diff options
Diffstat (limited to '')
276 files changed, 27688 insertions, 0 deletions
diff --git a/docbook/CMakeLists.txt b/docbook/CMakeLists.txt new file mode 100644 index 0000000..29cc73f --- /dev/null +++ b/docbook/CMakeLists.txt @@ -0,0 +1,490 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +# To do: +# - Make the build targets top-level on Windows, similar to the NSIS, +# WiX, and PortableApps targets? + +function(set_docbook_target_properties _target) + set_target_properties(${_target} PROPERTIES + FOLDER "Documentation" + EXCLUDE_FROM_DEFAULT_BUILD True + ) +endfunction(set_docbook_target_properties) + +set(COMMON_FILES + common_src/gpl_appendix.adoc + common_src/typographic_conventions.adoc +) + +set(WSUG_TITLE "Wireshark User's Guide") + +set(WSUG_FILES + wsug_src/wsug_advanced.adoc + wsug_src/wsug_build_install.adoc + wsug_src/wsug_capture.adoc + wsug_src/wsug_customize.adoc + wsug_src/wsug_files.adoc + wsug_src/wsug_howitworks.adoc + wsug_src/wsug_introduction.adoc + wsug_src/wsug_io.adoc + wsug_src/wsug_mate.adoc + wsug_src/wsug_messages.adoc + wsug_src/wsug_preface.adoc + wsug_src/wsug_protocols.adoc + wsug_src/wsug_statistics.adoc + wsug_src/wsug_telephony.adoc + wsug_src/wsug_tools.adoc + wsug_src/wsug_troubleshoot.adoc + wsug_src/wsug_use.adoc + wsug_src/wsug_work.adoc + wsug_src/capinfos-h.txt + wsug_src/dumpcap-h.txt + wsug_src/editcap-F.txt + wsug_src/editcap-T.txt + wsug_src/editcap-h.txt + wsug_src/mergecap-h.txt + wsug_src/rawshark-h.txt + wsug_src/reordercap-h.txt + wsug_src/text2pcap-h.txt + wsug_src/tshark-h.txt + wsug_src/wireshark-h.txt + ${COMMON_FILES} +) + +# Note: Images should be minimized using tools/compress-pngs.py. +set(WSUG_GRAPHICS + wsug_src/images/caution.svg + wsug_src/images/important.svg + wsug_src/images/note.svg + wsug_src/images/related-ack.png + wsug_src/images/related-current.png + wsug_src/images/related-dup-ack.png + wsug_src/images/related-first.png + wsug_src/images/related-last.png + wsug_src/images/related-other.png + wsug_src/images/related-request.png + wsug_src/images/related-response.png + wsug_src/images/related-segment.png + wsug_src/images/tip.svg + wsug_src/images/toolbar/document-open.png + wsug_src/images/toolbar/edit-find.png + wsug_src/images/toolbar/filter-toolbar-add.png + wsug_src/images/toolbar/filter-toolbar-apply.png + wsug_src/images/toolbar/filter-toolbar-bookmark.png + wsug_src/images/toolbar/filter-toolbar-clear.png + wsug_src/images/toolbar/filter-toolbar-input.png + wsug_src/images/toolbar/filter-toolbar-recent.png + wsug_src/images/toolbar/go-first.png + wsug_src/images/toolbar/go-jump.png + wsug_src/images/toolbar/go-last.png + wsug_src/images/toolbar/go-next.png + wsug_src/images/toolbar/go-previous.png + wsug_src/images/toolbar/x-capture-file-close.png + wsug_src/images/toolbar/x-capture-file-reload.png + wsug_src/images/toolbar/x-capture-file-save.png + wsug_src/images/toolbar/x-capture-options.png + wsug_src/images/toolbar/x-capture-restart.png + wsug_src/images/toolbar/x-capture-start.png + wsug_src/images/toolbar/x-capture-stop.png + wsug_src/images/toolbar/x-colorize-packets.png + wsug_src/images/toolbar/x-resize-columns.png + wsug_src/images/toolbar/x-stay-last.png + wsug_src/images/toolbar/zoom-in.png + wsug_src/images/toolbar/zoom-original.png + wsug_src/images/toolbar/zoom-out.png + wsug_src/images/warning.svg + wsug_src/images/ws-about-codecs.png + wsug_src/images/ws-analyze-menu.png + wsug_src/images/ws-bytes-pane-popup-menu.png + wsug_src/images/ws-bytes-pane-tabs.png + wsug_src/images/ws-bytes-pane.png + wsug_src/images/ws-capture-file-properties.png + wsug_src/images/ws-capture-info.png + wsug_src/images/ws-capture-interfaces-main-macos.png + wsug_src/images/ws-capture-interfaces-main-win32.png + wsug_src/images/ws-capture-menu.png + wsug_src/images/ws-capture-options-compile-selected-bpfs.png + wsug_src/images/ws-capture-options-options.png + wsug_src/images/ws-capture-options-output.png + wsug_src/images/ws-capture-options-output.png + wsug_src/images/ws-capture-options.png + wsug_src/images/ws-choose-color-rule.png + wsug_src/images/ws-coloring-fields.png + wsug_src/images/ws-coloring-rules-dialog.png + wsug_src/images/ws-column-header-popup-menu.png + wsug_src/images/ws-decode-as.png + wsug_src/images/ws-details-pane-popup-menu.png + wsug_src/images/ws-details-pane.png + wsug_src/images/ws-diagram-pane-popup-menu.png + wsug_src/images/ws-diagram-pane.png + wsug_src/images/ws-display-filter-tcp.png # GTK+ + wsug_src/images/ws-edit-menu.png + wsug_src/images/ws-enabled-protocols.png + wsug_src/images/ws-expert-colored-tree.png + wsug_src/images/ws-expert-column.png + wsug_src/images/ws-expert-information.png + wsug_src/images/ws-export-objects.png + wsug_src/images/ws-export-packet-dissections.png + wsug_src/images/ws-export-selected.png + wsug_src/images/ws-export-specified-packets.png + wsug_src/images/ws-file-import.png + wsug_src/images/ws-file-menu.png + wsug_src/images/ws-file-set-dialog.png # GTK+ + wsug_src/images/ws-filter-add-expression.png # GTK+ + wsug_src/images/ws-filter-toolbar.png + wsug_src/images/ws-filters.png # GTK+ + wsug_src/images/ws-find-packet.png + wsug_src/images/ws-follow-http2-stream.png + wsug_src/images/ws-follow-sip-stream.png + wsug_src/images/ws-follow-stream.png + wsug_src/images/ws-go-menu.png + wsug_src/images/ws-goto-packet.png + wsug_src/images/ws-help-menu.png + wsug_src/images/ws-list-pane.png # Outdated + wsug_src/images/ws-main-toolbar.png + wsug_src/images/ws-main.png + wsug_src/images/ws-manage-interfaces.png + wsug_src/images/ws-mate-analysis.png + wsug_src/images/ws-mate-dns_pane.png + wsug_src/images/ws-mate-dns_pdu.png + wsug_src/images/ws-mate-ftp_over_gre.png + wsug_src/images/ws-mate-gop_analysis.png + wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png + wsug_src/images/ws-mate-mmse_over_http.png + wsug_src/images/ws-mate-pdu_analysis.png + wsug_src/images/ws-mate-tcp-output.png + wsug_src/images/ws-mate-transform.png + wsug_src/images/ws-menu.png + wsug_src/images/ws-merge-qt5.png + wsug_src/images/ws-merge-win32.png + wsug_src/images/ws-open-qt5.png + wsug_src/images/ws-open-win32.png + wsug_src/images/ws-packet-format.png + wsug_src/images/ws-packet-pane-popup-menu.png + wsug_src/images/ws-packet-range.png + wsug_src/images/ws-packet-selected.png + wsug_src/images/ws-packet-sep-win.png + wsug_src/images/ws-pref-advanced.png + wsug_src/images/ws-pref-appearance-columns.png + wsug_src/images/ws-pref-appearance-fonts-and-colors.png + wsug_src/images/ws-pref-appearance-layout.png + wsug_src/images/ws-pref-appearance.png + wsug_src/images/ws-pref-capture.png + wsug_src/images/ws-pref-expert.png + wsug_src/images/ws-pref-filter-buttons.png + wsug_src/images/ws-pref-name-resolution.png + wsug_src/images/ws-pref-protocols.png + wsug_src/images/ws-pref-rsa-keys.png + wsug_src/images/ws-pref-statistics.png + wsug_src/images/ws-print.png + wsug_src/images/ws-save-as-qt5.png + wsug_src/images/ws-save-as-win32.png + wsug_src/images/ws-statistics-menu.png + wsug_src/images/ws-stats-conversations.png + wsug_src/images/ws-stats-endpoints.png + wsug_src/images/ws-stats-hierarchy.png + wsug_src/images/ws-stats-iographs.png + wsug_src/images/ws-stats-lte-mac-traffic.png + wsug_src/images/ws-stats-lte-rlc-traffic.png + wsug_src/images/ws-stats-packet-lengths.png + wsug_src/images/ws-stats-srt-smb2.png + wsug_src/images/ws-stats-wlan-traffic.png # GTK+ + wsug_src/images/ws-statusbar-empty.png + wsug_src/images/ws-statusbar-filter.png + wsug_src/images/ws-statusbar-loaded.png + wsug_src/images/ws-statusbar-profile.png + wsug_src/images/ws-statusbar-selected.png + wsug_src/images/ws-tcp-analysis.png + wsug_src/images/ws-tel-playlist.png + wsug_src/images/ws-tel-rtp-player_1.png + wsug_src/images/ws-tel-rtp-player_2.png + wsug_src/images/ws-tel-rtp-player_3.png + wsug_src/images/ws-tel-rtp-player_button.png + wsug_src/images/ws-tel-rtp-streams.png + wsug_src/images/ws-tel-rtpstream-analysis_1.png + wsug_src/images/ws-tel-rtpstream-analysis_2.png + wsug_src/images/ws-tel-rtpstream-analysis_3.png + wsug_src/images/ws-tel-seq-dialog.png + wsug_src/images/ws-tel-voip-calls.png + wsug_src/images/ws-telephony-menu.png + wsug_src/images/ws-time-reference.png # GTK+ + wsug_src/images/ws-tools-menu.png + wsug_src/images/ws-view-menu.png +) + +set(WSDG_TITLE "Wireshark Developer's Guide") + +set(WSDG_FILES + wsdg_src/wsdg_asn2wrs.adoc + wsdg_src/wsdg_build_intro.adoc + wsdg_src/wsdg_capture.adoc + wsdg_src/wsdg_dissection.adoc + wsdg_src/wsdg_env_intro.adoc + wsdg_src/wsdg_libraries.adoc + wsdg_src/wsdg_lua_support.adoc + wsdg_src/wsdg_preface.adoc + wsdg_src/wsdg_quick_setup.adoc + wsdg_src/wsdg_sources.adoc + wsdg_src/wsdg_tests.adoc + wsdg_src/wsdg_tools.adoc + wsdg_src/wsdg_userinterface.adoc + wsdg_src/wsdg_works.adoc + ${COMMON_FILES} +) + +set(WSDG_GRAPHICS + wsdg_src/images/caution.svg + wsdg_src/images/git-triangular-workflow.gv + wsdg_src/images/git-triangular-workflow.svg + wsdg_src/images/important.svg + wsdg_src/images/note.svg + wsdg_src/images/tip.svg + wsdg_src/images/warning.svg + wsdg_src/images/ws-capture_internals.dia + wsdg_src/images/ws-capture_internals.png + wsdg_src/images/ws-capture-sync.dia + wsdg_src/images/ws-capture-sync.png + wsdg_src/images/ws-capture-sync.png + wsdg_src/images/ws-function-blocks.dia + wsdg_src/images/ws-function-blocks.png + wsdg_src/images/ws-logo.png +) + +set(WSUG_SOURCE + ${WSUG_FILES} + ${WSUG_GRAPHICS} +) + +# Ensure ws.css is available when the user tries to open generated .html files. +if(NOT CMAKE_SOURCE_DIR STREQUAL CMAKE_BINARY_DIR) + add_custom_command( + OUTPUT ws.css + COMMAND ${CMAKE_COMMAND} -E copy_if_different + ${CMAKE_CURRENT_SOURCE_DIR}/ws.css + ${CMAKE_CURRENT_BINARY_DIR}/ws.css + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/ws.css + ) + add_custom_target(copy_ws.css DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/ws.css) +else() + add_custom_target(copy_ws.css) +endif() + +set( WSUG_BUILT_DEPS copy_ws.css) + +set(WSDG_SOURCE + ${WSDG_FILES} + ${WSDG_GRAPHICS} +) + +# Note: file order here MATTERS! +# new WSLUA_MODULE files must come right before any WSLUA_CONTINUE_MODULE +# files for the same module +set(WSLUA_MODULES + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dumper.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_field.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_gui.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_int64.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_listener.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_pinfo.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_address.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_column.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_nstime.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dissector.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_pref.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto_expert.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_proto_field.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_tree.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_tvb.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_byte_array.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_file.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_file_handler.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_frame_info.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_capture_info.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_dir.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_wtap.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_utility.c + ${CMAKE_SOURCE_DIR}/epan/wslua/wslua_struct.c +) + +# Empty file to trigger wsluarm generation. +ADD_CUSTOM_COMMAND( + OUTPUT + wsluarm + COMMAND ${CMAKE_COMMAND} -E make_directory wsluarm_src + COMMAND ${Python3_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/make-wsluarm.py + --output-directory wsluarm_src + ${WSLUA_MODULES} + COMMAND ${CMAKE_COMMAND} -E touch + wsluarm + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/make-wsluarm.py + ${WSLUA_MODULES} +) + +set( WSDG_BUILT_DEPS copy_ws.css wsluarm ) + +set( ASCIIDOC_CONF_FILES + attributes.adoc + # XXX Add macros +) + +if(ASCIIDOCTOR_FOUND) + # Generate the DocBook sources of user and developer guides + + ASCIIDOCTOR2DOCBOOK(wsug_src/user-guide.adoc ${ASCIIDOC_CONF_FILES} ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + add_custom_target(user_guide_docbook DEPENDS generate_user-guide.xml) + set_docbook_target_properties(user_guide_docbook) + + ASCIIDOCTOR2DOCBOOK(wsdg_src/developer-guide.adoc ${ASCIIDOC_CONF_FILES} ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + add_custom_target(developer_guide_docbook DEPENDS generate_developer-guide.xml) + set_docbook_target_properties(developer_guide_docbook) + + # Top-level guide targets. + + add_custom_target(user_guides DEPENDS user_guide_docbook) + set_docbook_target_properties(user_guides) + + add_custom_target(developer_guides DEPENDS developer_guide_docbook) + set_docbook_target_properties(developer_guides) + + add_custom_target(all_guides DEPENDS user_guides developer_guides ) + set_docbook_target_properties(all_guides) +endif() + +# User's Guide chain. +if(ASCIIDOCTOR_FOUND AND XSLTPROC_EXECUTABLE) + XML2HTML( + user_guide + wsug + single-page + user-guide.xml + WSUG_GRAPHICS + ) + + XML2HTML( + user_guide + wsug + chunked + user-guide.xml + WSUG_GRAPHICS + ) + add_custom_target( + user_guide_html + DEPENDS + wsug_html/index.html + wsug_html_chunked/index.html + ) + set_docbook_target_properties(user_guide_html) + add_dependencies(user_guides user_guide_html) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_PDF_EXECUTABLE) + ASCIIDOCTOR2PDF(${WSUG_TITLE} wsug_src/user-guide.adoc ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + + add_custom_target( + user_guide_pdf + DEPENDS + "${WSUG_TITLE}.pdf" + ) + set_docbook_target_properties(user_guide_pdf) + add_dependencies(user_guides user_guide_pdf) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_EPUB_EXECUTABLE) + ASCIIDOCTOR2EPUB(${WSUG_TITLE} wsug_src/user-guide.adoc ${WSUG_SOURCE} ${WSUG_BUILT_DEPS}) + + add_custom_target( + user_guide_epub + DEPENDS + "${WSUG_TITLE}.epub" + ) + set_docbook_target_properties(user_guide_epub) + add_dependencies(user_guides user_guide_epub) +endif() + +# Developer's Guide chain. +if(ASCIIDOCTOR_FOUND AND XSLTPROC_EXECUTABLE) + XML2HTML( + developer_guide + wsdg + single-page + developer-guide.xml + WSDG_GRAPHICS + ) + + XML2HTML( + developer_guide + wsdg + chunked + developer-guide.xml + WSDG_GRAPHICS + ) + add_custom_target( + developer_guide_html + DEPENDS + wsdg_html/index.html + wsdg_html_chunked/index.html + ) + set_docbook_target_properties(developer_guide_html) + add_dependencies(developer_guides developer_guide_html) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_PDF_EXECUTABLE) + ASCIIDOCTOR2PDF(${WSDG_TITLE} wsdg_src/developer-guide.adoc ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + + add_custom_target( + developer_guide_pdf + DEPENDS + "${WSDG_TITLE}.pdf" + ) + set_docbook_target_properties(developer_guide_pdf) + add_dependencies(developer_guides developer_guide_pdf) +endif() + +if(ASCIIDOCTOR_FOUND AND ASCIIDOCTOR_EPUB_EXECUTABLE) + ASCIIDOCTOR2EPUB(${WSDG_TITLE} wsdg_src/developer-guide.adoc ${WSDG_SOURCE} ${WSDG_BUILT_DEPS}) + + add_custom_target( + developer_guide_epub + DEPENDS + "${WSDG_TITLE}.epub" + ) + set_docbook_target_properties(developer_guide_epub) + add_dependencies(developer_guides developer_guide_epub) +endif() + +# FAQ + +add_custom_target( faq_html DEPENDS faq.html ) +set_docbook_target_properties(faq_html) + +add_custom_target( faq ) +set_docbook_target_properties(faq) +add_dependencies ( faq faq_html ) + +if( ASCIIDOCTOR_FOUND ) + ASCIIDOCTOR2HTML( faq.adoc ) +endif() + +# +# Editor modelines - https://www.wireshark.org/tools/modelines.html +# +# Local variables: +# c-basic-offset: 8 +# tab-width: 8 +# indent-tabs-mode: t +# End: +# +# vi: set shiftwidth=8 tabstop=8 noexpandtab: +# :indentSize=8:tabSize=8:noTabs=false: +# diff --git a/docbook/README.adoc b/docbook/README.adoc new file mode 100644 index 0000000..58d08ed --- /dev/null +++ b/docbook/README.adoc @@ -0,0 +1,136 @@ + +:experimental: += Introduction + +This directory contains the source files needed to build the: + +- Wireshark User’s Guide +- Wireshark Developer’s Guide +- Release notes (NEWS) +- Lua Reference + +To build everything, build the `all_guides` target, e.g. `ninja +all_guides` or `msbuild