropriate part of the data, using the `VALS` macro. + +.Adding Names to the protocol. +[source,c] +---- + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + VALS(packettypenames), 0x0, + NULL, HFILL } + } +---- + +This helps in deciphering the packets, and we can do a similar thing for the +flags structure. For this we need to add some more data to the table though. + +.Adding Flags to the protocol. +[source,c] +---- +#define FOO_START_FLAG 0x01 +#define FOO_END_FLAG 0x02 +#define FOO_PRIORITY_FLAG 0x04 + +static int hf_foo_startflag; +static int hf_foo_endflag; +static int hf_foo_priorityflag; + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + ... + ... + static int* const bits[] = { + &hf_foo_startflag, + &hf_foo_endflag, + &hf_foo_priorityflag, + NULL + }; + + proto_tree_add_bitmask(foo_tree, tvb, offset, hf_foo_flags, ett_foo, bits, ENC_BIG_ENDIAN); + offset += 1; + ... + ... + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) { + ... + ... + { &hf_foo_startflag, + { "FOO PDU Start Flags", "foo.flags.start", + FT_BOOLEAN, 8, + NULL, FOO_START_FLAG, + NULL, HFILL } + }, + { &hf_foo_endflag, + { "FOO PDU End Flags", "foo.flags.end", + FT_BOOLEAN, 8, + NULL, FOO_END_FLAG, + NULL, HFILL } + }, + { &hf_foo_priorityflag, + { "FOO PDU Priority Flags", "foo.flags.priority", + FT_BOOLEAN, 8, + NULL, FOO_PRIORITY_FLAG, + NULL, HFILL } + }, + ... + ... +} +... +---- + +Some things to note here. For the flags, as each bit is a different flag, we use +the type `FT_BOOLEAN`, as the flag is either on or off. Second, we include the flag +mask in the 7th field of the data, which allows the system to mask the relevant bit. +We've also changed the 5th field to 8, to indicate that we are looking at an 8 bit +quantity when the flags are extracted. Then finally we add the extra constructs +to the dissection routine. + +This is starting to look fairly full featured now, but there are a couple of +other things we can do to make things look even more pretty. At the moment our +dissection shows the packets as "Foo Protocol" which whilst correct is a little +uninformative. We can enhance this by adding a little more detail. First, let’s +get hold of the actual value of the protocol type. We can use the handy function +`tvb_get_uint8()` to do this. With this value in hand, there are a couple of +things we can do. First we can set the INFO column of the non-detailed view to +show what sort of PDU it is - which is extremely helpful when looking at +protocol traces. Second, we can also display this information in the dissection +window. + +.Enhancing the display. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + int offset = 0; + uint8_t packet_type = tvb_get_uint8(tvb, 0); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo,COL_INFO); + col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s", + val_to_str(packet_type, packettypenames, "Unknown (0x%02x)")); + + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_item_append_text(ti, ", Type %s", + val_to_str(packet_type, packettypenames, "Unknown (0x%02x)")); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + + return tvb_captured_length(tvb); +} +---- + +So here, after grabbing the value of the first 8 bits, we use it with one of the +built-in utility routines `val_to_str()`, to lookup the value. If the value +isn't found we provide a fallback which just prints the value in hex. We use +this twice, once in the INFO field of the columns -- if it’s displayed, and +similarly we append this data to the base of our dissecting tree. + +[#ChDissectExpertInfo] + +=== How to add an expert item + +A dissector showing the protocol fields and interpretation of their values is +very informative. It can be even more helpful if the dissector can draw your +attention to fields where something noteworthy can be seen. This can be something +as simple as the start flag of a session, or something more severe as an invalid +value. + +Here we take our dissector for `FOO` and add an expert item for the sequence +number being zero (assuming that's a noteworthy thing for this protocol). + +.Expert item setup. +[source,c] +---- +#include <epan/expert.h> + +static expert_field ei_foo_seqn_zero; + +/* ... */ + +void +proto_register_foo(void) +{ + /* ... */ + expert_module_t* expert_foo; + + /* ... */ + static ei_register_info ei[] = { + { + &ei_foo_seqn_zero, + { "foo.seqn_zero", PI_SEQUENCE, PI_CHAT, + "Sequence number is zero", EXPFILL } + } + }; + + /* ... */ + expert_foo = expert_register_protocol(proto_foo); + expert_register_field_array(expert_foo, ei, array_length(ei)); +} +---- + +Let's go through this step by step. The data structures and functions needed for +expert items are found in epan/expert.h, so we have to include that file. + +Next we have to allocate an `expert_field` structure for every type of expert item +we would like to add to the dissection. This structure is initialised with `EI_INIT`. + +Now we have to register with the protocol we are providing expert info for. Since +we already have a function to register our protocol, we add the expert info +registration there too. This is done by calling `expert_register_protocol()` with +the handle for the protocol we received earlier in this function. + +Next we need to register an array of definitions of expert items that we would +like to add to the dissection. This array, not unlike the array of header fields +before, contains all the data the dissection engine needs to create and handle +the expert items. + +The expert item definition consists of a pointer to the `expert_field` structure +we defined before and a structure with data elements of the expert item itself. + +* _"foo.seqn_zero"_ - The expert items display filter + +* _PI_SEQUENCE_ - The group to which the expert item belongs + +* _PI_CHAT_ - The severity of the expert item + +* _"Sequence number is zero"_ - The text string added to the dissection + +We'll ignore the rest of the structure for now. + +To keep an overview of lots of expert items it helps to categorize them into groups. +Currently there are several types of groups defined, e.g. `checksum`, `sequence`, +`protocol`, etc. All these are defined in the epan/proto.h header file. + +Not every noteworthy field value is of equal severity. The start of a session +is nice to know, while an invalid value may be significant error in the protocol. +To differentiate between these severties the expert item is assigned one of them: +`comment`, `chat`, `note`, `warn` or `error`. Try to choose the lowest one which +is suitable. The topic you're currently working on seems probably more important +than it will look like in a few weeks. + +With the expert item array setup, we add this to the dissection engine with a +call to `expert_register_field_array()`. + +Now that all information of the expert item is defined and registered it's time +to actually add the expert item to the dissection. + +.Expert item use. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + uint32_t sequenceno = 0xFFFF; + + /* ... */ + + ti = proto_tree_add_item_ret_uint(foo_tree, hf_foo_sequenceno, + tvb, offset, 2, ENC_BIG_ENDIAN, &sequenceno); + if (sequenceno == 0) { + expert_add_info(pinfo, ti, &ei_foo_seqn_zero); + } + + /* ... */ +} +---- + +There's been a slight alteration to the function used to add the sequence number +dissection. First the proto_item created by the function is saved in previously +defined variable `ti`, and the actual value of the field is stored in the variable +`sequenceno`. We can now use the value of this field to determine wether to add +the expert item. + +Adding the expert item is simply done by calling `expert_add_info()` with reference +to the `packet_info` structure, the proto item `ti` to add the expert item to and +the previously defined and registered expert item information. + +[#ChDissectTransformed] + +=== How to handle transformed data + +Some protocols do clever things with data. They might possibly +encrypt the data, or compress data, or part of it. If you know +how these steps are taken it is possible to reverse them within the +dissector. + +As encryption can be tricky, let’s consider the case of compression. +These techniques can also work for other transformations of data, +where some step is required before the data can be examined. + +What basically needs to happen here, is to identify the data that needs +conversion, take that data and transform it into a new stream, and then call a +dissector on it. Often this needs to be done "on-the-fly" based on clues in the +packet. Sometimes this needs to be used in conjunction with other techniques, +such as packet reassembly. The following shows a technique to achieve this +effect. + +.Decompressing data packets for dissection. +[source,c] +---- + uint8_t flags = tvb_get_uint8(tvb, offset); + offset ++; + if (flags & FLAG_COMPRESSED) { /* the remainder of the packet is compressed */ + uint16_t orig_size = tvb_get_ntohs(tvb, offset); + unsigned char *decompressed_buffer = (unsigned char*)wmem_alloc(pinfo->pool, orig_size); + offset += 2; + decompress_packet(tvb_get_ptr(tvb, offset, -1), + tvb_captured_length_remaining(tvb, offset), + decompressed_buffer, orig_size); + /* Now re-setup the tvb buffer to have the new data */ + next_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, orig_size, orig_size); + add_new_data_source(pinfo, next_tvb, "Decompressed Data"); + } else { + next_tvb = tvb_new_subset_remaining(tvb, offset); + } + offset = 0; + /* process next_tvb from here on */ +---- + +The first steps here are to recognise the compression. In this case a flag byte +alerts us to the fact the remainder of the packet is compressed. Next we +retrieve the original size of the packet, which in this case is conveniently +within the protocol. If it’s not, it may be part of the compression routine to +work it out for you, in which case the logic would be different. + +So armed with the size, a buffer is allocated to receive the uncompressed data +using `wmem_alloc()` in pinfo->pool memory, and the packet is decompressed into +it. The `tvb_get_ptr()` function is useful to get a pointer to the raw data of +the packet from the offset onwards. In this case the decompression routine also +needs to know the length, which is given by the +`tvb_captured_length_remaining()` function. + +Next we build a new tvb buffer from this data, using the +`tvb_new_child_real_data()` call. This data is a child of our original data, so +calling this function also acknowledges that. No need to call +`tvb_set_free_cb()` as the pinfo->pool was used (the memory block will be +automatically freed when the pinfo pool lifetime expires). Finally we add this +tvb as a new data source, so that the detailed display can show the +decompressed bytes as well as the original. + +After this has been set up the remainder of the dissector can dissect the buffer +next_tvb, as it’s a new buffer the offset needs to be 0 as we start again from +the beginning of this buffer. To make the rest of the dissector work regardless +of whether compression was involved or not, in the case that compression was not +signaled, we use `tvb_new_subset_remaining()` to deliver us a new buffer based +on the old one but starting at the current offset, and extending to the end. +This makes dissecting the packet from this point on exactly the same regardless +of compression. + +[#ChDissectReassemble] + +=== How to reassemble split packets + +Some protocols have times when they have to split a large packet across +multiple other packets. In this case the dissection can't be carried out correctly +until you have all the data. The first packet doesn't have enough data, +and the subsequent packets don't have the expect format. +To dissect these packets you need to wait until all the parts have +arrived and then start the dissection. + +The following sections will guide you through two common cases. For a +description of all possible functions, structures and parameters, see +_epan/reassemble.h_. + +[#ChDissectReassembleUdp] + +==== How to reassemble split UDP packets + +As an example, let’s examine a protocol that is layered on top of UDP that +splits up its own data stream. If a packet is bigger than some given size, it +will be split into chunks, and somehow signaled within its protocol. + +To deal with such streams, we need several things to trigger from. We need to +know that this packet is part of a multi-packet sequence. We need to know how +many packets are in the sequence. We also need to know when we have all the +packets. + +For this example we'll assume there is a simple in-protocol signaling mechanism +to give details. A flag byte that signals the presence of a multi-packet +sequence and also the last packet, followed by an ID of the sequence and a +packet sequence number. + +---- +msg_pkt ::= SEQUENCE { + ..... + flags ::= SEQUENCE { + fragment BOOLEAN, + last_fragment BOOLEAN, + ..... + } + msg_id INTEGER(0..65535), + frag_id INTEGER(0..65535), + ..... +} +---- + +.Reassembling fragments - Part 1 +[source,c] +---- +#include <epan/reassemble.h> + ... +save_fragmented = pinfo->fragmented; +flags = tvb_get_uint8(tvb, offset); offset++; +if (flags & FL_FRAGMENT) { /* fragmented */ + tvbuff_t* new_tvb = NULL; + fragment_data *frag_msg = NULL; + uint16_t msg_seqid = tvb_get_ntohs(tvb, offset); offset += 2; + uint16_t msg_num = tvb_get_ntohs(tvb, offset); offset += 2; + + pinfo->fragmented = true; + frag_msg = fragment_add_seq_check(msg_reassembly_table, + tvb, offset, pinfo, + msg_seqid, NULL, /* ID for fragments belonging together */ + msg_num, /* fragment sequence number */ + tvb_captured_length_remaining(tvb, offset), /* fragment length - to the end */ + flags & FL_FRAG_LAST); /* More fragments? */ +---- + +We start by saving the fragmented state of this packet, so we can restore it +later. Next comes some protocol specific stuff, to dig the fragment data out of +the stream if it’s present. Having decided it is present, we let the function +`fragment_add_seq_check()` do its work. We need to provide this with a certain +amount of parameters: + +* The `msg_reassembly_table` table is for bookkeeping and is described later. + +* The tvb buffer we are dissecting. + +* The offset where the partial packet starts. + +* The provided packet info. + +* The sequence number of the fragment stream. There may be several streams of + fragments in flight, and this is used to key the relevant one to be used for + reassembly. + +* Optional additional data for identifying the fragment. Can be set to `NULL` + (as is done in the example) for most dissectors. + +* msg_num is the packet number within the sequence. + +* The length here is specified as the rest of the tvb as we want the rest of the packet data. + +* Finally a parameter that signals if this is the last fragment or not. This + might be a flag as in this case, or there may be a counter in the protocol. + +.Reassembling fragments part 2 +[source,c] +---- + new_tvb = process_reassembled_data(tvb, offset, pinfo, + "Reassembled Message", frag_msg, &msg_frag_items, + NULL, msg_tree); + + if (frag_msg) { /* Reassembled */ + col_append_str(pinfo->cinfo, COL_INFO, + " (Message Reassembled)"); + } else { /* Not last packet of reassembled Short Message */ + col_append_fstr(pinfo->cinfo, COL_INFO, + " (Message fragment %u)", msg_num); + } + + if (new_tvb) { /* take it all */ + next_tvb = new_tvb; + } else { /* make a new subset */ + next_tvb = tvb_new_subset_remaining(tvb, offset); + } +} +else { /* Not fragmented */ + next_tvb = tvb_new_subset_remaining(tvb, offset); +} + +..... +pinfo->fragmented = save_fragmented; +---- + +Having passed the fragment data to the reassembly handler, we can now check if +we have the whole message. If there is enough information, this routine will +return the newly reassembled data buffer. + +After that, we add a couple of informative messages to the display to show that +this is part of a sequence. Then a bit of manipulation of the buffers and the +dissection can proceed. Normally you will probably not bother dissecting further +unless the fragments have been reassembled as there won't be much to find. +Sometimes the first packet in the sequence can be partially decoded though if +you wish. + +Now the mysterious data we passed into the `fragment_add_seq_check()`. + +.Reassembling fragments - Initialisation +[source,c] +---- +static reassembly_table reassembly_table; + +static void +proto_register_msg(void) +{ + reassembly_table_register(&msg_reassemble_table, + &addresses_ports_reassembly_table_functions); +} +---- + +First a `reassembly_table` structure is declared and initialised in the protocol +initialisation routine. The second parameter specifies the functions that should +be used for identifying fragments. We will use +`addresses_ports_reassembly_table_functions` in order to identify fragments by +the given sequence number (`msg_seqid`), the source and destination addresses +and ports from the packet. + +Following that, a `fragment_items` structure is allocated and filled in with a +series of ett items, hf data items, and a string tag. The ett and hf values +should be included in the relevant tables like all the other variables your +protocol may use. The hf variables need to be placed in the structure something +like the following. Of course the names may need to be adjusted. + +.Reassembling fragments - Data +[source,c] +---- +... +static int hf_msg_fragments; +static int hf_msg_fragment; +static int hf_msg_fragment_overlap; +static int hf_msg_fragment_overlap_conflicts; +static int hf_msg_fragment_multiple_tails; +static int hf_msg_fragment_too_long_fragment; +static int hf_msg_fragment_error; +static int hf_msg_fragment_count; +static int hf_msg_reassembled_in; +static int hf_msg_reassembled_length; +... +static int ett_msg_fragment; +static int ett_msg_fragments; +... +static const fragment_items msg_frag_items = { + /* Fragment subtrees */ + &ett_msg_fragment, + &ett_msg_fragments, + /* Fragment fields */ + &hf_msg_fragments, + &hf_msg_fragment, + &hf_msg_fragment_overlap, + &hf_msg_fragment_overlap_conflicts, + &hf_msg_fragment_multiple_tails, + &hf_msg_fragment_too_long_fragment, + &hf_msg_fragment_error, + &hf_msg_fragment_count, + /* Reassembled in field */ + &hf_msg_reassembled_in, + /* Reassembled length field */ + &hf_msg_reassembled_length, + /* Tag */ + "Message fragments" +}; +... +static hf_register_info hf[] = +{ +... +{&hf_msg_fragments, + {"Message fragments", "msg.fragments", + FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment, + {"Message fragment", "msg.fragment", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_overlap, + {"Message fragment overlap", "msg.fragment.overlap", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_overlap_conflicts, + {"Message fragment overlapping with conflicting data", + "msg.fragment.overlap.conflicts", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_multiple_tails, + {"Message has multiple tail fragments", + "msg.fragment.multiple_tails", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_too_long_fragment, + {"Message fragment too long", "msg.fragment.too_long_fragment", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_error, + {"Message defragmentation error", "msg.fragment.error", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_count, + {"Message fragment count", "msg.fragment.count", + FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_reassembled_in, + {"Reassembled in", "msg.reassembled.in", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_reassembled_length, + {"Reassembled length", "msg.reassembled.length", + FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, +... +static int *ett[] = +{ +... +&ett_msg_fragment, +&ett_msg_fragments +... +---- + +These hf variables are used internally within the reassembly routines to make +useful links, and to add data to the dissection. It produces links from one +packet to another, such as a partial packet having a link to the fully +reassembled packet. Likewise there are back pointers to the individual packets +from the reassembled one. The other variables are used for flagging up errors. + +[#TcpDissectPdus] + +==== How to reassemble split TCP Packets + +A dissector gets a `tvbuff_t` pointer which holds the payload +of a TCP packet. This payload contains the header and data +of your application layer protocol. + +When dissecting an application layer protocol you cannot assume +that each TCP packet contains exactly one application layer message. +One application layer message can be split into several TCP packets. + +You also cannot assume that a TCP packet contains only one application layer message +and that the message header is at the start of your TCP payload. +More than one messages can be transmitted in one TCP packet, +so that a message can start at an arbitrary position. + +This sounds complicated, but there is a simple solution. +`tcp_dissect_pdus()` does all this tcp packet reassembling for you. +This function is implemented in _epan/dissectors/packet-tcp.h_. + +.Reassembling TCP fragments +[source,c] +---- +#include "config.h" + +#include <epan/packet.h> +#include <epan/prefs.h> +#include "packet-tcp.h" + +... + +#define FRAME_HEADER_LEN 8 + +/* This method dissects fully reassembled messages */ +static int +dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) +{ + /* TODO: implement your dissecting code */ + return tvb_captured_length(tvb); +} + +/* determine PDU length of protocol foo */ +static unsigned +get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_) +{ + /* TODO: change this to your needs */ + return (unsigned)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */ +} + +/* The main dissecting routine */ +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + tcp_dissect_pdus(tvb, pinfo, tree, true, FRAME_HEADER_LEN, + get_foo_message_len, dissect_foo_message, data); + return tvb_captured_length(tvb); +} + +... +---- + +As you can see this is really simple. Just call `tcp_dissect_pdus()` in your +main dissection routine and move you message parsing code into another function. +This function gets called whenever a message has been reassembled. + +The parameters tvb, pinfo, tree and data are just handed over to +`tcp_dissect_pdus()`. The 4th parameter is a flag to indicate if the data should +be reassembled or not. This could be set according to a dissector preference as +well. Parameter 5 indicates how much data has at least to be available to be +able to determine the length of the foo message. Parameter 6 is a function +pointer to a method that returns this length. It gets called when at least the +number of bytes given in the previous parameter is available. Parameter 7 is a +function pointer to your real message dissector. Parameter 8 is the data +passed in from parent dissector. + +Protocols which need more data before the message length can be determined can +return zero. Other values smaller than the fixed length will result in an +exception. + +[#ChDissectTap] + +=== How to tap protocols + +Adding a Tap interface to a protocol allows it to do some useful things. +In particular you can produce protocol statistics from the tap interface. + +A tap is basically a way of allowing other items to see what’s happening as +a protocol is dissected. A tap is registered with the main program, and +then called on each dissection. Some arbitrary protocol specific data +is provided with the routine that can be used. + +To create a tap, you first need to register a tap. A tap is registered with an +integer handle, and registered with the routine `register_tap()`. This takes a +string name with which to find it again. + +.Initialising a tap +[source,c] +---- +#include <epan/packet.h> +#include <epan/tap.h> + +static int foo_tap; + +void proto_register_foo(void) +{ + ... + foo_tap = register_tap("foo"); +---- + +Whilst you can program a tap without protocol specific data, it is generally not +very useful. Therefore it’s a good idea to declare a structure that can be +passed through the tap. This needs to be allocated in packet scope as it will be used +after the dissection routine has returned. It’s generally best to pick out some +generic parts of the protocol you are dissecting into the tap data. A packet +type, a priority or a status code maybe. The structure really needs to be +included in a header file so that it can be included by other components that +want to listen in to the tap. + +Once you have these defined, it’s simply a case of populating the protocol +specific structure and then calling `tap_queue_packet`, probably as the last part +of the dissector. + +.Calling a protocol tap +[source,c] +---- +struct FooTap { + int packet_type; + int priority; + ... +}; + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + ... + struct FooTap *fooinfo = wmem_new0(pinfo->pool, struct FooTap); + fooinfo->packet_type = tvb_get_uint8(tvb, 0); + fooinfo->priority = tvb_get_ntohs(tvb, 8); + ... + tap_queue_packet(foo_tap, pinfo, fooinfo); + + return tvb_captured_length(tvb); +} +---- + +[TIP] +==== +Allocate your structure using `wmem_new0()`, so it sets all values of your structure +to zero. This way, if you add members later but forget to initialize them, they will +have a consistent value, making troubleshooting easier. +==== + +This now enables those interested parties to listen in on the details +of this protocol conversation. + +[#ChDissectStats] + +=== How to produce protocol statistics (stats) + +Given that you have a tap interface for the protocol, you can use this +to produce some interesting statistics (well presumably interesting!) from +protocol traces. + +This can be done in a separate plugin, or in the same plugin that is +doing the dissection. The latter scheme is better, as the tap and stats +module typically rely on sharing protocol specific data, which might get out +of step between two different plugins. + +Here is a mechanism to produce statistics from the above TAP interface. + +.Initialising a stats interface +[source,c] +---- +#include <epan/stats_tree.h> + +void proto_reg_handoff_foo(void) { + ... + stats_tree_register("foo", "foo", "Foo" STATS_TREE_MENU_SEPARATOR "Packet Types", 0, + foo_stats_tree_packet, foo_stats_tree_init, NULL); +} +---- + +The interface entry point, `proto_reg_handoff_foo()`, +calls the `stats_tree_register()` function, which takes three +strings, an integer, and three callback functions: + +. This is the tap name that was registered using `register_tap()`. + +. An abbreviation of the stats name. + +. The name of the stats module. `STATS_TREE_MENU_SEPARATOR` can be used to make sub menus. + +. Flags for per-packet callback, taken from `epan/stats_tree.h`. + +. The function that will called to generate the stats. + +. A function that can be called to initialise the stats data. + +. A function that will be called to clean up the stats data. + +In this case we only need the first two functions, as there is nothing specific to clean up. + +[NOTE] +==== +If you are registering statistics from a plugin, then your plugin should have +a plugin interface entry point called `plugin_register_tap_listener()`, +which should call `stats_tree_register_plugin()` instead of `stats_tree_register()`. +==== + +.Initialising a stats session +[source,c] +---- +static const uint8_t* st_str_packets = "Total Packets"; +static const uint8_t* st_str_packet_types = "FOO Packet Types"; +static int st_node_packets = -1; +static int st_node_packet_types = -1; + +static void foo_stats_tree_init(stats_tree* st) +{ + st_node_packets = stats_tree_create_node(st, st_str_packets, 0, STAT_DT_INT, true); + st_node_packet_types = stats_tree_create_pivot(st, st_str_packet_types, st_node_packets); +} +---- + +In this case we create a new tree node, to handle the total packets, +and as a child of that we create a pivot table to handle the stats about +different packet types. + + +.Generating the stats +[source,c] +---- +static tap_packet_status foo_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt, const void* p, tap_flags_t flags) +{ + struct FooTap *pi = (struct FooTap *)p; + tick_stat_node(st, st_str_packets, 0, false); + stats_tree_tick_pivot(st, st_node_packet_types, + val_to_str(pi->packet_type, packettypenames, "Unknown packet type (%d)")); + return TAP_PACKET_REDRAW; +} +---- + +In this case the processing of the stats is quite simple. First we call the +`tick_stat_node` for the `st_str_packets` packet node, to count packets. Then a +call to `stats_tree_tick_pivot()` on the `st_node_packet_types` subtree allows +us to record statistics by packet type. + +[NOTE] +==== +Notice that stats trees and pivots are identified by their name string, +_not_ by the identifier returned by +`stats_tree_create_node()`/`stats_tree_create_pivot()`. +==== + +[#ChDissectConversation] + +=== How to use conversations + +Some info about how to use conversations in a dissector can be found in the file +_doc/README.dissector_, chapter 2.2. + +[#ChDissectIdl2wrs] + +=== __idl2wrs__: Creating dissectors from CORBA IDL files + +Many of Wireshark’s dissectors are automatically generated. This section shows +how to generate one from a CORBA IDL file. + +==== What is it? + +As you have probably guessed from the name, `idl2wrs` takes a user specified IDL +file and attempts to build a dissector that can decode the IDL traffic over +GIOP. The resulting file is “C” code, that should compile okay as a Wireshark +dissector. + +`idl2wrs` parses the data struct given to it by the `omniidl` compiler, +and using the GIOP API available in packet-giop.[ch], generates get_CDR_xxx +calls to decode the CORBA traffic on the wire. + +It consists of 4 main files. + +README.idl2wrs:: +This document + +wireshark_be.py:: +The main compiler backend + +wireshark_gen.py:: +A helper class, that generates the C code. + +idl2wrs:: +A simple shell script wrapper that the end user should use to generate the +dissector from the IDL file(s). + +==== Why do this? + +It is important to understand what CORBA traffic looks like over GIOP/IIOP, and +to help build a tool that can assist in troubleshooting CORBA interworking. This +was especially the case after seeing a lot of discussions about how particular +IDL types are represented inside an octet stream. + +I have also had comments/feedback that this tool would be good for say a CORBA +class when teaching students what CORBA traffic looks like “on the wire”. + +It is also COOL to work on a great Open Source project such as the case with +“Wireshark” ({wireshark-main-url}). + + +==== How to use idl2wrs + +To use the idl2wrs to generate Wireshark dissectors, you need the following: + +* Python must be installed. See link:https://python.org/[] + +* `omniidl` from the omniORB package must be available. See link:http://omniorb.sourceforge.net/[] + +* Of course you need Wireshark installed to compile the code and tweak it if +required. idl2wrs is part of the standard Wireshark distribution + +To use idl2wrs to generate an Wireshark dissector from an idl file use the following procedure: + +* To write the C code to stdout. ++ +-- +---- +$ idl2wrs <your_file.idl> +---- + +e.g.: + +---- +$ idl2wrs echo.idl +---- +-- + +* To write to a file, just redirect the output. ++ +-- +---- +$ idl2wrs echo.idl > packet-test-idl.c +---- + +You may wish to comment out the register_giop_user_module() code and that will +leave you with heuristic dissection. + +If you don't want to use the shell script wrapper, then try steps 3 or 4 instead. +-- + +* To write the C code to stdout. ++ +-- +---- +$ omniidl -p ./ -b wireshark_be <your file.idl> +---- + +e.g.: + +---- +$ omniidl -p ./ -b wireshark_be echo.idl +---- +-- + +* To write to a file, just redirect the output. ++ +-- +---- +$ omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c +---- + +You may wish to comment out the register_giop_user_module() code and that will +leave you with heuristic dissection. +-- + +* Copy the resulting C code to subdirectory epan/dissectors/ inside your +Wireshark source directory. ++ +-- +---- +$ cp packet-test-idl.c /dir/where/wireshark/lives/epan/dissectors/ +---- + +The new dissector has to be added to CMakeLists.txt in the same directory. Look +for the declaration DISSECTOR_SRC and add the new dissector there. For +example, + +---- +DISSECTOR_SRC = \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-2dparityfec.c + ${CMAKE_CURRENT_SOURCE_DIR}/packet-3com-njack.c + ... +---- + +becomes + +---- +DISSECTOR_SRC = \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-test-idl.c \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-2dparityfec.c \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-3com-njack.c \ + ... +---- +-- + +For the next steps, go up to the top of your Wireshark source directory. + +* Create a build dir ++ +-- +---- +$ mkdir build && cd build +---- +-- + +* Run cmake ++ +-- +---- +$ cmake .. +---- +-- + +* Build the code ++ +-- +---- +$ make +---- +-- + +* Good Luck !! + +==== TODO + +* Exception code not generated (yet), but can be added manually. + +* Enums not converted to symbolic values (yet), but can be added manually. + +* Add command line options etc + +* More I am sure :-) + +==== Limitations + +See the TODO list inside _packet-giop.c_ + +==== Notes + +The `-p ./` option passed to omniidl indicates that the wireshark_be.py and +wireshark_gen.py are residing in the current directory. This may need tweaking +if you place these files somewhere else. + +If it complains about being unable to find some modules (e.g. tempfile.py), you +may want to check if PYTHONPATH is set correctly. + + +// End of WSDG Chapter Dissection diff --git a/doc/wsdg_src/wsdg_env_intro.adoc b/doc/wsdg_src/wsdg_env_intro.adoc new file mode 100644 index 00000000..2bf6a922 --- /dev/null +++ b/doc/wsdg_src/wsdg_env_intro.adoc @@ -0,0 +1,525 @@ +// WSDG Chapter Introduction + +[#ChapterIntroduction] + +== Introduction + +[#ChIntroIntro] + +=== Introduction + +This chapter will provide a general overview of Wireshark development. + +[#ChIntroWhatIs] + +=== What Is Wireshark? + +Well, if you want to start Wireshark development, you might already +know what Wireshark is doing. If not, please have a look at the +link:{wireshark-users-guide-url}[Wireshark User’s Guide], +which will provide a lot of general information about it. + +[#ChIntroPlatforms] + +=== Supported Platforms + +Wireshark currently runs on most UNIX-like platforms and various Windows +platforms. It requires Qt, GLib, libpcap and some other libraries in +order to run. + +As Wireshark is developed in a platform independent way and uses libraries (such +as the Qt GUI library) which are available for many different platforms, +it’s thus available on a wide variety of platforms. + +If a binary package is not available for your platform, you should +download the source and try to build it. Please report your experiences +to mailto:{wireshark-dev-list-email}[]. + +Binary packages are available for the following platforms along with many +others: + +==== Unix And Unix-like Platforms + +* Apple macOS + +* FreeBSD + +* HP-UX + +* IBM AIX + +* NetBSD + +* OpenBSD + +* Oracle Solaris + +===== Linux + +* Arch Linux + +* Debian GNU/Linux + +* Ubuntu + +* Fedora + +* Gentoo Linux + +* IBM S/390 Linux (Red Hat) + +* Mandriva Linux + +* PLD Linux + +* Red Hat Linux + +* Slackware Linux + +* Suse Linux + +==== Microsoft Windows + +Wireshark supports Windows natively via the https://en.wikipedia.org/wiki/Windows_API[Windows API]. +Note that in this documentation and elsewhere we tend to use the terms “Win32”, “Win”, and “Windows” interchangeably to refer to the Windows API. +“Win64” refers to the Windows API on 64-bit platforms. +Wireshark runs on and can be compiled on the following Windows versions: + +* Windows 11 / Windows Server 2022 + +* Windows 10 / Windows Server 2016 / Windows Server 2019 + +* Windows 8.1 / Windows Server 2012 R2 + +* Windows 8 / Windows Server 2012 + +Development on Windows 7, Server 2008 R2, Vista, Server 2008, and older versions may be possible but is not supported. + +Some versions of Windows support https://devblogs.microsoft.com/commandline/per-directory-case-sensitivity-and-wsl/[case sensitive directories]. +We don’t officially support building or running Wireshark in this environment, but we will accept patches to fix any issues that might arise. + +[#ChIntroDevelopment] + +=== Development And Maintenance Of Wireshark + +Wireshark was initially developed by Gerald Combs. Ongoing development +and maintenance of Wireshark is handled by the Wireshark core developers, +a loose group of individuals who fix bugs and provide new functionality. + +There have also been a large number of people who have contributed +protocol dissectors and other improvements to Wireshark, and it is +expected that this will continue. You can find a list of the people who +have contributed code to Wireshark by checking the About dialog box of +Wireshark, or have a look at the {wireshark-authors-url} page on the +Wireshark web site. + +The communication between the developers is usually done through the developer +mailing list, which can be joined by anyone interested in the development +activities. At the time this document was written, more than 500 persons were +subscribed to this mailing list! + +It is strongly recommended to join the developer mailing list, if you are going +to do any Wireshark development. See <<ChIntroMailingLists>> about the different +Wireshark mailing lists available. + +==== Programming Languages Used + +Most of Wireshark is implemented in C. +A notable exception is the code in _ui/qt_, which is written in {cpp}. + +The typical task for a new Wireshark developer is to extend an existing dissector, or write a new dissector for a specific network protocol. +Most dissectors are written in C11, so a good knowledge of C will be sufficient for Wireshark development in almost any case. +Dissectors can also be written in Lua, which might be more suitable for your specific needs. +As noted above, if you’re going to modify Wireshark’s user interface you will need a knowledge of {cpp}. + +Modifying the build system and support tooling might requires knowledge of CMake, Python, PowerShell, Bash, or Perl. +Note that these are required to build Wireshark, but not to run it. +If Wireshark is installed from a binary package, none of these helper tools are needed on the target system. + +==== Open Source Software + +Wireshark is an https://opensource.org/[open source] software (OSS) project, and is released under +the link:{gplv2-url}[GNU General Public License] (GPL). +You can freely use Wireshark on any number of computers you like, without +worrying about license keys or fees or such. In addition, all source +code is freely available under the GPL. Because of that, it is very easy +for people to add new protocols to Wireshark, either as plugins, or built +into the source, and they often do! + +You are welcome to modify Wireshark to suit your own needs, and it would be +appreciated if you contribute your improvements back to the Wireshark community. + +You gain three benefits by contributing your improvements back to the +community: + +* Other people who find your contributions useful will appreciate them, and you + will know that you have helped people in the same way that the developers of + Wireshark have helped you and other people. + +* The developers of Wireshark might improve your changes even more, as there’s + always room for improvement. Or they may implement some advanced things on top + of your code, which can be useful for yourself too. + +* The maintainers and developers of Wireshark will maintain your code as well, + fixing it when API changes or other changes are made, and generally keeping it + in tune with what is happening with Wireshark. So if Wireshark is updated + (which is done often), you can get a new Wireshark version from the website + and your changes will already be included without any effort for you. + + +The Wireshark source code and binary packages for some platforms are all +available on the download page of the Wireshark website: +{wireshark-download-url}. + + +[#ChIntroReleases] + +=== Releases And Distributions + +Official Wireshark releases can be found at {wireshark-download-url}. +Minor releases typically happen every six weeks and typically include bug fixes and security updates. +Major releases happen about once a year and include new features and new protocol support. +Official releases include binary packages for Windows and macOS along with source code. + +[#ChIntroReleaseBinary] + +==== Binary Distributions + +The Wireshark development team would like to make it as easy as possible for people to obtain and use Wireshark. +This means that we need to support the software installation systems that different operating systems provide. +We currently offer the following types of precompiled packages as part of each official release: + +* Windows .exe installer. + This is an executable file that installs Wireshark, and optionally Npcap and USBPcap, created using https://nsis.sourceforge.io/Main_Page[NSIS]. + It is the most popular installation method on Windows. + +* Windows https://portableapps.com/[PortableApps] .paf.exe file. + This is a self-contained package that can be run from anywere, either standalone or under the PortableApps.com Platform. + +* Windows .msi installer. + This installs Wireshark using Microsoft’s https://docs.microsoft.com/en-us/windows/win32/msi/installer-database[Installer Database], created using the https://wixtoolset.org/[WiX toolset]. + It does not yet include Npcap or USBPcap and is somewhat https://gitlab.com/wireshark/wireshark/-/issues/8814[experimental]. + +* macOS .dmg. + This is a disk image which includes a drag-installable Wireshark application bundle along with utility packages for installing ChmodBPF and adding Wireshark to your PATH environment variable. + +Most Linux and UNIX distributions have their own packaging systems which usually include Wireshark. +The Wireshark sources include support for creating the following types of packages: + +* Debian .deb files. + Packaging assets can be found in the _debian_ directory in the Wireshark sources. + +* Red Hat .rpm files. + Packaging assets can be found in the _packaging/rpm_ directory in the Wireshark sources. + +You can also create your own binary packages. See <<ChSrcBinary>> for details. + +[#ChIntroReleaseSource] + +==== The Source Code Distribution + +Wireshark is and will always be https://opensource.org/[open source]. +You’re welcome to download a source tarball, build it, and modify it under the terms of the {gplv2-url}[GPLv2]. +However, it’s usually much easier to use a binary package if you want to get up and running quickly in a production environment. + +Source tarballs are commonly used for building the binary packages for UNIX and UNIX-like platforms. +However, if you are going to modify the Wireshark sources, e.g. to contribute changes back or to develop an in-house version of Wireshark we recommend that you use the latest Git sources. +For details about the different ways to get the Wireshark source code see <<ChSrcObtain>>. + +Before building Wireshark from a source distribution, make sure you have all the tools and libraries required to build. +Later chapters describe the required tools and libraries in detail. + +[#ChIntroAutomated] + +=== Automated Builds (GitLab CI) + +The Wireshark development team uses GitLab’s continuous integration (CI) system to automatically build Wireshark for each Git merge request and commit. +Automated builds provide several useful services: + +* Cross-platform testing. + Inbound merge requests and commits can be tested on each of our supported platforms, which ensures that a developer on one platform doesn’t break the build on other platforms. + +* A health indicator for the source code. + The CI badges at {wireshark-gitlab-project-url} can quickly tell you how healthy the latest code is. + Green is good, red is bad. + +* Fast code delivery. + After a change is committed to the repository, an installer is usually available within an hour at https://www.wireshark.org/download/automated/. + This can be quite helpful for resolving issues, e.g. a bug reporter can easily verify a bugfix by installing a recent build. + +* Automated regression tests. + We run a comprehensive test suite as part of each build and continuously run fuzz tests that try to crash the dissection engine. + +==== What Do The Automated Builds Do? + +GitLab’s CI operates by running a series of steps and reporting success or failure. +A typical CI job might do the following: + +. Check out Wireshark from the source repository. + +. Build Wireshark. + +. Create a source tarball, binary package, or installer. + +. Run regression tests. + +GitLab’s CI marks successful jobs with a green checkmark and failed jobs with a red “X”. +Jobs provide a link to the corresponding console logfile which provides additional information. + +Release packages are built on the following platforms: + +* Windows Server 2022 x64, Visual Studio 2022 + +* Windows 11 Arm64, Visual Studio 2022 + +* Ubuntu 22.04 x64, gcc + +* macOS x64, clang + +* macOS Arm64, clang + +Static code analysis and fuzz tests are run on the following platforms: + +* Visual Studio Code Analysis, Visual Studio 2022 + +* Clang Code Analysis, Coverity Scan, and fuzz tests, clang + +[#ChIntroHelp] + +=== Reporting problems and getting help + +If you have problems, or need help with Wireshark, there are several +places that may be of interest to you (well, beside this guide of +course). + +[#ChIntroHomepage] + +==== Website + +You will find lots of useful information on the Wireshark homepage at +{wireshark-main-url}. + +[#ChIntroWiki] + +==== Wiki + +The Wireshark Wiki at {wireshark-wiki-url} provides a wide range +of information related to Wireshark and packet capturing in general. +You will find a lot of information not part of this developer’s guide. For +example, there is an explanation how to capture on a switched network, +an ongoing effort to build a protocol reference and a lot more. + +And best of all, if you would like to contribute your knowledge on a +specific topic (maybe a network protocol you know well), you can edit the +Wiki pages by simply using your webbrowser. + +[#ChIntroFAQ] + + +==== FAQ + +The "Frequently Asked Questions" will list often asked questions and +the corresponding answers. + +Before sending any mail to the mailing lists below, be sure to read the +FAQ, as it will often answer any questions you might have. This will save +yourself and others a lot of time. Keep in mind that a lot of people are +subscribed to the mailing lists. + +You will find the FAQ inside Wireshark by clicking the menu item +Help/Contents and selecting the FAQ page in the upcoming dialog. + +An online version is available at the Wireshark website: +{wireshark-faq-url}. You might prefer this online version as it’s +typically more up to date and the HTML format is easier to use. + +[#ChIntroOtherSources] + +==== Other sources + +If you don't find the information you need inside this book, there are +various other sources of information: + +* The file _doc/README.developer_ and all the other README.xxx files in the + source code. These are various documentation files on different topics + +[NOTE] +.Read the README +==== +_README.developer_ is packed full with all kinds of details relevant +to the developer of Wireshark source code. Its companion file +_README.dissector_ advises you around common +pitfalls, shows you basic layout of dissector code, shows details of the +APIs available to the dissector developer, etc. +==== + +* The Wireshark source code + +* Tool documentation of the various tools used +(e.g. manpages of sed, gcc, etc.) + +* The different mailing lists. See <<ChIntroMailingLists>> + +[#ChIntroQA] + +==== Q&A Site + +The Wireshark Q&A site at {wireshark-qa-url} offers a resource where +questions and answers come together. You have the option to search what +questions were asked before and what answers were given by people who +knew about the issue. Answers are graded, so you can pick out the best +ones easily. If your issue isn't discussed before you can post one +yourself. + +[#ChIntroMailingLists] + +==== Mailing Lists + +There are several mailing lists available on specific Wireshark topics: + +wireshark-announce:: This mailing list will inform you about new program +releases, which usually appear about every 4-8 weeks. + +wireshark-users:: This list is for users of Wireshark. People post +questions about building and using Wireshark, others (hopefully) +provide answers. + +wireshark-dev:: This list is for Wireshark developers. People post questions about +the development of Wireshark, others (hopefully) provide answers. +If you want to start developing a protocol dissector, join this list. + +wireshark-bugs:: This list is for Wireshark developers. Every time a change to the bug +database occurs, a mail to this mailing list is generated. +If you want to be notified about all the changes to the bug +database, join this list. Details about the bug database can be +found in <<ChIntroBugDatabase>>. + +wireshark-commits:: This list is for Wireshark developers. Every time a change to the Git +repository is checked in, a mail to this mailing list is generated. +If you want to be notified about all the changes to the Git +repository, join this list. Details about the Git repository can be +found in <<ChSrcGitRepository>>. + +You can subscribe to each of these lists from the Wireshark web site: +{wireshark-mailing-lists-url}. From there, you can choose which mailing +list you want to subscribe to by clicking on the +Subscribe/Unsubscribe/Options button under the title of the relevant +list. The links to the archives are included on that page as well. + +[TIP] +.The archives are searchable +==== +You can search in the list archives to see if someone previously asked the same +question and maybe already got an answer. That way you don't have to wait until +someone answers your question. +==== + +[#ChIntroBugDatabase] + +==== Bug Database (GitLab Issues) + +The Wireshark community collects bug reports in an issues database at {wireshark-bugs-url}. +This database is filled with manually filed bug reports, usually after some discussion on wireshark-dev, and automatic bug reports from continuous integration jobs. + +[#ChIntroReportProblems] + +==== Reporting Problems + +[NOTE] +.Test with the latest version +==== +Before reporting any problems, please make sure you have installed the +latest version of Wireshark. Reports on older maintenance releases are +usually met with an upgrade request. +==== + +If you report problems, provide as much information as possible. In general, +just think about what you would need to find that problem, if someone else sends +you such a problem report. Also keep in mind that people compile/run Wireshark +on a lot of different platforms. + +When reporting problems with Wireshark, it is helpful if you supply the +following information: + +. The version number of Wireshark and the dependent libraries linked with +it, e.g. Qt, GLib, etc. You can obtain this with the command +`wireshark -v`. + +. Information about the platform you run Wireshark on. + +. A detailed description of your problem. + +. If you get an error/warning message, copy the text of that message (and +also a few lines before and after it, if there are some), so others may +find the build step where things go wrong. +Please don't give something like: "I get a warning when compiling x" +as this won't give any direction to look at. + +[NOTE] +.Don't send large files +==== +Do not send large files (>100KB) to the mailing lists, just place a note +that further data is available on request. Large files will only annoy a +lot of people on the list who are not interested in your specific problem. +If required, you will be asked for further data by the persons who really +can help you. +==== + +[WARNING] +.Don't send confidential information +==== +If you send captured data to the mailing lists, or add it to your bug report, +be sure it doesn't contain any sensitive or confidential information, +such as passwords. Visibility of such files can be limited to certain +groups in the GitLab Issues database by marking the issue confidential. +==== + +==== Reporting Crashes on UNIX-like platforms + +When reporting crashes with Wireshark, it is helpful if you supply the +traceback information (besides the information mentioned in +<<ChIntroReportProblems>>). + +You can obtain this traceback information with the following commands: + +---- +$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt +backtrace +^D +$ +---- + +[NOTE] +.Using GDB +==== +Type the characters in the first line verbatim. Those are +back-tics there. + +`backtrace` is a `gdb` command. You should +enter it verbatim after the first line shown above, but it will not be +echoed. The ^D +(Control-D, that is, press the Control key and the D key +together) will cause `gdb` to exit. This will +leave you with a file called +_bt.txt_ in the current directory. +Include the file with your bug report. + +If you do not have `gdb` available, you +will have to check out your operating system’s debugger. +==== + +You should mail the traceback to mailto:{wireshark-dev-list-email}[] or attach it +to your bug report. + +==== Reporting Crashes on Windows platforms + +You can download Windows debugging symbol files (.pdb) from the following locations: + +* 64-bit Windows: https://www.wireshark.org/download/win64/all-versions/ + +Files are named "Wireshark-pdb-win__bits__-_x_._y_._z_.zip" to match their +corresponding "Wireshark-win__bits__-_x_._y_._z_.exe" installer packages. + +// XXX Show how to use the Visual Studio debugger + +// End of WSDG Chapter Introduction diff --git a/doc/wsdg_src/wsdg_libraries.adoc b/doc/wsdg_src/wsdg_libraries.adoc new file mode 100644 index 00000000..28bc52d5 --- /dev/null +++ b/doc/wsdg_src/wsdg_libraries.adoc @@ -0,0 +1,353 @@ +// WSDG Chapter Libraries + +[#ChapterLibraries] + +== Library Reference + +[#ChLibIntro] + +=== Introduction + +Like most applications, Wireshark depends on libraries provided by your operating system and by third parties, including the C runtime library, GLib, libpcap, and Qt. +While running Wireshark only requires the libraries themselves, building it requires header files, import libraries, and related resources. + +Binary libraries are available in different formats and are specific to the target operating system, platform, and compiler. +They can be compiled by hand, but are most often installed as pre-built packages. + +On most Linux systems, the required binary and development libraries can be installed using your package manager. +We provide setup scripts that will install the required packages for most distributions. +See <<ChSetupUNIXBuildEnvironmentSetup>> for details. + +On macOS, you can install pre-built packages using a third party package manager such as Homebrew or MacPorts. +As with Linux, we provide `tools/macos-setup-brew.sh`, which will install the required Homebrew packages. +We also provide `tools/macos-setup.sh`, which will download, build, and install required packages. +Note that `tools/macos-setup.sh` installs into _/usr/local_ by default; you can change this with the `-p` flag. + +Windows doesn't have a good library package manager at the present time, so we provide our own pre-built libraries. +They can be installed using `tools/win-setup.ps1` and are automatically installed when you run CMake. +With the exception of Qt, all libraries required to build Wireshark on Windows are available for download at +https://dev-libs.wireshark.org/windows/[]. +See <<ChLibsSetup>> for details. + +[#ChLibsSetup] + +=== Windows Automated Library Download + +The required libraries (apart from Qt) are automatically downloaded as part of +the CMake generation step, and subsequently as required when libraries are updated. + +The libraries are downloaded into the directory indicated by the environment +variable WIRESHARK_BASE_DIR, this must be set appropriately for your environment. +The libraries are downloaded and extracted into WIRESHARK_BASE_DIR\wireshark-x64-libs or WIRESHARK_BASE_DIR\wireshark-arm64-libs depending on your target platform. + +You may also set the library directory to a custom value with the environment variable WIRESHARK_LIB_DIR, but you may run into problems if you switch between major versions or target platforms. + +[#ChLibsQt] + +=== Qt + +The Qt library is used to build the UI for Wireshark and is used to provide a platform independent UI. +Wireshark can be built with Qt 5.12 or later, but looks for Qt 6 as the default version. + +To enable builds with Qt 5.x, the command-line option `-DUSE_qt6=OFF` has to be set for cmake. + +For more information on the Qt libraries, see <<ChUIQt>>. + +[#ChLibsUnixQt] + +[discrete] +==== Unix + +Most Linux distributions provide Qt and its development libraries as standard packages. +The required libraries and tools will likely be split across several packages. For example, +building on Ubuntu requires _qt6-tools-dev_, _qt6-tools-dev-tools_, _libqt6svg6-dev_, +_qt6-multimedia-dev_, and possibly others. + +The Qt Project provides an installation tool for macOS, similar to Windows. +It is available at https://www.qt.io/download-open-source/#section-2[]. + +[#ChLibsWindowsQt] + +[discrete] +==== Windows + +Qt 6 must be installed manually from the Qt installers page https://www.qt.io/download-open-source/#section-2[] using the version of Qt appropriate for your compiler. + +The CMake variable CMAKE_PREFIX_PATH (see `https://doc.qt.io/qt-6/cmake-get-started.html`) should be set to your Qt installation directory, e.g. _C:\Qt{backslash}{qt6-lts-version}\msvc2019_64_. +Alternatively you can also use the environment variable WIRESHARK_QT6_PREFIX_PATH. + +[#ChLibsGLib] + +=== GLib And Supporting Libraries + +The GLib library is used as a basic platform abstraction library and can +be used in both CLI and GUI applications. For a detailed description +about GLib see <<ChCodeGLib>>. + +GLib depends on GNU libiconv, GNU gettext, and other libraries. You will +typically not come into contact with these while doing Wireshark +development. Wireshark's build system check for and require both GLib +and its dependencies. + +[#ChLibsUnixGLib] + +[discrete] +==== Unix + +The GLib library is available for most Linux distributions and UNIX +flavors. If it isn't already installed and isn't available as a package +for your platform, you can get it at https://wiki.gnome.org/Projects/GLib[]. + +[#ChLibsWindowsGLib] + +[discrete] +==== Windows + +GLib is part of our vcpkg-export bundles and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsCares] + +=== c-ares + +C-Ares is used for asynchronous DNS resolution and lets us resolve names with a minimal performance impact. + +[#ChLibsUnixCares] + +[discrete] +==== Unix + +If this library isn't already installed or available as a package for your +platform, you can get it at https://c-ares.org/[]. + +[#ChLibsWindowsCares] + +[discrete] +==== Windows + +C-Ares is built using {vcpkg-main-url}[vcpkg] and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsSMI] + +=== SMI (Optional) + +LibSMI is used for MIB and PIB parsing and for OID resolution. + +[#ChLibsUnixSMI] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://www.ibr.cs.tu-bs.de/projects/libsmi/[]. + +[#ChLibsWindowsSMI] + +[discrete] +==== Windows + +Wireshark uses the source libSMI distribution at +https://www.ibr.cs.tu-bs.de/projects/libsmi/[]. +LibSMI is cross-compiled using MinGW32. +It’s stored in the libsmi zip archives at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsZlib] + +=== zlib (Optional) + +[quote, The zlib web site, https://www.zlib.net/] +____ +zlib is designed to be a +https://www.zlib.net/zlib_license.html[free], +general-purpose, legally unencumbered -- that is, not covered by any +patents -- lossless data-compression library for use on virtually any computer +hardware and operating system. +____ + +[#ChLibsUnixZlib] + +[discrete] +==== Unix + +This library is almost certain to be installed on your system. If it isn't or +you don't want to use the default library you can download it from +https://www.zlib.net/[]. + +[#ChLibsWindowsZlib] + +[discrete] +==== Windows + +zlib is part of our vcpkg-export bundles and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsPcap] + +=== libpcap or Npcap (Optional, But Strongly Recommended) + +Libpcap and Npcap provide the packet capture capabilities that are central +to Wireshark’s core functionality. + +[#ChLibsLibpcap] + +[discrete] +==== Unix: libpcap + +If this library isn't already installed or available as a package for your +platform, you can get it at {tcpdump-main-url}. + +[#ChLibsWinpPcap] + +[discrete] +==== Windows: Npcap + +The Windows build environment compiles and links against a libpcap SDK built using {vcpkg-main-url}[vcpkg] and includes the {npcap-main-url}[Npcap packet capture driver] with the .exe installer. +Both are <<ChLibsSetup,automatically downloaded by CMake>>. + +You can download the Npcap Windows packet capture library manually from +{npcap-main-url}. + +[WARNING] +.Npcap has its own license with its own restrictions +==== +Insecure.Com LLC, aka “The Nmap Project” has granted the Wireshark +Foundation the right to include Npcap with the installers that we +distribute from wireshark.org. If you wish to distribute your own +Wireshark installer or any other package that includes Npcap you must +comply with the {npcap-license-url}[Npcap license] and may be required +to purchase a redistribution license. Please see {npcap-main-url} for +more details. +==== + +[#ChLibsGNUTLS] + +=== GnuTLS (Optional) + +The GNU Transport Layer Security Library is used to enable TLS decryption +using an RSA private key. + +[#ChLibsUnixGNUTLS] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://gnutls.org/[]. + +[#ChLibsWindowsGNUTLS] + +[discrete] +==== Windows + +We provide packages cross-compiled using MinGW32 at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsGcrypt] + +=== Gcrypt + +The Gcrypt Library is a low-level cryptographic library that provides +support for many ciphers and message authentication codes, such as DES, 3DES, +AES, Blowfish, SHA-1, SHA-256, and others. + +[#ChLibsUnixGcrypt] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://directory.fsf.org/wiki/Libgcrypt[]. + +[#ChLibsWindowsGcrypt] + +[discrete] +==== Windows + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsKerberos] + +=== Kerberos (Optional) + +The Kerberos library is used to dissect Kerberos, sealed DCERPC and +secure LDAP protocols. + +[#ChLibsUnixKerberos] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://web.mit.edu/Kerberos/dist/[]. + +[#ChLibsWindowsKerberos] + +[discrete] +==== Windows + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsLua] + +=== Lua (Optional) + +The Lua library is used to add scripting support to Wireshark. +Wireshark 4.2.x and earlier support Lua versions 5.1 and 5.2. +Recent versions of Wireshark have added support for Lua 5.3 and 5.4 +as well. + +[#ChLibsUnixLua] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://www.lua.org/download.html[]. + +[#ChLibsWindowsLua] + +[discrete] +==== Windows + +We provide packages for Windows, patched for UTF-8 support, at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsMaxMindDB] + +=== MaxMindDB (Optional) + +MaxMind Inc. publishes a set of IP geolocation databases and related +open source libraries. They can be used to map IP addresses to +geographical locations and other information. + +If libmaxminddb library isn't already installed or available as a +package for your platform, you can get it at +https://github.com/maxmind/libmaxminddb[]. + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsSparkle] + +=== WinSparkle (Optional) + +WinSparkle is an easy-to-use software update library for Windows developers. + +[#ChLibsWinSparkle] + +[discrete] +==== Windows + +We provide copies of the WinSparkle package at +https://dev-libs.wireshark.org/windows/packages/[]. + +// End of WSDG Chapter Libraries diff --git a/doc/wsdg_src/wsdg_lua_support.adoc b/doc/wsdg_src/wsdg_lua_support.adoc new file mode 100644 index 00000000..26c3849d --- /dev/null +++ b/doc/wsdg_src/wsdg_lua_support.adoc @@ -0,0 +1,436 @@ +[#wsluarm] + +// Attributes +:build_dir: .. + +== Lua Support in Wireshark + +[#wsluarm_intro] + +=== Introduction + +Lua is a powerful light-weight programming language designed for extending +applications. Wireshark contains an embedded Lua interpreter which can +be used to write dissectors, taps, and capture file readers and writers. +Wireshark versions 4.2.x and earlier support Lua 5.1 and 5.2, and newer +versions support Lua 5.3 and 5.4. The Lua BitOp library is bundled with +all version of Wireshark; Lua 5.3 and later also have native support for +https://www.lua.org/manual/5.4/manual.html#3.4.2[bitwise operators]. + +If Lua is enabled, Wireshark will first try to load a file named `init.lua` +from the global link:{wireshark-users-guide-url}ChPluginFolders.html[_plugins directory_]. +and then from the user’s +link:{wireshark-users-guide-url}ChAppFilesConfigurationSection.html[_personal plugins directory_]. +Then all files ending with _.lua_ are loaded from the global plugins +directory and its subdirectories. Then all files ending with _.lua_ in the +personal Lua plugins directory and its subdirectories are loaded. The +files are processed in ASCIIbetical order (compared byte-by-byte, as `strcmp`), +descending into each subdirectory depth-first in order. + +Whether or not Lua scripts are enabled can be controlled via the +_$$enable_lua$$_ variable. Lua scripts are enabled by +default. To disable Lua scripts, set the _$$enable_lua$$_ variable to _false_. +Wireshark 2.6 and earlier enabled or disabled Lua scripts using +the variable _$$disable_lua$$_ (deprecated). If both _$$enable_lua$$_ and +_$$disable_lua$$_ are present, _$$disable_lua$$_ is ignored. + +.Example for init.lua +[source,lua] +---- +-- Set enable_lua to false to disable Lua support. +enable_lua = true + +if not enable_lua then + return +end + +-- If false and Wireshark was started as (setuid) root, then the user +-- will not be able to execute custom Lua scripts from the personal +-- configuration directory, the -Xlua_script command line option or +-- the Lua Evaluate menu option in the GUI. +-- Note: Not checked on Windows. running_superuser is always false. +run_user_scripts_when_superuser = true +---- + +The command line option _$$-X lua_script:$$++file.lua++_ can also be used to load +specific Lua scripts. Arguments can be given to a script loaded at the command +line with the option _$$-X lua_scriptN:$$++arg++_, where _N_ is the ordinal +index of the script on the command line. For example, if two scripts were loaded +on the command line with _$$-X lua_script:$$++my.lua++_ and +_$$-X lua_script:$$++other.lua++_ in that order, then _$$-X lua_script1:$$++foo++_ +would pass _foo_ to _my.lua_ and _$$-X lua_script2:$$++bar++_ would pass _bar_ to +_other.lua_. Multiple command line options could be passed to _my.lua_ by +repeating the option _$$-X lua_script1:$$_. Arguments are available in a script in +a global table called _arg_, similar to when +link:https://www.lua.org/manual/5.4/manual.html#7[running Lua standalone]. + +[IMPORTANT] +.Loading order matters +==== +Lua dissectors, unlike <<ChapterDissection,compiled protocol dissectors>>, do +not have separate <<ChDissectSetup,registration and handoff>> stages yet +(see wsbuglink:15907[]). Each Lua dissector's registration and handoff is +completed before moving to the next Lua file in turn. +That means that the order in which Lua files are read is quite important; +in order for a Lua dissector to register in a dissector table set up by another +dissector, the latter dissector must have been already processed. The easiest +way to ensure this is to put Lua dissectors that need to be registered first +in files whose name is earlier in ASCIIbetical order (the name of the script +does not necessarily need to relate to the name of the dissector.) + +The Lua code is executed after all compiled dissectors, both built-in and plugin, +are initialized and before reading any file. +This means that Lua dissectors can add themselves to tables registered by compiled +dissectors, but not vice versa; compiled dissectors cannot add themselves to +dissector tables registered by Lua dissectors. +==== + +Wireshark for Windows uses a modified Lua runtime +(link:https://github.com/Lekensteyn/lua-unicode[lua-unicode]) to +support Unicode (UTF-8) filesystem paths. This brings consistency with other +platforms (for example, Linux and macOS). + +[#wslua_menu_example] + +=== Example: Creating a Menu with Lua + +The code below adds a menu "Lua Dialog Test" under the Tools menu. +When selected, it opens a dialog prompting the user for input +and then opens a text window with the output. + +[source,lua] +---- + +-- Define the menu entry's callback +local function dialog_menu() + local function dialog_func(person,eyes,hair) + local window = TextWindow.new("Person Info"); + local message = string.format("Person %s with %s eyes and %s hair.", person, eyes, hair); + window:set(message); + end + + new_dialog("Dialog Test",dialog_func,"A Person","Eyes","Hair") +end + +-- Create the menu entry +register_menu("Lua Dialog Test",dialog_menu,MENU_TOOLS_UNSORTED) + +-- Notify the user that the menu was created +if gui_enabled() then + local splash = TextWindow.new("Hello!"); + splash:set("Wireshark has been enhanced with a useless feature.\n") + splash:append("Go to 'Tools->Lua Dialog Test' and check it out!") +end + +---- + +[#wslua_dissector_example] + +=== Example: Dissector written in Lua + +[source,lua] +---- +local p_multi = Proto("multi", "MultiProto"); + +local vs_protos = { + [2] = "mtp2", + [3] = "mtp3", + [4] = "alcap", + [5] = "h248", + [6] = "ranap", + [7] = "rnsap", + [8] = "nbap" +} + +local f_proto = ProtoField.uint8("multi.protocol", "Protocol", base.DEC, vs_protos) +local f_dir = ProtoField.uint8("multi.direction", "Direction", base.DEC, { [1] = "incoming", [0] = "outgoing"}) +local f_text = ProtoField.string("multi.text", "Text") + +p_multi.fields = { f_proto, f_dir, f_text } + +local data_dis = Dissector.get("data") + +local protos = { + [2] = Dissector.get("mtp2"), + [3] = Dissector.get("mtp3"), + [4] = Dissector.get("alcap"), + [5] = Dissector.get("h248"), + [6] = Dissector.get("ranap"), + [7] = Dissector.get("rnsap"), + [8] = Dissector.get("nbap"), + [9] = Dissector.get("rrc"), + [10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua + [11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp +} + +function p_multi.dissector(buf, pkt, tree) + + local subtree = tree:add(p_multi, buf(0,2)) + subtree:add(f_proto, buf(0,1)) + subtree:add(f_dir, buf(1,1)) + + local proto_id = buf(0,1):uint() + + local dissector = protos[proto_id] + + if dissector ~= nil then + -- Dissector was found, invoke subdissector with a new Tvb, + -- created from the current buffer (skipping first two bytes). + dissector:call(buf(2):tvb(), pkt, tree) + elseif proto_id < 2 then + subtree:add(f_text, buf(2)) + -- pkt.cols.info:set(buf(2, buf:len() - 3):string()) + else + -- fallback dissector that just shows the raw data. + data_dis:call(buf(2):tvb(), pkt, tree) + end + +end + +local wtap_encap_table = DissectorTable.get("wtap_encap") +local udp_encap_table = DissectorTable.get("udp.port") + +wtap_encap_table:add(wtap.USER15, p_multi) +wtap_encap_table:add(wtap.USER12, p_multi) +udp_encap_table:add(7555, p_multi) +---- + +[#wslua_tap_example] + +=== Example: Listener written in Lua + +[source,lua] +---- +-- This program will register a menu that will open a window with a count of occurrences +-- of every address in the capture + +local function menuable_tap() + -- Declare the window we will use + local tw = TextWindow.new("Address Counter") + + -- This will contain a hash of counters of appearances of a certain address + local ips = {} + + -- this is our tap + local tap = Listener.new(); + + local function remove() + -- this way we remove the listener that otherwise will remain running indefinitely + tap:remove(); + end + + -- we tell the window to call the remove() function when closed + tw:set_atclose(remove) + + -- this function will be called once for each packet + function tap.packet(pinfo,tvb) + local src = ips[tostring(pinfo.src)] or 0 + local dst = ips[tostring(pinfo.dst)] or 0 + + ips[tostring(pinfo.src)] = src + 1 + ips[tostring(pinfo.dst)] = dst + 1 + end + + -- this function will be called once every few seconds to update our window + function tap.draw(t) + tw:clear() + for ip,num in pairs(ips) do + tw:append(ip .. "\t" .. num .. "\n"); + end + end + + -- this function will be called whenever a reset is needed + -- e.g. when reloading the capture file + function tap.reset() + tw:clear() + ips = {} + end + + -- Ensure that all existing packets are processed. + retap_packets() +end + +-- using this function we register our function +-- to be called when the user selects the Tools->Test->Packets menu +register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED) +---- + +[#wslua_require_example] + +=== Example: Lua scripts with shared modules + +Lua plugins that depend on protocols, dissectors, dissector tables, and other +items registered with Wireshark by other Lua scripts can access those through +the Wireshark Lua API. The key is ensuring that the providing script is +read first, as previously mentioned. + +It is also possible to depend on Lua functions defined in other Lua scripts. +The recommended method is to load those scripts as +link:https://www.lua.org/manual/5.4/manual.html#6.3[modules] via +link:https://www.lua.org/manual/5.4/manual.html#pdf-require[require]. +Modules preferably should avoid defining globals, and should return a +table containing functions indexed by name. Globals defined in modules will +leak into the global namespace when `require()` is used, and name collisions +can cause unexpected results. (As an aside, local variables are faster in +Lua because global variables require extra table lookups.) Directories +containing loaded Lua scripts (including those specified on the command line +with _$$-X lua_script:$$++my.lua++_) are automatically added to the `require()` +search path. + +For example, suppose there is a Lua script in the personal plugins directory +named _bar.lua_ as follows: + +[source,lua] +---- +-- bar.lua +-- Converts an integer representing an IPv4 address into its dotted quad +-- string representation. + +-- This is the module object, which will be returned at the end of this file. +local M = { +} + +M.GetIPAddressString = function(ip) + -- Lua BitOp library, included in all versions of Wireshark + --local octet1 = bit.rshift(bit.band(0xFF000000, ip), 24) + --local octet2 = bit.rshift(bit.band(0x00FF0000, ip), 16) + --local octet3 = bit.rshift(bit.band(0x0000FF00, ip), 8) + --local octet4 = bit.band(0x000000FF, ip) + + -- Lua >= 5.3 native bit operators, supported in Wireshark >= 4.4 + local octet1 = ip >> 24 + local octet2 = ip >> 16 & 0xFF + local octet3 = ip >> 8 & 0xFF + local octet4 = ip & 0xFF + + return octet1 .. "." .. octet2 .. "." .. octet3 .. "." .. octet4 +end + +-- Return the table we've created, which will be accessible as the return +-- value of require() or dofile(), and at the global package.loaded["bar"] +return M +---- + +Other Lua plugins that wish to use the module can then `require()` it +(note that the _.lua_ extension is not used in `require()`, unlike the +similar `dofile()`): + +[source,lua] +---- +-- Foo dissector +local p_foo = Proto("foo", "Foo") + +local bar = require("bar") + +local f_ip = ProtoField.ipv4("foo.ip", "IP") +local f_ipint = ProtoField.uint32("foo.ipint", "IP as Uint32") +local f_ipstr = ProtoField.string("foo.ipstr", "IP as String") + +p_foo.fields = { f_ip, f_ipint, f_ipstr } + +function p_foo.dissector(tvbuf, pktinfo, tree) + + -- Set the protocol column to show this name + pktinfo.cols.protocol:set("FooMessage") + + local pktlen = tvbuf:reported_length_remaining() + + local subtree = tree:add(p_foo, tvbuf:range(0,pktlen)) + + local child, ipaddr = subtree:add_packet_field(f_ip, tvbuf(8, 4), ENC_BIG_ENDIAN) + local child, ipint = subtree:add_packet_field(f_ipint, tvbuf(8, 4), ENC_BIG_ENDIAN) + + -- These two are the same string + subtree:add(f_ipstr, tvbuf(8,4), bar.GetIPAddressString(ipint)) + subtree:add(f_ipstr, tvbuf(8,4), tostring(ipaddr)) + + return pktlen +end + +DissectorTable.get("udp.port"):add(2012, p_foo) +---- + +Using `require()` is another way to control the order in which files are loaded. +Lua `require()` ensures that a module is only executed once. Subsequent calls +will return the same table already loaded. + +[IMPORTANT] +.Avoid duplicate registration +==== +In versions of Wireshark before 4.4, the initial loading of Lua plugins in the +plugins directory does not register them in the table of already loaded modules +used by `require()`. This means that Lua script in the plugins directory that +are initially loaded can be executed a second time by `require()`. For scripts +that register dissectors or tables with Wireshark, this will result in errors like +`Proto new: there cannot be two protocols with the same description`. It is +safer to `require()` only Lua scripts that define common functions but do not +call the Wireshark Lua API to register protocols, dissectors, etc. + +In 4.4 and later, scripts in the plugin directories are loaded using the same +internal methods as `require()`, which eliminates duplicate registration errors +from loading of files in the plugin directory and using `require()`. This also +means that the order in which plugins are loaded can be adjusted by using +`require()` in addition to changing file names. However, duplicate registration +errors can still happen with other methods of executing a file that do +not check if it has already been loaded, like `dofile()`. +==== + +Lua scripts loaded on the command line are sandboxed into their own environment +and globals defined in them do not leak in the general global environment. +Modules loaded via `require()` within those scripts can escape that sandboxing, +however. Plugins in the personal (but not global) directory had similar +sandboxing prior to Wireshark 4.4, but now globals defined in plugins in the +personal directory will enter the global namespace for other plugins, as has +always been the case for plugins in the global plugin directory. + +[#wsluarm_modules] + +== Wireshark’s Lua API Reference Manual + +This Part of the User Guide describes the Wireshark specific functions in the embedded Lua. + +Classes group certain functionality, the following notational conventions are +used: + +* _Class.function()_ represents a class method (named _function_) on class + _Class_, taking no arguments. + +* _Class.function(a)_ represents a class method taking one argument. + +* _Class.function(...)_ represents a class method taking a variable number of + arguments. + +* _class:method()_ represents an instance method (named _method_) on an instance + of class _Class_, taking no arguments. Note the lowercase notation in the + documentation to clarify an instance. + +* _class.prop_ represents a property _prop_ on the instance of class _Class_. + +Trying to access a non-existing property, function or method currently gives an +error, but do not rely on it as the behavior may change in the future. + + +include::{build_dir}/wsluarm_src/wslua_utility.adoc[] +include::{build_dir}/wsluarm_src/wslua_gui.adoc[] +include::{build_dir}/wsluarm_src/wslua_proto.adoc[] +include::{build_dir}/wsluarm_src/wslua_field.adoc[] +include::{build_dir}/wsluarm_src/wslua_pinfo.adoc[] +include::{build_dir}/wsluarm_src/wslua_tvb.adoc[] +include::{build_dir}/wsluarm_src/wslua_tree.adoc[] +include::{build_dir}/wsluarm_src/wslua_listener.adoc[] +include::{build_dir}/wsluarm_src/wslua_dumper.adoc[] +include::{build_dir}/wsluarm_src/wslua_wtap.adoc[] +include::{build_dir}/wsluarm_src/wslua_file.adoc[] +include::{build_dir}/wsluarm_src/wslua_dir.adoc[] +include::{build_dir}/wsluarm_src/wslua_int64.adoc[] +include::{build_dir}/wsluarm_src/wslua_struct.adoc[] + +[#lua_module_PCRE2] + +=== PCRE2 Regular Expressions + +Lua has its own native _pattern_ syntax in the string library, but sometimes a +real regex engine is more useful. Wireshark comes with Perl Compatible Regular +Expressions version 2 (PCRE2). This engine is exposed into Wireshark’s Lua engine through the +well-known Lrexlib library. The module is loaded in the global environment using +the "rex_pcre2" table. The manual is available at https://rrthomas.github.io/lrexlib/manual.html. diff --git a/doc/wsdg_src/wsdg_preface.adoc b/doc/wsdg_src/wsdg_preface.adoc new file mode 100644 index 00000000..6b20969c --- /dev/null +++ b/doc/wsdg_src/wsdg_preface.adoc @@ -0,0 +1,84 @@ +[#Preface] +["preface",id="Preface"] +== Preface + +[#PreForeword] + +=== Foreword + +This book tries to give you a guide to start your own experiments into +the wonderful world of Wireshark development. + +Developers who are new to Wireshark often have a hard time getting their development environment up and running. +This is especially true for Windows developers, as a lot of the tools and methods used when building Wireshark are much more common in the UNIX world than on Windows. + +The first part of this book will describe how to set up the environment +needed to develop Wireshark. + +The second part of this book will describe how to change the Wireshark +source code. + +We hope that you find this book useful, and look forward to your comments. + +[#PreAudience] + +=== Who should read this document? + +The intended audience of this book is anyone going into the development of +Wireshark. + +This book is not intended to explain the usage of Wireshark in general. +Please refer the +{wireshark-users-guide-url}[Wireshark User’s Guide] about Wireshark usage. + +By reading this book, you will learn how to develop Wireshark. It will +hopefully guide you around some common problems that frequently appear for +new (and sometimes even advanced) developers of Wireshark. + +[#PreAck] + +=== Acknowledgements + +The authors would like to thank the whole Wireshark team for their +assistance. In particular, the authors would like to thank: + +* Gerald Combs, for initiating the Wireshark project. + +* Guy Harris, for many helpful hints and his effort in maintaining +the various contributions on the mailing lists. + +* Frank Singleton from whose `README.idl2wrs` <<ChDissectIdl2wrs>> is derived. + +The authors would also like to thank the following people for their +helpful feedback on this document: + +* XXX - Please give feedback :-) + +And of course a big thank you to the many, many contributors of the +Wireshark development community! + +[#PreAbout] + +=== About this document + +This book was developed by mailto:{wsdg-author-email}[Ulf Lamping], +updated for VS2013 by mailto:{wsdg-author-email2}[Graham Bloice], +and updated for later versions of Visual Studio by various contributors. + +It is written in AsciiDoc. + +[#PreDownload] + +=== Where to get the latest copy of this document? + +The latest copy of this documentation can always be found at +{wireshark-developers-guide-url}. + +[#PreFeedback] + +=== Providing feedback about this document + +Should you have any feedback about this document, please send it to the +authors through mailto:{wireshark-dev-list-email}[]. + + diff --git a/doc/wsdg_src/wsdg_quick_setup.adoc b/doc/wsdg_src/wsdg_quick_setup.adoc new file mode 100644 index 00000000..7cfc636b --- /dev/null +++ b/doc/wsdg_src/wsdg_quick_setup.adoc @@ -0,0 +1,967 @@ +// WSDG Chapter Setup + +[#ChapterSetup] + +== Setup and Build Instructions + +[#ChSetupUNIX] + +=== UN*X + +[#ChSetupUNIXBuildEnvironmentSetup] + +==== Build environment setup + +The following must be installed in order to build Wireshark: + +* a C compiler and a C++ compiler; +* the Flex lexical analyzer; +* Python 3; +* CMake; +* several required libraries. + +Either make or Ninja can be used to build Wireshark; at least one of +those must be installed. + +To build the manual pages, Developer's Guide and User's Guide, Asciidoctor, Xsltproc, and DocBook must be installed. + +Perl is required to generate some code and run some code analysis checks. + +Some features of Wireshark require additional libraries to be installed. +The processes for doing so on various UN*X families is shown here. + +There are shell scripts in the `tools` directory to install the packages +and libraries required to build Wireshark. Usage is available with the +`--help` option. `root` permission is required to run the scripts. +The available scripts and their options for a given family of UN*Xes are +shown in the section for that family. + +[discrete] +==== Alpine Linux + +The setup script is `tools/alpine-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-all` install everything +* `[other]` other options are passed as-is to apk + +[discrete] +==== Arch Linux and pacman-based systems + +The setup script is `tools/arch-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-test-deps` install packages required to run all tests +* `--install-all` install everything +* `[other]` other options are passed as-is to pacman + +[discrete] +==== BSD systems such as FreeBSD, NetBSD, OpenBSD, and DragonFly BSD + +The setup script is `tools/bsd-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `[other]` other options are passed as-is to pkg manager + +[discrete] +==== Debian, and Linux distributions based on Debian, such as Ubuntu + +The setup script is `tools/debian-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-deb-deps` install packages required to build the .deb file +* `--install-test-deps` install packages required to run all tests +* `--install-qt5-deps` force installation of packages required to use Qt5 +* `--install-qt6-deps` force installation of packages required to use Qt6 +* `--install-all` install everything +* `[other]` other options are passed as-is to apt + +[discrete] +==== RPM-based Linux distributions such as Red Hat, Centos, Fedora, and openSUSE + + +The setup script is `tools/rpm-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-rpm-deps` install packages required to build the .rpm file +* `--install-qt5-deps` force installation of packages required to use Qt5 +* `--install-qt6-deps` force installation of packages required to use Qt6 +* `--install-all` install everything +* `[other]` other options are passed as-is to the packet manager + +[discrete] +==== macOS + +You must first install Xcode. + +After installing Xcode, the setup script `tools/macos-setup.sh` will +install the rest of the tools and libraries required to build Wireshark, +except for Qt 6, as well as the additional tools required to build the +documentation and the libraries required for all Wireshark features. If +you're using Homebrew, the script `tools/macos-setup-brew.sh` will +install the same tools and libraries from Homebrew. + +If you will be building Wireshark with Qt 6, which is the default for +Wireshark 4.0 and later, you will also have to install Qt; the +`tools/macos-setup.sh` script will not install Qt 6. To install +Qt, go to the https://www.qt.io/download-qt-installer-oss[Download Qt +for open source use page], select “macOS” if it's not already selected, +and then select “Qt online installer for macOS“. This will download a +.dmg for the installer; launch the installer. It will require that you +log into your Qt account; if you don't have an account, select “Sign up“ +to create one. The next page will require you to accept the LGPL (Lesser +GNU Public License); do so. Continue to the “Installation Folder“ page +of the installer screen, and select the “Custom installation“ option. +On the “Select Components“ screen of the installer, select, for the +desired Qt version, the “macOS” component. For example, at the time of +this writing the Qt {qt6-lts-version} “macOS” component is used to build +the official packages. The “Qt Debug Information Files” component +contains dSYM files which can be used for debugging. You can deselect +all of the other the components such as “Qt Charts” or “Android xxxx” +as they aren’t required. + +Qt 6 needs the "Qt 5 Compatibility Module" to be installed as well. Additionally, the module +"Qt Multimedia" may be installed, to support advanced controls for playing back streams in the +RTP Player dialog. + +[#ChSetupUNIXBuild] + +==== Building + +Before building: + +On macOS, you will need to set the Qt installation directory in the +environment: + +[subs="attributes+"] +---- +WIRESHARK_QT6_PREFIX_PATH=~/Qt/{qt6-lts-version}/macos +export WIRESHARK_QT6_PREFIX_PATH +---- + +If you want to append a custom string to the package version, run the +command + +[subs="attributes+"] +---- +WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo +export WIRESHARK_VERSION_EXTRA +---- + +The recommended (and fastest) way to build Wireshark is with CMake +and Ninja. Building with make took nearly 2x time as Ninja in one +experiment. + +CMake builds are best done in a separate build directory, such as a +`build` subdirectory of the top-level source directory. + +If that directory is a subdirectory of the top-level source directory, +to generate the build files, change to the build directory and enter the +following command: + +---- +cmake .. +---- + +to use make as the build tool or + +---- +cmake -G Ninja .. +---- + +to use Ninja as the build tool. + +If you created the build directory in the +same directory that contains the top-level Wireshark source directory, +to generate the build files, change to the build directory and enter the +following command: + +---- +cmake ../{source directory} +---- + +to use make as the build tool or + +---- +cmake -G Ninja ../{source directory} +---- + +to use Ninja as the build tool. + +`{source directory}` is the name of the +top-level Wireshark source directory. + +If you need to build with a non-standard configuration, you can run + +[source,sh] +---- +cmake -LH ../{source directory} +---- + +to see what options you have. + +You can then run Ninja or make to build Wireshark. + +---- +ninja +# or +make +---- + +Once you have build Wireshark with `ninja` or `make` above, you should be able to test it +by entering `run/wireshark`. + +==== Optional: Install + +Install Wireshark in its final destination: + +---- +make install +---- + +Once you have installed Wireshark with `make install` above, you should be able +to run it by entering `wireshark`. + +==== Optional: Create User’s and Developer’s Guide + +To build the Wireshark User's Guide and the Wireshark Developer's Guide, +build the `all_guides` target, e.g. `make all_guides` or `ninja +all_guides`. Detailed information to build these guides can be found in +the file _doc/README.documentation.adoc_ in the Wireshark sources. + +==== Optional: Create an installable or source code package + +You can create packages using the following build targets and commands: + +Source code tarball:: + Build the `dist` target. + +deb (Debian) package:: + Create a symlink named _debian_ in the top-level source directory to _packaging/debian_, then run `dpkg-buildpackage`. + +RPM package:: + Build the `wireshark_rpm` target. + +https://appimage.org[AppImage] package:: + Build the `wireshark_appimage` target. + +macOS .dmg package containing an application bundle:: + Build the `wireshark_dmg` or `logray_dmg` targets. + +Installable packages typically require building Wireshark first. + +==== Troubleshooting during the build and install on Unix + +A number of errors can occur during the build and installation process. +Some hints on solving these are provided here. + +If the `cmake` stage fails you will need to find out why. You can check the +file `CMakeOutput.log` and `CMakeError.log` in the build directory to find +out what failed. The last few lines of this file should help in determining the +problem. + +The standard problems are that you do not have a required development package on +your system or that the development package isn’t new enough. Note that +installing a library package isn’t enough. You need to install its development +package as well. + +If you cannot determine what the problems are, send an email to the +_wireshark-dev_ mailing list explaining your problem. Include the output from +`cmake` and anything else you think is relevant such as a trace of the +`make` stage. + + +// Retain ChSetupWin32 for backward compatibility +[#ChSetupWindows] +=== Windows + +A quick setup guide for Windows development with recommended configurations. + +[#ChSetupWindowsMSVC] +==== Using Microsoft Visual Studio[[ChSetupWin32]] + +[WARNING] +==== +Unless you know exactly what you are doing, you +should strictly follow the recommendations below. They are known to work +and if the build breaks, please re-read this guide carefully. + +Known traps are: + +. Not using the correct (x64 or x86) version of the Visual Studio command prompt. + +. Not using a supported version of Windows. Please check + https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet[here] + that your installed version is supported and updated. + +==== + +[#ChSetupChocolatey] + +===== Recommended: Install Chocolatey + +https://chocolatey.org/[Chocolatey] is a native package manager for +Windows. There are https://chocolatey.org/packages[packages] for most of +the software listed below. Along with traditional Windows packages it +supports the Python Package Index. + +Chocolatey tends to install packages into its own path (%ChocolateyInstall%), although packages are free to use their own preferences. +You can install Chocolatey packages using the command `choco install` (or its shorthand, `cinst`), e.g. + +[source,cmd] +---- +rem Flex is required. +choco install -y winflexbison3 +rem Git, CMake, Python, etc are also required, but can be installed +rem via their respective installation packages. +choco install -y git cmake python3 +---- + + +[#ChSetupMSVC] + +===== Install Microsoft Visual Studio + +Download and install https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=17[“Microsoft Visual Studio 2022 Community Edition”]. +If you prefer you can instead download and install https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=16[“Microsoft Visual Studio 2019 Community Edition”]. +The examples below are for Visual Studio 2022 but can be adapted for Visual Studio 2019. +These are small utilities that download all the other required parts (which are quite large). + +Check the checkbox for “Desktop development with {cpp}” and then uncheck +all the optional components other than + +* “MSVC ... VS 2022 {cpp}” item with the “... build tools (Latest)” +* “Windows 11 SDK” +* “{cpp} CMake tools for Windows” +* “MSVC ... Spectre-mitigated libs” (optional) + +(unless you want to use them for purposes other than Wireshark). + +You can alternatively use Chocolatey to install Visual Studio, using the Visual Studio Community and Native Desktop workload packages. +Note that this includes Visual Studio’s CMake component. + +---- +choco install -y visualstudio2022community visualstudio2022-workload-nativedesktop +---- + +// winget has basic VS 2022 and 2019 packages, but no native desktop workload packages. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/m/Microsoft/VisualStudio + +You can use other Microsoft C compiler variants, but VS2022 is used to +build the development releases for Windows and is the preferred option +on Windows. It’s possible to compile Wireshark with a wide range of +Microsoft C compiler variants. For details see <<ChToolsMSChain>>. + +You may have to do this as Administrator. + +It might be possible to build Wireshark using https://clang.llvm.org/docs/MSVCCompatibility.html[clang-cl], but this has not been tested. +Compiling with plain gcc or Clang is not recommended and will certainly not work (at least not without a lot of advanced tweaking). +For further details on this topic, see <<ChToolsGNUChain>>. This may change in future as releases of Visual Studio add more cross-platform support. + +// XXX - mention the compiler and PSDK web installers - +// which significantly reduce download size - and find out the +// required components + +Why is this recommended? +While this is a huge download, the Community Editions of Visual Studio are free (as in beer) and include the Visual Studio integrated debugger. +Visual Studio 2022 is also used to create official Wireshark builds for Windows, so it will likely have fewer development-related problems. + +[#ChSetupQt] + +===== Install Qt + +The main Wireshark application uses the Qt windowing toolkit. To install +Qt, go to the https://www.qt.io/download[“Download Qt” page], select +"Download open source", then "Download Qt Online Installer", and download +"*Qt Online Installer for Windows*". When executing it, sign up or log in, +and use Next button to proceed. When asked, select "*Custom installation*". + +In the "Select Components" page, select your desired Qt version. We recommend +the latest LTS version, and the stable Windows installers currently ship with Qt {qt6-lts-version}. +Select the following components: + +* MSVC 2019 64-bit +* Qt 5 Compatibility Module +* Qt Debug Information Files (contains PDB files which can be used for debugging) +* Under "Additional Libraries" select "Qt Multimedia" to support advanced +controls for playing back streams in the RTP Player dialog +* You can deselect all of the other the components +such as “Qt Charts” or “Android xxxx” as they aren’t required. + +The CMake variable CMAKE_PREFIX_PATH (see `https://doc.qt.io/qt-6/cmake-get-started.html`) should be set as appropriate for your environment and should point to the Qt installation directory, e.g. _C:\Qt{backslash}{qt6-lts-version}\msvc2019_64_ +Alternatively you can also use the environment variable WIRESHARK_QT6_PREFIX_PATH. + +Qt 6 is the default option for building Wireshark, but Wireshark has support for Qt 5.12 and later. To enable Wireshark to build with Qt 5 pass `-DUSE_qt6=OFF` +to cmake. + +[#ChSetupPython] + +===== Install Python + +Get a Python 3 installer from https://python.org/download/[] and install Python. +Its installation location varies depending on the options selected in the installer and on the version of Python that you are installing. +At the time of this writing the latest version of Python is 3.10, and common installation directories are +_C:\Users{backslash}**username**\AppData\Local\Programs\Python\Python310_, _C:\Program Files\Python310_, and _C:\Python310_. + +Alternatively you can install Python using Chocolatey: + +---- +choco install -y python3 +---- + +// Not sure how to document Chocolatey's installation location other than "could be anywhere, LOL" +// https://community.chocolatey.org/packages/python3/#discussion +Chocolatey will likely install Python in one of the locations above, or possibly in _C:\Tools\Python3_. + +// winget has Python 3 packages. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/p/Python/Python/3 + +[#ChSetupGit] + +===== Install Git + +Please note that the following is not required to build Wireshark but can be +quite helpful when working with the sources. + +Working with the Git source repositories is highly recommended, as described in +<<ChSrcObtain>>. It is much easier to update a personal source tree (local repository) with Git +rather than downloading a zip file and merging new sources into a personal +source tree by hand. It also makes first-time setup easy and enables the +Wireshark build process to determine your current source code revision. + +There are several ways in which Git can be installed. Most packages are +available at the URLs below or via https://chocolatey.org/[Chocolatey]. +Note that many of the GUI interfaces depend on the command line version. + +If installing the Windows version of git select the +_Use Git from the Windows Command Prompt_ (in chocolatey the _/GitOnlyOnPath_ +option). Do *not* select the _Use Git and optional Unix tools from the Windows Command Prompt_ +option (in chocolatey the _/GitAndUnixToolsOnPath_ option). + +====== The Official Windows Installer + +The official command-line installer is available at https://git-scm.com/download/win. + +====== Git Extensions + +Git Extensions is a native Windows graphical Git client for +Windows. You can download the installer from +https://github.com/gitextensions/gitextensions/releases/latest. + +====== TortoiseGit + +TortoiseGit is a native Windows graphical Git +similar to TortoiseSVN. You can download the installer from +https://tortoisegit.org/download/. + +====== Command Line client via Chocolatey + +The command line client can be installed (and updated) using Chocolatey: +---- +choco install -y git +---- + +// winget has git. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/g/Git/Git + +====== Others + +A list of other GUI interfaces for Git can be found at +https://git-scm.com/downloads/guis + + +[#ChSetupCMake] + +===== Install CMake + +While CMake is required to build Wireshark, it might have been installed as a component of either Visual Studio or Qt. +If that’s the case you can skip this step. +If you do want or need to install CMake, you can get it from https://cmake.org/download/[]. +Installing CMake into the default location is recommended. +Ensure the directory containing cmake.exe is added to your path. + +Alternatively you can install it using Chocolatey: + +---- +choco install -y cmake +---- + +// winget has CMake. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/k/Kitware/CMake + +Chocolatey ensures cmake.exe is on your path. + +[#ChSetupAsciidoctor] + +===== Install Asciidoctor, Xsltproc, And DocBook + +https://asciidoctor.org/[Asciidoctor] can be run directly as a Ruby script or via a Java wrapper (AsciidoctorJ). +The JavaScript flavor (Asciidoctor.js) isn’t yet supported. +It is used in conjunction with Xsltproc and DocBook to generate the documentation you're reading and the User’s Guide. + +You can install AsciidoctorJ, Xsltproc, and DocBook using Chocolatey. +AsciidoctorJ requires a Java runtime and there are https://en.wikipedia.org/wiki/List_of_Java_virtual_machines[many to choose from]. +Chocolatey doesn't support alternative package dependencies at the present time, including dependencies on Java. +As a result, installing the asciidoctorj package won't automatically install a Java runtime -- you must install one separately. + +---- +choco install -y <your favorite Java runtime> +choco install -y asciidoctorj xsltproc docbook-bundle +---- + +Chocolatey ensures that asciidoctorj.exe and xsltproc.exe is on your +path and that xsltproc uses the DocBook catalog. + +// winget has no Asciidoctor, xsltproc, or DocBook packages. + +===== Install winflexbison + +Get the winFlexBison installer from +https://sourceforge.net/projects/winflexbison/ +and install into the default location. +Ensure the directory containing win_flex.exe is on your path. + +Alternatively you can install Winflexbison using Chocolatey: + +---- +choco install -y winflexbison3 +---- + +Chocolatey ensures win_flex.exe is on your path. + +// winget has no bison package. + +===== Optional: Install Perl + +If needed you can get a Perl installer from +http://strawberryperl.com/ +or +https://www.activestate.com/ +and install Perl into the default location. + +Alternatively you can install Perl using Chocolatey: + +---- +choco install -y strawberryperl +# ...or... +choco install -y activeperl +---- + +// winget has StrawberryPerl. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/s/StrawberryPerl/StrawberryPerl + +===== Install and Prepare Sources + +[TIP] +.Make sure everything works +==== +It’s a good idea to make sure Wireshark compiles and runs at least once before +you start hacking the Wireshark sources for your own project. This example uses +Git Extensions but any other Git client should work as well. +==== + +*Download sources* Download Wireshark sources into +_C:\Development\wireshark_ using either the command line or Git Extensions: + +Using the command line: + +---- +cd C:\Development +git clone https://gitlab.com/wireshark/wireshark.git +---- + +Using Git extensions: + +. Open the Git Extensions application. By default Git Extensions + will show a validation checklist at startup. If anything needs to + be fixed do so now. You can bring up the checklist at any time + via menu:Tools[Settings]. + +. In the main screen select _Clone repository_. Fill in the following: ++ +Repository to clone: *`https://gitlab.com/wireshark/wireshark.git`* ++ +Destination: Your top-level development directory, e.g. _C:\Development_. ++ +Subdirectory to create: Anything you’d like. Usually _wireshark_. ++ +[TIP] +.Check your paths +==== +Make sure your repository path doesn't contain spaces. +==== + +. Click the btn:[Clone] button. Git Extensions should start cloning the + Wireshark repository. + +[#ChSetupPrepareCommandCom] + +===== Open a Visual Studio Command Prompt + +From the Start Menu (or Start Screen), navigate to the “Visual Studio 2022” folder and choose the https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line?view=msvc-170#developer_command_prompt_shortcuts[Command Prompt] appropriate for the build you wish to make, e.g. “x64 Native Tools Command Prompt for VS 2022” for a 64-bit version. +Depending on your version of Windows the Command Prompt list might be directly under “Visual Studio 2022” or you might have to dig for it under multiple folders, e.g. menu:Visual Studio 2022[Visual Studio Tools,Windows Desktop Command Prompts]. + +You can set up a build environment in your own command prompt by running the appropriate `vcvars__ARCHITECTURE__.bat` command. +See https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line?view=msvc-170#use-the-developer-tools-in-an-existing-command-window[Use the Microsoft C++ toolset from the command line] for details. + +[TIP] +.Pin the items to the Task Bar +==== +Pin the Command Prompt you use to the Task Bar for easy access. +==== + +All subsequent operations take place in this Command Prompt window. + +. Set environment variables to control the build. ++ +-- +Set the following environment variables, using paths and values suitable for your installation: + +[subs="attributes+"] +---- +rem Let CMake determine the library download directory name under +rem WIRESHARK_BASE_DIR or set it explicitly by using WIRESHARK_LIB_DIR. +rem Set *one* of these. +set WIRESHARK_BASE_DIR=C:\Development +rem set WIRESHARK_LIB_DIR=c:\wireshark-x64-libs +rem Set the Qt installation directory +set WIRESHARK_QT6_PREFIX_PATH=C:\Qt{backslash}{qt6-lts-version}\msvc2019_64 +rem Append a custom string to the package version. Optional. +set WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo +---- + +Setting these variables could be added to a batch file to be run after you open +the Visual Studio Tools Command Prompt. + +[TIP] +.Use of Qt’s LTS branch +==== +It is generally recommended to use a LTS ("long term support") version for Qt. The current LTS version for Qt 6 is +{qt6-lts-version}. +==== + +-- + +. Create and change to the correct build directory. +CMake is best used in an out-of-tree build configuration where the build is done in a separate directory from the source tree, leaving the source tree in a pristine state. +64 and 32 bit builds require a separate build directory. +Create (if required) and change to the appropriate build directory. ++ +-- +// XXX Our CI builds are in-tree in <src dir>/build. +---- +mkdir C:\Development\wsbuild64 +cd C:\Development\wsbuild64 +---- +to create and jump into the build directory. + +The build directory can be deleted at any time and the build files regenerated as detailed in <<ChWindowsGenerate>>. +-- + +[#ChWindowsGenerate] + +===== Generate the build files + +CMake is used to process the CMakeLists.txt files in the source tree and produce build files appropriate +for your system. + +You can generate Visual Studio solution files to build either from within Visual Studio, or from the command +line with MSBuild. CMake can also generate other build types but they aren't supported. + +The initial generation step is only required the first time a build directory is created. Subsequent +builds will regenerate the build files as required. + +If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. + +To generate the build files enter the following at the Visual Studio command prompt: +---- +cmake -G "Visual Studio 17 2022" -A x64 ..\wireshark +---- + +Adjusting the path to the Wireshark source tree as required. +To use a different generator modify the `-G` parameter. +`cmake -G` lists all the CMake supported generators, but only Visual Studio is supported for Wireshark builds. +32-bit builds are no longer supported. + +The CMake generation process will download the required 3rd party libraries (apart from Qt) +as required, then test each library for usability before generating the build files. + +At the end of the CMake generation process the following should be displayed: +---- +-- Configuring done +-- Generating done +-- Build files have been written to: C:/Development/wsbuild64 +---- + +If you get any other output, there is an issue in your environment that must be rectified before building. +Check the parameters passed to CMake, especially the `-G` option and the path to the Wireshark sources and +the environment variables `WIRESHARK_BASE_DIR` and `CMAKE_PREFIX_PATH`. + +[#ChWindowsBuild] + +===== Build Wireshark + +Now it’s time to build Wireshark! + +. If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. + +. Run ++ +-- +---- +msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln +---- +to build Wireshark. +-- + +. Wait for Wireshark to compile. This will take a while, and there will be a lot of text output in the command prompt window + +. Run _C:\Development\wsbuild64\run\RelWithDebInfo\Wireshark.exe_ and make sure it starts. + +. Open menu:Help[About]. If it shows your "private" program +version, e.g.: Version {wireshark-version}-myprotocol123 +congratulations! You have compiled your own version of Wireshark! + +You may also open the Wireshark solution file (_Wireshark.sln_) in the Visual Studio IDE and build there. + +TIP: If compilation fails for suspicious reasons after you changed some source +files try to clean the build files by running `msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln /t:Clean` +and then building the solution again. + +The build files produced by CMake will regenerate themselves if required by changes in the source tree. + +===== Debug Environment Setup + +You can debug using the Visual Studio Debugger or WinDbg. See the section +on using the <<ChToolsDebugger, Debugger Tools>>. + +===== Optional: Create User’s and Developer’s Guide + +To build the Wireshark User's Guide and the Wireshark Developer's Guide, +build the `all_guides` target, e.g. `msbuild all_guides.vcxproj`. +Detailed information to build these guides can be found in the file +_doc\README.documentation.adoc_ in the Wireshark sources. + +===== Optional: Create a Wireshark Installer + +Note: You should have successfully built Wireshark +before doing the following. + +If you want to build your own +_Wireshark-{wireshark-version}-myprotocol123-x64.exe_, you'll need +NSIS. You can download it from http://nsis.sourceforge.net[]. + +Note that the 32-bit version of NSIS will work for both 64-bit and 32-bit versions of Wireshark. +NSIS version 3 is required. + +If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. Run + +---- +msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis.vcxproj +---- + +to build a Wireshark installer. +If you sign your executables you should do so between the “wireshark_nsis_prep” and “wireshark_nsis” steps. +To sign your installer you should place the signing batch script on the path. It must be named "sign-wireshark.bat". +It should be autodetected by CMake, to always require signing set the -DENABLE_SIGNED_NSIS=On CMake option. + +Run + +---- +packaging\nsis\wireshark-{wireshark-version}-myprotocol123-x64.exe +---- + +to test your new installer. +It’s a good idea to test on a different machine than the developer machine. + +[#ChSetupMSYS2] + +==== Using MinGW-w64 with MSYS2 + +MSYS2 comes with different environments/subsystems and the first thing you +have to decide is which one to use. The differences among the environments +are mainly environment variables, default compilers/linkers, architecture, +system libraries used etc. If you are unsure, go with UCRT64. + +===== Building from source + +. Open the shell for the selected 64-bit environment. + +. Download the Wireshark source code using Git, if you haven't done so already, + and cd into that directory. + +. Install needed dependencies: + + tools/msys2-setup.sh --install-all + +. Build using CMake + Ninja: + + mkdir build && cd build + # Ninja generator is the default + cmake -DENABLE_CCACHE=On -DFETCH_lua=Yes .. + ninja + ninja test # optional, to run the test suite + ninja install # optional, install to the MSYS2 shell path + +The application should be launched using the same shell. + +===== Building an .exe installer + +. Follow the instructions above to compile Wireshark from source. + +. Build the NSIS installer target. + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If successful the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +Alternatively you can also use the PKGBUILD included in the Wireshark +source distribution to compile Wireshark into a binary package that can be +https://www.msys2.org/wiki/Creating-Packages/[installed using pacman]. + +===== Comparison with MSVC toolchain + +The official Wireshark Windows installer is compiled using Microsoft Visual +Studio (MSVC). Currently the MSYS2 build has the following limitations compared to +the build using MSVC: + +* Lua does not have https://github.com/Lekensteyn/lua-unicode[custom UTF-8 patches]. + +* The Event Tracing for Windows (ETW) extcap cannot be compiled using MinGW-w64. + +* Enhanced Kerberos dissection with decryption is not available. + +* AirPcap is not supported. + +[#ChSetupCross] + +==== Cross-compilation using Linux + +It is possible to compile Wireshark for Microsoft Windows using Linux and MinGW. +This way developers can deploy Wireshark on Windows systems without requiring +a Windows host machine. Building for Windows using a Linux host is also +easier for devs already familiar with Linux, the build itself is faster and it +uses a very mature C/C++ compiler (GCC) and debugger (GDB). + +===== Using Fedora Linux + +https://fedoraproject.org/[Fedora Linux] provides the best out-of-the-box +support for MinGW cross-compilation. Fedora is what the project uses to test +the build and it's what we recommend. While any other reasonably modern Linux +distribution can be used, that will make the process more time consuming and +involve some trial and error to setup. + +The build instructions on Fedora follow the familiar recipe for building Wireshark +using Linux. + +====== Building from source + +. Install needed dependencies: + + tools/mingw-rpm-setup.sh --install-all + +. Build using CMake + Ninja: + + mkdir build && cd build + mingw64-cmake -G Ninja -DENABLE_CCACHE=Yes -DFETCH_lua=Yes .. + ninja ++ +Note that currently it is not possible to run the test-suite when cross-compiling. + +. Build the NSIS installer + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If successful the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +====== Notes and comparison with MSVC builds + +* Only the MSVCRT C library for Microsoft Windows can be used. Support for the + UCRT (Universal C Runtime) library on Fedora Linux is in the initial stages of + deployment and not ready for prime-time (at the time of this writing). + +* Some optional dependencies are missing from Fedora repositories and must be + compiled from source if desired. An up-to-date complete list can be found in + the bug tracker (https://gitlab.com/wireshark/wireshark/-/issues/19108[issue 19108]). + +* Lua does not have https://github.com/Lekensteyn/lua-unicode[custom UTF-8 patches]. + +* The Event Tracing for Windows (ETW) extcap cannot be compiled using MinGW-w64. + +* Enhanced Kerberos dissection with decryption is not available. + +* AirPcap is not supported. + +===== Using Arch Linux + +https://archlinux.org/[Arch Linux] has good support for MinGW using packages +from the https://aur.archlinux.org/[AUR]. Note that the mingw-w64 AUR packages +sometimes break. If that happens you may be required to fix it or skip the +package until it is fixed by the maintainer, if it's an optional dependency. +You may also want to consider using an +https://wiki.archlinux.org/title/unofficial_user_repositories[unofficial user repository] +(such as the https://martchus.no-ip.biz/repo/arch/ownstuff/[ownstuff] repository) +to provide pre-compiled packages. This will greatly simplify the initial setup +and subsequent upgrades. + +CAUTION: AUR packages and unofficial user repositories are user-produced +content. These packages are completely unofficial and have not been thoroughly +vetted. It is your decision whether to trust their maintainers and you take +full responsibility for choosing to use them. + +You will need to install an https://wiki.archlinux.org/title/AUR_helpers[AUR helper]. +This guide assumes `paru` is being used. + +. Install required dependencies from official repositories: + + pacman -S mingw-w64 nsis lemon qt6-tools ccache + +. Install required dependencies from the AUR: + + paru -S mingw-w64-cmake + paru -S mingw-w64-glib2 + paru -S mingw-w64-libgcrypt + paru -S mingw-w64-c-ares + paru -S mingw-w64-speexdsp + paru -S mingw-w64-libpcap + +. Install Qt6: + + paru -S mingw-w64-qt6-base mingw-w64-qt6-5compat mingw-w64-qt6-multimedia + +. Install optional dependencies: + + paru -S mingw-w64-gnutls + paru -S mingw-w64-lz4 + paru -S mingw-w64-snappy + paru -S mingw-w64-opus + paru -S mingw-w64-opencore-amr + paru -S mingw-w64-libxml2 + paru -S mingw-w64-libnghttp2 + paru -S mingw-w64-libssh + paru -S mingw-w64-minizip ++ +Search the AUR for other dependencies not listed above. + +. Build Wireshark using CMake + Ninja. From the directory containing the + Wireshark source tree run: + + mkdir build && cd build + x86_64-w64-mingw32-cmake -G Ninja -DENABLE_CCACHE=Yes -DFETCH_lua=Yes \ + -DMINGW_SYSROOT=/usr/x86_64-w64-mingw32 .. + ninja ++ +This will automatically download and build Lua as a static library. ++ +To reconfigure the CMake build you may to do it explicitly by running +`x86_64-w64-mingw32-cmake .` in the build directory, +instead of letting `ninja` do it for you automatically. + +. Build the NSIS installer + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If everything goes well the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +The same notes as the build using Fedora apply. diff --git a/doc/wsdg_src/wsdg_sources.adoc b/doc/wsdg_src/wsdg_sources.adoc new file mode 100644 index 00000000..38078f37 --- /dev/null +++ b/doc/wsdg_src/wsdg_sources.adoc @@ -0,0 +1,1422 @@ +[#ChapterSources] + +== Work with the Wireshark sources + +[#ChSrcIntro] + +=== Introduction + +This chapter will explain how to work with the Wireshark source code. +It will show you how to: + +* Get the source + +* Compile it on your machine + +* Submit changes for inclusion in the official release + +This chapter will not explain the source file contents in detail, +such as where to find specific functionality. This is done in +<<ChCodeOverview>>. + +[#ChSrcGitRepository] + +=== The Wireshark Git repository + +https://git-scm.com/[Git] is used to keep track of the changes made to the Wireshark source code. +The official repository is hosted at {wireshark-gitlab-project-url}[GitLab], and incoming changes are evaluated and reviewed there. +For more information on GitLab see https://docs.gitlab.com/ee/[their documentation]. + +.Why Git? + +Git is a fast, flexible way of managing source code. +It allows large scale distributed development and ensures data integrity. + +.Why GitLab? + +GitLab makes it easy to contribute. +You can make changes locally and push them to your own work area at gitlab.com, or if your change is minor you can make changes entirely within your web browser. + +.Historical trivia: GitLab is the *fourth* iteration of our source code repository and code review system. +// Five if you include "sending patches to Gerald." + +Wireshark originally used https://www.nongnu.org/cvs/[Concurrent Versions System] (CVS) and migrated to https://subversion.apache.org/[Subversion] in July 2004. +We migrated from Subversion to Git and https://www.gerritcodereview.com/[Gerrit] in January 2014, and from Gerrit to GitLab in August 2020. + +Using Wireshark’s GitLab project you can: + +* Keep your private sources up to date with very little effort. +* Receive notifications about code reviews and issues. +* Get the source files from any previous release (or any other point in time). +* Browse and search the source code using a web interface. +* See which person changed a specific piece of code. + +[#ChSrcWebInterface] + +==== Git Naming Conventions + +Like most revision control systems, Git uses +https://en.wikipedia.org/wiki/Branching_%28revision_control%29[branching] +to manage different copies of the source code and allow parallel development. +Wireshark uses the following branch naming conventions: + +.master. +Main feature development and odd-numbered development releases. + +.release-x.y, master-x.y. +Stable release maintenance. For example, release-3.4 is used to manage the 3.4.x official releases. + +Tags for major releases and release candidates consist of a “v” followed by a version number such as “v3.2.1” or “v3.2.3rc0”. +Major releases additionally have a tag prefixed with “wireshark-” followed by a version number, such as “wireshark-3.2.0”. + +Tags created after August 1, 2024 are signed using SSH. This includes the tags for versions 4.4.0rc1, 4.4.0, 4.2.7, and 4.0.17. If you wish to verify these tags, you must have the following entry in __~/.ssh/allowed_signers__: + + gerald@wireshark.org namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHe1qOxwBietT54lZ3qawTc8B9unWP+T3JVR9l2rQaP + +Tags were signed using GPG prior to August 2024. + +[#ChSrcGitWeb] +=== Browsing And Searching The Source Code + +If you need a quick look at the Wireshark source code you can browse the repository files in GitLab at + +{wireshark-code-browse-url} + +You can view commit logs, branches, and tags, find files and search the repository contents. +You can also download individual files. + +[#ChSrcObtain] +=== Obtaining The Wireshark Sources + +There are two primary ways to obtain Wireshark’s source code: Git and compressed .tar archives. +Each is described in more detail below. +We recommend using Git for day to day development, particularly if you wish to contribute changes back to the project. +The age mentioned in the following sections indicates the age of the most recent change in that set of the sources. + + +[#ChSrcGit] +==== Git Over SSH Or HTTPS + +This method is strongly recommended for day to day development. + +You can use a Git client to download the source code from Wireshark’s code review system. +Anyone can clone from the anonymous HTTP git URL: + +{wireshark-git-anonhttp-url} + +If you have a GitLab account you can also clone using SSH: + +{wireshark-git-ssh-url} + +If wish to make changes to Wireshark you must create a GitLab account, create a fork of the official Wireshark repository, update your fork, and create a merge request. +See <<ChSrcContribute>> for details. + +The following example shows how to get up and running on the command line. +See <<ChToolsGit>> for information on installing and configuring graphical Git clients. + +. Now on to the command line. +First, make sure `git` works: ++ +-- +[source,sh] +---- +$ git --version +---- +-- + +. If this is your first time using Git, make sure your username and email address are configured. +This is particularly important if you plan on uploading changes: ++ +-- +[source,sh] +---- +$ git config --global user.name "Henry Perry" +$ git config --global user.email henry.perry@example.com +---- +-- + +. Next, clone the Wireshark repository: ++ +-- +[source,sh] +---- +# If you have a GitLab account, you can use the SSH URL: +$ git clone -o upstream git@gitlab.com:wireshark/wireshark.git +# If you don't you can use the HTTPS URL: +$ git clone -o upstream https://gitlab.com/wireshark/wireshark.git +# You can speed up cloning in either case by adding --shallow-since=1year or --depth=5000. +---- +The clone only has to be done once. +This will copy all the sources (including directories) from the server to your machine and check out the latest version. + +The `-o upstream` flag uses the origin name “upstream” for the repository instead of the default “origin” as described in the https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[GitLab documentation]. + +Cloning may take some time depending on the speed of your internet connection. + +The `--shallow-since=1year` option limits cloned commits to the last 1 year. + +The `--depth=5000` option limits cloned commits to the last 5000. +-- + +[#ChSrcDevelopmentSnapshots] +==== Development Snapshots + +This method is useful for one-off builds or if Git is inaccessible (e.g. because of a restrictive firewall). + +Our GitLab CI configuration automatically generates development packages, including source packages. +They can be found at {wireshark-snapshots-url}. +Packages are available for recent commits in the master branch and each release branch. + +[#ChSrcReleased] +==== Official Source Releases + +This method is recommended for building downstream release packages. + +The official source releases can be found at {wireshark-download-url}. +You should use these sources if you want to build Wireshark on your platform based on an official release with minimal or no changes, such as Linux distribution packages. + +[#ChSrcUpdating] +=== Update Your Wireshark Sources + +After you've obtained the Wireshark sources for the first time, +you might want to keep them in sync with the sources at the upstream +Git repository. + +[TIP] +.Take a look at the recent commits first +==== +As development evolves, the Wireshark sources are compilable most of the time -- but not always. +You should take a look at {wireshark-commits-url} before fetching or pulling to make sure the builds are in good shape. +==== + +[#ChSrcGitUpdate] +==== Update Using Git + +From time to time you will likely want to synchronize your master branch with the upstream repository. +You can do so by running: + +[source,sh] +---- +$ git pull --rebase upstream master +---- + +[#ChSrcBuildFirstTime] +=== Build Wireshark + +The sources contain several documentation files. It’s a good idea to read these +files first. After obtaining the sources, tools and libraries, the first place +to look at is _doc/README.developer_. Inside you will find the latest +information for Wireshark development for all supported platforms. + +.Build Wireshark before changing anything +[TIP] +==== +It is a very good idea to first test your complete build environment +(including running and debugging Wireshark) before making any changes +to the source code (unless otherwise noted). +==== + +Building Wireshark for the first time depends on your platform. + +==== Building on Unix + +Follow the build procedure in <<ChSetupUNIX>> to build Wireshark. + +==== Windows Native + +Follow the build procedure in <<ChSetupWindows>> to build Wireshark. + +After the build process has successfully finished, you should find a +`Wireshark.exe` and some other files in the `run\RelWithDebInfo` directory. + +[#ChSrcBuildType] +==== Build Type + +CMake can compile Wireshark for several different build types: + +.Build Types +|=== +|Type |Compiler Flags |Description + +|`RelWithDebInfo` +|`-O2 -g -DNDEBUG` +|Build with optimizations and generate debug symbols. +Disables assertions and disables debug level logs + +|`Debug` +|`-g -DWS_DEBUG` +|For development, no optimization. Enables assertions and debug level logs + +|`Release` +|`-O3 -DNDEBUG` +|Optimized for speed, no debug symbols or debug level logs or assertions + +|`MinSizeRel` +|`-Os -DNDEBUG` +|Optimized for size, no debug symbols or debug level logs or assertions +|=== + +The default is `RelWithDebInfo`, which provides a good compromise of +some optimization (`-O2`) along with including debug symbols (`-g`) +for release builds. For normal development coding you probably want to be +using `Debug` build type or set -DENABLE_DEBUG=On, to enable full +<<ChSrcLogging,logging capabilities>> and debug code. + +CMake will automatically add the -DNDEBUG option to certain build +types. This macro is used to disable assertions but it can be overruled +using ENABLE_ASSERT, which can be used to unconditionally enable assertions +if defined. + +To change the build type, set the CMake variable `CMAKE_BUILD_TYPE`, e.g.: + +[source,sh] +---- +$ cmake .. -DCMAKE_BUILD_TYPE=Debug +---- + +or on Windows, + +[source,cmd] +---- +> msbuild /m /p:Configuration=Debug Wireshark.sln +---- + +[#ChSrcRunFirstTime] +=== Run Your Version Of Wireshark + + +[TIP] +.Beware of multiple Wiresharks +==== +An already installed Wireshark may interfere with your newly generated +version in various ways. If you have any problems getting your Wireshark +running the first time, it might be a good idea to remove the previously +installed version first. +==== + +[#ChSrcRunFirstTimeUnix] +==== Unix-Like Platforms + +After a successful build you can run Wireshark right from the `run` directory. +There's no need to install it first. + +[source,sh] +---- +$ ./run/wireshark +---- + +There’s no need to run Wireshark as root user, but depending on your platform you might not be able to capture. +Running Wireshark this way can be helpful since debugging output will be displayed in your terminal. +You can also change Wireshark’s behavior by setting various environment variables. +See the {wireshark-man-page-url}wireshark.html#ENVIRONMENT-VARIABLES[ENVIRONMENT VARIABLES] section of the Wireshark man page for more details. + +On macOS, Wireshark is built as an application bundle (_run/Wireshark.app_) by default, and _run/wireshark_ will be a wrapper script that runs _Wireshark.app/Contents/MacOS/Wireshark_. +Along with running `./run/wireshark` as shown above you can also run it on the command line with `open run/Wireshark.app`. + +[#ChSrcRunFirstTimeWindows] +==== Windows Native + +By default the CMake-generated Visual {cpp} project places all of the files necessary to run Wireshark in the subdirectory `run\RelWithDebInfo`. +As with the Unix-like build described above, you can run Wireshark from the build directory without installing it first. + +[source,cmd] +---- +> .\run\RelWithDebInfo\Wireshark +---- + + +[#ChSrcDebug] +=== Debug Your Version Of Wireshark + +Optimization can make debugging a bit more difficult, e.g. by changing the +execution order of statements. To disable optimization, set the +<<ChSrcBuildType,build type>> to `Debug`. + +Full debug logs can be invaluable to investigate any issues with the code. +By default debug level logs are only enabled with `Debug` build type. You +can enable full debug logs and extra debugging code by configuring the +ENABLE_DEBUG CMake option. This in turn will define the macro symbol +`WS_DEBUG` and enable the full range of debugging code in Wireshark. + +There is an additional CMake knob called ENABLE_DEBUG_UTF_8 that can be used to +control specifically the extra validation Wireshark performs internally +for invalid UTF-8 encodings in internal strings, which should never happen +and can be somewhat expensive to check during normal usage. + +Conversely, the `Release` or `MinSizeRel` build types can be used to optimize +further for speed or size, but do not include debug symbols for use with +debuggers, and completely disable <<ChSrcLoggingLevels,lower level logging>> +and asserts, optimizing away the code path. Ensure that you have not built with +one of those types before attempting debugging. + +[#ChSrcLogging] +==== Wireshark Logging + +Wireshark has a flexible logging system to assist in development and troubleshooting. +Logging configuration takes into account what, when and where to output diagnostic messages. + +* The 'what generates log messages' is defined through logging domain(s). +* The 'when it generates log messages' is defined through the logging level. +* The 'where it outputs log messages' is defined through the output channel(s). + +The details to configure and use the logging system are explained in the following sections. + +[#ChSrcLoggingDomains] +===== Logging Domains + +Any part of Wireshark can be assigned a logging domain. This is already done for most of the internals of Wireshark, +e.g., "Main", "Capture", "Epan", "GUI". The domains are defined in the `ws_log_defs.h` header but dissectors should +define their own logging domain. Any string can be used as ID for a logging domain. + +[#ChSrcLoggingLevels] +===== Logging Levels + +The following logging levels are defined from highest to lowest: + +* error +* critical +* warning +* message +* info +* debug +* noisy + +By default logging output is generated for logging level "message" and above. If the logging level is lowered or raised +all log output generated at or above this level is sent to the log output. +Note that if the <<ChSrcBuildType,build type>> is not set to `Debug` +then by default all log output for the logging levels "debug" and +"noisy" will be optimized away by the compiler and cannot be emitted to the log +output, regardless of the logging settings. To enable debug logging for all build +types, set the CMake variable `-DENABLE_DEBUG=ON`. + +There is also a special "echo" logging level used exclusively for temporary debugging print outs (usually +via the `WS_DEBUG_HERE` macro). + +[#ChSrcLoggingOutput] +===== Logging Output + +By default logging output is sent to stderr. In addition to that it is possible to configure a log file. This collects all log output to the +file, besides the normal output streams. The output can then be read in a text editor or used with other text processing tools. + +A program can also register its own log writer when the standard facilities are insufficient or special handling is required. + +[#ChSrcConfigureLogging] +===== Configure Logging + +Logging can be configured through either environment variables or command line parameters. + +The following environment variables and command line parameters are used by the logging system: + +WIRESHARK_LOG_DOMAIN, WIRESHARK_LOG_DOMAINS, or --log-domain, --log-domains:: +This is a filter for the domain(s) which are to generate log messages. +WIRESHARK_LOG_LEVEL, or --log-level:: +This is the level (below critical) for which log messages are to be generated. This is used for all configured domains. +WIRESHARK_LOG_DEBUG, or --log-debug:: +These domain(s) will generate debug level log messages regardless of the log level and log domains configured. +WIRESHARK_LOG_NOISY, or --log_noisy:: +These domain(s) will generate noisy level log messages regardless of the log level and log domains configured. + +Multiple domains can be concatenated using commas or semicolons. The match can be inverted by prefixing the domain(s) list with an exclamation mark. + +[#ChSrcTrapsLogging] +==== Traps Set By Logging + +Sometimes it can be helpful to abort the program right after a log message of a certain level or a certain domain is output. + +The following environment variables are used to configure a trap by the logging system: + +WIRESHARK_LOG_FATAL, or --log_fatal:: +This is the level for which log messages are fatal. This can either be "critical" or "warning" level. + +WIRESHARK_LOG_FATAL_DOMAIN, WIRESHARK_LOG_FATAL_DOMAINS, or --log-fatal-domain, --log-fatal-domains:: +These are the domain(s) where output of a log message is fatal. This is less commonly used than the fatal log level setting above. + +[#ChSrcLoggingApi] +==== Logging APIs + +The logging API can be found in `wsutil/wslog.h`. + +To use the logging API for your code add the definition of the ID of your logging domain right after including `config.h`. For example: + +[source,c] +---- +/* My code doing something awesome */ +#include "config.h" +#define WS_LOG_DOMAIN "MyCode" + +#include <wireshark.h> + +... +---- + +Populate your code with the applicable function calls to generate log messages when enabled. The following convenience macros are provided: + +* `ws_error()` +* `ws_critical()` +* `ws_warning()` +* `ws_message()` +* `ws_info()` +* `ws_debug()` +* `ws_noisy()` + +All these take `printf()` style parameters. There is also a `WS_DEBUG_HERE` macro that is always active and outputs to a special "echo" +domain for temporary debug print outs. `WS_DEBUG_HERE` should be used for development purposes only and not appear in final delivery of the code. + +[#ChSrcUnixDebug] +==== Unix-Like Platforms + +You can debug using command-line debuggers such as gdb, dbx, or lldb. +If you prefer a graphic debugger, you can use an IDE or debugging frontend +such as Qt Creator, CLion, or Eclipse. + +Additional traps can be set on Wireshark, see <<ChSrcTrapsLogging>> + +[#ChSrcMemorySafety] +===== Memory Safety and Leaks + +Wireshark's wmem memory management framework makes it easy to allocate +memory in pools with a certain scope that is freed automatically at +a certain point (such as the end of dissecting a packet or when closing +a file), even if a dissector raises an exception after allocating the +memory. Memory in a pool is also freed collectively, which can be +considerably faster than calling `free()` individually on each individual +allocation. Proper use of wmem makes a dissector faster and less prone +to memory leaks with unexpected data, which happens frequently with +capture files. + +However, wmem's block allocation can obscure issues that memory checkers +might otherwise catch. Fortunately, the `WIRESHARK_DEBUG_WMEM_OVERRIDE` +environment variable can be set at runtime to instruct wmem to use a specific +memory allocator for all allocations, some of which are more compatible with +memory checkers: + +* `simple` - Uses `malloc()` only, no block allocation, compatible with Valgrind +* `strict` - Finds invalid memory via canaries and scrubbing freed memory +* `block` - Standard block allocator for file and epan scopes +* `block_fast` - Block allocator for short-lived scope, e.g. packet, (`free()` is a no-op) + +The `simple` allocator produces the most accurate results with tools like +https://valgrind.org[Valgrind] and can be enabled as follows: + +[source,sh] +---- +$ export WIRESHARK_DEBUG_WMEM_OVERRIDE=simple +---- + +Wireshark uses GLib's GSlice memory allocator, either indirectly via wmem or via various GLib API calls. +GLib provides a `G_SLICE` environment variable that can be set to `always-malloc` (similar to `simple`) or `debug-blocks` (similar to `strict`). +See https://developer-old.gnome.org/glib/stable/glib-running.html for details. +The C libraries on FreeBSD, Linux, and macOS also support memory allocation debugging via various environment variables. +You can enable many of them by running `source tools/debug-alloc.env` in a POSIX shell. + +If you're encountering memory safety bugs, you might want to build with +https://github.com/google/sanitizers/wiki/AddressSanitizer[Address Sanitizer] +(ASAN) so that Wireshark will immediately alert you to any detected issues. +It works with GCC or Clang, provided that the appropriate libraries are installed. + +[source,sh] +---- +$ cmake .. -G Ninja -DENABLE_ASAN=1 +$ source ../tools/debug-alloc.env +$ ./run/tshark ... +---- + +TIP: ASAN slows things down by a factor of 2 (or more), so having a different +build directory for an ASAN build can be useful. + +ASAN will catch more errors when run with either the `simple` or `strict` +wmem allocator than with the defaults. (It is more compatible with the +`strict` allocator and the analogous GSlice `debug-blocks` option than +Valgrind is.) + +For additional instrumentation, ASAN supports a number of +https://github.com/google/sanitizers/wiki/AddressSanitizerFlags[options]. + +For further investigating memory leaks, the following can be useful: + +[source,sh] +---- +# This slows things down a lot more but results in more precise backtraces, +# especially when calling third party libraries (such as the C++ standard +# library): +$ export ASAN_OPTIONS=fast_unwind_on_malloc=0 +# This causes LeakSanitizer to print the addresses of leaked objects for +# inspection in a debugger: +$ export LSAN_OPTIONS=report_objects=1 +---- + +LeakSanitizer and AddressSanitizer can detect issues in third-party libraries +that you cannot do anything about. For example, internal Qt library calls to +the fontconfig library can produce leaks. To ignore them, create a +https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions[suppressions file] with an appropriate entry, e.g. `leak:libfontconfig`. + +If you are just interested in memory safety checking, but not memory +leak debugging, disable the included https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer[LeakSanitizer] with: + +[source,sh] +---- +$ export ASAN_OPTIONS=detect_leaks=0 +---- + +[#ChSrcWindowsDebug] +==== Windows Native + +You can debug using the Visual Studio Debugger or WinDbg. See the section +on using the <<ChToolsDebugger, Debugger Tools>>. + +[#ChSrcChange] +=== Make Changes To The Wireshark Sources + +There are several reasons why you might want to change Wireshark’s sources: + +* Add support for a new protocol (i.e., add a new dissector) + +* Change or extend an existing dissector + +* Fix a bug + +* Implement a glorious new feature + +Wireshark’s developers work on a variety of different platforms and use a variety of different development environments. +Although we don't enforce or recommend a particular environment, your editor should support https://editorconfig.org/[EditorConfig] in order to make sure you pick up the correct indentation style for any files that you might edit. + +The internal structure of the Wireshark sources are described in <<PartDevelopment>>. + +.Ask the {wireshark-dev-list-email} mailing list before you start a new development task. +[TIP] +==== +If you have an idea what you want to add or change it’s a good idea to +contact the developer mailing list +(see <<ChIntroMailingLists>>) +and explain your idea. Someone else might already be working on the same +topic, so a duplicated effort can be reduced. Someone might also give you tips that +should be thought about (like side effects that are sometimes very +hard to see). +==== + +// XXX - Add a section on branching. + +[#ChSrcContribute] +=== Contribute Your Changes + +If you have finished changing the Wireshark sources to suit your needs, you might want to contribute your changes back to the Wireshark community. +You gain the following benefits by contributing your improvements: + +.It’s the right thing to do. +Other people who find your contributions useful will appreciate them, and you will know that you have helped people in the same way that the developers of Wireshark have helped you. + +.You get free enhancements. +By making your code public, other developers have a chance to make improvements, as there’s always room for improvements. +In addition someone may implement advanced features on top of your code, which can be useful for yourself too. + +You save time and effort. +The maintainers and developers of Wireshark will maintain your code as well, updating it when API changes or other changes are made, and generally keeping it in tune with what is happening with Wireshark. +So if Wireshark is updated (which is done often), you can get a new Wireshark version from the website and your changes will already be included without any effort for you. + +There’s no direct way to push changes to the {wireshark-gitlab-project-url}[main repository]. +Only a few people are authorised to actually make changes to the source code (check-in changed files). +If you want to submit your changes, you should upload them to the code review system at {wireshark-code-review-url}. +This requires you to set up git as described at <<ChSrcGit>>. + +[#ChSrcCreatingMergeRequests] +==== Creating Merge Requests + +// To do: +// - Note that you can mirror your fork: https://about.gitlab.com/blog/2016/12/01/how-to-keep-your-fork-up-to-date-with-its-origin/ +// - Mention CLI utilities. + +GitLab uses a https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[forking workflow], which looks like this: + +.GitLab Workflow +image::images/git-triangular-workflow.svg[] + +In the diagram above, your fork can created by pressing the “Fork” button at {wireshark-gitlab-project-url}. +Your local repository can be created as described in <<ChSrcGit>>. +You only need to do this once. +You should pull from the main repository on a regular basis in order to ensure that your sources are current. +You should push any time you want to make a merge request or otherwise make your code public. +The “Pull”, “Push”, and “Merge Request” parts of the workflow are important, so let’s look at them in more detail. + +First, you need to set up your environment. +For the steps below we’ll pretend that your username is “henry.perry”. + +. Sign in to {wireshark-gitlab-project-url} by clicking “Sign in / Register” in the upper right corner of the web page and following the login instructions. + +. https://docs.gitlab.com/ee/user/ssh.html[Add an SSH key to your account] as described in the GitLab documentation. + +. Make sure you have a clone of the main repository as described in <<ChSrcGit>>. + +. Create your own personal fork of the Wireshark project by https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[pressing the “Fork” button] at {wireshark-gitlab-project-url}. ++ +-- +WARNING: If you want to make merge requests you must keep your fork public. +Making it private will disassociate it from the main Wireshark repository. +-- + +. Add a remote for your personal repository. +The main repository remote is named “upstream”, so we'll name this one “downstream”. ++ +-- +[source,sh] +---- +$ git remote add downstream git@gitlab.com:henry.perry/wireshark.git +---- +-- + +. Double-check your remotes: ++ +-- +[source,sh] +---- +$ git remote -v +$ downstream git@gitlab.com:henry.perry/wireshark.git (fetch) +$ downstream git@gitlab.com:henry.perry/wireshark.git (push) +$ upstream git@gitlab.com:wireshark/wireshark.git (fetch) +$ upstream git@gitlab.com:wireshark/wireshark.git (push) +---- +-- + +Before you begin it’s a good idea to synchronize your local repository with the main repository. +This is the *Pull* part of the workflow. +You should do this periodically in order to stay up to date and avoid merge conflicts later on. + +. Fetch and optionally apply the latest changes. ++ +-- +[source,sh] +---- +# Fetch changes from upstream and apply them to the current branch... +$ git pull --rebase upstream master +# ...or fetch changes and leave the current branch alone +$ git fetch upstream +---- +-- + +Now you’re ready to create a merge request (the *Push* and *Merge Request* parts of the workflow above). + +. First, create a branch for your change: ++ +-- +[source,sh] +---- +$ git checkout -b my-glorious-new-feature upstream/master +---- +-- + +. Write some code! +See <<ChSrcGoodPatch>> and <<ChSrcCodeRequirements>> for details. + +. Commit your changes. +See <<ChSrcGoodCommitMessage>> for details. ++ +-- +[source,sh] +---- +$ git commit -a +---- +-- + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +$ git push downstream HEAD +---- +-- + +. Go to {wireshark-merge-request-url}. +You should see a https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html#create-merge-request-button[“Create merge request”] button. +Press it. + +. In the merge request page, make sure “Allow commits from members who can merge to the target branch” is selected so that core developers can rebase your change. You might want to select “Delete source branch when merge request is accepted” as well. Click the “Submit merge request” button. + +// XXX Add command line instructions for one or more of the following: +// https://docs.gitlab.com/ee/user/project/push_options.html +// https://github.com/zaquestion/lab - Go (single binary). +// https://invent.kde.org/sdk/git-lab - Developed by the KDE team. +// https://github.com/vishwanatharondekar/gitlab-cli - Might work well for people who don't mind using NPM. + + +[#ChSrcUpdatingMergeRequests] +==== Updating Merge Requests + +At this point various automated tests will be run and someone will review your change. +If you need to make changes you can do so by force-pushing it to the same branch in your personal repository. + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +# First, make sure you're on the right branch. +$ git status +On branch my-glorious-new-feature +---- +-- + +. Update your code. + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +# Modify the current commit and force-push... +$ git commit --amend ... +$ git push downstream +HEAD +# ...or keep the current commit as-is add another commit on top of it +$ git commit ... +$ git push downstream HEAD +---- +The `+` sign is shorthand for forcing the push (`-f`). +-- + +[#ChSrcGoodPatch] +==== Some Tips For A Good Patch + +Some tips that will make the merging of your changes into Git much more likely +(and you want exactly that, don't you?): + +.Use the latest Git sources. +It’s a good idea to work with the same sources that are used by the other developers. +This usually makes it much easier to apply your patch. +For information about the different ways to get the sources, see <<ChSrcObtain>>. + +.Update your sources just before making a patch. +For the same reasons as the previous point. + +.Inspect your patch carefully. +Run `git diff` or `git show` as appropriate and make sure you aren't adding, removing, or omitting anything you shouldn't. + +.Give your branch a brief but descriptive name. +Short, specific names such as _snowcone-machine-protocol_ are preferred. + +.Don't put unrelated things into one large change. +Merge requests should be limited in scope. +For example, updates to the Snowcone Machine Protocol dissector and the Coloring Rules dialog box should be in separate merge requests. + +In general, making it easier to understand and apply your patch by one of the maintainers will make it much more likely (and faster) that it will actually be applied. + +.Thank you in advance for your patience. +Wireshark is a volunteer effort. +As a result, we can’t guarantee a quick turnaround time. + +.Preview the final product. +Wireshark’s GitLab CI jobs are disabled by default for forks, but if you need to test any CI jobs you can do so under the “Pipelines” section in your repository. +For example, if your change might affect Debian (apt) packaging you can run the “build:debian-stable” job. + +[#ChSrcGoodCommitMessage] +==== Writing a Good Commit Message + +When running `git commit`, you will be prompted to describe your change. +Here are some guidelines on how to make that message more useful to other people (and to scripts that may try to parse it): + +.Provide a brief description (under 60 characters or so) of the change in the first line. +If the change is specific to a single protocol, start this line with the abbreviated name of the protocol and a colon. +If the change is not yet complete prefix the line with “WIP:” to inform this change not to be submitted yet. +This be removed when the change is ready to be merged. + +.Insert a single blank line after the first line. +This is required by various formatting tools and helpful to humans. + +.Provide a detailed description of the change in the lines that follow. +Break paragraphs where needed. +Limit each line to 80 characters. + +You can also reference and close issues in a commit message by prefixing the issue number with a https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically[number sign]. +For example, “closes #5” will close issue number 5. + +Putting all that together, we get the following example: + +[source] +---- +MIPv6: Fix dissection of Service Selection Identifier + +APN field is not encoded as a dotted string so the first character is not a +length. Closes #10323. +---- + +[#ChSrcCodeRequirements] + +==== Code Requirements + +To ensure Wireshark’s code quality and to reduce friction in the code review process, there are some things you should consider before submitting a patch: + +.Follow the Wireshark source code style guide. +Wireshark runs on many platforms, and can be compiled with a number of different compilers. +It’s easy to write code that compiles on your machine, but doesn’t compile elsewhere. +The guidelines at <<ChCodeStyle>> describe the techniques and APIs that you can use to write high-quality, portable, and maintainable code in our environment. + +.Submit dissectors as built-in whenever possible. +Developing a new dissector as a plugin can make compiling and testing quicker, but it’s usually best to convert it to built-in before submitting for review. +This reduces the number of files that must be installed with Wireshark and ensures your dissector will be available on all platforms. + +Dissectors vary, so this is not a hard-and-fast rule. +Most dissectors are single C modules that can easily be put into “the big pile.” +Some (most notably ASN.1 dissectors) are generated using templates and configuration files. +Others are split across multiple source files and are often more suitable to be placed in a separate plugin directory. + +.Ensure that the Wireshark Git Pre-Commit Hook is in the repository. +In your local repository directory, there will be a __.git/hooks/__ directory, with sample git hooks for running automatic actions before and after git commands. +You can also optionally install other hooks that you find useful. + +In particular, the _pre-commit_ hook will run every time you commit a change and can be used to automatically check for various errors in your code. +The sample git pre-commit hook simply detects whitespace errors such as mixed tabs and spaces. +To install it just remove the .sample suffix from the existing _pre-commit.sample_ file. + +Wireshark provides a custom pre-commit hook which does additional Wireshark-specific API and formatting checks, but it might return false positives. +If you want to install it, copy the pre-commit file from the tools directory (`cp ./tools/pre-commit .git/hooks/`) and make sure it is executable or it will not be run. + +If the pre-commit hook is preventing you from committing what you believe is a valid change, you can run `git commit --no-verify` to skip running the hooks. +Warning: using --no-verify avoids the commit-msg hook, and thus if you have setup this hook it will not run. + +Additionally, if your system supports symbolic links, as all UNIX-like platforms do, you can use them instead of copying files. +Running `ln -s ../../tools/pre-commit .git/hooks` creates a symbolic link that will make the hook to be up-to-date with the current master. + +.Choose a compatible license. +Wireshark is released under the {spdx-license-url}GPL-2.0-or-later.html[GPL version 2 or later], and it is strongly recommended that incoming code use that license. +If that is not possible, it *must* use a compatible license. +The following licenses are currently allowed: + +* BSD {spdx-license-url}BSD-1-Clause.html[1], {spdx-license-url}BSD-2-Clause.html[2], {spdx-license-url}BSD-3-Clause.html[3] clause +* {spdx-license-url}ISC.html[ISC] +* {spdx-license-url}LGPL-2.0-or-later.html[LGPL v2 or later], including {spdx-license-url}LGPL-2.1-or-later.html[v2.1] +* {spdx-license-url}MIT.html[MIT] / {spdx-license-url}X11.html[X11] +* {wikipedia-main-url}Public_domain[Public domain] +* {spdx-license-url}Zlib.html[zlib/libpng] + +Notable incompatible licenses include {spdx-license-url}Apache-2.0.html[Apache 2.0], {spdx-license-url}GPL-3.0-or-later.html[GPL 3.0], and {spdx-license-url}LGPL-3.0-or-later.html[LGPL 3.0]. + +.Fuzz test your changes. +Fuzz testing is a very effective way of finding dissector related bugs. +In our case fuzzing involves making random changes to capture files and feeding them to TShark in order to try to make it crash or hang. +There are tools available to automatically do this on any number of input files. +See {wireshark-wiki-url}FuzzTesting for details. + +[#ChSrcUpload] + +//// +==== Uploading your changes + +When you're satisfied with your changes (and obtained any necessary +approval from your organization) you can upload them for review at +{wireshark-code-review-url}. This requires a GitLab account +as described at <<ChSrcGitRepository>>. + +You need to fork your repository which will became yours, and you will have write access to it. Once +you are done with your changes, push them to a branch of your choice (as snowcone-machine). Now in the +GitLab's UI a message will tell you that you created a new branch and a button to create a merge request. + + +[source,sh] +---- +$ git push https://gitlab.com/wireshark/<my.username>.git HEAD:<branchname> +---- + +The username `my.username` is the one which was given during registration with +the review system. + +You can push using any Git client. + +You might get one of the following responses to your patch request: + +* Your patch is checked into the repository. Congratulations! + +* You are asked to provide additional information, capture files, or other + material. If you haven't fuzzed your code, you may be asked to do so. + +* Your patch is rejected. You should get a response with the reason for + rejection. Common reasons include not following the style guide, buggy or + insecure code, and code that won't compile on other platforms. In each case + you'll have to fix each problem and upload another patch. + +* You don't get any response to your patch. Possible reason: All + the core developers are busy (e.g., with their day jobs or family or other commitments) and + haven't had time to look at your patch. Don't worry, if + your patch is in the review system it won't get lost. + +If you're concerned, feel free to add a comment to the patch or send an email +to the developer’s list asking for status. But please be patient: most if not +all of us do this in our spare time. +//// + +[#ChSrcBackport] +==== Backporting A Change + +:example-branch: master-3.2 +When a bug is fixed in the master branch it’s sometimes desirable or necessary to backport the fix to a release branch. +You can do this in Git by cherry-picking the change from one branch to another. +Suppose you want to backport change 1ab2c3d4 from the master branch to {example-branch}. +You can do so as follows: + +[source,sh,subs="attributes+"] +---- +# Create a new topic branch for the backport. +$ git checkout -b backport-1ab2c3d4 upstream/{example-branch} + +# Cherry-pick the change. Include a "cherry picked from..." line. +$ git cherry-pick -x 1ab2c3d4 + +# If there are conflicts, fix them. + +# Compile and test the change. +$ ninja +$ ... + +# OPTIONAL: Add entries to doc/release-notes.adoc. +$EDITOR doc/release-notes.adoc + +# If you made any changes, update your commit. +git commit --amend -a + +# Push the change to your working repository. +git push downstream HEAD +---- + +You can also cherry-pick changes in the https://docs.gitlab.com/ee/user/project/merge_requests/cherry_pick_changes.html[GitLab web UI]. + +//// +// XXX Is this relevant any more? +[#ChSrcPatchApply] +=== Apply a patch from someone else + +Sometimes you need to apply a patch to your private source tree. Maybe +because you want to try a patch from someone on the developer mailing +list, or you want to check your own patch before submitting. + + +.Beware line endings +[WARNING] +==== +If you have problems applying a patch, make sure the line endings (CR/LF) +of the patch and your source files match. +==== + +[#ChSrcPatchUse] +==== Using patch + +Given the file _new.diff_ containing a unified diff, +the right way to call the patch tool depends on what the pathnames in +_new.diff_ look like. +If they're relative to the top-level source directory (for example, if a +patch to _prefs.c_ just has _prefs.c_ as the file name) you’d run it as: + +[source,sh] +---- +$ patch -p0 < new.diff +---- + +If they're relative to a higher-level directory, you’d replace 0 with the +number of higher-level directories in the path, e.g. if the names are +_wireshark.orig/prefs.c_ and +_wireshark.mine/prefs.c_, you’d run it with: + +[source,sh] +---- +$ patch -p1 < new.diff +---- + +If they're relative to a _subdirectory_ of the top-level +directory, you’d run `patch` in _that_ directory and run it with `-p0`. + +If you run it without `-pat` all, the patch tool +flattens path names, so that if you +have a patch file with patches to _CMakeLists.txt_ and +_wiretap/CMakeLists.txt_, +it'll try to apply the first patch to the top-level +_CMakeLists.txt_ and then apply the +_wiretap/CMakeLists.txt_ patch to the top-level +_CMakeLists.txt_ as well. + +At which position in the filesystem should the patch tool be called? + +If the pathnames are relative to the top-level source directory, or to a +directory above that directory, you’d run it in the top-level source +directory. + +If they're relative to a *subdirectory* -- for example, +if somebody did a patch to _packet-ip.c_ and ran `diff` or `git diff` in +the _epan/dissectors_ directory -- you’d run it in that subdirectory. +It is preferred that people *not* submit patches like +that, especially if they're only patching files that exist in multiple +directories such as _CMakeLists.txt_. +//// + +[#ChSrcBinary] + +=== Binary Packaging + +Delivering binary packages makes it much easier for the end-users to +install Wireshark on their target system. This section will explain how +the binary packages are made. + +[#ChSrcVersioning] + +==== Packaging Guidelines + +The following guidelines should be followed by anyone creating and +distributing third-party Wireshark packages or redistributing official +Wireshark packages. + +[discrete] +===== Spelling And Capitalization + +Wireshark is spelled with a capital “W”, and with everything else lower +case. “WireShark” in particular is incorrect. + +[discrete] +===== Main URL + +The official Wireshark project URL is https://www.wireshark.org/. + +[discrete] +===== Download URLs + +Official packages are distributed on the main web server +(www.wireshark.org) and a +https://www.wireshark.org/download.html#spelunking[number of download +mirrors]. The canonical locations for packages are in the _all_versions_ +subdirectories on each server. + +For example, if your packaging system links to or downloads the +source tarball and you want to download from 1.na.dl.wireshark.org, +use + +https://1.na.dl.wireshark.org/download/src/all-versions/wireshark-{wireshark-version}.tar.xz + +instead of + +https://1.na.dl.wireshark.org/download/src/wireshark-{wireshark-version}.tar.xz + +[discrete] +===== Staying Current + +Wireshark releases are announced on the link:{wireshark-mailing-lists-url}[wireshark-announce] mailing list. +A https://appvisor.com/pad/[PAD] file is also published at https://www.wireshark.org/wireshark-pad.xml which contains the current stable version and release date. + +[discrete] +===== Artwork + +Logo and icon artwork can be found in the _image_ directory in the +distribution. This is available online at + +{wireshark-code-browse-url}/image + +[discrete] +===== Licensing + +Wireshark is released under the GNU General Public License version 2 or +later. Make sure you and your package comply with this license. + +[discrete] +===== Trademarks + +Wireshark and the “fin” logo are registered trademarks of the Wireshark +Foundation. Make sure you and your package comply with trademark law. + +[discrete] +===== Privileges + +All function calls that require elevated privileges are in dumpcap. + +WIRESHARK CONTAINS OVER THREE MILLION LINES OF SOURCE CODE. DO NOT RUN +THEM AS ROOT. + +Warnings are displayed when Wireshark and TShark are run as root. + +There are two <<ChToolsCMake,configure-time options>> on non-Windows +systems that affect the privileges a normal user needs to capture +traffic and list interfaces: + +-DDUMPCAP_INSTALL_OPTION=capabilities:: +Install dumpcap with cap_net_admin and cap_net_raw capabilities. Linux +only. + +-DDUMPCAP_INSTALL_OPTION=suid:: +Install dumpcap setuid root. + +These are necessary for non-root users to be able to capture on most +systems, e.g. on Linux or FreeBSD if the user doesn't have permissions +to access /dev/bpf*. Setcap installation is preferred over setuid on +Linux. If `-DDUMPCAP_INSTALL_OPTION=capabilities` is used it will +override any setuid settings. + +The `-DENABLE_CAP` option is only useful when dumpcap is installed +setuid. If it is enabled dumpcap will try to drop any setuid privileges +it may have while retaining the `CAP_NET_ADMIN` and `CAP_NET_RAW` +capabilities. It is enabled by default, if the Linux capabilities +library (on which it depends) is found. + +Note that enabling setcap or setuid installation allows packet capture +for ALL users on your system. If this is not desired, you can restrict +dumpcap execution to a specific group or user. The following two examples +show how to restrict access using setcap and setuid respectively: + +[source,sh] +---- +# groupadd -g packetcapture +# chmod 750 /usr/bin/dumpcap +# chgrp packetcapture /usr/bin/dumpcap +# setcap cap_net_raw,cap_net_admin+ep /usr/bin/dumpcap + +# groupadd -g packetcapture +# chgrp packetcapture /usr/bin/dumpcap +# chmod 4750 /usr/bin/dumpcap +---- + +[discrete] +===== Customization + +Custom version information can be added by running +`tools/make-version.py`. If your package contains significant changes we +recommend that you use this to differentiate it from official Wireshark +releases. + +[source, sh] +---- +tools/make-version.py --set-release --untagged-version-extra=-{vcsinfo}-FooCorp --tagged-version-extra=-FooCorp . +---- + +See `tools/make-version.py` for details. + +The Git version corresponding to each release is in _version.h_. It's +defined as a string. If you need a numeric definition, let us know. + +If you have a question not addressed here, please contact +{wireshark-dev-list-email}. + + +[#ChSrcDeb] + +==== Debian: .deb Packages + +The Debian Package is built using dpkg-buildpackage, based on information found in the source tree under _packaging/debian_. +You must create a top-level symbolic link to _packaging/debian_ before building. +See https://www.debian.org/doc/manuals/maint-guide/build.en.html for a more in-depth discussion of the build process. + + +In the wireshark directory, type: + +[source,sh] +---- +ln -snf packaging/debian +export DEB_BUILD_OPTIONS="nocheck" +dpkg-buildpackage -b -us -uc -jauto +---- + +to build the Debian Package. + +[#ChSrcRpm] + +==== Red Hat: .rpm Packages + +You can build an RPM package using the `wireshark_rpm` target. If you +are building from a git checkout, the package version is derived from +the current git HEAD. If you are building from source extracted from a +tarball created with `git archive` (such as those downloaded from +http://www.wireshark.org/download.html), you must place the original +tarball into your build directory. + +The package is built using https://rpm.org/[rpmbuild], which comes as +standard on many flavours of Linux, including Red Hat, Fedora, and +openSUSE. The process creates a clean build environment in +_$\{CMAKE_BINARY_DIR}/packaging/rpm/BUILD_ each time the RPM is built. +The settings that control the build are in +_$\{CMAKE_SOURCE_DIR}/packaging/rpm/wireshark.spec.in_. The generated +SPEC file contains CMake flags and other settings for the RPM build +environment. Many of these come from the parent CMake environment. +Notable ones are: + +* _prefix_ is set to _CMAKE_INSTALL_PREFIX_. By default this is + _/usr/local_. Pass `-DCMAKE_INSTALL_PREFIX=/usr` to create a package + that installs into _/usr_. + +* Whether or not to create the “wireshark-qt” package + (`-DBUILD_wireshark`). + +* Lua, c-ares, nghttp2, and other library support (`-DENABLE_...`). + +* Building with Ninja (`-G Ninja`). + +In your build directory, type: + +[source,sh] +---- +ninja wireshark_rpm +# ...or, if you're using GNU make... +make wireshark_rpm +---- + +to build the binary and source RPMs. When it is finished there will be a +message stating where the built RPM can be found. + +.This might take a while +[TIP] +==== +This creates a tarball, extracts it, compiles Wireshark, and constructs +a package. This can take quite a long time. You can speed up the process +by using Ninja. If you're using GNU make you can add the following to +your `~/.rpmmacros` file to enable parallel builds: + +---- +%_smp_mflags -j %(grep -c processor /proc/cpuinfo) +---- +==== + +Building the RPM package requires quite a few packages and libraries +including GLib, `gcc`, `flex`, Asciidoctor, and Qt development +tools such as `uic` and `moc`. The required Qt packages can usually be +obtained by installing the _qt5-devel_ package. For a complete list of +build requirements, look for the “BuildRequires” lines in +_packaging/rpm/wireshark.spec.in_. + +[#ChSrcOSX] + +==== macOS: .dmg Packages + +The macOS Package is built using macOS packaging tools, based on information found in the source tree under _packaging/macosx_. +It requires https://asciidoctor.org/[Asciidoctor] and https://pypi.org/project/dmgbuild/[dmgbuild]. + +In your build directory, type: + +[source,sh] +---- +ninja wireshark_dmg logray_dmg # (Modify as needed) +# ...or, if you're using GNU make... +make wireshark_dmg logray_dmg # (Modify as needed) +---- + +to build the macOS Packages. + +[#ChSrcNSIS] + +==== Windows: NSIS .exe Installer + +The _Nullsoft Install System_ is a free installer generator for Windows systems. +Instructions on installing it can be found in <<ChToolsNSIS>>. +NSIS is script based. You can find the main Wireshark installer generation script at _packaging/nsis/wireshark.nsi_. + +When building with CMake you must first build the _wireshark_nsis_prep_ target, followed by the _wireshark_nsis_ target, e.g. + +[source,cmd] +---- +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis.vcxproj +---- + +Splitting the packaging projects in this way allows for code signing. + +[TIP] +.This might take a while +==== +Please be patient while the package is compressed. +It might take some time, even on fast machines. +==== + +If everything went well, you will now find something like: +_wireshark-setup-{wireshark-version}.exe_ in +the _packaging/nsis_ directory in your build directory. + +[#ChSrcPortableApps] + +==== Windows: PortableApps .paf.exe Package + +_PortableApps.com_ is an environment that lets users run popular applications +from portable media such as flash drives and cloud drive services. + +* Install the _PortableApps.com Platform_. Install for “all users”, which +will place it in `C:\PortableApps`. + + +* Add the following apps: + +** PortableApps.com Installer +** PortableApps.com Launcher + +When building with CMake you must first build the _wireshark_nsis_prep_ target +(which takes care of general packaging dependencies), followed by the +_wireshark_portableapps_ target, e.g. + +[source,cmd] +---- +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_portableapps.vcxproj +---- + +[TIP] +.This might take a while +==== +Please be patient while the package is compressed. +It might take some time, even on fast machines. +==== + +If everything went well, you will now find something like: +_WiresharkPortable64{underscore}{wireshark-version}.paf.exe_ in +the _packaging/portableapps_ directory. + +[#ChSrcMimeTypes] + +=== Mime Types + +Wireshark uses various mime-types for dragging dropping as well as file formats. +This chapter gives an overview over all the mimetypes being used, as well as the +data format in which data has to be provided for each individual mimetype. + +If not otherwise stated, the data is encoded as a JSON Object. + +==== Display Filter + +**MimeType**: application/vnd.wireshark.displayfilter + +Display filters are being dragged and dropped by utilizing this mime type. + +[source,json] +---- +{ + "filter": "udp.port == 8080", + "field": "udp.port", + "description": "UDP Port" +} +---- + +==== Coloring Rules + +**MimeType**: application/vnd.wireshark.coloringrules + +Coloring Rules are being used for dragging and dropping color rules inside the +coloring rules dialog. + +[source,json] +---- +{ + "coloringrules" : + [ + { + "disabled": false, + "name": "UDP Ports for 8080", + "filter": "udp.port == 8080", + "foreground": "[0x0000, 0x0000, 0x0000]", + "background": "[0xFFFF, 0xFFFF, 0xFFFF]" + } + ] +} +---- + +==== Filter List + +**MimeType**: application/vnd.wireshark.filterlist + +*_Internal Use only_* - used on the filter list for moving entries within the +list + +==== Column List + +**MimeType**: application/vnd.wireshark.columnlist + +*_Internal Use only_* - used on the column list for moving entries within the +list + + +// End of WSDG Chapter Sources + +// vim: set syntax=asciidoc: diff --git a/doc/wsdg_src/wsdg_tests.adoc b/doc/wsdg_src/wsdg_tests.adoc new file mode 100644 index 00000000..a9435ca7 --- /dev/null +++ b/doc/wsdg_src/wsdg_tests.adoc @@ -0,0 +1,298 @@ +// WSDG Chapter Tests + +[#ChapterTests] +== Wireshark Tests + +The Wireshark sources include a collection of Python scripts that test +the features of Wireshark, TShark, Dumpcap, and other programs that +accompany Wireshark. These are located in the `test` directory of the +Wireshark source tree. + +The command line options of Wireshark and its companion command line +tools are numerous. These tests help to ensure that we don't introduce +bugs as Wireshark grows and evolves. + +[#TestsQuickStart] +=== Quick Start + +The recommended steps to prepare for and run tests with a UN*X toolchain: + +* Install two Python packages, pytest: `pip install pytest pytest-xdist` +* Build programs (“wireshark”, “tshark”, etc.): `ninja` +* Build additional programs for the “unittests” suite: `ninja test-programs` +* Run tests in the build directory: `pytest` + +Replace `ninja` by `make` as needed. + +If building with <<#ChWindowsBuild,Microsoft Visual Studio>> the analogous steps are: + +* Install pytest Python packages: `python -m pip install pytest pytest-xdist` +* Build programs: `msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln` +* Build test-programs: `msbuild /m /p:Configuration=RelWithDebInfo test-programs.vcxproj` +* Run tests: `python -m pytest` + +TIP: Depending on your PATH, you may need to run the pytest module as a +script from your Python interpreter, e.g, `python -m pytest` or +`python3 -m pytest` instead of `pytest`. + +The test suite will attempt to test as much as possible and skip tests +when its dependencies are not satisfied. For example, packet capture +tests require a Loopback interface and capture privileges. To avoid +capture tests, pass the `--disable-capture` option. + +List available tests with `pytest --collectonly`. Enable verbose output +with `pytest --verbose`. For more details, see <<ChTestsRun>>. + +You can also run the "ninja test" target instead of invoking pytest +directly. This will automatically build the test programs dependency, +so it may be preferred for that reason. + +[#ChTestsStructure] +=== Test suite structure + +The following sections describes how the test suite is organized. + +[#TestCoverage] +==== Test Coverage And Availability + +The testing framework can run programs and check their stdout, stderr, +and exit codes. It cannot interact with the Wireshark UI. Tests cover +capture, command line options, decryption, file format support and +conversion, Lua scripting, and other functionality. + +Available tests depend on the libraries with which Wireshark was built. +For example, some decryption tests depend on a minimum version of +Libgcrypt and Lua tests depend on Lua. + +Capture tests depend on the permissions of the user running the test +script. We assume that the test user has capture permissions on Windows +and macOS and capture tests are enabled by default on those platforms. + +TIP: Build the "test-capture" target on Linux (using sudo) to set dumpcap +permissions and enable capture tests. + +If a feature is unavailable, the test will be skipped. For example, if +an old version of Libgcrypt is in use, then some decryption tests will +be skipped while other tests can still run to completion. + +[#TestsLayout] +==== Suites, Cases, and Tests + +The test suite uses pytest as a test runner. Tests are organized according to +suites, cases, and individual tests. Suites correspond to Python modules +that match the pattern “suite_*.py”. Cases correspond to one or more +classes in each module, and case class methods matching the pattern +”test_*” correspond to individual tests. For example, the invalid +capture filter test in the TShark capture command line options test case +in the command line options suite has the ID +“suite_clopts.py::TestTsharkCaptureClopts::test_tshark_invalid_capfilter”. + +[#TestsPytest] +==== pytest fixtures + +A test has typically additional dependencies, like the path to an +executable, the path to a capture file, a configuration directory, the +availability of an optional library, and so on. + +https://pytest.org/[pytest] is a test framework which has full +parallelization support (test-level instead of just suite-level), +provides nice test reports, and allows +https://docs.pytest.org/en/latest/fixture.html[modular fixtures]. + +A fixture is a function decorated with `@pytest.fixture` and can +either call `pytest.skip("reason")` to skip tests that depend on the +fixture, or return/yield a value. +Test functions (and other fixture functions) can receive the fixture +value by using the name of the fixture function as function parameters. +Common fixtures are available in `fixtures_ws.py` and includes +`cmd_tshark` for the path to the `tshark` executable and `capture_file` +for a factory function that produces the path to a capture file. + +[#ChTestsRun] +=== Listing And Running Tests + +Tests are run with https://pytest.org/[pytest]. Pytest features versus the +"unittest" standard library module include finer +test selection, full parallelism, nicer test execution summaries, better output +in case of failures (containing the contents of variables) and the ability to +open the PDB debugger on failing tests. + +To get started, install pytest 3.0 or newer and +https://pypi.org/project/pytest-xdist/[pytest-xdist]: + +[source,sh] +---- +# Install required packages on Ubuntu 18.04 or Debian jessie-backports +$ sudo apt install python3-pytest python3-pytest-xdist + +# Install required packages on other systems +$ pip install pytest pytest-xdist +---- + +Run `pytest` in the Wireshark build directory, Wireshark binaries are assumed to +be present in the `run` subdirectory (or `run\RelWithDebInfo` on Windows). + +[source,sh] +---- +# Run all tests +$ cd /path/to/wireshark/build +$ pytest + +# Run all except capture tests +$ pytest --disable-capture + +# Run all tests with "decryption" in its name +$ pytest -k decryption + +# Run all tests with an explicit path to the Wireshark executables +$ pytest --program-path /path/to/wireshark/build/run +---- + +To list tests without actually executing them, use the `--collect-only` option: + +[source,sh] +---- +# List all tests +$ pytest --collect-only + +# List only tests containing both "dfilter" and "tvb" +$ pytest --collect-only -k "dfilter and tvb" +---- + +The test suite will fail tests when programs are missing. When only a +subset of programs are built or when some programs are disabled, then +the test suite can be instructed to skip instead of fail tests: + +[source,sh] +---- +# Run tests when libpcap support is disabled (-DENABLE_PCAP=OFF) +$ pytest --skip-missing-programs dumpcap,rawshark + +# Run tests and ignore all tests with missing program dependencies +$ pytest --skip-missing-programs all +---- + +To open a Python debugger (PDB) on failing tests, use the `--pdb` option and +disable parallelism with the `-n0` option: + +[source,sh] +---- +# Run decryption tests sequentially and open a debugger on failing tests +$ pytest -n0 --pdb -k decryption +---- + +[#ChTestsDevelop] +=== Adding Or Modifying Tests + +Tests must be in a Python module whose name matches “suite_*.py”. The +module must contain one or more subclasses with a name starting with +"Test" something, for example "class TestDissectionHttp2:". Each test case +method whose name starts with “test_” constitutes an individual test. + +Success or failure conditions are signalled using regular assertions +with the "assert" Python keyword. + +Test dependencies (such as programs, directories, or the environment +variables) are injected through method parameters. Commonly used +fixtures include `cmd_tshark` and `capture_file`. + +Processes (tshark, capinfos, etc.) are run using the "subprocess" Python module, +or the Wireshark `subprocesstest` module with some convenience functions. +Possible functions include `subprocesstest.run()`, `subprocesstest.check_run()` +or creating `subprocess.Popen` object if the utility functions are not sufficient for some reason. +Usually this is only required if two-way communication is performed with +the child process. `subprocesstest.check_run()` is exactly the same as +calling `subprocesstest.run()` with `check=True` as an argument, only +a bit more expressive. + +Check the documentation for the Python subprocess module for a full description +of the arguments available to the `subprocesstest.run()` convenience wrapper +and the `subprocess.Popen` object. + +All of the current tests run one or more of Wireshark's suite of +executables and either check their return code or their output. A +simple example is “suite_clopts.py::TestBasicClopts::test_existing_file”, +which reads a capture file using TShark and checks its exit code. + +[source,python] +---- +import subprocesstest +import pytest + +class TestBasicClopts: + def test_existing_file(self, cmd_tshark, capture_file, test_env): + subprocess.check_run((cmd_tshark, '-r', capture_file('dhcp.pcap')), env=test_env) +---- + +Output can be checked using `assert subprocesstest.grep_output()`, +`assert subprocesstest.count_output()` or any other `assert` statement. +`subprocesstest.check_run()` also asserts that the child process returns +the value 0 as exit code. + +[source,python] +---- +import subprocesstest +import pytest + +class TestDecrypt80211: + def test_80211_wpa_psk(self, cmd_tshark, capture_file, test_env): + tshark_proc = subprocesstest.run((cmd_tshark, + '-o', 'wlan.enable_decryption: TRUE', + '-Tfields', + '-e', 'http.request.uri', + '-r', capture_file('wpa-Induction.pcap.gz'), + '-Y', 'http', + ), capture_output=True, env=test_env) + assert 'favicon.ico' in tshark_proc.stdout +---- + +Tests can be run in parallel. This means that any files you create must +be unique for each test. Filenames based on the current test name are +generated using fixtures such as "capture_file" and "result_file". By default +pytest generates paths in the system's temporary directory and the last three +pytest runs are kept. Temporary files from older runs are automatically deleted. + +[#ChTestsExternal] +=== External Tests + +You can create your own Python test files outside of the Wireshark source tree. +To include your tests when running the Wireshark test suite, simply add the +directory containing your test files to the `pytest` command line. Note that +filenames must match the same conventions as discussed above. + +In order for your tests to have access to the Wireshark test fixtures, you will +need this line in each test file: + +[source,python] +---- +from fixtures_ws import * +---- + +[#ChTestsExtFixtures] +==== Custom Fixtures + +You may wish to define your own test fixtures -- for example, a fixture similar +to `capture_file` but which gives the path to a file in your external test +directory. Here is an example Python file containing such a fixture. It presumes +a subdirectory named `extra_captures` which exists in the same directory, and +which contains your extra capture files. + +[source,python] +---- +# my_fixtures.py +# To use in your own tests, import like so: +# from my_fixtures import * + +from pathlib import Path +import pytest + +@pytest.fixture(scope='session') +def extra_file(): + def resolver(filename): + return Path(__file__).parent.joinpath("extra_captures", filename) + return resolver +---- + +NOTE: If you give your fixture the same name as an existing Wireshark fixture, +any tests using your fixture library will lose access to the Wireshark fixture +of the same name. This can lead to confusing behavior and is not recommended. diff --git a/doc/wsdg_src/wsdg_tools.adoc b/doc/wsdg_src/wsdg_tools.adoc new file mode 100644 index 00000000..09f1b576 --- /dev/null +++ b/doc/wsdg_src/wsdg_tools.adoc @@ -0,0 +1,1041 @@ +// WSDG Chapter Tools + +[#ChapterTools] + +== Tool Reference + +[#ChToolsIntro] + +=== Introduction + +This chapter will provide you with information about the various tools +needed for Wireshark development. None of the tools mentioned in this +chapter are needed to run Wireshark. They are only needed to build it. + +Most of these tools have their roots on UNIX or UNIX-like platforms such +as Linux, but Windows ports are also available. Therefore the tools are +available in different "flavours": + +* UNIX and UNIX-like platforms: The tools should be commonly available + on the supported UNIX and UNIX-like platforms. Cygwin is unsupported. +* Windows native: Some tools are available as native Windows tools, no + special emulation is required. Many of these tools can be installed + (and updated) using https://chocolatey.org[Chocolatey], a Windows + package manager similar to the Linux package managers apt-get or yum. + +[WARNING] +.Follow the directions +==== +Unless you know exactly what you are doing, you should strictly follow the recommendations given in <<ChapterSetup>>. +==== + +The following sections give a very brief description of +what a particular tool is doing, how it is used in the +Wireshark project and how it can be installed and +tested. + +Documentation for these tools is outside the scope of this document. If you need +further information on using a specific tool you should find lots of useful +information on the web, as these tools are commonly used. You can also get help +for the UNIX based tools with `**toolname** --help` or the man page via `man +**toolname**`. + +You will find explanations of the tool usage for some of the specific +development tasks in <<ChapterSources>>. + +[#ChToolsChocolatey] +=== Chocolatey + +Chocolatey is a Windows package manager that can be used to install (and update) +many of the packages required for Wireshark development. Chocolatey can be +obtained from the https://chocolatey.org[website] or from a Command Prompt: + +[source,cmd] +---- +C:\>@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString(_https://chocolatey.org/install.ps1_))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin +---- + +or a Powershell prompt: + +[source,cmd] +---- +PS:\>iex ((new-object net.webclient).DownloadString(_https://chocolatey.org/install.ps1_)) +---- + +Chocolatey sometimes installs packages in unexpected locations. Python +is a notable example. While it's typically installed in a top-level +directory, e.g. _C:\Python37_ or in %PROGRAMFILES%, e.g. _C:\Program +Files\Python37_, Chocolatey tends to install it under +_C:\ProgramData\chocolatey_ or _C:\Tools_. If you want to avoid this +behavior you'll probably want to install Python using the packages from +python.org. + +Other package managers for Windows include the https://docs.microsoft.com/en-us/windows/package-manager/[Windows Package Manager (winget)] and https://scoop.sh/[Scoop]. +As of January 2022 neither option provides all of the packages we require, but that might change in the future. + +[#ChToolsCMake] + +=== CMake + +Wireshark’s build environment can be configured using CMake on various UNIX-like platforms, including Linux, macOS, and *BSD, and on Windows. +CMake is designed to support out-of-tree builds - so much so that in-tree builds do not work properly in all cases. +Along with being cross-platform, CMake supports many build tools and environments including traditional make, Ninja, and MSBuild. + +Building with CMake typically includes creating a build directory and +specifying a *generator*, aka a build tool. For example, to build +Wireshark using Ninja in the directory _wireshark-ninja_ you might +run the following commands: + +[source,sh] +---- +# Starting from your Wireshark source directory, create a build directory +# alongside it. +$ cd .. +$ mkdir wireshark-ninja +$ cd wireshark-ninja +# Assumes your source directory is named "wireshark". +$ cmake -G Ninja ../wireshark +$ ninja (or cmake --build .) +---- + +Using CMake on Windows is described further in <<ChWindowsGenerate>>. + +Along with specifying a generator with the `-G` flag you can set variables +using the `-D` flag. Useful variables and generators include the following: + +-DBUILD_wireshark=OFF:: Don't build the Wireshark GUI application. +Each command line utility has its own BUILD_xxx flag as well. For +example, you can use -DBUILD_mmdbresolve=OFF to disable mmdbresolve. + +-DENABLE_CCACHE=ON:: Build using the ccache compiler cache. + +-DENABLE_CAP=OFF:: Disable the POSIX capabilities check + +-DCMAKE_BUILD_TYPE=Debug:: Enable debugging symbols + +-DCARES_INCLUDE_DIR=/your/custom/cares/include, -DCARES_LIBRARY=/your/custom/cares/lib/libcares.so:: +Let you set the path to a locally-compiled version of c-ares. Most +optional libraries have xxx_INCLUDE_DIR and xxx_LIB flags that let you +control their discovery. + +-DCMAKE_OSX_DEPLOYMENT_TARGET=10.12:: +Specify the minimum macOS version for Wireshark and each command line utility. +Note that this doesn’t affect the minimum target for third-party libraries. +For example, if you’re building for macOS 10.12 you’ll need to install https://doc.qt.io/archives/qt-5.13/supported-platforms.html[Qt 5.14 or earlier] and ensure that other libraries support macOS 10.12, for example by running `tools/macos-setup.sh -t 10.12`. + +-DENABLE_APPLICATION_BUNDLE=OFF:: Disable building an application bundle (Wireshark.app) on macOS + +You can list all build variables (with help) by running `cmake -LH [options] +../<Name_of_WS_source_dir>`. This lists the cache of build variables +after the cmake run. To only view the current cache, add option `-N`. + +Depending on your needs, it might be useful to save your CMake configuration options in a file outside your build directory. +CMake supports this via its https://cmake.org/cmake/help/v3.23/manual/cmake-presets.7.html[presets] option. +For example, adding the following to `CMakeUserPresets.json` would let you build using Ninja in the `build` directory, enable ccache, and set a custom Qt directory by running `cmake --preset mydev`: + +[source,json] +---- +{ + "version": 4, + "configurePresets": [ + { + "name": "mydev", + "displayName": "Local development", + "generator": "Ninja", + "binaryDir": "${sourceDir}/build", + "cacheVariables": { + "ENABLE_CCACHE": "ON" + }, + "environment": { + "CMAKE_PREFIX_PATH": "/usr/local/Qt6" + } + } + ] +} +---- + +After running cmake, you can always run `make help` to see a list of all possible make targets. + +Note that CMake honors user umask for creating directories as of now. You should set +the umask explicitly before running the `install` target. + +CMake links: + +The home page of the CMake project: https://cmake.org/ + +Official documentation: https://cmake.org/documentation/ + +About CMake in general and why KDE4 uses it: https://lwn.net/Articles/188693/ + +Useful variables: https://gitlab.kitware.com/cmake/community/wikis/doc/cmake/Useful-Variables + +Frequently Asked Questions: https://gitlab.kitware.com/cmake/community/wikis/FAQ + +[#ChToolsGNUChain] + +=== GNU Compiler Toolchain (UNIX And UNIX-like Platforms) + +[#ChToolsGCC] + +==== gcc (GNU Compiler Collection) + +The GCC C compiler is available for most UNIX and UNIX-like operating +systems. + +If GCC isn't already installed or available +as a package for your platform, you can get it at: +https://gcc.gnu.org/[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ gcc --version +---- + +should result in something like + +---- +gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1 +Copyright (C) 2014 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +---- + +Your version string may vary, of course. + +[#ChToolsGDB] + +==== gdb (GNU Project Debugger) + +GDB is the debugger for the GCC compiler. It is +available for many (if not all) UNIX-like platforms. + +If you don't like debugging using the command line, many +https://sourceware.org/gdb/wiki/GDB%20Front%20Ends[GUI frontends for it +available], including Qt Creator, CLion, and Eclipse. + +If gdb isn't already installed or available +as a package for your platform, you can get it at: +https://www.gnu.org/software/gdb/gdb.html[]. + +After correct installation: + +[source,sh] +---- +$ gdb --version +---- + +should result in something like: + +---- +GNU gdb (GDB) 8.3 +Copyright (C) 2019 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +---- + +Your version string may vary, of course. + +[#ChToolsGNUmake] + +==== make (GNU Make) + +[NOTE] +.GNU make isn't supported either for Windows + +GNU Make is available for most of the UNIX-like +platforms. + +If GNU Make isn't already installed or +available as a package for your platform, you can get it at: +https://www.gnu.org/software/make/[]. + +After correct installation: + +[source,sh] +---- +$ make --version +---- + +should result in something like: + +---- +GNU Make 4.0 +Built for x86_64-pc-linux-gnu +Copyright (C) 1988-2013 Free Software Foundation, Inc. +Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +---- + +Your version string may vary, of course. + +==== Ninja + +Ninja is an alternative to make, and is available for many of the +UNIX-like platforms. It runs builds faster than make does. + +It is designed to have its build files generated by tools such as CMake; +to generate build files for Ninja, run CMake with the `-G Ninja` flag. + +If Ninja isn't already installed, see the list of suggestions for Ninja +packages at: +https://github.com/ninja-build/ninja/wiki/Pre-built-Ninja-packages. + +If Ninja isn't already installed and isn't +available as a package for your platform, you can get it from: +https://ninja-build.org. You can download the source code or binaries +for Linux, macOS, and Windows (we have not tested Ninja on Windows). + +[#ChToolsMSChain] + +=== Microsoft compiler toolchain (Windows native) + +To compile Wireshark on Windows using the Microsoft C/{cpp} +compiler (MSVC), you'll need: + +. C compiler (_cl.exe_) + +. Assembler (_ml.exe_ for 32-bit targets and _ml64.exe_ for 64-bit targets) + +. Linker (_link.exe_) + +. Resource Compiler (_rc.exe_) + +. C runtime headers and libraries (e.g. _stdio.h_, _vcruntime140.lib_) + +. Windows platform headers and libraries (e.g. +_windows.h_, _WS2_32.lib_) + +==== Official Toolchain Packages And Alternatives + +Official releases are or were built with the following Visual {cpp} versions: + +* Wireshark 4.2.x: Microsoft Visual {cpp} 2022. +* Wireshark 4.0.x: Microsoft Visual {cpp} 2022. +* Wireshark 3.6.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.4.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.2.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.0.x: Microsoft Visual {cpp} 2017. +* Wireshark 2.6.x: Microsoft Visual {cpp} 2017. +* Wireshark 2.4.x: Microsoft Visual {cpp} 2015. +* Wireshark 2.2.x: Microsoft Visual {cpp} 2013. +* Wireshark 2.0.x: Microsoft Visual {cpp} 2013. +* Wireshark 1.12.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.10.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.8.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.6.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.4.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.2.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.0.x and earlier: Microsoft Visual {cpp} 6.0. + +Using the release compilers is recommended for Wireshark development work. + +“Community” editions of Visual Studio such as “Visual Studio Community +2022” can be used to compile Wireshark but any PortableApps packages you +create with them might require the installation of a separate Visual +{cpp} Redistributable package on any machine on which the PortableApps +package is to be used. See <<msvc-runtime-redistributable>> below for +more details. + +However, you might already have a different Microsoft {cpp} compiler +installed. It should be possible to use any of the following with the +considerations listed. You will need to sign up for a +https://visualstudio.microsoft.com/dev-essentials/[Visual Studio Dev +Essentials] account if you don't have a Visual Studio (MSDN) +subscription. The older versions can be downloaded from +https://visualstudio.microsoft.com/vs/older-downloads/[]. + +==== Visual {cpp} 2022 Community Edition + +IDE + Debugger?:: Yes + +SDK required for 64-bit builds?:: No + +CMake Generator: *`Visual Studio 17`* + +You can use Chocolatey to install Visual Studio, e.g: + +[source,cmd] +---- +PS:\> choco install visualstudiocommunity2022 visualstudio2022-workload-nativedesktop +---- + +If you wish to build Arm64 executables you must install the following components: + +Microsoft.VisualStudio.Component.VC.Tools.ARM64:: MSVC v143 - VS 2022 C++ ARM64/ARM64EC build tools (Latest) + +Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre:: MSVC v143 - VS 2022 C++ ARM64/ARM64EC Spectre-mitigated libs (Latest) + +==== cl.exe (C Compiler) + +The following table gives an overview of the possible +Microsoft toolchain variants and their specific C compiler +versions ordered by release date. + +|=== +| Compiler Package | V{cpp} | _MSC_VER +| Visual Studio 2022 (17.4.2) | 14.34 | 1934 +|=== + +A description of `_MSC_VER` and `_MSC_FULL_VER`, and their relation to Visual Studio and compiler versions, +can be found at +https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170[Microsoft-specific predefined macros]. + +Information on the V{cpp} version can be found in the file _wsutil/version_info.c_. + +After correct installation of the toolchain, typing +at the Visual Studio Command line prompt (cmd.exe): + +[source,cmd] +---- +> cl +---- + +should result in something like: + +---- +Microsoft (R) C/C++ Optimizing Compiler Version 19.23.28106.4 for x64 +Copyright (C) Microsoft Corporation. All rights reserved. + +usage: cl [ option... ] filename... [ /link linkoption... ] +---- + +However, the version string may vary. + +Documentation on recent versions of the compiler can be found at +https://docs.microsoft.com/en-us/cpp/build/reference/compiling-a-c-cpp-program[Microsoft Docs] + +==== link.exe (Linker) + +After correct installation, typing at the Visual Studio Command line prompt (cmd.exe): + +[source,cmd] +---- +> link +---- + +should result in something like: + +---- +Microsoft (R) Incremental Linker Version 14.23.28106.4 +Copyright (C) Microsoft Corporation. All rights reserved. + + usage: LINK [options] [files] [@commandfile] + ... +---- + +However, the version string may vary. + +Documentation on recent versions of the linker can be found at +https://docs.microsoft.com/en-us/cpp/build/reference/linking[Microsoft Docs] + +[#msvc-runtime-redistributable] + +==== Visual {cpp} Runtime “Redistributable” Files + +Please note: The following is not legal advice. Ask your preferred +lawyer instead. It’s the authors view and this view might be wrong. + +Wireshark and its libraries depend on POSIX functions such as fopen() +and malloc(). On Windows, these functions are provided by the Microsoft +Visual {cpp} C Runtime (CRT). There are many different versions of the CRT and +Visual {cpp} 2015 and later use the _Universal CRT_ (UCRT). + +The Universal CRT comes standard with Windows 10 and is installed as part +of Windows Update on earlier versions of Windows. The Wireshark .exe +installers include redistributables (_vc_redist.x64.exe_ or +_vc_redist.x86.exe_) which ensure that the Universal CRT is installed and +up to date. + +[NOTE] +.Make sure you're allowed to distribute this file +==== +The files to redistribute must be mentioned in the +redist.txt file of the compiler package. Otherwise it +can't be legally redistributed by third parties like +us. +==== + +The following Microsoft Docs link is recommended for the +interested reader: + +https://docs.microsoft.com/en-us/cpp/windows/redistributing-visual-cpp-files[Redistributing Visual {cpp} Files] + +In all cases where _vc_redist.x64.exe_ or _vc_redist.x86.exe_ is +downloaded it should be downloaded to the directory into which the +support libraries for Wireshark have been downloaded and installed. This +directory is specified by the `WIRESHARK_BASE_DIR` or +`WIRESHARK_LIB_DIR` environment variables. It need not, and should not, +be run after being downloaded. + +==== Windows Platform SDK + +The Windows Platform SDK (PSDK) or Windows SDK is a free +(as in beer) download and contains platform specific headers and +libraries (e.g. _windows.h_, _WSock32.lib_, etc.). As new Windows +features evolve in time, updated SDKs become available that +include new and updated APIs. + +When you purchase a commercial Visual Studio or use the Community +Edition, it will include an SDK. + +[#ChToolsDocumentationToolchain] +=== Documentation Toolchain + +Wireshark’s documentation is split across two directories. +The `doc` directory contains man pages, User’s Guide, Developer’s Guide, and the release notes, which are written in Asciidoctor markup. + +Our various output formats are generated using the following tools. +Intermediate formats are in _italics_. + +Man page roff:: Asciidoctor +Man page HTML:: Asciidoctor + +Guide HTML:: Asciidoctor → _DocBook XML_ → xsltproc + DocBook XSL +Guide PDF:: Asciidoctor + +Release notes HTML:: Asciidoctor +Release notes text:: Asciidoctor → _HTML_ → html2text.py + +==== Asciidoctor + +https://asciidoctor.org/[Asciidoctor] comes in several flavors: a Ruby gem (Asciidoctor), a Java bundle (AsciidoctorJ), and transpiled JavaScript (Asciidoctor.js). +The Ruby and Java flavors can be used to build Wireshark’s documentation, but the JavaScript flavor doesn’t support all of the features that we require. +// We need docbook5, PDF & EPUB output and macros + +The guides and release notes were originally written in DocBook (hence the directory name). +They were later converted to AsciiDoc and then migrated to Asciidoctor. +The man pages were originally in Perl’s POD (Plain Old Documentation) format and were later converted to Asciidoctor. +We use Asciidoctor’s modern (>= 1.5.0) syntax. + +PDF output requires Asciidoctor’s PDF backend. +It is included with AsciidoctorJ but _not_ with Asciidoctor. + +==== DocBook XML and XSL + +Converting from DocBook to HTML requires the DocBook DTD +(http://www.sagehill.net/docbookxsl/ToolsSetup.html) +and DocBook stylesheets +(http://www.sagehill.net/docbookxsl/InstallStylesheets.html). +These are available via installable packages on most Linux distributions, Chocolatey, and Homebrew. + +==== xsltproc + +http://xmlsoft.org/xslt/[xsltproc] converts DocBook XML to various formats based on XSL stylesheets. +It either ships as part of the operating system or is available via an installable package on most Linux distributions, Chocolatey, and Homebrew. + +[#ChToolsDebugger] + +=== Debugger + +Using a good debugger can save you a lot of development time. + +The debugger you use must match the C compiler Wireshark was compiled with, +otherwise the debugger will simply fail or you will only see a lot of garbage. + +[#ChToolsMSVCDebugger] + +==== Visual Studio Integrated Debugger + +You can use the integrated debugger of Visual Studio if your toolchain includes +it. Open the solution in your build directory and build and debug as normal +with a Visual Studio solution. + +To set the correct paths for Visual Studio when running Wireshark under the +debugger, add the build output directory to the path before opening Visual +Studio from the same command prompt, e.g. + +[source,cmd] +---- +C:\Development\wsbuild64>set PATH="%PATH%;C:\Development\wsbuild64\run\RelwithDebInfo" +C:\Development\wsbuild64>wireshark.sln +---- + +for PowerShell use + +[source,cmd] +---- +PS C:\Development\wsbuild64>$env:PATH += ";$(Convert-Path run\RelWithDebInfo)" +PS C:\Development\wsbuild64>wireshark.sln +---- + +When Visual Studio has finished loading the solution, set the executable to +be run in the debugger, e.g. Executables\Wireshark, by right clicking it in +the Solution Explorer window and selecting "Set as StartUp Project". Also +set the Solution Configuration (usually RelWithDebInfo) from the droplist on +the toolbar. + +NOTE: Currently Visual Studio regards a command line build as incomplete, so +will report that some items need to be built when starting the debugger. These +can either be rebuilt or ignored as you wish. + + +The normal build is an optimised release version so debugging can be a bit +difficult as variables are optimised out into registers and the execution +order of statements can jump around. + +If you require a non-optimised version, then build using a debug configuration. + +[#ChToolsMSDebuggingTools] + +==== Debugging Tools For Windows + +You can also use the Microsoft Debugging Tools for Windows toolkit, which is a +standalone GUI debugger. Although it’s not that comfortable compared to +debugging with the Visual Studio integrated debugger it can be helpful if you +have to debug on a machine where an integrated debugger is not available. + +You can get it free of charge from Microsoft in several ways, see the +https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/[Debugging tools for Windows] page. + +You can also use Chocolatey to install WinDbg: + +[source,cmd] +---- +PS:\> choco install windbg +---- + +To debug Wireshark using WinDbg, open the built copy of Wireshark using +the File -> Open Executable... menu, +i.e. C:\Development\wsbuild64\run\RelWithDebInfo\Wireshark.exe. To set a +breakpoint open the required source file using the File -> Open Source File... +menu and then click on the required line and press F9. To run the program, +press F5. + +If you require a non-optimised version, then build using a debug configuration, e.g. +*`msbuild /m /p:Configuration=Debug Wireshark.sln`*. The build products will be found +in C:\Development\wsbuild64\run\Debug\. + +[#ChToolsBash] + +=== bash + +The bash shell is needed to run several shell scripts. + +[#ChToolsGNUBash] + +[discrete] +==== Unix + +Bash (the GNU Bourne-Again SHell) is available for most UNIX and +UNIX-like platforms. If it isn't already installed or available as a +package for your platform, you can get it at +https://www.gnu.org/software/bash/bash.html[]. + +After correct installation, typing at the bash command line prompt: + +[source,sh] +---- +$ bash --version +---- + +should result in something like: + +---- +GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu) +Copyright (C) 2016 Free Software Foundation, Inc. +---- + +Your version string will likely vary. + +[#ChToolsPython] + +=== Python + +https://python.org/[Python] is an interpreted programming language. +It is used to generate some source files, documentation, testing and other tasks. +Python 3.6 and later is required. +Python 2 is no longer supported. + +Python is either included or available as a package on most UNIX-like platforms. +Windows packages and source are available at https://python.org/download/[]. + +You can also use Chocolatey to install Python: + +[source,cmd] +---- +PS:\> choco install python3 +---- + +Chocolatey installs Python into _C:\Python37_ by +default. You can verify your Python version by running + +[source,sh] +---- +$ python3 --version +---- + +on UNIX-like platforms and + +[source,cmd] +---- +rem Official package +C:> cd python35 +C:Python35> python --version + +rem Chocolatey +C:> cd \tools\python3 +C:\tools\python3> python --version +---- + +on Windows. You should see something like + +---- +Python 3.5.1 +---- + +Your version string may vary of course. + +[#ChToolsFlex] + +=== Flex + +Flex is a lexical analyzer generator used for Wireshark’s display filters, some +file formats, and other features. + +[#ChToolsUnixFlex] + +[discrete] +==== Unix + +Flex is available for most UNIX and UNIX-like platforms. See the next +section for native Windows options. + +If GNU flex isn't already installed or available as a package for your platform +you can get it at https://www.gnu.org/software/flex/[]. + +After correct installation running the following + +[source,sh] +---- +$ flex --version +---- + +should result in something like: + +---- +flex version 2.5.4 +---- + +Your version string may vary. + +[#ChToolsWindowsFlex] + +[discrete] +==== Windows + +A native Windows version of flex is available in the _winflexbison3_ +https://chocolatey.org/[Chocolatey] package. Note that the executable is named +_win_flex_. + +[source,cmd] +---- +PS:\> choco install winflexbison3 +---- + +Native packages are available from other sources such as +http://gnuwin32.sourceforge.net/packages/flex.htm[GnuWin]. They aren't +officially supported but _should_ work. + +[#ChToolsGit] + +=== Git client + +The Wireshark project uses its own Git repository to keep track of all +the changes done to the source code. Details about the usage of Git in +the Wireshark project can be found in <<ChSrcGitRepository>>. + +If you want to work with the source code and are planning to commit your +changes back to the Wireshark community, it is recommended to use a Git +client to get the latest source files. For detailed information about +the different ways to obtain the Wireshark sources, see <<ChSrcObtain>>. + +You will find more instructions in <<ChSrcGit>> on how to use the Git +client. + +[#ChToolsUnixGit] + +[discrete] +==== Unix + +Git is available for most UNIX and UNIX-like platforms. If Git isn't +already installed or available as a package for your platform, you can +get it at: https://git-scm.com/[]. + +After correct installation, typing at the bash command line prompt: + +[source,sh] +---- +$ git --version +---- + +should result in something like: + +---- +git version 2.14.1 +---- + +Your version will likely be different. + +[#ChToolsWindowsGit] + +[discrete] +==== Windows + +The Git command line tools for Windows can be found at +https://git-scm.com/download/win[] and can also be installed using Chocolatey: + +[source,cmd] +---- +PS:\> choco install git +---- + +After correct installation, typing at the command +line prompt (cmd.exe): + +[source,cmd] +---- +> git --version +---- + +should result in something like: + +---- +git version 2.16.1.windows.1 +---- + +However, the version string may vary. + +[#ChToolsGitPowerShellExtensions] + +=== Git Powershell Extensions (Optional) + +A useful tool for command line git on Windows is https://github.com/dahlbyk/posh-git[PoshGit]. +Poshgit provides git command completion and alters the prompt to indicate the local working +copy status. You can install it using Chocolatey: + +[source,cmd] +---- +PS:\> choco install poshgit +---- + +[#ChToolsGitGUI] + +=== Git GUI Client (Optional) + +Along with the traditional command-line client, several +GUI clients are available for a number of platforms. See +https://git-scm.com/downloads/guis[] for details. + +// [[ChToolsUnixGitGUI]] +// XXX Add Gui client section + +[#ChToolsPerl] + +=== Perl (Optional) + +https://www.perl.org[Perl] is an interpreted programming language. +Perl is used to convert various text files into usable source code and for various source code checks. +Perl version 5.6 and above should work fine. + +[#ChToolsUnixPerl] + +[discrete] +==== Unix + +Perl is available for most UNIX and UNIX-like platforms. If it isn't +already installed or available as a package for your platform, you can +get it at https://www.perl.org/[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ perl --version +---- + +should result in something like: + +---- +This is perl 5, version 26, subversion 0 (v5.26.0) built for x86_64-linux-gnu-thread-multi +(with 62 registered patches, see perl -V for more detail) + +Copyright 1987-2017, Larry Wall + +Perl may be copied only under the terms of either the Artistic License or the +GNU General Public License, which may be found in the Perl 5 source kit. + +Complete documentation for Perl, including FAQ lists, should be found on +this system using "man perl" or "perldoc perl". If you have access to the +Internet, point your browser at http://www.perl.org/, the Perl Home Page. +---- + +However, the version string may vary. + +[#ChToolsWindowsPerl] + +[discrete] +==== Windows + +A native Windows Perl package can be obtained from +http://strawberryperl.com/[Strawberry Perl] or +https://www.activestate.com[Active State]. The installation should be +straightforward. + +You may also use Chocolatey to install either package: + +---- +PS:\> choco install strawberryperl +---- + +or + +---- +PS:\> choco install activeperl +---- + +After correct installation, typing at the command +line prompt (cmd.exe): + +---- +> perl -v +---- + +should result in something like: + +---- +This is perl, v5.8.0 built for MSWin32-x86-multi-thread +(with 1 registered patch, see perl -V for more detail) + +Copyright 1987-2002, Larry Wall + +Binary build 805 provided by ActiveState Corp. http://www.ActiveState.com +Built 18:08:02 Feb 4 2003 +... +---- + +However, the version string may vary. + +[#ChToolsPatch] + +=== patch (Optional) + +The patch utility is used to merge a diff file into your own source tree. This +tool is only needed, if you want to apply a patch (diff file) from someone else +(probably from the developer mailing list) to try out in your own private source +tree. + +It most cases you may not need the patch tool installed. Git should +handle patches for you. + +// You will find more instructions in <<ChSrcPatchApply>>on how to use the patch tool. + +[#ChToolsUnixPatch] + +[discrete] +==== Unix + +Patch is available for most UNIX and UNIX-like platforms. If GNU patch +isn't already installed or available as a package for your platform, you +can get it at https://www.gnu.org/software/patch/patch.html[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ patch --version +---- + +should result in something like: + +---- +patch 2.5.8 +Copyright (C) 1988 Larry Wall +Copyright (C) 2002 Free Software Foundation, Inc. + +This program comes with NO WARRANTY, to the extent permitted by law. +You may redistribute copies of this program +under the terms of the GNU General Public License. +For more information about these matters, see the file named COPYING. + +written by Larry Wall and Paul Eggert +---- + +However, the version string may vary. + +[#ChToolsWindowsPatch] + +[discrete] +==== Windows + +The Windows native Git tools provide patch. A native Windows patch package can be obtained from +http://gnuwin32.sourceforge.net/[]. The +installation should be straightforward. + +[#ChToolsNSIS] + +=== Windows: NSIS (Optional) + +The NSIS (Nullsoft Scriptable Install System) is used to generate +_Wireshark-{wireshark-version}-x64.exe_ from all the files +needed to be installed, including all required DLLs, plugins, and supporting +files. + +To install it, download the latest released version from +https://nsis.sourceforge.net[]. NSIS v3 is required. You can also install +it using Chocolatey: + +[source,cmd] +---- +PS$> choco install nsis +---- + +You can find more instructions on using NSIS in <<ChSrcNSIS>>. + +[#ChToolsWiX] + +=== Windows: WiX Toolset (Optional) + +The Wix Toolset can be used to generate Windows Installer (_.msi_) packages. +You can download it from the link:https://wixtoolset.org/[WiX web site] or install it using Chocolatey: + +[source,cmd] +---- +PS$> choco install wixtoolset +---- + +This also requires the Visual C++ redistributable merge modules, which can be installed by selecting “Individual Components -> {cpp} 2022 Redistributable MSMs” or “...2019 Redistributable MSMs” as appropriate for your compiler in the Visual Studio installer. + +Wireshark’s .msi packaging is currently experimental and the generated packages may be incomplete. + +[#ChToolsPortableApps] +=== Windows: PortableApps (Optional) + +The PortableApps.com Installer is used to generate +_WiresharkPortable64{underscore}{wireshark-version}.paf.exe_ from all the files +needed to be installed, including all required DLLs, plugins, and supporting +files. + +To install it, do the following: + +* Download the latest PortableApps.com Platform release from + https://portableapps.com/[]. + +* Install the following applications in the PortableApps.com environment: + +** PortableApps.com Installer + +** PortableApps.com Launcher + +You can find more instructions on using the PortableApps.com Installer in +<<ChSrcPortableApps>>. + +// End of WSDG Chapter Tools + +// vim: set syntax=asciidoc: diff --git a/doc/wsdg_src/wsdg_userinterface.adoc b/doc/wsdg_src/wsdg_userinterface.adoc new file mode 100644 index 00000000..a4fe17a3 --- /dev/null +++ b/doc/wsdg_src/wsdg_userinterface.adoc @@ -0,0 +1,318 @@ +// WSDG Chapter User Interface + +[#ChapterUserInterface] + +== User Interface + +[#ChUIIntro] + +=== Introduction + +Wireshark can be logically separated into the backend (dissecting protocols, +file loading and saving, capturing, etc.) and the frontend (the user interface). + +The following frontends are currently maintained by the Wireshark +development team: + +* Wireshark, Qt based + +* TShark, console based + +This chapter is focused on the Wireshark frontend, and especially on +the Qt interface. + +[#ChUIQt] + +=== The Qt Application Framework + +Qt is a cross-platform application development framework. While we mainly use +the core (QtCore) and user interface (QtWidgets) modules, it also supports a +number of other modules for specialized application development, such as +networking (QtNetwork) and web browsing (QtWebKit). + +At the time of this writing (September 2016) most of the main Wireshark +application has been ported to Qt. The sections below provide an +overview of the application and tips for Qt development in our +environment. + +==== User Experience Considerations + +When creating or modifying Wireshark try to make sure that it will work +well on Windows, macOS, and Linux. See <<ChUIGUIDocs>> for details. +Additionally, try to keep the following in mind: + +*Workflow*. Excessive navigation and gratuitous dialogs should be +avoided or reduced. For example, compared to the legacy UI many alert +dialogs have been replaced with status bar messages. Statistics dialogs +are displayed immediately instead of requiring that options be +specified. + +*Discoverability and feedback*. Most users don't like to read +documentation and instead prefer to learn an application as they use it. +Providing feedback increases your sense of control and awareness, and +makes the application more enjoyable to use. Most of the Qt dialogs +provide a “hint” area near the bottom which shows useful information. +For example, the “Follow Stream” dialog shows the packet corresponding +to the text under the mouse. The profile management dialog shows a +clickable path to the current profile. The main welcome screen shows +live interface traffic. Most dialogs have a context menu that shows +keyboard shortcuts. + +==== Qt Creator + +Qt Creator is a full-featured IDE and user interface editor. It makes +adding new UI features much easier. It doesn't work well on Windows at +the present time, so it’s recommended that you use it on macOS or Linux. + +To edit and build Wireshark using Qt Creator, open the top-level +_CMakeLists.txt_ within Qt Creator. It should ask you to choose a build +location. Do so. It should then ask you to run CMake. Fill in any +desired build arguments (e.g. <<ChSrcBuildType,`-D CMAKE_BUILD_TYPE=Debug`>> or +`-D ENABLE_CCACHE=ON`) and click the btn:[Run CMake] button. When that +completes select menu:Build[Open Build and Run Kit Selector...] and make +sure _wireshark_ is selected. + +Note that Qt Creator uses output created by CMake’s “CodeBlocks” +generator. If you run CMake outside of Qt Creator you should use the +“CodeBlocks - Unix Makefiles” generator, otherwise Qt Creator will +prompt you to re-run CMake. + +==== Source Code Overview + +Wireshark’s `main` entry point is in _ui/qt/main.cpp_. Command-line arguments +are processed there and the main application class (`WiresharkApplication`) +instance is created there along with the main window. + +The main window along with the rest of the application resides in _ui/qt_. Due +to its size the main window code is split into several