all_guides.vcxproj`. Requirements are listed +below. + +The guides and release notes are written in +https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/[Asciidoctor syntax]. +For more information see https://asciidoctor.org. + +== Requirements + +Ultimately we'd like to reduce the toolchain requirements to AsciidoctorJ alone, but that's not yet possible. +Additional tooling is required for the HTML and HTMLHelp targets. +See the https://www.wireshark.org/docs/wsdg_html_chunked/ChToolsDocumentationToolchain.html[Developer's Guide] for instructions on installing required packages for your platform. + +== Asciidoctor Markup + +The User’s and Developer’s Guides were originally written in DocBook and +were later converted to https://asciidoc.org/[AsciiDoc]. We subsequently +switched from AsciiDoc to Asciidoctor. As a result we currently use +https://asciidoctor.org/docs/migration/[compat mode], but may switch +to Asciidoctor’s modern markup at a later date. + +Please use the following conventions when writing documentation: + +- Window and dialog box names should be in “curly quotes”. + +- Use Asciidoctor macros for buttons, keys, and menus. Note that these + are currently experimental: + +** The btn:[Start] button +** Press kbd:[Shift+Ctrl+P] to open the preferences dialog. +** Select menu:File[Open] from the main menu. + +This ensures that UI elements are shown consistently and lets us apply styles +to each type of element. + +- Command line examples should reflect the OS: ++ +---- +$ echo Linux and UNIX +---- ++ +---- +C:\> echo Windows +---- + +Admonitions ([NOTE], [TIP], [IMPORTANT], [CAUTION] and [WARNING]) can be used to highlight important +information. Keep in mind that they interrupt the flow of text by design. Too +many (especially in a row) are distracting and annoying. + +== Custom Asciidoctor Macros + +The following custom macros are available in `docbook/asciidoctor-macros`: + +commaize-block:: +Sorts a list of items and separates them with commas with an "and" preceding the last item. + +cveidlink-inline-macro:: +Links a CVE ID to cve.mitre.org. + +manarg-block:: +Ensures that individual arguments don't wrap in order to improve readability. + +wsbuglink-inline-macro:: +Links an issue number to gitlab.org/wireshark/wireshark/-/issues. + +wssalink-inline-macro:: +Links a security advisory to www.wireshark.org. + +== Asciidoctor Live Preview + +The Asciidoctor project provides a JavaScript version of Asciidoctor +(asciidoctor.js), which enables live previews in many web browsers and +text editors. See the +https://asciidoctor.org/docs/editing-asciidoc-with-live-preview/[Live +Preview] documentation for more information. + +Note that our documentation depends on attributes defined in +_attributes.adoc_. The User’s Guide and Developer’s Guide are split +across several files, and only the top-level _user-guide.adoc_ and +_developer-guide.adoc_ include _attributes.adoc_. As a result, +some markup will be incomplete. You can work around this somewhat by +adding some attributes such as `compat-mode experimental` to your Live +Preview settings. + += HTML Help Alternatives + +Ideally we would ship documentation with Wireshark that is pleasant to +read, browsable, and searchable. Unfortunately we don't have an easy way +to do this. The closest we've been able to come is by shipping an HTML +Help (.chm) file on Windows. However, HTML Help a) is limited to Windows, +b) crusty on normal displays, and c) really crusty on HiDPI displays. + +The following alternative formats are available, each with advantages +and disadvantages: + +== WebHelp + +https://en.wikipedia.org/wiki/Web_help[WebHelp] has three main +dependencies: + +- DocBook XSL, including... +- webhelpindexer.jar +- The user's local web browser + +This format generates both HTML pages and JavaScript, which might not run +reliably on end user machines. + +== PDF + +PDF output is page oriented, with static page sizes. This _usually_ isn't +a problem with modern reader software. However it doesn't look like we +can reliably load a PDF file and jump to specific section on some +platforms. For example, loading +++file:///path/to/user_guide.pdf#location+++ +works in Firefox & Chrome, but not in Safari, Preview, or Internet Explorer. + +== Qt Help + +Qt provides an extensive https://doc.qt.io/qt-5/qthelp-framework.html[help system]. +However, to use it we need to generate a Qt Help Project (.qhp) file, +which isn't currently supported by Asciidoctor or via DocBook XSL. + +The default help application (Qt Assistant) is ugly. We'd probably want +to write our own help viewer app or integrate help directly via +QHelpEngine. diff --git a/docbook/asciidoctor-macros/README.adoc b/docbook/asciidoctor-macros/README.adoc new file mode 100644 index 0000000..cc5d64e --- /dev/null +++ b/docbook/asciidoctor-macros/README.adoc @@ -0,0 +1,5 @@ +Asciidoctor macros. + +These files are available under the MIT license to match the +https://github.com/asciidoctor/asciidoctor-extensions-lab[Asciidoctor Extensions Lab] +and Asciidoctor itself. diff --git a/docbook/asciidoctor-macros/commaize-block.rb b/docbook/asciidoctor-macros/commaize-block.rb new file mode 100644 index 0000000..aff6a3c --- /dev/null +++ b/docbook/asciidoctor-macros/commaize-block.rb @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: MIT +RUBY_ENGINE == 'opal' ? (require 'commaize-block/extension') : (require_relative 'commaize-block/extension') + +Extensions.register do + block CommaizeBlock +end diff --git a/docbook/asciidoctor-macros/commaize-block/extension.rb b/docbook/asciidoctor-macros/commaize-block/extension.rb new file mode 100644 index 0000000..710f1a7 --- /dev/null +++ b/docbook/asciidoctor-macros/commaize-block/extension.rb @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include Asciidoctor + +# An extension that converts a list of lines to an inline Oxford comma-separated list. +# +# Usage +# +# [commaize] +# -- +# item1 +# item2 +# item3 +# -- +# +class CommaizeBlock < Extensions::BlockProcessor + include WsUtils + use_dsl + + named :commaize + on_contexts :paragraph, :open + # XXX What's the difference between text, raw, simple, verbatim, etc? + parse_content_as :simple + + def process(parent, reader, attrs) + lines = reader.lines + sort = attrs.fetch('sort', 'true') == 'true' + + lines = lines.reject(&:empty?) + lines = lines.map(&:strip) + lines = lines.sort_by(&:downcase) if sort + + if lines.length < 2 + create_paragraph parent, lines, attrs + elsif lines.length == 2 + create_paragraph parent, lines.join(" and "), attrs + else + commaized = lines[0..-2].join(", ") + commaized << ", and " + lines[-1] + create_paragraph parent, commaized, attrs + end + end +end diff --git a/docbook/asciidoctor-macros/commaize-block/sample.adoc b/docbook/asciidoctor-macros/commaize-block/sample.adoc new file mode 100644 index 0000000..9cb2e1e --- /dev/null +++ b/docbook/asciidoctor-macros/commaize-block/sample.adoc @@ -0,0 +1,31 @@ += Sorted, delimited, empty lines + +[commaize] +-- +One +two + +red + +blue +Fish +-- + += Unsorted + +[commaize, sort=false] +One +two +red +blue +Fish + += Two elements + +[commaize] +One +Two + += One element +[commaize] +Just the one diff --git a/docbook/asciidoctor-macros/cveidlink-inline-macro.rb b/docbook/asciidoctor-macros/cveidlink-inline-macro.rb new file mode 100644 index 0000000..beb19a3 --- /dev/null +++ b/docbook/asciidoctor-macros/cveidlink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'cveidlink-inline-macro/extension') : (require_relative 'cveidlink-inline-macro/extension') + +Extensions.register do + inline_macro CVEIdLinkInlineMacro +end diff --git a/docbook/asciidoctor-macros/cveidlink-inline-macro/extension.rb b/docbook/asciidoctor-macros/cveidlink-inline-macro/extension.rb new file mode 100644 index 0000000..2dec88d --- /dev/null +++ b/docbook/asciidoctor-macros/cveidlink-inline-macro/extension.rb @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a CVE Record identified by its CVE +# Number. +# +# Usage +# +# cveidlink:<cve-number>[] +# +class CVEIdLinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :cveidlink + + def process(parent, cvenum, _attrs) + cvename = "CVE-#{cvenum}" + target = %(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cvenum}) + create_doc_links(parent, target, cvename) + end +end diff --git a/docbook/asciidoctor-macros/manarg-block.rb b/docbook/asciidoctor-macros/manarg-block.rb new file mode 100644 index 0000000..07a9bf2 --- /dev/null +++ b/docbook/asciidoctor-macros/manarg-block.