modules, _main_window.cpp_, +_wireshark_main_window.cpp_ and _wireshark_main_window_slots.cpp_. + +Most of the modules in _ui/qt_ are dialogs. Although we follow Qt naming +conventions for class names, we follow our own conventions by separating file +name components with underscores. For example, ColoringRulesDialog is defined in +_coloring_rules_dialog.cpp_, _coloring_rules_dialog.h_, and +_coloring_rules_dialog.ui_. + +General-purpose dialogs are subclasses of `QDialog`. Dialogs that rely on the +current capture file can subclass `WiresharkDialog`, which provides methods and +members that make it easier to access the capture file and to keep the dialog +open when the capture file closes. + +==== Coding Practices and Naming Conventions + +===== Names + +The code in _ui/qt_ directory uses three APIs: Qt (which uses upper camel case), GLib (which uses snake_case), and the Wireshark +API (which also uses snake_case). + +As a general rule, for names, Wireshark’s Qt code: + +- uses upper camel case, in which words in the name are not separated by underscores, and the first letter of each word is capitalized, for classes, for example, `PacketList`; +- uses lower camel case, in which words in the name are not separated by underscores, and the first letter of each word other than the first word is capitalized, for methods, for example, `resetColumns`; +- uses snake case, in which words in the name are separated by underscores, and the first letter of the word is not capitalized, for variables, with a trailing underscore used for member variables, for example, `packet_list_model_`. + +===== Dialogs + +Dialogs that work with capture file information shouldn't close just because the +capture file closes. Subclassing `WiresharkDialog` as described above can make +it easier to persist across capture files. + +When you create a window with a row of standard “OK” and “Close” buttons at +the bottom using Qt Creator you will end up with a subclass of QDialog. This is +fine for traditional modal dialogs, but many times the “dialog” needs to behave +like a QWindow instead. + +Modal dialogs should be constructed with `QDialog(parent)`. Modeless dialogs +(windows) should be constructed with `QDialog(NULL, Qt::Window)`. Other +combinations (particularly `QDialog(parent, Qt::Window)`) can lead to odd and +inconsistent behavior. Again, subclassing `WiresharkDialog` will take care of +this for you. + +Most of the dialogs in ui/qt share many similarities, including method names, +widget names, and behavior. Most dialogs should have the following, although +it’s not strictly required: + +- An `updateWidgets()` method, which enables and disables widgets depending on + the current state and constraints of the dialog. For example, the Coloring + Rules dialog disables the *Save* button if the user has entered an + invalid display filter. +- A `hintLabel()` widget subclassed from `QLabel` or `ElidedLabel`, placed just + above the dialog button box. The hint label provides guidance and feedback to + the user. +- A context menu (`ctx_menu_`) for additional actions not present in the + button box. +- If the dialog box contains a `QTreeWidget` you might want to add your own + `QTreeWidgetItem` subclass with the following methods: + `drawData()`:: Draws column data with any needed formatting. + `colData()`:: Returns the data for each column as a `QVariant`. Used for + copying as CSV, YAML, etc. + `operator<()`:: Allows sorting columns based on their raw data. + +===== Strings + +Wireshark’s C code and GLib use UTF-8 encoded character arrays. Qt +(specifically QString) uses UTF-16. You can convert a `char *` to a +`QString` using simple assignment. You can convert a `QString` to a +`const char *` using `qUtf8Printable`. + +If you're using GLib string functions or plain old C character array +idioms in Qt-only code you're probably doing something wrong, +particularly if you're manually allocating and releasing memory. +QStrings are generally *much* safer and easier to use. They also make +translations easier. + +If you need to pass strings between Qt and GLib you can use a number +of convenience routines which are defined in _ui/qt/utils/qt_ui_utils.h_. + +If you're calling a function that returns wmem-allocated memory it might make +more sense to add a wrapper function to _qt_ui_utils_ than to call wmem_free in +your code. + +===== Mixing C and {cpp} + +Sometimes we have to call {cpp} functions from one of +Wireshark’s C callbacks and pass {cpp} objects to or from C. Tap +listeners are a common example. The {cpp} FAQ +https://www.parashift.com/c++-faq/mixing-c-and-cpp.html[describes how to do +this safely]. + +Tapping usually involves declaring static methods for callbacks, passing `this` +as the tap data. + +[#ChUII18N] +===== Internationalization and Translation + +Qt provides a convenient method for translating text: `Qobject::tr()`, +usually available as `tr()`. + +However, please avoid using `tr()` for static strings and define them in _*.ui_ +files instead. `tr()` on manually created objects like `QMenu` are not +automatically retranslated and must instead be manually translated using +`changeEvent()` and `retranslateUi()`. See _ui/qt/wireshark_main_window.cpp_ for an example +of this. + +NOTE: If your object life is short and your components are (re)created +dynamically then it is ok to use `tr()`. + +In most cases you should handle the changeEvent in order to catch +`QEvent::LanguageChange`. + +Qt makes translating the Wireshark UI into different languages easy. To add a new +translation, do the following: + +- Add your translation (_ui/qt/wireshark_XX.ts_) to _ui/qt/CMakeLists.txt_ +- (Recommended) Add a flag image for your language in _resources/languages/XX.svg_. Update _resources/languages/languages.qrc_ accordingly. +- Run `lupdate ui/qt -ts ui/qt/wireshark_XX.ts` to generate/update your translation file. +- Add ui/qt/wireshark_XX.ts to `.tx/config`. +- Translate with Qt Linguist: `linguist ui/qt/wireshark_XX.ts`. +- Do a test build and make sure the generated _wireshark_XX.qm_ binary file is included. +- Push your translation to GitLab for review. See <<ChSrcContribute>> for details. + +Alternatively you can put your QM and flag files in the _languages_ +directory in the Wireshark user configuration directory +(_$XDG_CONFIG_HOME/wireshark/languages/_ or _$HOME/.wireshark/languages/_ on +UNIX). + +For more information about Qt Linguist see +https://doc.qt.io/qt-5/qtlinguist-index.html[its manual]. + +You can also manage translations online with +https://www.transifex.com/wireshark/wireshark/[Transifex]. +Translation resources are organized by type of translation and development branch: + +master:: +Qt Linguist resources in the _ui/qt_ in the master branch. + +debian:: +GNU gettext resources in the _debian_ directory in the master branch. + +qt-_XY_, master-_XY_:: +Qt Linguist resources in the _ui/qt_ in the _X.Y_ release branch. +For example, qt-34 matches the Wireshark 3.2 release branch. + +po-_XY_, debian-_XY_:: +GNU gettext (.po) resources in the _debian_ directory in the _X.Y_ release branch. +For example, po-34 matches the Wireshark 3.4 release branch. + +Each week translations are automatically synchronized with the source code through the following steps: + +- Pull changes from Transifex by running `tx pull -f`. +- Run `lupdate` on the ts files. +- Push and commit on GitLab. +- Push changes to Transifex by running `tx push`. + +===== Colors And Themes + +Qt provides a number of colors via the https://doc.qt.io/qt-5/qpalette.html[QPalette] +class. Use this class when you need a standard color provided by the +underlying operating system. + +Wireshark uses an extended version of the +https://en.wikipedia.org/wiki/Tango_Desktop_Project[Tango Color Palette] +for many interface elements that require custom colors. This includes the +I/O graphs, sequence diagrams, and RTP streams. Please use this palette +(defined in `tango_colors.h` and the *ColorUtils* class) if *QPalette* +doesn't meet your needs. + +Wireshark supports dark themes (aka “dark mode”) on some platforms. We +leverage Qt's dark theme support when possible, but have implemented our +own support and workarounds in some cases. You can ensure that your code +includes proper dark theme support by doing the following: + +* You can use a macOS-style template icon by creating a monochrome SVG +document with “.template” appended to the name, e.g. +`resources/stock_icons/24x24/edit-find.template.svg`. +* Qt draws unvisited links *Qt::blue* no matter what. You can work +around this by using `ColorUtils::themeLinkBrush()` and +`ColorUtils::themeLinkStyle()`. +* You can catch dark and light mode changes by handling +`QEvent::ApplicationPaletteChange`. + +==== Other Issues and Information + +The main window has many QActions which are shared with child widgets. See +_ui/qt/proto_tree.cpp_ for an example of this. + +To demonstrate the functionality of the plugin interface options, a +demonstration plugin exists (pluginifdemo). See _doc/README.plugins_ and +_plugins/epan/pluginifdemo_. + +https://www.kdab.com/development-resources/qt-tools/gammaray/[GammaRay] lets you inspect +the internals of a running Qt application similar to $$Spy++$$ on Windows. + +[#ChUIGUIDocs] + +=== Human Interface Reference Documents + +Wireshark runs on a number of platforms, primarily Windows, macOS, and +Linux. It should conform to the Windows, macOS, GNOME, and KDE human +interface guidelines as much as possible. Unfortunately, creating a +feature that works well across these platforms can sometimes be a +juggling act since the human interface guidelines for each platform +often contradict one another. If you run into trouble you can ask the +_wireshark-dev_ mailing list as well as the User Experience Stack +Exchange listed below. + +For further reference, see the following: + +* Android Design: +https://developer.android.com/design/[]. Wireshark doesn't have +a mobile frontend (not yet, at least) but there is still useful +information here. + +* GNOME Human Interface Guidelines: +https://developer.gnome.org/hig/[] + +* KDE Human Interface Guidelines: +https://hig.kde.org[] + +* macOS Human Interface Guidelines: +https://developer.apple.com/design/human-interface-guidelines/macos/overview/themes/[] + +* Design guidelines for the Windows desktop: +https://docs.microsoft.com/en-us/windows/desktop/uxguide/guidelines[] + +* User Experience Stack Exchange: +https://ux.stackexchange.com/[] + +// End of WSDG Chapter User Interface diff --git a/doc/wsdg_src/wsdg_works.adoc b/doc/wsdg_src/wsdg_works.adoc new file mode 100644 index 00000000..88c2f7a5 --- /dev/null +++ b/doc/wsdg_src/wsdg_works.adoc @@ -0,0 +1,119 @@ +// WSDG Chapter Works + +[#ChapterWorks] + +== How Wireshark Works + +[#ChWorksIntro] + +=== Introduction + +This chapter will give you a short overview of how Wireshark works. + +[#ChWorksOverview] + +=== Overview + +The following will give you a simplified overview of Wireshark’s function blocks: + +[#ChWorksFigOverview] + +.Wireshark function blocks +image::images/ws-function-blocks.svg[{pdf-scaledwidth}] + +The function blocks in more detail: + +GUI:: Handling of all user input/output (all windows, dialogs and such). +Source code can be found in the _ui/qt_ directory. + +Core:: Main "glue code" that holds the other blocks together. Source +code can be found in the root directory. + +Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine. +Source code can be found in the _epan_ directory. Epan provides +the following APIs: + +* Protocol Tree. Dissection information for an individual packet. + +* Dissectors. The various protocol dissectors in +_epan/dissectors_. + +* Dissector Plugins - Support for implementing dissectors as separate modules. +Source code can be found in _plugins_. + +* Display Filters - The display filter engine at +_epan/dfilter_. + +Wiretap:: The wiretap library is used to read and write capture files in libpcap, +pcapng, and many other file formats. Source code is in the +_wiretap_ directory. + +Capture:: The interface to the capture engine. Source code is in the +root directory. + +Dumpcap:: The capture engine itself. This is the only part that executes with +elevated privileges. Source code is in the root directory. + +Npcap and libpcap:: These are external libraries that provide packet capture +and filtering support on different platforms. The filtering in Npcap and libpcap +works at a much lower level than Wireshark’s display filters and uses a +significantly different mechanism. That’s why there are different display and +capture filter syntaxes. + + +[#ChWorksCapturePackets] + +=== Capturing packets + +Capturing takes packets from a network adapter and saves them to a file +on your hard disk. + +Since raw network adapter access requires elevated privileges, these functions +are isolated to the `dumpcap` program. Placing the capture functionality +into `dumpcap` allows the rest of the code (dissectors, user interface, +etc.) to run with normal user privileges. + +To hide all the low-level machine dependent details from Wireshark, the libpcap +and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a +general purpose interface to capture packets and are used by a wide variety of +applications. + +[#ChWorksCaptureFiles] + +=== Capture Files + +Wireshark can read and write capture files in its natural file formats, pcapng +and pcap, which are used by many other network capturing tools, such as tcpdump. +Additionally, Wireshark supports reading and writing packet capture files +in formats used by other network capture tools. This support is implemented in +Wireshark's wiretap library, which provides a general purpose interface for +reading and writing packet capture formats and supports more than twenty +packet capture formats. + +[#ChWorksDissectPackets] + +=== Dissect packets + +Wireshark dissects packets in what it calls 'two-pass' dissection. + +Wireshark performs a first pass of dissecting all packets as they are loaded +from the file. All packets are dissected sequentially and this information +is used to populate Wireshark's packet list pane and to build state and +other information needed when displaying the packet. + +Wireshark later performs 'second pass' ad-hoc dissections on the +packets that it needs data from. This enables Wireshark to fill in fields that +require future knowledge, like the 'response in frame #' fields, +and correctly calculate reassembly frame dependencies. + +For example, Wireshark will perform an ad-hoc dissection when a user selects +a packet (to display the packet details), +calculates a statistic (so all values are computed), +or performs another action that requires packet data. +However, because Wireshark may only dissect +the packets that are needed, there is no guarantee that +Wireshark will dissect all packets again, nor is there any guarantee as to the +order that the packets will be dissected after the first pass. + +// End of WSDG Chapter Works + diff --git a/doc/wsug_src/capinfos-h.txt b/doc/wsug_src/capinfos-h.txt new file mode 100644 index 00000000..caff07c7 --- /dev/null +++ b/doc/wsug_src/capinfos-h.txt @@ -0,0 +1,68 @@ +Capinfos (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Print various information (infos) about capture files. +See https://www.wireshark.org for more information. + +Usage: capinfos [options] <infile> ... + +General infos: + -t display the capture file type + -E display the capture file encapsulation + -I display the capture file interface information + -F display additional capture file information + -H display the SHA256 and SHA1 hashes of the file + -k display the capture comment + -p display individual packet comments + +Size infos: + -c display the number of packets + -s display the size of the file (in bytes) + -d display the total length of all packets (in bytes) + -l display the packet size limit (snapshot length) + +Time infos: + -u display the capture duration (in seconds) + -a display the timestamp of the earliest packet + -e display the timestamp of the latest packet + -o display the capture file chronological status (True/False) + -S display earliest and latest packet timestamps as seconds + +Statistic infos: + -y display average data rate (in bytes/sec) + -i display average data rate (in bits/sec) + -z display average packet size (in bytes) + -x display average packet rate (in packets/sec) + +Metadata infos: + -n display number of resolved IPv4 and IPv6 addresses + -D display number of decryption secrets + +Output format: + -L generate long report (default) + -T generate table report + -M display machine-readable values in long reports + +Table report options: + -R generate header record (default) + -r do not generate header record + + -B separate infos with TAB character (default) + -m separate infos with comma (,) character + -b separate infos with SPACE character + + -N do not quote infos (default) + -q quote infos with single quotes (') + -Q quote infos with double quotes (") + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -C cancel processing if file open fails (default is to continue) + -A generate all infos (default) + -K disable displaying the capture comment + -P disable displaying individual packet comments + +Options are processed from left to right order with later options superseding +or adding to earlier options. + +If no options are given the default is to display all infos in long report +output format. diff --git a/doc/wsug_src/dumpcap-h.txt b/doc/wsug_src/dumpcap-h.txt new file mode 100644 index 00000000..d24cd18b --- /dev/null +++ b/doc/wsug_src/dumpcap-h.txt @@ -0,0 +1,93 @@ +Dumpcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Capture network packets and dump them into a pcapng or pcap file. +See https://www.wireshark.org for more information. + +Usage: dumpcap [options] ... + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback), + or for remote capturing, use this format: + TCP@<host>:<port> + --ifname <name> name to use in the capture file for a pipe from which + we're capturing + --ifdescr <description> + description to use in the capture file for a pipe + from which we're capturing + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer in MiB (def: 2MiB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + --update-interval interval between updates with new packets (def: 100ms) + -d print generated BPF code for capture filter + -k <freq>,[<type>],[<center_freq1>],[<center_freq2>] + set channel on wifi interface + -S print statistics for each interface once per second + -M for -D, -L, and -S, produce machine-readable output + +Stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM kB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Output (files): + -w <filename> name of file to save (def: tempfile) + -g enable group read access on the output file(s) + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM kB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - ringbuffer: replace after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs + printname:FILE - print filename to FILE when written + (can use 'stdout' or 'stderr') + -n use pcapng format instead of pcap (default) + -P use libpcap format instead of pcapng + --capture-comment <comment> + add a capture comment to the output file + (only for pcapng) + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -N <packet_limit> maximum number of packets buffered within dumpcap + -C <byte_limit> maximum number of bytes used for buffering packets + within dumpcap + -t use a separate thread per interface + -q don't report packet capture counts + -v, --version print version information and exit + -h, --help display this help and exit + +Dumpcap can benefit from an enabled BPF JIT compiler if available. +You might want to enable it by executing: + "echo 1 > /proc/sys/net/core/bpf_jit_enable" +Note that this can make your system less secure! + +Example: dumpcap -i eth0 -a duration:60 -w output.pcapng +"Capture packets from interface eth0 until 60s passed into output.pcapng" + +Use Ctrl-C to stop capturing at any time. diff --git a/doc/wsug_src/editcap-F.txt b/doc/wsug_src/editcap-F.txt new file mode 100644 index 00000000..4f2bf7f8 --- /dev/null +++ b/doc/wsug_src/editcap-F.txt @@ -0,0 +1,40 @@ +editcap: The available capture file types for the "-F" flag are: + pcap - Wireshark/tcpdump/... - pcap + pcapng - Wireshark/... - pcapng + 5views - InfoVista 5View capture + btsnoop - Symbian OS btsnoop + commview-ncf - TamoSoft CommView NCF + commview-ncfx - TamoSoft CommView NCFX + dct2000 - Catapult DCT2000 trace (.out format) + erf - Endace ERF capture + eyesdn - EyeSDN USB S0/E1 ISDN trace format + k12text - K12 text file + lanalyzer - Novell LANalyzer + logcat - Android Logcat Binary format + logcat-brief - Android Logcat Brief text format + logcat-long - Android Logcat Long text format + logcat-process - Android Logcat Process text format + logcat-tag - Android Logcat Tag text format + logcat-thread - Android Logcat Thread text format + logcat-threadtime - Android Logcat Threadtime text format + logcat-time - Android Logcat Time text format + modpcap - Modified tcpdump - pcap + mp2t - MPEG2 transport stream + netmon1 - Microsoft NetMon 1.x + netmon2 - Microsoft NetMon 2.x + nettl - HP-UX nettl trace + ngsniffer - Sniffer (DOS) + ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1 + ngwsniffer_2_0 - Sniffer (Windows) 2.00x + nokiapcap - Nokia tcpdump - pcap + nsecpcap - Wireshark/tcpdump/... - nanosecond pcap + nstrace10 - NetScaler Trace (Version 1.0) + nstrace20 - NetScaler Trace (Version 2.0) + nstrace30 - NetScaler Trace (Version 3.0) + nstrace35 - NetScaler Trace (Version 3.5) + observer - Viavi Observer + rf5 - Tektronix K12xx 32-bit .rf5 format + rh6_1pcap - RedHat 6.1 tcpdump - pcap + snoop - Sun snoop + suse6_3pcap - SuSE 6.3 tcpdump - pcap + visual - Visual Networks traffic capture diff --git a/doc/wsug_src/editcap-T.txt b/doc/wsug_src/editcap-T.txt new file mode 100644 index 00000000..af5214ba --- /dev/null +++ b/doc/wsug_src/editcap-T.txt @@ -0,0 +1,227 @@ +editcap: The available encapsulation types for the "-T" flag are: + alp - ATSC Link-Layer Protocol (A/330) packets + ap1394 - Apple IP-over-IEEE 1394 + arcnet - ARCNET + arcnet_linux - Linux ARCNET + ascend - Lucent/Ascend access equipment + atm-pdus - ATM PDUs + atm-pdus-untruncated - ATM PDUs - untruncated + atm-rfc1483 - RFC 1483 ATM + auerlog - Auerswald Log + autosardlt - AUTOSAR DLT + ax25 - Amateur Radio AX.25 + ax25-kiss - AX.25 with KISS header + bacnet-ms-tp - BACnet MS/TP + bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info + ber - ASN.1 Basic Encoding Rules + bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF + bluetooth-h4 - Bluetooth H4 + bluetooth-h4-linux - Bluetooth H4 with linux header + bluetooth-hci - Bluetooth without transport layer + bluetooth-le-ll - Bluetooth Low Energy Link Layer + bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF + bluetooth-linux-monitor - Bluetooth Linux Monitor + can20b - Controller Area Network 2.0B + chdlc - Cisco HDLC + chdlc-with-direction - Cisco HDLC with Directional Info + cosine - CoSine L2 debug log + dbus - D-Bus + dct2000 - Catapult DCT2000 + dect_nr - DECT-2020 New Radio (NR) MAC layer + docsis - Data Over Cable Service Interface Specification + docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header + dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header + dpnss_link - Digital Private Signalling System No 1 Link Layer + dvbci - DVB-CI (Common Interface) + ebhscr - Elektrobit High Speed Capture and Replay + ems - EMS (EGNOS Message Server) file + enc - OpenBSD enc(4) encapsulating interface + epon - Ethernet Passive Optical Network + erf - Extensible Record Format + eri_enb_log - Ericsson eNode-B raw log + ether - Ethernet + ether-mpacket - IEEE 802.3br mPackets + ether-nettl - Ethernet with nettl headers + etw - Event Tracing for Windows messages + fc2 - Fibre Channel FC-2 + fc2sof - Fibre Channel FC-2 With Frame Delimiter + fddi - FDDI + fddi-nettl - FDDI with nettl headers + fddi-swapped - FDDI with bit-swapped MAC addresses + fira-uci - FiRa UWB Controller Interface (UCI) protocol. + flexray - FlexRay + frelay - Frame Relay + frelay-with-direction - Frame Relay with Directional Info + gcom-serial - GCOM Serial + gcom-tie1 - GCOM TIE1 + gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode + gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode + gprs-llc - GPRS LLC + gsm_um - GSM Um Interface + hhdlc - HiPath HDLC + i2c-linux - I2C with Linux-specific pseudo-header + ieee-802-11 - IEEE 802.11 Wireless LAN + ieee-802-11-avs - IEEE 802.11 plus AVS radio header + ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header + ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header + ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information + ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header + ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer + infiniband - InfiniBand + ios - Cisco IOS internal + ip-ib - IP over IB + ip-over-fc - RFC 2625 IP-over-Fibre Channel + ip-over-ib - IP over InfiniBand + ipfix - RFC 5655/RFC 5101 IPFIX + ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header + ipmi-trace - IPMI Trace Data Collection + ipnet - Solaris IPNET + irda - IrDA + isdn - ISDN + iso14443 - ISO 14443 contactless smartcard standards + ixveriwave - IxVeriWave header and stats block + jfif - JPEG/JFIF + json - JavaScript Object Notation + juniper-atm1 - Juniper ATM1 + juniper-atm2 - Juniper ATM2 + juniper-chdlc - Juniper C-HDLC + juniper-ether - Juniper Ethernet + juniper-frelay - Juniper Frame-Relay + juniper-ggsn - Juniper GGSN + juniper-mlfr - Juniper MLFR + juniper-mlppp - Juniper MLPPP + juniper-ppp - Juniper PPP + juniper-pppoe - Juniper PPPoE + juniper-st - Juniper Secure Tunnel Information + juniper-svcs - Juniper Services + juniper-vn - Juniper VN + juniper-vp - Juniper Voice PIC + k12 - K12 protocol analyzer + lapb - LAPB + lapd - LAPD + layer1-event - EyeSDN Layer 1 event + lin - Local Interconnect Network + linux-atm-clip - Linux ATM CLIP + linux-lapd - LAPD with Linux pseudo-header + linux-sll - Linux cooked-mode capture v1 + linux-sll2 - Linux cooked-mode capture v2 + log_3GPP - 3GPP Phone Log + logcat - Android Logcat Binary format + logcat_brief - Android Logcat Brief text format + logcat_long - Android Logcat Long text format + logcat_process - Android Logcat Process text format + logcat_tag - Android Logcat Tag text format + logcat_thread - Android Logcat Thread text format + logcat_threadtime - Android Logcat Threadtime text format + logcat_time - Android Logcat Time text format + loop - OpenBSD loopback + loratap - LoRaTap + ltalk - Localtalk + mdb - MDB (Multi-Drop Bus) + message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4 + message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6 + message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4 + message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6 + message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4 + message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6 + mime - MIME + most - Media Oriented Systems Transport + mp2ts - ISO/IEC 13818-1 MPEG2-TS + mp4 - MP4 files + mpeg - MPEG + mtp2 - SS7 MTP2 + mtp2-with-phdr - MTP2 with pseudoheader + mtp3 - SS7 MTP3 + mux27010 - MUX27010 + netanalyzer - Hilscher netANALYZER + netanalyzer-transparent - Hilscher netANALYZER-Transparent + netlink - Linux Netlink + netmon_event - Network Monitor Network Event + netmon_filter - Network Monitor Filter + netmon_header - Network Monitor Header + netmon_network_info - Network Monitor Network Info + nfc-llcp - NFC LLCP + nflog - NFLOG + nordic_ble - nRF Sniffer for Bluetooth LE + nstrace10 - NetScaler Encapsulation 1.0 of Ethernet + nstrace20 - NetScaler Encapsulation 2.0 of Ethernet + nstrace30 - NetScaler Encapsulation 3.0 of Ethernet + nstrace35 - NetScaler Encapsulation 3.5 of Ethernet + null - NULL/Loopback + packetlogger - Apple Bluetooth PacketLogger + pflog - OpenBSD PF Firewall logs + pflog-old - OpenBSD PF Firewall logs, pre-3.4 + pktap - Apple PKTAP + ppi - Per-Packet Information header + ppp - PPP + ppp-with-direction - PPP with Directional Info + pppoes - PPP-over-Ethernet session + raw-icmp-nettl - Raw ICMP with nettl headers + raw-icmpv6-nettl - Raw ICMPv6 with nettl headers + raw-telnet-nettl - Raw telnet with nettl headers + rawip - Raw IP + rawip-nettl - Raw IP with nettl headers + rawip4 - Raw IPv4 + rawip6 - Raw IPv6 + redback - Redback SmartEdge + rfc7468 - RFC 7468 file + rtac-serial - RTAC serial-line + ruby_marshal - Ruby marshal object + s4607 - STANAG 4607 + s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU) + sccp - SS7 SCCP + sctp - SCTP + sdh - SDH + sdjournal - systemd journal + sdlc - SDLC + silabs-dch - Silabs Debug Channel + sita-wan - SITA WAN packets + slip - SLIP + socketcan - SocketCAN + symantec - Symantec Enterprise Firewall + tnef - Transport-Neutral Encapsulation Format + tr - Token Ring + tr-nettl - Token Ring with nettl headers + tzsp - Tazmen sniffer protocol + unknown - Unknown + unknown-nettl - Unknown link-layer type with nettl headers + usb-20 - USB 2.0/1.1/1.0 packets + usb-20-full - Full-Speed USB 2.0/1.1/1.0 packets + usb-20-high - High-Speed USB 2.0 packets + usb-20-low - Low-Speed USB 2.0/1.1/1.0 packets + usb-darwin - USB packets with Darwin (macOS, etc.) headers + usb-freebsd - USB packets with FreeBSD header + usb-linux - USB packets with Linux header + usb-linux-mmap - USB packets with Linux header and padding + usb-usbpcap - USB packets with USBPcap header + user0 - USER 0 + user1 - USER 1 + user2 - USER 2 + user3 - USER 3 + user4 - USER 4 + user5 - USER 5 + user6 - USER 6 + user7 - USER 7 + user8 - USER 8 + user9 - USER 9 + user10 - USER 10 + user11 - USER 11 + user12 - USER 12 + user13 - USER 13 + user14 - USER 14 + user15 - USER 15 + v5-ef - V5 Envelope Function + vpp - Vector Packet Processing graph dispatch trace + vsock - Linux vsock + whdlc - Wellfleet HDLC + wireshark-upper-pdu - Wireshark Upper PDU export + wpan - IEEE 802.15.4 Wireless PAN + wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present + wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY + wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header + x2e-serial - X2E serial line capture + x2e-xoraya - X2E Xoraya + x25-nettl - X.25 with nettl headers + xeth - Xerox 3MB Ethernet + zbncp - ZBOSS NCP + zwave-serial - Z-Wave Serial API packets diff --git a/doc/wsug_src/editcap-h.txt b/doc/wsug_src/editcap-h.txt new file mode 100644 index 00000000..93edff0b --- /dev/null +++ b/doc/wsug_src/editcap-h.txt @@ -0,0 +1,122 @@ +Editcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Edit and/or translate the format of capture files. +See https://www.wireshark.org for more information. + +Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ] + +<infile> and <outfile> must both be present; use '-' for stdin or stdout. +A single packet or a range of packets can be selected. + +Packet selection: + -r keep the selected packets; default is to delete them. + -A <start time> only read packets whose timestamp is after (or equal + to) the given time. + -B <stop time> only read packets whose timestamp is before the + given time. + Time format for -A/-B options is + YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm] + Unix epoch timestamps are also supported. + +Duplicate packet removal: + --novlan remove vlan info from packets before checking for duplicates. + -d remove packet if duplicate (window == 5). + -D <dup window> remove packet if duplicate; configurable <dup window>. + Valid <dup window> values are 0 to 1000000. + NOTE: A <dup window> of 0 with -V (verbose option) is + useful to print MD5 hashes. + -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR + LESS THAN <dup time window> prior to current packet. + A <dup time window> is specified in relative seconds + (e.g. 0.000001). + NOTE: The use of the 'Duplicate packet removal' options with + other editcap options except -V may not always work as expected. + Specifically the -r, -t or -S options will very likely NOT have the + desired effect if combined with the -d, -D or -w. + --skip-radiotap-header skip radiotap header when checking for packet duplicates. + Useful when processing packets captured by multiple radios + on the same channel in the vicinity of each other. + --set-unused set unused byts to zero in sll link addr. + +Packet manipulation: + -s <snaplen> truncate each packet to max. <snaplen> bytes of data. + -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values + chop at the packet beginning, negative values at the + packet end. If an optional offset precedes the length, + then the bytes chopped will be offset from that value. + Positive offsets are from the packet beginning, + negative offsets are from the packet end. You can use + this option more than once, allowing up to 2 chopping + regions within a packet provided that at least 1 + choplen is positive and at least 1 is negative. + -L adjust the frame (i.e. reported) length when chopping + and/or snapping. + -t <time adjustment> adjust the timestamp of each packet. + <time adjustment> is in relative seconds (e.g. -0.5). + -S <strict adjustment> adjust timestamp of packets if necessary to ensure + strict chronological increasing order. The <strict + adjustment> is specified in relative seconds with + values of 0 or 0.000001 being the most reasonable. + A negative adjustment value will modify timestamps so + that each packet's delta time is the absolute value + of the adjustment specified. A value of -0 will set + all packets to the timestamp of the first packet. + -E <error probability> set the probability (between 0.0 and 1.0 incl.) that + a particular packet byte will be randomly changed. + -o <change offset> When used in conjunction with -E, skip some bytes from the + beginning of the packet. This allows one to preserve some + bytes, in order to have some headers untouched. + --seed <seed> When used in conjunction with -E, set the seed to use for + the pseudo-random number generator. This allows one to + repeat a particular sequence of errors. + -I <bytes to ignore> ignore the specified number of bytes at the beginning + of the frame during MD5 hash calculation, unless the + frame is too short, then the full frame is used. + Useful to remove duplicated packets taken on + several routers (different mac addresses for + example). + e.g. -I 26 in case of Ether/IP will ignore + ether(14) and IP header(20 - 4(src ip) - 4(dst ip)). + -a <framenum>:<comment> Add or replace comment for given frame number + +Output File(s): + if the output file(s) have the .gz extension, then + gzip compression will be used + -c <packets per file> split the packet output to different files based on + uniform packet counts with a maximum of + <packets per file> each. + -i <seconds per file> split the packet output to different files based on + uniform time intervals with a maximum of + <seconds per file> each. + -F <capture type> set the output file type; default is pcapng. + An empty "-F" option will list the file types. + -T <encap type> set the output file encapsulation type; default is the + same as the input file. An empty "-T" option will + list the encapsulation types. + --inject-secrets <type>,<file> Insert decryption secrets from <file>. List + supported secret types with "--inject-secrets help". + --extract-secrets Extract decryption secrets into the output file instead. + Incompatible with other options besides -V. + --discard-all-secrets Discard all decryption secrets from the input file + when writing the output file. Does not discard + secrets added by "--inject-secrets" in the same + command line. + --capture-comment <comment> + Add a capture file comment, if supported. + --discard-capture-comment + Discard capture file comments from the input file + when writing the output file. Does not discard + comments added by "--capture-comment" in the same + command line. + --discard-packet-comments + Discard all packet comments from the input file + when writing the output file. Does not discard + comments added by "-a" in the same command line. + --compress <type> Compress the output file using the type compression format. + +Miscellaneous: + -h, --help display this help and exit. + -V verbose output. + If -V is used with any of the 'Duplicate Packet + Removal' options (-d, -D or -w) then Packet lengths + and MD5 hashes are printed to standard-error. + -v, --version print version information and exit. diff --git a/doc/wsug_src/images/caution.svg b/doc/wsug_src/images/caution.svg new file mode 100644 index 00000000..793c6020 --- /dev/null +++ b/doc/wsug_src/images/caution.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightning-charge" viewBox="0 0 16 16"> + <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09zM4.157 8.5H7a.5.5 0 0 1 .478.647L6.11 13.59l5.732-6.09H9a.5.5 0 0 1-.478-.647L9.89 2.41 4.157 8.5z"/> +</svg> diff --git a/doc/wsug_src/images/important.svg b/doc/wsug_src/images/important.svg new file mode 100644 index 00000000..a2ee7012 --- /dev/null +++ b/doc/wsug_src/images/important.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-circle" viewBox="0 0 16 16"> + <path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/> + <path d="M7.002 11a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 4.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 4.995z"/> +</svg> diff --git a/doc/wsug_src/images/note.svg b/doc/wsug_src/images/note.svg new file mode 100644 index 00000000..803dc13e --- /dev/null +++ b/doc/wsug_src/images/note.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-sticky" viewBox="0 0 16 16"> + <path d="M2.5 1A1.5 1.5 0 0 0 1 2.5v11A1.5 1.5 0 0 0 2.5 15h6.086a1.5 1.5 0 0 0 1.06-.44l4.915-4.914A1.5 1.5 0 0 0 15 8.586V2.5A1.5 1.5 0 0 0 13.5 1h-11zM2 2.5a.5.5 0 0 1 .5-.5h11a.5.5 0 0 1 .5.5V8H9.5A1.5 1.5 0 0 0 8 9.5V14H2.5a.5.5 0 0 1-.5-.5v-11zm7 11.293V9.5a.5.5 0 0 1 .5-.5h4.293L9 13.793z"/> +</svg> diff --git a/doc/wsug_src/images/related-ack.png b/doc/wsug_src/images/related-ack.png Binary files differnew file mode 100644 index 00000000..a60c5fbb --- /dev/null +++ b/doc/wsug_src/images/related-ack.png diff --git a/doc/wsug_src/images/related-current.png b/doc/wsug_src/images/related-current.png Binary files differnew file mode 100644 index 00000000..02578c5e --- /dev/null +++ b/doc/wsug_src/images/related-current.png diff --git a/doc/wsug_src/images/related-dup-ack.png b/doc/wsug_src/images/related-dup-ack.png Binary files differnew file mode 100644 index 00000000..a73dc646 --- /dev/null +++ b/doc/wsug_src/images/related-dup-ack.png diff --git a/doc/wsug_src/images/related-first.png b/doc/wsug_src/images/related-first.png Binary files differnew file mode 100644 index 00000000..03e44ac0 --- /dev/null +++ b/doc/wsug_src/images/related-first.png diff --git a/doc/wsug_src/images/related-last.png b/doc/wsug_src/images/related-last.png Binary files differnew file mode 100644 index 00000000..9f740ebe --- /dev/null +++ b/doc/wsug_src/images/related-last.png diff --git a/doc/wsug_src/images/related-other.png b/doc/wsug_src/images/related-other.png Binary files differnew file mode 100644 index 00000000..3bde3ace --- /dev/null +++ b/doc/wsug_src/images/related-other.png diff --git a/doc/wsug_src/images/related-request.png b/doc/wsug_src/images/related-request.png Binary files differnew file mode 100644 index 00000000..472b850d --- /dev/null +++ b/doc/wsug_src/images/related-request.png diff --git a/doc/wsug_src/images/related-response.png b/doc/wsug_src/images/related-response.png Binary files differnew file mode 100644 index 00000000..883274eb --- /dev/null +++ b/doc/wsug_src/images/related-response.png diff --git a/doc/wsug_src/images/related-segment.png b/doc/wsug_src/images/related-segment.png Binary files differnew file mode 100644 index 00000000..9fff8a7e --- /dev/null +++ b/doc/wsug_src/images/related-segment.png diff --git a/doc/wsug_src/images/tip.svg b/doc/wsug_src/images/tip.svg new file mode 100644 index 00000000..1a60b74a --- /dev/null +++ b/doc/wsug_src/images/tip.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightbulb" viewBox="0 0 16 16"> + <path d="M2 6a6 6 0 1 1 10.174 4.31c-.203.196-.359.4-.453.619l-.762 1.769A.5.5 0 0 1 10.5 13a.5.5 0 0 1 0 1 .5.5 0 0 1 0 1l-.224.447a1 1 0 0 1-.894.553H6.618a1 1 0 0 1-.894-.553L5.5 15a.5.5 0 0 1 0-1 .5.5 0 0 1 0-1 .5.5 0 0 1-.46-.302l-.761-1.77a1.964 1.964 0 0 0-.453-.618A5.984 5.984 0 0 1 2 6zm6-5a5 5 0 0 0-3.479 8.592c.263.254.514.564.676.941L5.83 12h4.342l.632-1.467c.162-.377.413-.687.676-.941A5 5 0 0 0 8 1z"/> +</svg> diff --git a/doc/wsug_src/images/toolbar/document-open.png b/doc/wsug_src/images/toolbar/document-open.png Binary files differnew file mode 100644 index 00000000..516a261c --- /dev/null +++ b/doc/wsug_src/images/toolbar/document-open.png diff --git a/doc/wsug_src/images/toolbar/edit-find.png b/doc/wsug_src/images/toolbar/edit-find.png Binary files differnew file mode 100644 index 00000000..f739ea98 --- /dev/null +++ b/doc/wsug_src/images/toolbar/edit-find.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-add.png b/doc/wsug_src/images/toolbar/filter-toolbar-add.png Binary files differnew file mode 100644 index 00000000..ca3454e4 --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-add.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-apply.png b/doc/wsug_src/images/toolbar/filter-toolbar-apply.png Binary files differnew file mode 100644 index 00000000..262646e7 --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-apply.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png b/doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png Binary files differnew file mode 100644 index 00000000..c7c4c951 --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-bookmark.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-clear.png b/doc/wsug_src/images/toolbar/filter-toolbar-clear.png Binary files differnew file mode 100644 index 00000000..1122947f --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-clear.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-input.png b/doc/wsug_src/images/toolbar/filter-toolbar-input.png Binary files differnew file mode 100644 index 00000000..98962abd --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-input.png diff --git a/doc/wsug_src/images/toolbar/filter-toolbar-recent.png b/doc/wsug_src/images/toolbar/filter-toolbar-recent.png Binary files differnew file mode 100644 index 00000000..fff2d034 --- /dev/null +++ b/doc/wsug_src/images/toolbar/filter-toolbar-recent.png diff --git a/doc/wsug_src/images/toolbar/go-first.png b/doc/wsug_src/images/toolbar/go-first.png Binary files differnew file mode 100644 index 00000000..95b485a0 --- /dev/null +++ b/doc/wsug_src/images/toolbar/go-first.png diff --git a/doc/wsug_src/images/toolbar/go-jump.png b/doc/wsug_src/images/toolbar/go-jump.png Binary files differnew file mode 100644 index 00000000..cc13792d --- /dev/null +++ b/doc/wsug_src/images/toolbar/go-jump.png diff --git a/doc/wsug_src/images/toolbar/go-last.png b/doc/wsug_src/images/toolbar/go-last.png Binary files differnew file mode 100644 index 00000000..78ea4b70 --- /dev/null +++ b/doc/wsug_src/images/toolbar/go-last.png diff --git a/doc/wsug_src/images/toolbar/go-next.png b/doc/wsug_src/images/toolbar/go-next.png Binary files differnew file mode 100644 index 00000000..0bc6a156 --- /dev/null +++ b/doc/wsug_src/images/toolbar/go-next.png diff --git a/doc/wsug_src/images/toolbar/go-previous.png b/doc/wsug_src/images/toolbar/go-previous.png Binary files differnew file mode 100644 index 00000000..6870ea2f --- /dev/null +++ b/doc/wsug_src/images/toolbar/go-previous.png diff --git a/doc/wsug_src/images/toolbar/x-capture-file-close.png b/doc/wsug_src/images/toolbar/x-capture-file-close.png Binary files differnew file mode 100644 index 00000000..dab2f84c --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-file-close.png diff --git a/doc/wsug_src/images/toolbar/x-capture-file-reload.png b/doc/wsug_src/images/toolbar/x-capture-file-reload.png Binary files differnew file mode 100644 index 00000000..22e6edb2 --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-file-reload.png diff --git a/doc/wsug_src/images/toolbar/x-capture-file-save.png b/doc/wsug_src/images/toolbar/x-capture-file-save.png Binary files differnew file mode 100644 index 00000000..48ef2525 --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-file-save.png diff --git a/doc/wsug_src/images/toolbar/x-capture-options.png b/doc/wsug_src/images/toolbar/x-capture-options.png Binary files differnew file mode 100644 index 00000000..a3384e6a --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-options.png diff --git a/doc/wsug_src/images/toolbar/x-capture-restart.png b/doc/wsug_src/images/toolbar/x-capture-restart.png Binary files differnew file mode 100644 index 00000000..eb5eb0b6 --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-restart.png diff --git a/doc/wsug_src/images/toolbar/x-capture-start.png b/doc/wsug_src/images/toolbar/x-capture-start.png Binary files differnew file mode 100644 index 00000000..ac0a3d2b --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-start.png diff --git a/doc/wsug_src/images/toolbar/x-capture-stop.png b/doc/wsug_src/images/toolbar/x-capture-stop.png Binary files differnew file mode 100644 index 00000000..7a64753d --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-capture-stop.png diff --git a/doc/wsug_src/images/toolbar/x-colorize-packets.png b/doc/wsug_src/images/toolbar/x-colorize-packets.png Binary files differnew file mode 100644 index 00000000..624b7eae --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-colorize-packets.png diff --git a/doc/wsug_src/images/toolbar/x-reset-layout_2.png b/doc/wsug_src/images/toolbar/x-reset-layout_2.png Binary files differnew file mode 100644 index 00000000..8d3287ef --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-reset-layout_2.png diff --git a/doc/wsug_src/images/toolbar/x-resize-columns.png b/doc/wsug_src/images/toolbar/x-resize-columns.png Binary files differnew file mode 100644 index 00000000..f79cf321 --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-resize-columns.png diff --git a/doc/wsug_src/images/toolbar/x-stay-last.png b/doc/wsug_src/images/toolbar/x-stay-last.png Binary files differnew file mode 100644 index 00000000..eba7ae54 --- /dev/null +++ b/doc/wsug_src/images/toolbar/x-stay-last.png diff --git a/doc/wsug_src/images/toolbar/zoom-in.png b/doc/wsug_src/images/toolbar/zoom-in.png Binary files differnew file mode 100644 index 00000000..0025c34c --- /dev/null +++ b/doc/wsug_src/images/toolbar/zoom-in.png diff --git a/doc/wsug_src/images/toolbar/zoom-original.png b/doc/wsug_src/images/toolbar/zoom-original.png Binary files differnew file mode 100644 index 00000000..c8bb23e3 --- /dev/null +++ b/doc/wsug_src/images/toolbar/zoom-original.png diff --git a/doc/wsug_src/images/toolbar/zoom-out.png b/doc/wsug_src/images/toolbar/zoom-out.png Binary files differnew file mode 100644 index 00000000..e582655d --- /dev/null +++ b/doc/wsug_src/images/toolbar/zoom-out.png diff --git a/doc/wsug_src/images/warning.svg b/doc/wsug_src/images/warning.svg new file mode 100644 index 00000000..80c0ba5c --- /dev/null +++ b/doc/wsug_src/images/warning.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-triangle" viewBox="0 0 16 16"> + <path d="M7.938 2.016A.13.13 0 0 1 8.002 2a.13.13 0 0 1 .063.016.146.146 0 0 1 .054.057l6.857 11.667c.036.06.035.124.002.183a.163.163 0 0 1-.054.06.116.116 0 0 1-.066.017H1.146a.115.115 0 0 1-.066-.017.163.163 0 0 1-.054-.06.176.176 0 0 1 .002-.183L7.884 2.073a.147.147 0 0 1 .054-.057zm1.044-.45a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566z"/> + <path d="M7.002 12a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 5.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995z"/> +</svg> diff --git a/doc/wsug_src/images/ws-about-codecs.png b/doc/wsug_src/images/ws-about-codecs.png Binary files differnew file mode 100644 index 00000000..5f5c46fa --- /dev/null +++ b/doc/wsug_src/images/ws-about-codecs.png diff --git a/doc/wsug_src/images/ws-analyze-menu.png b/doc/wsug_src/images/ws-analyze-menu.png Binary files differnew file mode 100644 index 00000000..5147d7aa --- /dev/null +++ b/doc/wsug_src/images/ws-analyze-menu.png diff --git a/doc/wsug_src/images/ws-asap-statistics.png b/doc/wsug_src/images/ws-asap-statistics.png Binary files differnew file mode 100644 index 00000000..d1a33072 --- /dev/null +++ b/doc/wsug_src/images/ws-asap-statistics.png diff --git a/doc/wsug_src/images/ws-bluetooth-devices.png b/doc/wsug_src/images/ws-bluetooth-devices.png Binary files differnew file mode 100644 index 00000000..b6d1e3c9 --- /dev/null +++ b/doc/wsug_src/images/ws-bluetooth-devices.png diff --git a/doc/wsug_src/images/ws-bt-hci-summary.png b/doc/wsug_src/images/ws-bt-hci-summary.png Binary files differnew file mode 100644 index 00000000..16b7bec6 --- /dev/null +++ b/doc/wsug_src/images/ws-bt-hci-summary.png diff --git a/doc/wsug_src/images/ws-bytes-pane-popup-menu.png b/doc/wsug_src/images/ws-bytes-pane-popup-menu.png Binary files differnew file mode 100644 index 00000000..bee43bfc --- /dev/null +++ b/doc/wsug_src/images/ws-bytes-pane-popup-menu.png diff --git a/doc/wsug_src/images/ws-bytes-pane-tabs.png b/doc/wsug_src/images/ws-bytes-pane-tabs.png Binary files differnew file mode 100644 index 00000000..b9817a2c --- /dev/null +++ b/doc/wsug_src/images/ws-bytes-pane-tabs.png diff --git a/doc/wsug_src/images/ws-bytes-pane.png b/doc/wsug_src/images/ws-bytes-pane.png Binary files differnew file mode 100644 index 00000000..70d1291a --- /dev/null +++ b/doc/wsug_src/images/ws-bytes-pane.png diff --git a/doc/wsug_src/images/ws-calcappprotocol-statistics.png b/doc/wsug_src/images/ws-calcappprotocol-statistics.png Binary files differnew file mode 100644 index 00000000..3c9d9fe9 --- /dev/null +++ b/doc/wsug_src/images/ws-calcappprotocol-statistics.png diff --git a/doc/wsug_src/images/ws-capture-file-properties.png b/doc/wsug_src/images/ws-capture-file-properties.png Binary files differnew file mode 100644 index 00000000..816987b3 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-file-properties.png diff --git a/doc/wsug_src/images/ws-capture-info.png b/doc/wsug_src/images/ws-capture-info.png Binary files differnew file mode 100644 index 00000000..e82ec0ad --- /dev/null +++ b/doc/wsug_src/images/ws-capture-info.png diff --git a/doc/wsug_src/images/ws-capture-interfaces-main-macos.png b/doc/wsug_src/images/ws-capture-interfaces-main-macos.png Binary files differnew file mode 100644 index 00000000..38698864 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-interfaces-main-macos.png diff --git a/doc/wsug_src/images/ws-capture-interfaces-main-win32.png b/doc/wsug_src/images/ws-capture-interfaces-main-win32.png Binary files differnew file mode 100644 index 00000000..a50b64e8 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-interfaces-main-win32.png diff --git a/doc/wsug_src/images/ws-capture-menu.png b/doc/wsug_src/images/ws-capture-menu.png Binary files differnew file mode 100644 index 00000000..5d001e18 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-menu.png diff --git a/doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png b/doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png Binary files differnew file mode 100644 index 00000000..14501e0e --- /dev/null +++ b/doc/wsug_src/images/ws-capture-options-compile-selected-bpfs.png diff --git a/doc/wsug_src/images/ws-capture-options-options.png b/doc/wsug_src/images/ws-capture-options-options.png Binary files differnew file mode 100644 index 00000000..b72a54f9 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-options-options.png diff --git a/doc/wsug_src/images/ws-capture-options-output.png b/doc/wsug_src/images/ws-capture-options-output.png Binary files differnew file mode 100644 index 00000000..097c7f0a --- /dev/null +++ b/doc/wsug_src/images/ws-capture-options-output.png diff --git a/doc/wsug_src/images/ws-capture-options.png b/doc/wsug_src/images/ws-capture-options.png Binary files differnew file mode 100644 index 00000000..8a12d436 --- /dev/null +++ b/doc/wsug_src/images/ws-capture-options.png diff --git a/doc/wsug_src/images/ws-choose-color-rule.png b/doc/wsug_src/images/ws-choose-color-rule.png Binary files differnew file mode 100644 index 00000000..263aa551 --- /dev/null +++ b/doc/wsug_src/images/ws-choose-color-rule.png diff --git a/doc/wsug_src/images/ws-coloring-fields.png b/doc/wsug_src/images/ws-coloring-fields.png Binary files differnew file mode 100644 index 00000000..9a5171ab --- /dev/null +++ b/doc/wsug_src/images/ws-coloring-fields.png diff --git a/doc/wsug_src/images/ws-coloring-rules-dialog.png b/doc/wsug_src/images/ws-coloring-rules-dialog.png Binary files differnew file mode 100644 index 00000000..ac6d28e5 --- /dev/null +++ b/doc/wsug_src/images/ws-coloring-rules-dialog.png diff --git a/doc/wsug_src/images/ws-column-header-popup-menu.png b/doc/wsug_src/images/ws-column-header-popup-menu.png Binary files differnew file mode 100644 index 00000000..d895dd8a --- /dev/null +++ b/doc/wsug_src/images/ws-column-header-popup-menu.png diff --git a/doc/wsug_src/images/ws-csp-statistics.png b/doc/wsug_src/images/ws-csp-statistics.png Binary files differnew file mode 100644 index 00000000..cbade243 --- /dev/null +++ b/doc/wsug_src/images/ws-csp-statistics.png diff --git a/doc/wsug_src/images/ws-decode-as.png b/doc/wsug_src/images/ws-decode-as.png Binary files differnew file mode 100644 index 00000000..2b37e567 --- /dev/null +++ b/doc/wsug_src/images/ws-decode-as.png diff --git a/doc/wsug_src/images/ws-details-pane-popup-menu.png b/doc/wsug_src/images/ws-details-pane-popup-menu.png Binary files differnew file mode 100644 index 00000000..c0980ba1 --- /dev/null +++ b/doc/wsug_src/images/ws-details-pane-popup-menu.png diff --git a/doc/wsug_src/images/ws-details-pane.png b/doc/wsug_src/images/ws-details-pane.png Binary files differnew file mode 100644 index 00000000..cc0b9176 --- /dev/null +++ b/doc/wsug_src/images/ws-details-pane.png diff --git a/doc/wsug_src/images/ws-diagram-pane-popup-menu.png b/doc/wsug_src/images/ws-diagram-pane-popup-menu.png Binary files differnew file mode 100644 index 00000000..1e17628d --- /dev/null +++ b/doc/wsug_src/images/ws-diagram-pane-popup-menu.png diff --git a/doc/wsug_src/images/ws-diagram-pane.png b/doc/wsug_src/images/ws-diagram-pane.png Binary files differnew file mode 100644 index 00000000..117f1f58 --- /dev/null +++ b/doc/wsug_src/images/ws-diagram-pane.png diff --git a/doc/wsug_src/images/ws-display-filter-tcp.png b/doc/wsug_src/images/ws-display-filter-tcp.png Binary files differnew file mode 100644 index 00000000..181f41d0 --- /dev/null +++ b/doc/wsug_src/images/ws-display-filter-tcp.png diff --git a/doc/wsug_src/images/ws-dns.png b/doc/wsug_src/images/ws-dns.png Binary files differnew file mode 100644 index 00000000..4458e3cb --- /dev/null +++ b/doc/wsug_src/images/ws-dns.png diff --git a/doc/wsug_src/images/ws-edit-menu.png b/doc/wsug_src/images/ws-edit-menu.png Binary files differnew file mode 100644 index 00000000..204e2194 --- /dev/null +++ b/doc/wsug_src/images/ws-edit-menu.png diff --git a/doc/wsug_src/images/ws-enabled-protocols.png b/doc/wsug_src/images/ws-enabled-protocols.png Binary files differnew file mode 100644 index 00000000..a7d149b1 --- /dev/null +++ b/doc/wsug_src/images/ws-enabled-protocols.png diff --git a/doc/wsug_src/images/ws-enrp-statistics.png b/doc/wsug_src/images/ws-enrp-statistics.png Binary files differnew file mode 100644 index 00000000..df0db91d --- /dev/null +++ b/doc/wsug_src/images/ws-enrp-statistics.png diff --git a/doc/wsug_src/images/ws-expert-colored-tree.png b/doc/wsug_src/images/ws-expert-colored-tree.png Binary files differnew file mode 100644 index 00000000..a203ff67 --- /dev/null +++ b/doc/wsug_src/images/ws-expert-colored-tree.png diff --git a/doc/wsug_src/images/ws-expert-column.png b/doc/wsug_src/images/ws-expert-column.png Binary files differnew file mode 100644 index 00000000..66941afb --- /dev/null +++ b/doc/wsug_src/images/ws-expert-column.png diff --git a/doc/wsug_src/images/ws-expert-information.png b/doc/wsug_src/images/ws-expert-information.png Binary files differnew file mode 100644 index 00000000..8fa63107 --- /dev/null +++ b/doc/wsug_src/images/ws-expert-information.png diff --git a/doc/wsug_src/images/ws-export-objects.png b/doc/wsug_src/images/ws-export-objects.png Binary files differnew file mode 100644 index 00000000..fc9a0244 --- /dev/null +++ b/doc/wsug_src/images/ws-export-objects.png diff --git a/doc/wsug_src/images/ws-export-packet-dissections.png b/doc/wsug_src/images/ws-export-packet-dissections.png Binary files differnew file mode 100644 index 00000000..4be7c958 --- /dev/null +++ b/doc/wsug_src/images/ws-export-packet-dissections.png diff --git a/doc/wsug_src/images/ws-export-pdus-to-file.png b/doc/wsug_src/images/ws-export-pdus-to-file.png Binary files differnew file mode 100644 index 00000000..a4969229 --- /dev/null +++ b/doc/wsug_src/images/ws-export-pdus-to-file.png diff --git a/doc/wsug_src/images/ws-export-selected.png b/doc/wsug_src/images/ws-export-selected.png Binary files differnew file mode 100644 index 00000000..1c20f76f --- /dev/null +++ b/doc/wsug_src/images/ws-export-selected.png diff --git a/doc/wsug_src/images/ws-export-specified-packets.png b/doc/wsug_src/images/ws-export-specified-packets.png Binary files differnew file mode 100644 index 00000000..e8bb8aef --- /dev/null +++ b/doc/wsug_src/images/ws-export-specified-packets.png diff --git a/doc/wsug_src/images/ws-fgp-statistics.png b/doc/wsug_src/images/ws-fgp-statistics.png Binary files differnew file mode 100644 index 00000000..bfe4d50f --- /dev/null +++ b/doc/wsug_src/images/ws-fgp-statistics.png diff --git a/doc/wsug_src/images/ws-file-import-regex.png b/doc/wsug_src/images/ws-file-import-regex.png Binary files differnew file mode 100644 index 00000000..3f57eb16 --- /dev/null +++ b/doc/wsug_src/images/ws-file-import-regex.png diff --git a/doc/wsug_src/images/ws-file-import.png b/doc/wsug_src/images/ws-file-import.png Binary files differnew file mode 100644 index 00000000..e957d14e --- /dev/null +++ b/doc/wsug_src/images/ws-file-import.png diff --git a/doc/wsug_src/images/ws-file-menu.png b/doc/wsug_src/images/ws-file-menu.png Binary files differnew file mode 100644 index 00000000..d7e8d43a --- /dev/null +++ b/doc/wsug_src/images/ws-file-menu.png diff --git a/doc/wsug_src/images/ws-file-set-dialog.png b/doc/wsug_src/images/ws-file-set-dialog.png Binary files differnew file mode 100644 index 00000000..fb470d2b --- /dev/null +++ b/doc/wsug_src/images/ws-file-set-dialog.png diff --git a/doc/wsug_src/images/ws-filter-add-expression.png b/doc/wsug_src/images/ws-filter-add-expression.png Binary files differnew file mode 100644 index 00000000..e4f99703 --- /dev/null +++ b/doc/wsug_src/images/ws-filter-add-expression.png diff --git a/doc/wsug_src/images/ws-filter-macros.png b/doc/wsug_src/images/ws-filter-macros.png Binary files differnew file mode 100644 index 00000000..001e724e --- /dev/null +++ b/doc/wsug_src/images/ws-filter-macros.png diff --git a/doc/wsug_src/images/ws-filter-toolbar.png b/doc/wsug_src/images/ws-filter-toolbar.png Binary files differnew file mode 100644 index 00000000..1c680c64 --- /dev/null +++ b/doc/wsug_src/images/ws-filter-toolbar.png diff --git a/doc/wsug_src/images/ws-filters.png b/doc/wsug_src/images/ws-filters.png Binary files differnew file mode 100644 index 00000000..afbb36ef --- /dev/null +++ b/doc/wsug_src/images/ws-filters.png diff --git a/doc/wsug_src/images/ws-find-packet.png b/doc/wsug_src/images/ws-find-packet.png Binary files differnew file mode 100644 index 00000000..e773d94c --- /dev/null +++ b/doc/wsug_src/images/ws-find-packet.png diff --git a/doc/wsug_src/images/ws-flow-graph.png b/doc/wsug_src/images/ws-flow-graph.png Binary files differnew file mode 100644 index 00000000..17dacdaf --- /dev/null +++ b/doc/wsug_src/images/ws-flow-graph.png diff --git a/doc/wsug_src/images/ws-follow-http2-stream.png b/doc/wsug_src/images/ws-follow-http2-stream.png Binary files differnew file mode 100644 index 00000000..616dfd7f --- /dev/null +++ b/doc/wsug_src/images/ws-follow-http2-stream.png diff --git a/doc/wsug_src/images/ws-follow-sip-stream.png b/doc/wsug_src/images/ws-follow-sip-stream.png Binary files differnew file mode 100644 index 00000000..52f8181c --- /dev/null +++ b/doc/wsug_src/images/ws-follow-sip-stream.png diff --git a/doc/wsug_src/images/ws-follow-stream.png b/doc/wsug_src/images/ws-follow-stream.png Binary files differnew file mode 100644 index 00000000..1c926aff --- /dev/null +++ b/doc/wsug_src/images/ws-follow-stream.png diff --git a/doc/wsug_src/images/ws-go-menu.png b/doc/wsug_src/images/ws-go-menu.png Binary files differnew file mode 100644 index 00000000..d0231c9f --- /dev/null +++ b/doc/wsug_src/images/ws-go-menu.png diff --git a/doc/wsug_src/images/ws-goto-packet.png b/doc/wsug_src/images/ws-goto-packet.png Binary files differnew file mode 100644 index 00000000..10092fc5 --- /dev/null +++ b/doc/wsug_src/images/ws-goto-packet.png diff --git a/doc/wsug_src/images/ws-gui-config-profiles.png b/doc/wsug_src/images/ws-gui-config-profiles.png Binary files differnew file mode 100644 index 00000000..b1e22541 --- /dev/null +++ b/doc/wsug_src/images/ws-gui-config-profiles.png diff --git a/doc/wsug_src/images/ws-help-menu.png b/doc/wsug_src/images/ws-help-menu.png Binary files differnew file mode 100644 index 00000000..f083a851 --- /dev/null +++ b/doc/wsug_src/images/ws-help-menu.png diff --git a/doc/wsug_src/images/ws-list-pane.png b/doc/wsug_src/images/ws-list-pane.png Binary files differnew file mode 100644 index 00000000..8770bc45 --- /dev/null +++ b/doc/wsug_src/images/ws-list-pane.png diff --git a/doc/wsug_src/images/ws-main-toolbar.png b/doc/wsug_src/images/ws-main-toolbar.png Binary files differnew file mode 100644 index 00000000..27fe78d1 --- /dev/null +++ b/doc/wsug_src/images/ws-main-toolbar.png diff --git a/doc/wsug_src/images/ws-main.png b/doc/wsug_src/images/ws-main.png Binary files differnew file mode 100644 index 00000000..a975b9ef --- /dev/null +++ b/doc/wsug_src/images/ws-main.png diff --git a/doc/wsug_src/images/ws-manage-interfaces.png b/doc/wsug_src/images/ws-manage-interfaces.png Binary files differnew file mode 100644 index 00000000..ff37aa28 --- /dev/null +++ b/doc/wsug_src/images/ws-manage-interfaces.png diff --git a/doc/wsug_src/images/ws-mate-analysis.png b/doc/wsug_src/images/ws-mate-analysis.png Binary files differnew file mode 100644 index 00000000..bb33b4f9 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-analysis.png diff --git a/doc/wsug_src/images/ws-mate-dns_pane.png b/doc/wsug_src/images/ws-mate-dns_pane.png Binary files differnew file mode 100644 index 00000000..99e5a075 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-dns_pane.png diff --git a/doc/wsug_src/images/ws-mate-dns_pdu.png b/doc/wsug_src/images/ws-mate-dns_pdu.png Binary files differnew file mode 100644 index 00000000..15063035 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-dns_pdu.png diff --git a/doc/wsug_src/images/ws-mate-ftp_over_gre.png b/doc/wsug_src/images/ws-mate-ftp_over_gre.png Binary files differnew file mode 100644 index 00000000..b7aa6371 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-ftp_over_gre.png diff --git a/doc/wsug_src/images/ws-mate-gop_analysis.png b/doc/wsug_src/images/ws-mate-gop_analysis.png Binary files differnew file mode 100644 index 00000000..6086fa76 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-gop_analysis.png diff --git a/doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png b/doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png Binary files differnew file mode 100644 index 00000000..a6e2baf1 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png diff --git a/doc/wsug_src/images/ws-mate-mmse_over_http.png b/doc/wsug_src/images/ws-mate-mmse_over_http.png Binary files differnew file mode 100644 index 00000000..4ee2d4e7 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-mmse_over_http.png diff --git a/doc/wsug_src/images/ws-mate-pdu_analysis.png b/doc/wsug_src/images/ws-mate-pdu_analysis.png Binary files differnew file mode 100644 index 00000000..cf126e8e --- /dev/null +++ b/doc/wsug_src/images/ws-mate-pdu_analysis.png diff --git a/doc/wsug_src/images/ws-mate-tcp-output.png b/doc/wsug_src/images/ws-mate-tcp-output.png Binary files differnew file mode 100644 index 00000000..c6688867 --- /dev/null +++ b/doc/wsug_src/images/ws-mate-tcp-output.png diff --git a/doc/wsug_src/images/ws-mate-transform.png b/doc/wsug_src/images/ws-mate-transform.png Binary files differnew file mode 100644 index 00000000..a943011d --- /dev/null +++ b/doc/wsug_src/images/ws-mate-transform.png diff --git a/doc/wsug_src/images/ws-menu.png b/doc/wsug_src/images/ws-menu.png Binary files differnew file mode 100644 index 00000000..3f7f847d --- /dev/null +++ b/doc/wsug_src/images/ws-menu.png diff --git a/doc/wsug_src/images/ws-merge-qt5.png b/doc/wsug_src/images/ws-merge-qt5.png Binary files differnew file mode 100644 index 00000000..e5d03684 --- /dev/null +++ b/doc/wsug_src/images/ws-merge-qt5.png diff --git a/doc/wsug_src/images/ws-merge-win32.png b/doc/wsug_src/images/ws-merge-win32.png Binary files differnew file mode 100644 index 00000000..c3233baf --- /dev/null +++ b/doc/wsug_src/images/ws-merge-win32.png diff --git a/doc/wsug_src/images/ws-netperfmeter-statistics.png b/doc/wsug_src/images/ws-netperfmeter-statistics.png Binary files differnew file mode 100644 index 00000000..15a0c7aa --- /dev/null +++ b/doc/wsug_src/images/ws-netperfmeter-statistics.png diff --git a/doc/wsug_src/images/ws-open-qt5.png b/doc/wsug_src/images/ws-open-qt5.png Binary files differnew file mode 100644 index 00000000..01acf864 --- /dev/null +++ b/doc/wsug_src/images/ws-open-qt5.png diff --git a/doc/wsug_src/images/ws-open-win32.png b/doc/wsug_src/images/ws-open-win32.png Binary files differnew file mode 100644 index 00000000..182942a2 --- /dev/null +++ b/doc/wsug_src/images/ws-open-win32.png diff --git a/doc/wsug_src/images/ws-packet-format.png b/doc/wsug_src/images/ws-packet-format.png Binary files differnew file mode 100644 index 00000000..74a24d46 --- /dev/null +++ b/doc/wsug_src/images/ws-packet-format.png diff --git a/doc/wsug_src/images/ws-packet-pane-popup-menu.png b/doc/wsug_src/images/ws-packet-pane-popup-menu.png Binary files differnew file mode 100644 index 00000000..6a2cc4d5 --- /dev/null +++ b/doc/wsug_src/images/ws-packet-pane-popup-menu.png diff --git a/doc/wsug_src/images/ws-packet-range.png b/doc/wsug_src/images/ws-packet-range.png Binary files differnew file mode 100644 index 00000000..a35a008a --- /dev/null +++ b/doc/wsug_src/images/ws-packet-range.png diff --git a/doc/wsug_src/images/ws-packet-selected.png b/doc/wsug_src/images/ws-packet-selected.png Binary files differnew file mode 100644 index 00000000..bafc07cd --- /dev/null +++ b/doc/wsug_src/images/ws-packet-selected.png diff --git a/doc/wsug_src/images/ws-packet-sep-win.png b/doc/wsug_src/images/ws-packet-sep-win.png Binary files differnew file mode 100644 index 00000000..f9e507ff --- /dev/null +++ b/doc/wsug_src/images/ws-packet-sep-win.png diff --git a/doc/wsug_src/images/ws-pingpongprotocol-statistics.png b/doc/wsug_src/images/ws-pingpongprotocol-statistics.png Binary files differnew file mode 100644 index 00000000..d67b7cdd --- /dev/null +++ b/doc/wsug_src/images/ws-pingpongprotocol-statistics.png diff --git a/doc/wsug_src/images/ws-pref-advanced.png b/doc/wsug_src/images/ws-pref-advanced.png Binary files differnew file mode 100644 index 00000000..c7c44499 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-advanced.png diff --git a/doc/wsug_src/images/ws-pref-appearance-columns.png b/doc/wsug_src/images/ws-pref-appearance-columns.png Binary files differnew file mode 100644 index 00000000..84db3d9f --- /dev/null +++ b/doc/wsug_src/images/ws-pref-appearance-columns.png diff --git a/doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png b/doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png Binary files differnew file mode 100644 index 00000000..538a20f4 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-appearance-fonts-and-colors.png diff --git a/doc/wsug_src/images/ws-pref-appearance-layout.png b/doc/wsug_src/images/ws-pref-appearance-layout.png Binary files differnew file mode 100644 index 00000000..6f896d1e --- /dev/null +++ b/doc/wsug_src/images/ws-pref-appearance-layout.png diff --git a/doc/wsug_src/images/ws-pref-appearance.png b/doc/wsug_src/images/ws-pref-appearance.png Binary files differnew file mode 100644 index 00000000..ffc52e21 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-appearance.png diff --git a/doc/wsug_src/images/ws-pref-capture.png b/doc/wsug_src/images/ws-pref-capture.png Binary files differnew file mode 100644 index 00000000..5c76d286 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-capture.png diff --git a/doc/wsug_src/images/ws-pref-expert.png b/doc/wsug_src/images/ws-pref-expert.png Binary files differnew file mode 100644 index 00000000..fe1594b9 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-expert.png diff --git a/doc/wsug_src/images/ws-pref-filter-buttons.png b/doc/wsug_src/images/ws-pref-filter-buttons.png Binary files differnew file mode 100644 index 00000000..e45e736a --- /dev/null +++ b/doc/wsug_src/images/ws-pref-filter-buttons.png diff --git a/doc/wsug_src/images/ws-pref-name-resolution.png b/doc/wsug_src/images/ws-pref-name-resolution.png Binary files differnew file mode 100644 index 00000000..3fdc7d55 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-name-resolution.png diff --git a/doc/wsug_src/images/ws-pref-protocols.png b/doc/wsug_src/images/ws-pref-protocols.png Binary files differnew file mode 100644 index 00000000..2b73d3e6 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-protocols.png diff --git a/doc/wsug_src/images/ws-pref-rsa-keys.png b/doc/wsug_src/images/ws-pref-rsa-keys.png Binary files differnew file mode 100644 index 00000000..21cb6200 --- /dev/null +++ b/doc/wsug_src/images/ws-pref-rsa-keys.png diff --git a/doc/wsug_src/images/ws-pref-statistics.png b/doc/wsug_src/images/ws-pref-statistics.png Binary files differnew file mode 100644 index 00000000..2bef021e --- /dev/null +++ b/doc/wsug_src/images/ws-pref-statistics.png diff --git a/doc/wsug_src/images/ws-print.png b/doc/wsug_src/images/ws-print.png Binary files differnew file mode 100644 index 00000000..9c3b79ec --- /dev/null +++ b/doc/wsug_src/images/ws-print.png diff --git a/doc/wsug_src/images/ws-resolved-addr.png b/doc/wsug_src/images/ws-resolved-addr.png Binary files differnew file mode 100644 index 00000000..c3868215 --- /dev/null +++ b/doc/wsug_src/images/ws-resolved-addr.png diff --git a/doc/wsug_src/images/ws-rlc-graph.png b/doc/wsug_src/images/ws-rlc-graph.png Binary files differnew file mode 100644 index 00000000..e14bb72a --- /dev/null +++ b/doc/wsug_src/images/ws-rlc-graph.png diff --git a/doc/wsug_src/images/ws-save-as-qt5.png b/doc/wsug_src/images/ws-save-as-qt5.png Binary files differnew file mode 100644 index 00000000..64d2eec5 --- /dev/null +++ b/doc/wsug_src/images/ws-save-as-qt5.png diff --git a/doc/wsug_src/images/ws-save-as-win32.png b/doc/wsug_src/images/ws-save-as-win32.png Binary files differnew file mode 100644 index 00000000..e50619f9 --- /dev/null +++ b/doc/wsug_src/images/ws-save-as-win32.png diff --git a/doc/wsug_src/images/ws-sctp-1-association.png b/doc/wsug_src/images/ws-sctp-1-association.png Binary files differnew file mode 100644 index 00000000..0573ae84 --- /dev/null +++ b/doc/wsug_src/images/ws-sctp-1-association.png diff --git a/doc/wsug_src/images/ws-sctp.png b/doc/wsug_src/images/ws-sctp.png Binary files differnew file mode 100644 index 00000000..884a91e2 --- /dev/null +++ b/doc/wsug_src/images/ws-sctp.png diff --git a/doc/wsug_src/images/ws-ssp-statistics.png b/doc/wsug_src/images/ws-ssp-statistics.png Binary files differnew file mode 100644 index 00000000..8c6817b6 --- /dev/null +++ b/doc/wsug_src/images/ws-ssp-statistics.png diff --git a/doc/wsug_src/images/ws-statistics-menu.png b/doc/wsug_src/images/ws-statistics-menu.png Binary files differnew file mode 100644 index 00000000..e772bffa --- /dev/null +++ b/doc/wsug_src/images/ws-statistics-menu.png diff --git a/doc/wsug_src/images/ws-stats-conversations.png b/doc/wsug_src/images/ws-stats-conversations.png Binary files differnew file mode 100644 index 00000000..fb4cd9e3 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-conversations.png diff --git a/doc/wsug_src/images/ws-stats-endpoints.png b/doc/wsug_src/images/ws-stats-endpoints.png Binary files differnew file mode 100644 index 00000000..917726a2 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-endpoints.png diff --git a/doc/wsug_src/images/ws-stats-hierarchy.png b/doc/wsug_src/images/ws-stats-hierarchy.png Binary files differnew file mode 100644 index 00000000..f904ece4 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-hierarchy.png diff --git a/doc/wsug_src/images/ws-stats-http-requestsequences.png b/doc/wsug_src/images/ws-stats-http-requestsequences.png Binary files differnew file mode 100644 index 00000000..8365673b --- /dev/null +++ b/doc/wsug_src/images/ws-stats-http-requestsequences.png diff --git a/doc/wsug_src/images/ws-stats-iographs.png b/doc/wsug_src/images/ws-stats-iographs.png Binary files differnew file mode 100644 index 00000000..80e4cf7f --- /dev/null +++ b/doc/wsug_src/images/ws-stats-iographs.png diff --git a/doc/wsug_src/images/ws-stats-lte-mac-traffic.png b/doc/wsug_src/images/ws-stats-lte-mac-traffic.png Binary files differnew file mode 100644 index 00000000..441ab970 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-lte-mac-traffic.png diff --git a/doc/wsug_src/images/ws-stats-lte-rlc-traffic.png b/doc/wsug_src/images/ws-stats-lte-rlc-traffic.png Binary files differnew file mode 100644 index 00000000..9fb13647 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-lte-rlc-traffic.png diff --git a/doc/wsug_src/images/ws-stats-packet-lengths.png b/doc/wsug_src/images/ws-stats-packet-lengths.png Binary files differnew file mode 100644 index 00000000..7b22e4d1 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-packet-lengths.png diff --git a/doc/wsug_src/images/ws-stats-srt-smb2.png b/doc/wsug_src/images/ws-stats-srt-smb2.png Binary files differnew file mode 100644 index 00000000..6e05af05 --- /dev/null +++ b/doc/wsug_src/images/ws-stats-srt-smb2.png diff --git a/doc/wsug_src/images/ws-stats-wlan-traffic.png b/doc/wsug_src/images/ws-stats-wlan-traffic.png Binary files differnew file mode 100644 index 00000000..8186b4ac --- /dev/null +++ b/doc/wsug_src/images/ws-stats-wlan-traffic.png diff --git a/doc/wsug_src/images/ws-statusbar-empty.png b/doc/wsug_src/images/ws-statusbar-empty.png Binary files differnew file mode 100644 index 00000000..953acedc --- /dev/null +++ b/doc/wsug_src/images/ws-statusbar-empty.png diff --git a/doc/wsug_src/images/ws-statusbar-filter.png b/doc/wsug_src/images/ws-statusbar-filter.png Binary files differnew file mode 100644 index 00000000..1e09e0b1 --- /dev/null +++ b/doc/wsug_src/images/ws-statusbar-filter.png diff --git a/doc/wsug_src/images/ws-statusbar-loaded.png b/doc/wsug_src/images/ws-statusbar-loaded.png Binary files differnew file mode 100644 index 00000000..8b19b02c --- /dev/null +++ b/doc/wsug_src/images/ws-statusbar-loaded.png diff --git a/doc/wsug_src/images/ws-statusbar-profile.png b/doc/wsug_src/images/ws-statusbar-profile.png Binary files differnew file mode 100644 index 00000000..dcc309b6 --- /dev/null +++ b/doc/wsug_src/images/ws-statusbar-profile.png diff --git a/doc/wsug_src/images/ws-statusbar-selected.png b/doc/wsug_src/images/ws-statusbar-selected.png Binary files differnew file mode 100644 index 00000000..fd10c24c --- /dev/null +++ b/doc/wsug_src/images/ws-statusbar-selected.png diff --git a/doc/wsug_src/images/ws-tcp-analysis.png b/doc/wsug_src/images/ws-tcp-analysis.png Binary files differnew file mode 100644 index 00000000..9a376c51 --- /dev/null +++ b/doc/wsug_src/images/ws-tcp-analysis.png diff --git a/doc/wsug_src/images/ws-tel-playlist.dia b/doc/wsug_src/images/ws-tel-playlist.dia Binary files differnew file mode 100644 index 00000000..28eced58 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-playlist.dia diff --git a/doc/wsug_src/images/ws-tel-playlist.png b/doc/wsug_src/images/ws-tel-playlist.png Binary files differnew file mode 100644 index 00000000..4c586d05 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-playlist.png diff --git a/doc/wsug_src/images/ws-tel-rtp-player_1.png b/doc/wsug_src/images/ws-tel-rtp-player_1.png Binary files differnew file mode 100644 index 00000000..9e7249dc --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_1.png diff --git a/doc/wsug_src/images/ws-tel-rtp-player_1.xcf b/doc/wsug_src/images/ws-tel-rtp-player_1.xcf Binary files differnew file mode 100644 index 00000000..c48a0cad --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_1.xcf diff --git a/doc/wsug_src/images/ws-tel-rtp-player_2.png b/doc/wsug_src/images/ws-tel-rtp-player_2.png Binary files differnew file mode 100644 index 00000000..8ec513e9 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_2.png diff --git a/doc/wsug_src/images/ws-tel-rtp-player_2.xcf b/doc/wsug_src/images/ws-tel-rtp-player_2.xcf Binary files differnew file mode 100644 index 00000000..4411c7cb --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_2.xcf diff --git a/doc/wsug_src/images/ws-tel-rtp-player_3.png b/doc/wsug_src/images/ws-tel-rtp-player_3.png Binary files differnew file mode 100644 index 00000000..6eb5c15d --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_3.png diff --git a/doc/wsug_src/images/ws-tel-rtp-player_button.png b/doc/wsug_src/images/ws-tel-rtp-player_button.png Binary files differnew file mode 100644 index 00000000..a4a5183c --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-player_button.png diff --git a/doc/wsug_src/images/ws-tel-rtp-streams.png b/doc/wsug_src/images/ws-tel-rtp-streams.png Binary files differnew file mode 100644 index 00000000..d9ce9592 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtp-streams.png diff --git a/doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png Binary files differnew file mode 100644 index 00000000..48b3de47 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_1.png diff --git a/doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png Binary files differnew file mode 100644 index 00000000..2819ede0 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_2.png diff --git a/doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png b/doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png Binary files differnew file mode 100644 index 00000000..cf3dccce --- /dev/null +++ b/doc/wsug_src/images/ws-tel-rtpstream-analysis_3.png diff --git a/doc/wsug_src/images/ws-tel-seq-dialog.png b/doc/wsug_src/images/ws-tel-seq-dialog.png Binary files differnew file mode 100644 index 00000000..18f78cc3 --- /dev/null +++ b/doc/wsug_src/images/ws-tel-seq-dialog.png diff --git a/doc/wsug_src/images/ws-tel-voip-calls.png b/doc/wsug_src/images/ws-tel-voip-calls.png Binary files differnew file mode 100644 index 00000000..a8d8909c --- /dev/null +++ b/doc/wsug_src/images/ws-tel-voip-calls.png diff --git a/doc/wsug_src/images/ws-telephony-menu.png b/doc/wsug_src/images/ws-telephony-menu.png Binary files differnew file mode 100644 index 00000000..38facaaf --- /dev/null +++ b/doc/wsug_src/images/ws-telephony-menu.png diff --git a/doc/wsug_src/images/ws-time-reference.png b/doc/wsug_src/images/ws-time-reference.png Binary files differnew file mode 100644 index 00000000..656dfab1 --- /dev/null +++ b/doc/wsug_src/images/ws-time-reference.png diff --git a/doc/wsug_src/images/ws-time-shift-details.png b/doc/wsug_src/images/ws-time-shift-details.png Binary files differnew file mode 100644 index 00000000..8872a306 --- /dev/null +++ b/doc/wsug_src/images/ws-time-shift-details.png diff --git a/doc/wsug_src/images/ws-time-shift.png b/doc/wsug_src/images/ws-time-shift.png Binary files differnew file mode 100644 index 00000000..dcfb6f7e --- /dev/null +++ b/doc/wsug_src/images/ws-time-shift.png diff --git a/doc/wsug_src/images/ws-tls-session-keys.png b/doc/wsug_src/images/ws-tls-session-keys.png Binary files differnew file mode 100644 index 00000000..ba0084f1 --- /dev/null +++ b/doc/wsug_src/images/ws-tls-session-keys.png diff --git a/doc/wsug_src/images/ws-tools-menu.png b/doc/wsug_src/images/ws-tools-menu.png Binary files differnew file mode 100644 index 00000000..edc753de --- /dev/null +++ b/doc/wsug_src/images/ws-tools-menu.png diff --git a/doc/wsug_src/images/ws-udp-multicast-stream.png b/doc/wsug_src/images/ws-udp-multicast-stream.png Binary files differnew file mode 100644 index 00000000..b2bcbdec --- /dev/null +++ b/doc/wsug_src/images/ws-udp-multicast-stream.png diff --git a/doc/wsug_src/images/ws-user-guide-cover.png b/doc/wsug_src/images/ws-user-guide-cover.png Binary files differnew file mode 100644 index 00000000..7aeda92a --- /dev/null +++ b/doc/wsug_src/images/ws-user-guide-cover.png diff --git a/doc/wsug_src/images/ws-view-menu.png b/doc/wsug_src/images/ws-view-menu.png Binary files differnew file mode 100644 index 00000000..78e932b1 --- /dev/null +++ b/doc/wsug_src/images/ws-view-menu.png diff --git a/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png b/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png Binary files differnew file mode 100644 index 00000000..327ca1d3 --- /dev/null +++ b/doc/wsug_src/images/ws-wireless-ieee-80211-pref.png diff --git a/doc/wsug_src/images/ws-wireless-key-examples.png b/doc/wsug_src/images/ws-wireless-key-examples.png Binary files differnew file mode 100644 index 00000000..5e85b5ed --- /dev/null +++ b/doc/wsug_src/images/ws-wireless-key-examples.png diff --git a/doc/wsug_src/images/ws-wireless-key-type.png b/doc/wsug_src/images/ws-wireless-key-type.png Binary files differnew file mode 100644 index 00000000..cdce5d7d --- /dev/null +++ b/doc/wsug_src/images/ws-wireless-key-type.png diff --git a/doc/wsug_src/images/ws-wireless-menu.png b/doc/wsug_src/images/ws-wireless-menu.png Binary files differnew file mode 100644 index 00000000..002289ed --- /dev/null +++ b/doc/wsug_src/images/ws-wireless-menu.png diff --git a/doc/wsug_src/mergecap-h.txt b/doc/wsug_src/mergecap-h.txt new file mode 100644 index 00000000..ffe8dd66 --- /dev/null +++ b/doc/wsug_src/mergecap-h.txt @@ -0,0 +1,22 @@ +Mergecap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Merge two or more capture files into one. +See https://www.wireshark.org for more information. + +Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...] + +Output: + -a concatenate rather than merge files. + default is to merge based on frame timestamps. + -s <snaplen> truncate packets to <snaplen> bytes of data. + -w <outfile>|- set the output filename to <outfile> or '-' for stdout. + if the output filename has the .gz extension, it will be compressed to a gzip archive + -F <capture type> set the output file type; default is pcapng. + an empty "-F" option will list the file types. + -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'. + an empty "-I" option will list the merge modes. + --compress <type> compress the output file using the type compression format. + +Miscellaneous: + -h, --help display this help and exit. + -V verbose output. + -v, --version print version information and exit. diff --git a/doc/wsug_src/rawshark-h.txt b/doc/wsug_src/rawshark-h.txt new file mode 100644 index 00000000..c7435001 --- /dev/null +++ b/doc/wsug_src/rawshark-h.txt @@ -0,0 +1,63 @@ +Rawshark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: rawshark [options] ... + +Input file: + -r <infile>, --read-file <infile> + set the pipe or file name to read from + +Processing: + -d <encap:linktype>|<proto:protoname> + packet encapsulation or protocol + -F <field> field to display + -m virtual memory limit, in bytes + -n disable all name resolutions (def: "mNd" enabled, or + as set in preferences) + -N <name resolve flags> enable specific name resolution(s): "mnNtdv" + -p use the system's packet header format + (which may have 64-bit timestamps) + -R <read filter>, --read-filter <read filter> + packet filter in Wireshark display filter syntax + -s skip PCAP header on input + -Y <display filter>, --display-filter <display filter> + packet filter in Wireshark display filter syntax + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <protocols> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol + +Output: + -l flush output after each packet + -S format string for fields + (%D - name, %S - stringval, %N numval) + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + output format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -o <name>:<value> ... override preference setting + -K <keytab> keytab file to use for kerberos decryption diff --git a/doc/wsug_src/reordercap-h.txt b/doc/wsug_src/reordercap-h.txt new file mode 100644 index 00000000..a12e9fe3 --- /dev/null +++ b/doc/wsug_src/reordercap-h.txt @@ -0,0 +1,10 @@ +Reordercap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Reorder timestamps of input file frames into output file. +See https://www.wireshark.org for more information. + +Usage: reordercap [options] <infile> <outfile> + +Options: + -n don't write to output file if the input file is ordered. + -h, --help display this help and exit. + -v, --version print version information and exit. diff --git a/doc/wsug_src/text2pcap-h.txt b/doc/wsug_src/text2pcap-h.txt new file mode 100644 index 00000000..934b2fe3 --- /dev/null +++ b/doc/wsug_src/text2pcap-h.txt @@ -0,0 +1,111 @@ +Text2pcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Generate a capture file from an ASCII hexdump of packets. +See https://www.wireshark.org for more information. + +Usage: text2pcap [options] <infile> <outfile> + +where <infile> specifies input filename (use - for standard input) + <outfile> specifies output filename (use - for standard output) + +Input: + -o hex|oct|dec|none parse offsets as (h)ex, (o)ctal, (d)ecimal, or (n)one; + default is hex. + -t <timefmt> treat the text before the packet as a date/time code; + <timefmt> is a format string supported by strptime, + with an optional %f descriptor for fractional seconds. + Example: The time "10:15:14.5476" has the format code + "%H:%M:%S.%f" + The special format string ISO supports ISO-8601 times. + NOTE: Date/time fields from the current date/time are + used as the default for unspecified fields. + -D the text before the packet starts with an I or an O, + indicating that the packet is inbound or outbound. + This is used when generating dummy headers if the + output format supports it (e.g. pcapng). + -a enable ASCII text dump identification. + The start of the ASCII text dump can be identified + and excluded from the packet data, even if it looks + like a HEX dump. + NOTE: Do not enable it if the input file does not + contain the ASCII text dump. + -r <regex> enable regex mode. Scan the input using <regex>, a Perl + compatible regular expression matching a single packet. + Named capturing subgroups are used to identify fields: + <data> (mand.), and <time>, <dir>, and <seqno> (opt.) + The time field format is taken from the -t option + Example: -r '^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$' + could match a file with lines like + > 0:00:00.265620 a130368b000000080060 + < 0:00:00.295459 a2010800000000000000000800000000 + -b 2|8|16|64 encoding base (radix) of the packet data in regex mode + (def: 16: hexadecimal) No effect in hexdump mode. + +Output: + if the output file(s) have the .gz extension, then + gzip compression will be used. + -F <capture type> set the output file type; default is pcapng. + an empty "-F" option will list the file types. + -E <encap type> set the output file encapsulation type; default is + ether (Ethernet). An empty "-E" option will list + the encapsulation types. + -l <typenum> set the output file encapsulation type via link-layer + type number; default is 1 (Ethernet). See + https://www.tcpdump.org/linktypes.html for a list of + numbers. + Example: -l 7 for ARCNet packets. + -m <max-packet> max packet length in output; default is 262144 + -N <intf-name> assign name to the interface in the pcapng file. + --compress <type> Compress the output file using the type compression format. + +Prepend dummy header: + -e <ethertype> prepend dummy Ethernet II header with specified EtherType + (in HEX). + Example: -e 0x806 to specify an ARP packet. + -i <proto> prepend dummy IP header with specified IP protocol + (in DECIMAL). + Automatically prepends Ethernet header as well if + link-layer type is Ethernet. + Example: -i 46 + -4 <srcip>,<destip> prepend dummy IPv4 header with specified + source and destination addresses. + Example: -4 10.0.0.1,10.0.0.2 + -6 <srcip>,<destip> prepend dummy IPv6 header with specified + source and destination addresses. + Example: -6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334 + -u <srcp>,<destp> prepend dummy UDP header with specified + source and destination ports (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -u 1000,69 to make the packets look like + TFTP/UDP packets. + -T <srcp>,<destp> prepend dummy TCP header with specified + source and destination ports (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -T 50,60 + -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified + source/destination ports and verification tag (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -s 30,40,34 + -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified + source/destination ports and verification tag 0. + Automatically prepends a dummy SCTP DATA + chunk header with payload protocol identifier ppi. + Example: -S 30,40,34 + -P <dissector> prepend EXPORTED_PDU header with specified dissector + as the payload DISSECTOR_NAME tag. + Automatically sets link type to Upper PDU Export. + EXPORTED_PDU payload defaults to "data" otherwise. + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version print version information and exit + -q don't report processed packet counts diff --git a/doc/wsug_src/tshark-h.txt b/doc/wsug_src/tshark-h.txt new file mode 100644 index 00000000..e7c12a2d --- /dev/null +++ b/doc/wsug_src/tshark-h.txt @@ -0,0 +1,172 @@ +TShark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: tshark [options] ... + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback) + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer (def: 2MB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + --update-interval interval between updates with new packets (def: 100ms) + +Capture stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM KB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Capture output: + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM KB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - switch to next file after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs + printname:FILE - print filename to FILE when written + (can use 'stdout' or 'stderr') +Input file: + -r <infile>, --read-file <infile> + set the filename to read from (or '-' for stdin) + +Processing: + -2 perform a two-pass analysis + -M <packet count> perform session auto reset + -R <read filter>, --read-filter <read filter> + packet Read filter in Wireshark display filter syntax + (requires -2) + -Y <display filter>, --display-filter <display filter> + packet displaY filter in Wireshark display filter + syntax + -n disable all name resolutions (def: "mNd" enabled, or + as set in preferences) + -N <name resolve flags> enable specific name resolution(s): "mtndsNvg" + -d <layer_type>==<selector>,<decode_as_protocol> ... + "Decode As", see the man page for details + Example: tcp.port==8888,http + -H <hosts file> read a list of entries from a hosts file, which will + then be written to a capture file. (Implies -W n) + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <protocols> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol +Output: + -w <outfile|-> write packets to a pcapng-format file named "outfile" + (or '-' for stdout). If the output filename has the + .gz extension, it will be compressed to a gzip archive + --capture-comment <comment> + add a capture file comment, if supported + -C <config profile> start with specified configuration profile + --global-profile use the global profile instead of personal profile + -F <output file type> set the output file type; default is pcapng. + an empty "-F" option will list the file types + -V add output of packet tree (Packet Details) + -O <protocols> Only show packet details of these protocols, comma + separated + -P, --print print packet summary even when writing to a file + -S <separator> the line separator to print between packets + -x add output of hex and ASCII dump (Packet Bytes) + --hexdump <hexoption> add hexdump, set options for data source and ASCII dump + all dump all data sources (-x default) + frames dump only frame data source + ascii include ASCII dump text (-x default) + delimit delimit ASCII dump text with '|' characters + noascii exclude ASCII dump text + help display help for --hexdump and exit + -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|? + format of text output (def: text) + -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected + (e.g. "ip ip.flags text", filter does not expand child + nodes, unless child is specified also in the filter) + -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected + (e.g. "http tcp", filter which expands all child nodes) + -e <field> field to print if -Tfields selected (e.g. tcp.port, + _ws.col.info) + this option can be repeated to print multiple fields + -E<fieldsoption>=<value> set options for output when -Tfields selected: + bom=y|n print a UTF-8 BOM + header=y|n switch headers on and off + separator=/t|/s|<char> select tab, space, printable character as separator + occurrence=f|l|a print first, last or all occurrences of each field + aggregator=,|/s|<char> select comma, space, printable character as + aggregator + quote=d|s|n select double, single, no quotes for values + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + output format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + -l flush standard output after each packet + (implies --update-interval 0) + -q be more quiet on stdout (e.g. when using statistics) + -Q only log true errors to stderr (quieter than -q) + -g enable group read access on the output file(s) + -W n Save extra information in the file, if supported. + n = write network address resolution information + -X <key>:<value> eXtension options, see the man page for details + -U tap_name PDUs export mode, see the man page for details + -z <statistics> various statistics, see the man page for details + --export-objects <protocol>,<destdir> + save exported objects for a protocol to a directory + named "destdir" + --export-tls-session-keys <keyfile> + export TLS Session Keys to a file named "keyfile" + --color color output text similarly to the Wireshark GUI, + requires a terminal with 24-bit color support + Also supplies color attributes to pdml and psml formats + (Note that attributes are nonstandard) + --no-duplicate-keys If -T json is specified, merge duplicate keys in an object + into a single key with as value a json array containing all + values + --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the + specified protocols within the mapping file + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + --compress <type> compress the output file using the type compression format + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -o <name>:<value> ... override preference setting + -K <keytab> keytab file to use for kerberos decryption + -G [report] dump one of several available reports and exit + default report="fields" + use "-G help" for more help + +Dumpcap can benefit from an enabled BPF JIT compiler if available. +You might want to enable it by executing: + "echo 1 > /proc/sys/net/core/bpf_jit_enable" +Note that this can make your system less secure! diff --git a/doc/wsug_src/user-guide-docinfo.xml b/doc/wsug_src/user-guide-docinfo.xml new file mode 100644 index 00000000..4c1d50c7 --- /dev/null +++ b/doc/wsug_src/user-guide-docinfo.xml @@ -0,0 +1,150 @@ +<!-- Document information for the User's Guide. --> + +<!-- Updated by tools/make-version.py --> +<subtitle>For Wireshark 4.4</subtitle> + +<!-- + <title><inlinegraphic entityref="WiresharkLogo" valign="middle" format="PNG"/> &DocumentTitle;</title> +--> + +<authorgroup> + + <author><firstname>Ulf</firstname><surname>Lamping</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>ulf.lamping[AT]web.de</email> + </author> + + <author><firstname>Richard</firstname><surname>Sharpe</surname> + <affiliation><jobtitle>Director</jobtitle><orgname>NS Computer Software and Services P/L</orgname></affiliation> + <email>rsharpe[AT]ns.aus.com</email> + </author> + + <author><firstname>Ed</firstname><surname>Warnicke</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>hagbard[AT]physics.rutgers.edu</email> + </author> + +</authorgroup> + + +<!-- Author information as listed in the old DocBook version. --> +<!-- Author's Names --> +<!-- + <!ENTITY AuthorFullName "Ulf Lamping"> + <!ENTITY AuthorFirstName "Ulf"> + <!ENTITY AuthorOtherName ""> + <!ENTITY AuthorSurname "Lamping"> + + <!ENTITY AuthorFullName2 "Richard Sharpe"> + <!ENTITY AuthorFirstName2 "Richard"> + <!ENTITY AuthorOtherName2 ""> + <!ENTITY AuthorSurname2 "Sharpe"> + + <!ENTITY AuthorFullName3 "Ed Warnicke"> + <!ENTITY AuthorFirstName3 "Ed"> + <!ENTITY AuthorOtherName3 ""> + <!ENTITY AuthorSurname3 "Warnicke"> + + <!ENTITY AuthorFullName4 "Luis E. Garcia Ontanon"> + <!ENTITY AuthorFirstName4 "Luis"> + <!ENTITY AuthorOtherName4 "Enrique"> + <!ENTITY AuthorSurname4 "Garcia Ontanon"> +--> + +<!--Author's Affiliation --> +<!-- + <!ENTITY AuthorShortAffiliation ""> + <!ENTITY AuthorJobTitle ""> + <!ENTITY AuthorOrgName ""> + <!ENTITY AuthorOrgDiv ""> + <!ENTITY AuthorEmail "ulf.lamping[AT]web.de"> + + <!ENTITY AuthorShortAffiliation2 ""> + <!ENTITY AuthorJobTitle2 "Director"> + <!ENTITY AuthorOrgName2 "NS Computer Software and Services P/L"> + <!ENTITY AuthorOrgDiv2 ""> + <!ENTITY AuthorEmail2 "rsharpe[AT]ns.aus.com"> + + <!ENTITY AuthorShortAffiliation3 ""> + <!ENTITY AuthorJobTitle3 ""> + <!ENTITY AuthorOrgName3 ""> + <!ENTITY AuthorOrgDiv3 ""> + <!ENTITY AuthorEmail3 "hagbard[AT]physics.rutgers.edu"> + + <!ENTITY AuthorShortAffiliation4 ""> + <!ENTITY AuthorJobTitle4 ""> + <!ENTITY AuthorOrgName4 ""> + <!ENTITY AuthorOrgDiv4 ""> + <!ENTITY AuthorEmail4 "luis [at] ontanon.org"> +--> + +<copyright><year>2004-2014</year> + <holder>Ulf Lamping</holder> + <holder>Richard Sharpe</holder> + <holder>Ed Warnicke</holder> +</copyright> + +<revhistory> + +<revision> + <revnumber>3.2</revnumber> + <date>9 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Converted from DocBook to AsciiDoc.</revremark> +</revision> + +<revision> + <revnumber>3.1</revnumber> + <date>2 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Moved Lua reference from User's Guide to Developer's Guide.</revremark> +</revision> + +<revision><!-- ge10e4fb --> + <revnumber>3.0.2</revnumber> + <date>31 May 2006</date> + <authorinitials>jk</authorinitials> + <revremark>Further cleanup of Wireshark User Guide</revremark> +</revision> + +<revision> + <revnumber>2.0.2</revnumber> + <date>29 Jan 2005</date> + <authorinitials>ul</authorinitials> + <revremark>Add links to wiki example pages</revremark> +</revision> + +<!-- We removed the protocol pages without incrementing revnumber --> + +<revision> + <revnumber>2.0</revnumber> + <date>6 Aug 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Review updates</revremark> +</revision> + +<!-- 1.91 - 1.94 were review updates. Should we include them? --> + +<revision> + <revnumber>1.90</revnumber> + <date>19 Jul 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Updated for Ethereal 0.10.5.</revremark> +</revision> + +<!-- Earlier versions in https://anonsvn.wireshark.org/wireshark-doc/ --> + +</revhistory> + +<legalnotice> + <simpara> + Permission is granted to copy, distribute + and/or modify this document under the terms of the GNU General Public + License, Version 2 or any later version published by the Free Software + Foundation. + </simpara> + <simpara> + All logos and trademarks in this document are property of their + respective owner. + </simpara> +</legalnotice> diff --git a/doc/wsug_src/user-guide.adoc b/doc/wsug_src/user-guide.adoc new file mode 100644 index 00000000..7c80cf7b --- /dev/null +++ b/doc/wsug_src/user-guide.adoc @@ -0,0 +1,64 @@ +:doctype: book +include::../attributes.adoc[] + +// Electronic book attributes +:author: Richard Sharpe, Ed Warnicke, Ulf Lamping +:description: Wireshark User’s Guide +:keywords: Wireshark User Guide +ifdef::ebook-format-epub3[] +:front-cover-image: images/ws-user-guide-cover.png +:toc: +endif::[] + += Wireshark User’s Guide: Version {wireshark-version} + +:source-highlighter: coderay + +include::wsug_preface.adoc[] + +include::../common_src/typographic_conventions.adoc[] + +// Chapters + +include::wsug_introduction.adoc[] + +include::wsug_build_install.adoc[] + +include::wsug_use.adoc[] + +include::wsug_capture.adoc[] + +include::wsug_io.adoc[] + +include::wsug_work.adoc[] + +include::wsug_advanced.adoc[] + +include::wsug_statistics.adoc[] + +include::wsug_telephony.adoc[] + +include::wsug_wireless.adoc[] + +include::wsug_customize.adoc[] + +include::wsug_mate.adoc[] + +// Needs to be reworked +//include::wsug_troubleshoot.adoc[] + +// Appendices +include::wsug_messages.adoc[] + +include::wsug_files.adoc[] + +include::wsug_protocols.adoc[] + +// Needs to be reworked +//include::wsug_howitworks.adoc[] + +include::wsug_tools.adoc[] + +// License + +include::../common_src/gpl_appendix.adoc[] diff --git a/doc/wsug_src/wireshark-h.txt b/doc/wsug_src/wireshark-h.txt new file mode 100644 index 00000000..954b0965 --- /dev/null +++ b/doc/wsug_src/wireshark-h.txt @@ -0,0 +1,114 @@ +Wireshark 4.4.0 (v4.4.0rc1-11-g13699b5b3e78) +Interactively dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: wireshark [options] ... [ <infile> ] + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback) + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer (def: 2MB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + +Capture display: + -k start capturing immediately (def: do nothing) + -S update packet display when new packets are captured + --update-interval interval between updates with new packets (def: 100ms) + -l turn on automatic scrolling while -S is in use +Capture stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM KB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Capture output: + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM KB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - switch to next file after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs +Input file: + -r <infile>, --read-file <infile> + set the filename to read from (no pipes or stdin!) + +Processing: + -R <read filter>, --read-filter <read filter> + packet filter in Wireshark display filter syntax + -n disable all name resolutions (def: all enabled) + -N <name resolve flags> enable specific name resolution(s): "mtndsNvg" + -d <layer_type>==<selector>,<decode_as_protocol> ... + "Decode As", see the man page for details + Example: tcp.port==8888,http + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <proto_name> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol + +User interface: + -C <config profile> start with specified configuration profile + -H hide the capture info dialog during packet capture + -Y <display filter>, --display-filter <display filter> + start with the given display filter + -g <packet number> go to specified packet number after "-r" + -J <jump filter> jump to the first packet matching the (display) + filter + -j search backwards for a matching packet after "-J" + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + -X <key>:<value> eXtension options, see man page for details + -z <statistics> show various statistics, see man page for details + +Output: + -w <outfile|-> set the output filename (or '-' for stdout) + -F <capture type> set the output file type; default is pcapng. + an empty "-F" option will list the file types. + --capture-comment <comment> + add a capture file comment, if supported + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -P <key>:<path> persconf:path - personal configuration files + persdata:path - personal data files + -o <name>:<value> ... override preference or recent setting + -K <keytab> keytab file to use for kerberos decryption + --display <X display> X display to use + --fullscreen start Wireshark in full screen diff --git a/doc/wsug_src/wsug_advanced.adoc b/doc/wsug_src/wsug_advanced.adoc new file mode 100644 index 00000000..7550ee2c --- /dev/null +++ b/doc/wsug_src/wsug_advanced.adoc @@ -0,0 +1,1339 @@ +// WSUG Chapter Advanced + +[#ChapterAdvanced] + +== Advanced Topics + +[#ChAdvIntroduction] + +=== Introduction + +This chapter will describe some of Wireshark’s advanced features. + +// We switched from FollowTCP to FollowStream in June 2018. +// This is apparently how you assign multiple anchors. +// https://docs.asciidoctor.org/asciidoc/latest/attributes/id/#add-additional-anchors-to-a-section + +[#ChAdvFollowStreamSection] +=== [[ChAdvFollowTCPSection]]Following Protocol Streams + +It can be very helpful to see a protocol in the way that the application +layer sees it. Perhaps you are looking for passwords in a Telnet stream, +or you are trying to make sense of a data stream. Maybe you just need a +display filter to show only the packets in a TLS or SSL stream. If so, +Wireshark’s ability to follow protocol streams will be useful to you. + +To filter to a particular stream, +select a TCP, UDP, DCCP, TLS, HTTP, HTTP/2, QUIC or SIP packet in the packet list of the stream/connection you are +interested in and then select the menu item menu:Analyze[Follow > TCP Stream] +(or use the context menu in the packet list). Wireshark will set an +appropriate display filter and display a dialog box with the data from the +stream laid out, as shown in <<ChAdvFollowStream>>. + +[TIP] +==== +Following a protocol stream applies a display filter which selects all +the packets in the current stream. Some people open the “Follow TCP +Stream” dialog and immediately close it as a quick way to isolate a +particular stream. Closing the dialog with the “Back” button will reset +the display filter if this behavior is not desired. +==== + +[#ChAdvFollowStream] + +.The “Follow TCP Stream” dialog box +image::images/ws-follow-stream.png[{screenshot-attrs}] + +The stream content is displayed in the same sequence as it appeared on the +network. Non-printable characters are replaced by dots. +Traffic from the client to the server is colored red, while traffic +from the server to the client is +colored blue. These colors can be changed by opening menu:Edit[Preferences] and +under menu:Appearance[Font and Colors], selecting different colors for the +btn:[Sample "Follow Stream" client text] and btn:[Sample "Follow Stream" server text] +options. + + + +// XXX - What about line wrapping (maximum line length) and CRNL conversions? + +The stream content won’t be updated while doing a live capture. To get the +latest content you’ll have to reopen the dialog. + +You can choose from the following actions: + +btn:[Help]:: Show this help. + +btn:[Filter out this stream]:: Apply a display filter removing the current + stream data from the display. + +btn:[Print]:: Print the stream data in the currently selected format. + +btn:[Save as...]:: Save the stream data in the currently selected format. + +btn:[Back]:: Close this dialog box and restore the previous display filter. + +btn:[Close]:: Close this dialog box, leaving the current display filter in + effect. + +By default, Wireshark displays both client and server data. You can select the +menu:Entire conversation[] to switch between both, client to server, or +server to client data. + +You can choose to view the data in one of the following formats: + +menu:ASCII[]:: In this view you see the data from each direction in ASCII. + Obviously best for ASCII based protocols, e.g., HTTP. + +menu:C Arrays[]:: This allows you to import the stream data into your own C + program. + +menu:EBCDIC[]:: For the big-iron freaks out there. + +menu:HEX Dump[]:: This allows you to see all the data. This will require a lot of + screen space and is best used with binary protocols. + +menu:UTF-8[]:: Like ASCII, but decode the data as UTF-8. + +menu:UTF-16[]:: Like ASCII, but decode the data as UTF-16. + +menu:YAML[]:: This allows you to load the stream as YAML. + +The YAML output is divided into 2 main sections: + +* The `peers` section where for each `peer` you found the peer index, the `host` address and the `port` number. + +* The `packets` section where for each `packet` you found the packet number in the original capture, the `peer` index, +the packet `index` for this peer, the `timestamp` in seconds and the `data` in base64 encoding. + +.Follow Stream YAML output +==== +[source,yaml] +---- +peers: + - peer: 0 + host: 127.0.0.1 + port: 54048 + - peer: 1 + host: 127.0.10.1 + port: 5000 +packets: + - packet: 1 + peer: 0 + index: 0 + timestamp: 1599485409.693955274 + data: !!binary | + aGVsbG8K + - packet: 3 + peer: 1 + index: 0 + timestamp: 1599485423.885866692 + data: !!binary | + Ym9uam91cgo= +---- +==== + +The same example but in old YAML format (before version 3.5): +[source,yaml] +---- +# Packet 1 +peer0_0: !!binary | + aGVsbG8K +# Packet 3 +peer1_0: !!binary | + Ym9uam91cgo= +---- + +How the old format data can be found in the new format: +[options="header"] +|=== +|New YAML format |Old YAML format | +a| +---- +... +packets: + - packet: AAA + peer: BBB + index: CCC + data: !!binary \| + DDD +---- +a| +---- +# Packet AAA +peerBBB_CCC !!binary \| + DDD +---- +a| + AAA: packet number in the original capture + BBB: peer index + CCC: packet index for this peer + DDD: data in base64 encoding +|=== + +menu:Raw[]:: This allows you to load the unaltered stream data into a different + program for further examination. The display will show the data as strings + of hex characters with each frame on a separate line, but “Save As” + will result in a binary file without any added line separators. + +You can optionally show the delta time each time the direction changes (turns) or for every packet or event. + +You can switch between streams using the “Stream” selector. + +You can search for text by entering it in the “Find” entry box and +pressing btn:[Find Next]. + +.The “Follow HTTP/2 Stream” dialog box +image::images/ws-follow-http2-stream.png[{screenshot-attrs}] + +The HTTP/2 Stream dialog is similar to the "Follow TCP Stream" dialog, except +for an additional "Substream" dialog field. HTTP/2 Streams are identified by +a HTTP/2 Stream Index (field name `http2.streamid`) which are unique within a +TCP connection. The “Stream” selector determines the TCP connection whereas the +“Substream” selector is used to pick the HTTP/2 Stream ID. + +The QUIC protocol is similar, the first number selects the QUIC connection number +while the "Substream" field selects the QUIC Stream ID. + +.The “Follow SIP Call” dialog box +image::images/ws-follow-sip-stream.png[{screenshot-attrs}] + +The SIP call is shown with same dialog, just filter is based on sip.Call-ID +field. Count of streams is fixed to 0 and the field is disabled. + +[#ChAdvShowPacketBytes] + +=== Show Packet Bytes + +If a selected packet field does not show all the bytes (i.e., they are truncated +when displayed) or if they are shown as bytes rather than string or if they require +more formatting because they contain an image or HTML then this dialog can be used. + +This dialog can also be used to decode field bytes from base64, various compressed +formats or quoted-printable and show the decoded bytes as configurable output. +It’s also possible to select a subset of bytes setting the start byte and end byte. + +You can choose from the following actions: + +btn:[Help]:: Show this help. + +btn:[Print]:: Print the bytes in the currently selected format. + +btn:[Copy]:: Copy the bytes to the clipboard in the currently selected format. + +btn:[Save As]:: Save the bytes in the currently selected format. + +btn:[Close]:: Close this dialog box. + +You can choose to decode the data from one of the following formats: + +menu:None[]:: This is the default which does not decode anything. + +menu:Base64[]:: This will decode from Base64 or Base64Url. + +menu:Compressed[]:: This will decompress the buffer using lz77, lz77huff, lznt1, snappy, zlib or zstd. + +menu:Hex Digits[]:: This will decode from a string of hex digits. Non-hex characters are skipped. + +menu:Percent-Encoding[]:: This will decode from a Percent-Encoded string. + +menu:Quoted-Printable[]:: This will decode from a Quoted-Printable string. + +menu:ROT-13[]:: This will decode ROT-13 encoded text. + +You can choose to view the data in one of the following formats: + +menu:ASCII[]:: In this view you see the bytes as ASCII. + All control characters and non-ASCII bytes are replaced by dot. + +menu:ASCII & Control[]:: In this view all control characters are shown using a + UTF-8 symbol and all non-ASCII bytes are replaced by dot. + +menu:C Array[]:: This allows you to import the field data into your own C program. + +menu:EBCDIC[]:: For the big-iron freaks out there. + +menu:Hex Dump[]:: This allows you to see all the data. This will require a lot of + screen space and is best used with binary protocols. + +menu:HTML[]:: This allows you to see all the data formatted as a HTML document. + The HTML supported is what’s supported by the Qt QTextEdit class. + +menu:Image[]:: This will try to convert the bytes into an image. + Most popular formats are supported including PNG, JPEG, GIF, and BMP. + +menu:ISO 8859-1[]:: In this view you see the bytes as ISO 8859-1. + +menu:Raw[]:: This allows you to load the bytes into a different + program for further examination. The display will show HEX data, but + “Save As” will result in a binary file. + +menu:UTF-8[]:: In this view you see the bytes as UTF-8. + +menu:UTF-16[]:: In this view you see the bytes as UTF-16. + +menu:YAML[]:: This will show the bytes as a YAML binary dump. + +You can search for text by entering it in the “Find” entry box and +pressing btn:[Find Next]. + +[#ChAdvExpert] + +=== Expert Information + +Wireshark keeps track of any anomalies and other items of interest it finds in a capture file and shows them in the Expert Information dialog. +The goal is to give you a better idea of uncommon or notable network behavior and to let novice and expert users find network problems faster than manually scanning through the packet list. + +[WARNING] +.Expert information is only a hint +==== +Expert information is the starting point for investigation, not the stopping point. +Every network is different, and it's up to you to verify that Wireshark’s expert information applies to your particular situation. +The presence of expert information doesn't necessarily indicate a problem and absence of expert information doesn’t necessarily mean everything is OK. +==== + +The amount of expert information largely depends on the protocol being used. +While dissectors for some common protocols like TCP and IP will show detailed information, other dissectors will show little or none. + +The following describes the components of a single expert information entry along with the expert user interface. + +[#ChAdvExpertInfoEntries] + +==== Expert Information Entries + +Expert information entries are grouped by severity level (described below) and contain the following: + +[#ChAdvTabExpertInfoEntries] + +.Example expert information items +[options="header"] +|=== +|Packet #|Summary|Group|Protocol +|592|TCP: [TCP Out-Of-Order] ...|Malformed|TCP +|1202|DNS: Standard query response ...|Protocol|DNS +|443|TCP: 80 → 59322 [RST] Seq=12761 Win=0 Len=0|Sequence|TCP +|=== + +[#ChAdvExpertSeverity] + +===== Severity + +Every expert information item has a severity level. +The following levels are used, from lowest to highest. +Wireshark marks them using different colors, which are shown in parentheses: + +Chat [white blue-background]#(blue)#:: +Information about usual workflow, e.g., a TCP packet with the SYN flag set. + +Note [black aqua-background]#(cyan)#:: +Notable events, e.g., an application returned a common error code such as HTTP 404. + +Warn [black yellow-background]#(yellow)#:: +Warnings, e.g., application returned an unusual error code like a connection problem. + +Error [white red-background]#(red)#:: +Serious problems, such as malformed packets. + +[#ChAdvExpertGroup] + +===== Summary + +Short explanatory text for each expert information item. + +===== Group + +Along with severity levels, expert information items are categorized by group. +The following groups are currently implemented: + +Assumption:: +The protocol field has incomplete data and was dissected based on assumed value. + +Checksum:: +A checksum was invalid. + +Comment:: +Packet comment. + +Debug:: +Debugging information. +You shouldn’t see this group in release versions of Wireshark. + +Decryption:: +A decryption issue. + +Deprecated:: +The protocol field has been deprecated. + +Malformed:: +Malformed packet or dissector has a bug. +Dissection of this packet aborted. + +Protocol:: +Violation of a protocol’s specification (e.g., invalid field values or illegal lengths). +Dissection of this packet probably continued. + +Reassemble:: +Problems while reassembling, e.g., not all fragments were available or an exception happened during reassembly. + +Request Code:: +An application request (e.g., File Handle == _x_). Usually assigned the Chat severity level. + +Response Code:: +An application response code indicates a potential problem, e.g., HTTP 404 page not found. + +Security:: +A security problem, e.g., an insecure implementation. + +Sequence:: +A protocol sequence number was suspicious, e.g., it wasn’t continuous or a retransmission was detected. + +Undecoded:: +Dissection incomplete or data can’t be decoded for other reasons. + +It’s possible that more groups will be added in the future. + +[#ChAdvExpertProtocol] + +===== Protocol + +The protocol dissector that created the expert information item. + +[#ChAdvExpertSummary] + +[#ChAdvExpertDialog] + +==== The “Expert Information” Dialog + +You can open the expert info dialog by selecting menu:Analyze[Expert Info] or by clicking the expert level indicator in the main status bar. + +Right-clicking on an item will allow you to apply or prepare a filter based on the item, copy its summary text, and other tasks. + +.The “Expert Information” dialog box +image::images/ws-expert-information.png[{screenshot-attrs}] + +You can choose from the following actions: + +Limit to display filter:: +Only show expert information items present in packets that match the current display filter. + +Group by summary:: +Group items by their summary instead of the groups described above. + +Search:: +Only show items that match the search string, such as “dns”. +Regular expressions are supported. + +menu:Show...[]:: +Lets you show or hide each severity level. +For example, you can deselect Chat and Note severities if desired. + +btn:[Help]:: +Takes you to this section of the User’s Guide. + +btn:[Close]:: +Closes the dialog + +// ===== Errors / Warnings / Notes / Chats tabs + +// An easy and quick way to find the most interesting infos (rather than using the +// Details tab), is to have a look at the separate tabs for each severity level. As +// the tab label also contains the number of existing entries, it’s easy to find +// the tab with the most important entries. + +// There are usually a lot of identical expert infos only differing in the packet +// number. These identical infos will be combined into a single line - with a count +// column showing how often they appeared in the capture file. Clicking on the plus +// sign shows the individual packet numbers in a tree view. + +// [[ChAdvExpertDialogDetails]] + +// ===== Details tab + +// The Details tab provides the expert infos in a “log like” view, each entry on +// its own line (much like the packet list). As the amount of expert infos for a +// capture file can easily become very large, getting an idea of the interesting +// infos with this view can take quite a while. The advantage of this tab is to +// have all entries in the sequence as they appeared, this is sometimes a help to +// pinpoint problems. + +[#ChAdvExpertColorizedTree] + +==== “Colorized” Protocol Details Tree + +.The “Colorized” protocol details tree +image::images/ws-expert-colored-tree.png[{screenshot-attrs}] + +The packet detail tree marks fields with expert information based on their severity level color, e.g., “Warning” severities have a yellow background. +This color is propagated to the top-level protocol item in the tree in order to make it easy to find the field that created the expert information. + +For the example screenshot above, the IP “Time to live” value is very low (only 1), so the corresponding protocol field is marked with a cyan background. +To make it easier find that item in the packet tree, the IP protocol toplevel item is marked cyan as well. + +[#ChAdvExpertColumn] + +==== “Expert” Packet List Column (Optional) + +.The “Expert” packet list column +image::images/ws-expert-column.png[{screenshot-attrs}] + +An optional “Expert Info Severity” packet list column is available that +displays the most significant severity of a packet or stays empty if everything +seems OK. This column is not displayed by default but can be easily added using +the Preferences Columns page described in <<ChCustPreferencesSection>>. + +[#ChAdvTCPAnalysis] + +=== TCP Analysis + +By default, Wireshark’s TCP dissector tracks the state of each TCP +session and provides additional information when problems or potential +problems are detected. Analysis is done once for each TCP packet when a +capture file is first opened. Packets are processed in the order in +which they appear in the packet list. You can enable or disable this +feature via the “Analyze TCP sequence numbers” TCP dissector preference. + +For analysis of data or protocols layered on top of TCP (such as HTTP), see +<<ChAdvReassemblyTcp>>. + +.“TCP Analysis” packet detail items +image::images/ws-tcp-analysis.png[{screenshot-attrs}] + +TCP Analysis flags are added to the TCP protocol tree under “SEQ/ACK +analysis”. Each flag is described below. Terms such as “next expected +sequence number” and “next expected acknowledgment number” refer to +the following”: + +// tcp_analyze_seq_info->nextseq +Next expected sequence number:: The last-seen sequence number plus +segment length. Set when there are no analysis flags and for zero +window probes. This is initially zero and calculated based on the +previous packet in the same TCP flow. Note that this may not be the same +as the tcp.nxtseq protocol field. + +// tcp_analyze_seq_info->maxseqtobeacked +Next expected acknowledgment number:: The last-seen sequence number for +segments. Set when there are no analysis flags and for zero window probes. + +// tcp_analyze_seq_info->lastack +Last-seen acknowledgment number:: Always updated for each packet. Note +that this is not the same as the next expected acknowledgment number. + +// TCP_A_ACK_LOST_PACKET +[discrete] +==== TCP ACKed unseen segment + +Set when the expected next acknowledgment number is set for the reverse +direction and it’s less than the current acknowledgment number. + +// TCP_A_DUPLICATE_ACK +[discrete] +==== TCP Dup ACK __<frame>__#__<acknowledgment number>__ + +Set when all of the following are true: + +* The segment size is zero. +* The window size is non-zero and hasn’t changed, or there is valid SACK data. +* The next expected sequence number and last-seen acknowledgment number are non-zero (i.e., the connection has been established). +* SYN, FIN, and RST are not set. + +// TCP_A_FAST_RETRANSMISSION +[discrete] +==== TCP Fast Retransmission + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment size is greater than zero or the SYN or FIN is set. +* The next expected sequence number is greater than the current sequence number. +* We have at least two duplicate ACKs in the reverse direction. +* The current sequence number equals the next expected acknowledgment number. +* We saw the last acknowledgment less than 20ms ago. + +Supersedes “Out-Of-Order” and “Retransmission”. + +// TCP_A_KEEP_ALIVE +[discrete] +==== TCP Keep-Alive + +Set when the segment size is zero or one, the current sequence number +is one byte less than the next expected sequence number, and none of SYN, +FIN, or RST are set. + +Supersedes “Fast Retransmission”, “Out-Of-Order”, “Spurious +Retransmission”, and “Retransmission”. + +// TCP_A_KEEP_ALIVE_ACK +[discrete] +==== TCP Keep-Alive ACK + +Set when all of the following are true: + +* The segment size is zero. +* The window size is non-zero and hasn’t changed. +* The current sequence number is the same as the next expected sequence number. +* The current acknowledgment number is the same as the last-seen acknowledgment number. +* The most recently seen packet in the reverse direction was a keepalive. +* The packet is not a SYN, FIN, or RST. + +Supersedes “Dup ACK” and “ZeroWindowProbeAck”. + +// TCP_A_OUT_OF_ORDER +[discrete] +==== TCP Out-Of-Order + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment length is greater than zero or the SYN or FIN is set. +* The next expected sequence number is greater than the current sequence number. +* The next expected sequence number and the next sequence number differ. +* The last segment arrived within the Out-Of-Order RTT threshold. + The threshold is either the value shown in the “iRTT” (tcp.analysis.initial_rtt) field under “SEQ/ACK analysis” if it is present, or the default value of 3ms if it is not. + +Supersedes “Retransmission”. + +// TCP_A_REUSED_PORTS +[discrete] +==== TCP Port numbers reused + +Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same addresses and ports, and the sequence number is different than the existing conversation’s initial sequence number. + +// TCP_A_LOST_PACKET +[discrete] +==== TCP Previous segment not captured + +Set when the current sequence number is greater than the next expected sequence number. + +// TCP_A_SPURIOUS_RETRANSMISSION +[discrete] +==== TCP Spurious Retransmission + +Checks for a retransmission based on analysis data in the reverse +direction. Set when all of the following are true: + +* The SYN or FIN flag is set. +* This is not a keepalive packet. +* The segment length is greater than zero. +* Data for this flow has been acknowledged. That is, the last-seen acknowledgment number has been set. +* The next sequence number is less than or equal to the last-seen acknowledgment number. + +Supersedes “Fast Retransmission”, “Out-Of-Order”, and “Retransmission”. + +// TCP_A_RETRANSMISSION +[discrete] +==== TCP Retransmission + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment length is greater than zero or the SYN or FIN flag is set. +* The next expected sequence number is greater than the current sequence number. + +// TCP_A_WINDOW_FULL +[discrete] +==== TCP Window Full + +Set when the segment size is non-zero, we know the window size in the +reverse direction, and our segment size exceeds the window size in the +reverse direction. + +// TCP_A_WINDOW_UPDATE +[discrete] +==== TCP Window Update + +Set when the all of the following are true: + +* The segment size is zero. +* The window size is non-zero and not equal to the last-seen window size, and there is no valid SACK data. +* The sequence number is equal to the next expected sequence number. +* The acknowledgment number is equal to the last-seen acknowledgment number, +* or to the next expected sequence number when answering to a ZeroWindowProbe. +* None of SYN, FIN, or RST are set. + +// TCP_A_ZERO_WINDOW +[discrete] +==== TCP ZeroWindow + +Set when the receive window size is zero and none of SYN, FIN, or RST are set. + +The _window_ field in each TCP header advertises the amount of data a receiver can accept. +If the receiver can’t accept any more data it will set the window value to zero, which tells the sender to pause its transmission. +In some specific cases this is normal -- for example, a printer might use a zero window to pause the transmission of a print job while it loads or reverses a sheet of paper. +However, in most cases this indicates a performance or capacity problem on the receiving end. +It might take a long time (sometimes several minutes) to resume a paused connection, even if the underlying condition that caused the zero window clears up quickly. + +// TCP_A_ZERO_WINDOW_PROBE +[discrete] +==== TCP ZeroWindowProbe + +Set when the sequence number is equal to the next expected sequence +number, the segment size is one, and last-seen window size in the +reverse direction was zero. + +If the single data byte from a Zero Window Probe is dropped by the receiver (not +ACKed), then a subsequent segment should not be flagged as retransmission if all +of the following conditions are true for that segment: +* The segment size is larger than one. +* The next expected sequence number is one less than the current sequence number. + +This affects “Fast Retransmission”, “Out-Of-Order”, or “Retransmission”. + +// TCP_A_ZERO_WINDOW_PROBE_ACK +[discrete] +==== TCP ZeroWindowProbeAck + +Set when the all of the following are true: + +* The segment size is zero. +* The window size is zero. +* The sequence number is equal to the next expected sequence number. +* The acknowledgment number is equal to the last-seen acknowledgment number. +* The last-seen packet in the reverse direction was a zero window probe. + +Supersedes “TCP Dup ACK”. + +// TCP_A_AMBIGUOUS_INTERPRETATIONS +[discrete] +==== TCP Ambiguous Interpretations + +Some captures are quite difficult to analyze automatically, particularly when the +time frame may cover both Fast Retransmission and Out-Of-Order packets. A TCP +preference allows to switch the precedence of these two interpretations at the +protocol level. + +// TCP_A_CONVERSATION_COMPLETENESS +[discrete] +==== TCP Conversation Completeness + +TCP conversations are said to be complete when they have both opening and closing +handshakes, independently of any data transfer. However, we might be interested in +identifying complete conversations with some data sent, and we are using the +following bit values to build a filter value on the tcp.completeness field : + +* 1 : SYN +* 2 : SYN-ACK +* 4 : ACK +* 8 : DATA +* 16 : FIN +* 32 : RST + +For example, a conversation containing only a three-way handshake will be found +with the filter 'tcp.completeness==7' (1+2+4) while a complete conversation with +data transfer will be found with a longer filter as closing a connection can be +associated with FIN or RST packets, or even both : +'tcp.completeness==31 or tcp.completeness==47 or tcp.completeness==63' + +Another way to select specific conversation values is to filter on individual +flags, the summary field, or a combination of them. +Thus, '(tcp.completeness.fin==1 || tcp.completeness.rst==1) && tcp.completeness.str contains "DASS"' +will find all 'Complete, WITH_DATA' conversations, while the 'Complete, NO_DATA' +ones will be found with +'(tcp.completeness.fin==1 || tcp.completeness.rst==1) && tcp.completeness.data==0 && tcp.completeness.str contains "ASS"'. + +[#ChAdvTimestamps] + +=== Time Stamps + +Time stamps, their precisions and all that can be quite confusing. This section +will provide you with information about what’s going on while Wireshark +processes time stamps. + +While packets are captured, each packet is time stamped as it comes in. These +time stamps will be saved to the capture file, so they also will be available +for (later) analysis. + +So where do these time stamps come from? While capturing, Wireshark gets the +time stamps from the libpcap (Npcap) library, which in turn gets them from the +operating system kernel. If the capture data is loaded from a capture file, +Wireshark obviously gets the data from that file. + +==== Wireshark Internals + +The internal format that Wireshark uses to keep a packet time stamp consists of +the date (in days since 1.1.1970) and the time of day (in nanoseconds since +midnight). You can adjust the way Wireshark displays the time stamp data in the +packet list, see the “Time Display Format” item in the +<<ChUseViewMenuSection>> for details. + +While reading or writing capture files, Wireshark converts the time stamp data +between the capture file format and the internal format as required. + +While capturing, Wireshark uses the libpcap (Npcap) capture library which +supports nanosecond resolution for both pcapng and pcap files, though some +devices may only provide microsecond resolution, in which case that will be +used. Unless you are working with specialized capturing hardware, this +resolution should be adequate. + +==== Capture File Formats + +The vast majority of capture file formats that Wireshark knows support time +stamps. The time stamp precision supported by a specific capture file format +differs widely and varies from one second “0” to one nanosecond “0.123456789”. +Most file formats store the time stamps with a fixed precision (e.g., microseconds, +“0.123456”), while some file formats are capable of storing the time stamp +precision itself or even having a different precision for different records +in the file (whatever the benefit may be). + +The pcapng capture file format supports a wide range of time stamp resolutions, +which can be different for each interface in the file, as well as records without +time stamps. The common libpcap capture file format, which is widely supported by +many other tools, supports two possible fixed resolutions, microsecond or +nanosecond, indicated by a magic number at the start of the file. Wireshark and +tools like editcap can convert pcap files with nanosecond resolution to microsecond +resolution for use with tools that only support the original time stamp precision. + +Writing data into a capture file format that doesn’t provide the capability to +store the actual precision will lead to loss of information. For example, if you +load a capture file with nanosecond resolution and store the capture data in a +libpcap file (with microsecond resolution) Wireshark obviously must reduce the +precision from nanosecond to microsecond. + +==== Accuracy + +People often ask “Which time stamp accuracy is provided by Wireshark?”. Well, +Wireshark doesn’t create any time stamps itself but simply gets them from +“somewhere else” and displays them. So accuracy will depend on the capture +system (operating system, performance, etc.) that you use. Because of this, the +above question is difficult to answer in a general way. + +[NOTE] +==== +USB connected network adapters often provide a very bad time stamp accuracy. The +incoming packets have to take “a long and winding road” to travel through the +USB cable until they actually reach the kernel. As the incoming packets are time +stamped when they are processed by the kernel, this time stamping mechanism +becomes very inaccurate. + +Don’t use USB connected NICs when you need precise time stamp +accuracy. +==== + +// (XXX - are there any such NIC’s that generate time stamps on the USB +// hardware?) + +[#ChAdvTimezones] + +=== Time Zones + +If you travel across the planet, time zones can be confusing. If you get a +capture file from somewhere around the world time zones can even be a lot more +confusing ;-) + +First of all, there are two reasons why you may not need to think about time +zones at all: + +* You are only interested in the time differences between the packet time stamps + and don’t need to know the exact date and time of the captured packets (which + is often the case). + +* You don’t get capture files from different time zones than your own, so there + are simply no time zone problems. For example, everyone in your team is + working in the same time zone as yourself. + +.What are time zones? +**** +People expect that the time reflects the sunset. Dawn should be in the morning +maybe around 06:00 and dusk in the evening maybe at 20:00. These times will +obviously vary depending on the season. It would be very confusing if everyone +on earth would use the same global time as this would correspond to the sunset +only at a small part of the world. + +For that reason, the earth is split into several different time zones, each zone +with a local time that corresponds to the local sunset. + +The time zone’s base time is UTC (Coordinated Universal Time) or Zulu Time +(military and aviation). The older term GMT (Greenwich Mean Time) shouldn’t be +used as it is slightly incorrect (up to 0.9 seconds difference to UTC). The UTC +base time equals to 0 (based at Greenwich, England) and all time zones have an +offset to UTC between -12 to +14 hours! + +For example: If you live in Berlin, you are in a time zone one hour earlier than +UTC, so you are in time zone “+1” (time difference in hours compared to UTC). +If it’s 3 o’clock in Berlin it’s 2 o’clock in UTC “at the same moment”. + +Be aware that at a few places on earth don’t use time zones with even hour +offsets (e.g., New Delhi uses UTC+05:30)! + +Further information can be found at: {wikipedia-main-url}Time_zone and +{wikipedia-main-url}Coordinated_Universal_Time. +**** + +.What is daylight saving time (DST)? +**** +Daylight Saving Time (DST), also known as Summer Time is intended to “save” +some daylight during the summer months. To do this, a lot of countries (but not +all!) add a DST hour to the already existing UTC offset. So you may need to take +another hour (or in very rare cases even two hours!) difference into your “time +zone calculations”. + +Unfortunately, the date at which DST actually takes effect is different +throughout the world. You may also note, that the northern and southern +hemispheres have opposite DST’s (e.g., while it’s summer in Europe it’s winter in +Australia). + +Keep in mind: UTC remains the same all year around, regardless of DST! + +Further information can be found at +link:{wikipedia-main-url}Daylight_saving[]. +**** + +Further time zone and DST information can be found at +{greenwichmeantime-main-url} and {timeanddate-main-url}. + +[discrete] +==== Set your computer’s time correctly! + +If you work with people around the world it’s very helpful to set your +computer’s time and time zone right. + +You should set your computers time and time zone in the correct sequence: + +. Set your time zone to your current location + +. Set your computer’s clock to the local time + +This way you will tell your computer both the local time and also the time +offset to UTC. Many organizations simply set the time zone on their servers and +networking gear to UTC in order to make coordination and troubleshooting easier. + +[TIP] +==== +If you travel around the world, it’s an often-made mistake to adjust the hours +of your computer clock to the local time. Don’t adjust the hours but your time +zone setting instead! For your computer, the time is essentially the same as +before, you are simply in a different time zone with a different local time. +==== + +You can use the Network Time Protocol (NTP) to automatically adjust your +computer to the correct time, by synchronizing it to Internet NTP clock servers. +NTP clients are available for all operating systems that Wireshark supports (and +for a lot more), for examples see {ntp-main-url}. + + +==== Wireshark and Time Zones + +So what’s the relationship between Wireshark and time zones anyway? + +Wireshark’s native capture file format (libpcap format), and some +other capture file formats, such as the Windows Sniffer, *Peek, Sun +snoop formats, and newer versions of the Microsoft Network Monitor and +Network Instruments/Viavi Observer formats, save the arrival time of +packets as UTC values. UN*X systems, and “Windows NT based” systems +represent time internally as UTC. When Wireshark is capturing, no +conversion is necessary. However, if the system time zone is not set +correctly, the system’s UTC time might not be correctly set even if +the system clock appears to display correct local time. When capturing, +Npcap has to convert the time to UTC before supplying it to Wireshark. +If the system’s time zone is not set correctly, that conversion will +not be done correctly. + +Other capture file formats, such as the OOS-based Sniffer format and +older versions of the Microsoft Network Monitor and Network +Instruments/Viavi Observer formats, save the arrival time of packets as +local time values. + +Internally to Wireshark, time stamps are represented in UTC. This means that +when reading capture files that save the arrival time of packets as local time +values, Wireshark must convert those local time values to UTC values. + +Wireshark in turn will display the time stamps always in local time. The +displaying computer will convert them from UTC to local time and displays this +(local) time. For capture files saving the arrival time of packets as UTC +values, this means that the arrival time will be displayed as the local time in +your time zone, which might not be the same as the arrival time in the time zone +in which the packet was captured. For capture files saving the arrival time of +packets as local time values, the conversion to UTC will be done using your time +zone’s offset from UTC and DST rules, which means the conversion will not be +done correctly; the conversion back to local time for display might undo this +correctly, in which case the arrival time will be displayed as the arrival time +in which the packet was captured. + +[#ChAdvTabTimezones] + +.Time zone examples for UTC arrival times (without DST) +[options="header"] +|=== +||Los Angeles|New York|Madrid|London|Berlin|Tokyo +|_Capture File (UTC)_|10:00|10:00|10:00|10:00|10:00|10:00 +|_Local Offset to UTC_|-8|-5|-1|0|+1|+9 +|_Displayed Time (Local Time)_|02:00|05:00|09:00|10:00|11:00|19:00 +|=== + +For example, let’s assume that someone in Los Angeles captured a packet with +Wireshark at exactly 2 o’clock local time and sends you this capture file. The +capture file’s time stamp will be represented in UTC as 10 o’clock. You are +located in Berlin and will see 11 o’clock on your Wireshark display. + +Now you have a phone call, video conference or Internet meeting with that one to +talk about that capture file. As you are both looking at the displayed time on +your local computers, the one in Los Angeles still sees 2 o’clock but you in +Berlin will see 11 o’clock. The time displays are different as both Wireshark +displays will show the (different) local times at the same point in time. + +__Conclusion__: You may not bother about the date/time of the time stamp you +currently look at unless you must make sure that the date/time is as expected. +So, if you get a capture file from a different time zone and/or DST, you’ll have +to find out the time zone/DST difference between the two local times and +“mentally adjust” the time stamps accordingly. In any case, make sure that +every computer in question has the correct time and time zone setting. + +[#ChAdvReassemblySection] + + +=== Packet Reassembly + +==== What Is It? + +Network protocols often need to transport large chunks of data which are +complete in themselves, e.g., when transferring a file. The underlying protocol +might not be able to handle that chunk size (e.g., limitation of the network +packet size), or is stream-based like TCP, which doesn’t know data chunks at +all. + +In that case the network protocol has to handle the chunk boundaries itself and +(if required) spread the data over multiple packets. It obviously also needs a +mechanism to determine the chunk boundaries on the receiving side. + +Wireshark calls this mechanism reassembly, although a specific protocol +specification might use a different term for this (e.g., desegmentation, +defragmentation, etc.). + +==== How Wireshark Handles It + +For some of the network protocols Wireshark knows of, a mechanism is implemented +to find, decode and display these chunks of data. Wireshark will try to find the +corresponding packets of this chunk, and will show the combined data as +additional tabs in the “Packet Bytes” pane (for information about this pane. +See <<ChUsePacketBytesPaneSection>>). + +[#ChAdvWiresharkBytesPaneTabs] + +.The “Packet Bytes” pane with a reassembled tab +image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}] + +Reassembly might take place at several protocol layers, so it’s possible that +multiple tabs in the “Packet Bytes” pane appear. + +[NOTE] +==== +You will find the reassembled data in the last packet of the chunk. +==== + +For example, in a _HTTP_ GET response, the requested data (e.g., an HTML page) is +returned. Wireshark will show the hex dump of the data in a new tab +“Uncompressed entity body” in the “Packet Bytes” pane. + +Reassembly is enabled in the preferences by default but can be disabled in the +preferences for the protocol in question. Enabling or disabling reassembly +settings for a protocol typically requires two things: + +. The lower-level protocol (e.g., TCP) must support reassembly. Often this + reassembly can be enabled or disabled via the protocol preferences. + +. The higher-level protocol (e.g., HTTP) must use the reassembly mechanism to + reassemble fragmented protocol data. This too can often be enabled or disabled + via the protocol preferences. + +The tooltip of the higher-level protocol setting will notify you if and which +lower-level protocol setting also has to be considered. + +[#ChAdvReassemblyTcp] + +==== TCP Reassembly + +Protocols such as HTTP or TLS are likely to span multiple TCP segments. The +TCP protocol preference “Allow subdissector to reassemble TCP streams” (enabled +by default) makes it possible for Wireshark to collect a contiguous sequence of +TCP segments and hand them over to the higher-level protocol (for example, to +reconstruct a full HTTP message). All but the final segment will be marked with +“[TCP segment of a reassembled PDU]” in the packet list. + +Disable this preference to reduce memory and processing overhead if you are only +interested in TCP sequence number analysis (<<ChAdvTCPAnalysis>>). Keep in mind, +though, that higher-level protocols might be wrongly dissected. For example, +HTTP messages could be shown as “Continuation” and TLS records could be shown as +“Ignored Unknown Record”. Such results can also be observed if you start +capturing while a TCP connection was already started or when TCP segments +are lost or delivered out-of-order. + +To reassemble of out-of-order TCP segments, the TCP protocol preference +“Reassemble out-of-order segments” (currently disabled by default) must be +enabled in addition to the previous preference. +If all packets are received in-order, this preference will not have any effect. +Otherwise (if missing segments are encountered while sequentially processing a +packet capture), it is assuming that the new and missing segments belong to the +same PDU. Caveats: + +* Lost packets are assumed to be received out-of-order or retransmitted later. + Applications usually retransmit segments until these are acknowledged, but if + the packet capture drops packets, then Wireshark will not be able to + reconstruct the TCP stream. In such cases, you can try to disable this + preference and hopefully have a partial dissection instead of seeing just + “[TCP segment of a reassembled PDU]” for every TCP segment. +// See test/suite_decryption.py (suite_decryption.case_decrypt_80211) +// which would break when enabling the preference. +* When doing a capture in monitor mode (IEEE 802.11), packets are more likely to + get lost due to signal reception issues. In that case it is recommended to + disable the option. +// See test/suite_dissection.py (case_dissect_tcp.check_tcp_out_of_order) +* If the new and missing segments are in fact part of different PDUs, + then processing is currently delayed until no more segments are missing, even + if the begin of the missing segments completed a PDU. For example, assume six + segments forming two PDUs `ABC` and `DEF`. When received as `ABECDF`, an + application can start processing the first PDU after receiving `ABEC`. + Wireshark however requires the missing segment `D` to be received as well. + This issue will be addressed in the future. +// See test/suite_dissection.py (case_dissect_tcp.test_tcp_out_of_order_twopass) +* In the GUI and during a two-pass dissection (`tshark -2`), the previous + scenario will display both PDUs in the packet with last segment (`F`) rather + than displaying it in the first packet that has the final missing segment of a + PDU. This issue will be addressed in the future. +* When enabled, fields such as the SMB “Time from request” (`smb.time`) might be + smaller if the request follows other out-of-order segments (this reflects + application behavior). If the previous scenario however occurs, then the time + of the request is based on the frame where all missing segments are received. + +Regardless of the setting of these two reassembly-related preferences, you can +always use the “Follow TCP Stream” option (<<ChAdvFollowStreamSection>>) which +displays segments in the expected order. + +[#ChAdvNameResolutionSection] + +=== Name Resolution + +Name resolution tries to convert some of the numerical address values into a +human readable format. There are two possible ways to do these conversions, +depending on the resolution to be done: calling system/network services (like +the gethostname() function) and/or resolving from Wireshark specific +configuration files. For details about the configuration files Wireshark uses +for name resolution and alike, see <<AppFiles>>. + +The name resolution feature can be enabled individually for the protocol layers +listed in the following sections. + +==== Name Resolution Drawbacks + +Name resolution can be invaluable while working with Wireshark and may even save +you hours of work. Unfortunately, it also has its drawbacks. + +* _Name resolution can often fail._ The name to be resolved might simply be + unknown by the name servers asked, or the servers are just not available and + the name is also not found in Wireshark’s configuration files. + +* _Resolved names might not be available._ +Wireshark obtains name resolution information from a variety of sources, including DNS servers, the capture file itself (e.g., for a pcapng file), and the _hosts_ files on your system and in your <<ChAppFilesConfigurationSection,profile directory>>. +The resolved names might not be available if you open the capture file later or on a different machine. As a result, each time you or someone else opens a particular capture file it may look slightly different due to changing environments. + +* _DNS may add additional packets to your capture file._ +You might run into the link:{wikipedia-main-url}Observer_effect_(information_technology)[observer effect] if the extra traffic from Wireshark’s DNS queries and responses affects the problem you're trying to troubleshoot or any subsequent analysis. ++ +The same sort of thing can happen when capturing over a remote connection, e.g., SSH or RDP. + +// XXX Are there any other such packets than DNS ones? + +* _Resolved DNS names are cached by Wireshark._ This is required for acceptable + performance. However, if the name resolution information should change while + Wireshark is running, Wireshark won’t notice a change in the name resolution + information once it gets cached. If this information changes while Wireshark + is running, e.g., a new DHCP lease takes effect, Wireshark won’t notice it. + +// XXX Is this true for all or only for DNS info? + +Name resolution in the packet list is done while the list is filled. If a name +can be resolved after a packet is added to the list, its former entry won’t be +changed. As the name resolution results are cached, you can use +menu:View[Reload] to rebuild the packet list with the correctly resolved names. +However, this isn’t possible while a capture is in progress. + +// XXX Add information about the address editor frame (View -> Name Resolution -> Edit Resolved Name) + +==== Ethernet Name Resolution (MAC Layer) + +Try to resolve an Ethernet MAC address (e.g., 00:09:5b:01:02:03) to a human readable name. + +__ARP name resolution (system service)__: Wireshark will ask the operating +system to convert an Ethernet address to the corresponding IP address (e.g. +00:09:5b:01:02:03 → 192.168.0.1). + +__Ethernet codes (ethers file)__: If the ARP name resolution failed, Wireshark +tries to convert the Ethernet address to a known device name, which has been +assigned by the user using an _ethers_ file (e.g., 00:09:5b:01:02:03 → +homerouter). + +__Ethernet manufacturer codes (manuf file)__: If neither ARP or ethers returns a +result, Wireshark tries to convert the first 3 bytes of an ethernet address to +an abbreviated manufacturer name, which has been assigned by the IEEE (e.g. +00:09:5b:01:02:03 → Netgear_01:02:03). + +==== IP Name Resolution (Network Layer) + +Try to resolve an IP address (e.g., 216.239.37.99) to a human readable name. + +__DNS name resolution (system/library service)__: Wireshark will use a name +resolver to convert an IP address to the hostname associated with it +(e.g., 216.239.37.99 -> www.1.google.com). + +Most applications use synchronously DNS name resolution. +For example, your web browser must resolve the host name portion of a URL before it can connect to the server. +Capture file analysis is different. +A given file might have hundreds, thousands, or millions of IP addresses so for usability and performance reasons Wireshark uses asynchronous resolution. +Both mechanisms convert IP addresses to human readable (domain) names and typically use different sources such as the system hosts file (__/etc/hosts__) and any configured DNS servers. + +Since Wireshark doesn’t wait for DNS responses, the host name for a given address might be missing from a given packet when you view it the first time but be present when you view it subsequent times. + +You can adjust name resolution behavior in the Name Resolution section in the <<ChCustPreferencesSection,Preferences Dialog>>. +You can control resolution itself by adding a __hosts__ file to your <<ChAppFilesConfigurationSection,personal configuration directory>>. +You can also edit your system __hosts__ file, but that isn’t generally recommended. + +==== TCP/UDP Port Name Resolution (Transport Layer) + +Try to resolve a TCP/UDP port (e.g., 80) to a human readable name. + +__TCP/UDP port conversion (system service)__: Wireshark will ask the operating +system to convert a TCP or UDP port to its well-known name (e.g., 80 -> http). + +==== VLAN ID Resolution + +To get a descriptive name for a VLAN tag ID a vlans file can be used. + +==== SS7 Point Code Resolution + +To get a node name for a SS7 point code a ss7pcs file can be used. + +// XXX - mention the role of the /etc/services file (but don’t forget the files and folders section)! + +[#ChAdvChecksums] + +=== Checksums + +Several network protocols use checksums to ensure data integrity. Applying +checksums as described here is also known as _redundancy checking_. + + +.What are checksums for? +**** +Checksums are used to ensure the integrity of data portions for data +transmission or storage. A checksum is basically a calculated summary of such a +data portion. + +Network data transmissions often produce errors, such as toggled, missing or +duplicated bits. As a result, the data received might not be identical to the +data transmitted, which is obviously a bad thing. + +Because of these transmission errors, network protocols very often use checksums +to detect such errors. The transmitter will calculate a checksum of the data and +transmits the data together with the checksum. The receiver will calculate the +checksum of the received data with the same algorithm as the transmitter. If the +received and calculated checksums don’t match a transmission error has occurred. + +Some checksum algorithms are able to recover (simple) errors by calculating +where the expected error must be and repairing it. + +If there are errors that cannot be recovered, the receiving side throws away the +packet. Depending on the network protocol, this data loss is simply ignored or +the sending side needs to detect this loss somehow and retransmits the required +packet(s). + +Using a checksum drastically reduces the number of undetected transmission +errors. However, the usual checksum algorithms cannot guarantee an error +detection of 100%, so a very small number of transmission errors may remain +undetected. + +There are several different kinds of checksum algorithms; an example of an often +used checksum algorithm is CRC32. The checksum algorithm actually chosen for a +specific network protocol will depend on the expected error rate of the network +medium, the importance of error detection, the processor load to perform the +calculation, the performance needed and many other things. + +Further information about checksums can be found at: +{wikipedia-main-url}Checksum. +**** + +==== Wireshark Checksum Validation + +Wireshark will validate the checksums of many protocols, e.g., IP, TCP, UDP, etc. + +It will do the same calculation as a “normal receiver” would do, and shows the +checksum fields in the packet details with a comment, e.g., [correct] or +[invalid, must be 0x12345678]. + +Checksum validation can be switched off for various protocols in the Wireshark +protocol preferences, e.g., to (very slightly) increase performance. + +If the checksum validation is enabled and it detected an invalid checksum, +features like packet reassembly won’t be processed. This is avoided as +incorrect connection data could “confuse” the internal database. + +==== Checksum Offloading + +The checksum calculation might be done by the network driver, protocol driver or +even in hardware. + +For example: The Ethernet transmitting hardware calculates the Ethernet CRC32 +checksum and the receiving hardware validates this checksum. If the received +checksum is wrong Wireshark won’t even see the packet, as the Ethernet hardware +internally throws away the packet. + +Higher-level checksums are “traditionally” calculated by the protocol +implementation and the completed packet is then handed over to the hardware. + +Recent network hardware can perform advanced features such as IP checksum +calculation, also known as checksum offloading. The network driver won’t +calculate the checksum itself but will simply hand over an empty (zero or +garbage filled) checksum field to the hardware. + +[NOTE] +==== +Checksum offloading often causes confusion as network packets to be +transmitted are given to Wireshark before they are handed over to the +hardware. Wireshark gets these “empty” checksums and displays them as +invalid, even though the packets will contain valid checksums when they +transit the network. + +This only applies to packets that are locally generated by the capture +point. Received packets will have traveled through network hardware +and should have correct checksums. +==== + + +Checksum offloading can be confusing and having a lot of [invalid] messages on +the screen can be quite annoying. As mentioned above, invalid checksums may lead +to unreassembled packets, making the analysis of the packet data much harder. + +You can do two things to avoid this checksum offloading problem: + +* Turn off the checksum offloading in the network driver, if this option is available. + +* Turn off checksum validation of the specific protocol in the Wireshark preferences. + Recent releases of Wireshark disable checksum validation by default due to the + prevalence of offloading in modern hardware and operating systems. + +==== Partial Checksums + +TCP and UDP checksums are calculated over both the payload and from selected +elements from the IPv4 or IPv6 header, known as the pseudo header. Linux +and Windows, when offloading checksums, will calculate the contribution from +the pseudo header and place it in the checksum field. The driver then directs +the hardware to calculate the checksum over the payload area, which will +produce the correct result including the pseudo header's portion of the sum +as a matter of mathematics. + +This precomputation speeds up the hardware checksum calculation later, +allows the driver to direct the hardware to do checksums over encapsulated +payloads (__Local Checksum Offload__), and allows applications to send +the kernel large "superpacket" buffers that will be later divided by +the hardware into multiple maximum size packets when sent on the network +(__TCP Segmentation Offload (TSO)__ and __Generic Segmentation Offload (GSO)__). + +[NOTE] +==== +Wireshark 4.2.0 and later can calculate the partial checksum contribution +from the pseudo header, and when validating TCP and UDP checksums will +mark partial checksums as valid but partial. The packets with partial +checksums will not be colored as Bad Checksums by the default coloring rules, +and will still be used for reassembly. This eliminates spurious checksum +errors seen on packets transmitted from the capturing host on those platforms +that use partial checksums when offloading. +==== + +// End of WSUG Chapter Advanced diff --git a/doc/wsug_src/wsug_build_install.adoc b/doc/wsug_src/wsug_build_install.adoc new file mode 100644 index 00000000..33035bde --- /dev/null +++ b/doc/wsug_src/wsug_build_install.adoc @@ -0,0 +1,350 @@ +// WSUG Chapter BuildInstall + +[#ChapterBuildInstall] + +== Building and Installing Wireshark + +[#ChBuildInstallIntro] + +=== Introduction + +As with all things there must be a beginning and so it is with Wireshark. To +use Wireshark you must first install it. If you are running Windows or macOS +you can download an official release at {wireshark-download-url}, install it, +and skip the rest of this chapter. + +If you are running another operating system such as Linux or FreeBSD you might +want to install from source. Several Linux distributions offer Wireshark +packages but they commonly provide out-of-date versions. No other versions of UNIX +ship Wireshark so far. For that reason, you will need to know where to get the +latest version of Wireshark and how to install it. + +This chapter shows you how to obtain source and binary packages and how to +build Wireshark from source should you choose to do so. + +The general steps are the following: + +. Download the relevant package for your needs, e.g., source or binary + distribution. + +. For source distributions, compile the source into a binary. + This may involve building and/or installing other necessary packages. + +. Install the binaries into their final destinations. + +[#ChBuildInstallDistro] + +=== Obtaining the source and binary distributions + +You can obtain both source and binary distributions from the Wireshark {wireshark-main-url}[main page] or the download page at {wireshark-download-url}. +Select the package most appropriate for your system. + +// +// Windows +// + +[#ChBuildInstallWinInstall] + +=== Installing Wireshark under Windows + +The official Windows packages can be downloaded from the Wireshark {wireshark-main-url}[main page] or the {wireshark-download-url}[download page]. +Installer names contain the version and platform. +For example, Wireshark-{wireshark-version}-x64.exe installs Wireshark {wireshark-version} for Windows on 64-bit Intel processors. +The Wireshark installer includes Npcap which is required for packet capture. +Windows packages automatically update. +See <<ChBuildInstallUpdatingWireshark>> for details. + +Simply download the Wireshark installer from {wireshark-download-url} and execute it. +Official packages are signed by *Wireshark Foundation*. +You can choose to install several optional components and select the location of the installed package. +The default settings are recommended for most users. + +[#ChBuildInstallWinComponents] + +==== Installation Components + +On the _Choose Components_ page of the installer you can select from the following: + +* *Wireshark* - The network protocol analyzer that we all know and mostly love. + +* *TShark* - A command-line network protocol analyzer. If you haven’t tried it + you should. + +* *External Capture (extcap)* - External Capture Interfaces + + - *Androiddump* - Provide capture interfaces from Android devices. + + - *Etwdump* - Provide an interface to read Event Tracing for Windows (ETW) event trace (ETL). + + - *Randpktdump* - Provide an interface to the random packet generator. (see also randpkt) + + - *Sshdump, Ciscodump, and Wifidump* - Provide remote capture through SSH. (tcpdump, Cisco EPC, wifi) + + - *UDPdump* - Provide capture interface to receive UDP packets streamed from network devices. + +[#ChBuildInstallWinAdditionalTasks] + +==== Additional Tasks + +* *Wireshark Start Menu Item* - Add a shortcut to the start menu. + +* *Wireshark Desktop Icon* - Add a Wireshark icon to the desktop. + +* *Associate trace file extensions with Wireshark* - Associate standard network trace files to Wireshark. + +[#ChBuildInstallWinLocation] + +==== Install Location + +By default Wireshark installs into `%ProgramFiles%\Wireshark` on 32-bit Windows +and `%ProgramFiles64%\Wireshark` on 64-bit Windows. This expands to `C:\Program +Files\Wireshark` on most systems. + +[#ChBuildInstallNpcap] + +==== Installing Npcap + +The Wireshark installer contains the latest Npcap installer. + +If you don’t have Npcap installed you won’t be able to capture live network +traffic but you will still be able to open saved capture files. By default the +latest version of Npcap will be installed. If you don’t wish to do this or if +you wish to reinstall Npcap you can check the _Install Npcap_ box as needed. + +For more information about Npcap see {npcap-main-url} and +{wireshark-wiki-url}Npcap. + + +[#ChBuildInstallWinWiresharkCommandLine] + +==== Windows installer command line options + +For special cases, there are some command line parameters available: + +* `/S` runs the installer or uninstaller silently with default values. The + silent installer *will not* install Npcap. + +* `/desktopicon` installation of the desktop icon, `=yes` - force installation, + `=no` - don’t install, otherwise use default settings. This option can be + useful for a silent installer. + +* `/quicklaunchicon` installation of the quick launch icon, `=yes` - force + installation, `=no` - don’t install, otherwise use default settings. + +* `/D` sets the default installation directory ($INSTDIR), overriding InstallDir + and InstallDirRegKey. It must be the last parameter used in the command line + and must not contain any quotes even if the path contains spaces. + +* `/NCRC` disables the CRC check. We recommend against using this flag. + +* `/EXTRACOMPONENTS` comma separated list of optional components to install. +The following extcap binaries are supported. + + +** `androiddump` - Provide interfaces to capture from Android devices + +** `ciscodump` - Provide interfaces to capture from a remote Cisco router through SSH + +** `randpktdump` - Provide an interface to generate random captures using randpkt + +** `sshdump` - Provide interfaces to capture from a remote host through SSH using a remote capture binary + +** `udpdump` - Provide a UDP receiver that gets packets from network devices + +Example: +---- +> Wireshark-4.2.5-x64.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo + +> Wireshark-4.2.5-x64.exe /S /EXTRACOMPONENTS=sshdump,udpdump +---- + +Running the installer without any parameters shows the normal interactive installer. + +[#ChBuildInstallNpcapManually] + +==== Manual Npcap Installation + +As mentioned above, the Wireshark installer also installs Npcap. +If you prefer to install Npcap manually or want to use a different version than the +one included in the Wireshark installer, you can download Npcap from +the main Npcap site at {npcap-main-url}. + +[#ChBuildInstallNpcapUpdate] + +==== Update Npcap + +Wireshark updates may also include a new version of Npcap. +Manual Npcap updates instructions can be found on the Npcap web +site at {npcap-main-url}. You may have to reboot your machine after installing +a new Npcap version. + +[#ChBuildInstallWinUninstall] + +==== Uninstall Wireshark + +You can uninstall Wireshark using the _Programs and Features_ control panel. +Select the “Wireshark” entry to start the uninstallation procedure. + +The Wireshark uninstaller provides several options for removal. The default is +to remove the core components but keep your personal settings and Npcap. +Npcap is kept in case other programs need it. + +[#ChBuildInstallNpcapUninstall] + +==== Uninstall Npcap + +You can uninstall Npcap independently of Wireshark using the _Npcap_ entry +in the _Programs and Features_ control panel. Remember that if you uninstall +Npcap you won’t be able to capture anything with Wireshark. + +[#ChBuildInstallWinBuild] + +=== Building from source under Windows + +We strongly recommended using the binary installer for Windows unless you +want to start developing Wireshark on the Windows platform. + +For further information how to obtain sources and build Wireshark for Windows +from the sources see the Developer’s Guide at: + +* {wireshark-developers-guide-url}ChSrcObtain + +* {wireshark-developers-guide-url}ChSetupWindows + +You may also want to have a look at the Development Wiki +({wireshark-wiki-url}Development) for the latest available development +documentation. + +// +// macOS +// + +[#ChBuildInstallOSXInstall] + +=== Installing Wireshark under macOS + +The official macOS packages can be downloaded from the Wireshark {wireshark-main-url}[main page] or the {wireshark-download-url}[download page]. +They are signed by *Wireshark Foundation*. +Packages are distributed as disk images (.dmg) containing the application bundle. +Package names contain the platform and version. +To install Wireshark simply open the disk image and drag _Wireshark_ to your _/Applications_ folder. +macOS packages automatically update. +See <<ChBuildInstallUpdatingWireshark>> for details. + +In order to capture packets, you must install the “ChmodBPF” launch daemon. +You can do so by opening the _Install ChmodBPF.pkg_ file in the Wireshark .dmg or from Wireshark itself by opening menu:Wireshark[About Wireshark] selecting the “Folders” tab, and double-clicking “macOS Extras”. + +The installer package includes Wireshark along with ChmodBPF and system path packages. +See the included _Read me first.html_ file for more details. + +[#ChBuildInstallUnixInstallBins] + +=== Installing the binaries under UNIX + +In general installing the binary under your version of UNIX will be specific to +the installation methods used with your version of UNIX. For example, under AIX, +you would use _smit_ to install the Wireshark binary package, while under Tru64 +UNIX (formerly Digital UNIX) you would use _setld_. + +==== Installing from RPMs under Red Hat and alike + +Building RPMs from Wireshark’s source code results in several packages (most +distributions follow the same system): + +* The `wireshark` package contains the core Wireshark libraries and command-line + tools. + +* The `wireshark` or `wireshark-qt` package contains the Qt-based GUI. + +Many distributions use `yum` or a similar package management tool to make +installation of software (including its dependencies) easier. If your +distribution uses `yum`, use the following command to install Wireshark +together with the Qt GUI: + +---- +yum install wireshark wireshark-qt +---- + +If you’ve built your own RPMs from the Wireshark sources you can install them +by running, for example: + +---- +rpm -ivh wireshark-2.0.0-1.x86_64.rpm wireshark-qt-2.0.0-1.x86_64.rpm +---- + +If the above command fails because of missing dependencies, install the +dependencies first, and then retry the step above. + +==== Installing from debs under Debian, Ubuntu and other Debian derivatives + +If you can just install from the repository then use + +---- +apt install wireshark +---- + +Apt should take care of all of the dependency issues for you. + +[NOTE] +.Capturing requires privileges +==== +By installing Wireshark packages non-root, users won’t gain rights automatically +to capture packets. To allow non-root users to capture packets follow the +procedure described in {wireshark-code-file-url}packaging/debian/README.Debian +(file:///usr/share/doc/wireshark-common/README.Debian.gz[/usr/share/doc/wireshark-common/README.Debian.gz]) +==== + +==== Installing from portage under Gentoo Linux + +Use the following command to install Wireshark under Gentoo Linux with all of +the extra features: + +---- +USE="c-ares ipv6 snmp ssl kerberos threads selinux" emerge wireshark +---- + +==== Installing from packages under FreeBSD + +Use the following command to install Wireshark under FreeBSD: + +---- +pkg_add -r wireshark +---- + +pkg_add should take care of all of the dependency issues for you. + +[#ChBuildInstallUnixBuild] + +=== Building from source under UNIX or Linux + +We recommended using the binary installer for your platform unless you +want to start developing Wireshark. + +Building Wireshark requires the proper build environment including a +compiler and many supporting libraries. For more information, see the Developer’s Guide at: + +* {wireshark-developers-guide-url}ChSrcObtain + +* {wireshark-developers-guide-url}ChapterSetup#ChSetupUNIX + +[#ChBuildInstallUpdatingWireshark] + +=== Updating Wireshark + +By default, Wireshark on Windows and macOS will check for new versions and notify you when they are available. +If you have the _Check for updates_ preference disabled or if you run Wireshark in an isolated environment you should subscribe to the _wireshark-announce_ mailing list to be notified of new versions. +See <<ChIntroMailingLists>> for details on subscribing to this list. + +New versions of Wireshark are usually released every four to six weeks. +Updating Wireshark is done the same way as installing it. +Simply download and run the installer on Windows, or download and drag the application on macOS. +A reboot is usually not required and all your personal settings will remain unchanged. + +We offer two update channels, _Stable_ and _Development_. +The Stable channel is the default, and only installs packages from stable (even-numbered) release branches. +The Development channel installs development and release candidate packages when they are available, and stable releases otherwise. +To configure your release channel, go to menu:Preferences[Advanced] and search for “update.channel”. +See <<ChCustPreferencesSection>> for details. + +// End of WSUG ChapterBuildInstall + diff --git a/doc/wsug_src/wsug_capture.adoc b/doc/wsug_src/wsug_capture.adoc new file mode 100644 index 00000000..7ac3faf4 --- /dev/null +++ b/doc/wsug_src/wsug_capture.adoc @@ -0,0 +1,737 @@ +// WSUG Chapter Capture + +[#ChapterCapture] + +== Capturing Live Network Data + +[#ChCapIntroduction] + +=== Introduction + +Capturing live network data is one of the major features of Wireshark. + +The Wireshark capture engine provides the following features: + +* Capture from different kinds of network hardware such as Ethernet or 802.11. + +* Simultaneously capture from multiple network interfaces. + +* Stop the capture on different triggers such as the amount of captured data, + elapsed time, or the number of packets. + +* Simultaneously show decoded packets while Wireshark is capturing. + +* Filter packets, reducing the amount of data to be captured. See + <<ChCapCaptureFilterSection>>. + +* Save packets in multiple files while doing a long-term capture, optionally + rotating through a fixed number of files (a “ringbuffer”). See + <<ChCapCaptureFiles>>. + +The capture engine still lacks the following features: + +* Stop capturing (or perform some other action) depending on the captured data. + +[#ChCapPrerequisitesSection] + +=== Prerequisites + +Setting up Wireshark to capture packets for the first time can be +tricky. A comprehensive guide “How To setup a Capture” is available at +{wireshark-wiki-url}CaptureSetup. + +Here are some common pitfalls: + +* You may need special privileges to start a live capture. + +* You need to choose the right network interface to capture packet data from. + +* You need to capture at the right place in the network to see the traffic you + want to see. + +If you have any problems setting up your capture environment, you should have a +look at the guide mentioned above. + +[#ChCapCapturingSection] + +=== Start Capturing + +The following methods can be used to start capturing packets with Wireshark: + +* You can double-click on an interface in the <<ChCapInterfaceSection,welcome screen>>. + +* You can select an interface in the <<ChCapInterfaceSection,welcome screen>>, then select menu:Capture[Start] or click the first toolbar button. + +* You can get more detailed information about available interfaces using <<ChCapCaptureOptions>> (menu:Capture[Options...]). + +* If you already know the name of the capture interface you can start Wireshark from the command line: +-- +---- +$ wireshark -i eth0 -k +---- +-- +This will start Wireshark capturing on interface `eth0`. More details can be found at <<ChCustCommandLine>>. + +[#ChCapInterfaceSection] + +=== The “Capture” Section Of The Welcome Screen + +When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces. +Network activity for each interface will be shown in a sparkline next to the interface name. +It is possible to select more than one interface and capture from them simultaneously. + +[#ChCapCaptureInterfacesMainWin32] + +.Capture interfaces on Microsoft Windows +image::images/ws-capture-interfaces-main-win32.png[{screenshot-attrs}] + +[#ChCapCaptureInterfacesMainMacos] + +.Capture interfaces on macOS +image::images/ws-capture-interfaces-main-macos.png[{screenshot-attrs}] + +Some interfaces allow or require configuration prior to capture. +This will be indicated by a configuration icon +(image:images/toolbar/x-capture-options.png[height=16,width=16]) +to the left of the interface name. +Clicking on the icon will show the configuration dialog for that interface. + +Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter. + +Wireshark isn't limited to just network interfaces -- on most systems you can also capture USB, Bluetooth, and other types of packets. +Note also that an interface might be hidden if it’s inaccessible to Wireshark or if it has been hidden as described in <<ChCapManageInterfacesSection>>. + +[#ChCapCaptureOptions] + +=== The “Capture Options” Dialog Box + +When you select menu:Capture[Options...] (or use the corresponding item in the +main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in +<<ChCapCaptureOptionsDialog>>. +If you are unsure which options to choose in this dialog box, leaving the defaults settings as they are should work well in many cases. + +[#ChCapCaptureOptionsDialog] +.The “Capture Options” input tab +image::images/ws-capture-options.png[{screenshot-attrs}] + +The “Input” tab contains the “Interface” table, which shows the following columns: + +Interface:: +The interface name. ++ +Some interfaces allow or require configuration prior to capture. +This will be indicated by a configuration icon +(image:images/toolbar/x-capture-options.png[height=16,width=16]) +to the left of the interface name. +Clicking on the icon will show the configuration dialog for that interface. + +Traffic:: +A sparkline showing network activity over time. + +Link-layer Header:: +The type of packet captured by this interface. +In some cases it is possible to change this. +See <<ChCapLinkLayerHeader>> for more details. + +Promiscuous:: +Lets you put this interface in promiscuous mode while capturing. +Note that another application might override this setting. + +Snaplen:: +The snapshot length, or the number of bytes to capture for each packet. +You can set an explicit length if needed, e.g., for performance or privacy reasons. + +Buffer:: +The size of the kernel buffer that is reserved for capturing packets. +You can increase or decrease this as needed, but the default is usually sufficient. + +Monitor Mode:: +Lets you capture full, raw 802.11 headers. +Support depends on the interface type, hardware, driver, and OS. +Note that enabling this might disconnect you from your wireless network. + +Capture Filter:: +The capture filter applied to this interface. +You can edit the filter by double-clicking on it. +See <<ChCapCaptureFilterSection>> for more details about capture filters. + +Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses. + +If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings above will be overridden. + +“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same time. + +btn:[Manage Interfaces] opens the <<ChCapManageInterfacesDialog>> where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added. + +btn:[Compile Selected BPFs] opens <<ChCapCompiledFilterOutputDialog>>, which shows you the compiled bytecode for your capture filter. +This can help to better understand the capture filter you created. + + +[TIP] +.Linux power user tip +==== +The execution of BPFs can be sped up on Linux by turning on BPF Just In Time compilation by executing + +---- +$ echo 1 >/proc/sys/net/core/bpf_jit_enable +---- + +if it is not enabled already. To make the change persistent you can use +link:{sysfs-main-url}[sysfsutils]. +==== + +.The “Capture Options” output tab +image::images/ws-capture-options-output.png[{screenshot-attrs}] + +The “Output” tab shows the following information: + +Capture to a permanent file:: + +File::: +This field allows you to specify the file name that will be used for the capture file. +It is left blank by default. +If left blank, the capture data will be stored in a temporary file. +See <<ChCapCaptureFiles>> for details. +You can also click on the button to the right of this field to browse through the filesystem. + +Output format::: +Allows you to set the format of the capture file. +pcapng is the default and is more flexible than pcap. +pcapng might be required, e.g., if more than one interface is chosen for capturing. +See {wireshark-wiki-url}Development/PcapNg for more details on pcapng. + +Create a new file automatically...:: +Sets the conditions for switching a new capture file. +A new capture file can be created based on the following conditions: + * The number of packets in the capture file. + * The size of the capture file. + * The duration of the capture file. + * The wall clock time. + +Use a ring buffer with:: +Multiple files only. +Form a ring buffer of the capture files with the given number of files. + +More details about capture files can be found in <<ChCapCaptureFiles>>. + +.The “Capture Options” options tab +image::images/ws-capture-options-options.png[{screenshot-attrs}] + +The “Options” tab shows the following information: + +Display Options:: + +Update list of packets in real-time::: +Updates the packet list pane in real time during capture. +If you do not enable this, Wireshark will not display any packets until you stop the capture. +When you check this, Wireshark captures in a separate process and feeds the captures to the display process. + +Automatically scroll during live capture::: +Scroll the packet list pane as new packets come in, so you are always looking at the most recent packet. +Automatic scrolling is temporarily disabled when manually scrolling upwards or performing a <<ChUseTabGo,"Go" action>> so that the selected packet can be examined. +It will resume upon manually scrolling to the end of the packet list. +If you do not specify this Wireshark adds new packets to the packet list but does not scroll the packet list pane. +This option has no effect if “Update list of packets in real-time” is disabled. + +Show capture information during capture::: +If this option is enabled, the capture information dialog described in <<ChCapRunningSection>> will be shown while packets are captured. + +Name Resolution:: + +Resolve MAC addresses::: +Translate MAC addresses into names. + +Resolve network names::: +Translate network addresses into names. + +Resolve transport names::: +Translate transport names (port numbers). + +See <<ChAdvNameResolutionSection>> for more details on each of these options. + +Stop capture automatically after...:: + +Capturing can be stopped based on the following conditions: + +* The number of packets in the capture file. +* The number of capture files. +* The capture file size. +* The capture file duration. + +You can double click on an interface row in the “Input“ tab or click btn:[Start] from any tab to commence the capture. You can click btn:[Cancel] to apply your changes and close the dialog. + +[#ChCapManageInterfacesSection] + +=== The “Manage Interfaces” Dialog Box + +[#ChCapManageInterfacesDialog] +.The “Manage Interfaces” dialog box +image::images/ws-manage-interfaces.png[{screenshot-attrs}] + +The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage the following: + +Show:: +Whether or not to show or hide this interface in the welcome screen and the “Capture Options” dialog. + +Friendly Name:: +A name for the interface that is human readable. + +Interface Name:: +The device name of the interface. + +Comment:: +Can be used to add a descriptive comment for the interface. + +// [[ChCapManageInterfacesPipesDialog]] + +// .The “Pipes” tab +// image::images/ws-capture-options-manage-interfaces-pipes.png[{screenshot-attrs}] + +The “Pipes” tab lets you capture from a named pipe. +To successfully add a pipe, its associated named pipe must have already been created. +Click btn:[{plus}] and type the name of the pipe including its path. +Alternatively, btn:[Browse] can be used to locate the pipe. + +To remove a pipe from the list of interfaces, select it and press btn:[-]. + +// [[ChCapManageInterfacesDialog]] + +// === The “Add New Interfaces” dialog box + +// As a central point to manage interfaces this dialog box consists of three tabs +// to add or remove interfaces. + +// .The “Add New Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces.png[{screenshot-attrs}] + +// ==== Add or hide local interfaces + +// [[ChCapManageInterfacesLocalDialog]] +// .The “Add New Interfaces - Local Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-local.png[{screenshot-attrs}] + +// The tab “Local Interfaces” contains a list of available local interfaces, +// including the hidden ones, which are not shown in the other lists. + +// If a new local interface is added, for example, a wireless interface has been +// activated, it is not automatically added to the list to prevent the constant +// scanning for a change in the list of available interfaces. To renew the list a +// rescan can be done. + +// One way to hide an interface is to change the preferences. If the “Hide” +// checkbox is activated and the btn:[Apply] button clicked, the interface will +// not be seen in the lists of the “Capture Interfaces” dialog box any more. The +// changes are also saved in the `preferences` file. + +// ==== Add or hide remote interfaces + +// [[ChCapManageInterfacesRemoteDialog]] +// .The “Add New Interfaces - Remote Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-remote.png[{screenshot-attrs}] + +On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different machine. +The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it. + +On Linux or Unix you can capture (and do so more securely) through an SSH tunnel. + +To add a new remote capture interface, click btn:[{plus}] and specify the following: + +Host:: +The IP address or host name of the target platform where the Remote Packet Capture Protocol service is listening. +The drop-down list contains the hosts that have previously been successfully contacted. +The list can be emptied by choosing “Clear list” from the drop-down list. + +Port:: +Set the port number where the Remote Packet Capture Protocol service is listening on. +Leave blank to use the default port (2002). + +Null authentication:: +Select this if you don’t need authentication to take place for a remote capture to be started. +This depends on the target platform. +This is exactly as secure as it appears, i.e., it is not secure at all. + +Password authentication:: +Lets you specify the username and password required to connect to the Remote Packet Capture Protocol service. + +Each interface can optionally be hidden. +In contrast to the local interfaces, they are not saved in the `preferences` file. + +[NOTE] +==== +Make sure you have outside access to port 2002 on the target platform. +This is the default port used by the Remote Packet Capture Protocol service. +==== + +To remove a host including all its interfaces from the list, select it and click the btn:[-] button. + +// To access the Remote Capture Interfaces dialog use the “Remote Interfaces” tab of the “Manage Interfaces” dialog. See <<ChCapManageInterfacesRemoteDialog>> and select btn:[Add]. + +// [[ChCapInterfaceRemoteDialog]] +// .The “Remote Capture Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-remote-plus.png[{screenshot-attrs}] + + +// ==== Remote Capture Settings + +// The remote capture can be further fine tuned to match your situation. The +// btn:[Remote Interfaces] button in <<ChCapManageInterfacesDialog>> gives +// you this option. It pops up the dialog shown in +// <<ChCapInterfaceRemoteSettingsDialog>>. + +// [[ChCapInterfaceRemoteSettingsDialog]] +// .The “Remote Capture Settings” dialog box +// image::images/ws-capture-options-remote-settings.png[{screenshot-attrs}] + +// You can set the following parameters in this dialog: + +// _Do not capture own RPCAP traffic_:: +// This option sets a capture filter so that the traffic flowing back from the +// Remote Packet Capture Protocol service to Wireshark isn’t captured as well and +// also send back. The recursion in this saturates the link with duplicate traffic. +// + +// You only should switch this off when capturing on an interface other than the +// interface connecting back to Wireshark. + +// _Use UDP for data transfer_:: +// Remote capture control and data flows over a TCP connection. This option allows +// you to choose a UDP stream for data transfer. + +// _Sampling option None_:: +// This option instructs the Remote Packet Capture Protocol service to send back +// all captured packets which have passed the capture filter. This is usually not a +// problem on a remote capture session with sufficient bandwidth. + +// _Sampling option 1 of x packets_:: +// This option limits the Remote Packet Capture Protocol service to send only a sub +// sampling of the captured data, in terms of number of packets. This allows +// capture over a narrow band remote capture session of a higher bandwidth +// interface. + + +// _Sampling option 1 every x milliseconds_:: +// This option limits the Remote Packet Capture Protocol service to send only a sub +// sampling of the captured data in terms of time. This allows capture over a +// narrow band capture session of a higher bandwidth interface. + +// [[ChCapInterfaceDetailsSection]] + +// === The “Interface Details” dialog box + +// When you select Details from the Capture Interface menu, Wireshark pops up the +// “Interface Details” dialog box as shown in <<ChCapInterfaceDetailsDialog>>. This +// dialog shows various characteristics and statistics for the selected interface. + +// [NOTE] +// .Microsoft Windows only +// ==== +// This dialog is only available on Microsoft Windows +// ==== + +// [[ChCapInterfaceDetailsDialog]] +// .The “Interface Details” dialog box +// image::images/ws-capture-interface-details.png[{screenshot-attrs}] + +[#ChCapCompiledFilterOutputSection] + +=== The “Compiled Filter Output” Dialog Box + +This figure shows the results of compiling the BPF filter for the selected interfaces. + +[#ChCapCompiledFilterOutputDialog] + +.The “Compiled Filter Output” dialog box +image::images/ws-capture-options-compile-selected-bpfs.png[{medium-screenshot-attrs}] + +In the list on the left the interface names are listed. +The results of compiling a filter for the selected interface are shown on the right. + +[#ChCapCaptureFiles] + +=== Capture files and file modes + +While capturing, the underlying libpcap capturing engine will grab the packets +from the network card and keep the packet data in a (relatively) small kernel +buffer. This data is read by Wireshark and saved into a capture file. + +By default, Wireshark saves packets to a temporary file. You can also tell +Wireshark to save to a specific (“permanent”) file and switch to a +different file after a given time has elapsed or a given number of packets +have been captured. These options are controlled in the +“Capture Options” dialog's “Output” tab. + +[#ChCapCaptureOptionsOutputDialog] +.Capture output options +image::images/ws-capture-options-output.png[{screenshot-attrs}] + +[TIP] +==== +Working with large files (several hundred MB) can be quite slow. If you plan to do +a long-term capture or capturing from a high traffic network, think about using +one of the “Multiple files” options. This will spread the captured packets over +several smaller files which can be much more pleasant to work with. +==== + +Using the “Multiple files” option may cut context related information. Wireshark keeps +context information of the loaded packet data, so it can report context related +problems (like a stream error) and keeps information about context related +protocols (e.g., where data is exchanged at the establishing phase and only +referred to in later packets). As it keeps this information only for the loaded +file, using one of the multiple file modes may cut these contexts. If the +establishing phase is saved in one file and the things you would like to see is +in another, you might not see some of the valuable context related information. + +Information about the folders used for capture files can be found in +<<AppFiles>>. + +[#ChCapTabCaptureFiles] +.Capture file mode selected by capture options +[options="header",cols="2,2,2,3,5"] +|=== +|File Name|“Create a new file...”|“Use a ring buffer...”|Mode|Resulting filename(s) used +|-|-|-|Single temporary file|wireshark_<interface name>XXXXXX.pcap[ng] +(<interface name> is the "friendly name" of the capture interface if available +and the system name if not, when capturing on a single interface, and +"N_interfaces" where N is the number of interfaces, when capturing on +multiple interfaces; XXXXXX is a unique 6 character alphanumeric sequence.) +|foo.cap|-|-|Single named file|foo.cap +|foo.cap|x|-|Multiple files, continuous|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ... +|foo.cap|x|x|Multiple files, ring buffer|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ... +|=== + +Single temporary file:: +A temporary file will be created and used (this is the default). +After capturing is stopped this file can be saved later under a user specified name. + +Single named file:: +A single capture file will be used. +Choose this mode if you want to place the new capture file in a specific folder. + +Multiple files, continuous:: +Like the “Single named file” mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the “Next file every...” values). + +Multiple files, ring buffer:: +Much like “Multiple files continuous”, reaching one of the multiple files switch +conditions (one of the “Next file every ...” values) will switch to the next +file. This will be a newly created file if value of “Ring buffer with n files” +is not reached, otherwise it will replace the oldest of the formerly used files +(thus forming a “ring”). ++ +This mode will limit the maximum disk usage, even for an unlimited amount of +capture input data, only keeping the latest captured data. + +[#ChCapLinkLayerHeader] + +=== Link-layer header type + +In most cases you won’t have to modify link-layer header type. Some exceptions +are as follows: + +If you are capturing on an Ethernet device you might be offered a choice of +“Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable +Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be +captured, select “DOCSIS”, otherwise select “Ethernet”. + +If you are capturing on an 802.11 device on some versions of BSD you might be +offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the +captured packets to have fake (“cooked”) Ethernet headers. “802.11” will +cause them to have full IEEE 802.11 headers. Unless the capture needs to be read +by an application that doesn’t support 802.11 headers you should select +“802.11”. + +If you are capturing on an Endace DAG card connected to a synchronous serial +line you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If +the protocol on the serial line is PPP, select “PPP over serial” and if the +protocol on the serial line is Cisco HDLC, select “Cisco HDLC”. + +If you are capturing on an Endace DAG card connected to an ATM network you might +be offered a choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only +traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs +to be read by an application that doesn’t support SunATM headers, select “RFC +1483 IP-over-ATM”, otherwise select “Sun raw ATM”. + +[#ChCapCaptureFilterSection] + +=== Filtering while capturing + +Wireshark supports limiting the packet capture to packets that match a +_capture filter_. Wireshark capture filters are written in +libpcap filter language. Below is a brief overview of the libpcap filter +language's syntax. Complete documentation can be found at +the link:{pcap-filter-man-page-url}[pcap-filter man page]. You can find +many Capture Filter examples at {wireshark-wiki-url}CaptureFilters. + +You enter the capture filter into the “Filter” field of the Wireshark +“Capture Options” dialog box, as shown in <<ChCapCaptureOptionsDialog>>. + +A capture filter takes the form of a series of primitive expressions connected +by conjunctions (__and/or__) and optionally preceded by __not__: + +---- +[not] primitive [and|or [not] primitive ...] +---- + +An example is shown in <<ChCapExFilt1>>. + +[#ChCapExFilt1] +.A capture filter for telnet that captures traffic to and from a particular host +==== +---- +tcp port 23 and host 10.0.0.5 +---- +==== + +This example captures telnet traffic to and from the host 10.0.0.5, and shows +how to use two primitives and the __and__ conjunction. Another example is shown +in <<ChCapExFilt2>>, and shows how to capture all telnet traffic except that +from 10.0.0.5. + +[#ChCapExFilt2] +.Capturing all telnet traffic not from 10.0.0.5 +==== +---- +tcp port 23 and not src host 10.0.0.5 +---- +==== + +// XXX - add examples to the following list. + +A primitive is simply one of the following: _[src|dst] host <host>_:: +This primitive allows you to filter on a host IP address or name. You can +optionally precede the primitive with the keyword _src|dst_ to specify that you +are only interested in source or destination addresses. If these are not +present, packets where the specified address appears as either the source or the +destination address will be selected. + +ether [src|dst] host <ehost>:: +This primitive allows you to filter on Ethernet host addresses. You can +optionally include the keyword _src|dst_ between the keywords _ether_ and _host_ +to specify that you are only interested in source or destination addresses. If +these are not present, packets where the specified address appears in either the +source or destination address will be selected. + +gateway host <host>:: +This primitive allows you to filter on packets that used _host_ as a gateway. +That is, where the Ethernet source or destination was _host_ but neither the +source nor destination IP address was _host_. + +[src|dst] net <net> [{mask <mask>}|{len <len>}]:: +This primitive allows you to filter on network numbers. You can optionally +precede this primitive with the keyword _src|dst_ to specify that you are only +interested in a source or destination network. If neither of these are present, +packets will be selected that have the specified network in either the source or +destination address. In addition, you can specify either the netmask or the CIDR +prefix for the network if they are different from your own. + + +[tcp|udp] [src|dst] port <port>:: +This primitive allows you to filter on TCP and UDP port numbers. You can +optionally precede this primitive with the keywords _src|dst_ and _tcp|udp_ +which allow you to specify that you are only interested in source or destination +ports and TCP or UDP packets respectively. The keywords _tcp|udp_ must appear +before _src|dst_. ++ +If these are not specified, packets will be selected for both the TCP and UDP +protocols and when the specified address appears in either the source or +destination port field. + +less|greater <length>:: +This primitive allows you to filter on packets whose length was less than or +equal to the specified length, or greater than or equal to the specified length, +respectively. + +ip|ether proto <protocol>:: +This primitive allows you to filter on the specified protocol at either the +Ethernet layer or the IP layer. + +ether|ip broadcast|multicast:: +This primitive allows you to filter on either Ethernet or IP broadcasts or +multicasts. + +<expr> relop <expr>:: +This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. +Please see the pcap-filter man page at {pcap-filter-man-page-url} for more details. + + +[#ChCapCaptureAutoFilterSection] + +==== Automatic Remote Traffic Filtering + +If Wireshark is running remotely (using e.g., SSH, an exported X11 window, a +terminal server, ...), the remote content has to be transported over the +network, adding a lot of (usually unimportant) packets to the actually +interesting traffic. + +To avoid this, Wireshark tries to figure out if it’s remotely connected (by +looking at some specific environment variables) and automatically creates a +capture filter that matches aspects of the connection. + +The following environment variables are analyzed: + +`SSH_CONNECTION` (ssh):: +<remote IP> <remote port> <local IP> <local port> + + +`SSH_CLIENT` (ssh):: +<remote IP> <remote port> <local port> + + +`REMOTEHOST` (tcsh, others?):: +<remote name> + +`DISPLAY` (x11):: +[remote name]:<display num> + + +`SESSIONNAME` (terminal server):: +<remote name> + +On Windows it asks the operating system if it’s running in a Remote Desktop Services environment. + +[#ChCapRunningSection] + +=== While a Capture is running ... + +You might see the following dialog box while a capture is running: + +[#ChCapCaptureInfoDialog] +.The “Capture Information” dialog box +image::images/ws-capture-info.png[{small-screenshot-attrs}] + +This dialog box shows a list of protocols and their activity over time. +It can be enabled via the “capture.show_info” setting in the “Advanced” +preferences. + +[#ChCapStopSection] + +==== Stop the running capture + +A running capture session will be stopped in one of the following ways: + +. The btn:[Stop Capture] button in the “Capture Information” dialog box. + +. The menu:Capture[Stop] menu item. + +. The btn:[Stop] toolbar button. + +. Pressing kbd:[Ctrl+E]. + +. The capture will be automatically stopped if one of the _Stop Conditions_ is + met, e.g., the maximum amount of data was captured. + +[#ChCapRestartSection] + +==== Restart a running capture + +A running capture session can be restarted with the same capture options as the +last time, this will remove all packets previously captured. This can be useful, +if some uninteresting packets are captured and there’s no need to keep them. + +Restart is a convenience function and equivalent to a capture stop following by +an immediate capture start. A restart can be triggered in one of the following +ways: + +. Using the menu:Capture[Restart] menu item. + +. Using the btn:[Restart] toolbar button. + +// End of WSUG Chapter Capture diff --git a/doc/wsug_src/wsug_customize.adoc b/doc/wsug_src/wsug_customize.adoc new file mode 100644 index 00000000..21b95ef2 --- /dev/null +++ b/doc/wsug_src/wsug_customize.adoc @@ -0,0 +1,1745 @@ +// WSUG Chapter Customizing + +[#ChapterCustomize] + +== Customizing Wireshark + +[#ChCustIntroduction] + +=== Introduction + +Wireshark’s default behavior will usually suit your needs pretty well. However, +as you become more familiar with Wireshark, it can be customized in various ways +to suit your needs even better. In this chapter we explore: + +* How to start Wireshark with command line parameters + +* How to colorize the packet list + +* How to control protocol dissection + +* How to use the various preference settings + +[#ChCustCommandLine] + +=== Start Wireshark from the command line + +You can start Wireshark from the command line, but it can also be started from +most Window managers as well. In this section we will look at starting it from +the command line. + +Wireshark supports a large number of command line parameters. To see what they +are, simply enter the command _wireshark -h_ and the help information shown in +<<ChCustEx1>> (or something similar) should be printed. + +[#ChCustEx1] +.Help information available from Wireshark +---- +include::wireshark-h.txt[] +---- + +We will examine each of the command line options in turn. + +The first thing to notice is that issuing the command `wireshark` by itself will +launch Wireshark. However, you can include as many of the command line +parameters as you like. Their meanings are as follows ( in alphabetical order ): + +// XXX - is the alphabetical order a good choice? Maybe better task based? + +-a <capture autostop condition>:: +--autostop <capture autostop condition>:: +Specify a criterion that specifies when Wireshark is to stop writing +to a capture file. The criterion is of the form test:value, where test +is one of: ++ +-- + duration:value:: + Stop writing to a capture file after value of seconds have elapsed. + + filesize:value:: + Stop writing to a capture file after it reaches a size of value + kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If + this option is used together with the -b option, Wireshark will + stop writing to the current capture file and switch to the next + one if filesize is reached. + + files:value:: + Stop writing to capture files after value number of files were + written. + + packets:value:: + Stop writing to a capture file after value number of packets were written. +-- + +-b <capture ring buffer option>:: +If a maximum capture file size was specified, this option causes Wireshark to +run in “ring buffer” mode, with the specified number of files. In “ring +buffer” mode, Wireshark will write to several capture files. Their +name is based on the number of the file and on the creation date and +time. ++ +When the first capture file fills up Wireshark will switch to writing +to the next file, and so on. With the files option it’s +also possible to form a “ring buffer.” This will fill up new files until the +number of files specified, at which point the data in the first file will be +discarded so a new file can be written. ++ +If the optional duration is specified, Wireshark will also +switch to the next file when the specified number of seconds has elapsed even +if the current file is not completely filled up. ++ +-- + duration:value:: + Switch to the next file after value seconds have elapsed, even + if the current file is not completely filled up. + + filesize:value:: + Switch to the next file after it reaches a size of value kilobytes + (where a kilobyte is 1000 bytes, not 1024 bytes). + + files:value:: + Begin again with the first file after value number of files were + written (form a ring buffer). + + packets:value:: + Switch to the next file after value number of packets were written, even + if the current file is not completely filled up. + + interval:value:: + Switch to the next file when the time is an exact multiple of value seconds. +-- + +-B <capture buffer size>:: +--buffer-size <capture buffer size>:: +Set capture buffer size (in MB, default is 2MB). This is used by the capture +driver to buffer packet data until that data can be written to disk. If you +encounter packet drops while capturing, try to increase this size. Not supported +on some platforms. + +-C <config profile>:: +Start with the specified configuration profile. + +-c <capture packet count>:: +This option specifies the maximum number of packets to capture when capturing +live data. It would be used in conjunction with the `-k` option. + +--capture-comment <comment>:: +Add the comment string to the capture file, if supported by the file format. + +-d <layer_type>==<selector>,<decode_as_protocol>:: +"Decode As", see <<ChAdvDecodeAs>> for details. Example: tcp.port==8888,http + +-D:: +--list-interfaces:: +Print a list of the interfaces on which Wireshark can capture, then exit. For +each network interface, a number and an interface name, possibly followed by a +text description of the interface, is printed. The interface name or the number +can be supplied to the `-i` flag to specify an interface on which to capture. ++ +This can be useful on systems that don’t have a command to list them (e.g., +Windows systems, or UNIX systems lacking `ifconfig -a`). The number can be +especially useful on Windows, where the interface name is a GUID. ++ +Note that “can capture” means that Wireshark was able to open that device to +do a live capture. If, on your system, a program doing a network capture must be +run from an account with special privileges, then, if +Wireshark is run with the `-D` flag and is not run from such an account, it will +not list any interfaces. + +--display <DISPLAY>:: +Set the X display to use, instead of the one defined in the environment, or +the default display. + +--enable-protocol <proto_name>:: +--disable-protocol <proto_name>:: +Enable and disable the dissection of the protocol. + +--enable-heuristic <short_name>:: +--disable-heuristic <short_name>:: +Enable and disable the dissection of the heuristic protocol. + +-f <capture filter>:: +This option sets the initial capture filter expression to be used when capturing +packets. + +--fullscreen:: +Start Wireshark in full screen. + +-g <packet number>:: +After reading in a capture file using the -r flag, go to the given packet +number. + +-h:: +--help:: +This option requests Wireshark to print its version and usage instructions +(as shown here) and exit. + +-H:: +Hide the capture info dialog during live packet capture. + +-i <capture interface>:: +--interface <capture interface>:: +Set the name of the network interface or pipe to use for live packet capture. ++ +Network interface names should match one of the names listed in `wireshark -D` +(described above). A number, as reported by `wireshark -D`, can also be used. If +you’re using UNIX, `netstat -i`, `ifconfig -a` or `ip link` might also work to +list interface names, although not all versions of UNIX support the `-a` flag to +`ifconfig`. ++ +If no interface is specified, Wireshark searches the list of interfaces, +choosing the first non-loopback interface if there are any non-loopback +interfaces, and choosing the first loopback interface if there are no +non-loopback interfaces; if there are no interfaces, Wireshark reports an error +and doesn’t start the capture. ++ +Pipe names should be either the name of a FIFO (named pipe) or “-” to read +data from the standard input. Data read from pipes must be in standard libpcap +format. + +-J <jump filter>:: +After reading in a capture file using the `-r` flag, jump to the first packet +which matches the filter expression. The filter expression is in display filter +format. If an exact match cannot be found the first packet afterwards is +selected. + +-I:: +--monitor-mode:: +Capture wireless packets in monitor mode if available. + +-j:: +Use this option after the `-J` option to search backwards for a first packet to +go to. + +-k:: +The `-k` option specifies that Wireshark should start capturing packets +immediately. This option requires the use of the `-i` parameter to specify the +interface that packet capture will occur from. + +-K <keytab file>:: +Use the specified file for Kerberos decryption. + +-l:: +This option turns on automatic scrolling if the packet list pane is being +updated automatically as packets arrive during a capture (as specified by the +`-S` flag). + +-L:: +--list-data-link-types:: +List the data link types supported by the interface and exit. + +--list-time-stamp-types:: +List timestamp types configurable for the interface and exit. + +-m <font>:: +This option sets the name of the font used for most text displayed by Wireshark. + +// XXX - add an example! + +-n:: +Disable network object name resolution (such as hostname, TCP and UDP port +names). + +-N <name resolving flags>:: +Turns on name resolving for particular types of addresses and port numbers. The +argument is a string that may contain the following letters: ++ +-- + N:: + Use external name resolver. + + d:: + Enable name resolution from captured DNS packets. + + m:: + Enable MAC address resolution. + + n:: + Enable network address resolution. + + t:: + Enable transport layer port number resolution. + + v:: + Enable VLAN ID resolution. +-- + +-o <preference or recent settings>:: +Sets a preference or recent value, overriding the default value and any value +read from a preference or recent file. The argument to the flag is a string of +the form _prefname:value_, where _prefname_ is the name of the preference (which +is the same name that would appear in the `preferences` or `recent` file), and +_value_ is the value to which it should be set. Multiple instances of `-o +<preference settings> ` can be given on a single command line. ++ +-- + +[NOTE] +.Preferences and Profiles +==== +The preferences you specify on the command line will override any settings +you have changed in any of your profiles; this includes when switching from +one profile to another. + +If you change a setting using the Preferences dialog +(see <<ChCustPreferencesSection>>) that you have also set on the command line, +the command line option will then be ignored, and the setting will change +as normal when you switch profiles. +==== + +An example of setting a single preference would be: + +---- +wireshark -o mgcp.display_dissect_tree:TRUE +---- + +An example of setting multiple preferences would be: +---- +wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627 +---- + +You can get a list of all available preference strings from the +preferences file. See <<AppFiles>> for details. + +<<ChUserTable,User Accessible Tables>> can be overridden using “uat,” +followed by the UAT file name and a valid record for the file: + +---- +wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\"" +---- + +The example above would dissect packets with a libpcap data link type 147 as +HTTP, just as if you had configured it in the DLT_USER protocol preferences. +-- + +-p:: +--no-promiscuous-mode:: +Don’t put the interface into promiscuous mode. Note that the interface might be +in promiscuous mode for some other reason. Hence, `-p` cannot be used to ensure +that the only traffic that is captured is traffic sent to or from the machine on +which Wireshark is running, broadcast traffic, and multicast traffic to +addresses received by that machine. + +-P <path setting>:: +Special path settings usually detected automatically. This is used for special +cases, e.g., starting Wireshark from a known location on an USB stick. ++ +The criterion is of the form key:path, where key is one of: ++ +-- + persconf:path:: + Path of personal configuration files, like the preferences files. + + persdata:path:: + Path of personal data files, it’s the folder initially opened. After the + initialization, the recent file will keep the folder last used. +-- + +-r <infile>:: +--read-file <infile>:: +This option provides the name of a capture file for Wireshark to read and +display. This capture file can be in one of the formats Wireshark understands. + +-R <read (display) filter>:: +--read-filter <read (display) filter>:: +This option specifies a display filter to be applied when reading packets from a +capture file. The syntax of this filter is that of the display filters discussed +in <<ChWorkDisplayFilterSection>>. Packets not matching the filter +are discarded. + +-s <capture snapshot length>:: +--snapshot-length <capture snapshot length>:: +This option specifies the snapshot length to use when capturing packets. +Wireshark will only capture _snaplen_ bytes of data for each packet. + +-S:: +This option specifies that Wireshark will display packets as it captures them. +This is done by capturing in one process and displaying them in a separate +process. This is the same as “Update list of packets in real time” in the +“Capture Options” dialog box. + +-t <time stamp format>:: +This option sets the format of packet timestamps that are displayed in the +packet list window. The format can be one of: ++ +-- +r:: Relative, which specifies timestamps are +displayed relative to the first packet captured. + +a:: Absolute, which specifies that actual times +be displayed for all packets. + +ad:: Absolute with date, which specifies that +actual dates and times be displayed for all packets. + +adoy:: Absolute with YYYY/DOY date, which specifies that +actual dates and times be displayed for all packets. + +d:: Delta, which specifies that timestamps +are relative to the previous packet. + +dd: Delta, which specifies that timestamps +are relative to the previous displayed packet. + +e:: Epoch, which specifies that timestamps +are seconds since epoch (Jan 1, 1970 00:00:00) + +u:: Absolute, which specifies that actual times +be displayed for all packets in UTC. + +ud:: Absolute with date, which specifies that +actual dates and times be displayed for all packets in UTC. + +udoy:: Absolute with YYYY/DOY date, which specifies that +actual dates and times be displayed for all packets in UTC. +-- + +-u <s | hms>:: +Show timesamps as seconds (“s”, the default) or hours, minutes, and seconds (“hms”) + +-v:: +--version:: +This option requests Wireshark to print out its version information and +exit. + +-w <savefile>:: +This option sets the name of the file to be used to save captured packets. +This can be '-' for stdout. + +-y <capture link type>:: +--link-type <capture like types>:: +If a capture is started from the command line with `-k`, set the data +link type to use while capturing packets. The values reported by `-L` +are the values that can be used. + +--time-stamp-type <type>:: +If a capture is started from the command line with `-k`, set the time +stamp type to use while capturing packets. The values reported by +`--list-time-stamp-types` are the values that can be used. + +-X <eXtension option>:: +Specify an option to be passed to a Wireshark/TShark module. The eXtension +option is in the form extension_key:value, where extension_key can be: ++ +-- +lua_script:<lua_script_filename>:: +Tells Wireshark to load the given script in addition to the default Lua scripts. + +lua_script[num]:argument:: +Tells Wireshark to pass the given argument to the lua script identified by +_num_, which is the number indexed order of the _lua_script_ command. For +example, if only one script was loaded with `-X lua_script:my.lua`, then `-X +lua_script1:foo` will pass the string _foo_ to the _my.lua_ script. If two +scripts were loaded, such as `-X lua_script:my.lua -X lua_script:other.lua` +in that order, then a `-X lua_script2:bar` would pass the +string _bar_ to the second lua script, ie., _other.lua_. + +read_format:<file_type>:: +Tells Wireshark to use a specific input file type, instead of determining it +automatically. + +stdin_descr:<description>:: +Define a description for the standard input interface, instead of the default: +"Standard input". +-- + +-Y <display filter>:: +--display-filter <display filter>:: +Start with the given display filter. + +-z <statistics-string>:: +Get Wireshark to collect various types of statistics and display the +result in a window that updates in semi-real time. For the currently +implemented statistics consult the Wireshark manual page. + +// XXX - add more details here! + + +[#ChCustColorizationSection] + +=== Packet colorization + +A very useful mechanism available in Wireshark is packet colorization. +You can set up Wireshark so that it will colorize packets according to a +display filter. This allows you to emphasize the packets you might be +interested in. + +You can find a lot of coloring rule examples at the _Wireshark Wiki +Coloring Rules page_ at {wireshark-wiki-url}ColoringRules. + +There are two types of coloring rules in Wireshark: temporary rules that +are only in effect until you quit the program, and permanent rules that +are saved in a preference file so that they are available the next time +you run Wireshark. + +Temporary rules can be added by selecting a packet and pressing the kbd:[Ctrl] +key together with one of the number keys. This will create a coloring rule based +on the currently selected conversation. It will try to create a conversation +filter based on TCP first, then UDP, then IP and at last Ethernet. Temporary +filters can also be created by selecting the menu:Colorize with Filter[Color X] +menu items when right-clicking in the packet detail pane. + +To permanently colorize packets, select menu:View[Coloring Rules...]