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'manarg-block/extension') : (require_relative 'manarg-block/extension') + +Extensions.register do + block ManArgBlock +end diff --git a/docbook/asciidoctor-macros/manarg-block/extension.rb b/docbook/asciidoctor-macros/manarg-block/extension.rb new file mode 100644 index 0000000..2461e72 --- /dev/null +++ b/docbook/asciidoctor-macros/manarg-block/extension.rb @@ -0,0 +1,45 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include Asciidoctor + +# An inline macro that generates markup for man page arguments. +# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb +# +# Usage: +# +# [manarg] +# *command* +# [ *--help* ] +# [ *--flash-lights* ] +# +class ManArgBlock < Extensions::BlockProcessor + use_dsl + + named :manarg + parse_content_as :simple + + def process parent, reader, attrs + nowrap_lines = reader.readlines.map {|line| + if parent.document.basebackend? 'html' + # Apply the custom style "[.nowrap]## ... ##" to each line. + # This generates "<span content="nowrap"> ... </span>". Pass + # each '#' through for extra paranoia. + %([.nowrap]###{line.gsub('#', '+++#+++')}##) + elsif parent.document.backend == 'manpage' + # Replace spaces with non-breaking spaces (' '), then make + # bold markup unconstrained ('*' -> '**'). For now we naively + # assume that bolds are always constrained (that is, we only + # have single '*'s). We *should* be able to do this properly + # with a regex, but for some reason + # gsub(/([^*])\*([^*])/, '\1**\2') + # doesn't match the first asterisk in "*--extcap-interface*=<interface>" + %(#{line.gsub(' ', ' ').gsub('*', '**')}) + else + line + end + } + # STDERR.puts(nowrap_lines) + create_paragraph parent, nowrap_lines, attrs + end +end diff --git a/docbook/asciidoctor-macros/manarg-block/sample.adoc b/docbook/asciidoctor-macros/manarg-block/sample.adoc new file mode 100644 index 0000000..5b4a401 --- /dev/null +++ b/docbook/asciidoctor-macros/manarg-block/sample.adoc @@ -0,0 +1,19 @@ += androiddump(1) +:doctype: manpage + +== NAME + +sample - Sample man page + +== SYNOPSIS + +[manarg] +*androiddump* +*--mandatory-argument +[ *--optional-argument* ] +*--complex-mandatory*=<argument> +[ *--complex-optional*=<argument> ] + +== DESCRIPTION + +Sample man page. diff --git a/docbook/asciidoctor-macros/ws_utils.rb b/docbook/asciidoctor-macros/ws_utils.rb new file mode 100644 index 0000000..9a4551a --- /dev/null +++ b/docbook/asciidoctor-macros/ws_utils.rb @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: MIT +module WsUtils + def create_doc_links(parent, target, text) + if (parent.document.basebackend? 'docbook') || (parent.document.basebackend? 'html') + parent.document.register :links, target + create_anchor(parent, text, type: :link, target: target).render.to_s + elsif parent.document.backend == 'manpage' + "\\fB#{text}" + else + text + end + end +end diff --git a/docbook/asciidoctor-macros/wsbuglink-inline-macro.rb b/docbook/asciidoctor-macros/wsbuglink-inline-macro.rb new file mode 100644 index 0000000..3f192aa --- /dev/null +++ b/docbook/asciidoctor-macros/wsbuglink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'wsbuglink-inline-macro/extension') : (require_relative 'wsbuglink-inline-macro/extension') + +Extensions.register do + inline_macro WSBugLinkInlineMacro +end diff --git a/docbook/asciidoctor-macros/wsbuglink-inline-macro/extension.rb b/docbook/asciidoctor-macros/wsbuglink-inline-macro/extension.rb new file mode 100644 index 0000000..6cdb665 --- /dev/null +++ b/docbook/asciidoctor-macros/wsbuglink-inline-macro/extension.rb @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a Wireshark bug report. +# +# Usage +# +# wsbuglink:<number>[<issue text>] +# Default bug text is "Issue <number>". +# +class WSBugLinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :wsbuglink + parse_content_as :text + name_positional_attributes 