. Wireshark +will display the “Coloring Rules” dialog box as shown in +<<ChCustColoringRulesDialog>>. + +[#ChCustColoringRulesDialog] +.The “Coloring Rules” dialog box +image::images/ws-coloring-rules-dialog.png[{screenshot-attrs}] + +If this is the first time using the Coloring Rules dialog and you’re using the +default configuration profile you should see the default rules, shown above. + +[NOTE] +.The first match wins +==== +More specific rules should usually be listed before more general rules. For +example, if you have a coloring rule for UDP before the one for DNS, the rule +for DNS may not be applied (DNS is typically carried over UDP and the UDP rule +will match first). +==== + +You can create a new rule by clicking on the btn:[+] button. You can delete +one or more rules by clicking the btn:[-] button. The “copy” button will +duplicate a rule. + +You can edit a rule by double-clicking on its name or filter. In +<<ChCustColoringRulesDialog>> the name of the rule “Checksum Errors” is being +edited. Clicking on the btn:[Foreground] and btn:[Background] buttons will +open a color chooser (<<ChCustChooseColorDialog>>) for the foreground (text) and +background colors respectively. + +[#ChCustChooseColorDialog] +.A color chooser +image::images/ws-choose-color-rule.png[{small-screenshot-attrs}] + +The color chooser appearance depends on your operating system. The macOS color +picker is shown. Select the color you desire for the selected packets and click +btn:[OK]. + +<<ChCustColorFilterMany>> shows an example of several color filters being used +in Wireshark. Note that the frame detail shows that the “Bad TCP” rule +was applied, along with the matching filter. + +[#ChCustColorFilterMany] +.Using color filters with Wireshark +image::images/ws-coloring-fields.png[{screenshot-attrs}] + + +[#ChCustProtocolDissectionSection] + +=== Control Protocol Dissection + +The user can control how protocols are dissected. + +Each protocol has its own dissector, so dissecting a complete packet will +typically involve several dissectors. As Wireshark tries to find the right +dissector for each packet (using static “routes” and heuristics “guessing”), +it might choose the wrong dissector in your specific case. For example, +Wireshark won’t know if you use a common protocol on an uncommon TCP port, e.g., +using HTTP on TCP port 800 instead of the standard port 80. + +There are two ways to control the relations between protocol dissectors: disable +a protocol dissector completely or temporarily divert the way Wireshark calls +the dissectors. + +[#ChAdvEnabledProtocols] + +==== The “Enabled Protocols” dialog box + +The Enabled Protocols dialog box lets you enable or disable specific protocols. +Most protocols are enabled by default. When a protocol is disabled, Wireshark +stops processing a packet whenever that protocol is encountered. + +[NOTE] +==== +Disabling a protocol will prevent information about higher-layer protocols from +being displayed. For example, suppose you disabled the IP protocol and selected +a packet containing Ethernet, IP, TCP, and HTTP information. The Ethernet +information would be displayed, but the IP, TCP and HTTP information would not - +disabling IP would prevent it and the higher-layer protocols from being displayed. +==== + +To enable or disable protocols select menu:Analyze[Enabled Protocols...]. +Wireshark will pop up the “Enabled Protocols” dialog box as shown in +<<ChAdvEnabledProtocolsFig>>. + +[#ChAdvEnabledProtocolsFig] +.The “Enabled Protocols” dialog box +image::images/ws-enabled-protocols.png[{screenshot-attrs}] + +To disable or enable a protocol, simply click the checkbox using the mouse. +Note that typing a few letters of the protocol name in the search box will limit +the list to those protocols that contain these letters. + +You can choose from the following actions: + +btn:[Enable All]:: Enable all protocols in the list. + +btn:[Disable All]:: Disable all protocols in the list. + +btn:[Invert]:: Toggle the state of all protocols in the list. + +btn:[OK]:: Save and apply the changes and close the dialog box, see <<AppFiles>> for details. + +btn:[Cancel]:: Cancel the changes and close the dialog box. + +[#ChAdvDecodeAs] + +==== User Specified Decodes + +The “Decode As” functionality lets you temporarily divert specific protocol +dissections. This might be useful for example, if you do some uncommon +experiments on your network. + +Decode As is accessed by selecting the menu:Analyze[Decode As...]. Wireshark +will pop up the “Decode As” dialog box as shown in <<ChAdvDecodeAsFig>>. + +[#ChAdvDecodeAsFig] +.The “Decode As” dialog box +image::images/ws-decode-as.png[{screenshot-attrs}] + +In this dialog you are able to edit entries by means of the edit buttons on the +left. + +You can also pop up this dialog box from the context menu in the packet list or +packet details. It will then contain a new line based on the currently selected +packet. + +These settings will be lost if you quit Wireshark or change profile unless you +save the entries. + +btn:[+]:: Add new entry for selected packet + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[Clear]:: Clear the list of user specified decodes. + +btn:[OK]:: Apply the user specified decodes and close the dialog box. + +btn:[Save]:: Save and apply the user specified decodes and close the dialog box. + +btn:[Cancel]:: Cancel the changes and close the dialog box. + +[#ChCustPreferencesSection] + +=== Preferences + +There are a large number of preferences you can set. Simply select the menu:Edit[Preferences...] (menu:Wireshark[Preferences...] on macOS) and Wireshark will pop up the Preferences dialog box as shown in <<ChCustGUIPrefPage>>, with the “Appearance” page as default. +On the left side is a tree where you can select the page to be shown. + +* The btn:[OK] button will apply the preferences settings and close the dialog. + +// Uncomment if bug 12566 is ever fixed. +// * The btn:[Apply] button will apply the preferences settings and keep the dialog open. + +* The btn:[Cancel] button will restore all preferences settings to the last saved state. + +==== Appearance + +These preferences give you the option to control the makeup of the GUI. + +[#ChCustGUIPrefPage] +.The preferences dialog box +image::images/ws-pref-appearance.png[{screenshot-attrs}] + +Selecting _Remember main window size and placement_ allow for a repeatable experience when restarting Wireshark. + +Selecting _Open files in_ allows you to determine where to start the file selection dialog when opening capture files. + +The preference _Show up to_ allows you to determine how much history is tracked for display filter entries and recent files shown in the main application window. + +Selecting _Confirm unsaved capture files_ causes a dialog to appear when closing a capture file when it was not yet saved. +This may help preventing inadvertent loss of data, eg., when Wireshark is closed. + +Selecting _Display autocompletion for filter text_ causes a drop down list to appear when you enter a display filter. +This drop down list contains known display filters for easy selection. + +The preference _Main toolbar style_ allows you to tailor the toolbar style in one of three ways. + +The Wireshark main window title is replaced by the name of the opened capture file. +The preferences _Window title_ and _Prepend window title_ allow you to add bracketed strings after and before the window title. +These window title strings can contain variables which will be replaced by their respective values. + +The following variables are available. + +* %C = Capture comment from command line +* %F = File path of the capture file +* %P = Currently selected profile name +* %S = Conditional separator (dash) that only shows when surrounded by variables with values or static text +* %V = Wireshark version info + +The _Language_ preference allows you to select the language used in the GUI. +Note that the protocol information and details are kept in the language commonly used in this field, that being English. + +==== Columns + +These preferences give you the option to control the definition of the columns shown in the packet list, once a capture file is loaded. + +.Column preferences +image::images/ws-pref-appearance-columns.png[{screenshot-attrs}] + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +Selecting _Show displayed columns only_ hides all non-displayed columns from the list, possibly making navigating the list easier. + +The rows can be dragged and dropped to arrange them in the desired order. + +The columns in the entries are as follows. + +Selecting _Displayed_ causes the column to be shown in the packet list. + +The _Title_ is the text shown in the header of the column in the packet list. + +The _Type_ is the type of value to be shown. This can be a predefined type, ie. a value in a defined format, or custom. + +The following settings are applicable when the _Type_ is set to "custom" + +The _Fields_ setting is the display filter name of the field to be shown in the column in the packet list. + +The _Field Occurrence_ setting is count of the given field in the frame, for fields that appear more than once in a frame. + +Selecting _Resolved_ causes name resolution to be applied to the field value, when available. + +==== Font and Colors + +These preferences give you the option to select the font and colors used in the various packet panes. +Most usable is to select a mono spaced font, which allows for a cleaner presentation, but using a proportional font is possible too. + +.Font and colors preferences +image::images/ws-pref-appearance-fonts-and-colors.png[{screenshot-attrs}] + +==== Layout + +These preferences allow you to define the layout of the GUI once a capture file is loaded. + +.Layout preferences +image::images/ws-pref-appearance-layout.png[{screenshot-attrs}] + +Make sure that you have at least one pane configured to contain the Packet list. +Three panes can be active at the same time and they can be laid out as shown in the top layer. +The exact sizes of these panes can be changed as needed once a capture file is opened. + +Selecting _Show packet list separator_ causes the packet list entries to be slightly set apart, which may improve readability at the cost of the amount of packets shown in the packet list. + +Selecting _Show column definition in column context menu_ make the column context menu wider to show the currently configured field type for the column. +This may help identify the column to select or modify. + +Selecting _Allow the list to be sorted_ enables the sort operator on all the columns. +This may prevent inadvertently triggering a sort, which may take considerable time for larger capture files. + +The _Maximum number of cached rows_ setting determines how much packet list information is cached to speed up sort operations, where a larger number causes more memory to be consumed by the cache. +Be aware that changing other dissection settings may invalidate the cache content. + +Selecting _Enable mouse-over colorization_ enables the highlighting of the currently pointed to packet in the packet list. +The currently selected packet is always highlighted. + +Selecting _Show selected packet number_ adds the selected packet number to the capture file details in the status bar, taking up some space in the status bar. + +Selecting _Show file load time_ adds the time it took to load the capture file to the status bar, taking up some space in the status bar. + +==== Capture + +These preferences allow you to set the default conditions for packet capture. + +.Capture preferences +image::images/ws-pref-capture.png[{screenshot-attrs}] + +The default interface is the interface used for packet capture in case no other is selected on the opening page of GUI. +Note that this can be multiple interfaces separated by a comma. + +Selecting _Capture packets in promiscuous mode_ causes the network interface(s) to capture on to be configured in promiscuous mode. +This allows all (Ethernet) frames to be received by the network interface to be capture, not only those that are addressed to the capture interface. + +Selecting _Capture packets in pcapng format_ causes the Next-Generation packet capture file format to be used when capturing. +This much more capable packet capture file format has many advantages over the original format, although not every external tool may be capable of handling packet captures in this format. + +Selecting _Update list of packets in real time_ causes the packet list to fill up and possibly scroll up during the packet capture process. +This does give an insight in the packets captured, although it takes processing power to dissect the capture packets. + +The preference _Interval between updates (ms)_ allows you to configure how often the packet list is updated during the packet capture process. +A higher interval reduces processing, but causes more delay between capture and display in the packet list. + +Selecting _Don't load interfaces on startup_ prevents Wireshark from spawning dumpcap to populate the list of capture interfaces on the local system. +This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue. +The interface list can always be populated after Wireshark is started via menu:Capture[Refresh Interfaces]. + +Selecting _Disable external capture interfaces_ prevents Wireshark from spawning extcap programs to list off their capture interfaces. +This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue. + +[#ChCustPrefsExpertSection] + +==== Expert Items + +These preferences allow you to modify the severity set for expert items. + +.Expert item preferences +image::images/ws-pref-expert.png[{screenshot-attrs}] + +If, for whatever reason, you find that the severity for certain expert items does not match your needs you can change them here and have them used as such, showing up in the appropriate lists and overviews. +Get the Field name from selecting the field in the packet details pane, then observe the name shown in the status bar. +This is the name you enter on a new line in the list, while setting the desired _Severity_ in the next column. + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[⌃]:: Move the selected entry up in the list. + +btn:[⌄]:: Move the selected entry down in the list. + +btn:[Clear]:: Clear the list of user specified expert item severities. + +btn:[Copy from]:: Copy the list of user specified expert item severities from another profile. + +[#ChCustFilterButtons] +==== Filter Buttons + +Having quick access to regularly used display filter expressions can be a real productivity boost. +Here you can define your own display filter buttons. + +.Filter buttons +image::images/ws-pref-filter-buttons.png[{screenshot-attrs}] + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[⌃]:: Move the selected entry up in the list. + +btn:[⌄]:: Move the selected entry down in the list. + +btn:[Clear]:: Clear the list of user specified display filter buttons. + +btn:[Copy from]:: Copy the list of user specified display filter buttons from another profile. + +The columns in the entries are as follows. + +Selecting _Show in toolbar_ causes the button to be shown in the toolbar besides the display filter text entry. + +The _Button Label_ is the text shown on the button in the toolbar. +The use of a double slash causes the button to create a dropdown list to allow grouping of multiple buttons, e.g. TCP//Syn and TCP//Res. + +The _Filter Expression_ is the <<ChWorkBuildDisplayFilterSection,display filter expression>> entered into the display filter text entry when the button is clicked. + +The _Comment_ is the comment text which appears in a bubble when the mouse hovers over the button. + +[#ChCustPrefsNameSection] + +==== Name Resolution + +These preferences allow you to configure which numeric identifiers in protocols are translated into human readable text. +For some of these identifiers the readable texts are read from configurable external sources. + +.Name resolution preferences +image::images/ws-pref-name-resolution.png[{screenshot-attrs}] + +Selecting _Resolve MAC addresses_ causes the OUI (Organizationally Unique Identifier) at the start of an Ethernet address to be translated into the name registered with the IEEE for that OUI. + +Selecting _Resolve transport names_ causes the UDP and TCP port numbers to be translated into the service registered to these ports by IANA. + +Selecting _Resolve network (IP) addresses_ causes IPv4, IPv6 and IPX addresses to be translated into their corresponding host name. +To do this Wireshark reaches out to DNS servers to request names for addresses it finds in packets. +There are several way to do this, which can be controlled through the following preferences. + +Selecting _Use captured DNS packet data for name resolution_ causes DNS response packets in the capture file to fill the network address resolution table. +These can then be used to resolve addresses found in the packets. + +Selecting _Use your system's DNS settings for name resolution_ causes DNS requests to be made as would be for other network applications. + +Selecting _Use a custom list of DNS servers for name resolution_ causes DNS requests to be made to manually configured DNS servers. + +The _DNS Servers_ btn:[Edit...] button provides access to the dialog to manage these manually configured DNS servers. + +The _Maximum concurrent requests_ input field allows you to limit the amount of DNS queries made at the same time. + +Selecting _Resolve VLAN IDs_ causes the file "vlans" to be read and used to name VLANs. +This file has the simple format of one line per VLAN, starting wit VLAN ID, a tab character, followed by the name of the VLAN. + +Selecting _Resolve SS7 PCs_ causes the file "ss7pcs" to be read and used to name SS7 Point Codes. +This file has the simple format of one line per Point Code, starting with Network Indicator, a dash, the Point Code in decimal, a tab character, followed by the name of the Point Code. + +Selecting _Enable OID resolution_ causes the SMI library to be initialized. +This library is capable of loading MIB/PIB files to provide name resolution for SMI objects, as present in SNMP packets. + +Selecting _Suppress SMI errors_ prevents the SMI library from emitting error messages while loading MIB/PIB files. +The SMI library is very sensitive to irregularities in these files often resulting in harmless error being emitted. + +The _SMI (MIB and PIB) paths_ btn:[Edit...] button provides access to the dialog to manage the directories where the MIB/PIB files to be loaded can be found. + +The _SMI (MIB and PIB) modules_ btn:[Edit...] button provides access to the dialog to manage the MIB/PIB modules to be loaded. + +Selecting _Enable IP geolocation_ causes the background MaxMind database IP geolocation resolver to be used to attempt to geolocate IP addresses in the packets. + +The _MaxMind database directories_ btn:[Edit...] button provides access to the dialog to manage the directories where the MaxMind database files can be found. See <<ChMaxMindDbPaths>>. + +[#ChCustPrefsProtocolsSection] + +==== Protocols + +Wireshark supports quite a few protocols, which is reflected in the long list of child entries of the “Protocols” pane. +You can jump to the preferences for a specific protocol by expanding “Protocols” and typing the first few letters of the protocol name. + +.Protocol preferences +image::images/ws-pref-protocols.png[{screenshot-attrs}] + +There are a few general protocol related preferences, listed below. + +Selecting _Display hidden protocol items_ influences what is shown in the packet details pane of the packet selected from the packet list. +Some protocol dissectors add hidden protocol items that provide additional interpretations of the packet data, or with different display filter strings. +These may or may not provide valuable information to the user and may clutter the output, therefor these items can be hidden. + +Selecting _Display byte fields with a space character between bytes_ influences the way a byte field in shown in the packet details pane of the packet selected in the packet list, if the dissector creates a byte field that is. +The bytes in the byte field are normally shown as a concatenated sequence of hexadecimals. +This preference allows you to get the representation of each byte separated by a space. +This may improve readability of the individual bytes in the byte field. + +Selecting _Look for incomplete dissectors_ causes expert items to be added to the dissection of packet data for which the dissector does not create an interpretation. +Dissectors should strive to not skip packet bytes and this preference allows you to be made aware of this. + +Selecting _Enable stricter conversation tracking heuristics_ allows dissectors to take more identifiers into consideration when creating "conversations". +These are used to track related packets. +The heuristics for these conversations are sensitive to mis-identification of packets, possibly corrupting conversation analysis. +Adding more identifiers can reduce the change of this happening. +Currently only the IPv4, ICMP and ICMPv6 dissector use this preference. + +Selecting _Ignore duplicate frames_ causes a duplicate frame to appear in the packet list, but flagged as ignored, hence not dissected. +The determination of a duplicate frame is made based on the SHA256 hash of the bytes in the frame. + +The preference _Deinterlacing conversations key_ gives you options for deinterlacing the conversations. While _NONE_ keeps the historical behaviour, the other options +are built on three keys with the following meanings: _V_ (VLAN), _M_ (Mac Address), _I_ (Interface). Packets which seem identical because they have the +same payload but have a different value for their VLAN Tag, a MAC Address, or were captured on different interfaces, will then be part of different conversations +if the respective deinterlacing key is activated. + +The preference _The max number of hashes to keep in memory for determining duplicate frames_ allows you to set how large the set of frames to consider for duplication is. + +[#ChCustPrefsRSASection] + +==== RSA Keys + +For more information see {wireshark-wiki-url}TLS. + +.RSA keys +image::images/ws-pref-rsa-keys.png[{screenshot-attrs}] + +==== Statistics + +These preference have influence on the Statistics Tree (stats_tree) based dialogs accessible via the _Statistics_ menu. + +.Statistics preferences +image::images/ws-pref-statistics.png[{screenshot-attrs}] + +The preference _Tap update interval in ms_ allows you to set how quickly protocol taps are being updated, partially determining the update speed of various dialogs and graphs. + +Selecting _Enable the calculation of burst information_ allows the Statistics Tree system to calculate burst information. + +Selecting _Show burst count for item rather than rate_ allows the statistics nodes to show the count of events within the burst window instead of a burst rate. +Burst rate is calculated as number of events within burst window divided by the burst window length. + +The preference _Burst rate resolution (ms)_ sets the duration of the time interval into which events are grouped when calculating the burst rate. +Setting a higher resolution (ie., a smaller number) increases processing overhead. + +The preference _Burst rate window size (ms)_ sets the duration of the sliding window during which the burst rate is measured. +Longer window relative to burst rate resolution increases processing overhead. +This value will be truncated to a multiple of the _Burst rate resolution_ preference setting. + +The preference _Default sort column for stats_tree stats_ gives you to option to select one of the columns to sort on. + +Selecting _Default stats_tree sort order is descending_ causes a descending sort order based on the previously selected column. + +Selecting _Case sensitive sort of stats_tree item names_ causes a case sensitive sort based on the previous selected order and column. + +Selecting _Always sort 'range' nodes by name_ causes the sort to take place by name rather than values. + +Selecting _Always sort 'range' nodes in ascending order_ makes an exception for range nodes to the previously selected sort order. + +Selecting _Display the full stats_tree plug-in name_ causes the full menu path of the Statistics Tree plugin to be shown in the title. + +==== Advanced + +The “Advanced” pane will let you view and edit all of Wireshark’s preferences, similar to link:about:config[] and link:chrome:flags[] in the Firefox and Chrome web browsers. + +.Advanced preferences +image::images/ws-pref-advanced.png[{screenshot-attrs}] + +You can search for a preference by typing text into the “Search” entry. +You can also pass preference names to Wireshark and TShark on the command line. +For example, the __gui.prepend_window_title__ can be used to differentiate between different instances of Wireshark on your screen: + +[source,sh] +---- +$ wireshark -o "gui.prepend_window_title:LAN" & +$ wireshark -o "gui.prepend_window_title:External Network" & +---- + +[#ChCustConfigProfilesSection] + +=== Configuration Profiles + +Configuration Profiles can be used to configure and use more than one set of +preferences and configurations. Select the menu:Edit[Configuration Profiles...] menu item +or press kbd:[Shift+Ctrl+A] or kbd:[Shift+Cmd+A] (macOS) and Wireshark will pop up +the Configuration Profiles dialog box as shown in +<<ChCustGUIConfigProfilesPage>>. It is also possible to click in the “Profile” +part of the statusbar to popup a menu with available Configuration Profiles +(<<ChUseWiresharkStatusbarProfile>>). + +Configuration files stored in each profile include: + +* Preferences (preferences) (<<ChCustPreferencesSection>>) + +* Capture Filters (cfilters) (<<ChWorkDefineFilterSection>>) + +* Display Filters (dfilters) (<<ChWorkDefineFilterSection>>) + +* Display Filter Macros (dmacros) (<<ChWorkDefineFilterMacrosSection>>) + +* Coloring Rules (colorfilters) (<<ChCustColorizationSection>>) + +* Disabled Protocols (disabled_protos) (<<ChAdvEnabledProtocols>>) + +* Most User Accessible Tables (<<ChUserTable>>) + +* Changed dissector assignments (__decode_as_entries__), which can be set in the “Decode + As...” dialog box (<<ChAdvDecodeAs>>). + +* Some recent settings (recent), such as pane sizes in the Main window + (<<ChUseMainWindowSection>>), column widths in the packet list + (<<ChUsePacketListPaneSection>>), all selections in the menu:View[] menu + (<<ChUseViewMenuSection>>) and the last directory navigated to in the “File + Open” dialog. + +All other configurations are stored in the personal configuration folder and +are common to all profiles. + +[#ChCustGUIConfigProfilesPage] +.The configuration profiles dialog box +image::images/ws-gui-config-profiles.png[{medium-screenshot-attrs}] + +Search for profile ...:: +The list of profiles can be filtered by entering part of the profile's name +into the search box. + +Type selection:: +Profiles can be filtered between displaying "All profiles", "Personal profiles" +and "Global profiles" +* Personal profiles - these are profiles stored in the user's configuration directory +* Global profiles - these are profiles provided with Wireshark + +New (+):: +Create a new profile. The name of the created profile is “New profile” +and is highlighted so that you can more easily change it. + +Delete (-):: +Deletes the selected profile. This includes all configuration files used +in this profile. Multiple profiles can be selected and deleted at the same time. +It is not possible to delete the “Default” profile or global profiles. +Deletion of the "Default" profile will reset this profile. + +Copy:: +Copies the selected profile. This copies the configuration of the +profile currently selected in the list. The name of the created profile +is the same as the copied profile, with the text “(copy)” and is +highlighted so that you can more easily change it. + +Auto switch packet limit:: +The number of packets to check for automatic profile switching, described below. +Setting this to zero disables automatic profile switching. + +btn:[Import]:: +Profiles can be imported from zip-archives as well as directly from directory +structures. Profiles, which already exist by name will be skipped, as well as +profiles named "Default". + +btn:[Export]:: +Profiles can be exported to a zip-archive. Global profiles, as well as the default +profile will be skipped during export. Profiles can be selected in the list individually +and only the selected profiles will be exported + +btn:[OK]:: +This button saves all changes, applies the selected profile and closes the +dialog. + +btn:[Cancel]:: +Close this dialog. This will discard unsaved settings, new profiles will not be +added and deleted profiles will not be deleted. + +btn:[Help]:: +Show this help page. + +==== Automatic Profile Switching + +You can configure Wireshark to automatically change configuration profiles by adding a display filter to the "Auto Switch Filter" setting for a profile. +When you open a capture file, Wireshark will check each filter against a limited number of packets and will switch to the first profile with a matching filter. +The number of packets is determined by the "Auto switch packet limit" setting, and a limit of 0 will disable this feature. +Manually changing your profile will disable this behavior until you open a different capture file. + +[#ChUserTable] + +=== User Accessible Tables + +User Accessible Tables are a type of preference table which may be +associated with particular <<ChCustPrefsProtocolsSection,protocols>> or +with the application as a whole. + +User Accessible Tables have a common editor dialog which works as described +in <<ChCustPrefsExpertSection>> and <<ChCustFilterButtons>>. Note that +the name of the file appears in the lower right corner of the dialog. + +The files are saved in a CSV format, where values are either double quoted +ASCII strings (using C-style backslash escapes for non-printable characters) +or unquoted hexstrings, depending on the field type. They can be edited directly +when Wireshark is not running, though this is discouraged. Entries can +also be appended to the table by passing an appropriate CSV formatted +record string <<ChCustCommandLine,on the command line>>. + +// There's a number of newer dissector UATs that aren't mentioned here +// and could use help sections. + +Most UATs are stored in the +<<ChCustConfigProfilesSection,configuration profile>>: + +-- +* Custom HTTP headers (custom_http_header_fields) + +* Custom IMF headers (imf_header_fields) + +* Custom LDAP AttributeValue types (custom_ldap_attribute_types) + +* <<ChCustFilterButtons,Display Filter Buttons>> (dfilter_buttons) + +* <<ChWorkDefineFilterMacrosSection,Display Filter Macros>> (dfilter_macros), prior to Wireshark 4.4 + +* <<ChCustPrefsNameSection,DNS Servers>> (addr_resolve_dns_servers) + +* <<ChEssCategoryAttributes,ESS Category Attributes>> (ess_category_attributes) + +* <<ChCustPrefsExpertSection,Expert Item Severity>> (expert_severity) + +* <<Ch80211Keys,IEEE 802.11 WLAN Decryption Keys>> (80211_keys) + +* <<ChIKEv2DecryptionSection,IKEv2 decryption table>> (ikev2_decryption_table) + +* <<ChStatIOGraphs,I/O Graphs>> (io_graphs) + +* <<ChK12ProtocolsSection,K12 Protocols>> (k12_protos) + +* <<ChObjectIdentifiers,Object Identifier Names and Associated Syntaxes>> () + +* <<ChStatPacketLengths,Packet Lengths>> (packet_lengths) + +* <<ChPresContextList,PRES Users Context List>> (pres_context_list) + +* <<ChSccpUsers,SCCP Users Table>> (sccp_users) + +* <<ChSNMPEnterpriseSpecificTrapTypes,SNMP Enterprise Specific Trap Types>> (snmp_specific_traps) + +* <<ChSNMPUsersSection,SNMP Users>> (snmp_users) + +* <<ChUserDLTsSection,User DLTs Table>> (user_dlts) + +* <<ChProtobufSearchPaths,Protobuf Search Paths>> (protobuf_search_paths) + +* <<ChProtobufUDPMessageTypes,Protobuf UDP Message Types>> (protobuf_udp_message_types) +-- + +Other UATs are stored in the personal configuration directory and are +common to all profiles: + +-- +* <<ChMaxMindDbPaths,MaxMind Database Paths>> (maxmind_db_paths) + +* <<ChCustPrefsRSASection,RSA Private Keys>> (rsa_keys) and <<ChCustPrefsRSASection,PKCS #11 Provider Libraries>> (pkcs11_libs) + +* <<ChCustPrefsNameSection,SMI Modules>> (smi_modules) and <<ChCustPrefsNameSection,SMI Paths>> (smi_paths) +-- + +[#ChEssCategoryAttributes] + +=== ESS Category Attributes + +Wireshark uses this table to map ESS Security Category attributes to textual representations. The values to put in this table are usually found in an http://www.xmlspif.org/[XML SPIF], which is used for defining security labels. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Tag Set:: +An Object Identifier representing the Category Tag Set. + +Value:: +The value (Label And Cert Value) representing the Category. + +Name:: +The textual representation for the value. + +[#ChMaxMindDbPaths] + +=== MaxMind Database Paths + +If your copy of Wireshark supports https://www.maxmind.com/[MaxMind’s] MaxMindDB library, you can use their databases to match IP addresses to countries, cites, autonomous system numbers, and other bits of information. +Some databases are https://dev.maxmind.com/geoip/geoip2/geolite2/[available at no cost for registered users], while others require a licensing fee. +See https://www.maxmind.com/[the MaxMind web site] for more information. + +The configuration for the MaxMind database is a user table, as described +in <<ChUserTable>>, with the following fields: + +Database pathname:: +This specifies a directory containing MaxMind data files. Any files +ending with _.mmdb_ will be automatically loaded. + +By default Wireshark will always search for data files in +`/usr/share/GeoIP` and `/var/lib/GeoIP` on non-Windows platforms +and in `C:\ProgramData\GeoIP` and `C:\GeoIP` on Windows. You can +put any additional search paths here, e.g. `C:\Program Files\Wireshark\GeoIP` +might be a good choice on Windows. + +[NOTE] +==== +While the default search paths are not listed in the user table, they +are in the list viewable by opening menu:Help[About Wireshark] and +selecting the "Folders" tab. +==== + +[#ChGeoIPDbPaths] + +Previous versions of Wireshark supported MaxMind's original GeoIP Legacy +database format. They were configured similar to MaxMindDB files above, +except GeoIP files must begin with _Geo_ and end with _.dat_. They are +no longer supported and MaxMind stopped distributing GeoLite Legacy +databases in April 2018. + +[#Ch80211Keys] + +=== IEEE 802.11 WLAN Decryption Keys + +Wireshark can decrypt WEP and WPA/WPA2/WPA3 in pre-shared (or personal) mode, +as well as in enterprise mode. Security improvements in more recent 802.11 +releases require distinct session keys, instead of being able to decipher +all traffic to a given access point with a single known password and SSID. + +You can add decryption keys using Wireshark's IEEE 802.11 preferences. +Up to 64 keys are supported. + +==== Adding Keys + +Go to menu:Edit[Preferences >Protocols >IEEE 802.11], or, from the pop-up menu +in the "Packet List" or "Packet Details" pane from a frame that contains IEEE +802.11, menu:Protocol Preferences[IEEE 802.11 wireless LAN]. +You should see a window that looks like this: + +."IEEE 802.11 wireless LAN" preferences +image::images/ws-wireless-ieee-80211-pref.png[{screenshot-attrs}] + +Click on the "Edit..." button next to "Decryption Keys" to add keys. +You should see a window that looks like this: + +.802.11 Decryption Key Types +image::images/ws-wireless-key-type.png[{screenshot-attrs}] + +When you click the **+** button to add a new key, there are five key types you +can choose from: **wep**, **wpa-pwd**, **wpa-psk**, **tk**, or **msk**. +The correct key type(s) depend on the Cipher Suite and Authentication and +Key Management Suite (AKMS) used to encrypt the wireless traffic. + +wep:: The key must be provided as a string of hexadecimal numbers, with or +without colons, and will be parsed as a WEP key. WEP keys can be 40-bit +(5 bytes, or 10 hexadecimal characters), 104-bit, or occasionally 128-bit: + + a1:b2:c3:d4:e5 + + 0102030405060708090a0b0c0d + +wpa-pwd:: The password and SSID are used to create a raw pre-shared WPA key. +The password can be between 8 and 63 characters, and the SSID can be up to +32 bytes. (Typically both are printable ASCII, but that is not a hard +limitation of the specification, only a recommendation.) + + MyPassword:MySSID + +You can optionally omit the colon and SSID, and Wireshark will try to decrypt +packets using the last-seen SSID. This may not work for captures taken in busy +environments, since the last-seen SSID may not be correct. + + MyPassword + +[NOTE] +==== +The WPA passphrase and SSID let you encode non-printable or otherwise troublesome +characters using URI-style percent escapes, e.g., `%20` for a space. As a result +you have to escape the percent characters themselves using `%25`. You also *must* +escape colons in the passphrase or SSID themselves as `%3a`, in order to +distinguish them from a colon as a separator between the passphrase and SSID. +==== + +[WARNING] +==== +The WPA pass-phrase and SSID method is for WPA/WPA2-Personal only. It will +not work for WPA3-Personal, which uses SAE (Simultaneous Authentication of +Equals), nor for the Enterprise / 802.1X / EAP modes. +==== + +wpa-psk:: The key must be provided as a hexadecimal string, and is parsed as a +PSK (Pre-Shared Key) or PMK (Pairwise Master Key). For WPA/WPA2-Personal, +the PSK and the PMK are identical, and directly derived from the passphrase +and SSID above. The keys can be 256 bits (32 bytes, 64 hex characters) or +384 bits (48 bytes, 96 hex characters). + + 0102030405060708091011...6061626364 + +tk:: The key must be provided as a hexadecimal string, and is parsed as a +PTK (Pairwise Transient Key) or GTK (Group Temporal Key). The keys can +be 16 or 32 bytes (128 or 256 bits), depending on the cipher suite used. +(5 and 13 byte WEP TKs are not yet supported.) + +msk:: The key must be provided as a hexadecimal string, and is parsed as +a MSK (Master Session Key). This is used for FT-EAP (IEEE 802.11r +Fast BSS Transition with EAP authentication). The key can be 64 or 128 +bytes. + +.802.11 Decryption Key Examples +image::images/ws-wireless-key-examples.png[{screenshot-attrs}] + +//// +AirPcap was discontinued so this sections from the Wiki isn't relevant for many people currently +==== Adding Keys: Wireless Toolbar + +If you are using the Windows version of Wireshark and you have an [AirPcap](/AirPcap) adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting *View-\>Wireless Toolbar*. Click on the *Decryption Keys...* button on the toolbar: + + + +This will open the decryption key management window. As shown in the window you can select between three decryption modes: **None**, **Wireshark**, and **Driver**: + + + +Selecting **None** disables decryption. Selecting **Wireshark** uses Wireshark's built-in decryption features. **Driver** will pass the keys on to the [AirPcap](/AirPcap) adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys. +//// + +==== Gotchas + +Along with decryption keys there are other preference settings that affect decryption. + + - Make sure *Enable decryption* is selected. + + - You may have to toggle *Assume Packets Have FCS* and *Ignore the Protection bit* depending on how your 802.11 driver delivers frames. + +===== Capturing the 4-way Handshake + +WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless **all four** handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter **eapol** to locate EAPOL packets in your capture. + +In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need to do this for all machines whose traffic you want to see. + +If a TK is provided as a key, then the EAPOL 4-way handshake is not necessary, +as the TK is what the handshake derives. However, all available TKs will be +tried agi + +===== Too Many Associations + +WPA and WPA2 use individual keys for each device. Wireshark is able to handle +up to 256 active associations, which should be enough in most circumstances. +Nevertheless, if a capture has too many devices and too many associations, then +while the packet list may show all packets decoded on the first pass, randomly +accessing different packets in the packet details will result in some packets +failing to be properly deciphered. + +Filtering out only the relevant packets (e.g. with "wlan.addr") and saving into +a new file should get decryption working in all cases, though it may require +editing keys in the preferences or restarting Wireshark in order to free used +associations. For the same reason, it is possible to be able to decode packets +in a capture file without any EAPOL packets in it, as long as Wireshark did see +the handshake for this communication in another capture without being +restarted or editing keys. This can sometimes lead to exporting selected +packets to a new file, opening that file and decoding seeming to work, but +then decoding suddenly fail on the new file after Wireshark is restarted or keys +are edited. If decoding suddenly stops working on a capture make sure the needed +EAPOL packets are still in it. + +===== WPA/WPA2 Enterprise/Rekeys + +As long as you can somehow extract the PMK from either the client or the Radius +Server and configure the key (as PSK) all supported Wireshark versions will decode +the traffic just fine up to the first EAPOL rekey. + +EAPoL rekey is often enabled for WPA/WPA2 enterprise and will change the used +encryption key similar to the procedure for the initial connect, but it can also +be configured and used for pre-shared (personal) mode. + +Decrypting IEEE 802.11r Fast BSS Transition roaming requires capturing +reassociation frames for similar reasons, and is supported by recent +Wireshark versions. + +===== WPA3 Per-Connection Decryption + +In WPA3, a different PMK is used for each connection in order to achieve forward +secrecy. Capturing the 4-way handshake and knowing the network password is not +enough to decrypt packets; you must obtain the PMK from either the client or +access point (typically by enabling logging in `wpa_supplicant` or `hostapd` +with the `-d -K` flags) and use this as the decryption key in Wireshark. Even +then, the decryption will only work for packets between that client and access +point, not for all devices on that network. + +===== TKs and Performance + +The TKs are the actual transient keys used to encrypt packets, which are derived +during the handshake. If known, they can decrypt packets without having the +handshake packets in a capture. However, having TKs as encryption keys in the +table will affect IEEE 802.11 dissector performance as each encrypted +packet will be tested against every TK until decryption is successful. +If the table is configured with many TKs, none of which match any +encrypted frame in the capture, performance can be slow. + +Once a match is found, an association is formed similar to in the usual +method and decryption of other frames with the same key should be on +par with normal decryption flow. Thus, if most frames in the capture +match TKs (or other keys), and only a limited number of TKs are configured, +the performance impact is slight. + +[#ChIKEv2DecryptionSection] + +=== IKEv2 decryption table + +Wireshark can decrypt Encrypted Payloads of IKEv2 (Internet Key Exchange version +2) packets if necessary information is provided. Note that you can decrypt only +IKEv2 packets with this feature. If you want to decrypt IKEv1 packets or ESP +packets, use Log Filename setting under ISAKMP protocol preference or settings +under ESP protocol preference respectively. + +This is handled by a user table, as described in <<ChUserTable>>, +with the following fields: + +Initiator’s SPI:: +Initiator’s SPI of the IKE_SA. This field takes hexadecimal string without +“0x” prefix and the length must be 16 hex chars (represents 8 octets). + +Responder’s SPI:: +Responder’s SPI of the IKE_SA. This field takes hexadecimal string without +“0x” prefix and the length must be 16 hex chars (represents 8 octets). + +SK_ei:: +Key used to encrypt/decrypt IKEv2 packets from initiator to responder. This +field takes hexadecimal string without “0x” prefix and its length must meet +the requirement of the encryption algorithm selected. + + +SK_er:: +Key used to encrypt/decrypt IKEv2 packets from responder to initiator. This +field takes hexadecimal string without “0x” prefix and its length must meet +the requirement of the encryption algorithm selected. + +Encryption Algorithm:: +Encryption algorithm of the IKE_SA. + +$$SK_ai$$:: +Key used to calculate Integrity Checksum Data for IKEv2 packets from responder +to initiator. This field takes hexadecimal string without “0x” prefix and its +length must meet the requirement of the integrity algorithm selected. + +$$SK_ar$$:: +Key used to calculate Integrity Checksum Data for IKEv2 packets from initiator +to responder. This field takes hexadecimal string without “0x” prefix and its +length must meet the requirement of the integrity algorithm selected. + +Integrity Algorithm:: +Integrity algorithm of the IKE_SA. + +[#ChObjectIdentifiers] + +=== Object Identifiers + +// This table appears under the BER dissector, perhaps it should be moved +// to the "Name Resolution" preference section? + +Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify +certain pieces of information. In many cases, they are used in an extension +mechanism so that new object identifiers (and associated values) may be defined +without needing to change the base standard. + +While Wireshark has knowledge about many of the OIDs and the syntax of their +associated values, the extensibility means that other values may be encountered. + +Wireshark uses this table to allow the user to define the name and syntax of +Object Identifiers that Wireshark does not know about (for example, a privately +defined X.400 extension). It also allows the user to override the name and +syntax of Object Identifiers that Wireshark does know about (e.g., changing the +name “id-at-countryName” to just “c”). + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +OID:: +The string representation of the Object Identifier e.g., “2.5.4.6”. + +Name:: +The name that should be displayed by Wireshark when the Object Identifier is +dissected e.g., (“c”); + +Syntax:: +The syntax of the value associated with the Object Identifier. This must be one +of the syntaxes that Wireshark already knows about (e.g., “PrintableString”). + +[#ChPresContextList] + +=== PRES Users Context List + +Wireshark uses this table to map a presentation context identifier to a given +object identifier when the capture does not contain a PRES package with a +presentation context definition list for the conversation. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Context Id:: +An Integer representing the presentation context identifier for which this +association is valid. + +Syntax Name OID:: +The object identifier representing the abstract syntax name, which defines the +protocol that is carried over this association. + +[#ChSccpUsers] + +=== SCCP users Table + +Wireshark uses this table to map specific protocols to a certain DPC/SSN +combination for SCCP. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Network Indicator:: +An Integer representing the network indicator for which this association is +valid. + +Called DPCs:: +A range of integers representing the dpcs for which this association is valid. + +Called SSNs:: +A range of integers representing the ssns for which this association is valid. + +User protocol:: +The protocol that is carried over this association + +[#ChSNMPSMIModules] + +=== SMI (MIB and PIB) Modules + +If your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB +modules here. The COPS and SNMP dissectors can use them to resolve OIDs. + +Module name:: +The name of the module, e.g., IF-MIB. + +[#ChSNMPSMIPaths] + +=== SMI (MIB and PIB) Paths + +If your copy of Wireshark supports libSMI, you can specify one or more paths to +MIB and PIB modules here. + +Directory name:: +A module directory, e.g., `/usr/local/snmp/mibs`. Wireshark automatically uses +the standard SMI path for your system, so you usually don’t have to add anything +here. + +[#ChSNMPEnterpriseSpecificTrapTypes] + +=== SNMP Enterprise Specific Trap Types + +Wireshark uses this table to map specific-trap values to user defined +descriptions in a Trap PDU. The description is shown in the packet details +specific-trap element. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Enterprise OID:: +The object identifier representing the object generating the trap. + + +Trap Id:: +An Integer representing the specific-trap code. + + +Description:: +The description to show in the packet details. + +[#ChSNMPUsersSection] + +=== SNMP users Table + +Wireshark uses this table to verify authentication and to decrypt encrypted +SNMPv3 packets. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Engine ID:: +If given this entry will be used only for packets whose engine id is this. This +field takes a hexadecimal string in the form 0102030405. + +Username:: +This is the userName. When a single user has more than one password for +different SNMP-engines the first entry to match both is taken, if you need a +catch all engine-id (empty) that entry should be the last one. + +Authentication model:: +Which auth model to use (either “MD5”, “SHA1”, "SHA2-224", "SHA2-256", "SHA2-384" or "SHA2-512"). + +Password:: +The authentication password. Use _\xDD_ for unprintable characters. A +hexadecimal password must be entered as a sequence of _\xDD_ characters. For +example, the hex password 010203040506 must be entered as +_\x01\x02\x03\x04\x05\x06_. The _\_ character must be treated as an unprintable +character, i.e., it must be entered as _\x5C_ or _\x5c_. + +Privacy protocol:: +Which encryption algorithm to use (either “DES”, “AES”, "AES192" or "AES256"). + +Privacy password:: +The privacy password. Use _\xDD_ for unprintable characters. A hexadecimal +password must be entered as a sequence of _\xDD_ characters. For example, the hex +password 010203040506 must be entered as _\x01\x02\x03\x04\x05\x06_. The _\_ +character must be treated as an unprintable character, i.e., it must be entered +as _\x5C_ or _\x5c_. + +Key expansion method:: +Which method to use to expand the key when the generated key provides too few bytes +for the selected encryption method (either based on "draft-reeder-snmpv3-usm-3desede-00" or +as implemented in AGENT++). + +[#ChK12ProtocolsSection] + +=== Tektronix K12xx/15 RF5 protocols Table + +The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the +various protocols that are used by a certain interface. Wireshark doesn’t read +these stk files, it uses a table that helps it identify which lowest layer +protocol to use. + +Stk file to protocol matching is handled by a user table, as described +in <<ChUserTable>>, with the following fields: + +Match string:: +A partial match for an stk filename, the first match wins, so if you have a +specific case and a general one the specific one must appear first in the list. + +Protocol:: +This is the name of the encapsulating protocol (the lowest layer in the packet +data) it can be either just the name of the protocol (e.g., mtp2, eth_withoutfcs, +sscf-nni ) or the name of the encapsulation protocol and the “application” +protocol over it separated by a colon (e.g., sscop:sscf-nni, sscop:alcap, +sscop:nbap, ...) + +[#ChUserDLTsSection] + +=== User DLTs dissector table + +When a pcap file uses one of the user DLTs (147 to 162) Wireshark uses this +table to know which dissector(s) to use for each user DLT. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +DLT:: +One of the user dlts. + +Payload dissector:: +This is the name of the payload dissector (the lowest layer in the packet data). +(e.g., “eth_withfcs, "eth_withoutfcs”, and "eth_maybefcs" respectively for Ethernet frames that do, do not, or might possibly include the FCS at the end, “ip” for trying IPv4 then IPv6) + +Header size:: +If there is a header (before the payload) this tells which +size this header is. A value of 0 disables the header dissector. + +Header dissector:: +The name of the header dissector to be used (uses “data” as default). + +Trailer size:: +If there is a trailer (after the payload) this tells which +size this trailer is. A value of 0 disables the trailer dissector. + +Trailer dissector:: +The name of the trailer dissector to be used (uses “data” as default). + +[#ChProtobufSearchPaths] + +=== Protobuf Search Paths + +The +https://developers.google.com/protocol-buffers/docs/encoding[binary wire format] +of Protocol Buffers (Protobuf) messages are not self-described protocol. For +example, the `varint` wire type in protobuf packet may be converted to int32, int64, +uint32, uint64, sint32, sint64, bool or enum field types of +https://developers.google.com/protocol-buffers/docs/proto3[protocol buffers language]. +Wireshark should be configured with Protocol Buffers language files (*.proto) to +enable proper dissection of protobuf data (which may be payload of +https://grpc.io/[gRPC]) based on the message, enum and field definitions. + +You can specify protobuf search paths at the Protobuf protocol preferences. +For example, if you defined a proto file with path `d:/my_proto_files/helloworld.proto` +and the `helloworld.proto` contains a line of `import "google/protobuf/any.proto";` +because the `any` type of official protobuf library is used. And the real path of +`any.proto` is `d:/protobuf-3.4.1/include/google/protobuf/any.proto`. You should +add the `d:/protobuf-3.4.1/include/` and `d:/my_proto_files` paths into protobuf +search paths. + +The configuration for the protobuf search paths is a user table, as described +in <<ChUserTable>>, with the following fields: + +Protobuf source directory:: +This specifies a directory containing protobuf source files. For example, +`d:/protobuf-3.4.1/include/` and `d:/my_proto_files` in Windows, or +`/usr/include/` and `/home/alice/my_proto_files` in Linux/UNIX. + +Load all files:: +If this option is enabled, Wireshark will load all *.proto files in this directory +and its subdirectories when Wireshark startup or protobuf search paths preferences +changed. Note that the source directories that configured to protobuf official or third +libraries path (like `d:/protobuf-3.4.1/include/`) should not be set to load all +files, that may cause unnecessary memory use. + +[#ChProtobufUDPMessageTypes] + +=== Protobuf UDP Message Types + +If the payload of UDP on certain ports is Protobuf encoding, Wireshark use this table +to know which Protobuf message type should be used to parsing the data on the specified +UDP port(s). + +The configuration for UDP Port(s) to Protobuf message type maps is a user table, as +described in <<ChUserTable>>, with the following fields: + +UDP Ports:: +The range of UDP ports. The format may be "8000" or "8000,8008-8088,9080". + +Message Type:: +The Protobuf message type as which the data on the specified udp port(s) should be parsed. +The message type is allowed to be empty, that means let Protobuf to dissect the data on +specified UDP ports as normal wire type without precise definitions. + +Tips: You can create your own dissector to call Protobuf dissector. If your dissector is +written in C language, you can pass the message type to Protobuf dissector by `data` +parameter of call_dissector_with_data() function. If your dissector is written in Lua, you +can pass the message type to Protobuf dissector by `pinfo.private["pb_msg_type"]`. The format +of `data` and `pinfo.private["pb_msg_type"]` is + +---- + "message," message_type_name +---- + +For example: + +---- + message,helloworld.HelloRequest +---- + +the `helloworld` is package name, `HelloRequest` is message type. + +// End of WSUG Chapter Customizing diff --git a/doc/wsug_src/wsug_files.adoc b/doc/wsug_src/wsug_files.adoc new file mode 100644 index 00000000..7819d484 --- /dev/null +++ b/doc/wsug_src/wsug_files.adoc @@ -0,0 +1,702 @@ +// WSUG Appendix Files + +[#AppFiles] + +[appendix] +== Files and Folders + +[#ChAppFilesCaptureFilesSection] + +=== Capture Files + +To understand which information will remain available after the captured packets +are saved to a capture file, it’s helpful to know a bit about the capture file +contents. + +Wireshark uses the +link:https://github.com/pcapng/pcapng[pcapng] file +format as the default format to save captured packets. It is very flexible +but other tools may not support it. + +Wireshark also supports the +{wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap] file +format. This is a much simpler format and is well established. However, it has +some drawbacks: it’s not extensible and lacks some information that would be +really helpful (e.g., being able to add a comment to a packet such as “the +problems start here” would be really nice). + +In addition to the libpcap format, Wireshark supports several different capture +file formats. However, the problems described above also applies for these +formats. + +[#ChIOFileContentSection] + +==== Libpcap File Contents + +At the start of each libpcap capture file some basic information is stored like +a magic number to identify the libpcap file format. The most interesting +information of this file start is the link layer type (Ethernet, 802.11, +MPLS, etc.). + +The following data is saved for each packet: + +* The timestamp with millisecond resolution + +* The packet length as it was “on the wire” + +* The packet length as it’s saved in the file + +* The packet’s raw bytes + +A detailed description of the libpcap file format can be found at +{wireshark-wiki-url}Development/LibpcapFileFormat + +[#ChIOFileNotContentSection] + +==== Not Saved in the Capture File + +You should also know the things that are _not saved_ in capture files: + +* Current selections (selected packet, ...) + +* Name resolution information. See <<ChAdvNameResolutionSection>> for details ++ +-- +Pcapng files can optionally save name resolution information. Libpcap files +can’t. Other file formats have varying levels of support. +-- + +* The number of packets dropped while capturing + +* Packet marks set with “Edit/Mark Packet” + +* Time references set with “Edit/Time Reference” + +* The current display filter + +[#ChConfigurationPluginFolders] + +=== Configuration File and Plugin Folders + +To match the different policies for Unix-like systems and Windows, and +different policies used on different Unix-like systems, the folders +containing configuration files and plugins are different on different +platforms. We indicate the location of the top-level folders under +which configuration files and plugins are stored here, giving them +placeholder names independent of their actual location, and use those +names later when giving the location of the folders for configuration +files and plugins. + +[TIP] +==== +A list of the folders Wireshark actually uses can be found under the _Folders_ +tab in the dialog box shown when you select _About Wireshark_ from the _Help_ +menu. +==== + +==== Folders on Windows + +_%APPDATA%_ is the personal application data folder, e.g.: +_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_ (details can be +found at: <<ChWindowsProfiles>>). + +_WIRESHARK_ is the Wireshark program folder, e.g.: _C:\Program +Files\Wireshark_. + +==== Folders on Unix-like systems + +_$XDG_CONFIG_HOME_ is the folder for user-specific configuration files. +It’s usually _$HOME/.config_, where _$HOME_ is the user’s home folder, which +is usually something such as _/home/**username**_, or +_/Users/**username**_ on macOS. + +If you are using macOS and you are running a copy of Wireshark +installed as an application bundle, _APPDIR_ is the top-level directory +of the Wireshark application bundle, which will typically be +_/Applications/Wireshark.app_. Otherwise, _INSTALLDIR_ is the top-level +directory under which reside the subdirectories in which components of +Wireshark are installed. This will typically be `/usr` if Wireshark is +bundled with the system (for example, provided as a package with a Linux +distribution) and _/usr/local_ if, for example, you’ve built Wireshark +from source and installed it. + +[#ChAppFilesConfigurationSection] + +=== Configuration Files + +Wireshark uses a number of configuration files while it is running. Some of these +reside in the personal configuration folder and are used to maintain information +between runs of Wireshark, while some of them are maintained in system areas. + +The content format of the configuration files is the same on all platforms. + +On Windows: + +* The personal configuration folder for Wireshark is the +_Wireshark_ sub-folder of that folder, i.e., _%APPDATA%\Wireshark_. + +* The global configuration folder for Wireshark is the Wireshark program +folder and is also used as the system configuration folder. + +On Unix-like systems: + +* The personal configuration folder is +_$XDG_CONFIG_HOME/wireshark_. For backwards compatibility with +Wireshark before 2.2, if _$XDG_CONFIG_HOME/wireshark_ does not +exist and _$HOME/.wireshark_ is present, then the latter will be used. + +* If you are using macOS and you are running a copy of Wireshark +installed as an application bundle, the global configuration folder is +_APPDIR/Contents/Resources/share/wireshark_. Otherwise, the +global configuration folder is _INSTALLDIR/share/wireshark_. + +* The _/etc_ folder is the system configuration folder. The folder +actually used on your system may vary, maybe something like: +_/usr/local/etc_. + +[#AppFilesTabFolders] +.Configuration files overview +[options="header"] +|=== +|File/Folder|Description +|_cfilters_|Capture filters. +|_colorfilters_|Coloring rules. +|__dfilter_buttons__|Display filter buttons. +|_dfilters_|Display filters. +|__disabled_protos__|Disabled protocols. +|__dmacros__|Display filter macros. +|_ethers_|Ethernet name resolution. +|_hosts_|IPv4 and IPv6 name resolution. +|_ipxnets_|IPX name resolution. +|_manuf_|Ethernet name resolution. +|_preferences_|Settings from the Preferences dialog box. +|_recent_|Per-profile GUI settings. +|__recent_common__|Common GUI settings. +|_services_|Network services. +|_ss7pcs_|SS7 point code resolution. +|_subnets_|IPv4 subnet name resolution. +|_vlans_|VLAN ID name resolution. +|_wka_|Well-known MAC addresses. +|=== + +[discrete] +===== File contents + +cfilters:: ++ +-- +This file contains all the capture filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +"<filter name>" <filter string> +---- + +At program start, if there is a _cfilters_ file in the personal +configuration folder, it is read. If there isn’t a _cfilters_ file in +the personal configuration folder, then, if there is a _cfilters_ file +in the global configuration folder, it is read. + +When you press the Save button in the “Capture Filters” dialog box, +all the current capture filters are written to the personal capture +filters file. +-- + +colorfilters:: ++ +-- +This file contains all the color filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>] +---- + +At program start, if there is a _colorfilters_ file in the personal +configuration folder, it is read. If there isn’t a _colorfilters_ file +in the personal configuration folder, then, if there is a _colorfilters_ +file in the global configuration folder, it is read. + +When you press the Save button in the “Coloring Rules” dialog box, +all the current color filters are written to the personal color filters +file. +-- + +dfilter_buttons:: ++ +-- +This file contains all the display filter buttons that you have defined and +saved. It consists of one or more lines, where each line has the following +format: + +---- +"TRUE/FALSE","<button label>","<filter string>","<comment string>" +---- + +where the first field is TRUE if the button is enabled (shown). + +At program start, if there is a __dfilter_buttons__ file in the personal +configuration folder, it is read. If there isn’t a __dfilter_buttons__ file +in the personal configuration folder, then, if there is a __dfilter_buttons__ +file in the global configuration folder, it is read. + +When you save any changes to the filter buttons, all the current display +filter buttons are written to the personal display filter buttons file. +-- + +dfilters:: ++ +-- +This file contains all the display filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +"<filter name>" <filter string> +---- + +At program start, if there is a _dfilters_ file in the personal +configuration folder, it is read. If there isn’t a _dfilters_ file in +the personal configuration folder, then, if there is a _dfilters_ file +in the global configuration folder, it is read. + +When you press the Save button in the “Display Filters” dialog box, +all the current display filters are written to the personal display +filters file. +-- + +disabled_protos:: ++ +-- +Each line in this file specifies a disabled protocol name. The following are +some examples: + +---- +tcp +udp +---- + +At program start, if there is a __disabled_protos__ file in the global +configuration folder, it is read first. Then, if there is a +__disabled_protos__ file in the personal configuration folder, that is +read; if there is an entry for a protocol set in both files, the setting +in the personal disabled protocols file overrides the setting in the +global disabled protocols file. + +When you press the Save button in the “Enabled Protocols” dialog box, +the current set of disabled protocols is written to the personal +disabled protocols file. +-- + +dmacros:: ++ +-- +This file contains all the display filter macros that you have defined and saved. +It consists of one or more lines, where each line has the following format: + +---- +"<macro name>" <macro expression> +---- + +At program start, if there is a __dmacros__ file in the personal +configuration folder, it is read. If there isn’t a __dmacros__ file +in the personal configuration folder, then, if there is a __dmacros__ +file in the global configuration folder, it is read. + +In versions of Wireshark prior to 4.4, the display filter macros were +stored in a __dfilter_macros__ file with a somewhat different format, +a <<ChUserTable,UAT>>. At program start if the __dmacros__ file +is not found a __dfilter_macros__ file is looked for in the personal and +global configuration folders and converted to the new format. + +When you press the Save button in the "Display Filter Macros" dialog box, +all the current display filter macros are written to the personal display +filter macros file. + +More information about Display Filter Macros is available in +<<ChWorkDefineFilterMacrosSection>> +-- + +ethers:: ++ +-- +When Wireshark is trying to translate a hardware MAC address to +a name, it consults the _ethers_ file in the personal configuration +folder first. If the address is not found in that file, Wireshark +consults the _ethers_ file in the system configuration folder. + +This file has a similar format to the _/etc/ethers_ file on some Unix-like systems. +Each line in these files consists of one hardware address and name separated by +whitespace (tabs or spaces). The hardware addresses are expressed as pairs +of hexadecimal digits separated by colons (:), dashes (-), or periods(.), with +the same separator used in the entire address. A `#` can be used to indicate +a comment that extends to the rest of the line. NIS lookups, as in some +UNIX-like systems, are not supported. The following are some examples: + +---- +ff-ff-ff-ff-ff-ff Broadcast +c0-00-ff-ff-ff-ff TR_broadcast +00.2b.08.93.4b.a1 Freds_machine +---- + +The settings from this file are read in when a MAC address is to be +translated to a name, and never written by Wireshark. +-- + +hosts:: ++ +-- +Wireshark uses the entries in the _hosts_ files to translate IPv4 and +IPv6 addresses into names. + +At program start, if there is a _hosts_ file in the global configuration +folder, it is read first. Then, if there is a _hosts_ file in the +personal configuration folder, that is read; if there is an entry for a +given IP address in both files, the setting in the personal hosts file +overrides the entry in the global hosts file. + +This file has the same format as the usual _/etc/hosts_ file on Unix systems. + +An example is: + +---- +# Comments must be prepended by the # sign! +192.168.0.1 homeserver +---- + +The settings from this file are read in at program start and never written by +Wireshark. +-- + +ipxnets:: ++ +-- +When Wireshark is trying to translate an IPX network number to +a name, it consults the _ipxnets_ file in the personal configuration +folder first. If the address is not found in that file, Wireshark +consults the _ipxnets_ file in the system configuration folder. + + +An example is: +---- +C0.A8.2C.00 HR +c0-a8-1c-00 CEO +00:00:BE:EF IT_Server1 +110f FileServer3 +---- + +The settings from this file are read in when an IPX network number is to +be translated to a name, and never written by Wireshark. +-- + +manuf:: ++ +-- +At program start, if there is a _manuf_ file in the global configuration +folder, it is read first. Then, if there is a _manuf_ file in the personal +configuration folder, that is read; if there is an entry for a given address +prefix in both files, the setting in the personal file overrides the entry +in the global file. + +The entries in this file are used to translate MAC address prefixes into short and long manufacturer names. +Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name. +Prefixes 24 bits long by default and may be followed by an optional length. +Note that this is not the same format as the _ethers_ file, which does not +allow prefix lengths. + +Examples are: + +---- +00:00:01 Xerox Xerox Corporation +00:50:C2:00:30:00/36 Microsof Microsoft +---- + +In earlier versions of Wireshark, official information from the IEEE +Registration Authority was distributed in this format as the _manuf_ file +in the global configuration folder. In current versions of Wireshark, this +information is compiled into the program to speed startup, but if a file +is present in the global configuration folder it is still read, and can +be used to supplement or replace the official data just as the personal +file does. The compiled-in information can be written out in this format +as a report with `tshark -G manuf`. + +The settings from this file are read in at program start and never written by Wireshark. +-- + +preferences:: ++ +-- +This file contains your Wireshark preferences, including defaults for capturing +and displaying packets. It is a simple text file containing statements of the +form: + +---- +variable: value +---- + +At program start, if there is a _preferences_ file in the global +configuration folder, it is read first. Then, if there is a +_preferences_ file in the personal configuration folder, that is read; +if there is a preference set in both files, the setting in the personal +preferences file overrides the setting in the global preference file. + +If you press the Save button in the “Preferences” dialog box, all the +current settings are written to the personal preferences file. +-- + +recent:: ++ +-- +This file contains GUI settings that are specific to the current profile, such as column widths and toolbar visibility. +It is a simple text file containing statements of the form: + +---- +variable: value +---- + +It is read at program start and written when preferences are saved and at program exit. +It is also written and read whenever you switch to a different profile. +-- + +recent_common:: ++ +-- +This file contains common GUI settings, such as recently opened capture files, recently used filters, and window geometries. +It is a simple text file containing statements of the form: + +---- +variable: value +---- + +It is read at program start and written when preferences are saved and at program exit. +-- + +services:: ++ +-- +Wireshark uses the _services_ files to translate port numbers into names. + +At program start, if there is a _services_ file in the global +configuration folder, it is read first. Then, if there is a _services_ +file in the personal configuration folder, that is read; if there is an +entry for a given port number in both files, the setting in the personal +_services_ file overrides the entry in the global _services_ file. +The format is that of the standard _services(5)_ file on UNIX-compatible +systems. + +An example is: + +---- +mydns 5045/udp # My own Domain Name Server +mydns 5045/tcp # My own Domain Name Server +---- + +In earlier versions of Wireshark, official information from the IANA +Service Name and Transport Protocol Port Number Registry was distributed +in this format as the _services_ file in the global configuration folder. +In current versions of Wireshark, this information is compiled into the +program to speed startup, but if a file is present in the global configuration +folder it is still read, and can be used to supplement or replace the official +data just as the personal file does. The compiled-in information can be +written out in this format as a report with `tshark -G services`. + +The settings from these files are read in at program start and never +written by Wireshark. +-- + +ss7pcs:: ++ +-- +Wireshark uses the _ss7pcs_ file to translate SS7 point codes to node names. + +At program start, if there is a _ss7pcs_ file in the personal +configuration folder, it is read. + +Each line in this file consists of one network indicator followed by a dash followed by a point code in decimal and a node name separated by whitespace or tab. + +An example is: +---- +2-1234 MyPointCode1 +---- + +The settings from this file are read in at program start and never written by +Wireshark. +-- + +subnets:: ++ +-- +Wireshark uses the __subnets__ file to translate an IPv4 address into a +subnet name. If no exact match from a __hosts__ file or from DNS is +found, Wireshark will attempt a partial match for the subnet of the +address. + +At program start, if there is a _subnets_ file in the personal +configuration folder, it is read first. Then, if there is a _subnets_ +file in the global configuration folder, that is read; if there is a +preference set in both files, the setting in the global preferences file +overrides the setting in the personal preference file. + +Each line in one of these files consists of an IPv4 address, a subnet +mask length separated only by a “/” and a name separated by whitespace. +While the address must be a full IPv4 address, any values beyond the +mask length are subsequently ignored. + +An example is: +---- +# Comments must be prepended by the # sign! +192.168.0.0/24 ws_test_network +---- + +A partially matched name will be printed as “subnet-name.remaining-address”. +For example, “192.168.0.1” under the subnet above would be printed as +“ws_test_network.1”; if the mask length above had been 16 rather than 24, the +printed address would be “ws_test_network.0.1”. + +The settings from these files are read in at program start and never +written by Wireshark. + +The __subnets__ file also changes the behavior of the Endpoints and +Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user +preference _Aggregate subnets in Statistics Dialogs_ is enabled. In this +case, when an IPv4 address matches a subnet, the statistics dialog will +show this subnet instead of the IPv4 address. +-- + +vlans:: ++ +-- +Wireshark uses the _vlans_ file to translate VLAN tag IDs into names. + +If there is a _vlans_ file in the currently active profile folder, it is used. Otherwise, the _vlans_ file in the personal configuration folder is used. + +Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab. + +An example is: +---- +123 Server-LAN +2049 HR-Client-LAN +---- + +The settings from this file are read in at program start or when changing +the active profile and are never written by Wireshark. +-- + +wka:: ++ +-- +At program start, if there is a _wka_ file in the global configuration folder, +it is read. + +The entries in this file are used to translate MAC addresses and MAC address +prefixes into names. The format is that of the _manuf_ file. This file is +distributed with Wireshark, and contains data assembled from various non IEEE +but respected sources. + +The settings from this file are read in at program start and never written by Wireshark. +-- + +[#ChPluginFolders] + +=== Plugin folders + +Wireshark supports plugins for various purposes. Plugins can either be +scripts written in Lua or code written in C or {cpp} and compiled to +machine code. + +Wireshark looks for plugins in both a personal plugin folder and a +global plugin folder. Lua plugins are stored in the plugin folders; +compiled plugins are stored in subfolders of the plugin folders, with +the subfolder name being the Wireshark minor version number (X.Y). There is +another hierarchical level for each Wireshark plugin type (libwireshark, +libwiretap and codecs). So for example the location for a libwireshark plugin +_foo.so_ (_foo.dll_ on Windows) would be _PLUGINDIR/X.Y/epan_ +(libwireshark used to be called libepan; the other folder names are _codecs_ +and _wiretap_). + +On Windows: + +* The personal plugin folder is _%APPDATA%\Wireshark\plugins_. + +* The global plugin folder is _WIRESHARK\plugins_. + +On Unix-like systems: + +* The personal plugin folder is _~/.local/lib/wireshark/plugins_. + +[NOTE] +==== +To provide better support for binary plugins this folder changed in Wireshark 2.5. +It is recommended to use the new folder but *for lua scripts only* you may +continue to use _$XDG_CONFIG_HOME/wireshark/plugins_ for backward-compatibility. +This is useful to have older versions of Wireshark installed side-by-side. In case +of duplicate file names between old and new the new folder wins. +==== + +* If you are running on macOS and Wireshark is installed as an +application bundle, the global plugin folder is +_%APPDIR%/Contents/PlugIns/wireshark_, otherwise it’s +_INSTALLDIR/lib/wireshark/plugins_. + +[#ChWindowsFolder] + +=== Windows folders + +Here you will find some details about the folders used in Wireshark on different +Windows versions. + +As already mentioned, you can find the currently used folders in the “About +Wireshark” dialog. + +[#ChWindowsProfiles] + +==== Windows profiles + +Windows uses some special directories to store user configuration files which +define the “user profile”. This can be confusing, as the default directory +location changed from Windows version to version and might also be different for +English and internationalized versions of Windows. + +[NOTE] +==== +If you’ve upgraded to a new Windows version, your profile might be kept in the +former location. The defaults mentioned here might not apply. +==== + +The following guides you to the right place where to look for Wireshark’s +profile data. + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions:: +_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_. + +Windows XP and Windows Server 2003 footnote:historical[No longer supported by Wireshark. For historical reference only.]:: +_C:\Documents and Settings{backslash}**username**\Application Data_. “Documents and +Settings” and “Application Data” might be internationalized. + +[#ChWindowsRoamingProfiles] + +==== Windows roaming profiles + +Some larger Windows environments use roaming profiles. If this is the case the +configurations of all programs you use won’t be saved on your local hard drive. +They will be stored on the domain server instead. + +Your settings will travel with you from computer to computer with one exception. +The “Local Settings” folder in your profile data (typically something like: +_C:\Documents and Settings{backslash}**username**\Local Settings_) will not be +transferred to the domain server. This is the default for temporary capture +files. + +[#ChWindowsTempFolder] + +==== Windows temporary folder + +Wireshark uses the folder which is set by the TMPDIR or TEMP environment +variable. This variable will be set by the Windows installer. + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions:: +_C:\Users{backslash}**username**\AppData\Local\Temp_ + +Windows XP and Windows Server 2003 footnote:historical[]:: +_C:\Documents and Settings{backslash}**username**\Local Settings\Temp_ + +// End of WSUG Appendix Files diff --git a/doc/wsug_src/wsug_howitworks.adoc b/doc/wsug_src/wsug_howitworks.adoc new file mode 100644 index 00000000..13cb8176 --- /dev/null +++ b/doc/wsug_src/wsug_howitworks.adoc @@ -0,0 +1,75 @@ +// WSUG Appendix How it Works + +[#AppHowItWorks] + +[appendix] +== How Wireshark Works + +When using such a complex program like Wireshark, it’s sometimes useful to +understand the mechanisms and concepts behind the surface. This is an approach +to shed some light on the inner workings of Wireshark. + +=== Program start + +When Wireshark starts, a lot of things are done: + +* Initialize the dissectors (register the protocol tree), including plugins + +* Load and set values from the preferences file + +* Load the capture filters from the cfilters file + +* Load the display filters from the dfilters file + +* Load and set the disabled protocols from the disabled_protos file + +* Init libpcap/Npcap (the capturing engine) + +* Process command line parameters + +* Load and set the recently used GUI settings from the recent file + +* Init and show the main screen + +* If specified by command line, load a capture file or start capturing + +=== Protocol dissectors + +Each protocol has its own protocol dissector. When processing network data, +Wireshark calls the dissector that seems relevant to the packet data. The +dissector will then process the packet data and send any unprocessed data +back to Wireshark for further dissection. + +So Wireshark will dissect a packet from the lowest to the highest protocol +layers. + +But how does Wireshark know which dissector to use? + +When Wireshark starts each dissector registers itself in one of two ways: + +* _Static_. If the dissector knows a specific value of a lower layer, it can + directly register itself there (e.g., the HTTP dissector “knows”, that + typically the well-known TCP port 80 is used to transport HTTP data). + +* _Heuristic_. If no such well-known way exists, the dissector + can register itself for the heuristic mechanism. If a lower-layer dissector + has to handle some packet data where no well-known way exists, it can + handover the packet to Wireshark’s heuristic mechanism. This will ask all + registered upper layer dissectors, if they “like” that data. These + dissectors typically look at the first few bytes of the packet, to see if they + contain some characteristic data of that protocol and then + decide whether or not to dissect that packet. + +Let’s look at an example. We’ll assume, Wireshark loads a TCP/IP/Ethernet +packet. Wireshark will call the Ethernet dissector, which will dissect the +Ethernet related data (usually the first 6 + 6 + 2 bytes). The Ethernet +dissector then passes the rest of the data back to Wireshark. +Wireshark in turn will call the next related dissector, in our case the IP +dissector (because of the value 0x800 in the Ethernet type field). This +will continue until no more data has to be dissected, or the data is +unknown to Wireshark. + +You can control the way Wireshark calls its dissectors, see +<<ChAdvProtocolDissectionSection>> for details. + +// End of WSUG Appendix How it Works diff --git a/doc/wsug_src/wsug_introduction.adoc b/doc/wsug_src/wsug_introduction.adoc new file mode 100644 index 00000000..1cfbfe4f --- /dev/null +++ b/doc/wsug_src/wsug_introduction.adoc @@ -0,0 +1,521 @@ +// WSUG Chapter Introduction + +[#ChapterIntroduction] + +== Introduction + +[#ChIntroWhatIs] + +=== What is Wireshark? + +Wireshark is a network packet analyzer. A network packet analyzer +presents captured packet data in as much detail as possible. + +You could think of a network packet analyzer as a measuring device for +examining what’s happening inside a network cable, just like an electrician uses +a voltmeter for examining what’s happening inside an electric cable (but at a +higher level, of course). + +In the past, such tools were either very expensive, proprietary, or both. +However, with the advent of Wireshark, that has changed. Wireshark is +available for free, is open source, and is one of the best packet +analyzers available today. + +[#ChIntroPurposes] + +==== Some intended purposes + +Here are some reasons people use Wireshark: + +* Network administrators use it to _troubleshoot network problems_ + +* Network security engineers use it to _examine security problems_ + +* QA engineers use it to _verify network applications_ + +* Developers use it to _debug protocol implementations_ + +* People use it to _learn network protocol_ internals + +Wireshark can also be helpful in many other situations. + +[#ChIntroFeatures] + +==== Features + +The following are some of the many features Wireshark provides: + +* Available for _UNIX_ and _Windows_. + +* _Capture_ live packet data from a network interface. + +* _Open_ files containing packet data captured with tcpdump/WinDump, +Wireshark, and many other packet capture programs. + +* _Import_ packets from text files containing hex dumps of packet data. + +* Display packets with _very detailed protocol information_. + +* _Save_ packet data captured. + +* _Export_ some or all packets in a number of capture file formats. + +* _Filter packets_ on many criteria. + +* _Search_ for packets on many criteria. + +* _Colorize_ packet display based on filters. + +* Create various _statistics_. + +* ...and _a lot more!_ + +However, to really appreciate its power you have to start using it. + +<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you +to examine them. + +[#ChIntroFig1] +.Wireshark captures packets and lets you examine their contents. +image::images/ws-main.png[{screenshot-attrs}] + +==== Live capture from many different network media + +Wireshark can capture traffic from many different network media types, +including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media +types supported may be limited by several factors, including your hardware +and operating system. An overview of the supported media types can be found at +link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +==== Import files from many other capture programs + +Wireshark can open packet captures from a large number of capture +programs. For a list of input formats see <<ChIOInputFormatsSection>>. + +==== Export files for many other capture programs + +Wireshark can save captured packets in many formats, including those used by other +capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>. + +==== Many protocol dissectors + +There are protocol dissectors (or decoders, as they are known in other products) +for a great many protocols: see <<AppProtocols>>. + +==== Open Source Software + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL). You can freely use +Wireshark on any number of computers you like, without worrying about license +keys or fees or such. In addition, all source code is freely available under the +GPL. Because of that, it is very easy for people to add new protocols to +Wireshark, either as plugins, or built into the source, and they often do! + +[#ChIntroNoFeatures] + +==== What Wireshark is not + +Here are some things Wireshark does not provide: + +* Wireshark isn’t an intrusion detection system. It will not warn you when + someone does strange things on your network that he/she isn’t allowed to do. + However, if strange things happen, Wireshark might help you figure out what is + really going on. + +* Wireshark will not manipulate things on the network, it will only “measure” + things from it. Wireshark doesn’t send packets on the network or do other + active things (except domain name resolution, but that can be disabled). + +[#ChIntroPlatforms] + +=== System Requirements + +The amount of resources Wireshark needs depends on your environment and on the +size of the capture file you are analyzing. The values below should be fine for +small to medium-sized capture files no more than a few hundred MB. Larger +capture files will require more memory and disk space. + +[NOTE] +.Busy networks mean large captures +==== +A busy network can produce huge capture files. Capturing on +even a 100 megabit network can produce hundreds of megabytes of +capture data in a short time. A computer with a fast processor, and lots of +memory and disk space is always a good idea. +==== + +If Wireshark runs out of memory it will crash. See +{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds. + +Although Wireshark uses a separate process to capture packets, the packet +analysis is single-threaded and won’t benefit much from multi-core systems. + +==== Microsoft Windows + +Wireshark should support any version of Windows that is still within its +https://windows.microsoft.com/en-us/windows/lifecycle[extended support +lifetime]. At the time of writing this includes Windows 11, 10, +Server 2022, +Server 2019, +and Server 2016. +It also requires the following: + +* The Universal C Runtime. This is included with Windows 10 and Windows + Server 2019 and is installed automatically on earlier versions if + Microsoft Windows Update is enabled. Otherwise you must install + https://support.microsoft.com/kb/2999226[KB2999226] or + https://support.microsoft.com/kb/3118401[KB3118401]. + +* Any modern 64-bit Intel or Arm processor. + +* 500 MB available RAM. Larger capture files require more RAM. + +* 500 MB available disk space. Capture files require additional disk space. + +* Any modern display. 1280 {multiplication} 1024 or higher resolution is + recommended. Wireshark will make use of HiDPI or Retina resolutions if + available. Power users will find multiple monitors useful. + +* A supported network card for capturing + + - Ethernet. Any card supported by Windows should work. See the wiki pages on + link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and + link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that + may affect your environment. + + - 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark + wiki page]. Capturing raw 802.11 information may be difficult without + special equipment. + + - Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +Older versions of Windows which are outside Microsoft’s extended lifecycle +support window are no longer supported. It is often difficult or impossible to +support these systems due to circumstances beyond our control, such as third +party libraries on which we depend or due to necessary features that are only +present in newer versions of Windows such as hardened security or memory +management. + +* Wireshark 4.0 was the last release branch to officially support Windows 8.1 and Windows Server 2012. +* Wireshark 3.6 was the last release branch to officially support 32-bit Windows. +* Wireshark 3.2 was the last release branch to officially support Windows 7 and Windows Server 2008 R2. +* Wireshark 2.2 was the last release branch to support Windows Vista and Windows Server 2008 sans R2 +* Wireshark 1.12 was the last release branch to support Windows Server 2003. +* Wireshark 1.10 was the last release branch to officially support Windows XP. + +See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark +release lifecycle] page for more details. + +==== macOS + +Wireshark supports macOS 10.14 and later. +Similar to Windows, supported macOS versions depend on third party libraries and on Apple’s requirements. +Apple Silicon hardware is supported natively starting with version 4.0 + +// Wireshark 4.0 ships with Qt 6.2.4, which requires macOS 10.14 and later +// Wireshark 3.6 ships with Qt 5.15, which requires macOS 10.13 and later. +// Wireshark 3.4, 3.2 and 3.0 ship with Qt 5.12, which requires macOS 10.12 and later. +// Wireshark 2.6 ships with Qt 5.3, which was the last release to support 10.6: https://wiki.qt.io/New_Features_in_Qt_5.3 +// "Mac OS 10.6 support is deprecated and scheduled for removal in Qt 5.4" + +* Wireshark 3.6 was the last release branch to support macOS 10.13. +* Wireshark 3.4 was the last release branch to support macOS 10.12. +* Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and OS X 10.8 to 10.11. +* Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel. +* Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC. + +The system requirements should be comparable to the specifications listed above for Windows. + +==== UNIX, Linux, and BSD + +Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants. +The system requirements should be comparable to the specifications listed above for Windows. + +Binary packages are available for most Unices and Linux distributions +including the following platforms: + +* Alpine Linux + +* Arch Linux + +* Canonical Ubuntu + +* Debian GNU/Linux + +* FreeBSD + +* Gentoo Linux + +* HP-UX + +* NetBSD + +* OpenPKG + +* Oracle Solaris + +* Red Hat Enterprise Linux / CentOS / Fedora + +If a binary package is not available for your platform you can download +the source and try to build it. Please report your experiences to +mailto:{wireshark-dev-list-email}[]. + +[#ChIntroDownload] + +=== Where To Get Wireshark + +You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}. +The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. +Official Windows and macOS installers are signed by *Wireshark Foundation* using trusted certificates on those platforms. +macOS installers are additionally notarized. + +A new Wireshark version typically becomes available every six weeks. + +If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list. +You will find more details in <<ChIntroMailingLists>>. + +Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt. +Announcement messages are archived at https://lists.wireshark.org/archives/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/. +Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. +As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems. + +[#ChIntroHistory] + +=== A Brief History Of Wireshark + +In late 1997 Gerald Combs needed a tool for tracking down network problems +and wanted to learn more about networking so he started writing Ethereal (the +original name of the Wireshark project) as a way to solve both problems. + +Ethereal was initially released after several pauses in development in July +1998 as version 0.2.0. Within days patches, bug reports, and words of +encouragement started arriving and Ethereal was on its way to success. + +Not long after that Gilbert Ramirez saw its potential and contributed a +low-level dissector to it. + +In October, 1998 Guy Harris was looking for something better than tcpview so he +started applying patches and contributing dissectors to Ethereal. + +In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential +on such courses and started looking at it to see if it supported the protocols +he needed. While it didn’t at that point new protocols could be easily added. +So he started contributing dissectors and contributing patches. + +The list of people who have contributed to the project has become very long +since then, and almost all of them started with a protocol that they needed that +Wireshark did not already handle. So they copied an existing dissector and +contributed the code back to the team. + +In 2006 the project moved house and re-emerged under a new name: Wireshark. + +In 2008, after ten years of development, Wireshark finally arrived at version +1.0. This release was the first deemed complete, with the minimum features +implemented. Its release coincided with the first Wireshark Developer and User +Conference, called Sharkfest. + +In 2015 Wireshark 2.0 was released, which featured a new user interface. + +In 2023 Wireshark moved to the link:{wireshark-foundation-url}[Wireshark Foundation], a nonprofit corporation that operates under section 501(c)(3) of the U.S. tax code. +The foundation provides the project's infrastructure, hosts link:{sharkfest-url}[SharkFest], our developer and user conference, and promotes low level network education. + +[#ChIntroMaintenance] + +=== Development And Maintenance Of Wireshark + +Wireshark was initially developed by Gerald Combs. Ongoing development and +maintenance of Wireshark is handled by the Wireshark team, a loose group of +individuals who fix bugs and provide new functionality. + +There have also been a large number of people who have contributed +protocol dissectors to Wireshark, and it is expected that this will +continue. You can find a list of the people who have contributed code to +Wireshark by checking the about dialog box of Wireshark, or at the +link:{wireshark-authors-url}[authors] page on the Wireshark web site. + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is +freely available under the GPL. You are welcome to modify Wireshark to suit your +own needs, and it would be appreciated if you contribute your improvements back +to the Wireshark team. + +You gain three benefits by contributing your improvements back to the community: + +. Other people who find your contributions useful will appreciate them, and you + will know that you have helped people in the same way that the developers of + Wireshark have helped you. + +. The developers of Wireshark can further improve your changes or implement + additional features on top of your code, which may also benefit you. + +. The maintainers and developers of Wireshark will maintain your code, + fixing it when API changes or other changes are made, and generally keeping it + in tune with what is happening with Wireshark. So when Wireshark is updated + (which is often), you can get a new Wireshark version from the website + and your changes will already be included without any additional effort from you. + +The Wireshark source code and binary kits for some platforms are all +available on the download page of the Wireshark website: +{wireshark-download-url}. + +[#ChIntroHelp] + +=== Reporting Problems And Getting Help + +If you have problems or need help with Wireshark there are several places that +may be of interest (besides this guide, of course). + +[#ChIntroHomepage] + +==== Website + +You will find lots of useful information on the Wireshark homepage at +{wireshark-main-url}. + +[#ChIntroWiki] + +==== Wiki + +The Wireshark Wiki at {wireshark-wiki-url} provides a +wide range of information related to Wireshark and packet capture in general. +You will find a lot of information not part of this user’s guide. For example, +it contains an explanation how to capture on a switched network, an ongoing effort +to build a protocol reference, protocol-specific information, and much more. + +And best of all, if you would like to contribute your knowledge on a specific +topic (maybe a network protocol you know well), you can edit the wiki pages +with your web browser. + +[#ChIntroQA] + +==== Q&A Site + +The Wireshark Q&A site at {wireshark-qa-url} offers a resource where +questions and answers come together. You can search for +questions asked before and see what answers were given by people who +knew about the issue. Answers are ranked, so you can easily pick out the best +ones. If your question hasn’t been discussed before you can post +one yourself. + +[#ChIntroFAQ] + +==== FAQ + +The Frequently Asked Questions lists often asked questions and their +corresponding answers. + +[NOTE] +.Read the FAQ +==== +Before sending any mail to the mailing lists below, be sure to read the FAQ. It +will often answer any questions you might have. This will save yourself and +others a lot of time. Keep in mind that a lot of people are subscribed to the +mailing lists. +==== + +You will find the FAQ inside Wireshark by clicking the menu item Help/Contents +and selecting the FAQ page in the dialog shown. + +An online version is available at the Wireshark website at +{wireshark-faq-url}. You might prefer this online version, as it’s +typically more up to date and the HTML format is easier to use. + +[#ChIntroMailingLists] + +==== Mailing Lists + +There are several mailing lists of specific Wireshark topics available: + +link:{wireshark-mailing-lists-url}wireshark-announce[wireshark-announce]:: + Information about new program releases, which usually appear about every six weeks. + +link:{wireshark-mailing-lists-url}wireshark-users[wireshark-users]:: + Topics of interest to users of Wireshark. + People typically post questions about using Wireshark and others (hopefully) provide answers. + +link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev]:: + Topics of interest to developers of Wireshark. + If you want to develop a protocol dissector or update the user interface, join this list. + +You can subscribe to each of these lists from the Wireshark web site: +{wireshark-mailing-lists-url}. From there, you can choose which mailing +list you want to subscribe to by clicking on the +Subscribe/Unsubscribe/Options button under the title of the relevant +list. The links to the archives are included on that page as well. + +[TIP] +.The lists are archived +==== +You can search in the list archives to see if someone asked the same question +some time before and maybe already got an answer. That way you don’t have to +wait until someone answers your question. +==== + +==== Reporting Problems + +[NOTE] +==== +Before reporting any problems, please make sure you have installed the latest +version of Wireshark. +==== + + +When reporting problems with Wireshark please supply the following information: + +. The version number of Wireshark and the dependent libraries linked with it, + such as Qt or GLib. You can obtain this from Wireshark’s about box or the + command _wireshark -v_. + +. Information about the platform you run Wireshark on +(Windows, Linux, etc. and 32-bit, 64-bit, etc.). + +. A detailed description of your problem. + +. If you get an error/warning message, copy the text of that message (and also a + few lines before and after it, if there are some) so others may find the + place where things go wrong. Please don’t give something like: “I get a + warning while doing x” as this won’t give a good idea where to look. + +[WARNING] +.Don’t send confidential information! +==== +If you send capture files to the mailing lists be sure they don’t contain any +sensitive or confidential information like passwords or personally identifiable +information (PII). + +In many cases you can use a tool like link:https://www.tracewrangler.com/[TraceWrangler] to sanitize a capture file before sharing it. +==== + +[NOTE] +.Don’t send large files +==== +Do not send large files (> 1 MB) to the mailing lists. Instead, provide a +download link. For bugs and feature requests, you can create an issue on +link:{wireshark-bugs-url}[GitLab Issues] and upload the file there. +==== + +==== Reporting Crashes on UNIX/Linux platforms + +When reporting crashes with Wireshark it is helpful if you supply the traceback +information along with the information mentioned in “Reporting Problems”. + +You can obtain this traceback information with the following commands on UNIX or +Linux (note the backticks): + +---- +$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt +backtrace +^D +---- + +If you do not have _gdb_ available, you will have to check out your operating system’s debugger. + +Email _backtrace.txt_ to mailto:{wireshark-dev-list-email}[]. + +==== Reporting Crashes on Windows platforms + +The Windows distributions don’t contain the symbol files (.pdb) because they are +very large. You can download them separately at +{wireshark-main-url}download/win64/all-versions/ . + +// End of WSUG Chapter 1 diff --git a/doc/wsug_src/wsug_io.adoc b/doc/wsug_src/wsug_io.adoc new file mode 100644 index 00000000..5cf4b038 --- /dev/null +++ b/doc/wsug_src/wsug_io.adoc @@ -0,0 +1,1257 @@ +// WSUG Chapter IO + +[#ChapterIO] + +== File Input, Output, And Printing + +[#ChIOIntroductionSection] + +=== Introduction + +This chapter will describe input and output of capture data. + +* Open capture files in various capture file formats + +* Save and export capture files in various formats + +* Merge capture files together + +* Import text files containing hex dumps of packets + +* Print packets + +[#ChIOOpenSection] + +=== Open Capture Files + +Wireshark can read in previously saved capture files. To read them, simply +select the menu:File[Open] menu or toolbar item. Wireshark will then pop up +the “File Open” dialog box, which is discussed in more detail in <<ChIOOpen>>. + +[TIP] +.You can use drag and drop to open files +==== +On most systems you can open a file by simply dragging it in your file manager and dropping it onto Wireshark’s main window. +==== + +If you haven’t previously saved the current capture file you will be asked to +do so to prevent data loss. This warning can be disabled in the preferences. + +In addition to its native file format (pcapng), Wireshark can read and write +capture files from a large number of other packet capture programs as well. See +<<ChIOInputFormatsSection>> for the list of capture formats Wireshark +understands. + +[#ChIOOpen] + +==== The “Open Capture File” Dialog Box + +The “Open Capture File” dialog box allows you to search for a capture file +containing previously captured packets for display in Wireshark. The following +sections show some examples of the Wireshark “Open File” dialog box. The +appearance of this dialog depends on the system. However, the functionality +should be the same across systems. + +Common dialog behavior on all systems: + +* Select files and directories. + +* Click the btn:[Open] button to accept your selected file and open it. + +* Click the btn:[Cancel] button to go back to Wireshark and not load a capture file. + +* The btn:[Help] button will take you to this section of the “User’s Guide”. + +Wireshark adds the following controls: + +* View file preview information such as the size and the number of packets in a selected a capture file. + +// XXX - we need a better description of these read filters +* Specify a read filter with the “Read filter” field. + This filter will be used when opening the new file. + The text field background will turn green for a valid filter string and red for an invalid one. + Read filters can be used to exclude various types of traffic, which can be useful for large capture files. + They use the same syntax as display filters, which are discussed in detail in <<ChWorkDisplayFilterSection>>. + +* Optionally force Wireshark to read a file as a particular type using the “Automatically detect file type” drop-down. + +[#ChIOOpenFileDialogWin32] + +.“Open” on Microsoft Windows +image::images/ws-open-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file open dialog along with some Wireshark extensions. + +[#ChIOOpenFileDialog] + +.“Open” - Linux and UNIX +image::images/ws-open-qt5.png[{medium-screenshot-attrs}] + +This is the common Qt file open dialog along with some Wireshark extensions. + +// XXX Add macOS + +[#ChIOInputFormatsSection] + + +==== Input File Formats + +The native capture file formats used by Wireshark are: + +* pcap. The default format used by the _libpcap_ packet capture library. Used + by _tcpdump, _Snort_, _Nmap_, _Ntop_, and many other tools. + +* pcapng. A flexible, extensible successor to the pcap format. + Wireshark 1.8 and later save files as pcapng by default. Versions + prior to 1.8 used pcap. Used by Wireshark and by _tcpdump_ in newer + versions of macOS. + +The following file formats from other capture tools can be opened by Wireshark: + +* Oracle (previously Sun) _snoop_ and _atmsnoop_ captures + +* Finisar (previously Shomiti) _Surveyor_ captures + +* Microsoft _Network Monitor_ captures + +* Novell _LANalyzer_ captures + +* AIX _iptrace_ captures + +* Cinco Networks NetXray captures + +* NETSCOUT (previously Network Associates/Network General) Windows-based + Sniffer and Sniffer Pro captures + +* Network General/Network Associates DOS-based Sniffer captures + (compressed or uncompressed) captures + +* LiveAction (previously WildPackets/Savvius) + *Peek/EtherHelp/PacketGrabber captures + +* RADCOM’s WAN/LAN Analyzer captures + +* Viavi (previously Network Instruments) Observer captures + +* Lucent/Ascend router debug output + +* captures from HP-UX nettl + +* Toshiba’s ISDN routers dump output + +* output from _i4btrace_ from the ISDN4BSD project + +* traces from the EyeSDN USB S0 + +* the IPLog format output from the Cisco Secure Intrusion Detection System + +* pppd logs (pppdump format) + +* the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities + +* the text output from the DBS Etherwatch VMS utility + +* Visual Networks’ Visual UpTime traffic capture + +* the output from CoSine L2 debug + +* the output from InfoVista (previously Accellent) 5Views LAN agents + +* Endace Measurement Systems’ ERF format captures + +* Linux Bluez Bluetooth stack hcidump -w traces + +* Catapult (now Ixia/Keysight) DCT2000 .out files + +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode + +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) + +* Juniper Netscreen snoop captures + +* Symbian OS btsnoop captures + +* Tamosoft CommView captures + +* Tektronix K12xx 32bit .rf5 format captures + +* Tektronix K12 text file format captures + +* Apple PacketLogger captures + +* Captures from Aethra Telecommunications’ PC108 software for their test instruments + +* Citrix NetScaler Trace files + +* Android Logcat binary and text format logs + +* Colasoft Capsa and PacketBuilder captures + +* Micropross mplog files + +* Unigraf DPA-400 DisplayPort AUX channel monitor traces + +* 802.15.4 traces from Daintree's Sensor Network Analyzer + +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 + +* Log files from the _candump_ utility + +* Logs from the BUSMASTER tool + +* Ixia IxVeriWave raw captures + +* Rabbit Labs CAM Inspector files + +* _systemd_ journal files + +* 3GPP TS 32.423 trace files + +New file formats are added from time to time. + +It may not be possible to read some formats dependent on the packet types +captured. Ethernet captures are usually supported for most file formats but it +may not be possible to read other packet types such as PPP or IEEE 802.11 from +all file formats. + +[#ChIOSaveSection] + +=== Saving Captured Packets + +You can save captured packets by using the menu:File[Save] or menu:File[Save As...] menu items. +You can choose which packets to save and which file format to be used. + +Not all information will be saved in a capture file. For example, most file +formats don’t record the number of dropped packets. See +<<ChAppFilesCaptureFilesSection>> for details. + +[#ChIOSaveAs] + +==== The “Save Capture File As” Dialog Box + +The “Save Capture File As” dialog box allows you to save the current capture to a file. +The exact appearance of this dialog depends on your system. +However, the functionality is the same across systems. +Examples are shown below. + +[#ChIOSaveAsFileWin32] + +.“Save” on Microsoft Windows +image::images/ws-save-as-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file save dialog with some additional Wireshark extensions. + +[#ChIOSaveAsFile2] + +.“Save” on Linux and UNIX +image::images/ws-save-as-qt5.png[{medium-screenshot-attrs}] + +This is the common Qt file save dialog with additional Wireshark extensions. + +// XXX Add macOS + +You can perform the following actions: + +* Type in the name of the file in which you wish to save the captured packets. + +* Select the directory to save the file into. + +* Specify the format of the saved capture file by clicking on the “Save as” drop-down box. + You can choose from the types described in <<ChIOOutputFormatsSection>>. + Some capture formats may not be available depending on the packet types captured. + +* The btn:[Help] button will take you to this section of the “User’s Guide”. + +* “Compress with gzip” will compress the capture file as it is being written to disk. + +* Click the btn:[Save] button to accept your selected file and save it. + +* Click on the btn:[Cancel] button to go back to Wireshark without saving any packets. + +If you don’t provide a file extension to the filename (e.g., `.pcap`) Wireshark will append the standard file extension for that file format. + +[TIP] +.Wireshark can convert file formats +==== +You can convert capture files from one format to another by opening a capture and saving it as a different format. +==== + +If you wish to save some of the packets in your capture file you can do so via <<ChIOExportSpecifiedPacketsDialog>>. + +[#ChIOOutputFormatsSection] + +==== Output File Formats + +Wireshark can save the packet data in its native file format (pcapng) and in the +file formats of other protocol analyzers so other tools can read the capture +data. + +[NOTE] +.Saving in a different format might lose data +==== +Saving your file in a different format might lose information such as comments, name resolution, and time stamp resolution. +See <<ChAdvTimestamps>> for more information on time stamps. +==== + +The following file formats can be saved by Wireshark (with the known file extensions): + +* pcapng ({asterisk}.pcapng). A flexible, extensible successor to the + libpcap format. Wireshark 1.8 and later save files as pcapng by + default. Versions prior to 1.8 used libpcap. + +* pcap ({asterisk}.pcap). The default format used by the _libpcap_ + packet capture library. Used by _tcpdump, _Snort_, _Nmap_, _Ntop_, + and many other tools. + +* Accellent 5Views ({asterisk}.5vw) + +* captures from HP-UX nettl ({asterisktrc0,{asterisk}.trc1) + +* Microsoft Network Monitor - NetMon ({asterisk}.cap) + +* Network Associates Sniffer - DOS + ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,{asterisk}.fdc,{asterisk}.syc) + +* Cinco Networks NetXray captures ({asterisk}.cap) + +* Network Associates Sniffer - Windows ({asterisk}.cap) + +* Network Instruments/Viavi Observer ({asterisk}.bfr) + +* Novell LANalyzer ({asterisk}.tr1) + +* Oracle (previously Sun) snoop ({asterisk}.snoop,{asterisk}.cap) + +* Visual Networks Visual UpTime traffic ({asterisk}.{asterisk}) + +* Symbian OS btsnoop captures ({asterisk}.log) + +* Tamosoft CommView captures ({asterisk}.ncf) + +* Catapult (now Ixia/Keysight) DCT2000 .out files ({asterisk}.out) + +* Endace Measurement Systems’ ERF format capture({asterisk}.erf) + +* EyeSDN USB S0 traces ({asterisk}.trc) + +* Tektronix K12 text file format captures ({asterisk}.txt) + +* Tektronix K12xx 32bit .rf5 format captures ({asterisk}.rf5) + +* Android Logcat binary logs ({asterisk}.logcat) + +* Android Logcat text logs ({asterisk}.{asterisk}) + +* Citrix NetScaler Trace files ({asterisk}.cap) + +New file formats are added from time to time. + +Whether or not the above tools will be more helpful than Wireshark is a different question ;-) + +[NOTE] +.Third party protocol analyzers may require specific file extensions +==== +Wireshark examines a file’s contents to determine its type. Some other protocol +analyzers only look at a file's extension. For example, you might need to use +the `.cap` extension in order to open a file using the Windows version +of _Sniffer_. +==== + +[#ChIOMergeSection] + +=== Merging Capture Files + +Sometimes you need to merge several capture files into one. For example, this can +be useful if you have captured simultaneously from multiple interfaces at once +(e.g., using multiple instances of Wireshark). + +There are three ways to merge capture files using Wireshark: + +* Use the menu:File[Merge] menu to open the “Merge” dialog. + See <<ChIOMergeDialog>> for details. + This menu item will be disabled unless you have loaded a capture file. + +* Use _drag and drop_ to drop multiple files on the main window. + Wireshark will try to merge the packets in chronological order from the dropped files into a newly created temporary file. + If you drop a single file, it will simply replace the existing capture. + +* Use the `mergecap` tool from the command line to merge capture files. + This tool provides the most options to merge capture files. + See <<AppToolsmergecap>> for details. + +[#ChIOMergeDialog] + +==== The “Merge With Capture File” Dialog Box + +This lets you select a file to be merged into the currently loaded file. +If your current data has not been saved you will be asked to save it first. + +Most controls of this dialog will work the same way as described in the “Open Capture File” dialog box. +See <<ChIOOpen>> for details. + +Specific controls of this merge dialog are: + +Prepend packets:: +Prepend the packets from the selected file before the currently loaded packets. + +Merge chronologically:: +Merge both the packets from the selected and currently loaded file in chronological order. + +Append packets:: +Append the packets from the selected file after the currently loaded packets. + +[#ChIOMergeFileTab] + +.“Merge Capture File As” dialog box examples + +[#ChIOMergeFileWin32] + +.“Merge” on Microsoft Windows +image::images/ws-merge-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file open dialog with additional Wireshark extensions. + +[#ChIOMergeFile2] + +.“Merge” on Linux and UNIX +image::images/ws-merge-qt5.png[{medium-screenshot-attrs}] + +This is the Qt file open dialog with additional Wireshark extensions. + +// XXX Add macOS + +[#ChIOImportSection] + +=== Import Hex Dump + +Wireshark can read in a hex dump and write the data described into a +temporary libpcap capture file. It can read hex dumps with multiple packets in +them, and build a capture file of multiple packets. It is also capable of +generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build +fully processable packet dumps from hexdumps of application-level data only. +Alternatively, a Dummy PDU header can be added to specify a dissector the data +should be passed to initially. + +Two methods for converting the input are supported: + +==== Standard ASCII Hexdumps + +Wireshark understands a hexdump of the form generated by `od -Ax -tx1 -v`. +In other words, each byte is individually displayed, with spaces separating +the bytes from each other. Hex digits can be upper or lowercase. + +In normal operation, each line must begin with an offset describing the +position in the packet, followed a colon, space, or tab separating it from +the bytes. There is no limit on the width or number of bytes per line, but +lines with only hex bytes without a leading offset are ignored (i.e., +line breaks should not be inserted in long lines that wrap.) Offsets are more +than two digits; they are in hex by default, but can also be in octal or +decimal. Each packet must begin with offset zero, and an offset +zero indicates the beginning of a new packet. Offset values must be correct; +an unexpected value causes the current packet to be aborted and the next +packet start awaited. There is also a single packet mode with no offsets. + +Packets may be preceded by a direction indicator ('I' or 'O') and/or a +timestamp if indicated. If both are present, the direction indicator precedes +the timestamp. The format of the timestamps must be specified. If no timestamp +is parsed, in the case of the first packet the current system time is used, +while subsequent packets are written with timestamps one microsecond later than +that of the previous packet. + +Other text in the input data is ignored. Any text before the offset is +ignored, including email forwarding characters '>'. Any text on a line +after the bytes is ignored, e.g., an ASCII character dump (but see *-a* to +ensure that hex digits in the character dump are ignored). Any line where +the first non-whitespace character is a '#' will be ignored as a comment. +Any lines of text between the bytestring lines are considered preamble; +the beginning of the preamble is scanned for the direction indicator and +timestamp as mentioned above and otherwise ignored. + +Any line beginning with #TEXT2PCAP is a directive and options +can be inserted after this command to be processed by Wireshark. +Currently there are no directives implemented; in the future, these may +be used to give more fine-grained control on the dump and the way it +should be processed e.g., timestamps, encapsulation type etc. + +In general, short of these restrictions, Wireshark is pretty liberal +about reading in hexdumps and has been tested with a variety of +mangled outputs (including being forwarded through email multiple +times, with limited line wrap etc.) + +Here is a sample dump that can be imported, including optional +directional indicator and timestamp: + +---- +I 2019-05-14T19:04:57Z +000000 00 e0 1e a7 05 6f 00 10 ........ +000008 5a a0 b9 12 08 00 46 00 ........ +000010 03 68 00 00 00 00 0a 2e ........ +000018 ee 33 0f 19 08 7f 0f 19 ........ +000020 03 80 94 04 00 00 10 01 ........ +000028 16 a2 0a 00 03 50 00 0c ........ +000030 01 01 0f 19 03 80 11 01 ........ +---- + +==== Regular Text Dumps + +Wireshark is also capable of scanning the input using a custom Perl regular +expression as specified by GLib's https://developer-old.gnome.org/glib/stable/glib-regex-syntax.html[GRegex here]. +Using a regex capturing a single packet in the given file +Wireshark will search the given file from start to the second to last character +(the last character has to be `\n` and is ignored) +for non-overlapping (and non-empty) strings matching the given regex and then +identify the fields to import using named capturing subgroups. Using provided +format information for each field they are then decoded and translated into a +standard libpcap file retaining packet order. + +Note that each named capturing subgroup has to match _exactly_ once a packet, +but they may be present multiple times in the regex. + +For example, the following dump: +---- +> 0:00:00.265620 a130368b000000080060 +> 0:00:00.280836 a1216c8b00000000000089086b0b82020407 +< 0:00:00.295459 a2010800000000000000000800000000 +> 0:00:00.296982 a1303c8b00000008007088286b0bc1ffcbf0f9ff +> 0:00:00.305644 a121718b0000000000008ba86a0b8008 +< 0:00:00.319061 a2010900000000000000001000600000 +> 0:00:00.330937 a130428b00000008007589186b0bb9ffd9f0fdfa3eb4295e99f3aaffd2f005 +> 0:00:00.356037 a121788b0000000000008a18 +---- +could be imported using these settings: +---- +regex: ^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$ +timestamp: %H:%M:%S.%f +dir: in: < out: > +encoding: HEX +---- + +Caution has to be applied when discarding the anchors `^` and `$`, as the input +is searched, not parsed, meaning even most incorrect regexes will produce valid +looking results when not anchored (however, anchors are not guaranteed to prevent +this). It is generally recommended to sanity check any files created using +this conversion. + +Supported fields: + +* data: Actual captured frame data ++ +The only mandatory field. This should match the encoded binary data captured and +is used as the actual frame data to import. ++ +* time: timestamp for the packet ++ +The captured field will be parsed according to the given timestamp format into a +timestamp. ++ +If no timestamp is present an arbitrary counter will count up seconds and +nanoseconds by one each packet. + +* dir: the direction the packet was sent over the wire ++ +The captured field is expected to be one character in length, any remaining +characters are ignored (e.g., given "Input" only the 'I' is looked at). This +character is compared to lists of characters corresponding to inbound and +outbound and the packet is assigned the corresponding direction. +If neither list yields a match, the direction is set to unknown. ++ +If this field is not specified the entire file has no directional information. ++ +* seqno: an ID for this packet ++ +Each packet can be assigned an arbitrary ID that can used as field by Wireshark. +This field is assumed to be a positive integer base 10. This field can e.g. +be used to reorder out of order captures after the import. ++ +If this field is not given, no IDs will be present in the resulting file. ++ + +[#ChIOImportDialog] + + +==== The “Import From Hex Dump” Dialog Box + +This dialog box lets you select a text file, containing a hex dump of packet +data, to be imported and set import parameters. + +[#ChIOFileImportDialog] + +.The “Import from Hex Dump” dialog in Hex Dump mode +image::images/ws-file-import.png[{medium-screenshot-attrs}] + +Specific controls of this import dialog are split in three sections: + +File Source:: Determine which input file has to be imported + +Input Format:: Determine how the input file has to be interpreted. + +Encapsulation:: Determine how the data is to be encapsulated. + +==== File source + +Filename / Browse:: +Enter the name of the text file to import. You can use _Browse_ to browse for a +file. + +==== Input Format + +This section is split in the two alternatives for input conversion, accessible in +the two Tabs "Hex Dump" and "Regular Expression" + +In addition to the conversion mode specific inputs, there are also common +parameters, currently only the timestamp format. + +===== The Hex Dump tab + +Offsets:: +Select the radix of the offsets given in the text file to import. This is +usually hexadecimal, but decimal and octal are also supported. Select _None_ +when only the bytes are present. These will be imported as a single packet. + +Direction indication:: +Tick this box if the text file to import has direction indicators before each +frame. These are on a separate line before each frame and start with either +_I_ or _i_ for input and _O_ or _o_ for output. + +===== The Regular Expression tab + +.The "Regular Expression" tab inside the "Import from Hex Dump” dialog. +image::images/ws-file-import-regex.png[{medium-screenshot-attrs}] + +Packet format regular expression:: +This is the regex used for searching packets and metadata inside the input file. +Named capturing subgroups are used to find the individual fields. Anchors `^` and +`$` are set to match directly before and after newlines `\n` or `\r\n`. See +https://developer-old.gnome.org/glib/stable/glib-regex-syntax.html[GRegex] for a full +documentation. + +Data encoding:: +The Encoding used for the binary data. Supported encodings are plain-hexadecimal, +-octal, -binary and base64. Plain here means no additional +characters are present in the data field beyond whitespaces, which are ignored. +Any unexpected characters abort the import process. ++ +Ignored whitespaces are `\r`, `\n`, `\t`, `\v`, ` ` and only for hex `:`, only +for base64 `=`. ++ +Any incomplete bytes at the field's end are assumed to be padding to fill the +last complete byte. These bits should be zero, however, this is not checked. + +Direction indication:: +The lists of characters indicating incoming vs. outgoing packets. These fields +are only available when the regex contains a `(?<dir>...)` group. + +===== Common items + +Timestamp Format:: +This is the format specifier used to parse the timestamps in the text file to +import. It uses the same format as `strptime(3)` with the addition of `%f` for +zero padded fractions of seconds. The precision of `%f` is determined from its +length. The most common fields are `%H`, `%M` and `%S` for hours, minutes and +seconds. The straightforward HH:MM:SS format is covered by %T. For a full +definition of the syntax look for `strptime(3)`, ++ +In Regex mode this field is only available when a `(?<time>...)` group is present. ++ +In Hex Dump mode if there are no timestamps in the text file to import, leave this +field empty and timestamps will be generated based on the time of import. + +==== Encapsulation + +Encapsulation type:: +Here you can select which type of frames you are importing. This all depends on +from what type of medium the dump to import was taken. It lists all types that +Wireshark understands, so as to pass the capture file contents to the right +dissector. + +Dummy header:: +When Ethernet encapsulation is selected you have to option to prepend dummy +headers to the frames to import. These headers can provide artificial Ethernet, +IP, UDP, TCP or SCTP headers or SCTP data chunks. When selecting a type of +dummy header, the applicable entries are enabled, others are greyed out and +default values are used. +When the _Wireshark Upper PDU export_ encapsulation is selected the option +_ExportPDU_ becomes available. This allows you to select the name of the +dissector these frames are to be directed to. + +Maximum frame length:: +You may not be interested in the full frames from the text file, just the first +part. Here you can define how much data from the start of the frame you want to +import. If you leave this open the maximum is set to 256kiB. + +Once all input and import parameters are setup click btn:[Import] to start the +import. If your current data wasn’t saved before you will be asked to save it +first. + +If the import button doesn't unlock, make sure all encapsulation parameters are +in the expected range and all unlocked fields are populated when using regex mode +(the placeholder text is not used as default). + +When completed there will be a new capture file loaded with the frames imported +from the text file. + +[#ChIOFileSetSection] + +=== File Sets + +When using the “Multiple Files” option while doing a capture (see: +<<ChCapCaptureFiles>>), the capture data is spread over several capture files, +called a file set. + +As it can become tedious to work with a file set by hand, Wireshark provides +some features to handle these file sets in a convenient way. + +.How does Wireshark detect the files of a file set? +**** +A filename in a file set uses the format Prefix_Number_DateTimeSuffix (or, +in Wireshark 4.4.0 and later, Prefix_DateTime_NumberSuffix) which might +look something like `test_00001_20240714183910.pcap`. All files of a file +set share the same prefix (e.g., “test”) and suffix (e.g., “.pcap”) and a +varying middle part. Files are also allowed to have a second compression +suffix of types that Wireshark can open; the compression suffix does not +have to match for all files in a set. + +To find the files of a file set, Wireshark scans the directory where the +currently loaded file resides and checks for files matching the filename pattern +(prefix and suffix) of the currently loaded file. + +This simple mechanism usually works well but has its drawbacks. If several file +sets were captured with the same prefix and suffix, Wireshark will detect them +as a single file set. If files were renamed or spread over several directories +the mechanism will fail to find all files of a set. +**** + +The following features in the menu:File[File Set] submenu are available to work +with file sets in a convenient way: + +* The “List Files” dialog box will list the files Wireshark has recognized as + being part of the current file set. + +* btn:[Next File] closes the current and opens the next file in the file + set. + +* btn:[Previous File] closes the current and opens the previous file in the + file set. + +[#ChIOFileSetListDialog] + +==== The “List Files” Dialog Box + +.The “List Files” dialog box +image::images/ws-file-set-dialog.png[{medium-screenshot-attrs}] + +Each line contains information about a file of the file set: + +Filename:: +The name of the file. If you click on the filename (or the radio +button left to it), the current file will be closed and the corresponding +capture file will be opened. + +Created:: +The creation time of the file. + +Last Modified:: +The last time the file was modified. + +Size:: +The size of the file. + +The last line will contain info about the currently used directory where all of +the files in the file set can be found. + +The content of this dialog box is updated each time a capture file is +opened/closed. + +The btn:[Close] button will, well, close the dialog box. + +[#ChIOExportSection] + +// - Add {missing} for other exports? + +=== Exporting Data + +Wireshark provides a variety of options for exporting packet data. +This section describes general ways to export data from the main Wireshark application. +There are many other ways to export or extract data from capture files, including processing <<AppToolstshark,tshark>> output and customizing Wireshark and TShark using Lua scripts. + +[#ChIOExportSpecifiedPacketsDialog] + +==== The “Export Specified Packets” Dialog Box + +.The “Export Specified Packets” dialog box +image::images/ws-export-specified-packets.png[{medium-screenshot-attrs}] + +This is similar to the “<<ChIOSaveAs,Save>>” dialog box, but it lets you save specific packets. +This can be useful for trimming irrelevant or unwanted packets from a capture file. +See <<ChIOPacketRangeSection,Packet Range>> for details on the range controls. + +[#ChIOExportPacketDissectionsDialog] + +==== The “Export Packet Dissections” Dialog Box + +This lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other formats. + +.The “Export Packet Dissections” dialog box +image::images/ws-export-packet-dissections.png[{medium-screenshot-attrs}] + +The format can be selected from the “Export As” drop-down and further customized using the “<<ChIOPacketRangeSection,Packet Range>>” and “<<ChIOPacketRangeSection,Packet Format>>” controls. +Some controls are unavailable for some formats, notably CSV and JSON. +The following formats are supported: + +* Plain text as shown in the main window +* link:{wikipedia-main-url}Comma-separated_values[Comma-separated values (CSV)] +* link:{wikipedia-main-url}C_(programming_language)[C-compatible] byte arrays +* link:https://web.archive.org/web/20141115200425/http://www.nbee.org/doku.php?id=netpdl:psml_specification[PSML] (summary XML) +* link:https://web.archive.org/web/20140416072301/http://www.nbee.org/doku.php?id=netpdl:pdml_specification[PDML] (detailed XML) +* link:{wikipedia-main-url}JSON[JavaScript Object Notation (JSON)] + +Here are some examples of exported data: + +.Plain text +---- +No. Time Source Destination Protocol Length SSID Info + 1 0.000000 200.121.1.131 172.16.0.122 TCP 1454 10554 → 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU] + +Frame 1: 1454 bytes on wire (11632 bits), 1454 bytes captured (11632 bits) +Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13 +Internet Protocol Version 4, Src: 200.121.1.131 (200.121.1.131), Dst: 172.16.0.122 (172.16.0.122) + 0100 .... = Version: 4 + .... 0101 = Header Length: 20 bytes (5) + Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) + Total Length: 1440 + Identification: 0x0141 (321) + Flags: 0x0000 + ...0 0000 0000 0000 = Fragment offset: 0 + Time to live: 106 + Protocol: TCP (6) + Header checksum: 0xd390 [validation disabled] + [Header checksum status: Unverified] + Source: 200.121.1.131 (200.121.1.131) + Destination: 172.16.0.122 (172.16.0.122) + [Source GeoIP: PE, ASN 6147, Telefonica del Peru S.A.A.] +Transmission Control Protocol, Src Port: 10554, Dst Port: 80, Seq: 1, Ack: 1, Len: 1400 +---- + + +[TIP] +==== +If you would like to be able to <<ChIOImportSection,import>> any previously exported packets from a plain text file it is recommended that you do the following: + +* Add the “Absolute date and time” column. + +* Temporarily hide all other columns. + +* Disable the menu:Edit[Preferences,Protocols,Data] “Show not dissected data + on new Packet Bytes pane” preference. More details are provided in + <<ChCustPreferencesSection>> + +* Include the packet summary line. + +* Exclude column headings. + +* Exclude packet details. + +* Include the packet bytes. +==== + +.CSV +---- +"No.","Time","Source","Destination","Protocol","Length","SSID","Info","Win Size" +"1","0.000000","200.121.1.131","172.16.0.122","TCP","1454","","10554 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +"2","0.000011","172.16.0.122","200.121.1.131","TCP","54","","[TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=53200 Len=0","53200" +"3","0.025738","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=1401 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +"4","0.025749","172.16.0.122","200.121.1.131","TCP","54","","[TCP Window Update] [TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=63000 Len=0","63000" +"5","0.076967","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Previous segment not captured] [TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=4201 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +---- + +.JSON +---- +{ + "_index": "packets-2014-06-22", + "_type": "doc", + "_score": null, + "_source": { + "layers": { + "frame": { + "frame.encap_type": "1", + "frame.time": "Jun 22, 2014 13:29:41.834477000 PDT", + "frame.offset_shift": "0.000000000", + "frame.time_epoch": "1403468981.834477000", + "frame.time_delta": "0.450535000", + "frame.time_delta_displayed": "0.450535000", + "frame.time_relative": "0.450535000", + "frame.number": "2", + "frame.len": "86", + "frame.cap_len": "86", + "frame.marked": "0", + "frame.ignored": "0", + "frame.protocols": "eth:ethertype:ipv6:icmpv6", + "frame.coloring_rule.name": "ICMP", + "frame.coloring_rule.string": "icmp || icmpv6" + }, + "eth": { + "eth.dst": "33:33:ff:9e:e3:8e", + "eth.dst_tree": { + "eth.dst_resolved": "33:33:ff:9e:e3:8e", + "eth.dst.oui": "3355647", + "eth.addr": "33:33:ff:9e:e3:8e", + "eth.addr_resolved": "33:33:ff:9e:e3:8e", + "eth.addr.oui": "3355647", + "eth.dst.lg": "1", + "eth.lg": "1", + "eth.dst.ig": "1", + "eth.ig": "1" + }, + "eth.src": "00:01:5c:62:8c:46", + "eth.src_tree": { + "eth.src_resolved": "00:01:5c:62:8c:46", + "eth.src.oui": "348", + "eth.src.oui_resolved": "Cadant Inc.", + "eth.addr": "00:01:5c:62:8c:46", + "eth.addr_resolved": "00:01:5c:62:8c:46", + "eth.addr.oui": "348", + "eth.addr.oui_resolved": "Cadant Inc.", + "eth.src.lg": "0", + "eth.lg": "0", + "eth.src.ig": "0", + "eth.ig": "0" + }, + "eth.type": "0x000086dd" + }, + "ipv6": { + "ipv6.version": "6", + "ip.version": "6", + "ipv6.tclass": "0x00000000", + "ipv6.tclass_tree": { + "ipv6.tclass.dscp": "0", + "ipv6.tclass.ecn": "0" + }, + "ipv6.flow": "0x00000000", + "ipv6.plen": "32", + "ipv6.nxt": "58", + "ipv6.hlim": "255", + "ipv6.src": "2001:558:4080:16::1", + "ipv6.addr": "2001:558:4080:16::1", + "ipv6.src_host": "2001:558:4080:16::1", + "ipv6.host": "2001:558:4080:16::1", + "ipv6.dst": "ff02::1:ff9e:e38e", + "ipv6.addr": "ff02::1:ff9e:e38e", + "ipv6.dst_host": "ff02::1:ff9e:e38e", + "ipv6.host": "ff02::1:ff9e:e38e", + "ipv6.geoip.src_summary": "US, ASN 7922, Comcast Cable Communications, LLC", + "ipv6.geoip.src_summary_tree": { + "ipv6.geoip.src_country": "United States", + "ipv6.geoip.country": "United States", + "ipv6.geoip.src_country_iso": "US", + "ipv6.geoip.country_iso": "US", + "ipv6.geoip.src_asnum": "7922", + "ipv6.geoip.asnum": "7922", + "ipv6.geoip.src_org": "Comcast Cable Communications, LLC", + "ipv6.geoip.org": "Comcast Cable Communications, LLC", + "ipv6.geoip.src_lat": "37.751", + "ipv6.geoip.lat": "37.751", + "ipv6.geoip.src_lon": "-97.822", + "ipv6.geoip.lon": "-97.822" + } + }, + "icmpv6": { + "icmpv6.type": "135", + "icmpv6.code": "0", + "icmpv6.checksum": "0x00005b84", + "icmpv6.checksum.status": "1", + "icmpv6.reserved": "00:00:00:00", + "icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e", + "icmpv6.opt": { + "icmpv6.opt.type": "1", + "icmpv6.opt.length": "1", + "icmpv6.opt.linkaddr": "00:01:5c:62:8c:46", + "icmpv6.opt.src_linkaddr": "00:01:5c:62:8c:46" + } + } + } + } + } +] +---- + +[#ChIOExportSelectedDialog] + +==== The “Export Selected Packet Bytes” Dialog Box + +Export the bytes selected in the “Packet Bytes” pane into a raw binary file. + +.The “Export Selected Packet Bytes” dialog box +image::images/ws-export-selected.png[{medium-screenshot-attrs}] + +File name:: +The file name to export the packet data to. + +Save as type:: +The file extension. + +[#ChIOExportPDUSDialog] + +==== The “Export PDUs to File...” Dialog Box + +The “Export PDUs to File...” dialog box allows you to filter the captured Protocol Data Units (PDUs) and export them into the file. It allows you to export reassembled PDUs avoiding lower layers such as HTTP without TCP, and decrypted PDUs without the lower protocols such as HTTP without TLS and TCP. + +. In the main menu select menu:File[Export PDUs to File...]. Wireshark will open a corresponding dialog <<ExportPDUsToFile>>. ++ +[#ExportPDUsToFile] ++ +.Export PDUs to File window +image::images/ws-export-pdus-to-file.png[{screenshot-attrs}] + +. To select the data according to your needs, optionally type a filter value into the `Display Filter` field. For more information about filter syntax, see the link:https://www.wireshark.org/docs/man-pages/wireshark-filter.html[Wireshark Filters] man page. + +. In the field below the `Display Filter` field you can choose the level from which you want to export the PDUs to the file. There are seven levels: ++ +.. `DLT User`. You can export a protocol, which is framed in the user data link type table without the need to reconfigure the DLT user table. For more information, see the link:https://gitlab.com/wireshark/wireshark/-/wikis/HowToDissectAnything[How to Dissect Anything] page. ++ +.. `DVB-CI`. You can use it for the Digital Video Broadcasting (DVB) protocol. ++ +.. `Logcat` and `Logcat Text`. You can use them for the Android logs. ++ +.. `OSI layer 3`. You can use it to export PDUs encapsulated in the IPSec or SCTP protocols. ++ +.. `OSI layer 4`. You can use it to export PDUs encapsulated in the TCP or UDP protocols. ++ +.. `OSI layer 7`. You can use it to export the following protocols: CredSSP over TLS, Diameter, protocols encapsulated in TLS and DTLS, H.248, Megaco, RELOAD framing, SIP, SMPP. ++ +NOTE: As a developer you can add any dissector to the existing list or define a new entry in the list by using the functions in `epan/exported_pdu.h`. + +. To finish exporting PDUs to file, click the btn:[OK] button in the bottom-right corner. This will close the originally captured file and open the exported results instead as a temporary file in the main Wireshark window. + +. You may save the temporary file just like any captured file. See <<ChIOSaveSection>> for details. ++ +NOTE: The file produced has a `Wireshark Upper PDU` encapsulation type that has somewhat limited support outside of Wireshark, but is very flexible and can contain PDUs for any protocol for which there is a Wireshark dissector. + +[#ChIOStripHeadersDialog] + +==== The “Strip Headers...” Dialog Box + +The “Strip Headers...” dialog box allows you to filter known encapsulation types on whatever protocol layer they appear and export them into a new capture file, removing lower-level protocols. It allows you to export reassembled packets and frames without lower layers such as GPF, GRE, GSE, GTP-U, MPLS, MPE, PPP, and more. If Wireshark has performed decryption, then you can export decrypted IP from protocols like IEEE 802.11 or IPSec without having to save encryption keys. + +The procedure is similar to that of <<ChIOExportPDUSDialog>>: + +. In the main menu select menu:File[Strip Headers...]. Wireshark will open a corresponding dialog. + +. To select the data according to your needs, optionally type a filter value into the `Display Filter` field. For more information about filter syntax, see the link:https://www.wireshark.org/docs/man-pages/wireshark-filter.html[Wireshark Filters] man page. + +. In the field below the `Display Filter` field you can choose the encapsulation type you want to find and export to the file. There are two encapsulations supported: ++ +.. `Ethernet`. You can use it to export Ethernet encapsulated in other protocols. ++ +.. `IP`. You can use it to export IPv4 and IPv6 encapsulated in other protocols. ++ +NOTE: As a developer you can add encapsulations to the list by using the functions in `epan/exported_pdu.h`. + +. To finish exporting to file, click the btn:[OK] button in the bottom-right corner. This will close the originally captured file and open the exported results instead as a temporary file in the main Wireshark window. + +. You may save the temporary file just like any captured file. See <<ChIOSaveSection>> for details. ++ +NOTE: The new capture files produced have standard encapsulation types and can be read in nearly any tool. + +[#ChIOExportTLSSessionKeys] + +==== The “Export TLS Session Keys...” Dialog Box + +Transport Layer Security (TLS) encrypts the communication between a client and a server. The most common use for it is web browsing via HTTPS. + +Decryption of TLS traffic requires TLS secrets. You can get them in the form of stored session keys in a "key log file", or by using an RSA private key file. For more details, see the link:{wireshark-wiki-url}TLS[TLS wiki page]. + +The menu:File[Export TLS Session Keys…] menu option generates a new "key log file" which contains TLS session secrets known by Wireshark. This feature is useful if you typically decrypt TLS sessions using the RSA private key file. The RSA private key is very sensitive because it can be used to decrypt other TLS sessions and impersonate the server. Session keys can be used only to decrypt sessions from the packet capture file. However, session keys are the preferred mechanism for sharing data over the Internet. + +To export captured TLS session keys, follow the steps below: + +. In the main menu select menu:File[Export TLS Session Keys...]. Wireshark will open a corresponding dialog <<TlsSessionKeys>>. ++ +[#TlsSessionKeys] ++ +.Export TLS Session Keys window +image::images/ws-tls-session-keys.png[{screenshot-attrs}] + +. Type the desired file name in the `Save As` field. + +. Choose the destination folder for your file in the `Where` field. + +. Press the btn:[Save] button to complete the export file procedure. + +[#ChIOExportObjectsDialog] + +==== The “Export Objects” Dialog Box + +This feature scans through the selected protocol's streams in the currently +open capture file or running capture and allows the user to export reassembled +objects to the disk. For example, if you select HTTP, you can export HTML +documents, images, executables, and any other files transferred over HTTP +to the disk. If you have a capture running, this list is automatically +updated every few seconds with any new objects seen. The saved objects can then +be opened or examined independently of Wireshark. + +.The “Export Objects” dialog box +image::images/ws-export-objects.png[{screenshot-attrs}] + +Columns: + +Packet:: +The packet number in which this object was found. In some +cases, there can be multiple objects in the same packet. + +Hostname:: +The hostname of the server that sent this object. + +Content Type:: +The content type of this object. + +Size:: +The size of this object in bytes. + +Filename: +The filename for this object. Each protocol generates +the filename differently. For example, HTTP uses the +final part of the URI and IMF uses the subject of the email. + +Inputs: + +Text Filter:: +Only displays objects containing the specified text string. + +Help:: +Opens this section of the “User’s Guide”. + +Save All:: +Saves all objects (including those not displayed) using the filename from the +filename column. You will be asked what directory or folder to save them in. + +Close:: +Closes the dialog without exporting. + +Save:: +Saves the currently selected object as a filename you specify. The +default filename to save as is taken from the filename column of the objects +list. + +[#ChIOPrintSection] + +=== Printing Packets + +To print packets, select the menu:File[Print...] menu item. +Wireshark will display the “Print” dialog box as shown below. + +[WARNING] +.It’s easy to waste paper doing this +==== +Printed output can contain lots of text, particularly if you print packet details and bytes. +==== + +==== The “Print” Dialog Box + +[#ChIOPrintDialogBox] + +.The “Print” dialog box +image::images/ws-print.png[{medium-screenshot-attrs}] + +The “Print” dialog box shows a preview area which shows the result of changing the packet format settings. +You can zoom in and out using the kbd:[{plus}] and kbd:[-] keys and reset the zoom level using the kbd:[0] key. +The following settings are available in the Print dialog box: + +Packet Format:: +Lets you specify what gets printed. See <<ChIOPacketFormatFrame>> for details. + +Summary line::: +Include a summary line for each packet. +The line will contain the same fields as the packet list. + +Details::: +Print details for each packet. + +Bytes::: +Print a hex dump of each packet. + +Packet Range:: +Select the packets to be printed. See <<ChIOPacketRangeSection>> for details. + +btn:[Page Setup...] lets you select the page size and orientation. + +btn:[Print...] prints to your default printer. + +btn:[Cancel] will close the dialog without printing. + +btn:[Help] will display this section of the “User’s Guide”. + +[#ChIOPacketRangeSection] + +=== The “Packet Range” Frame + +The packet range frame is a part of the “<<ChIOExportSpecifiedPacketsDialog,Export Specified Packets>>,” “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>,” and “<<ChIOPrintSection,Print>>” dialog boxes. +You can use it to specify which packets will be exported or printed. + +[#ChIOPacketRangeFrame] + +.The “Packet Range” frame +image::images/ws-packet-range.png[{medium-screenshot-attrs}] + +By default, the btn:[Displayed] button is set, which only exports or prints the packets that match the current display filter. +Selecting btn:[Captured] will export or print all packets. +You can further limit what you export or print to the following: + +All packets:: +All captured or displayed packets depending on the primary selection above. + +Selected packet:: +Only the selected packet. + +Marked packets:: +Only marked packets. See <<ChWorkMarkPacketSection>>. + +First to last marked:: +Lets you mark an inclusive range of packets. + +Range:: +Lets you manually specify a range of packets, e.g., _5,10-15,20-_ will process the packet number five, the packets from packet number ten to fifteen (inclusive) and every packet from number twenty to the end of the capture. + +Remove ignored packets:: +Don't export or print ignored packets. +See <<ChWorkIgnorePacketSection>>. + +[#ChIOPacketFormatSection] + +=== The Packet Format Frame + +The packet format frame is also a part of the “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>” and “<<ChIOPrintSection,Print>>” dialog boxes. +You can use it to specify which parts of dissection are exported or printed. + +[#ChIOPacketFormatFrame] + +.The “Packet Format” frame +image::images/ws-packet-format.png[{small-screenshot-attrs}] + +Each of the settings below correspond to the packet list, packet detail, and packet bytes in the main window. + +Packet summary line:: +Export or print each summary line as shown in the “Packet List” pane. + +Packet details:: +Export or print the contents of the “Packet Details” tree. + +All collapsed::: +Export or print as if the “Packet Details” tree is in the “all collapsed” state. + +As displayed::: +Export or print as if the “Packet Details” tree is in the “as displayed” state. + +All expanded::: +Export or print as if the “Packet Details” tree is in the “all expanded” state. + +Packet Bytes:: +Export or print the contents of the “Packet Bytes” pane. + +Each packet on a new page:: +For printing and some export formats, put each packet on a separate page. +For example, when exporting to a text file this will put a form feed character between each packet. + +Capture information header:: +Add a header to each page with capture filename and the number of total packets and shown packets. + +// End of WSUG Chapter IO diff --git a/doc/wsug_src/wsug_mate.adoc b/doc/wsug_src/wsug_mate.adoc new file mode 100644 index 00000000..9df35551 --- /dev/null +++ b/doc/wsug_src/wsug_mate.adoc @@ -0,0 +1,2401 @@ +[#ChMate] + +== MATE + +[#ChMateIntroduction] + +=== Introduction + +MATE: Meta Analysis and Tracing Engine + +What is MATE? Well, to keep it very short, with MATE you can create user +configurable extension(s) of the display filter engine. + +MATE's goal is to enable users to filter frames based on information extracted +from related frames or information on how frames relate to each other. MATE +was written to help troubleshooting gateways and other systems where a "use" +involves more protocols. However, MATE can be used as well to analyze other +issues regarding an interaction between packets like response times, +incompleteness of transactions, presence/absence of certain attributes in a +group of Protocol Data Units (PDUs) and more. + +MATE is a Wireshark plugin that allows the user to specify how different +frames are related to each other. To do so, MATE extracts data from the frames' +tree and then, using that information, tries to group the frames based on how +MATE is configured. Once the PDUs are related, MATE will create a "protocol" +tree with fields the user can filter with. The fields will be almost the same +for all the related frames, so one can filter a complete session spanning +several frames containing more protocols based on an attribute appearing in +some related frame. Other than that MATE allows to filter frames based on +response times, number of PDUs in a group and a lot more. + +So far MATE has been used to: + +* Filter all packets of a call using various protocols knowing just the +calling number. (MATE's original goal) +* Filter all packets of all calls using various protocols based on the release +cause of one of its "segments". +* Extrapolate slow transactions from very "dense" captures. (finding requests +that timeout) +* Find incomplete transactions (no responses) +* Follow requests through more gateways/proxies. +* more... + +[#ChMateGettingStarted] + +=== Getting Started + +These are the steps to try out MATE: + +* Run Wireshark and check if the plugin is installed (MATE should +appear in Help->About Wireshark:Plugins) +* Get a configuration file e.g., <<File_tcp_mate,tcp.mate>> (see {wireshark-wiki-url}Mate/Examples[Mate/Examples] +for more) and place it somewhere on your harddisk. +* Go to Edit->Preferences...->Protocols->MATE and set the Configuration Filename to the file +you want to use and restart Wireshark. +* Load a corresponding capture file (e.g., +{wireshark-wiki-url}uploads/27707187aeb30df68e70c8fb9d614981/http.cap[http.cap]) and see if MATE +has added some new display filter fields, something like: `mate tcp_pdu:1->tcp_ses:1` +or, at prompt: `path_to/wireshark -o "mate.config: tcp.mate" -r http.cap`. + +If everything went well, your packet details might look something like this: + +.Packet Details - MATE TCP Session (tcp.mate) +image::images/ws-mate-tcp-output.png[] + +[#ChMateManual] + +=== MATE Overview + +==== Introduction + +MATE creates a filterable tree based on information contained in frames that +share some relationship with information obtained from other frames. The way +these relationships are made is described in a configuration file. The +configuration file tells MATE what makes a PDU and how to relate it to other +PDUs. + +MATE analyzes each frame to extract relevant information from the "protocol" +tree of that frame. The extracted information is contained in MATE PDUs; +these contain a list of relevant attributes taken from the tree. From now on, I +will use the term "PDU" to refer to the objects created by MATE containing the +relevant information extracted from the frame; I'll use "frame" to refer to the +"raw" information extracted by the various dissectors that pre-analyzed the frame. + +For every PDU, MATE checks if it belongs to an existing "Group of PDUs" (GOP). +If it does, it assigns the PDU to that GOP and moves any new relevant attributes +to the GOP's attribute list. How and when do PDUs belong to GOPs is described +in the configuration file as well. + +Every time a GOP is assigned a new PDU, MATE will check if it matches the +conditions to make it belong to a "Group of Groups" (GOG). Naturally the +conditions that make a GOP belong to a GOG are taken from the configuration +file as well. + +Once MATE is done analyzing the frame it will be able to create a "protocol" +tree for each frame based on the PDUs, the GOPs they belong to and naturally any +GOGs the former belongs to. + +How to tell MATE what to extract, how to group it and then how to relate those +groups is made using AVPs and AVPLs. + +Information in MATE is contained in Attribute Value Pairs (AVPs). AVPs are made +of two strings: the name and the value. AVPs are used in the configuration and +there they have an operator as well. There are various ways AVPs can be matched +against each other using those operators. + +AVPs are grouped into AVP Lists (AVPLs). PDUs, GOPs and GOGs have an AVPL each. +Their AVPLs will be matched in various ways against others coming from the +configuration file. + +MATE will be instructed how to extract AVPs from frames in order to create a PDU +with an AVPL. It will be instructed as well, how to match that AVPL against the +AVPLs of other similar PDUs in order to relate them. In MATE the relationship +between PDUs is a GOP, it has an AVPL as well. MATE will be configured with other +AVPLs to operate against the GOP's AVPL to relate GOPs together into GOGs. + +A good understanding on how AVPs and AVPLs work is fundamental to understand how +MATE works. + +===== About MATE + +MATE was originally written by Luis Ontanon, a Telecommunications systems +troubleshooter, as a way to save time filtering out the packets of a single call +from huge capture files using just the calling number. Later he used the time he +had saved to make it flexible enough to work with protocols other than the ones +he was directly involved with. + +[#AVP] +==== Attribute Value Pairs (AVP) + +Information used by MATE to relate different frames is contained in Attribute +Value Pairs (AVPs). AVPs are made of two strings - the name and the value. When +AVPs are used in the configuration, an operator is defined as well. There are +various ways AVPs can be matched against each other using those operators. + +---- + avp_name="avp's value" + another_name= "1234 is the value" +---- + +The name is a string used to refer to a "type" of an AVP. Two AVPs won't match +unless their names are identical. + + +The name must start with a lowercase letter (a-z) and can contain only alphanumeric characters +(a-zA-Z0-9) and the special characters "_", "-", and ".". The name ends with an operator. + +You should not use uppercase characters in names, or names that start with “.” or +“_”. Capitalized names are reserved for configuration parameters (we'll call them +keywords); nothing forbids you from using capitalized strings for other things as +well but it probably would be confusing. I'll avoid using capitalized words for +anything but the keywords in this document, the reference manual, the examples +and the base library. Names that start with a “.” would be very confusing as well +because in the old grammar, AVPL transforms use names starting with a “.” to +indicate they belong to the replacement AVPL. + +The value is a string that is either set in the configuration (for configuration +AVPs) or by Wireshark while extracting interesting fields from a frame's tree. +The values extracted from fields use the same representation as they do in filter +strings except that no quotes are used. + +*The value will be dealt with as a string even if it is a number.* If there are +any spaces in the value, the value must be between quotes "". +Values that are also keywords such as True and False should also be wrapped +in quotes ("True", "False"). + +---- + ip_addr=10.10.10.11 + tcp_port=1234 + binary_data=01:23:45:67:89:ab:cd:ef + parameter12=0x23aa + parameter_with_spaces="this value has spaces" +---- + +The way two AVPs with the same name might match is described by the operator. +Remember two AVPs won't match unless their names are identical. In MATE, match +operations are always made between the AVPs extracted from frames (called data +AVPs) and the configuration's AVPs. + +Currently defined MATE AVP match operators are: + +* <<Equal,Equal>> _=_ will match if the string given completely matches the data +AVP's value string +* <<NotEqual,Not Equal>> _!_ will match only if the given value string is not equal to +the data AVP's value string +* <<OneOf,One Of>> _{}_ will match if one of the possible strings listed is equal to +the data AVP's value string +* <<StartsWith,Starts With>> _^_ will match if the string given matches the first +characters of the data AVP's value string +* <<EndsWith,Ends With>> _$_ will match if the string given matches the last characters +of the data AVP's value string +* <<Contains,Contains>> _~_ will match if the string given matches any substring of the +data AVP's value string +* <<LowerThan,Lower Than>> _<_ will match if the data AVP's value string is semantically +lower than the string given +* <<HigherThan,Higher Than>> _>_ will match if the data AVP's value string is semantically +higher than the string given +* <<Exists,Exists>> _?_ (the ? can be omitted) will match as far as a data AVP of the +given name exists + +==== AVP lists (AVPL) + +An AVPL is a set of diverse AVPs that can be matched against other AVPLs. Every +PDU, GOP and GOG has an AVPL that contains the information regarding it. The +rules that MATE uses to group PDUs and GOPs are AVPL operations. + +*There will never be two identical AVPs in a given AVPL.* However, we can have +more than one AVP with the same name in an AVPL as long as their values are +different. + +Some AVPL examples: +---- + ( addr=10.20.30.40, addr=192.168.0.1, tcp_port=21, tcp_port=32534, user_cmd=PORT, + data_port=12344, data_addr=192.168.0.1 ) + ( addr=10.20.30.40, addr=192.168.0.1, channel_id=22:23, message_type=Setup, + calling_number=1244556673 ) + ( addr=10.20.30.40, addr=192.168.0.1, ses_id=01:23:45:67:89:ab:cd:ef ) + ( user_id=pippo, calling_number=1244556673, assigned_ip=10.23.22.123 ) +---- + +In MATE there are two types of AVPLs: + +* data AVPLs that contain information extracted from frames. +* configuration AVPLs that come from the configuration and are used to tell MATE how +to relate items based on their data AVPLs. + +Data AVPLs can be operated against configuration AVPLs in various ways: + +* <<Loose,Loose Match>>: Will match if at least one of the AVPs of each AVPL +match. If it matches it will return an AVPL containing all AVPs from the data +AVPL that did match the configuration AVPs. +* <<Every,"Every" Match>>: Will match if none of the AVPs of the configuration AVPL +fails to match a present AVP in the data AVPL, even if not all of the +configuration AVPs have a match. If it matches it will return an AVPL containing +all AVPs from the data AVPL that did match one AVP in the configuration AVPL. +* <<Strict,Strict Match>>: Will match if and only if every one of the configuration +AVPs have at least one match in the data AVPL. If it matches it will return +an AVPL containing the AVPs from the data AVPL that matched. +* There's also a <<Merge,Merge>> operation that is to be performed between AVPLs +where all the AVPs that don't exist in the data AVPL but exist in the configuration +will be added to the data AVPL. +* Other than that, there are <<Transform,Transforms>> - a combination +of a match AVPL and an AVPL to merge. + +=== MATE Frame Analysis + +MATE's analysis of a frame is performed in three phases: + +* In the first phase, MATE attempts to extract a MATE PDU from the frame's +protocol tree. MATE will create a PDU if MATE's config has a _Pdu_ declaration +whose _Proto_ is contained in the frame. + +* In the second phase, if a PDU has been extracted from the frame, MATE will try +to group it to other PDUs into a GOP (Group of PDUs) by matching the key +criteria given by a _Gop_ declaration. If there is no GOP yet with the key +criteria for the PDU, MATE will try to create a new GOP for it if it matches the +_Start_ criteria given in the _Gop_ declaration. + +* In the third phase, if there's a GOP for the PDU, MATE will try to group this +GOP with other GOPs into a GOG (Group of Groups) using the criteria given by the +_Member_ criteria of a _Gog_ declaration. + +.MATE Analysis (PDU->GOP->GOG) flowchart +image::images/ws-mate-analysis.png[] + +The extraction and matching logic comes from MATE's configuration; MATE's +configuration file is specified by the _mate.config_ preference. By default it is +an empty string which means: do not configure MATE. + +The config file tells MATE what to look for in frames; How to make PDUs out of +it; How will PDUs be related to other similar PDUs into GOPs; And how GOPs +relate into GOGs. + +The MATE configuration file is a list of declarations. There are 4 types of +declarations: _Transform_, _Pdu_, _Gop_, and _Gog_. A _Transform_ block must be +before any of the other block declarations that may use it. + +==== Create PDUs (Phase 1) + +MATE will look in the tree of every frame to see if there is useful data to +extract, and if there is, it will create one or more PDU objects containing the +useful information. + +The first part of MATE's analysis is the "PDU extraction". + +===== PDU data extraction + +MATE will make a PDU for each different proto field of _Proto_ type present in the +frame. MATE will fetch from the field's tree those fields that are defined in +the <<Pdu>> declaration whose initial offset in the frame is within the +boundaries of the current _Proto_ and those of the given _Transport_ and _Payload_ +statements. + +---- +Pdu dns_pdu Proto dns Transport ip { + Extract addr From ip.addr; + Extract dns_id From dns.id; + Extract dns_resp From dns.flags.response; +}; +---- + +.Wireshark window - fields for PDU extraction +image::images/ws-mate-dns_pane.png[] + +Once MATE has found a _Proto_ field for which to create a PDU from the frame it +will move backwards in the frame looking for the respective _Transport_ fields. +After that it will create AVPs named as each of those given in the rest of the +AVPL for every instance of the fields declared as its values. + +.Frame fields mapped to PDU attributes +image::images/ws-mate-dns_pdu.png[] + +Sometimes we need information from more than one _Transport_ protocol. In that +case MATE will check the frame looking backwards to look for the various +_Transport_ protocols in the given stack. MATE will choose only the closest +transport boundary per "protocol" in the frame. + +This way we'll have all PDUs for every _Proto_ that appears in a frame match its +relative transports. + +---- +Pdu isup_pdu Proto isup Transport mtp3/ip { + Extract addr From ip.addr; + + Extract m3pc From mtp3.dpc; + Extract m3pc From mtp3.opc; + + Extract cic From isup.cic; + Extract isup_msg From isup.message_type; +}; +---- + +.Frame containing multiple PDUs +image::images/ws-mate-isup_over_mtp3_over_ip.png[] + +This allows to assign the right _Transport_ to the PDU avoiding duplicate +transport protocol entries (in case of tunneled ip over ip for example). + +---- +Pdu ftp_pdu Proto ftp Transport tcp/ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract ftp_cmd From ftp.command; +}; +---- + +.Frame with encapsulated (tunneled) fields +image::images/ws-mate-ftp_over_gre.png[] + +Other than the mandatory _Transport_ there is also an optional _Payload_ +statement, which works pretty much as _Transport_ but refers to elements after +the _Proto_'s range. It is useful in those cases where the payload protocol +might not appear in a PDU but nevertheless the PDU belongs to the same category. + +---- +Pdu mmse_over_http_pdu Proto http Transport tcp/ip { + + Payload mmse; + + Extract addr From ip.addr; + Extract port From tcp.port; + + Extract content From http.content_type; + Extract host From http.host; + Extract http_rq From http.request; + Extract method From http.request.method; + Extract resp From http.response.code; + + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; + Extract trx From mmse.transaction_id; +}; +---- + +.Extract from Payload fields +image::images/ws-mate-mmse_over_http.png[] + +===== Conditions on which to create PDUs + +There might be cases in which we won't want MATE to create a PDU unless some of +its extracted attributes meet or do not meet some criteria. For that we use the +_Criteria_ statements of the _Pdu_ declarations. + +---- +Pdu isup_pdu Proto isup Transport mtp3/ip { + ... + + // MATE will create isup_pdu PDUs only when there is not a point code '1234' + Criteria Reject Strict (m3pc=1234); +}; + +Pdu ftp_pdu Proto ftp Transport tcp/ip { + ... + + // MATE will create ftp_pdu PDUs only when they go to port 21 of our ftp_server + Criteria Accept Strict (addr=10.10.10.10, port=21); +}; +---- + +The _Criteria_ statement is given an action (_Accept_ or _Reject_), a match type +(_Strict_, _Loose_ or _Every_) and an AVPL against which to match the currently +extracted one. + +===== Transforming the attributes of a PDU + +Once the fields have been extracted into the PDU's AVPL, MATE will apply any +declared _Transform_ to it. The way transforms are applied and how they work +is described later on. However, it's useful to know that once the AVPL for the +PDU is created, it may be transformed before being analyzed. That way we can +massage the data to simplify the analysis. + +===== MATE's PDU tree + +Every successfully created PDU will add a MATE tree to the frame dissection. If +the PDU is not related to any GOP, the tree for the PDU will contain just the +PDU's info. If it is assigned to a GOP, the tree will also contain the GOP items, +and the same applies for the GOG level. + +---- +mate dns_pdu:1 + dns_pdu: 1 + dns_pdu time: 3.750000 + dns_pdu Attributes + dns_resp: False + dns_id: 0x8cac + addr: 10.194.4.11 + addr: 10.194.24.35 +---- + +The PDU's tree contains some filterable fields + +* _mate.dns_pdu_ will contain the number of the "dns_pdu" PDU +* _mate.dns_pdu.RelativeTime_ will contain the time passed since the beginning +of the capture in seconds +* the tree will contain the various attributes of the PDU as well, these will +all be strings (to be used in filters as "10.0.0.1", not as 10.0.0.1) +** mate.dns_pdu.dns_resp +** mate.dns_pdu.dns_id +** mate.dns_pdu.addr + +==== Grouping PDUs together (GOP) (Phase 2) + +Once MATE has created the PDUs it passes to the PDU analysis phase. During the +PDU analysis phase MATE will try to group PDUs of the same type into 'Groups of +PDUs' (aka *GOP*++s++) and copy some AVPs from the PDU's AVPL to the GOP's AVPL. + +.Grouping PDUs (GOP) flowchart +image::images/ws-mate-pdu_analysis.png[] + +===== What can belong to a GOP + +Given a PDU, the first thing MATE will do is to check if there is any GOP +declaration in the configuration for the given PDU type. If so, it will use its +_Match_ AVPL to match it against the PDU's AVPL; if they don't match, the +analysis phase is done. If there is a match, the AVPL is the GOP's candidate key +which will be used to search the index of GOPs for the GOP to which to assign +the current PDU. If there is no such GOP and this PDU does not match the +_Start_ criteria of a _Gop_ declaration for the PDU type, the PDU will remain +unassigned and only the analysis phase will be done. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) {...}; +Gop dns_req On dns_pdu Match (addr, addr, dns_id) {...}; +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) {...}; +---- + +===== Start of a GOP + +If there was a match, the candidate key will be used to search the index of GOPs +to see if there is already a GOP matching the GOP's key the same way. If there +is such a match in the GOPs collection, and the PDU doesn't match the _Start_ +AVPL for its type, the PDU will be assigned to the matching GOP. If it is a +_Start_ match, MATE will check whether or not that GOP has been already +stopped. If the GOP has been stopped, a new GOP will be created and will replace +the old one in the index of GOPs. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); +}; + +Gop dns_req On dns_pdu Match (addr, addr, dns_id) { + Start (dns_resp="True"); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); +}; +---- + +If no _Start_ is given for a GOP, a PDU whose AVPL matches an existing GOP's +key will act as the start of a GOP. + +===== What goes into the GOP's AVPL + +Once we know a GOP exists and the PDU has been assigned to it, MATE will copy +into the GOP's AVPL all the attributes matching the key plus any AVPs of the +PDU's AVPL matching the _Extra_ AVPL. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); + Extra (pasv_prt, pasv_addr); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); + Extra (calling, called); +}; +---- + +===== End of a GOP + +Once the PDU has been assigned to the GOP, MATE will check whether or not the +PDU matches the _Stop_, if it happens, MATE will mark the GOP as stopped. Even +after stopped, a GOP may get assigned new PDUs matching its key, unless such +PDU matches _Start_. If it does, MATE will instead create a new GOP starting +with that PDU. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); + Stop (ftp_cmd=QUIT); // The response to the QUIT command will be assigned to the same GOP + Extra (pasv_prt, pasv_addr); +}; + +Gop dns_req On dns_pdu Match (addr, addr, dns_id) { + Start (dns_resp="False"); + Stop (dns_resp="True"); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); // IAM + Stop (isup_msg=16); // RLC + Extra (calling, called); +}; +---- + +If no _Stop_ criterium is stated for a given GOP, the GOP will be stopped as +soon as it is created. However, as with any other GOP, PDUs matching the GOP's +key will still be assigned to the GOP unless they match a _Start_ condition, +in which case a new GOP using the same key will be created. To group multiple +PDUs that match the _Start_, add a bogus _Stop_ such as +---- +Gop frame_ses On frame_pdu Match (frame_time) { + Start (frame_time); + Stop (frame_time="FOO"); +}; +---- + +===== GOP's tree + +For every frame containing a PDU that belongs to a GOP, MATE will create a tree +for that GOP. + +The example below represents the tree created by the _dns_pdu_ and _dns_req_ +examples. + +---- +... +MATE dns_pdu:6->dns_req:1 + dns_pdu: 6 + dns_pdu time: 2.103063 + dns_pdu time since beginning of Gop: 2.103063 + dns_pdu Attributes + dns_resp: True + dns_id: 0x8cac + addr: 10.194.4.11 + addr: 10.194.24.35 + dns_req: 1 + GOP Key: addr=10.194.4.11; addr=10.194.24.35; dns_id=0x8cac; + dns_req Attributes + dns_id: 0x8cac + addr: 10.194.4.11 + addr: 10.194.24.35 + dns_req Times + dns_req start time: 0.000000 + dns_req hold time: 2.103063 + dns_req duration: 2.103063 + dns_req number of PDUs: 2 + Start PDU: in frame 1 + Stop PDU: in frame 6 (2.103063 : 2.103063) + +---- + +Other than the PDU's tree, this one contains information regarding the +relationship between the PDUs that belong to the GOP. That way we have: + +* mate.dns_req which contains the id of this dns_req GOP. This will be present +in frames that belong to dns_req GOPs. +* mate.dns_req.dns_id and mate.dns_req.addr which represent the values of the +attributes copied into the GOP. +* the timers of the GOP +** mate.dns_req.StartTime time (in seconds) passed since beginning of capture +until GOP's start. +** mate.dns_req.Time time passed between the start PDU and the stop PDU assigned +to this GOP (only created if a Stop criterion has been declared for the GOP and +a matching PDU has arrived). +** mate.dns_req.Duration time passed between the start PDU and the last PDU +assigned to this GOP. +* mate.dns_req.NumOfPdus the number of PDUs that belong to this GOP +** mate.dns_req.Pdu a filterable list of frame numbers of the PDUs of this GOP + +===== GOP's timers + +Note that there are two "timers" for a GOP: + +* *Time*, which is defined only for GOPs that have been Stopped, and gives the +time passed between the _Start_ and the _Stop_ PDUs. +* *Duration*, which is defined for every GOP regardless of its state, and give +the time passed between its _Start_ PDU and the last PDU that was assigned to +that GOP. + +So: + +* we can filter for PDUs that belong to GOPs that have been Stopped with +*mate.xxx.Time* +* we can filter for PDUs that belong to unstopped GOPs with *mate.xxx && +!mate.xxx.Time* +* we can filter for PDUs that belong to stopped GOPs using *mate.xxx.Duration* +* we can filter for PDUs that belong to GOPs that have taken more (or less) time +that 0.5s to complete with *mate.xxx.Time > 0.5* (you can try these also as +color filters to find out when response times start to grow) + +==== Grouping GOPs together (GOG) (Phase 3) + +When GOPs are created, or whenever their AVPL changes, GOPs are (re)analyzed to +check if they match an existent group of groups (GOG) or can create a new one. +The GOP analysis is divided into two phases. In the first phase, the still +unassigned GOP is checked to verify whether it belongs to an already existing +GOG or may create a new one. The second phase eventually checks the GOG and +registers its keys in the index of GOGs. + +.Grouping GOPs (GOG) flowchart +image::images/ws-mate-gop_analysis.png[] + +There are several reasons for the author to believe that this feature needs to +be reimplemented, so probably there will be deep changes in the way this is done +in the near future. This section of the documentation reflects the version of +MATE as of Wireshark 0.10.9; in future releases this will change. + +===== Declaring a Group Of Groups (GOG) + +The first thing we have to do configuring a GOG is to tell MATE that it exists. + +---- +Gog http_use { + ... +}; +---- + +===== Telling MATE what could be a GOG member + +Then we have to tell MATE what to look for a match in the candidate GOPs. + +---- +Gog http_use { + Member http_ses (host); + Member dns_req (host); +}; +---- + +===== Getting interesting data into the GOG + +Most often, also other attributes than those used for matching would be +interesting. In order to copy from GOP to GOG other interesting attributes, we +might use _Extra_ like we do for GOPs. + +---- +Gog http_use { + ... + Extra (cookie); +}; +---- + +===== GOG's tree + +---- +mate http_pdu:4->http_req:2->http_use:1 + http_pdu: 4 + http_pdu time: 1.309847 + http_pdu time since beginning of Gop: 0.218930 + http_req: 2 + ... (the gop's tree for http_req: 2) .. + http_use: 1 + http_use Attributes + host: www.example.com + http_use Times + http_use start time: 0.000000 + http_use duration: 1.309847 + number of GOPs: 3 + dns_req: 1 + ... (the gop's tree for dns_req: 1) .. + http_req: 1 + ... (the gop's tree for http_req: 1) .. + http_req of current frame: 2 +---- + +We can filter on: + +* the timers of the GOG +** *mate.http_use.StartTime* time (in seconds) passed since beginning of capture until GOG's start. +** *mate.http_use.Duration* time elapsed between the first frame of a GOG and the last one assigned to it. +* the attributes passed to the GOG +** *mate.http_use.host* +* *mate.http_use.NumOfGops* the number of GOPs that belong to this GOG +* *mate.http_use.GopStart* the start frame of a GOP +* *mate.http_use.GopStop* the stop frame of a GOP + +==== Adjust data (AVPL Transforms) + +A Transform is a sequence of Match rules optionally completed with modification +of the match result by an additional AVPL. Such modification may be an Insert +(merge) or a Replace. Transforms can be used as helpers to manipulate an item's +AVPL before it is processed further. They come to be very helpful in several +cases. + +===== Syntax + +AVPL Transforms are declared in the following way: + +---- +Transform name { + Match [Strict|Every|Loose] match_avpl [Insert|Replace] modify_avpl; + ... +}; +---- + +The *name* is the handle to the AVPL transform. It is used to refer to the +transform when invoking it later. + +The _Match_ declarations instruct MATE what and how to match against the data +AVPL and how to modify the data AVPL if the match succeeds. They will be +executed in the order they appear in the config file whenever they are invoked. + +The optional match type qualifier (_Strict_, _Every_, or _Loose_) is used +to choose the <<Match,Match type>>; _Strict_ is the default value which +may be omitted. + +The optional modification mode qualifier instructs MATE how the modify AVPL +should be used: + +* the default value _Insert_ (which may be omitted) causes the _modify_avpl_ +to be *merged* to the existing data AVPL, +* _Replace_ causes all the matching AVPs from the data AVPL to be +*replaced* by the _modify_avpl_. + +The _modify_avpl_ may be an empty one; this comes useful in some cases for +both _Insert_ and _Replace_ modification modes. + +---- +Transform rm_client_from_http_resp1 { + Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted + Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests +}; + +Transform rm_client_from_http_resp2 { + Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing +}; +---- + +Examples: + +---- +Transform insert_name_and { + Match Strict (host=10.10.10.10, port=2345) Insert (name=JohnDoe); +}; +---- + +adds name=JohnDoe to the data AVPL if it contains host=10.10.10.10 *and* +port=2345 + +---- +Transform insert_name_or { + Match Loose (host=10.10.10.10, port=2345) Insert (name=JohnDoe); +}; +---- + +adds name=JohnDoe to the data AVPL if it contains host=10.10.10.10 *or* +port=2345 + +---- +Transform replace_ip_address { + Match (host=10.10.10.10) Replace (host=192.168.10.10); +}; +---- + +replaces the original host=10.10.10.10 by host=192.168.10.10 + +---- +Transform add_ip_address { + Match (host=10.10.10.10) (host=192.168.10.10); +}; +---- + +adds (inserts) host=192.168.10.10 to the AVPL, keeping the original +host=10.10.10.10 in it too + +---- + Transform replace_may_be_surprising { + Match Loose (a=aaaa, b=bbbb) Replace (c=cccc, d=dddd); + }; +---- + +gives the following results: + +* (a=aaaa, b=eeee) gets transformed to (b=eeee, c=cccc, d=dddd) because a=aaaa +did match so it got replaced while b=eeee did not match so it has been left +intact, +* (a=aaaa, b=bbbb) gets transformed to (c=cccc, d=dddd) because both a=aaaa and +b=bbbb did match. + +===== Usage + +Once declared, Transforms can be added to the declarations of PDUs, GOPs or +GOGs. This is done by adding the _Transform name_list_ statement to the +declaration: + +---- +Pdu my_proto_pdu Proto my_proto Transport ip { + Extract addr From ip.addr; + ... + Transform my_pdu_transform[, other_pdu_transform[, yet_another_pdu_transform]]; +}; +---- + +* In case of PDU, the list of transforms is applied against the PDU's AVPL +after its creation. +* In case of GOP and GOG, the list of transforms is applied against their +respective AVPLs when they are created and every time they change. + +===== Operation + +.Applying Transform flowchart +image::images/ws-mate-transform.png[] + +* A list of previously declared Transforms may be given to every Item (_Pdu_, _Gop_, +or _Gog_), using the _Transform_ statement. +* Every time the AVPL of an item changes, it will be operated against *all* the +Transforms on the list given to that item. The Transforms on the list are +applied left to right. +* Inside each of the Transforms, the item's AVPL will be operated against the +Transform's Match clauses starting from the topmost one, until all have been +tried or until one of them succeeds. + +MATE's Transforms can be used for many different things, like: + +===== Multiple Start/Stop conditions for a GOP + +Using _Transforms_ we can add more than one start or stop condition to a GOP. + +---- +Transform start_cond { + Match (attr1=aaa,attr2=bbb) (msg_type=start); + Match (attr3=www,attr2=bbb) (msg_type=start); + Match (attr5^a) (msg_type=stop); + Match (attr6$z) (msg_type=stop); +}; + +Pdu pdu ... { + ... + Transform start_cond; +} + +Gop gop ... { + Start (msg_type=start); + Stop (msg_type=stop); + ... +} +---- + +===== Marking GOPs and GOGs to filter them easily + +---- +Transform marks { + Match (addr=10.10.10.10, user=john) (john_at_host); + Match (addr=10.10.10.10, user=tom) (tom_at_host); +} + +... + +Gop my_gop ... { + ... + Transform marks; +} +---- + +After that we can use a display filter *mate.my_gop.john_at_host* or +*mate.my_gop.tom_at_host* + +===== Adding (Insert) direction knowledge to MATE + +---- +Transform direction_as_text { + Match (src=192.168.0.2, dst=192.168.0.3) Insert (direction=from_2_to_3); + Match (src=192.168.0.3, dst=192.168.0.2) Insert (direction=from_3_to_2); +}; + +Pdu my_pdu Proto my_proto Transport tcp/ip { + Extract src From ip.src; + Extract dst From ip.dst; + Extract addr From ip.addr; + Extract port From tcp.port; + Extract start From tcp.flags.syn; + Extract stop From tcp.flags.fin; + Extract stop From tcp.flags.rst; + Transform direction_as_text; +} + +Gop my_gop On my_pdu Match (addr,addr,port,port) { + ... + Extra (direction); +} +---- + +The original example (below) would delete _src_ and _dst_ then add _direction_. +---- +Transform direction_as_text { + Match (src=192.168.0.2, dst=192.168.0.3) Replace (direction=from_2_to_3); + Match (src=192.168.0.3, dst=192.168.0.2) Replace (direction=from_3_to_2); +}; +---- + +===== NAT + +NAT can create problems when tracing, but we can easily work around it by +Transforming the NATed IP address and the Ethernet address of the router into +the non-NAT address: + +---- +Transform denat { + Match (addr=192.168.0.5, ether=01:02:03:04:05:06) Replace (addr=123.45.67.89); + Match (addr=192.168.0.6, ether=01:02:03:04:05:06) Replace (addr=123.45.67.90); + Match (addr=192.168.0.7, ether=01:02:03:04:05:06) Replace (addr=123.45.67.91); +} + +Pdu my_pdu Proto my_proto transport tcp/ip/eth { + Extract ether From eth.addr; + Extract addr From ip.addr; + Extract port From tcp.port; + Transform denat; +} +---- + +[#ChMateConfigurationTutorial] + +=== MATE's configuration tutorial + +We'll show a MATE configuration that first creates GOPs for every DNS and HTTP +request, then it ties the GOPs together in a GOG based on the host. Finally, +we'll separate into different GOGs request coming from different users. + +With this MATE configuration loaded we can: + +* use *mate.http_use.Duration > 5.5* to filter frames based on the time it takes +to load a complete page from the DNS request to resolve its name until the last +image gets loaded. +* use *mate.http_use.client == "10.10.10.20" && mate.http_use.host == "www.example.com"* +to isolate DNS and HTTP packets related to a visit of a certain user. +* use *mate.http_req.Duration > 1.5* to filter all the packets of HTTP requests +that take more than 1.5 seconds to complete. + +The complete config file is available on the Wireshark Wiki: +{wireshark-wiki-url}Mate/Tutorial + +Note: This example uses _dns.qry.name_ which is defined since Wireshark +version 0.10.9. Supposing you have a MATE plugin already installed you can test +it with the current Wireshark version. + +==== A GOP for DNS requests + +First we'll tell MATE how to create a GOP for each DNS request/response. + +MATE needs to know what makes a DNS PDU. We describe it using a _Pdu_ +declaration: + +---- +Pdu dns_pdu Proto dns Transport ip { + Extract addr From ip.addr; + Extract dns_id From dns.id; + Extract dns_resp From dns.flags.response; +}; +---- + +Using _Proto dns_ we tell MATE to create PDUs every time it finds _dns_. Using +_Transport ip_ we inform MATE that some of the fields we are interested are +in the _ip_ part of the frame. Finally, we tell MATE to import _ip.addr_ as +_addr_, _dns.id_ as _dns_id_ and _dns.flags.response_ as _dns_resp_. + +Once we've told MATE how to extract _dns_pdus_ we'll tell it how to match +requests and responses and group them into a GOP. For this we'll use a _Gop_ +declaration to define the GOP, and then, _Start_ and _Stop_ statements to +tell it when the GOP starts and ends. + +---- +Gop dns_req On dns_pdu Match (addr,addr,dns_id) { + Start (dns_resp="False"); + Stop (dns_resp="True"); +}; +---- + +Using the *Gop* declaration we tell MATE that the *Name* of the GOP is _dns_req_, +that _dns_pdus_s can become members of the GOP, and what is the key used to match +the PDUs to the GOP. + +The key for this GOP is _"addr, addr, dns_id"_. That means that in order to +belong to the same GOP, _dns_pdus_ have to have both addresses and the +_request id_ identical. We then instruct MATE that a _dns_req_ starts whenever +a _dns_pdu_ matches _"dns_resp=++"++False++"++"_ and that it stops when another _dns_pdu_ +matches _"dns_resp=++"++True++"++"_. + +At this point, if we open a capture file using this configuration, we are able +to use a display filter *mate.dns_req.Time > 1* to see only the packets of +DNS requests that take more than one second to complete. + +We can use a display filter *mate.dns_req && ! mate.dns_req.Time* to find +requests for which no response was given. *mate.xxx.Time* is set only for GOPs +that have being stopped. + +==== A GOP for HTTP requests + +This other example creates a GOP for every HTTP request. + +---- +Pdu http_pdu Proto http Transport tcp/ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract http_rq From http.request.method; + Extract http_rs From http.response; + DiscardPduData true; +}; + +Gop http_req On http_pdu Match (addr, addr, port, port) { + Start (http_rq); + Stop (http_rs); +}; +---- + +So, if we open a capture using this configuration + +* filtering with *mate.http_req.Time > 1* will give all the requests where the +response header takes more than one second to come +* filtering with *mate.http_req.Duration > 1.5* will show those request that +take more than 1.5 seconds to complete. + +You have to know that *mate.xxx.Time* gives the time in seconds between the PDU +matching the GOP *Start* clause and the PDU matching the GOP *Stop* clause (yes, you can create +timers using this!). On the other hand, *mate.xxx.Duration* gives you the time +passed between the GOP *Start* and the last PDU assigned to that GOP regardless +whether it is a *Stop* or not. After the GOP *Stop*, PDUs matching the GOP's Key will +still be assigned to the same GOP as far as they don't match the GOP *Start*, in +which case a new GOP with the same key will be created. + +==== Getting DNS and HTTP together into a GOG + +We'll tie together to a single GOG all the HTTP packets belonging to requests +and responses to a certain host and the DNS request and response used to resolve +its domain name using the _Pdu_ and _Gop_ definitions of the previous examples + +To be able to group DNS and HTTP requests together, we need to import into the +PDUs and GOPs some part of information that both those protocols share. Once the +PDUs and GOPs have been defined, we can use _Extract_ (for PDUs) and +_Extract_ (for GOPs) statements to tell MATE what other protocol fields are to +be added to PDU's and GOP's AVPLs. We add the following statements to the +appropriate declarations: + +---- + Extract host From http.host; // to Pdu http_pdu as the last Extract in the list + Extra (host); // to Gop http_req after the Stop + + Extract host From dns.qry.name; // to Pdu dns_pdu as the last Extract in the list + Extra (host); // to Gop dns_req after the Stop +---- + +Here we've told MATE to import _http.host_ into _http_pdu_ and _dns.qry.name_ +into _dns_pdu_ as _host_. We also have to tell MATE to copy the _host_ +attribute from the PDUs to the GOPs - we do this using _Extra_. + +Once we have all the data we need in PDUs and GOPs, we tell MATE what makes +different GOPs belong to a certain GOG. + +---- +Gog http_use { + Member http_req (host); + Member dns_req (host); + Expiration 0.75; +}; +---- + +Using the _Gog_ declaration, we tell MATE to define a GOG type named +_http_use_ whose expiration is 0.75 seconds after all the GOPs that belong to it +had been stopped. After that time, an eventual new GOP with the same key match +will create a new GOG instead of been added to the previous GOG. + +Using the _Member_ statements, we tell MATE that *http_req*s with the same +*host* belong to the same GOG, same thing for *dns_req*s. + +So far we have instructed MATE to group every packet related to sessions towards +a certain host. At this point if we open a capture file and: + +* a display filter *mate.http_use.Duration > 5* will show only those requests +that have taken more than 5 seconds to complete starting from the DNS request +and ending with the last packet of the HTTP responses. + +* a display filter *mate.http_use.host == "www.w3c.org"* will show all the +packets (both DNS and HTTP) related to the requests directed to www.w3c.org + +==== Separating requests from multiple users + +"Houston: we've had a problem here." + +This configuration works fine if used for captures taken at the client's side +but deeper in the network we'd got a real mess. Requests from many users get +mixed together into _http_uses_. GOGs are created and stopped almost randomly +(depending on the timing in which GOPs start and stop). How do we get requests +from individual users separated from each other? + +MATE has a tool that can be used to resolve this kind of grouping issues. This +tool are the _Transforms_. Once defined, they can be applied against PDUs, +GOPs and GOGs and they might replace or insert more attributes based on what's +there. We'll use them to create an attribute named *client*, using which we'll +separate different requests. + +For DNS we need the ip.src of the request moved into the GOP only from the DNS +request. + +So we first tell MATE to import ip.src as client: + +---- + Extract client From ip.src; +---- + +Next, we tell MATE to replace ( *dns_resp="True", client* ) with just *dns_resp="True"* in +the PDU. That way, we'll keep the attribute *client* only in the DNS request +PDUs (i.e., packets coming from the client).To do so, we have to add a +_Transform_ declaration (in this case, with just one clause) before the _Pdu_ +declaration which uses it: + +---- +Transform rm_client_from_dns_resp { + Match (dns_resp="True", client) Replace (dns_resp="True"); +}; +---- + +Next, we invoke the transform by adding the following line after the _Extract_ +list of the dns_pdu PDU: + +---- + Transform rm_client_from_dns_resp; +---- + +HTTP is a little trickier. We have to remove the attribute carrying ip.src from +both the response and the "continuations" of the response, but as there is +nothing to filter on for the continuations, we have to add a fake attribute +first. And then we have to remove *client* when the fake attribute appears. +This is possible due to the fact that the _Match_ clauses in the _Transform_ +are executed one by one until one of them succeeds. First, we declare another +two _Transforms_: + +---- +Transform rm_client_from_http_resp1 { + Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted + Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests +}; + +Transform rm_client_from_http_resp2 { + Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing (will happen only in the response and eventual parts of it) +}; +---- + +Next, we add another _Extract_ statement to the _http_pdu_ declaration, and +apply both _Transforms_ declared above in a proper order: + +---- + Extract client From ip.src; + Transform rm_client_from_http_resp1, rm_client_from_http_resp2; +---- + +In MATE, all the _Transform_s listed for an item will be evaluated, while +inside a single _Transform_, the evaluation will stop at the first successful +_Match_ clause. That's why we first just match _http_rq_ to get out of the +first sequence before adding the _not_rq_ attribute. Then we apply the second +_Transform_ which removes both _not_rq_ and _client_ if both are there. Yes, +_Transform_s are cumbersome, but they are very useful. + +Once we got all what we need in the PDUs, we have to tell MATE to copy the +attribute _client_ from the PDUs to the respective GOPs, by adding client to +_Extra_ lists of both _Gop_ declarations: + +---- + Extra (host, client); +---- + +On top of that, we need to modify the old declarations of GOP key to new ones +that include both _client_ and _host_. So we change the _Gog_ *Member* +declarations the following way: + +---- + Member http_req (host, client); + Member dns_req (host, client); +---- + +Now we got it, every "usage" gets its own GOG. + +[#ChMateConfigurationExamples] + +=== MATE configuration examples + +The following is a collection of various configuration examples for MATE. Many +of them are useless because the "conversations" facility does a better job. +Anyway they are meant to help users understanding how to configure MATE. + +[#File_tcp_mate] +==== TCP session (tcp.mate) + +The following example creates a GOP out of every TCP session. + +---- +Transform add_tcp_stop { + Match (tcp_flags_reset="True") Insert (tcp_stop="True"); + Match (tcp_flags_fin="True") Insert (tcp_stop="True"); +}; + +Pdu tcp_pdu Proto tcp Transport ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_flags_reset From tcp.flags.reset; + Extract tcp_flags_fin From tcp.flags.fin; + Transform add_tcp_stop; +}; + +Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) { + Start (tcp_start="True"); + Stop (tcp_stop="True"); +}; + +Done; +---- + +This probably would do fine in 99.9% of the cases but 10.0.0.1:20->10.0.0.2:22 and 10.0.0.1:22->10.0.0.2:20 would both fall into the same gop if they happen to overlap in time. + +* filtering with *mate.tcp_ses.Time > 1* will give all the sessions that last more than one second +* filtering with *mate.tcp_ses.NumOfPdus < 5* will show all tcp sessions that have less than 5 packets. +* filtering with *mate.tcp_ses.Id == 3* will show all the packets for the third tcp session MATE has found + +==== a GOG for a complete FTP session + +This configuration allows to tie a complete passive FTP session (including the +data transfer) in a single GOG. + +---- +Pdu ftp_pdu Proto ftp Transport tcp/ip { + Extract ftp_addr From ip.addr; + Extract ftp_port From tcp.port; + Extract ftp_resp From ftp.response.code; + Extract ftp_req From ftp.request.command; + Extract server_addr From ftp.passive.ip; + Extract server_port From ftp.passive.port; + + LastPdu true; +}; + +Pdu ftp_data_pdu Proto ftp-data Transport tcp/ip{ + Extract server_addr From ip.src; + Extract server_port From tcp.srcport; + +}; + +Gop ftp_data On ftp_data_pdu Match (server_addr, server_port) { + Start (server_addr); +}; + +Gop ftp_ctl On ftp_pdu Match (ftp_addr, ftp_addr, ftp_port, ftp_port) { + Start (ftp_resp=220); + Stop (ftp_resp=221); + Extra (server_addr, server_port); +}; + +Gog ftp_ses { + Member ftp_ctl (ftp_addr, ftp_addr, ftp_port, ftp_port); + Member ftp_data (server_addr, server_port); +}; + +Done; +---- + +Note: not having anything to distinguish between ftp-data packets makes this +config to create one GOP for every ftp-data packet instead of each transfer. +Pre-started GOPs would avoid this. + +==== using RADIUS to filter SMTP traffic of a specific user + +Spying on people, in addition to being immoral, is illegal in many countries. +This is an example meant to explain how to do it not an invitation to do so. +It's up to the police to do this kind of job when there is a good reason to do +so. + +---- +Pdu radius_pdu On radius Transport udp/ip { + Extract addr From ip.addr; + Extract port From udp.port; + Extract radius_id From radius.id; + Extract radius_code From radius.code; + Extract user_ip From radius.framed_addr; + Extract username From radius.username; +} + +Gop radius_req On radius_pdu (radius_id, addr, addr, port, port) { + Start (radius_code {1|4|7} ); + Stop (radius_code {2|3|5|8|9} ); + Extra (user_ip, username); +} + +// we define the smtp traffic we want to filter +Pdu user_smtp Proto smtp Transport tcp/ip { + Extract user_ip From ip.addr; + Extract smtp_port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_stop From tcp.flags.reset; +} + +Gop user_smtp_ses On user_smtp (user_ip, user_ip, smtp_port!25) { + Start (tcp_start=1); + Stop (tcp_stop=1); +} + +// with the following group of groups we'll group together the radius and the smtp +// we set a long expiration to avoid the session expire on long pauses. +Gog user_mail { + Expiration 1800; + Member radius_req (user_ip); + Member user_smtp_ses (user_ip); + Extra (username); +} + +Done; +---- + +Filtering the capture file with *mate.user_mail.username == "theuser"* will +filter the RADIUS packets and SMTP traffic for _"theuser"_. + +==== H323 Calls + +This configuration will create a GOG out of every call. + +---- +Pdu q931 Proto q931 Transport ip { + Extract addr From ip.addr; + Extract call_ref From q931.call_ref; + Extract q931_msg From q931.message_type; + Extract calling From q931.calling_party_number.digits; + Extract called From q931.called_party_number.digits; + Extract guid From h225.guid; + Extract q931_cause From q931.cause_value; +}; + +Gop q931_leg On q931 Match (addr, addr, call_ref) { + Start (q931_msg=5); + Stop (q931_msg=90); + Extra (calling, called, guid, q931_cause); +}; + +Pdu ras Proto h225.RasMessage Transport ip { + Extract addr From ip.addr; + Extract ras_sn From h225.requestSeqNum; + Extract ras_msg From h225.RasMessage; + Extract guid From h225.guid; +}; + +Gop ras_req On ras Match (addr, addr, ras_sn) { + Start (ras_msg {0|3|6|9|12|15|18|21|26|30} ); + Stop (ras_msg {1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31}); + Extra (guid); +}; + +Gog call { + Member ras_req (guid); + Member q931_leg (guid); + Extra (called,calling,q931_cause); +}; + +Done; +---- + +with this we can: + +* filter all signalling for a specific caller: *mate.call.caller == "123456789"* +* filter all signalling for calls with a specific release cause: *mate.call.q931_cause == 31* +* filter all signalling for very short calls: *mate.q931_leg.Time < 5* + +==== MMS + +With this example, all the components of an MMS send or receive will be tied +into a single GOG. Note that this example uses the _Payload_ clause because +MMS delivery uses MMSE over either HTTP or WSP. As it is not possible to relate +the retrieve request to a response by the means of MMSE only (the request is +just an HTTP GET without any MMSE), a GOP is made of HTTP PDUs but MMSE data +need to be extracted from the bodies. + +---- +## WARNING: this example has been blindly translated from the "old" MATE syntax +## and it has been verified that Wireshark accepts it. However, it has not been +## tested against any capture file due to lack of the latter. + +Transform rm_client_from_http_resp1 { + Match (http_rq); + Match Every (addr) Insert (not_rq); +}; + +Transform rm_client_from_http_resp2 { + Match (not_rq,ue) Replace (); +}; + +Pdu mmse_over_http_pdu Proto http Transport tcp/ip { + Payload mmse; + Extract addr From ip.addr; + Extract port From tcp.port; + Extract http_rq From http.request; + Extract content From http.content_type; + Extract resp From http.response.code; + Extract method From http.request.method; + Extract host From http.host; + Extract content From http.content_type; + Extract trx From mmse.transaction_id; + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; + Transform rm_client_from_http_resp1, rm_client_from_http_resp2; +}; + +Gop mmse_over_http On mmse_over_http_pdu Match (addr, addr, port, port) { + Start (http_rq); + Stop (http_rs); + Extra (host, ue, resp, notify_status, send_status, trx); +}; + +Transform mms_start { + Match Loose() Insert (mms_start); +}; + +Pdu mmse_over_wsp_pdu Proto wsp Transport ip { + Payload mmse; + Extract trx From mmse.transaction_id; + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; + Transform mms_start; +}; + +Gop mmse_over_wsp On mmse_over_wsp_pdu Match (trx) { + Start (mms_start); + Stop (never); + Extra (ue, notify_status, send_status); +}; + +Gog mms { + Member mmse_over_http (trx); + Member mmse_over_wsp (trx); + Extra (ue, notify_status, send_status, resp, host, trx); + Expiration 60.0; +}; +---- + +[#ChMateConfigurationLibrary] + +=== MATE's configuration library + +The MATE library (will) contains GOP definitions for several protocols. Library +protocols are included in your MATE config using: +_Action=Include; +Lib=proto_name;_+. + +For Every protocol with a library entry, we'll find defined what from the PDU is +needed to create a GOP for that protocol, eventually any criteria and the very +essential GOP definition (i.e., __Gop__, _Start_ and _Stop_). + +[NOTE] +==== +It seems that this code is written in the old syntax of MATE. So far it has not +been transcribed into the new format. It may still form the basis to recreate +these in the new format. +==== + +==== General use protocols + +===== TCP + +It will create a GOP for every TCP session. If it is used it should be the last +one in the list. And every other proto on top of TCP should be declared with +_LastPdu=TRUE;_ so that a TCP PDU is not created where another pdu type exists. + +---- +Transform add_tcp_stop { + Match (tcp_flags_reset="True") Insert (tcp_stop="True"); + Match (tcp_flags_fin="True") Insert (tcp_stop="True"); +}; + +Pdu tcp_pdu Proto tcp Transport ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_flags_reset From tcp.flags.reset; + Extract tcp_flags_fin From tcp.flags.fin; + Transform add_tcp_stop; +}; + +Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) { + Start (tcp_start="True"); + Stop (tcp_stop="True"); +}; + +Done; +---- + +===== DNS + +will create a GOP containing every request and its response (eventually +retransmissions too). + +---- +Action=PduDef; Name=dns_pdu; Proto=dns; Transport=udp/ip; addr=ip.addr; port=udp.port; dns_id=dns.id; dns_rsp=dns.flags.response; + +Action=GopDef; Name=dns_req; On=dns_pdu; addr; addr; port!53; dns_id; +Action=GopStart; For=dns_req; dns_rsp=0; +Action=GopStop; For=dns_req; dns_rsp=1; +---- + +===== RADIUS + +A GOP for every transaction. + +---- +Action=PduDef; Name=radius_pdu; Proto=radius; Transport=udp/ip; addr=ip.addr; port=udp.port; radius_id=radius.id; radius_code=radius.code; + +Action=GopDef; Name=radius_req; On=radius_pdu; radius_id; addr; addr; port; port; +Action=GopStart; For=radius_req; radius_code|1|4|7; +Action=GopStop; For=radius_req; radius_code|2|3|5|8|9; +---- + +===== RTSP + +---- +Action=PduDef; Name=rtsp_pdu; Proto=rtsp; Transport=tcp/ip; addr=ip.addr; port=tcp.port; rtsp_method=rtsp.method; +Action=PduExtra; For=rtsp_pdu; rtsp_ses=rtsp.session; rtsp_url=rtsp.url; + +Action=GopDef; Name=rtsp_ses; On=rtsp_pdu; addr; addr; port; port; +Action=GopStart; For=rtsp_ses; rtsp_method=DESCRIBE; +Action=GopStop; For=rtsp_ses; rtsp_method=TEARDOWN; +Action=GopExtra; For=rtsp_ses; rtsp_ses; rtsp_url; +---- + +==== VoIP/Telephony + +Most protocol definitions here will create one GOP for every Call Leg unless +stated. + +===== ISUP + +---- +Action=PduDef; Name=isup_pdu; Proto=isup; Transport=mtp3; mtp3pc=mtp3.dpc; mtp3pc=mtp3.opc; cic=isup.cic; isup_msg=isup.message_type; + +Action=GopDef; Name=isup_leg; On=isup_pdu; ShowPduTree=TRUE; mtp3pc; mtp3pc; cic; +Action=GopStart; For=isup_leg; isup_msg=1; +Action=GopStop; For=isup_leg; isup_msg=16; +---- + +===== Q931 + +---- +Action=PduDef; Name=q931_pdu; Proto=q931; Stop=TRUE; Transport=tcp/ip; addr=ip.addr; call_ref=q931.call_ref; q931_msg=q931.message_type; + +Action=GopDef; Name=q931_leg; On=q931_pdu; addr; addr; call_ref; +Action=GopStart; For=q931_leg; q931_msg=5; +Action=GopStop; For=q931_leg; q931_msg=90; +---- + +===== H225 RAS + +---- +Action=PduDef; Name=ras_pdu; Proto=h225.RasMessage; Transport=udp/ip; addr=ip.addr; ras_sn=h225.RequestSeqNum; ras_msg=h225.RasMessage; +Action=PduExtra; For=ras_pdu; guid=h225.guid; + +Action=GopDef; Name=ras_leg; On=ras_pdu; addr; addr; ras_sn; +Action=GopStart; For=ras_leg; ras_msg|0|3|6|9|12|15|18|21|26|30; +Action=GopStop; For=ras_leg; ras_msg|1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31; +Action=GopExtra; For=ras_leg; guid; +---- + +===== SIP + +---- +Action=PduDef; Proto=sip_pdu; Transport=tcp/ip; addr=ip.addr; port=tcp.port; sip_method=sip.Method; sip_callid=sip.Call-ID; calling=sdp.owner.username; + +Action=GopDef; Name=sip_leg; On=sip_pdu; addr; addr; port; port; +Action=GopStart; For=sip; sip_method=INVITE; +Action=GopStop; For=sip; sip_method=BYE; +---- + +===== MEGACO + +Will create a GOP out of every transaction. + +To "tie" them to your call's GoG use: _Action=GogKey; Name=your_call; On=mgc_tr; +addr!mgc_addr; megaco_ctx;_ + +---- +Action=PduDef; Name=mgc_pdu; Proto=megaco; Transport=ip; addr=ip.addr; megaco_ctx=megaco.context; megaco_trx=megaco.transid; megaco_msg=megaco.transaction; term=megaco.termid; + +Action=GopDef; Name=mgc_tr; On=mgc_pdu; addr; addr; megaco_trx; +Action=GopStart; For=mgc_tr; megaco_msg|Request|Notify; +Action=GopStop; For=mgc_tr; megaco_msg=Reply; +Action=GopExtra; For=mgc_tr; term^DS1; megaco_ctx!Choose one; +---- + +[#ChMateReferenceManual] + +=== MATE's reference manual + +==== Attribute Value Pairs (AVP) + +MATE uses AVPs for almost everything: to keep the data it has extracted from the +frames' trees as well as to keep the elements of the configuration. + +These "pairs" (actually tuples) are made of a name, a value and, in case of +configuration AVPs, an operator. Names and values are strings. AVPs with +operators other than '=' are used only in the configuration and are used for +matching AVPs of PDUs, GOPs and GOGs in the analysis phase. + +===== Name + +The name is a string used to refer to a type of AVP. Two attributes won't +match unless their names are identical. Capitalized names are reserved for +keywords (you can use them for your elements if you want but I think it's not +the case). MATE attribute names can be used in Wireshark's display filters the +same way like names of protocol fields provided by dissectors, but they are not +just references to (or aliases of) protocol fields. + +===== Value + +The value is a string. It is either set in the configuration (for configuration +AVPs) or by MATE while extracting interesting fields from a dissection tree +and/or manipulating them later. The values extracted from fields use the same +representation as they do in filter strings. + +==== AVP Operators (=,!,{},^,$,~,<,>,?) + +Currently only match operators are defined (there are plans to (re)add transform +attributes but some internal issues have to be solved before that). The match +operations are always performed between two operands: the value of an AVP stated +in the configuration and the value of an AVP (or several AVPs with the same name) +extracted from packet data (called "data AVPs"). It is not possible to match +data AVPs to each other. + +The defined match operators are: + +* <<Equal,Equal>> _=_ test for equality, that is: either the value strings are identical +or the match will fail. +* <<NotEqual,Not Equal>> _!_ will match only if the value strings aren't equal. +* <<OneOf,One Of>> _{}_ will match if one of the value strings listed is equal to the +data AVP's string. Items inside the list's curly braces are +separated with the | character. +* <<StartsWith,Starts With>> _^_ will match if the configuration value string matches the +first characters of the data AVP's value string. +* <<EndsWith,Ends With>> _$_ will match if the configuration value string matches the +last characters of the data AVP's value string. +* <<Contains,Contains>> _~_ will match if the configuration value string matches a +substring of the characters of the data AVP's value string. +* <<LowerThan,Lower Than>> _<_ will match if the data AVP's value string is semantically +lower than the configuration value string. +* <<HigherThan,Higher Than>> _>_ will match if the data AVP's value string is semantically +higher than the configuration value string. +* <<Exists,Exists>> _?_ (can be omitted) will match if the AVP name matches, regardless +what the value string is. + +[#Equal] +===== Equal AVP Operator (=) + +This operator tests whether the values of the operator and the operand AVP are +equal. + +Example:: +attrib=aaa *matches* attrib=aaa + +attrib=aaa *does not match* attrib=bbb + +[#NotEqual] +===== Not equal AVP operator (!) + +This operator matches if the value strings of two AVPs are not equal. + +Example:: +attrib=aaa matches attrib!bbb + +attrib=aaa does not match attrib!aaa + +[#OneOf] +===== "One of" AVP operator ({}) + +The "one of" operator matches if the data AVP value is equal to one of the +values listed in the "one of" AVP. + +Example:: +attrib=1 matches attrib{1|2|3} + +attrib=2 matches attrib{1|2|3} + +attrib=4 does not match attrib{1|2|3} + +[#StartsWith] +===== "Starts with" AVP operator (^) + +The "starts with" operator matches if the first characters of the data AVP +value are identical to the configuration AVP value. + +Example:: +attrib=abcd matches attrib^abc + +attrib=abc matches attrib^abc + +attrib=ab does not match attrib^abc + +attrib=abcd does not match attrib^bcd + +attrib=abc does not match attrib^abcd + + +[#EndsWith] +===== "Ends with" operator ($) + +The ends with operator will match if the last bytes of the data AVP value are +equal to the configuration AVP value. + +Example:: +attrib=wxyz matches attrib$xyz + +attrib=yz does not match attrib$xyz + +attrib=abc...wxyz does not match attrib$abc + +[#Contains] +===== Contains operator (~) + +The "contains" operator will match if the data AVP value contains a string +identical to the configuration AVP value. + +Example:: +attrib=abcde matches attrib~bcd + +attrib=abcde matches attrib~abc + +attrib=abcde matches attrib~cde + +attrib=abcde does not match attrib~xyz + +[#LowerThan] +===== "Lower than" operator (<) + +The "lower than" operator will match if the data AVP value is semantically lower +than the configuration AVP value. + +Example:: +attrib=abc matches attrib<bcd + +attrib=1 matches attrib<2 + +but beware: attrib=10 does not match attrib<9 + +attrib=bcd does not match attrib<abc + +attrib=bcd does not match attrib<bcd + + +BUGS + +It should check whether the values are numbers and compare them numerically + +[#HigherThan] +===== "Higher than" operator (>) + +The "higher than" operator will match if the data AVP value is semantically +higher than the configuration AVP value. + +Examples + +attrib=bcd matches attrib>abc + +attrib=3 matches attrib>2 + +but beware: attrib=9 does not match attrib>10 + +attrib=abc does not match attrib>bcd + +attrib=abc does not match attrib>abc + + +BUGS + +It should check whether the values are numbers and compare them numerically + +[#Exists] +===== Exists operator (?) + +The exists operator will always match as far as the two operands have the same +name. + +Examples + +attrib=abc matches attrib? + +attrib=abc matches attrib (this is just an alternative notation of the previous example) + +obviously attrib=abc does not match other_attrib? + + +==== Attribute Value Pair List (AVPL) +PDUs, GOPs and GOGs use an AVPL to contain the tracing information. An AVPL is +an unsorted set of <<AVP,AVPs>> that can be matched against other AVPLs. + +[#Match] +==== Operations between AVPLs (Match) + +There are three types of match operations that can be performed between AVPLs. +The PDU's/GOP's/GOG's AVPL will be always one of the operands; the AVPL operator +(match type) and the second operand AVPL will always come from the +<<Config,configuration>>. +Note that a diverse AVP match operator may be specified for each AVP in the +configuration AVPL. + +An AVPL match operation returns a result AVPL. In <<Transform,Transform>>s, the +result AVPL may be replaced by another AVPL. The replacement means that the +existing data AVPs are dropped and the replacement AVPL from the +<<Config,configuration>> is <<Merge,Merged>> to the data AVPL of the +PDU/GOP/GOG. + +* <<Loose,Loose Match>>: Will match if at least one of the AVPs of the two +operand AVPLs match. If it matches, it returns a result AVPL containing all AVPs +from the data AVPL that did match the configuration's AVPs. +* <<Every,"Every" Match>>: Will match if none of the AVPs of the configuration +AVPL fails to match an AVP in the data AVPL, even if not all of the +configuration AVPs have a match. If it matches, it returns a result AVPL +containing all AVPs from the data AVPL that did match an AVP in the +configuration AVPL. +* <<Strict,Strict Match>>: Will match if and only if each of the AVPs in the +configuration AVPL has at least one match in the data AVPL. If it matches, it +returns a result AVPL containing those AVPs from the data AVPL that matched. + +[#Loose] +===== Loose Match + +A loose match between AVPLs succeeds if at least one of the data AVPs matches at +least one of the configuration AVPs. Its result AVPL contains all the data AVPs +that matched. + +Loose matches are used in Extra operations against the <<Pdu,PDU>>'s AVPL to +merge the result into <<Gop,GOP>>'s AVPL, and against <<Gop,GOP>>'s AVPL to +merge the result into <<Gog,GOG>>'s AVPL. They may also be used in +<<Criteria,Criteria>> and <<Transform,Transform>>s. + +[NOTE] +==== +As of current (2.0.1), Loose Match does not work as described here, see +https://gitlab.com/wireshark/wireshark/issues/12184[issue 12184]. Only use +in Transforms and Criteria is effectively affected by the bug. +==== + +Loose Match Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c=ccc) ==> (attr_a=aaa) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a=xxx; attr_c=ccc) ==> No Match! + +[#Every] +===== Every Match + +An "every" match between AVPLs succeeds if none of the configuration's AVPs that +have a counterpart in the data AVPL fails to match. Its result AVPL contains all +the data AVPs that matched. + +These may only be used in <<Criteria,Criteria>> and <<Transform,Transform>>s. + +[NOTE] +==== +As of current (2.0.1), Loose Match does not work as described here, see +https://gitlab.com/wireshark/wireshark/-/issues/12184[issue 12184]. +==== + +"Every" Match Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?, attr_d=ddd) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c=ccc) ==> No Match! + +(attr_a=aaa; attr_b=bbb; attr_c=xxx) Match Every (attr_a=xxx, attr_c=ccc) ==> No Match! + +[#Strict] +===== Strict Match + +A Strict match between AVPLs succeeds if and only if every AVP in the +configuration AVPL has at least one counterpart in the data AVPL and none of the +AVP matches fails. The result AVPL contains all the data AVPs that matched. + +These are used between GOP keys (key AVPLs) and PDU AVPLs. They may also be used +in <<Criteria,Criteria>> and <<Transform,Transform>>s. + +Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=xxx) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_c=yyy) Match Strict (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx, attr_c=yyy) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=ccc) ==> No Match! + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c?, attr_d?) ==> No Match! + +[#Merge] +==== AVPL Merge + +An AVPL may be merged into another one. That would add to the latter every AVP +from the former that does not already exist there. + +This operation is done + +* between the result of a key match and the GOP's or GOG's AVPL, +* between the result of an Extra match and the GOP's or GOG's AVPL, +* between the result of a <<Transform,Transform>> match and PDU's/GOP's AVPL. If +the operation specified by the Match clause is Replace, the result AVPL of the +match is removed from the item's AVPL before the modify_avpl is merged into it. + +Examples + +(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_c=xxx) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx) + +Can't have multiple "attr_a" with same value "aaa" + +(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_a=xxx) former becomes (attr_a=aaa, attr_a=xxx, attr_b=bbb) + +Multiple "attr_a" with different values "aaa" and "xxx" + +(attr_a=aaa, attr_b=bbb) "merge" (attr_c=xxx, attr_d=ddd) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_d=ddd) + +All AVP names are unique so resulting AVPL contains all AVPs from both AVPLs + +[#Config] +=== Configuration Reference (mate.config) +[#Pdu] +==== PDU declaration block + +The following configuration AVPLs deal with PDU creation and data extraction. + +===== _Pdu_ declaration block header + +In each frame of the capture, MATE will look for source _proto_name_'s PDUs in +the order in which the declarations appear in its configuration and will create +PDUs of every type it can from that frame, unless specifically instructed that +some PDU type is the last one to be looked for in the frame. If told so for a +given type, MATE will extract all PDUs of that type and the previously declared +types it finds in the frame but not those declared later. + +The complete declaration of a _Pdu_ looks as below; the mandatory order of the +diverse clauses is as shown. + +---- +Pdu name Proto proto_name Transport {proto1[/proto2/proto3[/...]|mate}; { + Payload proto; //optional, no default value + Extract attribute From proto.field ; //may occur multiple times, at least once + Transform transform1[, transform2[, ...]]; //optional + Criteria {Accept|Reject} {Strict|Every|Loose} match_avpl; //optional + DropUnassigned {TRUE|FALSE}; //optional, default=FALSE + DiscardPduData {TRUE|FALSE}; //optional, default=FALSE + LastPdu {TRUE|FALSE}; //optional, default=FALSE +}; +---- + +====== Pdu name + +The _name_ is a mandatory attribute of a _Pdu_ declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_ +is also used as part of the filterable fields' names related to this type of PDU +which MATE creates. + +However, several _Pdu_ declarations may share the same _name_. In such case, all +of them are created from each source PDU matching their _Proto_, _Transport_, +and _Payload_ clauses, while the bodies of their declarations may be totally +different from each other. Together with the _Accept_ (or _Reject_) clauses, +this feature is useful when it is necessary to build the PDU's AVPL from +different sets of source fields depending on contents (or mere presence) of +other source fields. + +====== Proto and Transport clauses + +Every instance of the protocol _proto_name_ PDU in a frame will generate one +PDU with the AVPs extracted from fields that are in the _proto_name_'s range +and/or the ranges of underlying protocols specified by the _Transport_ list. +It is a mandatory attribute of a _Pdu_ declaration. The _proto_name_ is the name +of the protocol as used in Wireshark display filter. + +The PDU's _Proto_, and its _Transport_ list of protocols separated by / tell +MATE which fields of a frame can get into the PDU's AVPL. In order that MATE +would extract an attribute from a frame's protocol tree, the area representing +the field in the hex display of the frame must be within the area of either the +_Proto_ or its relative _Transport_++s++. _Transport_++s++ are chosen moving backwards +from the protocol area, in the order they are given. + +_Proto http Transport tcp/ip_ does what you'd expect it to - it selects the +nearest tcp range that precedes the current http range, and the nearest ip range +that precedes that tcp range. If there is another ip range before the nearest +one (e.g., in case of IP tunneling), that one is not going to be selected. +_Transport_ tcp/ip/ip that "logically" should select the encapsulating IP header +too doesn't work so far. + +Once we've selected the _Proto_ and _Transport_ ranges, MATE will fetch those +protocol fields belonging to them whose extraction is declared using the +_Extract_ clauses for the PDU type. The _Transport_ list is also mandatory, +if you actually don't want to use any transport protocol, use _Transport mate_. +(This didn't work until 0.10.9). + +===== Payload clause + +Other than the PDU's _Proto_ and its _Transport_ protocols, there is also a +_Payload_ attribute to tell MATE from which ranges of _Proto_'s payload to +extract fields of a frame into the PDU. In order to extract an attribute from a +frame's tree the highlighted area of the field in the hex display must be within +the area of the _Proto_'s relative payload(s). _Payload_++s++ are chosen moving +forward from the protocol area, in the order they are given. +_Proto http Transport tcp/ip Payload mmse_ will select the first mmse range +after the current http range. Once we've selected the _Payload_ ranges, MATE +will fetch those protocol fields belonging to them whose extraction is declared +using the _Extract_ clauses for the PDU type. + +===== Extract clause + +Each _Extract_ clause tells MATE which protocol field value to extract as an AVP +value and what string to use as the AVP name. The protocol fields are referred +to using the names used in Wireshark display filters. If there is more than one +such protocol field in the frame, each instance that fulfills the criteria +stated above is extracted into its own AVP. The AVP names may be chosen +arbitrarily, but to be able to match values originally coming from different +PDUs (e.g., hostname from DNS query and a hostname from HTTP GET request) later +in the analysis, identical AVP names must be assigned to them and the dissectors +must provide the field values in identical format (which is not always the case). + +===== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_++s++ to +be performed on the PDU's AVPL after all protocol fields have been extracted to +it. The list is always executed completely, left to right. On the contrary, the +list of Match clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +[#Criteria] +===== Criteria clause + +This clause tells MATE whether to use the PDU for analysis. It specifies a match +AVPL, an AVPL <<Match,Match type>> (_Strict_, _Every_, or _Loose_) and the action to be +performed (_Accept_ or _Reject_) if the match succeeds. Once every attribute has +been extracted and eventual transform list has been executed, and if the +_Criteria_ clause is present, the PDU's AVPL is matched against the match AVPL; +if the match succeeds, the action specified is executed, i.e., the PDU is +accepted or rejected. The default behaviors used if the respective keywords are +omitted are _Strict_ and _Accept_. Accordingly, if the clause is omitted, all +PDUs are accepted. + +===== DropUnassigned clause + +If set to _TRUE_, MATE will destroy the PDU if it cannot assign it to a GOP. +If set to _FALSE_ (the default if not given), MATE will keep them. + +===== DiscardPduData clause + +If set to _TRUE_, MATE will delete the PDU's AVPL once it has analyzed it and +eventually extracted some AVPs from it into the GOP's AVPL. This is useful to +save memory (of which MATE uses a lot). If set to _FALSE_ (the default if not +given), MATE will keep the PDU attributes. + +===== LastPdu clause + +If set to _FALSE_ (the default if not given), MATE will continue to look for +PDUs of other types in the frame. If set to _TRUE_, it will not try to create +PDUs of other types from the current frame, yet it will continue to try for the +current type. + +[#Gop] +==== GOP declaration block + +===== _Gop_ declaration block header + +Declares a Gop type and its candidate key. + +---- +Gop name On pduname Match key { + Start match_avpl; // optional + Stop match_avpl; // optional + Extra match_avpl; // optional + Transform transform_list; // optional + Expiration time; // optional + IdleTimeout time; // optional + Lifetime time; // optional + DropUnassigned [TRUE|FALSE]; //optional + ShowTree [NoTree|PduTree|FrameTree|BasicTree]; //optional + ShowTimes [TRUE|FALSE]; //optional, default TRUE +}; +---- + +====== Gop name + +The _name_ is a mandatory attribute of a _Gop_ declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_ +is also used as part of the filterable fields' names related to this type of +GOP which MATE creates. + +====== On clause + +The _name_ of PDUs which this type of GOP is supposed to be grouping. It is +mandatory. + +====== Match clause + +Defines what AVPs form up the _key_ part of the GOP's AVPL (the GOP's _key_ AVPL +or simply the GOP's _key_). All PDUs matching the _key_ AVPL of an active GOP +are assigned to that GOP; a PDU which contains the AVPs whose attribute names +are listed in the GOP's _key_ AVPL, but they do not strictly match any active +GOP's _key_ AVPL, will create a new GOP (unless a _Start_ clause is given). +When a GOP is created, the elements of its key AVPL are copied from the creating +PDU. + +===== Start clause + +If given, it tells MATE what match_avpl must a PDU's AVPL match, in addition to +matching the GOP's _key_, in order to start a GOP. If not given, any PDU whose +AVPL matches the GOP's _key_ AVPL will act as a start for a GOP. The PDU's AVPs +matching the match_avpl are not automatically copied into the GOP's AVPL. + +===== Stop clause + +If given, it tells MATE what match_avpl must a PDU's AVPL match, in addition to +matching the GOP's _key_, in order to stop a GOP. If omitted, the GOP is +"auto-stopped" - that is, the GOP is marked as stopped as soon as it is created. +The PDU's AVPs matching the match_avpl are not automatically copied into the +GOP's AVPL. + +===== Extra clause + +If given, tells MATE which AVPs from the PDU's AVPL are to be copied into the +GOP's AVPL in addition to the GOP's key. + +===== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_++s++ to +be performed on the GOP's AVPL after the AVPs from each new PDU, specified by +the _key_ AVPL and the _Extra_ clause's match_avpl, have been merged into it. +The list is always executed completely, left to right. On the contrary, the list +of _Match_ clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +===== Expiration clause + +A (floating) number of seconds after a GOP is _Stop_ ped during which further +PDUs matching the _Stop_ ped GOP's key but not the _Start_ condition will still +be assigned to that GOP. The default value of zero has an actual meaning of +infinity, as it disables this timer, so all PDUs matching the _Stop_ ped GOP's +key will be assigned to that GOP unless they match the _Start_ condition. + +===== IdleTimeout clause + +A (floating) number of seconds elapsed from the last PDU assigned to the GOP +after which the GOP will be considered released. The default value of zero has +an actual meaning of infinity, as it disables this timer, so the GOP won't be +released even if no PDUs arrive - unless the _Lifetime_ timer expires. + +===== Lifetime clause + +A (floating) of seconds after the GOP _Start_ after which the GOP will be +considered released regardless anything else. The default value of zero has an +actual meaning of infinity. + +===== DropUnassigned clause + +Whether or not a GOP that has not being assigned to any GOG should be discarded. +If _TRUE_, the GOP is discarded right after creation. If _FALSE_, the default, +the unassigned GOP is kept. Setting it to _TRUE_ helps save memory and speed up +filtering. + +===== TreeMode clause + +Controls the display of PDUs subtree of the GOP: + +* _NoTree_: completely suppresses showing the tree +* _PduTree_: the tree is shown and shows the PDUs by PDU Id +* _FrameTree_: the tree is shown and shows the PDUs by the frame number in which +they are +* _BasicTree_: needs investigation + +===== ShowTimes clause + +Whether or not to show the times subtree of the GOP. If _TRUE_, the default, +the subtree with the timers is added to the GOP's tree. If _FALSE_, the subtree +is suppressed. + +[#Gog] +==== GOG declaration block + +===== _Gog_ declaration block header + +Declares a Gog type and its candidate key. + +---- +Gog name { + Member gopname (key); // mandatory, at least one + Extra match_avpl; // optional + Transform transform_list; // optional + Expiration time; // optional, default 2.0 + GopTree [NoTree|PduTree|FrameTree|BasicTree]; // optional + ShowTimes [TRUE|FALSE]; // optional, default TRUE +}; +---- + +====== Gog name + +The _name_ is a mandatory attribute of a _Gog_ declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of PDUs, GOPs, and GOGs. The _name_ +is also used as part of the filterable fields' names related to this type of +GOG which MATE creates. + +===== Member clause + +Defines the _key_ AVPL for the GOG individually for each GOP type _gopname_. +All _gopname_ type GOPs whose _key_ AVPL matches the corresponding _key_ AVPL +of an active GOG are assigned to that GOG; a GOP which contains the AVPs whose +attribute names are listed in the GOG's corresponding _key_ AVPL, but they do +not strictly match any active GOG's _key_ AVPL, will create a new GOG. When a +GOG is created, the elements of its _key_ AVPL are copied from the creating GOP. + +Although the _key_ AVPLs are specified separately for each of the Member +_gopname_++s++, in most cases they are identical, as the very purpose of a GOG is +to group together GOPs made of PDUs of different types. + +===== Extra clause + +If given, tells MATE which AVPs from any of the GOP's AVPL are to be copied +into the GOG's AVPL in addition to the GOG's key. + +===== Expiration clause + +A (floating) number of seconds after all the GOPs assigned to a GOG have been +released during which new GOPs matching any of the session keys should still be +assigned to the existing GOG instead of creating a new one. Its value can range +from 0.0 to infinite. Defaults to 2.0 seconds. + +===== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_++s++ to +be performed on the GOG's AVPL after the AVPs from each new GOP, specified by +the _key_ AVPL and the _Extra_ clause's match_avpl, have been merged into it. +The list is always executed completely, left to right. On the contrary, the list +of _Match_ clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +===== TreeMode clause + +Controls the display of GOPs subtree of the GOG: + +* _NoTree_: completely suppresses showing the tree +* _BasicTree_: needs investigation +* _FullTree_: needs investigation + +===== ShowTimes clause + +Whether or not to show the times subtree of the GOG. If _TRUE_, the default, +the subtree with the timers is added to the GOG's tree. If _FALSE_, the subtree +is suppressed. + +[#Transform] +==== Transform declaration block + +A Transform is a sequence of Match rules optionally followed by an instruction +how to modify the match result using an additional AVPL. Such modification may +be an Insert (merge) or a Replace. The syntax is as follows: + +---- +Transform name { + Match [Strict|Every|Loose] match_avpl [[Insert|Replace] modify_avpl] ; // may occur multiple times, at least once +}; +---- + +For examples of Transforms, check the <<ChMateManual,Manual>> page. + +TODO: migrate the examples here? + +The list of Match rules inside a Transform is processed top to bottom; +the processing ends as soon as either a Match rule succeeds or all have been +tried in vain. + +Transforms can be used as helpers to manipulate an item's AVPL before the item +is processed further. An item declaration may contain a Transform clause +indicating a list of previously declared Transforms. Regardless whether the +individual transforms succeed or fail, the list is always executed completely +and in the order given, i.e., left to right. + +In MATE configuration file, a Transform must be declared before declaring any +item which uses it. + +==== Settings configuration AVPL + +[NOTE] +==== +The *Settings* parameters have been moved to other configuration parameters +or deprecated. Leave for now until rest of document is updated for current syntax. +==== + +The *Settings* config element is used to pass to MATE various operational +parameters. the possible parameters are + +===== GogExpiration + +How long in seconds after all the GOPs assigned to a GOG have been released new +GOPs matching any of the session keys should create a new GOG instead of being +assigned to the previous one. Its value can range from 0.0 to infinite. +Defaults to 2.0 seconds. + +===== DiscardPduData + +Whether or not the AVPL of every PDU should be deleted after it was being +processed (saves memory). It can be either _TRUE_ or _FALSE_. Defaults to _TRUE_. +Setting it to _FALSE_ can save you from a headache if your config does not work. + +===== DiscardUnassignedPdu + +Whether PDUs should be deleted if they are not assigned to any GOP. It can be +either _TRUE_ or _FALSE_. Defaults to _FALSE_. Set it to _TRUE_ to save memory +if unassigned PDUs are useless. + +===== DiscardUnassignedGop + +Whether GOPs should be deleted if they are not assigned to any session. It can +be either _TRUE_ or _FALSE_. Defaults to _FALSE_. Setting it to _TRUE_ saves +memory. + +===== ShowPduTree + +===== ShowGopTimes + +==== Debugging Stuff + +The following settings are used to debug MATE and its configuration. All levels +are integers ranging from 0 (print only errors) to 9 (flood me with junk), +defaulting to 0. + +===== Debug declaration block header + +---- +Debug { + Filename "path/name"; //optional, no default value + Level [0-9]; //optional, generic debug level + Pdu Level [0-9]; //optional, specific debug level for Pdu handling + Gop Level [0-9]; //optional, specific debug level for Gop handling + Gog Level [0-9]; //optional, specific debug level for Gog handling +}; +---- + +====== Filename clause + +The {{{path/name}}} is a full path to the file to which debug output is to be +written. Non-existent file will be created, existing file will be overwritten +at each opening of a capture file. If the statement is missing, debug messages +are written to console, which means they are invisible on Windows. + +====== Level clause + +Sets the level of debugging for generic debug messages. It is an integer +ranging from 0 (print only errors) to 9 (flood me with junk). + +====== Pdu Level clause + +Sets the level of debugging for messages regarding PDU creation. It is an +integer ranging from 0 (print only errors) to 9 (flood me with junk). + +====== Gop Level clause + +Sets the level of debugging for messages regarding PDU analysis (that is how do +they fit into ?GOPs). It is an integer ranging from 0 (print only errors) to 9 +(flood me with junk). + +====== Gog Level clause + +Sets the level of debugging for messages regarding GOP analysis (that is how do +they fit into ?GOGs). It is an integer ranging from 0 (print only errors) to 9 +(flood me with junk). + +===== Settings Example +---- +Action=Settings; SessionExpiration=3.5; DiscardPduData=FALSE; +---- + +==== Action=Include + +Will include a file to the configuration. + +---- +Action=Include; {Filename=filename;|Lib=libname;} +---- + +===== Filename + +The filename of the file to include. If it does not begin with '/' it will look +for the file in the current path. + +===== Lib + +The name of the lib config to include. will look for libname.mate in +wiresharks_dir/matelib. + +===== Include Example +---- +Action=Include; Filename=rtsp.mate; +---- + +This will include the file called "rtsp.mate" into the current config. diff --git a/doc/wsug_src/wsug_messages.adoc b/doc/wsug_src/wsug_messages.adoc new file mode 100644 index 00000000..bd3291ed --- /dev/null +++ b/doc/wsug_src/wsug_messages.adoc @@ -0,0 +1,81 @@ +// WSUG Appendix Messages + +[#AppMessages] + +[appendix] +== Wireshark Messages + +Wireshark provides you with additional information generated out of the plain +packet data or it may need to indicate dissection problems. Messages generated +by Wireshark are usually placed in square brackets (“[]”). + +[#AppMessagesList] + +=== Packet List Messages + +These messages might appear in the packet list. + +==== [Malformed Packet] + +Malformed packet means that the protocol dissector can’t dissect the contents of +the packet any further. There can be various reasons: + +* __Wrong dissector__: Wireshark erroneously has chosen the wrong protocol + dissector for this packet. This will happen e.g., if you are using a protocol + not on its well known TCP or UDP port. You may try Analyze|Decode As to + circumvent this problem. + +* __Packet not reassembled__: The packet is longer than a single frame and it is + not reassembled, see <<ChAdvReassemblySection>> for further details. + +* __Packet is malformed__: The packet is actually wrong (malformed), meaning + that a part of the packet is just not as expected (not following the protocol + specifications). + +* __Dissector is buggy__: The corresponding protocol dissector is simply buggy + or still incomplete. + +Any of the above is possible. You’ll have to look into the specific situation to +determine the reason. You could disable the dissector by disabling the protocol +on the Analyze menu and check how Wireshark displays the packet then. You could +(if it’s TCP) enable reassembly for TCP and the specific dissector (if possible) +in the Edit|Preferences menu. You could check the packet contents yourself by +reading the packet bytes and comparing it to the protocol specification. This +could reveal a dissector bug. Or you could find out that the packet is indeed +wrong. + +==== [Packet size limited during capture] + +The packet size was limited during capture, see “Limit each packet to n bytes” +at the <<ChCapCaptureOptions>>. While dissecting, the current protocol dissector +was simply running out of packet bytes and had to give up. There’s nothing else +you can do now, except to repeat the whole capture process again with a higher +(or no) packet size limitation. + +[#AppMessagesDetails] + +=== Packet Details Messages + +These messages might appear in the packet details. + +==== [Response in frame: 123] + +The current packet is the request of a detected request/response pair. You can +directly jump to the corresponding response packet by double clicking on +the message. + +==== [Request in frame: 123] + +Same as “Response in frame: 123” above, but the other way round. + +==== [Time from request: 0.123 seconds] + +The time between the request and the response packets. + +==== [Stream setup by PROTOCOL (frame 123)] + +The session control protocol (SDP, H225, etc.) message which signaled the +creation of this session. You can directly jump to the corresponding packet +by double clicking on this message. + +// End of WSUG Appendix Messages diff --git a/doc/wsug_src/wsug_preface.adoc b/doc/wsug_src/wsug_preface.adoc new file mode 100644 index 00000000..c343a805 --- /dev/null +++ b/doc/wsug_src/wsug_preface.adoc @@ -0,0 +1,91 @@ +[#Preface] +["preface",id="Preface"] +== Preface + +[#PreForeword] + +=== Foreword + +Wireshark is the world’s foremost network protocol analyzer, +but the rich feature set can be daunting for the unfamiliar. +This document is part of an effort by the Wireshark team to improve +Wireshark's usability. +We hope that you find it useful and look forward to your comments. + +[#PreAudience] + +=== Who should read this document? + +The intended audience of this book is anyone using Wireshark. + +This book explains all of the basic and some advanced features +of Wireshark. As Wireshark has become a very complex program, +not every feature may be explained in this book. + +This book is not intended to explain network sniffing in general and it +will not provide details about specific network protocols. A lot of +useful information regarding these topics can be found at the Wireshark +Wiki at link:{wireshark-wiki-url}[]. + +By reading this book, you will learn how to install Wireshark, how to use the +basic elements of the graphical user interface (such as the menu) and what’s +behind some of the advanced features that are not always obvious at first sight. +It will hopefully guide you around some common problems that frequently appear +for new (and sometimes even advanced) Wireshark users. + +[#PreAck] + +=== Acknowledgements + +The authors would like to thank the whole Wireshark team for their assistance. +In particular, the authors would like to thank: + +* Gerald Combs, for initiating the Wireshark project and funding to do this + documentation. + +* Guy Harris, for many helpful hints and a great deal of patience in reviewing + this document. + +* Gilbert Ramirez, for general encouragement and helpful hints along the way. + +The authors would also like to thank the following people for their helpful +feedback on this document: + +* Pat Eyler, for his suggestions on improving the example on generating a backtrace. + +* Martin Regner, for his various suggestions and corrections. + +* Graeme Hewson, for many grammatical corrections. + +The authors would like to acknowledge those man page and README authors for the +Wireshark project from who sections of this document borrow heavily: + +* Scott Renfro from whose `mergecap` man page <<AppToolsmergecap>> is derived. + +* Ashok Narayanan from whose `text2pcap` man page <<AppToolstext2pcap>> is derived. + +[#PreAbout] + +=== About this document + +This book was originally developed by mailto:{wsug-author-email2}[Richard +Sharpe] with funds provided from the Wireshark Fund. It was updated by +mailto:{wsug-author-email3}[Ed Warnicke] and more recently redesigned and +updated by mailto:{wsug-author-email}[Ulf Lamping]. + +It was originally written in DocBook/XML and converted to AsciiDoc by +Gerald Combs. + +[#PreDownload] + +=== Where to get the latest copy of this document? + +The latest copy of this documentation can always be found at +{wireshark-users-guide-url}. + +[#PreFeedback] + +=== Providing feedback about this document + +Should you have any feedback about this document, please send it to the +authors through mailto:{wireshark-dev-list-email}[]. diff --git a/doc/wsug_src/wsug_protocols.adoc b/doc/wsug_src/wsug_protocols.adoc new file mode 100644 index 00000000..8f2b8b92 --- /dev/null +++ b/doc/wsug_src/wsug_protocols.adoc @@ -0,0 +1,15 @@ +// WSUG Appendix Protocols + +[#AppProtocols] + +[appendix] +== Protocols and Protocol Fields + +Wireshark distinguishes between protocols (e.g., tcp) and protocol fields (e.g., +tcp.port). + +A comprehensive list of all protocols and protocol fields can be found +in the “Display Filter Reference” at +{wireshark-display-filter-reference-url} + +// End of WSUG Appendix Protocols diff --git a/doc/wsug_src/wsug_statistics.adoc b/doc/wsug_src/wsug_statistics.adoc new file mode 100644 index 00000000..66e014b2 --- /dev/null +++ b/doc/wsug_src/wsug_statistics.adoc @@ -0,0 +1,948 @@ +// WSUG Chapter Statistics + +[#ChStatistics] + +== Statistics + +[#ChStatIntroduction] + +=== Introduction + +Wireshark provides a wide range of network statistics which can be accessed via +the menu:Statistics[] menu. + +These statistics range from general information about the loaded capture file +(like the number of captured packets), to statistics about specific protocols +(e.g., statistics about the number of HTTP requests and responses captured). + +.General statistics + + - *Capture File Properties* about the capture file. + + - *Protocol Hierarchy* of the captured packets. + + - *Conversations* e.g., traffic between specific IP addresses. + + - *Endpoints* e.g., traffic to and from IP addresses. + + - *I/O Graphs* visualizing the number of packets (or similar) in time. + +.Protocol specific statistics + + - *Service Response Time* between request and response of some protocols. + + - Various other protocol specific statistics. + +[NOTE] +==== +The protocol specific statistics require detailed knowledge about the specific +protocol. Unless you are familiar with that protocol, statistics about it may +be difficult to understand. +==== + +Wireshark has many other statistics windows that display detailed +information about specific protocols and might be described in a later +version of this document. + +Some of these statistics are described at +{wireshark-wiki-url}Statistics. + +[#ChStatSummary] + +=== The “Capture File Properties” Dialog + +General information about the current capture file. + +.The “Capture File Properties” dialog +image::images/ws-capture-file-properties.png[{screenshot-attrs}] + +This dialog shows the following information: + +Details:: +Notable information about the capture file. + +File::: +General information about the capture file, including its full path, size, cryptographic hashes, file format, and encapsulation. + +Time::: +The timestamps of the first and the last packet in the file along with their difference. + +Capture::: +Information about the capture environment. +This will only be shown for live captures or if this information is present in a saved capture file. +The pcapng format supports this, while pcap doesn’t. + +Interfaces::: +Information about the capture interface or interfaces. + +Statistics::: +A statistical summary of the capture file. +If a display filter is set, you will see values in the _Captured_ column, and if any packets are marked, you will see values in the _Marked_ column. +The values in the _Captured_ column will remain the same as before, while the values in the _Displayed_ column will reflect the values corresponding to the packets shown in the display. +The values in the _Marked_ column will reflect the values corresponding to the marked packages. + +Capture file comments:: +Some capture file formats (notably pcapng) allow a text comment for the entire file. +You can view and edit this comment here. + +btn:[Refresh]:: +Updates the information in the dialog. + +btn:[Save Comments]:: +Saves the contents of the “Capture file comments” text entry. + +btn:[Close]:: +Closes the dialog + +btn:[Copy To Clipboard]:: +Copies the “Details” information to the clipboard. + +btn:[Help]:: +Opens this section of the User’s Guide. + +[#ChStatResolvedAddresses] + +=== Resolved Addresses + +The Resolved Addresses window shows the list of resolved addresses and their host names. Users can choose the `Hosts` field to display IPv4 and IPv6 addresses only. In this case, the dialog displays host names for each IP address in a capture file with a known host. This host is typically taken from DNS answers in a capture file. In case of an unknown host name, users can populate it based on a reverse DNS lookup. To do so, follow these steps: + +. Enable `Resolve Network Addresses` in the menu:View[Name Resolution] menu as this option is disabled by default. + +. Select `Use an external network name resolver` in the menu:Preferences[Name Resolution] menu. This option is enabled by default. + +NOTE: The resolved addresses are not updated automatically after a user changes the settings. To display newly available names, the user has to reopen the dialog. + +The `Ports` tab shows the list of service names, ports and types. + +Wireshark reads the entries for port mappings from the `hosts` service configuration files. See <<ChAppFilesConfigurationSection>> section for more information. + +.Resolved Addresses window +image::images/ws-resolved-addr.png[{screenshot-attrs}] + +[#ChStatHierarchy] + +=== The “Protocol Hierarchy” Window + +The protocol hierarchy of the captured packets. + +.The “Protocol Hierarchy” Window +image::images/ws-stats-hierarchy.png[{screenshot-attrs}] + +This is a tree of all the protocols in the capture. Each row contains the +statistical values of one protocol. Two of the columns (_Percent Packets_ and +_Percent Bytes_) serve double duty as bar graphs. If a display filter is set it +will be shown at the bottom. + +The btn:[Copy] button will let you copy the window contents as CSV or YAML. + +.Protocol hierarchy columns + +Protocol:: +This protocol’s name. + +Percent Packets:: +The percentage of protocol packets relative to all packets in the capture. + +Packets:: +The total number of packets that contain this protocol. + +Percent Bytes:: +The percentage of protocol bytes relative to the total bytes in the capture. + +Bytes:: +The total number of bytes of this protocol. + +Bits/s:: +The bandwidth of this protocol relative to the capture time. + +End Packets:: +The absolute number of packets of this protocol where it was the highest protocol in the stack (last dissected). + +End Bytes:: +The absolute number of bytes of this protocol where it was the highest protocol in the stack (last dissected). + +End Bits/s:: +The bandwidth of this protocol relative to the capture time where was the highest protocol in the stack (last dissected). + +PDUs:: +The total number of PDUs of this protocol. + +Packets usually contain multiple protocols. As a result, more than one protocol +will be counted for each packet. Example: In the screenshot 100% of packets +are IP and 99.3% are TCP (which is together much more than 100%). + +Protocol layers can consist of packets that won’t contain any higher layer +protocol, so the sum of all higher layer packets may not sum to the protocol's +packet count. This can be caused by segments and fragments reassembled in other +frames, TCP protocol overhead, and other undissected data. Example: In the +screenshot 99.3% of the packets are TCP but the sum of the subprotocols +(TLS, HTTP, Git, etc.) is much less. + +A single packet can contain the same protocol more than once. In this case, the +entry in the `PDUs` column will be greater than that of `Packets`. Example: +In the screenshot there are many more TLS and Git PDUs than there are packets. + +[#ChStatConversations] + +=== Conversations + +A network conversation is the traffic between two specific endpoints. For +example, an IP conversation is all the traffic between two IP addresses. The +description of the known endpoint types can be found in <<ChStatEndpoints>>. + +The conversations are influenced by the _Deinterlacing conversations key_ +preference. + +[#ChStatConversationsWindow] + +==== The “Conversations” Window + +The conversations window is similar to the endpoint Window. See +<<ChStatEndpointsWindow>> for a description of their common features. Along with +addresses, packet counters, and byte counters the conversation window adds four +columns: the start time of the conversation (“Rel Start”) or (“Abs Start”), +the duration of the conversation in seconds, and the average bits (not bytes) +per second in each direction. A timeline graph is also drawn across the +“Rel Start” / “Abs Start” and “Duration” columns. + +.The “Conversations” window +image::images/ws-stats-conversations.png[{screenshot-attrs}] + +Each row in the list shows the statistical values for exactly one conversation. + +_Name resolution_ will be done if selected in the window and if it is active for +the specific protocol layer (MAC layer for the selected Ethernet endpoints +page). _Limit to display filter_ will only show conversations matching the +current display filter. _Absolute start time_ switches the start time column +between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start +times match the “Seconds Since First Captured Packet” time display format in the +packet list and absolute start times match the “Time of Day” display format. + +If a display filter had been applied before the dialog is opened, _Limit to +display filter_ will be set automatically. Additionally, after a display filter +had been applied, two columns ("Total Packets") and ("Percent Filtered") show +the number of unfiltered total packets and the percentage of packets in this filter +display. + +The btn:[Copy] button will copy the list values to the clipboard in CSV +(Comma Separated Values), YAML format or JSON format. The numbers are generally +exported without special formatting, but this can be enabled if needed. + +The btn:[Follow Stream...] button will show the stream contents as described +in <<ChAdvFollowStream>> dialog. The btn:[Graph...] button will show a graph +as described in <<ChStatIOGraphs>>. + +btn:[Conversation Types] lets you choose which traffic type tabs are shown. +See <<ChStatEndpoints>> for a list of endpoint types. The enabled types +are saved in your profile settings. + +[TIP] +==== +This window will be updated frequently so it will be useful even if you open +it before (or while) you are doing a live capture. +==== + +// Removed: +// [[ChStatConversationListWindow]] + +[#ChStatEndpoints] + +=== Endpoints + +A network endpoint is the logical endpoint of separate protocol traffic of a +specific protocol layer. The endpoint statistics of Wireshark will take the +following endpoints into account: + +[TIP] +==== +If you are looking for a feature other network tools call a _hostlist_, here is +the right place to look. The list of Ethernet or IP endpoints is usually what +you’re looking for. +==== + +.Endpoint and Conversation types + +Bluetooth:: A MAC-48 address similar to Ethernet. + +Ethernet:: Identical to the Ethernet device’s MAC-48 identifier. + +Fibre Channel:: A MAC-48 address similar to Ethernet. + +IEEE 802.11:: A MAC-48 address similar to Ethernet. + +FDDI:: Identical to the FDDI MAC-48 address. + +IPv4:: Identical to the 32-bit IPv4 address. + +IPv6:: Identical to the 128-bit IPv6 address. + +IPX:: A concatenation of a 32-bit network number and 48-bit node address, by +default the Ethernet interface’s MAC-48 address. + +JXTA:: A 160-bit SHA-1 URN. + +NCP:: Similar to IPX. + +RSVP:: A combination of various RSVP session attributes and IPv4 addresses. + +SCTP:: A combination of the host IP addresses (plural) and +the SCTP port used. So different SCTP ports on the same IP address are different +SCTP endpoints, but the same SCTP port on different IP addresses of the same +host are still the same endpoint. + +TCP:: A combination of the IP address and the TCP port used. +Different TCP ports on the same IP address are different TCP endpoints. + +Token Ring:: Identical to the Token Ring MAC-48 address. + +UDP:: A combination of the IP address and the UDP port used, so different UDP +ports on the same IP address are different UDP endpoints. + +USB:: Identical to the 7-bit USB address. + +[NOTE] +.Broadcast and multicast endpoints +==== +Broadcast and multicast traffic will be shown separately as additional +endpoints. Of course, as these aren’t physical endpoints the real traffic +will be received by some or all of the listed unicast endpoints. +==== + +[#ChStatEndpointsWindow] + +==== The “Endpoints” Window + +This window shows statistics about the endpoints captured. + +.The “Endpoints” window +image::images/ws-stats-endpoints.png[{screenshot-attrs}] + +For each supported protocol, a tab is shown in this window. Each tab label shows +the number of endpoints captured (e.g., the tab label “Ethernet · 4” tells +you that four ethernet endpoints have been captured). If no endpoints of a +specific protocol were captured, the tab label will be greyed out (although the +related page can still be selected). + +Each row in the list shows the statistical values for exactly one endpoint. + +_Name resolution_ will be done if selected in the window and if it is +active for the specific protocol layer (MAC layer for the selected +Ethernet endpoints page). _Limit to display filter_ will only show +conversations matching the current display filter. Note that in this +example we have MaxMind DB configured which gives us extra geographic +columns. See <<ChMaxMindDbPaths>> for more information. + +If a display filter had been applied before the dialog is opened, _Limit to +display filter_ will be set automatically. Additionally, after a display filter +had been applied, two columns ("Total Packets") and ("Percent Filtered") show +the number of unfiltered total packets and the percentage of packets in this filter +display. + +The btn:[Copy] button will copy the list values to the clipboard in CSV +(Comma Separated Values), YAML format or JSON format. The numbers are generally +exported without special formatting, but this can be enabled if needed. +The btn:[Map] button will show the endpoints mapped in your web browser. + +btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See +<<ChStatEndpoints>> above for a list of endpoint types. The enabled +types are saved in your profile settings. + +[TIP] +==== +This window will be updated frequently, so it will be useful even if you open +it before (or while) you are doing a live capture. +==== + +// Removed: +// [[ChStatEndpointListWindow]] + + +[#ChStatPacketLengths] + +=== Packet Lengths + +Shows the distribution of packet lengths and related information. + +.The “Packet Lengths” window +image::images/ws-stats-packet-lengths.png[{medium-screenshot-attrs}] + +Information is broken down by packet length ranges as shown above. + +Packet Lengths:: +The range of packet lengths. ++ +Ranges can be configured in the “Statistics -> Stats Tree” section of the <<ChCustPreferencesSection,Preferences Dialog>>. + +Count:: +The number of packets that fall into this range. + +Average:: +The arithmetic mean of the packet lengths in this range. + +Min Val, Max Val:: +The minimum and maximum lengths in this range. + +Rate (ms):: +The average packets per millisecond for the packets in this range. + +Percent:: +The percentage of packets in this range, by count. + +Burst Rate:: +Packet bursts are detected by counting the number of packets in a given time interval and comparing that count to the intervals across a window of time. +Statistics for the interval with the maximum number of packets are shown. +By default, bursts are detected across 5 millisecond intervals and intervals are compared across 100 millisecond windows. ++ +These calculations can be adjusted in the “Statistics” section of the <<ChCustPreferencesSection,Preferences Dialog>>. + +Burst Start:: +The start time, in seconds from the beginning of the capture, for the interval with the maximum number of packets. + +You can show statistics for a portion of the capture by entering a display filter into the _Display filter_ entry and pressing btn:[Apply]. + +btn:[Copy] copies the statistics to the clipboard. +btn:[Save as...] lets you save the data as text, CSV, YAML, or XML. + +[#ChStatIOGraphs] + +=== The “I/O Graphs” Window + +Lets you plot packet and protocol data in a variety of ways. + +.The “I/O Graphs” window +image::images/ws-stats-iographs.png[{screenshot-attrs}] + +As shown above, this window contains a chart drawing area along with a customizable list of graphs. +Graphs are saved in your current <<ChCustConfigProfilesSection,profile>>. +They are divided into time intervals, which can be set as described below. +Hovering over the graph shows the last packet in each interval except as noted below. +Clicking on the graph takes you to the associated packet in the packet list. +Individual graphs can be configured using the following options: + +Enabled:: +Draw or don’t draw this graph. + +Graph Name:: +The name of this graph. + +Display Filter:: +Limits the graph to packets that match this filter. + +Color:: +The color to use for plotting the graph’s lines, bars, or points. + +Style:: +How to visually represent the graph’s data, e.g., by drawing a line, bar, circle, plus, etc. + +Y Axis:: +The value to use for the graph’s Y axis. Can be one of: + +Packets, Bytes, or Bits::: +The total number of packets, packet bytes, or packet bits that match the graph’s display filter per interval. +<<ChStatIOGraphsMissingValues, Zero values>> are omitted in some cases. + +SUM(Y Field)::: +The sum of the values of the field specified in “Y Field” per interval. + +COUNT FRAMES(Y Field)::: +The number of frames that contain the field specified in “Y Field” per interval. +// Unlike the plain “Packets” graph, this always displays <<ChStatIOGraphsMissingValues, zero values>>. +// Above is no longer true. COUNT FRAMES is now exactly the same as Packets, except that the Y Field +// is used instead of just the filter. Everything you can graph with one you can graph with the other. + +COUNT FIELDS(Y Field)::: +The number of instances of the field specified in “Y Field” per interval. +Some fields, such as _dns.resp.name_, can show up multiple times in a packet. + +MAX(Y Field), MIN(Y Field), AVG(Y Field)::: +The maximum, minimum, and arithmetic mean values of the specified “Y Field” per interval. +For MAX and MIN values, hovering and clicking the graph will show and take you to the packet with the MAX or MIN value in the interval instead of the most recent packet. + +LOAD(Y Field)::: +The queue depth, i.e., number of concurrent requests or calls, in each interval expressed in Erlangs. +Requires “Y Field” be a relative time value, and treats it as the duration of an event which +ended in the containing packet. Useful for response time fields like `smb.time`. + +THROUGHPUT(Y Field)::: +If the “Y Field” is a payload counted in Bytes (as frame.len, ip.len, ipv6.plen..), this is the throughput expressed in bits per second. + +Y Field:: +The display filter field from which to extract values for the Y axis calculations listed above. + +SMA Period:: +Show a simple moving average of values over a specified period of intervals. + +Y Axis Factor:: +Scale the Y axis for this graph by multiplying by a constant factor, e.g. to +graph bits if the “Y Field” contains bytes, or to present multiple graphs at +a similar scale. + +The chart as a whole can be configured using the controls under the graph list: + +btn:[{plus}]:: +Add a new graph. + +btn:[-]:: +Remove the selected graph(s). + +btn:[Copy]:: +Copy the selected graph(s). + +btn:[⌃]:: Move the selected graph(s) up in the list. + +btn:[⌄]:: Move the selected graph(s) down in the list. + +btn:[Clear]:: +Remove all graphs. + +Mouse drags / zooms:: +When using the mouse inside the graph area, either drag the graph contents or select a zoom area. + +Interval:: +Set the interval period for the graph. + +Time of day:: +Switch between showing the absolute time of day or the time relative from the start of capture in the X axis. + +Log scale:: +Switch between a logarithmic or linear Y axis. + +Automatic updates:: +Redraw each graph automatically. + +Enable legend:: +Show a graph legend. + +The main dialog buttons along the bottom let you do the following: + +btn:[Help] will take you to this section of the User’s Guide. + +btn:[Reset] will autoscale the axes to full display all graphs. + +btn:[Copy] will copy values from selected graphs to the clipboard in CSV +(Comma Separated Values) format. + +btn:[Copy from] will let you copy graphs from another profile to the current dialog. + +btn:[Close] will close this dialog. + +btn:[Save As...] will save the currently displayed graph as an image or CSV data. + +[TIP] +==== +You can see a list of useful keyboard shortcuts by right-clicking on the graph. +==== + +[#ChStatIOGraphsMissingValues] + +[discrete] +==== Missing Values Are Zero + +Wireshark's I/O Graph window counts or calculates summary statistics over intervals. +If a packet or field does not occur in a given interval, the calculation might yield zero. +This is particularly likely for very small intervals. For "counting" graphs +(Packets, Bytes, Bits, COUNT FRAMES, COUNT FIELDS) zero values are omitted from scatter +plots, but shown in line graphs and bar charts. For the summary statistics SUM, MAX, and AVG, +values are always omitted if the Y field was not present in the interval. +For LOAD graphs, values are omitted if no field's time indicated that an event was +was present in the interval. +(Note for LOAD graphs that a response time can contribute to earlier intervals than +the one containing the packet if the duration is longer than the interval.) + +// If you need to display zero values in a scatter plot, you can do so by making the Y Axis a calculated field. +// For example, the calculated equivalent of “Packets” is a “COUNT FRAMES” Y Axis with a Y Field set to “frame”. +// XXX - No longer true as of eb4e2cca69. + +[#ChStatSRT] + +=== Service Response Time + +The service response time is the time between a request and the corresponding response. +This information is available for many protocols, including the following: + +* AFP +* CAMEL +* DCE-RPC +* Diameter +* Fibre Channel +* GTP +* GTPv2 +* H.225 RAS +* LDAP +* MEGACO +* MGCP +* NCP +* ONC-RPC +* PFCP +* RADIUS +* SCSI +* SMB +* SMB2 +* SNMP + +As an example, the SMB2 service response time is described below in more detail. +The other Service Response Time windows will show statistics specific to their respective protocols, but will offer the same menu options. + +[#ChStatSRTSMB2] + +==== The “SMB2 Service Response Time Statistics” Window + +This window shows the number of transactions for each SMB2 opcode present in the capture file along with various response time statistics. +Right-clicking on a row will let you apply or prepare filters for, search for, or colorize a specific opcode. +You can also copy all of the response time information or save it in a variety of formats. + +.The “SMB2 Service Response Time Statistics” window +image::images/ws-stats-srt-smb2.png[{screenshot-attrs}] + +You can optionally apply a display filter in order to limit the statistics to a specific set of packets. + +The main dialog buttons along the bottom let you do the following: + +The btn:[Copy] button will copy the response time information as text. + +btn:[Save As...] will save the response time information in various formats. + +btn:[Close] will close this dialog. + +[#ChStatDHCPBOOTP] + +=== DHCP (BOOTP) Statistics + +The Dynamic Host Configuration Protocol (DHCP) is an option of the Bootstrap Protocol (BOOTP). It dynamically assigns IP addresses and other parameters to a DHCP client. The DHCP (BOOTP) Statistics window displays a table over the number of occurrences of a DHCP message type. The user can filter, copy or save the data into a file. + +[#ChStatNetPerfMeter] + +=== NetPerfMeter Statistics + +The NetPerfMeter Protocol{nbsp}(NPMP) is the control and data transfer protocol of NetPerfMeter, the transport protocol performance testing tool. It transmits data streams over TCP, SCTP, UDP and DCCP with given parameters, such as frame rate, frame size, saturated flows, etc. + +With these statistics you can: + +* Observed number of messages and bytes per message type. +* The share of messages and bytes for each message type. +* See the first and last occurrence of each message type. +* See the interval between first and last occurrence of each message type (if there are at least 2 messages of the corresponding type). +* See the message and byte rate within the interval for each message type (if there are at least 2 messages of the corresponding type). + +See link:https://www.uni-due.de/~be0001/netperfmeter/[NetPerfMeter – A TCP/MPTCP/UDP/SCTP/DCCP Network Performance Meter Tool] and Section{nbsp}6.3 of +link:https://duepublico2.uni-due.de/servlets/MCRFileNodeServlet/duepublico_derivate_00029737/Dre2012_final.pdf[Evaluation and Optimisation of Multi-Path Transport using the Stream Control Transmission Protocol] for more details about NetPerfMeter and the NetPerfMeter Protocol. + +.NetPerfMeter Statistics window +image::images/ws-netperfmeter-statistics.png[{screenshot-attrs}] + +[#ChStatONCRPC] + +=== ONC-RPC Programs + +Open Network Computing (ONC) Remote Procedure Call (RPC) uses TCP or UDP protocols to map a program number to a specific port on a remote machine and call a required service at that port. The ONC-RPC Programs window shows the description for captured program calls, such as program name, its number, version, and other data. +[#ChStat29West] + +=== 29West + +The 29West technology now refers to Ultra-Low Latency Messaging (ULLM) technology. It allows sending and receiving a high number of messages per second with microsecond delivery times for zero-latency data delivery. + +The menu:Statistics[29West] shows: +[cols="1,1"] +|=== +|The `Topics` submenu shows counters for: +a|* Advertisement by Topic +* Advertisement by Source +* Advertisement by Transport +* Queries by Topic +* Queries by Receiver +* Wildcard Queries by Pattern +* Wildcard Queries by Receiver + +|The `Queues` submenu shows counters for: +a|* Advertisement by Queue +* Advertisement by Source +* Queries by Queue +* Queries by Receiver + +|The `UIM` submenu shows `Streams`: +| Each stream is provided by Endpoints, Messages, Bytes, and the First and Last Frame statistics. + +|The `LBT-RM` submenu +|The LBT-RM Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data. + +|The `LBT-RU` submenu +|The LBT-Ru Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data. +|=== + +[#ChStatANCP] + +=== ANCP + +The Access Node Control Protocol (ANCP) is an TCP based protocol, which operates between an Access Node and Network Access Server. The Wireshark ANCP dissector supports the listed below messages: + +* Adjacency Message +* Topology Discovery Extensions, such as Port-Up and Port-Down Messages +* Operation And Maintenance (OAM) Extension, such as Port Management Message. + +The ANCP window shows the related statistical data. The user can filter, copy or save the data into a file. + +[#ChStatBACnet] + +=== BACnet + +Building Automation and Control Networks (BACnet) is a communication protocol which provides control for various building automated facilities, such as light control, fire alarm control, and others. Wireshark provides the BACnet statistics which is a packet counter. You can sort packets by instance ID, IP address, object type or service. + +[#ChStatCollectd] + +=== Collectd + +Collectd is a system statistics collection daemon. It collects various statistics from your system and converts it for the network use. The Collectd statistics window shows counts for values, which split into type, plugin, and host as well as total packets counter. You can filter, copy or save the data to a file. + +[#ChStatDNS] + +=== DNS + +The Domain Name System (DNS) associates different information, such as IP addresses, with domain names. DNS returns different codes, request-response and counters for various aggregations. The DNS statistics window enlists a total count of DNS messages, which are divided into groups by request types (opcodes), response code (rcode), query type, and others. + +.DNS statistics window +image::images/ws-dns.png[{screenshot-attrs}] + +You might find these statistics useful for quickly examining the health of a DNS service or other investigations. See the few possible scenarios below: + +* The DNS server might have issues if you see that DNS queries have a long request-response time or, if there are too many unanswered queries. +* DNS requests with abnormally large requests and responses might be indicative of DNS tunneling or command and control traffic. +* The order of magnitude more DNS responses than requests and the responses are very large might indicate that the target is being attacked with a DNS-based DDoS. + +You can filter, copy or save the data into a file. + +[#ChStatFlowGraph] + +=== Flow Graph + +The Flow Graph window shows connections between hosts. It displays the packet time, direction, ports and comments for each captured connection. You can filter all connections by ICMP Flows, ICMPv6 Flows, UIM Flows and TCP Flows. Flow Graph window is used for showing multiple different topics. Based on it, it offers different controls. + +.Flow Graph window +image::images/ws-flow-graph.png[{screenshot-attrs}] + +Each vertical line represents the specific host, which you can see in the top of the window. + +The numbers in each row at the very left of the window represent the time packet. You can change the time format in the menu:View[Time Display Format]. If you change the time format, you must relaunch the Flow Graph window to observe the time in a new format. + +The numbers at the both ends of each arrow between hosts represent the port numbers. + +Left-click a row to select a corresponding packet in the packet list. + +Right-click on the graph for additional options, such as selecting the previous, current, or next packet in the packet list. This menu also contains shortcuts for moving the diagram. + +Available controls: + +* btn:[Limit to display filter] filters calls just to ones matching display filter. When display filter is active before window is opened, checkbox is checked. +* btn:[Flow type] allows limit type of protocol flows should be based on. +* btn:[Addresses] allows switch shown addresses in diagram. +* btn:[Reset Diagram] resets view position and zoom to default state. +* btn:[Export] allows export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG and ASCII (diagram is stored with ASCII characters only)). + +.Flow Graph window showing VoIP call sequences +image::images/ws-tel-seq-dialog.png[{screenshot-attrs}] + +Additional shortcuts available for VoIP calls: + +* On selected RTP stream +** kbd:[S] - Selects the stream in <<ChTelRTPStreams,RTP Streams>> window (if not opened, it opens it and put it on background). +** kbd:[D] - Deselects the stream in <<ChTelRTPStreams,RTP Streams>> window (if not opened, it opens it and put it on background). + +Additional controls available for VoIP calls: + +* btn:[Reset Diagram] resets view position and zoom to default state. +* btn:[Play Streams] sends selected RTP stream to playlist of <<ChTelRtpPlayer,RTP Player>> window. +* btn:[Export] allows to export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG and ASCII (diagram is stored with ASCII characters only)). + + + +[#ChStatHARTIP] + +=== HART-IP + +Highway Addressable Remote Transducer over IP (HART-IP) is an application layer protocol. It sends and receives digital information between smart devices and control or monitoring systems. The HART-IP statistics window shows the counter for response, request, publish and error packets. You can filter, copy or save the data to a file. + +[#ChStatHPFEEDS] + +=== HPFEEDS + +Hpfeeds protocol provides a lightweight authenticated publishing and subscription. It supports arbitrary binary payloads which can be separated into different channels. HPFEEDS statistics window shows a counter for payload size per channel and opcodes. You can filter, copy or save the data to a file. + +[#ChStatHTTP] + +=== HTTP Statistics + +[#ChStatHTTPPacketCounter] + +==== HTTP Packet Counter + +Statistics for HTTP request types and response codes. + +[#ChStatHTTPRequests] + +==== HTTP Requests + +HTTP statistics based on the host and URI. + +[#ChStatHTTPLoadDistribution] + +==== HTTP Load Distribution + +HTTP request and response statistics based on the server address and host. + +[#ChStatHTTPRequestSequences] + +==== HTTP Request Sequences + +HTTP Request Sequences uses HTTP's Referer and Location headers to sequence a +capture's HTTP requests as a tree. This enables analysts to see how one HTTP +request leads to the next. + +.The “HTTP Request Sequences” window +image::images/ws-stats-http-requestsequences.png[{screenshot-attrs}] + + +[#ChStatHTTP2] + +=== HTTP2 + +Hypertext Transfer Protocol version 2 (HTTP/2) allows multiplexing various HTTP requests and responses over a single connection. It uses a binary encoding which is consisting of frames. The HTTP/2 statistics window shows the total number of HTTP/2 frames and also provides a breakdown per frame types, such as `HEADERS`, `DATA`, and others. + +As HTTP/2 traffic is typically encrypted with TLS, you must configure decryption to observe HTTP/2 traffic. For more details, see the link:{wireshark-wiki-url}TLS[TLS wiki page]. + +[#ChStatSametime] + +=== Sametime + +Sametime is a protocol for the IBM Sametime software. The Sametime statistics window shows the counter for message type, send type, and user status. + +[#ChStatTCPStreamGraphs] + +=== TCP Stream Graphs + +Show different visual representations of the TCP streams in a capture. + +Time Sequence (Stevens):: This is a simple graph of the TCP sequence +number over time, similar to the ones used in Richard Stevens’ “TCP/IP +Illustrated” series of books. + +Time Sequence (tcptrace):: Shows TCP metrics similar to the +http://www.tcptrace.org/[tcptrace] utility, including forward segments, +acknowledgements, selective acknowledgements, reverse window sizes, and +zero windows. + +Throughput:: Average throughput and goodput. + +Round Trip Time:: Round trip time vs time or sequence number. RTT is +based on the acknowledgment timestamp corresponding to a particular +segment. + +Window Scaling:: Window size and outstanding bytes. + +[#ChStatUDPMulticastStreams] + +=== UDP Multicast Streams + +The UDP Multicast Streams window shows statistics for all UDP multicast streams. It includes source addresses and ports, destination addresses and ports, packets counter and other data. You can specify the burst interval, the alarm limits and output speeds. To apply new settings, press btn:[Enter]. + +With these statistics you can: + +* Measure the burst size for a video stream. This uses the sliding window algorithm. +* Measure of the output buffer size limit, that no packet drop will occur. This uses the Leaky bucket algorithm. +* Detect the packet loss inside the MPEG2 video stream. + +.UDP Multicast Streams window +image::images/ws-udp-multicast-stream.png[{screenshot-attrs}] + +[#ChStatRSerPool] + +=== Reliable Server Pooling (RSerPool) + +The Reliable Server Pooling (RSerPool) windows show statistics for the different protocols of Reliable Server Pooling (RSerPool): + +* Aggregate Server Access Protocol{nbsp}(ASAP) +* Endpoint Handlespace Redundancy Protocol{nbsp}(ENRP) + +Furthermore, statistics for application protocols provided by link:https://www.uni-due.de/~be0001/rserpool/[RSPLIB] are provided as well: + +* Component Status Protocol{nbsp}(CSP) +* CalcApp Protocol +* Fractal Generator Protocol +* Ping Pong Protocol +* Scripting Service Protocol{nbsp}(SSP) + +With these statistics you can: + +* Observed number of messages and bytes per message type. +* The share of messages and bytes for each message type. +* See the first and last occurrence of each message type. +* See the interval between first and last occurrence of each message type (if there are at least 2 messages of the corresponding type). +* See the message and byte rate within the interval for each message type (if there are at least 2 messages of the corresponding type). + +See link:https://www.uni-due.de/~be0001/rserpool/[Thomas Dreibholz's Reliable Server Pooling (RSerPool) Page] and Chapter{nbsp}3 of link:https://duepublico.uni-duisburg-essen.de/servlets/DerivateServlet/Derivate-16326/Dre2006_final.pdf[Reliable Server Pooling – Evaluation, Optimization and Extension of a Novel IETF Architecture] for more details about RSerPool and its protocols. + +.ASAP Statistics window +image::images/ws-asap-statistics.png[{screenshot-attrs}] + +.ENRP Statistics window +image::images/ws-enrp-statistics.png[{screenshot-attrs}] + +.Component Status Protocol Statistics window +image::images/ws-csp-statistics.png[{screenshot-attrs}] + +.CalcApp Protocol Statistics window +image::images/ws-calcappprotocol-statistics.png[{screenshot-attrs}] + +.Fractal Generator Protocol Statistics window +image::images/ws-fgp-statistics.png[{screenshot-attrs}] + +.Ping Pong Protocol Statistics window +image::images/ws-pingpongprotocol-statistics.png[{screenshot-attrs}] + +.Scripting Service Protocol Statistics window +image::images/ws-ssp-statistics.png[{screenshot-attrs}] + +[#ChStatF5] + +=== F5 + +In F5 Networks, *TMM* stands for Traffic Management Microkernel. It processes all load-balanced traffic on the BIG-IP system. + +The F5 statistics menu shows packet and byte counts for both `Virtual Server Distribution` and `tmm Distribution` submenus. + +Each `Virtual Server Distribution` window contains the statistics for the following data: + +* A line for each named virtual server name. +* A line for traffic with a flow ID and no virtual server name. +* A line for traffic without a flow ID. + +Each `tmm Distribution` window contains the statistics for the following data: + +* A line for each tmm, which contains: +** A line for each ingress and egress (should add to tmm total), which contains: +*** Traffic with a virtual server name. +*** Traffic with a flow ID and no virtual server name. +*** Traffic without a flow ID. + + +[#ChStatIPv4] + +=== IPv4 Statistics + +Internet Protocol version 4 (IPv4) is a core protocol for the internet layer. It uses 32-bit addresses and allows packets routing from one source host to the next one. + +The menu:Statistics[IPv4] menu provides the packet counter by submenus: + +* `All Addresses`. Divides data by IP address. +* `Destination and Ports`. Divides data by IP address, and further by IP protocol type, such as TCP, UDP, and others. It also shows port number. +* `IP Protocol Types`. Divides data by IP protocol type. +* `Source TTLs`. Divides data by source IP address and then by TTL. Also shows the destination IP address for each TTL value. +* `Source and Destination addresses`. Divides data by source and destination IP address. + +You can see similar statistics in the menu:Statistics[Conversations] and menu:Statistics[Endpoints] menus. + +[#ChStatIPv6] + +=== IPv6 Statistics + +Internet Protocol version 6 (IPv6) is a core protocol for the internet layer. It uses 128-bit addresses and routes internet traffic. Similar to <<ChStatIPv4>>, the menu:Statistics[IPv6] menu shows the packet counter in each submenu. + +// End of WSUG Chapter Statistics diff --git a/doc/wsug_src/wsug_telephony.adoc b/doc/wsug_src/wsug_telephony.adoc new file mode 100644 index 00000000..33a60575 --- /dev/null +++ b/doc/wsug_src/wsug_telephony.adoc @@ -0,0 +1,619 @@ +// WSUG Chapter Telephony + +[#ChTelephony] + +== Telephony + +[#ChTelIntroduction] + +=== Introduction + +Wireshark provides a wide range of telephony related network statistics which +can be accessed via the menu:Telephony[] menu. + +These statistics range from specific signaling protocols, to analysis of +signaling and media flows. If encoded in a compatible encoding the media flow +can even be played. + +The protocol specific statistics windows display detailed information of +specific protocols and might be described in a later version of this document. + +Some of these statistics are described at the +{wireshark-wiki-url}Statistics pages. + +[#ChTelPlayingCalls] + +=== Playing VoIP Calls + +The tool for playing VoIP calls is called <<ChTelRtpPlayer,RTP Player>>. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depend on supported codecs. + +==== Supported codecs + +RTP Player is able to play any codec supported by an installed plugin. The codecs supported by RTP Player depend on the version of Wireshark you're using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark installation's installed codec plugins, do the following: + +* Open menu:Help[About Wireshark] window +* Select the menu:Plugins[] tab +* In the menu:Filter by type[] menu on the top-right, select codec + +.List of supported codecs +image::images/ws-about-codecs.png[{screenshot-attrs}] + +==== Work with RTP streams - Playlist + +Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose. + +Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained. + +When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways: + +* button menu:Play Streams[Set playlist] clears existing playlist and adds streams selected in the tool. +* button menu:Play Streams[Add to playlist] adds streams selected in the tool to playlist. Duplicated streams are not inserted again. +* button menu:Play Streams[Remove from playlist] removes streams selected in the tool from playlist, if they are in the playlist. + +.btn:[Play Streams] button with opened action menu +image::images/ws-tel-rtp-player_button.png[] + +btn:[Play Streams] button can be clicked directly and opens RTP Player window directly with btn:[Set playlist] action. All actions can be selected with the small down arrow next to the button. + +When the playlist is empty, there is no difference between btn:[Set playlist] and btn:[Add to playlist]. When the RTP Player window is not opened, all three actions above open it. + +btn:[Remove from playlist] is useful e.g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with menu:VoIPCalls[]. + +Tools below can be used to maintain content of playlist, they contain btn:[Play Streams] button. You can use one of procedures (Note: btn:[Add to playlist] action is demonstrated): + +* Open menu:Telephony[RTP > RTP Streams] window, it will show all streams in the capture. Select one or more streams and then press btn:[Play Streams]. Selected streams are added to playlist. +* Select any RTP packet in packet list, open menu:Telephony[RTP > Stream Analysis] window. It will show analysis of selected forward stream and its reverse stream (if btn:[Ctrl] is pressed during window opening). Then press btn:[Play Streams]. Forward and reverse stream is added to playlist. +** menu:RTP Stream Analysis[] window can be opened from other tools too. +* Open menu:Telephony[VoIP Calls] or menu:Telephony[SIP Flows] window, it will show all calls. Select one or more calls and then press btn:[Play Streams]. It will add all RTP streams related to selected calls to playlist. +* Open btn:[Flow Sequence] window in menu:Telephony[VoIP Calls] or menu:Telephony[SIP Flows] window, it will show flow sequence of calls. Select any RTP stream and then press btn:[Play Streams]. It will add selected RTP stream to playlist. + +.Tools for modifying playlist in RTP Player window +image::images/ws-tel-playlist.png[] + +[NOTE] +==== +Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see <<ChTelRTPAnalysis,RTP Stream Analysis>> window. +==== + +[#ChTelPlayingCallsLive] + +==== Playing audio during live capture + +Decoding RTP payload and showing waveforms is time consuming task. To speedup it RTP Player window uses copy of packet payload for all streams in the playlist. During live capture the dialog is not refreshed automatically as other Wireshark dialogs, but user must initiate it. + +The copy is created or refreshed and dialog updated: + +* Every time window is opened. +* Every time a new stream is added or set. +* During live capture, when btn:[Refresh streams] is pressed. +* Every time live capture is finished/stopped by a user. + +When capture file is opened (no live capturing), streams are read complete, no user action is required. Button btn:[Refresh streams] is disabled as it is useless. + +When live capture is running, streams are read only till "now" and are shown. When stream is continuous and user would like to see additional part, they must press btn:[Refresh stream]. When the user ends live capture, view is refreshed and button is disabled. + +[NOTE] +==== +RTP Player dialog stays open even live capture is stopped and then started again. Play list stays unchanged. Therefore, btn:[Refresh stream] tries to read same streams as before and shows them if they are still running. Past part of them (from previous live capture) is lost. +==== + +==== RTP Decoding Settings + +RTP is carried usually in UDP packets with random source and destination ports. Therefore, Wireshark can only recognize RTP streams based on VoIP signaling, e.g., based on SDP messages in SIP signaling. If signaling is not captured, Wireshark shows just UDP packets. However, there are multiple settings which help Wireshark recognize RTP even when there is no related signaling. + +You can use <<ChAdvDecodeAsFig,Decode As...>> function from menu:Analyze[Decode As...] menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use. + +Use of menu:Decode As...[] menu works fine, but is arduous for many streams. + +You can enable heuristic dissector menu:rtp_udp[] in menu:Analyze[Enabled Protocols...]. See <<ChCustProtocolDissectionSection>> for details. Once menu:rtp_udp[] is enabled, Wireshark tries to decode every UDP packet as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP. + +When an RTP stream uses a well-known port, the heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol menu:Preferences[Protocols > udp > Try heuristic sub-dissectors first], see <<ChCustPreferencesSection>>. In this case heuristics dissector tries to decode UDP packet even it uses a well-known port. + +[NOTE] +==== +Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected. + +When you enable menu:udp[Try heuristic sub-dissectors first], it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high. +==== + +RTP Player must store decoded data somewhere to be able to play it. When data are decoded, there are audio samples and dictionary for fast navigation. Both types of data are stored in memory for default, but you can configure Wireshark to store it on disk. There are two settings: + +* ui.rtp_player_use_disk1 - When set to FALSE (default), audio samples are kept in memory. When set to TRUE, audio samples are stored on temporary file. +* ui.rtp_player_use_disk2 - When set to FALSE (default), dictionary is kept in memory. When set to TRUE, dictionary is stored on temporary file. + +When any data are configured to be stored on disk, one file is created for each stream. Therefore, there might be up to two files for one RTP stream (audio samples and dictionary). If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see fewer streams that was added to playlist. Warnings are printed on console in this case and you will see fewer streams in the playlist than you send to it from other tools. + +For common use you can use default settings - store everything in memory. When you will be out of memory, switch ui.rtp_player_use_disk1 to TRUE first - it saves much more memory than ui.rtp_player_use_disk2. + + +==== VoIP Processing Performance and Related Limits + +Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines... + +RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU. + +RTP Player can handle 1000+ streams, but take into account that waveforms are very small and difficult to recognize in this case. + +RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again. + +RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams. + + +[#ChTelVoipCalls] + +=== VoIP Calls Window + +The VoIP Calls window shows a list of all detected VoIP calls in the captured +traffic. It finds calls by their signaling and shows related RTP streams. The current VoIP supported protocols are: + +* H.323 +* IAX2 +* ISUP +* MGCP/MEGACO +* SIP +* SKINNY +* UNISTIM + +See {wireshark-wiki-url}VOIPProtocolFamily[VOIPProtocolFamily] for an overview of the used VoIP protocols. + +VoIP Calls window can be opened as window showing all protocol types (menu:Telephony[VoIP Calls] window) or limited to SIP messages only (menu:Telephony[SIP Flows] window). + +.VoIP Calls window +image::images/ws-tel-voip-calls.png[{screenshot-attrs}] + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* On selected call/calls +** kbd:[S] - Selects stream/streams related to call in RTP Streams window (if not opened, it opens it and put it on background). +** kbd:[D] - Deselects stream/streams related to call in RTP Streams window (if not opened, it opens it and put it on background). + +Available controls are: + +* btn:[Limit to display filter] filters calls just to ones matching display filter. When display filter is active before window is opened, checkbox is checked. +* btn:[Time of Day] switches format of shown time between relative to start of capture or absolute time of received packets. +* btn:[Flow Sequence] opens <<ChStatFlowGraph,Flow Sequence>> window and shows selected calls in it. +* btn:[Prepare Filter] generates display filter matching to selected calls (signaling and RTP streams) and apply it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Copy] copies information from table to clipboard in CSV or YAML. + +[#ChTelANSI] + +=== ANSI + +This menu shows groups of statistic data for mobile communication protocols according to ETSI GSM standards. + +==== A-I/F BSMAP Statistics Window + +The A-Interface Base Station Management Application Part (BSMAP) Statistics window shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file. + +==== A-I/F DTAP Statistics Window + +The A-Interface Direct Transfer Application Part (DTAP) Statistics widow shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file. + +[#ChTelGSM] + +=== GSM Windows + +The Global System for Mobile Communications (GSM) is a standard for mobile networks. This menu shows a group of statistic data for mobile communication protocols according to ETSI GSM standard. + +[#ChTelIAX2Analysis] + +=== IAX2 Stream Analysis Window + +The “IAX2 Stream Analysis” window shows statistics for the forward and reverse +streams of a selected IAX2 call along with a graph. + +[#ChTelISUPMessages] + +=== ISUP Messages Window + +Integrated Service User Part (ISUP) protocol provides voice and non-voice signaling for telephone communications. ISUP Messages menu opens the window which shows the related statistics. The user can filter, copy or save the data into a file. + +[#ChTelLTE] + +=== LTE + +[#ChTelLTEMACTraffic] + +==== LTE MAC Traffic Statistics Window + +Statistics of the captured LTE MAC traffic. This window will summarize the LTE +MAC traffic found in the capture. + +.The “LTE MAC Traffic Statistics” window +image::images/ws-stats-lte-mac-traffic.png[{screenshot-attrs}] + +The top pane shows statistics for common channels. Each row in the middle pane +shows statistical highlights for exactly one UE/C-RNTI. In the lower pane, you +can see the for the currently selected UE/C-RNTI the traffic broken down by +individual channel. + +[#ChTelLTERLCGraph] + +==== LTE RLC Graph Window + +The LTE RLC Graph menu launches a graph which shows LTE Radio Link Control protocol sequence numbers changing over time along with acknowledgements which are received in the opposite direction. + +NOTE: That graph shows data of a single bearer and direction. The user can also launch it from the `RLC Statistics` window. + +.The RLC Graph window +image::images/ws-rlc-graph.png[{screenshot-attrs}] + +[.small]#_The image of the RLC Graph is borrowed from link:{wireshark-wiki-url}RLC-LTE[the Wireshark wiki]._# + +[#ChTelLTERLCTraffic] + +==== LTE RLC Traffic Statistics Window + +Statistics of the captured LTE RLC traffic. This window will summarize the LTE +RLC traffic found in the capture. + +.The “LTE RLC Traffic Statistics” window +image::images/ws-stats-lte-rlc-traffic.png[{screenshot-attrs}] + +At the top, the check-box allows this window to include RLC PDUs found within +MAC PDUs or not. This will affect both the PDUs counted as well as the display +filters generated (see below). + +The upper list shows summaries of each active UE. Each row in the lower list +shows statistical highlights for individual channels within the selected UE. + +The lower part of the windows allows display filters to be generated and set for +the selected channel. Note that in the case of Acknowledged Mode channels, if a +single direction is chosen, the generated filter will show data in that +direction and control PDUs in the opposite direction. + +[#ChTelMTP3] + +=== MTP3 Windows + +The Message Transfer Part level 3 (MTP3) protocol is a part of the Signaling System 7 (SS7). The Public Switched Telephone Networks use it for reliable, unduplicated and in-sequence transport of SS7 messaging between communication partners. + +This menu shows MTP3 Statistics and MTP3 Summary windows. + +[#ChTelOsmux] + +=== Osmux Windows + +OSmux is a multiplex protocol designed to reduce bandwidth usage of satellite-based GSM systems's voice (RTP-AMR) and signaling traffic. The OSmux menu opens the packet counter window with the related statistic data. The user can filter, copy or save the data into a file. + +[#ChTelRTP] + +=== RTP + +[#ChTelRTPStreams] + +==== RTP Streams Window + +The RTP streams window shows all RTP streams in capture file. Streams can be selected there and on selected streams other tools can be initiated. + +.The “RTP Streams” window +image::images/ws-tel-rtp-streams.png[{screenshot-attrs}] + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* Find Reverse +** kbd:[R] - Try search for reverse streams related to already selected streams. If found, selects them in the list too. +** btn:[Shift+R] - Select all pair streams (forward/reverse relation). +** btn:[Ctrl+R] - Select all single streams (no reverse stream does exist). +* kbd:[G] - Go to packet of stream under the mouse cursor. +* kbd:[M] - Mark all packets of selected streams. +* kbd:[P] - Prepare filter matching selected streams and apply it. +* kbd:[E] - Export selected streams in RTPDump format. +* kbd:[A] - Open <<ChTelRTPAnalysis,RTP Stream Analysis>> window and add selected streams to it. + +Available controls are: + +* Find Reverse +** btn:[Find Reverse] search for reverse stream of every selected stream. If found, selects it in the list too. +** btn:[Find All Pairs] select all streams which have forward/reverse relation. +** btn:[Find Only Single] select all streams which are single - have no reverse stream. +* btn:[Analyze] opens <<ChTelRTPAnalysis,RTP Stream Analysis>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Prepare Filter] prepares filter matching selected streams and apply it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Copy] copies information from table to clipboard in CSV or YAML. +* btn:[Export] exports selected streams in RTPDump format. + + +[#ChTelRTPAnalysis] + +==== RTP Stream Analysis Window + +The RTP analysis function takes the selected RTP streams and generates a list of +statistics on them including a graph. + +The menu:Telephony[RTP > RTP Stream Analysis] menu item is enabled only when the +selected packet is an RTP packet. When the action is selected, the RTP Stream +Analysis window is opened (if not already) and the RTP stream of the current +packet is added for analysis. If btn:[Ctrl] is pressed when selecting the +menu item, other RTP streams on the same addresses and ports (in both forward +and reverse direction) are scanned for and added to the window too if found. + +Every stream is shown on its own tab. Tabs are numbered as streams are added +and each tooltip shows the identification of the stream. When a tab is closed, +its number is not reused. The tab color matches the color of the corresponding +graph on the graph tab. + +.The “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_1.png[{screenshot-attrs}] + +.Error indicated in “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_3.png[{screenshot-attrs}] + +Per packet statistic shows: + +* Packet number +* Sequence number +* Delta (ms) to last packet +* Jitter (ms) +* Skew +* Bandwidth +* Marker - packet is marked in RTP header +* Status - information related to the packet. E. g. change of codec, DTMF number, warning about incorrect sequence number. + +Side panel left to packet list shows stream statistics: + +* Maximal delta and at which packet it occurred +* Maximal jitter +* Mean jitter +* Maximal skew +* Count of packets +* Count of lost packets - calculated from sequence numbers +* When the stream starts and first packet number +* Duration of the stream +* Clock drift +* Frequency drift + +[NOTE] +==== +Some statistic columns are calculated only when Wireshark is able to decode codec of RTP stream. +==== + +Available shortcuts are: + +* kbd:[G] - Go to selected packet of stream in packet list +* kbd:[N] - Move to next problem packet + +Available controls are: + +* Prepare Filter +** btn:[Current Tab] prepares filter matching current tab and applies it. +** btn:[All Tabs] prepares filter matching all tabs and applies it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Export] allows export current stream or all streams as CSV or export graph as image in multiple different formats (PDF, PNG, BMP and JPEG). + +.Graph in “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_2.png[{screenshot-attrs}] + +Graph view shows graph of: + +* jitter +* difference - absolute value of difference between expected and real time of packet arrival +* delta - time difference from reception of previous packet + +for every stream. Checkboxes below graph are enabling or disabling showing of a graph for every stream. btn:[Stream X] checkbox enables or disables all graphs for the stream. + +[NOTE] +==== +Stream Analysis window contained tool for save audio and payload for analyzed streams. This tool was moved in Wireshark 3.5.0 to <<ChTelRtpPlayer,RTP Player>> window. New tool has more features. +==== + +[#ChTelRtpPlayer] + +==== RTP Player Window + +The RTP Player function is a tool for playing VoIP calls. It shows RTP streams +and their waveforms, and can play the streams and export them to file as audio +or raw payload. See related concepts in <<ChTelPlayingCalls>>. + +The menu:Telephony[RTP > RTP Player] menu item is enabled only when the +selected packet is an RTP packet. When the action is selected, the RTP Player +window is opened (if not already) and the RTP stream of the current packet is +added to the playlist. If btn:[Ctrl] is pressed when selecting the menu item, +other RTP streams on the same addresses and ports (in both forward and reverse +direction) are scanned for and added to the playlist too if found. + +.RTP Player window +image::images/ws-tel-rtp-player_1.png[{screenshot-attrs}] + +RTP Player Window consists of three parts: + +. Waveform view +. Playlist +. Controls + +Waveform view shows visual presentation of RTP stream. Color of waveform and playlist row are matching. Height of wave shows volume. + +Waveform shows error marks for Out of Sequence, Jitter Drops, Wrong Timestamps and Inserted Silence marks if it happens in a stream. + +.Waveform with error marks +image::images/ws-tel-rtp-player_3.png[{screenshot-attrs}] + +Playlist shows information about every stream: + +* Play - Audio routing +* Source Address, Source Port, Destination Address, Destination Port, SSRC +* Setup Frame +** SETUP <number> is shown, when there is known signaling packet. Number is packet number of signaling packet. Note: Word SETUP is shown even RTP stream was initiated e. g. by SKINNY where no SETUP message exists. +** RTP <number> is shown, when no related signaling was found. Number is packet number of first packet of the stream. +* Packets - Count of packets in the stream. +* Time Span - Start - Stop (Duration) of the stream +* SR - Sample rate of used codec +* PR - Decoded play rate used for stream playing +* Payloads - One or more payload types used by the stream + +[NOTE] +==== +When rtp_udp is active, most of streams shows just RTP <number> even there is setup frame in capture. + +When RTP stream contains multiple codecs, SR and PR is based on first observed coded. Later codecs in stream are resampled to first one. +==== + +Controls allow a user to: + +* btn:[Start]/btn:[Pause]/btn:[Stop] playing of unmuted streams +* btn:[>>] enabling/disabling silence skipping +** Min silence - Minimal duration of silence to skip in seconds. Shorter silence is played as it is. +* Select btn:[Output audio device] and btn:[Output audio rate] +* Select btn:[Playback Timing] +** Jitter Buffer - Packets outside btn:[Jitter Buffer] size are discarded during decoding +** RTP Timestamp - Packets are ordered and played by its Timestamp, no Jitter Buffer is used +** Uninterrupted Mode - All gaps (e. g. Comfort Noise, lost packets) are discarded therefore audio is shorted than timespan +* btn:[Time of Day] selects whether waveform timescale is shown in seconds from start of capture or in absolute time of received packets +* btn:[Refresh streams] refreshes streams during live capture (see <<ChTelPlayingCallsLive>>). Button is disabled when no live capture is running. +* Inaudible streams +** btn:[Select] select all inaudible streams (streams with zero play rate) +** btn:[Deselect] deselect all inaudible streams (streams with zero play rate) +* btn:[Analyze] open <<ChTelRTPAnalysis,RTP Stream Analysis>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Prepare Filter] prepare filter matching selected streams and apply it. +* btn:[Export] - See <<tel-rtp-export>>. + +[NOTE] +==== +RTP Player detects silence just by missing voice samples (Comfort Noise, interrupted RTP, missing RTP, ...) or when some streams are muted. +==== + +.RTP stream state indication +image::images/ws-tel-rtp-player_2.png[{screenshot-attrs}] + +Waveform view and playlist shows state of a RTP stream: + +. stream is muted (dashed waveform, menu:Muted[] is shown in Play column) or unmuted (non-dashed waveform, audio routing is shown in Play column) +. stream is selected (blue waveform, blue row) +. stream is below mouse cursor (bold waveform, bold font) + +User can control to where audio of a stream is routed to: + +* L - Left channel +* L+R - Left and Right (Middle) channel +* R - Left channel +* P - Play (when mono soundcard is available only) +* M - Muted + +Audio routing can be changed by double clicking on first column of a row, by shortcut or by menu. + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* Go to packet +** kbd:[G] - Go to packet of stream under the mouse cursor +** kbd:[Shift + G] - Go to setup packet of stream under the mouse cursor +* Audio routing +** kbd:[M] - Mute all selected streams +** kbd:[Shift + M] - Unmute all selected streams +** kbd:[Ctrl + M] - Invert muting of all selected streams +* kbd:[P] - Play audio +* kbd:[S] - Stop playing +* kbd:[Del] or kbd:[Ctrl + X] - Remove all selected streams from playlist +* Inaudible steams +** kbd:[N] - Select all inaudible streams +** kbd:[Shift + N] - Deselect all inaudible streams + +[#tel-rtp-export] + +===== Export + +[NOTE] +==== +menu:Export[] was moved from menu:RTP Stream Analysis[] window to menu:RTP Player[] window in 3.5.0. + +Wireshark is able to export decoded audio in .au or .wav file format. Prior to version 3.2.0, Wireshark only supported exporting audio using the G.711 codec. From 3.2.0 it supports audio export using any codec with 8000 Hz sampling. From 3.5.0 is supported export of any codec, rate is defined by Output Audio Rate. +==== + +Export options available: + +* for one or more selected non-muted streams +** From cursor - Streams are saved from play start cursor. If some streams are shorter, they are removed from the list before save and count of saved streams is lower than count of selected streams. +** Stream Synchronized Audio - File starts at the begin of earliest stream in export, therefore there is no silence at beginning of exported file. +** File Synchronized Audio - Streams starts at beginning of file, therefore silence can be at start of file. +* for just one selected stream +** Payload - just payload with no information about coded is stored in the file + +Audio is exported as multi-channel file - one channel per RTP stream. One or two channels are equal to mono or stereo, but Wireshark can export e.g., 100 channels. For playing a tool with multi-channel support must be used (e.g., https://www.audacityteam.org/). + +Export of payload function is useful for codecs not supported by Wireshark. + +[NOTE] +==== +Default value of btn:[Output Audio Rate] is btn:[Automatic]. When multiple codecs with different codec rates are captured, Wireshark decodes each stream with its own play audio rate. Therefore, each stream can have a different audio rate. If you attempt to export audio when there are multiple audio rates, it will fail because .au or .wav require a fixed audio rate. + +In this case user must manually select one of rates in btn:[Output Audio Rate], streams will be resampled and audio export succeeds. +==== + +[#ChTelRTSP] + +=== RTSP Window + +In the Real Time Streaming Protocol (RTSP) menu the user can check the Packet Counter window. It shows Total RTCP Packets and divided into RTSP Response Packets, RTSP Request Packets and Other RTSP packets. The user can filter, copy or save the data into a file. + +[#ChTelSCTP] + +=== SCTP Windows + +Stream Control Transmission Protocol (SCTP) is a computer network protocol which provides a message transfer in telecommunication in the transport layer. It overcomes some lacks of User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). The SCTP packets consist of the _common header_ and the _data chunks_. + +The SCTP Analyze Association window shows the statistics of the captured packets between two Endpoints. You can check the different chunk types by pressing btn:[Chunk Statistics] button in the `Statistics` tab. In the `Endpoint` tabs you can see various statistics, such as IP addresses, ports and others. You can also check different graphs here. + +.SCTP Analyze Association window +image::images/ws-sctp-1-association.png[{screenshot-attrs}] + +The SCTP Associations window shows the table with the data for captured packets, such as port and counter. You can also call for the SCTP Analyze Association window by pressing the btn:[Analyze] button. + +.SCTP Associations window +image::images/ws-sctp.png[{screenshot-attrs}] + +[#ChTelSMPPOperations] + +=== SMPP Operations Window + +Short Message Peer-to-Peer (SMPP) protocol uses TCP protocol as its transfer for exchanging Short Message Service (SMS) Messages, mainly between Short Message Service Centers (SMSC). The dissector determines whether the captured packet is SMPP or not by using the heuristics in the fixed header. The SMPP Operations window displays the related statistical data. The user can filter, copy or save the data into a file. + +[#ChTelUCPMessages] + +=== UCP Messages Window + +The Universal Computer Protocol (UCP) plays role in transferring Short Messages between a Short Message Service Centre (SMSC) and an application, which is using transport protocol, such as TCP or X.25. The UCP Messages window displays the related statistical data. The user can filter, copy or save the data into a file. + +[#ChTelH225] + +=== H.225 Window + +H.225 telecommunication protocol which is responsible for messages in call signaling and media stream packetization for packet-based multimedia communication systems. The H.225 window shows the counted messages by types and reasons. The user can filter, copy or save the data into a file. + +[#ChTelSIPFlows] + +=== SIP Flows Window + +Session Initiation Protocol (SIP) Flows window shows the list of all captured SIP transactions, such as client registrations, messages, calls and so on. + +This window will list both complete and in-progress SIP transactions. + +Window has same features as <<ChTelVoipCalls,VoIP Calls>> window. + +[#ChTelSIPStatistics] + +=== SIP Statistics Window + +SIP Statistics window shows captured SIP transactions. It is divided into SIP Responses and SIP Requests. In this window the user can filter, copy or save the statistics into a file. + +[#ChTelWAPWSPPacketCounter] + +=== WAP-WSP Packet Counter Window + +The WAP-WSP Packet Counter menu displays the number of packets for each Status Code and PDU Type in Wireless Session Protocol traffic. The user can filter, copy or save the data into a file. + +// End of WSUG Chapter Telephony diff --git a/doc/wsug_src/wsug_tools.adoc b/doc/wsug_src/wsug_tools.adoc new file mode 100644 index 00000000..3a83d05f --- /dev/null +++ b/doc/wsug_src/wsug_tools.adoc @@ -0,0 +1,301 @@ +// WSUG Appendix Tools + +[#AppTools] + +[appendix] +== Related command line tools + +[#AppToolsIntroduction] + +=== Introduction + +Wireshark comes with an array of +command line tools which can be helpful for packet analysis. Some of +these tools are described in this chapter. You can find more +information about all of Wireshark’s command line tools on +link:{wireshark-man-page-url}[the web site]. + +[#AppToolstshark] + +=== __tshark__: Terminal-based Wireshark + +TShark is a terminal oriented version of Wireshark designed for capturing and +displaying packets when an interactive user interface isn’t necessary or +available. It supports the same options as `wireshark`. For more information on +`tshark` consult your local manual page (`man tshark`) or +link:{wireshark-man-page-url}tshark.html[the online version]. + +[#AppToolstsharkEx] +.Help information available from `tshark` +---- +include::tshark-h.txt[] +---- + +[#AppToolstcpdump] + +=== __tcpdump__: Capturing with “tcpdump” for viewing with Wireshark + +It’s often more useful to capture packets using `tcpdump` rather than +`wireshark`. For example, you might want to do a remote capture and either don’t +have GUI access or don’t have Wireshark installed on the remote machine. + +Older versions of `tcpdump` truncate packets to 68 or 96 bytes. If this is the case, +use `-s` to capture full-sized packets: + +---- +$ tcpdump -i <interface> -s 65535 -w <file> +---- + +You will have to specify the correct _interface_ and the name of a _file_ to +save into. In addition, you will have to terminate the capture with ^C when you +believe you have captured enough packets. + +`tcpdump` is not part of the Wireshark distribution. You can get it from +{tcpdump-main-url} or as a standard package in most Linux distributions. +For more information on `tcpdump` consult your local manual page (`man +tcpdump`) or link:{tcpdump-man-page-url}[the online version]. + +[#AppToolsdumpcap] + +=== __dumpcap__: Capturing with “dumpcap” for viewing with Wireshark + +Dumpcap is a network traffic dump tool. It captures packet data from a live +network and writes the packets to a file. Dumpcap’s native capture file format +is pcapng, which is also the format used by Wireshark. + +By default, Dumpcap uses the pcap library to capture traffic +from the first available network interface and writes the received raw +packet data, along with the packets’ time stamps into a pcapng file. The +capture filter syntax follows the rules of the pcap library. For more +information on `dumpcap` consult your local manual page (`man dumpcap`) +or link:{wireshark-man-page-url}dumpcap.html[the online version]. + +[#AppToolsdumpcapEx] +.Help information available from `dumpcap` +---- +include::dumpcap-h.txt[] +---- + +[#AppToolscapinfos] + +=== __capinfos__: Print information about capture files + +`capinfos` can print information about capture files including the file +type, number of packets, date and time information, and file hashes. +Information can be printed in human and machine readable formats. For +more information on `capinfos` consult your local manual page (`man +capinfos`) or link:{wireshark-man-page-url}capinfos.html[the online +version]. + +[#AppToolscapinfosEx] +.Help information available from `capinfos` +---- +include::capinfos-h.txt[] +---- + +[#AppToolsrawshark] + +=== __rawshark__: Dump and analyze network traffic. + +Rawshark reads a stream of packets from a file or pipe, and prints a +line describing its output, followed by a set of matching fields for +each packet on stdout. For more information on `rawshark` consult your +local manual page (`man rawshark`) or +link:{wireshark-man-page-url}rawshark.html[the online version]. + +[#AppToolsrawsharkEx] +.Help information available from `rawshark` +---- +include::rawshark-h.txt[] +---- + +[#AppToolseditcap] + +=== __editcap__: Edit capture files + +`editcap` is a general-purpose utility for modifying capture files. Its +main function is to remove packets from capture files, but it can also +be used to convert capture files from one format to another, as well as +to print information about capture files. For more information on +`editcap` consult your local manual page (`man editcap`) or +link:{wireshark-man-page-url}editcap.html[the online version]. + +[#AppToolseditcapEx] +.Help information available from editcap +---- +include::editcap-h.txt[] +---- + +[#AppToolseditcapEx1] +.Capture file types available from `editcap -F` +---- +include::editcap-F.txt[] +---- + +[#AppToolseditcapEx2] +.Encapsulation types available from `editcap -T` + +---- +include::editcap-T.txt[] +---- + +[#AppToolsmergecap] + +=== __mergecap__: Merging multiple capture files into one + +Mergecap is a program that combines multiple saved capture files into a single +output file specified by the `-w` argument. Mergecap can read libpcap +capture files, including those of tcpdump. In addition, Mergecap can read +capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer +(compressed or uncompressed), Microsoft Network Monitor, AIX’s iptrace, NetXray, +Sniffer Pro, RADCOM’s WAN/LAN analyzer, Lucent/Ascend router debug output, +HP-UX’s nettl, and the dump output from Toshiba’s ISDN routers. There is no need +to tell Mergecap what type of file you are reading; it will determine the file +type by itself. Mergecap is also capable of reading any of these file formats if +they are compressed using `gzip`. Mergecap recognizes this directly from the +file; the “.gz” extension is not required for this purpose. + +By default, Mergecap writes all of the packets in the input capture files to a +pcapng file. The `-F` flag can be used +to specify the capture file's output format ; it can write the file +in libpcap format (standard libpcap format, a modified format used by some +patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format +used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft +Network Monitor 1.x format, and the format used by Windows-based versions of the +Sniffer software. + +Packets from the input files are merged in chronological order based on each +frame’s timestamp, unless the `-a` flag is specified. Mergecap assumes that +frames within a single capture file are already stored in chronological order. +When the `-a` flag is specified, packets are copied directly from each input +file to the output file, independent of each frame’s timestamp. + +If the `-s` flag is used to specify a snapshot length, frames in the input file +with more captured data than the specified snapshot length will have only the +amount of data specified by the snapshot length written to the output file. This +may be useful if the program that is to read the output file cannot handle +packets larger than a certain size (for example, the versions of snoop in +Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the +standard Ethernet MTU, making them incapable of handling gigabit Ethernet +captures if jumbo frames were used). + +If the `-T` flag is used to specify an encapsulation type, the encapsulation +type of the output capture file will be forced to the specified type, rather +than being the type appropriate to the encapsulation type of the input capture +file. Note that this merely forces the encapsulation type of the output file to +be the specified type; the packet headers of the packets will not be translated +from the encapsulation type of the input capture file to the specified +encapsulation type (for example, it will not translate an Ethernet capture to an +FDDI capture if an Ethernet capture is read and `-T fddi` is specified). + +For more information on `mergecap` consult your local manual page (`man +mergecap`) or link:{wireshark-man-page-url}mergecap.html[the online +version]. + +[#AppToolsmergecapEx] +.Help information available from `mergecap` +---- +include::mergecap-h.txt[] +---- + +A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into +`outfile.pcapng` is shown below. + +[#AppToolsmergecapExSimple] +.Simple example of using mergecap +---- +$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng +---- + +[#AppToolstext2pcap] + +=== __text2pcap__: Converting ASCII hexdumps to network captures + +There may be some occasions when you wish to convert a hex dump of some network +traffic into a capture file. + +`text2pcap` is a program that reads in an ASCII hex dump and writes the data +described into any capture file format supported by libwiretap. `text2pcap` can +read hexdumps with multiple packets in them, and build a capture file of +multiple packets. +`text2pcap` is also capable of generating dummy Ethernet, IP, UDP, TCP or SCTP +headers, in order to build fully processable packet dumps from hexdumps of +application-level data only. + +`text2pcap` understands a hexdump of the form generated by `od -A x -t x1`. In +other words, each byte is individually displayed and surrounded with a space. +Each line begins with an offset describing the position in the packet, each new +packet starts with an offset of 0 and there is a space separating the offset +from the following bytes. The offset +is a hex number (can also be octal - see `-o`), of more than two hex digits. Here +is a sample dump that `text2pcap` can recognize: + +---- +000000 00 e0 1e a7 05 6f 00 10 ........ +000008 5a a0 b9 12 08 00 46 00 ........ +000010 03 68 00 00 00 00 0a 2e ........ +000018 ee 33 0f 19 08 7f 0f 19 ........ +000020 03 80 94 04 00 00 10 01 ........ +000028 16 a2 0a 00 03 50 00 0c ........ +000030 01 01 0f 19 03 80 11 01 ........ +---- + +There is no limit on the width or number of bytes per line. Also the text dump +at the end of the line is ignored. Bytes/hex numbers can be uppercase or +lowercase. Any text before the offset is ignored, including email forwarding +characters “>”. Any lines of text between the bytestring lines is ignored. +The offsets are used to track the bytes, so offsets must be correct. Any line +which has only bytes without a leading offset is ignored. An offset is +recognized as being a hex number longer than two characters. Any text after the +bytes is ignored (e.g., the character dump). Any hex numbers in this text are +also ignored. An offset of zero is indicative of starting a new packet, so a +single text file with a series of hexdumps can be converted into a packet +capture with multiple packets. Packets may be preceded by a timestamp. These +are interpreted according to the format given on the command line. If not, the +first packet is timestamped with the current time the conversion takes place. +Multiple packets are written with timestamps differing by one microsecond each. +In general, short of these restrictions, `text2pcap` +is pretty liberal about reading in hexdumps and has been tested with a variety +of mangled outputs (including being forwarded through email multiple times, with +limited line wrap etc.) + +There are a couple of other special features to note. Any line where the first +non-whitespace character is “#” will be ignored as a comment. Any line beginning +with #TEXT2PCAP is a directive and options can be inserted after this command to +be processed by `text2pcap`. Currently there are no directives implemented; in the +future, these may be used to give more fine-grained control on the dump and the +way it should be processed e.g., timestamps, encapsulation type etc. + +`text2pcap` also allows the user to read in dumps of application-level data, by +inserting dummy L2, L3 and L4 headers before each packet. Possibilities include +inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or TCP, +or SCTP before each packet. This allows Wireshark or any other full-packet +decoder to handle these dumps. + +For more information on `text2pcap` consult your local manual page (`man +text2pcap`) or link:{wireshark-man-page-url}text2pcap.html[the online +version]. + +[#AppToolstext2pcapEx] +.Help information available from text2pcap + +---- +include::text2pcap-h.txt[] +---- + +[#AppToolsreordercap] + +=== __reordercap__: Reorder a capture file + +`reordercap` lets you reorder a capture file according to the packets +timestamp. For more information on `reordercap` consult your local +manual page (`man reordercap`) or +link:{wireshark-man-page-url}reordercap.html[the online version]. + +[#AppToolsreordercapEx] +.Help information available from reordercap +---- +include::reordercap-h.txt[] +---- + +// End of WSUG Appendix Tools diff --git a/doc/wsug_src/wsug_troubleshoot.adoc b/doc/wsug_src/wsug_troubleshoot.adoc new file mode 100644 index 00000000..ededd77b --- /dev/null +++ b/doc/wsug_src/wsug_troubleshoot.adoc @@ -0,0 +1,79 @@ +// WSUG Chapter Four + +[#Chap04] + +== Troubleshooting with Wireshark + +=== An approach to troubleshooting with Wireshark + +Wireshark is a very useful tool for network troubleshooting, since it contains a +number of features that allow you to quickly focus on problems in your network +for several reasons: + +* It allows you to focus in on specific packets and protocols, as you can see a + large amount of detail associated with various protocols. + +* It supports a large number of protocols, and the list of protocols supported + is growing as more people contribute dissectors + +* By giving you a visual view of traffic in parts of your network, and providing + tools to filter and colorize that information, you can get a better feel for + your network traffic, and can understand your network better. + +The following general approach is suggested: + +* Determine that the problem looks like a networking problem. There is no point + in capturing packets if the problem is not networking related. + +* Figure out where to capture packets. You will have to capture packets from a + part of the network where you can actually get network traffic related to the + problem. This is especially important in the presence of switches and routers. + See <<Ch04ROUSWI>> for more details. ++ +Because Wireshark can read many capture file formats, you can capture using any +convenient tool. One useful approach is to use _tcpdump_ to capture on remote +systems and then copy the capture file to your system for later analysis. For +more details on capturing with _tcpdump_, see <<Ch05tcpdump>>. + +* Once you have captured packets that you think relate to the problem, load them + into Wireshark and look for your problem. Using Wireshark’s filtering and + colorization capabilities, you can quickly narrow down the capture to the area + of interest. + +* Examine the appropriate fields within the packets where the problem appears to + be. These can often help to reveal the problem. + +[#Ch04ROUSWI] + +=== Capturing in the presence of switches and routers + +In the old days of Ethernet, all network traffic was spread over one “yellow” +cable through the whole network. Capturing data was easy, as all packets from +the network could be captured using the “promiscuous mode” at any place in the +network. The only devices blocking network traffic, were routers. But as routers +were extremely expensive, they were not widely used. + +Then Ethernet wiring using hubs become the state of the art. As the hubs still +spaded the packets all over the network, things regarding capturing didn’t +change. + +At the next stage, Ethernet switches became widely available. This complicated +things a lot. When capturing traffic on a computer connected to a switch, +usually the switch will only forward packets to the computer, which are directed +to it, or to all computers (broadcasts). It’s much the same like deactivating +the promiscuous mode of the capturing network card. + +There are some ways to circumvent this. + +Many vendor’s switches support a feature known as “port spanning” or “port +mirroring” in which all of the traffic to and from port A are also sent out +port B. + +=== Examples of troubleshooting + +Troubleshooting often requires a reasonable knowledge of the protocols in +question. However, as Wireshark will often give you some good hints, you might +get an idea of what is going wrong simply by looking in the packets being +exchanged. + +// End of WSUG Chapter 4 diff --git a/doc/wsug_src/wsug_use.adoc b/doc/wsug_src/wsug_use.adoc new file mode 100644 index 00000000..c2511ba4 --- /dev/null +++ b/doc/wsug_src/wsug_use.adoc @@ -0,0 +1,1186 @@ +// WSUG User Interface Chapter + +[#ChapterUsing] + +== User Interface + +[#ChUseIntroductionSection] + +=== Introduction + +By now you have installed Wireshark and are likely keen to get started +capturing your first packets. In the next chapters we will explore: + +* How the Wireshark user interface works +* How to capture packets in Wireshark +* How to view packets in Wireshark +* How to filter packets in Wireshark +* ... and many other things! + +[#ChUseStartSection] + +=== Start Wireshark + +You can start Wireshark from your shell or window manager. + +[TIP] +.Power user tip +==== +When starting Wireshark it’s possible to specify optional settings using the +command line. See <<ChCustCommandLine>> for details. +==== + +The following chapters contain many screenshots of Wireshark. As +Wireshark runs on many different platforms with many different window managers, +different styles applied and there are different versions of the underlying GUI +toolkit used, your screen might look different from the provided screenshots. +But as there are no real differences in functionality these screenshots should +still be well understandable. + +[#ChUseMainWindowSection] + +=== The Main window + +Let’s look at Wireshark’s user interface. <<ChUseFig01>> shows Wireshark as you +would usually see it after some packets are captured or loaded (how to do this +will be described later). + +[#ChUseFig01] +.The Main window +image::images/ws-main.png[{screenshot-attrs}] + +Wireshark’s main window consists of parts that are commonly known from many +other GUI programs. + +. The _menu_ (see <<ChUseMenuSection>>) is used to start actions. +. The _main toolbar_ (see <<ChUseMainToolbarSection>>) provides quick access to + frequently used items from the menu. +. The _filter toolbar_ (see <<ChUseFilterToolbarSection>>) allows users to + set _display filters_ to filter which packets are displayed (see + <<ChWorkDisplayFilterSection>>). +. The _packet list pane_ (see <<ChUsePacketListPaneSection>>) displays a summary + of each packet captured. By clicking on packets in this pane you control what is + displayed in the other two panes. +. The _packet details pane_ (see <<ChUsePacketDetailsPaneSection>>) displays the + packet selected in the packet list pane in more detail. +. The _packet bytes pane_ (see <<ChUsePacketBytesPaneSection>>) displays the + data from the packet selected in the packet list pane, and highlights the field + selected in the packet details pane. +. The _packet diagram pane_ (see <<ChUsePacketDiagramPaneSection>>) displays the + packet selected in the packet list as a textbook-style diagram. +. The _statusbar_ (see <<ChUseStatusbarSection>>) shows some detailed + information about the current program state and the captured data. + +[TIP] +==== +The layout of the main window can be customized by changing preference settings. +See <<ChCustPreferencesSection>> for details. +==== + +[#ChUseMainWindowNavSection] + +==== Main Window Navigation + +Packet list and detail navigation can be done entirely from the keyboard. +<<ChUseTabNav>> shows a list of keystrokes that will let you quickly move around +a capture file. See <<ChUseTabGo>> for additional navigation keystrokes. + +[#ChUseTabNav] +.Keyboard Navigation +[options="header",cols="1,3"] +|=== +|Accelerator |Description +|kbd:[Tab] or kbd:[Shift+Tab]|Move between screen elements, e.g., from the toolbars to the packet list to the packet detail. +|kbd:[↓] |Move to the next packet or detail item. +|kbd:[↑] |Move to the previous packet or detail item. +|kbd:[Ctrl+↓] or kbd:[F8] |Move to the next packet, even if the packet list isn’t focused. +|kbd:[Ctrl+↑] or kbd:[F7] |Move to the previous packet, even if the packet list isn’t focused. +|kbd:[Ctrl+.] |Move to the next packet of the conversation (TCP, UDP or IP). +|kbd:[Ctrl+,] |Move to the previous packet of the conversation (TCP, UDP or IP). +|kbd:[Alt+→] or kbd:[Option+→] (macOS) |Move to the next packet in the selection history. +|kbd:[Alt+←] or kbd:[Option+←] (macOS) |Move to the previous packet in the selection history. +|kbd:[←] |In the packet detail, closes the selected tree item. If it’s already closed, jumps to the parent node. +|kbd:[→] |In the packet detail, opens the selected tree item. +|kbd:[Shift+→] |In the packet detail, opens the selected tree item and all of its subtrees. +|kbd:[Ctrl+→] |In the packet detail, opens all tree items. +|kbd:[Ctrl+←] |In the packet detail, closes all tree items. +|kbd:[Backspace] |In the packet detail, jumps to the parent node. +|kbd:[Return] or kbd:[Enter] |In the packet detail, toggles the selected tree item. +|=== + +menu:Help[About Wireshark,Keyboard Shortcuts] will show a list of all shortcuts +in the main window. Additionally, typing anywhere in the main window will start +filling in a display filter. + +[#ChUseMenuSection] + +=== The Menu + +Wireshark’s main menu is located either at the top of the main window (Windows, +Linux) or at the top of your main screen (macOS). An example is shown in +<<ChUseWiresharkMenu>>. + +[NOTE] +==== +Some menu items will be disabled (greyed out) if the corresponding feature isn’t +available. For example, you cannot save a capture file if you haven’t captured +or loaded any packets. +==== + +[#ChUseWiresharkMenu] +.The Menu +image::images/ws-menu.png[{screenshot-attrs}] + +The main menu contains the following items: + +menu:File[]:: +This menu contains items to open and merge capture files, save, print, or export +capture files in whole or in part, and to quit the Wireshark application. See +<<ChUseFileMenuSection>>. + +menu:Edit[]:: +This menu contains items to find a packet, time reference or mark one or more +packets, handle configuration profiles, and set your preferences; (cut, copy, +and paste are not presently implemented). See <<ChUseEditMenuSection>>. + +menu:View[]:: +This menu controls the display of the captured data, including colorization of +packets, zooming the font, showing a packet in a separate window, expanding and +collapsing trees in packet details, .... See <<ChUseViewMenuSection>>. + +menu:Go[]:: +This menu contains items to go to a specific packet. See <<ChUseGoMenuSection>>. + +menu:Capture[]:: +This menu allows you to start and stop captures and to edit capture filters. See +<<ChUseCaptureMenuSection>>. + +menu:Analyze[]:: +This menu contains items to manipulate display filters, enable or disable the +dissection of protocols, configure user specified decodes and follow a TCP +stream. See <<ChUseAnalyzeMenuSection>>. + +menu:Statistics[]:: +This menu contains items to display various statistic windows, including a +summary of the packets that have been captured, display protocol hierarchy +statistics and much more. See <<ChUseStatisticsMenuSection>>. + +menu:Telephony[]:: +This menu contains items to display various telephony related statistic windows, +including a media analysis, flow diagrams, display protocol hierarchy statistics +and much more. See <<ChUseTelephonyMenuSection>>. + +menu:Wireless[]:: +This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics. + +menu:Tools[]:: +This menu contains various tools available in Wireshark, such as creating +Firewall ACL Rules. See <<ChUseToolsMenuSection>>. + +menu:Help[]:: +This menu contains items to help the user, e.g., access to some basic help, +manual pages of the various command line tools, online access to some of the +webpages, and the usual about dialog. See <<ChUseHelpMenuSection>>. + +Each of these menu items is described in more detail in the sections that follow. + +[TIP] +.Shortcuts make life easier +==== +Most common menu items have keyboard shortcuts. For example, you can +press the Control and the K keys together to open the +“Capture Options” dialog. +==== + +[#ChUseFileMenuSection] + +=== The “File” Menu + +The Wireshark file menu contains the fields shown in <<ChUseTabFile>>. + +[#ChUseWiresharkFileMenu] +.The “File” Menu +image::images/ws-file-menu.png[{screenshot-attrs}] + +[#ChUseTabFile] +.File menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description + +|menu:Open...[] |kbd:[Ctrl+O]| +This shows the file open dialog box that allows you to load a +capture file for viewing. It is discussed in more detail in <<ChIOOpen>>. + +|menu:Open Recent[] | | +This lets you open recently opened capture files. +Clicking on one of the submenu items will open the corresponding capture file +directly. + +|menu:Merge...[] | | +This menu item lets you merge a capture file into the currently loaded one. It +is discussed in more detail in <<ChIOMergeSection>>. + +|menu:Import from Hex Dump...[] | | +This menu item brings up the import file dialog box that allows you to import a +text file containing a hex dump into a new temporary capture. It is discussed in +more detail in <<ChIOImportSection>>. + +|menu:Close[] |kbd:[Ctrl+W]| +This menu item closes the current capture. If you haven’t saved the capture, you +will be asked to do so first (this can be disabled by a preference setting). + +|menu:Save[] |kbd:[Ctrl+S]| +This menu item saves the current capture. If you have not set a default capture +file name (perhaps with the -w <capfile> option), Wireshark pops up the +Save Capture File As dialog box (which is discussed further in <<ChIOSaveAs>>). + +If you have already saved the current capture, this menu item will be greyed +out. + +You cannot save a live capture while the capture is in progress. You must +stop the capture in order to save. + +|menu:Save As...[] |kbd:[Shift+Ctrl+S]| +This menu item allows you to save the current capture file to whatever file you +would like. It pops up the Save Capture File As dialog box (which is discussed +further in <<ChIOSaveAs>>). + +|menu:File Set[List Files] || +This menu item allows you to show a list of files in a file set. It pops up the +Wireshark List File Set dialog box (which is discussed further in +<<ChIOFileSetSection>>). + +|menu:File Set[Next File] || +If the currently loaded file is part of a file set, jump to the next file in the +set. If it isn’t part of a file set or just the last file in that set, this item +is greyed out. + +|menu:File Set[Previous File] || +If the currently loaded file is part of a file set, jump to the previous file in +the set. If it isn’t part of a file set or just the first file in that set, this +item is greyed out. + +|menu:Export Specified Packets...[] || +This menu item allows you to export all (or some) of the packets in the capture +file to file. It pops up the Wireshark Export dialog box (which is discussed +further in <<ChIOExportSection>>). + +|menu:Export Packet Dissections...[]|kbd:[Ctrl+H]| +These menu items allow you to export the currently selected bytes in the packet +bytes pane to a text file in a number of formats including plain, CSV, +and XML. It is discussed further in <<ChIOExportSelectedDialog>>. + +|menu:Export Objects[] || +These menu items allow you to export captured DICOM, FTP-DATA, HTTP, IMF, SMB, +or TFTP objects into local files. It pops up a corresponding object list +(which is discussed further in <<ChIOExportObjectsDialog>>) + +|menu:Print...[] |kbd:[Ctrl+P]| +This menu item allows you to print all (or some) of the packets in the capture +file. It pops up the Wireshark Print dialog box (which is discussed further in +<<ChIOPrintSection>>). + +|menu:Quit[] |kbd:[Ctrl+Q]| +This menu item allows you to quit from Wireshark. Wireshark will ask to save +your capture file if you haven’t previously saved it (this can be disabled by a +preference setting). + +|=== + +[#ChUseEditMenuSection] + +=== The “Edit” Menu + +The Wireshark Edit menu contains the fields shown in <<ChUseTabEdit>>. + +[#ChUseWiresharkEditMenu] +.The “Edit” Menu +image::images/ws-edit-menu.png[{screenshot-attrs}] + +[#ChUseTabEdit] +.Edit menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description +|menu:Copy[] || +These menu items will copy the packet list, packet detail, or properties of +the currently selected packet to the clipboard. + +|menu:Find Packet...[] |kbd:[Ctrl+F] | +This menu item brings up a toolbar that allows you to find a packet by many +criteria. There is further information on finding packets in +<<ChWorkFindPacketSection>>. + +|menu:Find Next[] |kbd:[Ctrl+N] | +This menu item tries to find the next packet matching the settings from “Find +Packet...”. + +|menu:Find Previous[] |kbd:[Ctrl+B] | +This menu item tries to find the previous packet matching the settings from +“Find Packet...”. + +|menu:Mark/Unmark Selected[] |kbd:[Ctrl+M] | +This menu item marks the currently selected packet. See +<<ChWorkMarkPacketSection>> for details. + +|menu:Mark All Displayed Packets[] |kbd:[Ctrl+Shift+M]| +This menu item marks all displayed packets. + +|menu:Unmark All Displayed Packets[] |kbd:[Ctrl+Alt+M] | +This menu item unmarks all displayed packets. + +|menu:Next Mark[] |kbd:[Ctrl+Shift+N] | +Find the next marked packet. + +|menu:Previous Mark[] |kbd:[Ctrl+Shift+B] | +Find the previous marked packet. + +|menu:Ignore/Unignore Selected[] |kbd:[Ctrl+D] | +This menu item marks the currently selected packet as ignored. See +<<ChWorkIgnorePacketSection>> for details. + +|menu:Ignore All Displayed[] |kbd:[Ctrl+Shift+D]| +This menu item marks all displayed packets as ignored. + +|menu:Unignore All Displayed[] |kbd:[Ctrl+Alt+D] | +This menu item unmarks all ignored packets. + +|menu:Set/Unset Time Reference[] |kbd:[Ctrl+T] | +This menu item set a time reference on the currently selected packet. See +<<ChWorkTimeReferencePacketSection>> for more information about the time +referenced packets. + +|menu:Unset All Time References[] |kbd:[Ctrl+Alt+T] | +This menu item removes all time references on the packets. + +|menu:Next Time Reference[] |kbd:[Ctrl+Alt+N] | +This menu item tries to find the next time referenced packet. + +|menu:Previous Time Reference[] |kbd:[Ctrl+Alt+B] | +This menu item tries to find the previous time referenced packet. + +|menu:Time Shift...[] |kbd:[Ctrl+Shift+T]| +Opens the “Time Shift” dialog, which allows you to adjust the timestamps +of some or all packets. + +|menu:Packet Comment...[] |kbd:[Ctrl+Alt+C] | +Opens the “Packet Comment” dialog, which lets you add a comment to a +single packet. Note that the ability to save packet comments depends on +your file format. E.g., pcapng supports comments, pcap does not. + +|menu:Delete All Packet Comments[] || +This will delete all comments from all packets. Note that the ability to save +capture comments depends on your file format. E.g., pcapng supports +comments, pcap does not. + +|menu:Inject TLS Secrets[] || +Embeds the used TLS decryption secrets into the capture file, which lets +TLS be decrypted without having the separate keylog file. +Note that the ability to save decryption secrets depends on your file +format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not. + +|menu:Discard All Secrets[] || +This will discard all embedded decryption secrets from the capture file. +Note that the ability to save decryption secrets depends on your file +format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not. + +|menu:Configuration Profiles...[] |kbd:[Ctrl+Shift+A]| +This menu item brings up a dialog box for handling configuration profiles. More +detail is provided in <<ChCustConfigProfilesSection>>. + +|menu:Preferences...[] |kbd:[Ctrl+Shift+P] or kbd:[Cmd+,] (macOS)| +This menu item brings up a dialog box that allows you to set preferences for +many parameters that control Wireshark. You can also save your preferences so +Wireshark will use them the next time you start it. More detail is provided in +<<ChCustPreferencesSection>>. + +|=== + +[#ChUseViewMenuSection] + +=== The “View” Menu + +The Wireshark View menu contains the fields shown in <<ChUseTabView>>. + +[#ChUseWiresharkViewMenu] +.The “View” Menu +image::images/ws-view-menu.png[{screenshot-attrs}] + +[#ChUseTabView] +.View menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator|Description +|menu:Main Toolbar[] ||This menu item hides or shows the main toolbar, see <<ChUseMainToolbarSection>>. +|menu:Filter Toolbar[] ||This menu item hides or shows the filter toolbar, see <<ChUseFilterToolbarSection>>. +|menu:Wireless Toolbar[]||This menu item hides or shows the wireless toolbar. May not be present on some platforms. +|menu:Statusbar[] ||This menu item hides or shows the statusbar, see <<ChUseStatusbarSection>>. +|menu:Packet List[] ||This menu item hides or shows the packet list pane, see <<ChUsePacketListPaneSection>>. +|menu:Packet Details[] ||This menu item hides or shows the packet details pane, see <<ChUsePacketDetailsPaneSection>>. +|menu:Packet Bytes[] ||This menu item hides or shows the packet bytes pane, see <<ChUsePacketBytesPaneSection>>. +|menu:Packet Diagram[] ||This menu item hides or shows the packet diagram pane. See <<ChUsePacketDiagramPaneSection>>. +|menu:Time Display Format[Date and Time of Day: 1970-01-01 01:02:03.123456]|| Selecting this tells Wireshark to display the time stamps in date and time of day format, see <<ChWorkTimeFormatsSection>>. + +The fields “Time of Day”, “Date and Time of Day”, “Seconds Since First +Captured Packet”, “Seconds Since Previous Captured Packet” and “Seconds +Since Previous Displayed Packet” are mutually exclusive. + +|menu:Time Display Format[Time of Day: 01:02:03.123456]||Selecting this tells Wireshark to display time stamps in time of day format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Epoch (1970-01-01): 1234567890.123456]||Selecting this tells Wireshark to display time stamps in seconds since 1970-01-01 00:00:00, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since First Captured Packet: 123.123456]||Selecting this tells Wireshark to display time stamps in seconds since first captured packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Previous Captured Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous captured packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Previous Displayed Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Automatic (File Format Precision)]||Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see <<ChWorkTimeFormatsSection>>. + +The fields “Automatic”, “Seconds” and “...seconds” are mutually exclusive. + +|menu:Time Display Format[Seconds: 0]||Selecting this tells Wireshark to display time stamps with a precision of one second, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[...seconds: 0....]||Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Display Seconds with hours and minutes]||Selecting this tells Wireshark to display time stamps in seconds, with hours and minutes. +|menu:Name Resolution[Edit Resolved Name]||This item allows you to manually enter names to resolve IP addresses in the current packet, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for MAC Layer]||This item allows you to control whether or not Wireshark translates MAC addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for Network Layer]||This item allows you to control whether or not Wireshark translates network addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for Transport Layer]||This item allows you to control whether or not Wireshark translates transport addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Zoom In[] |kbd:[Ctrl++] | Zoom into the packet data (increase the font size). +|menu:Zoom Out[] |kbd:[Ctrl+-] | Zoom out of the packet data (decrease the font size). +|menu:Normal Size[] |kbd:[Ctrl+=] | Set zoom level back to 100% (set font size back to normal). +|menu:Expand Subtrees[] |kbd:[Shift+→]|This menu item expands the currently selected subtree in the packet details tree. +|menu:Collapse Subtrees[] |kbd:[Shift+←]|This menu item collapses the currently selected subtree in the packet details tree. +|menu:Expand All[] |kbd:[Ctrl+→] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture. +|menu:Collapse All[] |kbd:[Ctrl+←] |This menu item collapses the tree view of all packets in the capture list. +|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list. + +Enabling colorization will slow down the display of new packets while +capturing or loading capture files. + +|menu:Colorize Conversation[] | |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. <<ChCustColorizationSection>>. +|menu:Colorize Conversation[Color 1-10] | |These menu items enable one of the ten temporary color filters based on the currently selected conversation. +|menu:Colorize Conversation[Reset coloring] | |This menu item clears all temporary coloring rules. +|menu:Colorize Conversation[New Coloring Rule...] | |This menu item opens a dialog window in which a new permanent coloring rule can be created based on the currently selected conversation. +|menu:Coloring Rules...[] | |This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see <<ChCustColorizationSection>>. +|menu:Resize All Columns[] |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it. + +Resizing may take a significant amount of time, especially if a large capture file is loaded. + +|menu:Internals[] | |Information about various internal data structures. See <<ChUseInternals>> below for more information. + +|menu:Show Packet in New Window[] || +Shows the selected packet in a separate window. The separate window +shows only the packet details and bytes of that packet, and will +continue to do so even if another packet is selected in the main window. +See <<ChWorkPacketSepView>> for details. + +|menu:Reload[] |kbd:[Ctrl+R] |This menu item allows you to reload the current capture file. +|=== + +[#ChUseInternals] +.Internals menu items +[options="header",cols="3,5"] +|=== +|Menu Item|Description +|menu:Conversation Hash Tables[]| Shows the tuples (address and port combinations) used to identify each conversation. +|menu:Dissector Tables[]| Shows tables of subdissector relationships. +|menu:Supported Protocols[]| Displays supported protocols and protocol fields. +|=== + + +[#ChUseGoMenuSection] + +=== The “Go” Menu + +The Wireshark Go menu contains the fields shown in <<ChUseTabGo>>. + +[#ChUseWiresharkGoMenu] +.The “Go” Menu +image::images/ws-go-menu.png[{screenshot-attrs}] + +[#ChUseTabGo] +.Go menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description +|menu:Back[] |kbd:[Alt+←] |Jump to the recently visited packet in the packet history, much like the page history in a web browser. +|menu:Forward[] |kbd:[Alt+→] |Jump to the next visited packet in the packet history, much like the page history in a web browser. +|menu:Go to Packet...[] |kbd:[Ctrl+G] |Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details. +|menu:Go to Corresponding Packet[] | |Go to the corresponding packet of the currently selected protocol field (e.g., the reply +corresponding to a request packet, or vice versa). If the selected field doesn’t correspond to a packet, this item is greyed out. +|menu:Previous Packet[] |kbd:[Ctrl+↑]|Move to the previous packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:Next Packet[] |kbd:[Ctrl+↓]|Move to the next packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:First Packet[] |kbd:[Ctrl+Home] |Jump to the first packet of the capture file. +|menu:Last Packet[] |kbd:[Ctrl+End] |Jump to the last packet of the capture file. +|menu:Previous Packet In Conversation[] |kbd:[Ctrl+,] |Move to the previous packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:Next Packet In Conversation[] |kbd:[Ctrl+.] |Move to the next packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:Auto Scroll in Live Capture[] | |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane. +|=== + +[#ChUseCaptureMenuSection] + +=== The “Capture” Menu + +The Wireshark Capture menu contains the fields shown in <<ChUseTabCap>>. + +[#ChUseWiresharkCaptureMenu] +.The “Capture” Menu +image::images/ws-capture-menu.png[{screenshot-attrs}] + +[#ChUseTabCap] +.Capture menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description + +|menu:Options...[] |kbd:[Ctrl+K] | +Shows the Capture Options dialog box, which allows you to configure +interfaces and capture options. +See <<ChCapCaptureOptions>>. + +|menu:Start[] |kbd:[Ctrl+E] | +Immediately starts capturing packets with the same settings as the last +time. + +|menu:Stop[] |kbd:[Ctrl+E] | +Stops the currently running capture. See <<ChCapStopSection>>. + +|menu:Restart[] |kbd:[Ctrl+R] | +Stops the currently running capture and starts it again with the same +options. + +|menu:Capture Filters...[] | | +Shows a dialog box that allows you to create and edit capture filters. +You can name filters and save them for future use. +See <<ChWorkDefineFilterSection>>. + +|menu:Refresh Interfaces[] |kbd:[F5] | +Clear and recreate the interface list. + +|=== + +[#ChUseAnalyzeMenuSection] + +=== The “Analyze” Menu + +The Wireshark Analyze menu contains the fields shown in <<ChUseAnalyze>>. + +[#ChUseWiresharkAnalyzeMenu] +.The “Analyze” Menu +image::images/ws-analyze-menu.png[{screenshot-attrs}] + +[#ChUseAnalyze] +.Analyze menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Display Filters...[] || +Displays a dialog box that allows you to create and edit display +filters. You can name filters, and you can save them for future use. +See <<ChWorkDefineFilterSection>>. + +|menu:Display Filter Macros...[] || +Shows a dialog box that allows you to create and edit display filter +macros. You can name filter macros, and you can save them for future +use. +See <<ChWorkDefineFilterMacrosSection>>. + +|menu:Display Filter Expression...[] || +Shows a dialog box that allows you to build a display filter expression +to apply. This shows possible fields and their applicable relations and +values, and allows you to search by name and description. +See <<ChWorkFilterAddExpressionSection>>. + +|menu:Apply as Column[] |kbd:[Shift+Ctrl+I]| +Adds the selected protocol item in the packet details pane as a column +to the packet list. + +|menu:Apply as Filter[] || +Change the current display filter and apply it immediately. Depending on +the chosen menu item, the current display filter string will be replaced +or appended to by the selected protocol field in the packet details +pane. + +|menu:Prepare as Filter[] || +Change the current display filter but won’t apply it. Depending on the +chosen menu item, the current display filter string will be replaced or +appended to by the selected protocol field in the packet details pane. + +|menu:Conversation Filter[] || +Apply a conversation filter for various protocols. + +|menu:Enabled Protocols...[] |kbd:[Shift+Ctrl+E]| +Enable or disable various protocol dissectors. See <<ChAdvEnabledProtocols>>. + +|menu:Decode As...[] || +Decode certain packets as a particular protocol. See <<ChAdvDecodeAs>>. + +|menu:Follow[TCP Stream] || +Open a window that displays all the TCP segments captured that are on +the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] || +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[TLS Stream] || +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] || +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Show Packet Bytes[] || +Open a window allowing for decoding and reformatting packet bytes. +You can do actions like Base64 decode, decompress, interpret as +a different character encoding, interpret bytes as an image format, +and save, print, or copy to the clipboard the results. +See <<ChAdvShowPacketBytes>> for more information. + +|menu:Expert Info[] || +Open a window showing expert information found in the capture. +Some protocol dissectors add packet detail items for notable or unusual +behavior, such as invalid checksums or retransmissions. +Those items are shown here. +See <<ChAdvExpert>> for more information. + +The amount of information will vary depend on the protocol +|=== + +[#ChUseStatisticsMenuSection] + +=== The “Statistics” Menu + +The Wireshark Statistics menu contains the fields shown in <<ChUseStatistics>>. + +[#ChUseWiresharkStatisticsMenu] +.The “Statistics” Menu +image::images/ws-statistics-menu.png[{screenshot-attrs}] + +Each menu item brings up a new window showing specific statistics. + +[#ChUseStatistics] +.Statistics menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Capture File Properties[]|| Show information about the capture file, see <<ChStatSummary>>. +|menu:Resolved Addresses[]||See <<ChStatResolvedAddresses>> +|menu:Protocol Hierarchy[]|| Display a hierarchical tree of protocol statistics, see <<ChStatHierarchy>>. +|menu:Conversations[]|| Display a list of conversations (traffic between two endpoints), see <<ChStatConversationsWindow>>. +|menu:Endpoints[]|| Display a list of endpoints (traffic to/from an address), see <<ChStatEndpointsWindow>>. +|menu:Packet Lengths[]||See <<ChStatPacketLengths>> +|menu:I/O Graphs[]|| Display user specified graphs (e.g., the number of packets in the course of time), see <<ChStatIOGraphs>>. +|menu:Service Response Time[]|| Display the time between a request and the corresponding response, see <<ChStatSRT>>. +|menu:DHCP (BOOTP)[]||See <<ChStatDHCPBOOTP>> +|menu:NetPerfMeter[]||See <<ChStatNetPerfMeter>> +|menu:ONC-RPC Programs[]||See <<ChStatONCRPC>> +|menu:29West[]||See <<ChStat29West>> +|menu:ANCP[]||See <<ChStatANCP>> +|menu:BACnet[]||See <<ChStatBACnet>> +|menu:Collectd[]||See <<ChStatCollectd>> +|menu:DNS[]||See <<ChStatDNS>> +//|menu:Compare...[]||See <<ChStatOtherProtocols>> +|menu:Flow Graph[]||See <<ChStatFlowGraph>> +|menu:HART-IP[]||See <<ChStatHARTIP>> +|menu:HPFEEDS[]||See <<ChStatHPFEEDS>> +|menu:HTTP[]||HTTP request/response statistics, see <<ChStatHTTP>> +|menu:HTTP2[]||See <<ChStatHTTP2>> +|menu:Sametime[]||See <<ChStatSametime>> +|menu:TCP Stream Graphs[]||See <<ChStatTCPStreamGraphs>> +|menu:UDP Multicast Streams[]||See <<ChStatUDPMulticastStreams>> +|menu:Reliable Server Pooling (RSerPool)[]||See <<ChStatRSerPool>> +|menu:F5[]||See <<ChStatF5>> +|menu:IPv4 Statistics[]||See <<ChStatIPv4>> +|menu:IPv6 Statistics[]||See <<ChStatIPv6>> + + +|=== + +[#ChUseTelephonyMenuSection] + +=== The “Telephony” Menu + +The Wireshark Telephony menu contains the fields shown in <<ChUseTelephony>>. + +[#ChUseWiresharkTelephonyMenu] +.The “Telephony” Menu +image::images/ws-telephony-menu.png[{screenshot-attrs}] + +Each menu item shows specific telephony related statistics. + +[#ChUseTelephony] +.Telephony menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:VoIP Calls...[]||See <<ChTelVoipCalls>> +|menu:ANSI[]||See <<ChTelANSI>> +|menu:GSM[]||See <<ChTelGSM>> +|menu:IAX2 Stream Analysis[]||See <<ChTelIAX2Analysis>> +|menu:ISUP Messages[]||See <<ChTelISUPMessages>> +|menu:LTE[]||See <<ChTelLTE>> +|menu:MTP3[]||See <<ChTelMTP3>> +|menu:Osmux[]||See <<ChTelOsmux>> +|menu:RTP[]||See <<ChTelRTPStreams>> and <<ChTelRTPAnalysis>> +|menu:RTSP[]||See <<ChTelRTSP>> +|menu:SCTP[]||See <<ChTelSCTP>> +|menu:SMPP Operations[]||See <<ChTelSMPPOperations>> +|menu:UCP Messages[]||See <<ChTelUCPMessages>> +|menu:H.225[]||See <<ChTelH225>> +|menu:SIP Flows[]||See <<ChTelSIPFlows>> +|menu:SIP Statistics[]||See <<ChTelSIPStatistics>> +|menu:WAP-WSP Packet Counter[]||See <<ChTelWAPWSPPacketCounter>> + +|=== + +[#ChUseWirelessMenuSection] + +=== The “Wireless” Menu + +The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in <<ChUseWiresharkWirelessMenu>>. + +[#ChUseWiresharkWirelessMenu] +.The “Wireless” Menu +image::images/ws-wireless-menu.png[{screenshot-attrs}] + +Each menu item shows specific Bluetooth and IEEE 802.11 statistics. + +[#ChUseWireless] +.Wireless menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description + +|menu:Bluetooth ATT Server Attributes[]||See <<ChWirelessBluetoothATTServerAttributes>> +|menu:Bluetooth Devices[]||See <<ChWirelessBluetoothDevices>> +|menu:Bluetooth HCI Summary[]||See <<ChWirelessBluetoothHCISummary>> +|menu:WLAN Traffic[]||See <<ChWirelessWLANTraffic>> + +|=== + +[#ChUseToolsMenuSection] + +=== The “Tools” Menu + +The Wireshark Tools menu contains the fields shown in <<ChUseTools>>. + +[#ChUseWiresharkToolsMenu] +.The “Tools” Menu +image::images/ws-tools-menu.png[{screenshot-attrs}] + +[#ChUseTools] +.Tools menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Firewall ACL Rules[]|| This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. + +It is assumed that the rules will be applied to an outside interface. + +Menu item is greyed out unless one (and only one) frame is selected in the packet list. +|menu:Credentials[]|| This allows you to extract credentials from the current capture file. Some of the dissectors (ftp, http, imap, pop, smtp) have been instrumented to provide the module with usernames and passwords and more will be instrumented in the future. The window dialog provides you the packet number where the credentials have been found, the protocol that provided them, the username and protocol specific information. +|menu:MAC Address Blocks[]|| This allows viewing the IEEE MAC address registry data that Wireshark uses to resolve MAC address blocks to vendor names. The table can be searched by address prefix or vendor name. +|menu:TLS Keylog Launcher[]|| This can launch an application such as a web browser or a terminal window with the SSLKEYLOGFILE environment variable set to the same value as the TLS secret log file. Note that you will probably have to quit your existing web browser session in order to have it run under a fresh environment. +|menu:Lua Console[]|| This option allows you to work with the Lua interpreter optionally built into Wireshark, to inspect Lua internals and evaluate code. +See “Lua Support in Wireshark” in the Wireshark Developer’s Guide. +|=== + +[#ChUseHelpMenuSection] + +=== The “Help” Menu + +The Wireshark Help menu contains the fields shown in <<ChUseHelp>>. + +[#ChUseWiresharkHelpMenu] +.The “Help” Menu +image::images/ws-help-menu.png[{screenshot-attrs}] + +[#ChUseHelp] +.Help menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:User's Guide[]|F1| This menu item brings up the Wireshark User's Guide you're reading right now. +|menu:Manual Pages[...]|| This menu item starts a Web browser showing one of the locally installed html manual pages. +|menu:Website[]|| This menu item starts a Web browser showing the webpage from: link:{wireshark-main-url}[]. +|menu:FAQs[]|| This menu item starts a Web browser showing various FAQs. +|menu:Downloads[]|| This menu item starts a Web browser showing the downloads from: link:{wireshark-download-url}[]. +|menu:Wiki[]|| This menu item starts a Web browser showing the front page from: link:{wireshark-wiki-url}[]. +|menu:Sample Captures[]|| This menu item starts a Web browser showing the sample captures from: link:{wireshark-wiki-url}SampleCaptures[]. +|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it’s built, the plugins loaded, the used folders, ... + +|=== + +[NOTE] +==== +Opening a Web browser might be unsupported in your version of Wireshark. If this +is the case the corresponding menu items will be hidden. + +If calling a Web browser fails on your machine, nothing happens, or the browser +starts but no page is shown, have a look at the web browser setting in the +preferences dialog. +==== + +[#ChUseMainToolbarSection] + +=== The “Main” Toolbar + +The main toolbar provides quick access to frequently used items +from the menu. This toolbar cannot be customized by the user, but it can +be hidden using the View menu if the space on the screen is needed to +show more packet data. + +Items in the toolbar will be enabled or disabled (greyed out) similar to +their corresponding menu items. For example, in the image below shows +the main window toolbar after a file has been opened. Various +file-related buttons are enabled, but the stop capture button is +disabled because a capture is not in progress. + +[#ChUseWiresharkMainToolbar] + +.The “Main” toolbar +image::images/ws-main-toolbar.png[{screenshot-attrs}] + +:toolbar-icon-attrs: height=24,width=24 + +[#ChUseMainToolbar] +.Main toolbar items +[options="header",cols="1,2,2,4"] +|=== +|Toolbar Icon|Toolbar Item|Menu Item|Description +|image:images/toolbar/x-capture-start.png[{toolbar-icon-attrs}] |btn:[Start]|menu:Capture[Start]| Starts capturing packets with the same options as the last capture or the default options if none were set (<<ChCapCapturingSection>>). +|image:images/toolbar/x-capture-stop.png[{toolbar-icon-attrs}] |btn:[Stop]|menu:Capture[Stop]| Stops the currently running capture (<<ChCapCapturingSection>>). +|image:images/toolbar/x-capture-restart.png[{toolbar-icon-attrs}] |btn:[Restart]|menu:Capture[Restart]| Restarts the current capture session. +|image:images/toolbar/x-capture-options.png[{toolbar-icon-attrs}] |btn:[Options...]|menu:Capture[Options...]| Opens the “Capture Options” dialog box. See <<ChCapCapturingSection>> for details. +// -- +|image:images/toolbar/document-open.png[{toolbar-icon-attrs}] |btn:[Open...]|menu:File[Open...]| Opens the file open dialog box, which allows you to load a capture file for viewing. It is discussed in more detail in <<ChIOOpen>>. +|image:images/toolbar/x-capture-file-save.png[{toolbar-icon-attrs}] |btn:[Save As...]|menu:File[Save As...]| Save the current capture file to whatever file you would like. See <<ChIOSaveAs>> for details. If you currently have a temporary capture file open the “Save” icon will be shown instead. +|image:images/toolbar/x-capture-file-close.png[{toolbar-icon-attrs}] |btn:[Close]|menu:File[Close]|Closes the current capture. If you have not saved the capture, you will be asked to save it first. +|image:images/toolbar/x-capture-file-reload.png[{toolbar-icon-attrs}] |btn:[Reload]|menu:View[Reload]| Reloads the current capture file. +// -- +|image:images/toolbar/edit-find.png[{toolbar-icon-attrs}] |btn:[Find Packet...]|menu:Edit[Find Packet...]|Find a packet based on different criteria. See <<ChWorkFindPacketSection>> for details. +|image:images/toolbar/go-previous.png[{toolbar-icon-attrs}] |btn:[Go Back]|menu:Go[Go Back]|Jump back in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go back in the selection history. +|image:images/toolbar/go-next.png[{toolbar-icon-attrs}] |btn:[Go Forward]|menu:Go[Go Forward]|Jump forward in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go forward in the selection history. +|image:images/toolbar/go-jump.png[{toolbar-icon-attrs}] |btn:[Go to Packet...]|menu:Go[Go to Packet...]| Go to a specific packet. +|image:images/toolbar/go-first.png[{toolbar-icon-attrs}] |btn:[Go To First Packet]|menu:Go[First Packet]| Jump to the first packet of the capture file. +|image:images/toolbar/go-last.png[{toolbar-icon-attrs}] |btn:[Go To Last Packet]|menu:Go[Last Packet]| Jump to the last packet of the capture file. +|image:images/toolbar/x-stay-last.png[{toolbar-icon-attrs}] |btn:[Auto Scroll in Live Capture]|menu:View[Auto Scroll in Live Capture]| Auto scroll packet list while doing a live capture (or not). +// -- +|image:images/toolbar/x-colorize-packets.png[{toolbar-icon-attrs}] |btn:[Colorize]|menu:View[Colorize]| Colorize the packet list (or not). +// -- +|image:images/toolbar/zoom-in.png[{toolbar-icon-attrs}] |btn:[Zoom In]|menu:View[Zoom In]| Zoom into the packet data (increase the font size). +|image:images/toolbar/zoom-out.png[{toolbar-icon-attrs}] |btn:[Zoom Out]|menu:View[Zoom Out]| Zoom out of the packet data (decrease the font size). +|image:images/toolbar/zoom-original.png[{toolbar-icon-attrs}] |btn:[Normal Size]|menu:View[Normal Size]| Set zoom level back to 100%. +|image:images/toolbar/x-resize-columns.png[{toolbar-icon-attrs}] |btn:[Resize Columns]|menu:View[Resize Columns]| Resize columns, so the content fits into them. +|image:images/toolbar/x-reset-layout_2.png[{toolbar-icon-attrs}] |btn:[Reset Layout]|menu:View[Reset Layout]| Reset layout to default size. +// -- +//|image:images/toolbar/stock_colorselector_24.png[{toolbar-icon-attrs}]|btn:[Coloring Rules...]|menu:View[Coloring Rules...]| This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in <<ChCustColorizationSection>>. +|=== + +[#ChUseFilterToolbarSection] + +=== The “Filter” Toolbar + +The filter toolbar lets you quickly edit and apply display filters. More +information on display filters is available in <<ChWorkDisplayFilterSection>>. + +[#ChUseWiresharkFilterToolbar] + +.The “Filter” toolbar +image::images/ws-filter-toolbar.png[{screenshot-attrs}] + +// Icons themselves are 32px high. +:filter-icon-attrs: height=24 + +[#ChUseFilterToolbar] +.Filter toolbar items +[options="header",cols="1,3,5"] +|=== +|Toolbar Icon|Name|Description +|image:images/toolbar/filter-toolbar-bookmark.png[{filter-icon-attrs}]|Bookmarks|Manage or select <<ChWorkDefineFilterSection,saved filters>>. +|image:images/toolbar/filter-toolbar-input.png[{filter-icon-attrs}]|Filter Input|The area to enter or edit a display filter string, see <<ChWorkBuildDisplayFilterSection>>. A syntax check of your filter string is done while you are typing. The background will turn red if you enter an incomplete or invalid string, and will become green when you enter a valid string. + +After you’ve changed something in this field, don’t forget to press the Apply +button (or the Enter/Return key), to apply this filter string to the display. + +This field is also where the current applied filter is displayed. + +|image:images/toolbar/filter-toolbar-clear.png[{filter-icon-attrs}]|Clear|Reset the current display filter and clear the edit area. +|image:images/toolbar/filter-toolbar-apply.png[{filter-icon-attrs}]|Apply|Apply the current value in the edit area as the new display filter. + +Applying a display filter on large capture files might take quite a long time. + +|image:images/toolbar/filter-toolbar-recent.png[{filter-icon-attrs}]|Recent|Select from a list of recently applied filters. +|image:images/toolbar/filter-toolbar-add.png[{filter-icon-attrs}]|Add Button|Add a new filter button. +|btn:[Squirrels]|Filter Button| +Filter buttons are handy shortcuts that apply a display filter as soon as you press them. +You can create filter buttons by pressing the btn:[{plus}] button, right-clicking in the filter button area, or opening the <<ChCustFilterButtons,Filter Button>> section of the <<ChCustPreferencesSection,Preferences Dialog>>. +The example shows a filter button with the label “Squirrels”. +If you have lots of buttons you can arrange them into groups by using “//” as a label separator. +For example, if you create buttons named “Not Squirrels // Rabbits” and “Not Squirrels // Capybaras” they will show up in the toolbar under a single button named “Not Squirrels”. + +|=== + + +[#ChUsePacketListPaneSection] + +=== The “Packet List” Pane + +The packet list pane displays all the packets in the current capture file. + +[#ChUseWiresharkListPane] +.The “Packet List” pane +image::images/ws-list-pane.png[{screenshot-attrs}] + +Each line in the packet list corresponds to one packet in the capture file. If +you select a line in this pane, more details will be displayed in the “Packet +Details” and “Packet Bytes” panes. + +While dissecting a packet, Wireshark will place information from the protocol +dissectors into the columns. As higher-level protocols might overwrite +information from lower levels, you will typically see the information from the +highest possible level only. + +For example, let’s look at a packet containing TCP inside IP inside an Ethernet +packet. The Ethernet dissector will write its data (such as the Ethernet +addresses), the IP dissector will overwrite this by its own (such as the IP +addresses), the TCP dissector will overwrite the IP information, and so on. + +There are many different columns available. You can choose which columns are +displayed in the preferences. See <<ChCustPreferencesSection>>. + +The default columns will show: + +* btn:[No.] The number of the packet in the capture file. This number won’t + change, even if a display filter is used. + +* btn:[Time] The timestamp of the packet. The presentation format of this + timestamp can be changed, see <<ChWorkTimeFormatsSection>>. + +* btn:[Source] The address where this packet is coming from. + +* btn:[Destination] The address where this packet is going to. + +* btn:[Protocol] The protocol name in a short (perhaps abbreviated) version. + +* btn:[Length] The length of each packet. + +* btn:[Info] Additional information about the packet content. + +The first column shows how each packet is related to the selected packet. For +example, in the image above the first packet is selected, which is a DNS +request. Wireshark shows a rightward arrow for the request itself, followed by a +leftward arrow for the response in packet 2. Why is there a dashed line? There +are more DNS packets further down that use the same port numbers. Wireshark +treats them as belonging to the same conversation and draws a line connecting +them. + +// Images were created on macOS 10.11 using a retina display. Lines were +// 36 physical pixels high. + +[horizontal] +.Related packet symbols + +image:images/related-first.png[{related-attrs}]:: + First packet in a conversation. + +image:images/related-current.png[{related-attrs}]:: + Part of the selected conversation. + +image:images/related-other.png[{related-attrs}]:: + _Not_ part of the selected conversation. + +image:images/related-last.png[{related-attrs}]:: + Last packet in a conversation. + +image:images/related-request.png[{related-attrs}]:: + Request. + +image:images/related-response.png[{related-attrs}]:: + Response. + +image:images/related-ack.png[{related-attrs}]:: + The selected packet acknowledges this packet. + +image:images/related-dup-ack.png[{related-attrs}]:: + The selected packet is a duplicate acknowledgement of this packet. + +image:images/related-segment.png[{related-attrs}]:: + The selected packet is related to this packet in some other way, e.g., as part + of reassembly. + +The packet list has an _Intelligent Scrollbar_ which shows a miniature map of +nearby packets. Each https://en.wikipedia.org/wiki/Raster_graphics[raster line] +of the scrollbar corresponds to a single packet, so the number of packets shown +in the map depends on your physical display and the height of the packet list. A +tall packet list on a high-resolution (“Retina”) display will show you quite a +few packets. In the image above the scrollbar shows the status of more than 500 +packets along with the 15 shown in the packet list itself. + +Right clicking will show a context menu, described in +<<ChWorkPacketListPanePopUpMenu>>. + +[#ChUsePacketDetailsPaneSection] + +=== The “Packet Details” Pane + +The packet details pane shows the current packet (selected in the “Packet List” +pane) in a more detailed form. + +[#ChUseWiresharkDetailsPane] + +.The “Packet Details” pane +image::images/ws-details-pane.png[{screenshot-attrs}] + +This pane shows the protocols and protocol fields of the packet selected in the +“Packet List” pane. The protocol summary lines (subtree labels) and fields of the +packet are shown in a tree which can be expanded and collapsed. + +There is a context menu (right mouse click) available. See details in +<<ChWorkPacketDetailsPanePopUpMenu>>. + +Some protocol fields have special meanings. + +* *Generated fields.* Wireshark itself will generate additional protocol + information which isn’t present in the captured data. This information + is enclosed in square brackets (“[” and “]”). Generated information + includes response times, TCP analysis, IP geolocation information, and + checksum validation. + +* *Links.* If Wireshark detects a relationship to another packet in the capture + file it will generate a link to that packet. Links are underlined and + displayed in blue. If you double-clicked on a link Wireshark will jump to the + corresponding packet. + +[#ChUsePacketBytesPaneSection] + +=== The “Packet Bytes” Pane + +The packet bytes pane shows the data of the current packet (selected in the +“Packet List” pane) in a hexdump style. + +[#ChUseWiresharkBytesPane] + +.The “Packet Bytes” pane +image::images/ws-bytes-pane.png[{screenshot-attrs}] + +The “Packet Bytes” pane shows a canonical +https://en.wikipedia.org/wiki/Hex_dump[hex dump] of the packet data. Each line +contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. +Non-printable bytes are replaced with a period (“.”). + +Depending on the packet data, sometimes more than one page is available, e.g. +when Wireshark has reassembled some packets into a single chunk of data. (See +<<ChAdvReassemblySection>> for details). In this case you can see each data +source by clicking its corresponding tab at the bottom of the pane. + +The default mode for viewing will highlight the bytes for a field where the +mouse pointer is hovering above. The highlight will follow the mouse cursor +as it moves. If this highlighting is not required or wanted, there are two +methods for deactivating the functionality: + +* *Temporary* By holding down the Ctrl button while moving the mouse, the + highlighted field will not change + +* *Permanently* Using the context menu (right mouse click) the hover highlighting + may be activated/deactivated. This setting is stored in the selected profile + __recent__ file. + +[#ChUseWiresharkBytesPaneTabs] +.The “Packet Bytes” pane with tabs +image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}] + +Additional tabs typically contain data reassembled from multiple packets or +decrypted data. + +[#ChUsePacketDiagramPaneSection] + +=== The “Packet Diagram” Pane + +The packet diagram pane shows the current packet (selected in the “Packet List” +pane) as a diagram, similar to ones used in textbooks and IETF RFCs. + +[#ChUseWiresharkDiagramPane] + +.The “Packet Diagram” pane +image::images/ws-diagram-pane.png[{screenshot-attrs}] + +This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams. + +There is a context menu (right mouse click) available. +For details see <<ChWorkPacketDiagramPanePopUpMenu>>. + +[#ChUseStatusbarSection] + +=== The Statusbar + +The statusbar displays informational messages. + +In general, the left side will show context related information, the middle part +will show information about the current capture file, and the right side will +show the selected configuration profile. Drag the handles between the text areas +to change the size. + +[#ChUseWiresharkStatusbarEmpty] +.The initial Statusbar +image::images/ws-statusbar-empty.png[{statusbar-attrs}] + +This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started. + +[#ChUseWiresharkStatusbarLoaded] +.The Statusbar with a loaded capture file +image::images/ws-statusbar-loaded.png[{statusbar-attrs}] + +The colorized bullet...:: on the left shows the highest expert information level found in the currently loaded capture file. +Hovering the mouse over this icon will show a description of the expert info level, and clicking the icon will bring up the Expert Information dialog box. +For a detailed description of this dialog and each expert level, see <<ChAdvExpert>>. + +The edit icon...:: on the left side lets you add a comment to the capture file using the <<ChStatSummary,Capture File Properties>> dialog. + +The left side...:: shows the capture file name by default. +It also shows field information when hovering over and selecting items in the packet detail and packet bytes panes, as well as general notifications. + +The middle...:: shows the current number of packets in the capture file. +The following values are displayed: + +Packets::: The number of captured packets. + +Displayed::: The number of packets currently being displayed. + +Marked::: The number of marked packets. Only displayed if you marked any packets. + +Dropped::: The number of dropped packets Only displayed if Wireshark was unable to capture all packets. + +Ignored::: The number of ignored packets Only displayed if you ignored any packets. + +//Load time::: The time it took to load the capture (wall clock time). + +The right side...:: shows the selected configuration profile. +Clicking on this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile. + +[#ChUseWiresharkStatusbarProfile] +.The Statusbar with a configuration profile menu +image::images/ws-statusbar-profile.png[{pdf-scaledwidth},height=192] + +For a detailed description of configuration profiles, see <<ChCustConfigProfilesSection>>. + +[#ChUseWiresharkStatusbarSelected] +.The Statusbar with a selected protocol field +image::images/ws-statusbar-selected.png[{statusbar-attrs}] + +This is displayed if you have selected a protocol field in the “Packet Details” pane. + +[TIP] +==== +The value between the parentheses (in this example “ipv6.src”) is the display filter field for the selected item. +You can become more familiar with display filter fields by selecting different packet detail items. +==== + +[#ChUseWiresharkStatusbarFilter] + +//FIXME: Remove or choose a better example of a display filter message. +.The Statusbar with a display filter message +image::images/ws-statusbar-filter.png[{statusbar-attrs}] + +This is displayed if you are trying to use a display filter which may have unexpected results. + +// End of WSUG Chapter 3 diff --git a/doc/wsug_src/wsug_wireless.adoc b/doc/wsug_src/wsug_wireless.adoc new file mode 100644 index 00000000..445d6abb --- /dev/null +++ b/doc/wsug_src/wsug_wireless.adoc @@ -0,0 +1,75 @@ +// WSUG Chapter Wireless + +[#ChWireless] + +== Wireless + +[#ChWirelessIntroduction] + +=== Introduction + +The Wireless menu provides access to statistics related to wireless traffic. +For configuring keys to decrypt wireless traffic, see <<Ch80211Keys>> + +[#ChWirelessBluetoothATTServerAttributes] + +=== Bluetooth ATT Server Attributes + +Bluetooth ATT Server Attributes window displays a list of captured Attribute Protocol (ATT) packets. The user can filter the list by the interfaces or devices, and also exclude repetitions by checking the `Remove duplicates` check box. + +`Handle` is a unique attribute which is specific to the device. + +`UUID` is a value which defines a type of an attribute. + +`UUID Name` is a specified name for the captured packet. + +[#ChWirelessBluetoothDevices] + +=== Bluetooth Devices + +The Bluetooth Devices window displays the list of the captured information about devices, such as MAC address, Organizationally Unique Identifier (OUI), Name and other. Users can filter it by interface. + +.Bluetooth Devices window +image::images/ws-bluetooth-devices.png[{screenshot-attrs}] + +[#ChWirelessBluetoothHCISummary] + +=== Bluetooth HCI Summary + +The Bluetooth HCI Summary window displays the summary for the captured Host Controller Interface (HCI) layer packets. This window allows users to apply filters and choose to display information about specific interfaces or devices. + +.Bluetooth HCI Summary window +image::images/ws-bt-hci-summary.png[{screenshot-attrs}] + +[#ChWirelessWLANTraffic] + +=== WLAN Traffic + +Statistics about captured WLAN traffic. This can be found under the +menu:Wireless[] menu and summarizes the wireless network traffic found +in the capture. Probe requests will be merged into an existing network +if the SSID matches. + +.The “WLAN Traffic Statistics” window +image::images/ws-stats-wlan-traffic.png[{screenshot-attrs}] + +Each row in the list shows the statistical values for exactly one wireless +network. + +_Name resolution_ will be done if selected in the window and if it is active for +the MAC layer. + +_Only show existing networks_ will exclude probe requests with a SSID not +matching any network from the list. + +The btn:[Copy] button will copy the list values to the clipboard in CSV (Comma +Separated Values) format. + + +[TIP] +==== +This window will be updated frequently, so it will be useful, even if you open +it before (or while) you are doing a live capture. +==== + +// End of WSUG Chapter Wireless diff --git a/doc/wsug_src/wsug_work.adoc b/doc/wsug_src/wsug_work.adoc new file mode 100644 index 00000000..39499a89 --- /dev/null +++ b/doc/wsug_src/wsug_work.adoc @@ -0,0 +1,1557 @@ +// WSUG Chapter Work + +[#ChapterWork] + +== Working With Captured Packets + +[#ChWorkViewPacketsSection] + +=== Viewing Packets You Have Captured + +Once you have captured some packets or you have opened a previously saved +capture file, you can view the packets that are displayed in the packet list +pane by simply clicking on a packet in the packet list pane, which will bring up +the selected packet in the tree view and byte view panes. + +You can then expand any part of the tree to view detailed information about each +protocol in each packet. Clicking on an item in the tree will highlight the +corresponding bytes in the byte view. An example with a TCP packet selected is +shown in <<ChWorkSelPack1>>. It also has the Acknowledgment number in the TCP +header selected, which shows up in the byte view as the selected bytes. + +[#ChWorkSelPack1] + +.Wireshark with a TCP packet selected for viewing +image::images/ws-packet-selected.png[{screenshot-attrs}] + +You can also select and view packets the same way while Wireshark is capturing +if you selected “Update list of packets in real time” in the “Capture +Preferences” dialog box. + +In addition you can view individual packets in a separate window as shown in +<<ChWorkPacketSepView>>. You can do this by double-clicking on an item in the +packet list or by selecting the packet in which you are interested in the packet +list pane and selecting menu:View[Show Packet in New Window]. This allows you to +easily compare two or more packets, even across multiple files. + +[#ChWorkPacketSepView] + +.Viewing a packet in a separate window +image::images/ws-packet-sep-win.png[{screenshot-attrs}] + +Along with double-clicking the packet list and using the main menu there are a +number of other ways to open a new packet window: + +- Hold down the shift key and double-click on a frame link in the packet + details. +- From <<PacketListPopupMenuTable>>. +- From <<PacketDetailsPopupMenuTable>>. + +[#ChWorkDisplayPopUpSection] + +=== Pop-up Menus + +You can open a pop-up menu over the “Packet List”, its column heading, +“Packet Details”, or “Packet Bytes” by clicking your right mouse button +on the corresponding item. + +[#ChWorkColumnHeaderPopUpMenuSection] + +==== Pop-up Menu Of The “Packet List” Column Header + +[#ChWorkColumnHeaderPopUpMenu] +.Pop-up menu of the “Packet List” column header +image::images/ws-column-header-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this header, where to find the corresponding function in the main +menu, and a description of each item. + +[#ColumnHeaderPopupMenuTable] +.The menu items of the “Packet List” column header pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Align Left[] | +Left-align values in this column. + +|menu:Align Center[] | +Center-align values in this column. + +|menu:Align Right[] | +Right-align values in this column. + +|menu:Column Preferences...[] | +Open the “Preferences” dialog for this column. + +|menu:Edit Column[] | +Open the column editor toolbar for this column. + +|menu:Resize To Contents[] | +Resize the column to fit its values. + +|menu:Resolve Names[] | +If this column contains addresses, resolve them. + +| _No., Time, Source, et al._ | +Show or hide a column by selecting its item. + +|menu:Remove Column[] | +Remove this column, similar to deleting it in the “Preferences” dialog. + +|=== + +[#ChWorkPacketListPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet List” Pane + +[#ChWorkPacketListPanePopUpMenu] + +.Pop-up menu of the “Packet List” pane +image::images/ws-packet-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane, where to find the corresponding function in the main menu, +and a short description of each item. + +[#PacketListPopupMenuTable] +.The menu items of the “Packet List” pop-up menu +[options="header",cols="3,1,6"] +|=== +|Item |Corresponding main menu item |Description +|menu:Mark Packet (toggle)[]|menu:Edit[]| Mark or unmark a packet. +|menu:Ignore Packet (toggle)[]|menu:Edit[]| Ignore or inspect this packet while dissecting the capture file. +|menu:Set Time Reference (toggle)[]|menu:Edit[]| Set or reset a time reference. + +|menu:Time Shift[] |menu:Edit[] | +Opens the “Time Shift” dialog, which allows you to adjust the timestamps +of some or all packets. + +|menu:Packet Comment...[] |menu:Edit[] | +Opens the “Packet Comment” dialog, which lets you add a comment to a +single packet. Note that the ability to save packet comments depends on +your file format. E.g., pcapng supports comments, pcap does not. + +|menu:Edit Resolved Name[]|| +Allows you to enter a name to resolve for the selected address. + +|menu:Apply as Filter[]|menu:Analyze[]| +Immediately replace or append the current display filter based on the most recent packet list or packet details item selected. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be applied. + +|menu:Prepare as Filter[]|menu:Analyze[]| +Change the current display filter based on the most recent packet list or packet details item selected, but don't apply it. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be changed. + +// XXX - add a new section describing this better. +|menu:Conversation Filter[] || +Apply a display filter with the address information from the selected packet. +For example, the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. + +|menu:Colorize Conversation[] || +Create a new colorizing rule based on address information from the selected packet. + +|menu:SCTP[] || +Allows you to analyze and prepare a filter for this SCTP association. + +|menu:Follow[TCP Stream] |menu:Analyze[] | +Open a window that displays all the TCP segments captured that are on the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[DCCP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for DCCP streams. + +|menu:Follow[TLS Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Copy[Summary as Text] || +Copy the summary fields as displayed to the clipboard as tab-separated +text. + +|menu:Copy[...as CSV] || +Copy the summary fields as displayed to the clipboard as comma-separated +text. + +|menu:Copy[...as YAML] || +Copy the summary fields as displayed to the clipboard as YAML data. + +|menu:Copy[As Filter] || +Prepare a display filter based on the currently selected item and copy +that filter to the clipboard. + +|menu:Copy[Bytes as Hex + ASCII Dump] || +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:Copy[...as Hex Dump] || +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:Copy[...as Printable Text] || +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:Copy[...as a Hex Stream] || +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:Copy[...as Raw Binary] || +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:Protocol Preferences[] || +Adjust the preferences for the selected protocol. + +|menu:Decode As...[] |menu:Analyze[] | +Change or apply a new relation between two dissectors. + +|menu:Show Packet in New Window[] |menu:View[] | +Shows the selected packet in a separate window. The separate window +shows only the packet details and bytes. See <<ChWorkPacketSepView>> for +details. + +|=== + + +[#ChWorkPacketDetailsPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Details” Pane + +[#ChWorkPacketDetailsPanePopUpMenu] + +.Pop-up menu of the “Packet Details” pane +image::images/ws-details-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available in this +pane, where to find the corresponding function in the main menu, and a short +description of each item. + +[#PacketDetailsPopupMenuTable] + +.The menu items of the “Packet Details” pop-up menu +[options="header",cols="3,1,6"] +|=== +|Item |Corresponding main menu item |Description +|menu:Expand Subtrees[]|menu:View[]| Expand the currently selected subtree. +|menu:Collapse Subtrees[]|menu:View[]| Collapse the currently selected subtree. +|menu:Expand All[]|menu:View[]| Expand all subtrees in all packets in the capture. +|menu:Collapse All[]|menu:View[]| Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list. +|menu:Edit Resolved Name[]|menu:View[]| Allows you to enter a name to resolve for the selected address. +|menu:Apply as Column[]|| Use the selected protocol item to create a new column in the packet list. + +|menu:Apply as Filter[]|menu:Analyze[]| +Immediately replace or append the current display filter based on the most recent packet list or packet details item selected. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be applied. + +|menu:Prepare as Filter[]|menu:Analyze[]| +Change the current display filter based on the most recent packet list or packet details item selected, but don't apply it. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be changed. + +|menu:Colorize with Filter[]|| This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule. + +|menu:Follow[TCP Stream] |menu:Analyze[] | +Open a window that displays all the TCP segments captured that are on the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[TLS Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Copy[All Visible Items] |menu:Edit[] | +Copy the packet details as displayed. + +|menu:Copy[All Visible Selected Tree Items] |menu:Edit[] | +Copy the selected packet detail and its children as displayed. + +|menu:Copy[Description] |menu:Edit[] | +Copy the displayed text of the selected field to the system clipboard. + +|menu:Copy[Fieldname] |menu:Edit[] | +Copy the name of the selected field to the system clipboard. + +|menu:Copy[Value] |menu:Edit[] | +Copy the value of the selected field to the system clipboard. + +|menu:Copy[As Filter]| menu:Edit[] | +Prepare a display filter based on the currently selected item and copy +it to the clipboard. + +|menu:Copy[Bytes as Hex + ASCII Dump] || +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:Copy[...as Hex Dump] || +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:Copy[...as Printable Text] || +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:Copy[...as a Hex Stream] || +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:Copy[...as Raw Binary] || +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:Copy[...as Escaped String] || +Copy the packet bytes to the clipboard as C-style escape sequences. + +|menu:Export Packet Bytes...[] |menu:File[] | +This menu item is the same as the File menu item of the same name. It +allows you to export raw packet bytes to a binary file. + +|menu:Wiki Protocol Page[]|| Open the wiki page for the selected protocol in your web browser. +|menu:Filter Field Reference[]|| Open the filter field reference web page for the selected protocol in your web browser. + +|menu:Protocol Preferences[] || +Adjust the preferences for the selected protocol. + +|menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors. + +|menu:Go to Linked Packet[] |menu:Go[] | +If the selected field has a corresponding packet such as the matching +request for a DNS response, go to it. + +|menu:Show Linked Packet in New Window[] |menu:Go[] | +If the selected field has a corresponding packet such as the matching +request for a DNS response, show the selected packet in a separate +window. See <<ChWorkPacketSepView>> for details. + +|=== + +[#ChWorkPacketBytesPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Bytes” Pane + +[#ChWorkPacketBytesPanePopUpMenu] + +.Pop-up menu of the “Packet Bytes” pane +image::images/ws-bytes-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane along with a short description of each item. + +[#PacketBytesPopupMenuTable] + +.The menu items of the “Packet Bytes” pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Copy Bytes as Hex + ASCII Dump[] | +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:...as Hex Dump[] | +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:...as Printable Text[] | +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:...as a Hex Stream[] | +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:...as Raw Binary[] | +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:...as Escaped String[] | +Copy the packet bytes to the clipboard as C-style escape sequences. + +|menu:Show bytes as hexadecimal[] | +Display the byte data as hexadecimal digits. + +|menu:Show bytes as bits[] | +Display the byte data as binary digits. + +|menu:Show text based on packet[] | +Show the “hexdump” data with text. + +|menu:...as ASCII[] | +Use ASCII encoding when displaying “hexdump” text. + +|menu:...as EBCDIC[] | +Use EBCDIC encoding when displaying “hexdump” text. + +|=== + +[#ChWorkPacketDiagramPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Diagram” Pane + +[#ChWorkPacketDiagramPanePopUpMenu] + +.Pop-up menu of the “Packet Diagram” pane +image::images/ws-diagram-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane along with a short description of each item. + +[#PacketDiagramPopupMenuTable] + +.The menu items of the “Packet Diagram” pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Show Field Values[] | +Display current value for each field on the packet diagram. + +|menu:Save Diagram As...[] | +Save the packet diagram to an image file (PNG, BMP, JPEG). + +|menu:Copy as Raster Image[] | +Copy the packet diagram to the clipboard in raster (ARGB32) format. + +// |menu:…as SVG[] | +// (macOS) Copy the packet diagram to the clipboard in SVG format. + +|=== + +[#ChWorkDisplayFilterSection] + +=== Filtering Packets While Viewing + +Wireshark has two filtering languages: _capture filters_ and _display filters_. +_Capture filters_ are used for filtering +when capturing packets and are discussed in <<ChCapCaptureFilterSection>>. +_Display filters_ are used for filtering +which packets are displayed and are discussed below. +For more information about _display filter_ syntax, see the +link:{wireshark-man-page-url}wireshark-filter.html[wireshark-filter(4)] man page. + +Display filters allow you to concentrate on the packets you are interested in +while hiding the currently uninteresting ones. They allow you to only display packets +based on: + +* Protocol + +* The presence of a field + +* The values of fields + +* A comparison between fields + +* ... and a lot more! + +To only display packets containing a particular protocol, type the protocol name +in the display filter toolbar of the Wireshark +window and press enter to apply the filter. <<ChWorkTCPFilter>> shows an +example of what happens when you type _tcp_ in the display filter toolbar. + +[NOTE] +==== +Protocol and field names are usually in lowercase. +==== + +[NOTE] +==== +Don’t forget to press enter or click on the apply display filter button after entering the filter +expression. +==== + + +[#ChWorkTCPFilter] + +.Filtering on the TCP protocol +image::images/ws-display-filter-tcp.png[{screenshot-attrs}] + +As you may have noticed, only packets containing the TCP protocol are now displayed, +so packets 1-10 are hidden and packet number 11 +is the first packet displayed. + +[NOTE] +==== +When using a display filter, all packets remain in the capture file. The display +filter only changes the display of the capture file but not its content! +==== + +To remove the filter, click on the btn:[Clear] button to the right of the +display filter field. All packets will become visible again. + +Display filters can be very powerful and are discussed in further detail in +<<ChWorkBuildDisplayFilterSection>> + +It's also possible to create display filters with the +_Display Filter Expression_ dialog box. More information about +the _Display Filter Expression_ dialog box is available in +<<ChWorkFilterAddExpressionSection>>. + + +[#ChWorkBuildDisplayFilterSection] + +=== Building Display Filter Expressions + +Wireshark provides a display filter language that enables you +to precisely control which packets are displayed. They can be used +to check for the presence of a protocol or field, the value of a field, or +even compare two fields to each other. These comparisons can be combined +with logical operators, like "and" and "or", and parentheses +into complex expressions. + +The following sections will go into the display filter functionality in +more detail. + +[TIP] +==== +There are many display filter examples on the _Wireshark Wiki Display +Filter page_ at: link:{wireshark-wiki-url}DisplayFilters[]. +==== + +==== Display Filter Fields + +The simplest display filter is one that displays a single protocol. +To only display packets containing a particular protocol, type the protocol +into Wireshark's display filter toolbar. For example, to only +display TCP packets, type _tcp_ into Wireshark's display filter toolbar. +Similarly, to only display +packets containing a particular field, type the field +into Wireshark's display filter toolbar. For example, to only display +HTTP requests, type _http.request_ into Wireshark's display filter toolbar. + +You can filter on any protocol that Wireshark supports. You can +also filter on any field that a dissector adds to the tree view, if the dissector +has added an abbreviation for that field. A full list of the available protocols +and fields is available through the menu item +menu:View[Internals,Supported Protocols]. + +// XXX - add some more info here and a link to the statusbar info. + +==== Comparing Values + +You can build display filters that compare values using a number of different +comparison operators. For example, to only display packets to or +from the IP address 192.168.0.1, use `ip.addr==192.168.0.1`. + +A complete list of available comparison operators is shown in <<DispCompOps>>. + +[TIP] +==== +English and C-like operators are interchangeable and can be mixed within a filter string. +==== + +[#DispCompOps] + +.Display Filter comparison operators +[options="header",cols="1,1,1,3,3"] +|=== +| English | Alias | C-like | Description | Example +| eq | any_eq | == | Equal (any if more than one) | `ip.src == 10.0.0.5` +| ne | all_ne | != | Not equal (all if more than one) | `ip.src != 10.0.0.5` +| | all_eq | === | Equal (all if more than one) | `ip.src === 10.0.0.5` +| | any_ne | !== | Not equal (any if more than one) | `ip.src !== 10.0.0.5` +| gt | | > | Greater than | `frame.len > 10` +| lt | | < | Less than | `frame.len < 128` +| ge | | >= | Greater than or equal to | `frame.len ge 0x100` +| le | | \<= | Less than or equal to | `frame.len \<= 0x20` +| contains | | | Protocol, field or slice contains a value | `sip.To contains "a1762"` +| matches | | ~ | Protocol or text field matches a Perl-compatible regular expression| `http.host matches "acme\\.(org\|com\|net)"` +|=== + + +[NOTE] +==== +The meaning of != (all not equal) was changed in Wireshark 3.6. +Before it used to mean "any not equal". +==== + +All protocol fields have a type. <<ChWorkFieldTypes>> provides a list +of the types with examples of how to use them in display filters. + +[#ChWorkFieldTypes] + +===== Display Filter Field Types + +Unsigned integer:: + Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, octal, + hexadecimal or binary. The following display filters are equivalent: ++ +`ip.len le 1500` ++ +`ip.len le 02734` ++ +`ip.len le 0x5dc` ++ +`ip.len le 0b10111011100` + +Signed integer:: + Can be 8, 16, 24, 32, or 64 bits. As with unsigned integers you can use + decimal, octal, hexadecimal or binary. + +Boolean:: + Can be 1 or "True", 0 or "False" (without quotes). ++ +A Boolean field is present regardless if its value is true or false. For example, +`tcp.flags.syn` is present in all TCP packets containing the flag, whether +the SYN flag is 0 or 1. To only match TCP packets with the SYN flag set, you need +to use `tcp.flags.syn == 1` or `tcp.flags.syn == True`. + +Ethernet address:: + 6 bytes separated by a colon (:), dot (.), or dash (-) with one or two bytes between separators: ++ +`eth.dst == ff:ff:ff:ff:ff:ff` ++ +`eth.dst == ff-ff-ff-ff-ff-ff` ++ +`eth.dst == ffff.ffff.ffff` + +IPv4 address:: + `ip.addr == 192.168.0.1` ++ +Classless InterDomain Routing (CIDR) notation can be used to test if +an IPv4 address is in a certain subnet. For example, this display +filter will find all packets in the 129.111 Class-B network: ++ +`ip.addr == 129.111.0.0/16` + +IPv6 address:: + `ipv6.addr == ::1` ++ +As with IPv4 addresses, IPv6 addresses can match a subnet. + +Text string:: + `http.request.uri == "https://www.wireshark.org/"` ++ +Strings are a sequence of bytes. Functions like `lower()` use ASCII, otherwise +no particular encoding is assumed. String literals are specified with double +quotes. Characters can also be specified using a byte escape sequence using +hex \x__hh__ or octal {backslash}__ddd__, where _h_ and _d_ are hex and octal +numerical digits respectively: ++ +`dns.qry.name contains "www.\x77\x69\x72\x65\x73\x68\x61\x72\x6b.org"` ++ +Alternatively, a raw string syntax can be used. Such strings are prefixed with `r` or `R` and treat +backslash as a literal character. ++ +`http.user_agent matches r"\(X11;"` + +Date and time:: +`frame.time == "Sep 26, 2004 23:18:04.954975"` ++ +`ntp.xmt ge "2020-07-04 12:34:56"` ++ +The value of an absolute time field is expressed as a string, using one of the +two formats above. Fractional seconds can be omitted or specified up to +nanosecond precision; extra trailing zeros are allowed but not other digits. +The string cannot take a time zone suffix, and is always parsed as in the local +time zone, even for fields that are displayed in UTC. ++ +In the first format, the abbreviated month names must be in English regardless +of locale. In the second format, any number of time fields may be omitted, in +the order from least significant (seconds) to most, but at least the entire +date must be specified: ++ +`frame.time < "2022-01-01"` ++ +In the second format, a `T` may appear between the date and time as in +ISO 8601, but not when less significant times are dropped. + +[#ChWorkFilterExamples] + +===== Some Examples + +---- +udp contains 81:60:03 +---- +The display filter above matches packets that contains the 3-byte sequence 0x81, 0x60, +0x03 anywhere in the UDP header or payload. +---- +sip.To contains "a1762" +---- +The display filter above matches packets where the SIP To-header contains the string "a1762" +anywhere in the header. +---- +http.host matches "acme\\.(org|com|net)" +---- +The display filter above matches HTTP packets where the HOST header contains +acme.org, acme.com, or acme.net. +Comparisons are case-insensitive. +---- +tcp.flags & 0x02 +---- +That display filter will match all packets that contain the “tcp.flags” field with the 0x02 bit, +i.e., the SYN bit, set. + +===== Possible Pitfalls Using Regular Expressions + +String literals containing regular expressions are parsed twice. Once by Wireshark's display +filter engine and again by the PCRE2 library. It's important to keep this in mind when using +the "matches" operator with regex escape sequences and special characters. + +For example, the filter expression `+frame matches "AB\x43"+` uses the string `+"ABC"+` as input +pattern to PCRE. However, the expression `+frame matches "AB\\x43"+` uses the string `+"AB\x43"+` +as the pattern. In this case both expressions give the same result because Wireshark and PCRE +both support the same byte escape sequence (0x43 is the ASCII hex code for `C`). + +An example where this fails badly is `+foo matches "bar\x28"+`. Because 0x28 is the ASCII +code for `(` the pattern input to PCRE is `+"bar("+`. This regular expression is syntactically +invalid (missing closing parenthesis). To match a literal parenthesis in a display filter regular +expression it must be escaped (twice) with backslashes. + +TIP: Using raw strings avoids most problem with the "matches" operator and double escape requirements. + +==== Combining Expressions + +You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>> + +[#FiltLogOps] + +.Display Filter Logical Operations +[options="header",cols="1,1,1,4"] +|=== +|English |C-like |Description | Example +|and |&&| Logical AND | `ip.src==10.0.0.5 and tcp.flags.fin` +|or |\|\| | Logical OR | `ip.src==10.0.0.5 or ip.src==192.1.1.1` +|xor |^^ | Logical XOR | `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29` +|not |! | Logical NOT | `not llc` +|[...] | | Subsequence | See “Slice Operator” below. +|in | | Set Membership| http.request.method in {"HEAD", "GET"}. See “Membership Operator” below. +|=== + +==== Slice Operator +Wireshark allows you to select a subsequence of byte arrays (including +protocols) or text strings in rather elaborate ways. After a label you can +place a pair of brackets [] containing a comma separated list of range +specifiers. +---- +eth.src[0:3] == 00:00:83 +---- +The example above uses the n:m format to specify a single range. In this case n +is the beginning offset and m is the length of the range being specified. +---- +eth.src[1-2] == 00:83 +---- +The example above uses the n-m format to specify a single range. In this case n +is the beginning offset and m is the ending offset. +---- +eth.src[:4] == 00:00:83:00 +---- +The example above uses the :m format, which takes everything from the beginning +of a sequence to offset m. It is equivalent to 0:m +---- +eth.src[4:] == 20:20 +---- +The example above uses the n: format, which takes everything from offset n to +the end of the sequence. +---- +eth.src[2] == 83 +---- +The example above uses the n format to specify a single range. In this case the +element in the sequence at offset n is selected. This is equivalent to n:1. +---- +eth.src[0:3,1-2,:4,4:,2] == +00:00:83:00:83:00:00:83:00:20:20:83 +---- +Wireshark allows you to string together single ranges in a comma separated list +to form compound ranges as shown above. + +You can use the slice operator on a protocol name, too, to slice the +bytes associated with that protocol. The `+frame+` protocol can be useful, +encompassing all the captured data (not including secondary data sources +like decrypted data.) + +Offsets can be negative, indicating an offset from the end of a field. +---- +frame[-4:4] == 0.1.2.3 +frame[-4] == 0.1.2.3 +---- +The two examples above both check the last four bytes of a frame. + +Slices of string fields yield strings, and are indexed on codepoint +boundaries after conversation of the string to UTF-8, not bytes. +---- +http.content_type[0:4] == "text" +smpp.message_text[:10] == "Абвгдеёжзи" +---- +The second example above will match regardless of whether the original +string was in Windows-1251, UTF-8, or UTF-16, so long as the converted +string starts with those ten characters. + +Byte slices can be directly compared to strings; this converts the +string to the corresponding UTF-8 byte sequence. To compare string +slices with byte sequences, use the @ operator, below. + +==== The Layer Operator + +A field can be restricted to a certain layer in the protocol stack using the +layer operator (#), followed by a decimal number: + + ip.addr#2 == 192.168.30.40 + +matches only the inner (second) layer in the packet. +Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1. +For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2". + +For more complicated ranges the same syntax used with slices is valid: + + tcp.port#[2-4] + +means layers number 2, 3 or 4 inclusive. The hash symbol is required to +distinguish a layer range from a slice. + +==== The At Operator +By prefixing the field name with an at sign (@) the comparison is done against +the raw packet data for the field. + +A character string must be decoded from a source encoding during dissection. +If there are decoding errors the resulting string will usually contain +replacement characters: + +[subs="replacements"] +---- +browser.comment == "string is ����" +---- + +The at operator allows testing the raw undecoded data: +---- +@browser.comment == 73:74:72:69:6e:67:20:69:73:20:aa:aa:aa:aa +---- + +The syntactical rules for a bytes field type apply to the second example. + +[NOTE] +==== +When a bytes field is compared with a literal string, it is compared +with the UTF-8 representation of that string. The at operator compares +a string field with the actual byte representation in the original encoding, +which may not be UTF-8. + +As an example, SMPP has a bytes field, `+smpp.message+`, and a string +field, `+smpp.message_text+`, that refer to the same data. If the +first four characters of the message is the string "Text" in the UTF-16 +encoding, the following filters all match. + +---- +smpp.message[:8] == 00:54:00:65:00:73:00:74 +smpp.message[:8] == "\x00T\x00e\x00s\x00t" +smpp.message_text[:4] == "Test" +smpp.message_text[:4] == "\x54\x65\x73\x74" +@smpp.message_text[:8] == 00:54:00:65:00:73:00:74 +@smpp.message_text[:8] == "\x00T\x00e\x00s\x00t" +---- + +The following filters do *NOT* match. + +---- +@smpp.message_text[:4] == "\x00T\x00e\x00s\x00t" +smpp.message[:4] == "Test" +smpp.message[:8] == "Test" +@smpp.message_text[:4] == "Test" +@smpp.message_text[:8] == "Test" +---- + +The first filter above does not match because of operator precedence +left-to-right; `+@smpp.message_text` is converted to bytes before the +slice operator is applied, so the length of the necessary slice is 8. +The other filters do not match because the literal string "Test" is +always converted to its 4 octet UTF-8 representation when comparing +against bytes, and it does not match the UTF-16 representation of +the field bytes. + +==== + +==== Membership Operator +Wireshark allows you to test a field for membership in a set of values or +fields. After the field name, use the `in` operator followed by the set items +surrounded by braces {}. For example, to display packets with a TCP source or +destination port of 80, 443, or 8080, you can use `tcp.port in {80, 443, 8080}`. +Set elements must be separated by commas. +The set of values can also contain ranges: `tcp.port in {443,4430..4434}`. + +[NOTE] +==== +The display filter +---- +tcp.port in {80, 443, 8080} +---- +is equivalent to +---- +tcp.port == 80 || tcp.port == 443 || tcp.port == 8080 +---- +However, the display filter +---- +tcp.port in {443, 4430..4434} +---- +is not equivalent to +---- +tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434) +---- +This is because comparison operators are satisfied when _any_ field +matches the filter, so a packet with a source port of 56789 and +destination port of port 80 would also match the second filter +since `56789 >= 4430 && 80 \<= 4434` is true. In contrast, the +membership operator tests a single field against the range condition. +==== + + + +Sets are not just limited to numbers, other types can be used as well: +---- +http.request.method in {"HEAD", "GET"} +ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9} +frame.time_delta in {10 .. 10.5} +---- + +==== Arithmetic operators + +You can perform the arithmetic operations on numeric fields shown in <<ArithmeticOps>> + +[#ArithmeticOps] + +.Display Filter Arithmetic Operations +[options="header",cols="1,1,1,4"] +|=== +|Name |Syntax | Alternative | Description +|Unary minus |-A | | Negation of A +|Addition |A + B | | Add B to A +|Subtraction |A - B | | Subtract B from A +|Multiplication |A * B | | Multiply A times B +|Division |A / B | | Divide A by B +|Modulo |A % B | | Remainder of A divided by B +|Bitwise AND |A & B | A bitand B | Bitwise AND of A and B +|=== + +An unfortunate quirk in the filter syntax is that the subtraction +operator must be preceded by a space character, so "A-B" must be +written as "A -B" or "A - B". + +Arithmetic expressions can be grouped using curly braces. + +For example, frames where capture length resulted in truncated TCP options: +---- +frame.cap_len < { 14 + ip.hdr_len + tcp.hdr_len } +---- + +==== Functions + +The display filter language has a number of functions to convert fields, see +<<DispFunctions>>. + +[#DispFunctions] +.Display Filter Functions +[options="header",cols="1,4"] +|=== +|Function|Description +|upper |Converts a string field to uppercase. +|lower |Converts a string field to lowercase. +|len |Returns the byte length of a string or bytes field. +|count |Returns the number of field occurrences in a frame. +|string |Converts a non-string field to a string. +|vals |Converts a field value to its value string, if it has one. +|dec |Converts an unsigned integer field to a decimal string. +|hex |Converts an unsigned integer field to a hexadecimal string. +|max |Return the maximum value for the arguments. +|min |Return the minimum value for the arguments. +|abs |Return the absolute value for the argument. +|=== + +The `upper` and `lower` functions can used to force case-insensitive matches: +`lower(http.server) contains "apache"`. + +To find HTTP requests with long request URIs: `len(http.request.uri) > 100`. +Note that the `len` function yields the string length in bytes rather than +(multi-byte) characters. + +Usually an IP frame has only two addresses (source and destination), but in case +of ICMP errors or tunneling, a single packet might contain even more addresses. +These packets can be found with `count(ip.addr) > 2`. + +The `string` function converts a field value to a string, suitable for use with operators +like "matches" or "contains". Integer fields are converted to their decimal representation. +It can be used with IP/Ethernet addresses (as well as others), but not with string or +byte fields. + +For example, to match odd frame numbers: +---- +string(frame.number) matches "[13579]$" +---- + +To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31): +---- +string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255" +---- + +The `vals` function converts an integer or boolean field value to a string +using the field's associated value string, if it has one. + +The functions max() and min() take any number of arguments of the same type +and returns the largest/smallest respectively of the set. + +---- +max(tcp.srcport, tcp.dstport) <= 1024 +---- + +==== Field References + +An expression of the form ${some.proto.field} is called a field reference. +Its value is read from the corresponding field in the currently selected +field in the GUI. This is a powerful way to build dynamic filters, such +as frames since the last five minutes to the selected frame: + +---- +frame.time_relative >= ${frame.time_relative} - 300 +---- + +or all HTTP packets whose `+ip.dst` value equals the "A" record of +the DNS response in the current frame: + +---- +http && ip.dst eq ${dns.a} +---- + +The notation of field references is similar to that of macros but they are +syntactically distinct. Field references, like other complex filters, make +excellent use cases for <<ChWorkDefineFilterMacrosSection,macros>>, +<<ChWorkDefineFilterSection,saved filters>>, and +<<ChCustFilterButtons,filter buttons>> + +[#ChWorkBuildDisplayFilterTransitional] + +==== Sometimes Fields Change Names + +As protocols evolve they sometimes change names or are superseded by +newer standards. For example, DHCP extends and has largely replaced +BOOTP and TLS has replaced SSL. If a protocol dissector originally used +the older names and fields for a protocol the Wireshark development team +might update it to use the newer names and fields. In such cases they +will add an alias from the old protocol name to the new one in order to +make the transition easier. + +For example, the DHCP dissector was originally developed for the BOOTP +protocol but as of Wireshark 3.0 all of the “bootp” display filter +fields have been renamed to their “dhcp” equivalents. You can still use +the old filter names for the time being, e.g., “bootp.type” is equivalent +to “dhcp.type” but Wireshark will show the warning “"bootp" is deprecated” +when you use it. Support for the deprecated fields may be removed in the future. + +==== Some protocol names can be ambiguous +In some particular cases relational expressions (equal, less than, etc.) +can be ambiguous. The filter name of a protocol or protocol field can contain +any letter and digit in any order, possibly separated by dots. That can be +indistinguishable from a literal value (usually numerical values in hexadecimal). +For example the semantic value of `fc` can be the protocol Fibre Channel or the +number 0xFC in hexadecimal because the 0x prefix is optional for hexadecimal numbers. + +Any value that matches a registered protocol or protocol field filter name is +interpreted semantically as such. If it doesn't match a protocol name the normal +rules for parsing literal values apply. + +So in the case of 'fc' the lexical token is interpreted as "Fibre Channel" and +not 0xFC. In the case of 'fd' it would be interpreted as 0xFD because it is a +well-formed hexadecimal literal value (according to the rules of display filter +language syntax) and there is no protocol registered with the filter name 'fd'. + +How ambiguous values are interpreted may change in the future. To avoid this +problem and resolve the ambiguity there is additional syntax available. +Values prefixed with a dot are always treated as a protocol name. The +dot stands for the root of the protocol namespace and is optional). Values +prefixed with a colon are always interpreted as a byte array. +---- +frame[10:] contains .fc or frame[10] == :fc +---- +If you are writing a script, or you think your expression may not be giving the +expected results because of the syntactical ambiguity of some filter expression +it is advisable to use the explicit syntax to indicate the correct meaning for +that expression. + +[#ChWorkFilterAddExpressionSection] + +=== The “Display Filter Expression” Dialog Box + +When you are accustomed to Wireshark’s filtering system and know what labels you +wish to use in your filters it can be very quick to simply type a filter string. +However, if you are new to Wireshark or are working with a slightly unfamiliar +protocol it can be very confusing to try to figure out what to type. The +“Display Filter Expression” dialog box helps with this. + +[TIP] +==== +The “Display Filter Expression” dialog box is an excellent way to learn how to write +Wireshark display filter strings. +==== + + +[#ChWorkFilterAddExpression1] + +.The “Display Filter Expression” dialog box +image::images/ws-filter-add-expression.png[{screenshot-attrs}] +// Screenshot from Wireshark 3.1.1 + +When you first bring up the Display Filter Expression dialog box you are shown a tree +of field names, organized by protocol, and a box for selecting a relation. + +Field Name:: +Select a protocol field from the protocol field tree. Every protocol with +filterable fields is listed at the top level. You can search for a particular +protocol entry by entering the first few letters of the protocol name. By +expanding a protocol name you can get a list of the field names available for +filtering for that protocol. + +Relation:: +Select a relation from the list of available relation. The _is present_ is a +unary relation which is true if the selected field is present in a packet. All +other listed relations are binary relations which require additional data (e.g. +a _Value_ to match) to complete. ++ +When you select a field from the field name list and select a binary relation +(such as the equality relation ==) you will be given the opportunity to enter a +value, and possibly some range information. + +Value:: +You may enter an appropriate value in the _Value_ text box. The _Value_ will +also indicate the type of value for the _Field Name_ you have selected (like +character string). + +Predefined Values:: +Some of the protocol fields have predefined values available, much like enumerations +in C. If the selected protocol field has such values defined, you can choose one +of them here. + +Search:: +Lets you search for a full or partial field name or description. +Regular expressions are supported. +For example, searching for “tcp.*flag” shows the TCP flags fields supported by a wide variety of dissectors, while “^tcp.flag” shows only the TCP flags fields supported by the TCP dissector. + +Range:: +A range of integers or a group of ranges, such as `1-12` or `39-42,98-2000`. + +btn:[Help]:: +Opens this section of the User’s Guide. + +btn:[OK]:: +When you have built a satisfactory expression click btn:[OK] and a filter string +will be built for you. + +btn:[Cancel]:: +You can leave the “Add Expression...” dialog box without any effect by +clicking the btn:[Cancel] button. + +[#ChWorkDefineFilterSection] + +=== Defining And Saving Filters + +You create pre-defined filters that appear in the capture and display filter bookmark menus (image:images/toolbar/filter-toolbar-bookmark.png[height=16,width=12]). +This can save time in remembering and retyping some of the more complex filters you use. + +To create or edit capture filters, select menu:Manage Capture Filters[] from the capture filter bookmark menu or menu:Capture[Capture Filters...] from the main menu. +Display filters can be created or edited by selecting menu:Manage Display Filters[] from the display filter bookmark menu or menu:Analyze[Display Filters...] from the main menu. +Wireshark will open the corresponding dialog as shown in <<FiltersDialog>>. +The two dialogs look and work similar to one another. +Both are described here, and the differences are noted as needed. + +[#FiltersDialog] + +.The “Capture Filters” and “Display Filters” dialog boxes +image::images/ws-filters.png[{screenshot-attrs}] + +btn:[{plus}]:: +Adds a new filter to the list. +You can edit the filter name or expression by double-clicking on it. ++ +The filter name is used in this dialog to identify the filter for your convenience and is not used elsewhere. +You can create multiple filters with the same name, but this is not very useful. ++ +When typing in a filter string, the background color will change depending on the validity of the filter similar to the main capture and display filter toolbars. + +btn:[-]:: +Delete the selected filter. +This will be greyed out if no filter is selected. + +// XXX Asciidoctor doesn't seem to allow images in DL terms, otherwise we could use +// list-copy.template.png here. +btn:[Copy]:: +Copy the selected filter. +This will be greyed out if no filter is selected. + +btn:[OK]:: +Saves the filter settings and closes the dialog. + +btn:[Cancel]:: +Closes the dialog without saving any changes. + +[#ChWorkDefineFilterMacrosSection] + +=== Defining And Saving Filter Macros + +Display Filter Macros are a mechanism to create shortcuts for complex filters. +You can define a filter macro with Wireshark and label it for later use. +This can save time in remembering and retyping some of the more complex filters +you use. + +To define and save your own filter macros, follow the steps below: + +. In the main menu select menu:Analyze[Display Filter Macros...]. Wireshark will open a corresponding dialog <<FilterMacrosDialog>>. ++ +[#FilterMacrosDialog] ++ +.Display Filter Macros window +image::images/ws-filter-macros.png[{screenshot-attrs}] + +. To add a new filter macro, click the btn:[{plus}] button in the bottom-left corner. A new row will appear in the Display Filter Macros table above. + +. Enter the name of your macro in the `Macro Name` column. Enter your filter macro in the `Macro Expression` column. + +. To save your modifications, click the btn:[OK] button in the bottom-right corner of the <<FilterMacrosDialog>>. + +==== Display Filter Macros syntax + +Display filter macros are invoked with the macro name and a number of +input arguments. There are several supported syntaxes. + +The `Macro Name` must consist of ASCII alphanumerics or the '_' character. +(Note that the presence of a '.' character would indicate a +<<_field_references,field reference>>.) + +The `Macro Expression` is replacement text for the macro name. It substitutes +$1, $2, $3, ... with the input arguments. + +For example, defining a display filter macro named _$$tcp_conv$$_ whose text is + +---- +(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) +or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) +---- + +would allow to use a display filter like + +---- +$tcp_conv(10.1.1.2,10.1.1.3,1200,1400) +---- + +or alternatively + +---- +${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} +---- + +or + +---- +${tcp_conv;10.1.1.2;10.1.1.3;1200;1400} +---- + +instead of typing the whole filter. Both notations are equivalent. Once defined, a macro can +be used in <<ChWorkDefineFilterSection,saved display (but not +capture) filters>> and <<ChCustFilterButtons,filter buttons>>. + +[#ChWorkFindPacketSection] + +=== Finding Packets + +You can easily find packets once you have captured some packets or have +read in a previously saved capture file. Simply select menu:Edit[Find +Packet...] in the main menu. Wireshark will open a toolbar between the +main toolbar and the packet list shown in <<ChWorkFindPacketToolbar>>. + +==== The “Find Packet” Toolbar + +[#ChWorkFindPacketToolbar] + +.The “Find Packet” toolbar +image::images/ws-find-packet.png[{screenshot-attrs}] + +You can search using the following criteria: + +Display filter:: + Enter a display filter string into the text entry field and click the btn:[Find] button. + + + For example, to find the three-way handshake for a connection from host 192.168.0.1, use the following filter string: ++ +---- +ip.src==192.168.0.1 and tcp.flags.syn==1 +---- ++ +The value to be found will be syntax checked while you type it in. If +the syntax check of your value succeeds, the background of the entry +field will turn green, if it fails, it will turn red. For more details +see <<ChWorkDisplayFilterSection>> + +Hexadecimal Value:: + Search for a specific byte sequence in the packet data. ++ +For example, use “ef:bb:bf” to find the next packet that contains the +link:{wikipedia-main-url}Byte_order_mark[UTF-8 byte order mark]. + +String:: + Find a string in the packet data, with various options. + +Regular Expression:: + Search the packet data using link:{pcre2pattern-url}[Perl-compatible + regular expressions]. PCRE patterns are beyond the scope of this + document, but typing “pcre test” into your favorite search engine + should return a number of sites that will help you test and explore + your expressions. + +[#ChWorkGoToPacketSection] + +=== Go To A Specific Packet + +You can easily jump to specific packets with one of the menu items in +the menu:Go[] menu. + +==== The “Go Back” Command + +Go back in the packet history, works much like the page history in most +web browsers. + +==== The “Go Forward” Command + +Go forward in the packet history, works much like the page history in +most web browsers. + +==== The “Go to Packet” Toolbar + +[#ChWorkGoToPacketToolbar] + +.The “Go To Packet” toolbar +image::images/ws-goto-packet.png[{screenshot-attrs}] + +This toolbar can be opened by selecting menu:Go[Go to packet...] from +the main menu. It appears between the main toolbar and the packet list, +similar to the <<ChWorkFindPacketToolbar,”Find Packet” toolbar>>. + +When you enter a packet number and press btn:[Go to packet] +Wireshark will jump to that packet. + +==== The “Go to Corresponding Packet” Command + +If a protocol field is selected which points to another packet in the capture +file, this command will jump to that packet. + +As these protocol fields now work like links (just as in your Web browser), it’s +easier to simply double-click on the field to jump to the corresponding field. + +==== The “Go to First Packet” Command + +This command will jump to the first packet displayed. + +==== The “Go to Last Packet” Command + +This command will jump to the last packet displayed. + +[#ChWorkMarkPacketSection] + +=== Marking Packets + +You can mark packets in the “Packet List” pane. A marked packet will be shown +with black background, regardless of the coloring rules set. Marking a packet +can be useful to find it later while analyzing in a large capture file. + +Marked packet information is not stored in the capture file or anywhere +else. It will be lost when the capture file is closed. + +You can use packet marking to control the output of packets when saving, +exporting, or printing. To do so, an option in the packet range is available, +see <<ChIOPacketRangeSection>>. + +There are several ways to mark and unmark packets. From the menu:Edit[] menu +you can select from the following: + +* menu:Mark/Unmark Selected[] toggles the marked state of the current selection. + This option is also available in the packet list context menu. + +* menu:Mark All Displayed[] set the mark state of all displayed packets. + +* menu:Unmark All Displayed[] reset the mark state of all packets. + +You can also mark and unmark a packet by clicking on it in the packet list +with the middle mouse button. + +[#ChWorkIgnorePacketSection] + +=== Ignoring Packets + +You can ignore packets in the “Packet List” pane. Wireshark will then +pretend that they not exist in the capture file. An ignored packet will +be shown with white background and grey foreground, regardless of the +coloring rules set. + +Ignored packet information is not stored in the capture file or anywhere +else. It will be lost when the capture file is closed. + +There are several ways to ignore and unignore packets. From the +menu:Edit[] menu you can select from the following: + +* menu:Ignore/Unignore Selected[] toggles the ignored state of the current selection. + This option is also available in the packet list context menu. + +* menu:Ignore All Displayed[] set the ignored state of all displayed packets. + +* menu:Unignore All Displayed[] reset the ignored state of all packets. + +[#ChWorkTimeFormatsSection] + +=== Time Display Formats And Time References + +While packets are captured, each packet is timestamped. These timestamps will be +saved to the capture file, so they will be available for later analysis. + +A detailed description of timestamps, timezones and alike can be found at: +<<ChAdvTimestamps>>. + +The timestamp presentation format and the precision in the packet list can be +chosen using the View menu, see <<ChUseWiresharkViewMenu>>. + +The available presentation formats are: + +* menu:Date and Time of Day: 1970-01-01 01:02:03.123456[] The absolute date and time + of the day when the packet was captured. + +* menu:Time of Day: 01:02:03.123456[] The absolute time of the day when the packet + was captured. + +* menu:Seconds Since First Captured Packet: 123.123456[] The time relative to the + start of the capture file or the first “Time Reference” before this packet + (see <<ChWorkTimeReferencePacketSection>>). + +* menu:Seconds Since Previous Captured Packet: 1.123456[] The time relative to the + previous captured packet. + +* menu:Seconds Since Previous Displayed Packet: 1.123456[] The time relative to the + previous displayed packet. + +* menu:Seconds Since Epoch (1970-01-01): 1234567890.123456[] The time relative to + epoch (midnight UTC of January 1, 1970). + +The available precisions (aka. the number of displayed decimal places) are: + +* menu:Automatic (from capture file)[] The timestamp precision of the loaded capture file format will be + used (the default). + +* menu:Seconds[], menu:Tenths of a second[], menu:Hundredths of a second[], + menu:Milliseconds[], menu:Microseconds[] or menu:Nanoseconds[] The + timestamp precision will be forced to the given setting. If the + actually available precision is smaller, zeros will be appended. If + the precision is larger, the remaining decimal places will be cut off. + +Precision example: If you have a timestamp and it’s displayed using, “Seconds +Since Previous Packet” the value might be 1.123456. This will be displayed +using the “Automatic” setting for libpcap files (which is microseconds). If +you use Seconds it would show simply 1 and if you use Nanoseconds it shows +1.123456000. + +[#ChWorkTimeReferencePacketSection] + +==== Packet Time Referencing + +The user can set time references to packets. A time reference is the starting +point for all subsequent packet time calculations. It will be useful, if you +want to see the time values relative to a special packet, e.g., the start of a +new request. It’s possible to set multiple time references in the capture file. + +The time references will not be saved permanently and will be lost when you +close the capture file. + +Time referencing supercedes the value for the time relative to first +capture packet. It affects the default Time column if the time display +format is set to “Seconds Since First Captured Packet”, or a “Relative Time” +column if one has been added. It also affects the `frame.time_relative` field. + +To work with time references, choose one of the menu:Time Reference[] items in +the menu:[Edit] menu or from the pop-up menu of the “Packet List” pane. See +<<ChUseEditMenuSection>>. + +* menu:Set Time Reference (toggle)[] Toggles the time reference state of the + currently selected packet to on or off. + +* menu:Find Next[] Find the next time referenced packet in the “Packet List” pane. + +* menu:Find Previous[] Find the previous time referenced packet in the “Packet + List” pane. + +[#ChWorkTimeReference] + +.Wireshark showing a time referenced packet +image::images/ws-time-reference.png[{screenshot-attrs}] + +A time referenced packet will be marked with the string $$*REF*$$ in the Time +column (see packet number 10). All subsequent packets will show the time since +the last time reference. If there is a column displayed for “Cumulative Bytes” +its counter will also reset at every time reference packet. +# Somewhat odd that cumulative bytes also resets. + +Time referenced packets will always be displayed in the packet list pane. +Display filters will not affect or hide these packets. + +[#ChWorkShiftTimePacketSection] + +=== Time Shifting Packets + +Sometimes you will want to adjust the timestamps in a capture file. +This may be because a machine performing the capture had an inaccurate +clock, or because the capture was originally saved with timestamps in +<<ChAdvTabTimezones,local time>> (perhaps even to a capture file format +that only writes times in local time, or only writes the time of day +but not the date). One common use is to synchronize timestamps between +captures made on different machines with relative clock skew or clock +drift before <<ChIOMergeSection,merging>> them. Selecting +menu:Edit[Time Shift...] from the main menu opens the "Time Shift" dialog. + +.The “Time Shift” dialog +image::images/ws-time-shift.png[{medium-screenshot-attrs}] + +Shift all packets by...:: + +Apply a fixed offset, entered as a relative time in hours, minutes, +and seconds, to the timestamps for all packets. This is useful for +correcting small known errors or timezones. + +Set the time for packet...:: + +Apply offsets based on one or, if the box is checked, two given packets +to the timestamps for all packets. Enter the packet number and absolute +date and time for the packet(s). When one packet is used, a fixed offset +is applied that can be used to correct for clock skew. When two packets +are used, the correction for all other packets is computed linearly, +which can be used to correct for clock drift. This is useful when the +precise date and time for particular packets are known, e.g. packets +containing the NTP or PTP protocols. + +Undo all shifts:: + +This removes all unsaved time shifts from packets. + +[NOTE] +.Time shifts are applied to all packets +==== +Time shifts are applied to all packets in the capture, including +ignored packets and packets that are not displayed due to the current +filter. +Wireshark does not have a method to adjust the timestamps of individual +or selected packets. +==== + +The offset currently applied to time shifted packets is in the +`frame.offset_shift` field, which can be viewed in the packet details. + +.A Time Shifted Packet +image::images/ws-time-shift-details.png[{medium-screenshot-attrs}] + +After time shifts are applied, the file will have unsaved changes, +which are indicated with an {asterisk} beside its name in the title bar. +Beginning with Wireshark 4.2.0, <<ChIOSaveSection,saving>> the file +will write the corrected timestamps to the capture file. +If you attempt to close the capture file without saving it, a dialog +will prompt you to save in order to prevent losing your changes +(unless that warning has been disabled in the <<ChCustGUIPrefPage,preferences>>.) + +// End of WSUG Chapter Work |