'bugtext' + + def process(parent, issueid, attrs) + bugtext = attrs['bugtext'] || %(Issue #{issueid}) + target = %(https://gitlab.com/wireshark/wireshark/-/issues/#{issueid}) + create_doc_links(parent, target, bugtext) + end +end diff --git a/docbook/asciidoctor-macros/wssalink-inline-macro.rb b/docbook/asciidoctor-macros/wssalink-inline-macro.rb new file mode 100644 index 0000000..3172ea5 --- /dev/null +++ b/docbook/asciidoctor-macros/wssalink-inline-macro.rb @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: MIT +# Copied from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb + +RUBY_ENGINE == 'opal' ? (require 'wssalink-inline-macro/extension') : (require_relative 'wssalink-inline-macro/extension') + +Extensions.register do + inline_macro WSSALinkInlineMacro +end diff --git a/docbook/asciidoctor-macros/wssalink-inline-macro/extension.rb b/docbook/asciidoctor-macros/wssalink-inline-macro/extension.rb new file mode 100644 index 0000000..3af9c8f --- /dev/null +++ b/docbook/asciidoctor-macros/wssalink-inline-macro/extension.rb @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: MIT +require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal' + +include ::Asciidoctor + +# An inline macro that generates a link to a Wireshark Security Advisory. +# +# Usage +# +# wssalink:<dddd>[] +# +class WSSALinkInlineMacro < Extensions::InlineMacroProcessor + include WsUtils + use_dsl + + named :'wssalink' + + def process(parent, sanum, attrs) + satext = "wnpa-sec-#{sanum}" + target = %(https://www.wireshark.org/security/wnpa-sec-#{sanum}) + create_doc_links(parent, target, satext) + end +end diff --git a/docbook/attributes.adoc b/docbook/attributes.adoc new file mode 100644 index 0000000..3076ab1 --- /dev/null +++ b/docbook/attributes.adoc @@ -0,0 +1,107 @@ +// Common attributes + +:wireshark-version: 4.2.2 +:logray-version: 0.9.0 + +// Required for btn, kbd:, and menu: macros. +:experimental: + +// We want footers (which include page numbers) in our PDF output but +// not elsewhere, particularly in our man pages. +// We could use the "reproducible" attribute here, but it generates an +// empty black box. +ifndef::backend-pdf[] +:nofooter: +endif::[] + +// Create PA4 (210 × 280mm) pages: https://en.wikipedia.org/wiki/Paper_size#PA4_or_L4 +// This is the approximate intersection of A4 (210 × 297mm) and U.S. Letter +// (216 × 279mm). +:pdf-page-size: 210mm x 280mm + +// Include glyphs for up/down arrows +:pdf-theme: default-with-fallback-font + +// +// URLs +// + +// Wireshark top level URLs (sites) +:wireshark-main-url: https://www.wireshark.org/ +:wireshark-gitlab-project-url: https://gitlab.com/wireshark/wireshark +:wireshark-qa-url: https://ask.wireshark.org/ +:wireshark-foundation-url: https://wiresharkfoundation.org/ +:sharkfest-url: https://sharkfest.wireshark.org/ + +// Wireshark secondary URLs (pages) +:wireshark-bugs-url: {wireshark-gitlab-project-url}/-/issues +:wireshark-code-review-url: {wireshark-gitlab-project-url}/-/merge_requests +:wireshark-wiki-url: {wireshark-gitlab-project-url}/-/wikis/ +:wireshark-authors-url: {wireshark-main-url}about.html#authors +:wireshark-code-browse-url: {wireshark-gitlab-project-url}/-/tree/master +:wireshark-code-file-url: {wireshark-gitlab-project-url}/-/blob/master/ +:wireshark-commits-url: {wireshark-gitlab-project-url}/-/commits/master +:wireshark-merge-request-url: {wireshark-gitlab-project-url}/-/merge_requests +:wireshark-developers-guide-url: {wireshark-main-url}docs/wsdg_html_chunked/ +:wireshark-display-filter-reference-url: {wireshark-main-url}docs/dfref/ +:wireshark-download-url: {wireshark-main-url}download.html +:wireshark-faq-url: {wireshark-main-url}faq.html +:wireshark-git-anonhttp-url: https://gitlab.com/wireshark/wireshark.git +:wireshark-git-ssh-url: \git@gitlab.com:wireshark/wireshark.git +:wireshark-mailing-lists-url: {wireshark-main-url}lists/ +:wireshark-man-page-url: {wireshark-main-url}docs/man-pages/ +:wireshark-snapshots-url: {wireshark-main-url}download/automated/src/ +:wireshark-users-guide-url: {wireshark-main-url}docs/wsug_html_chunked/ +:wireshark-wiki-moin-import-url: {wireshark-wiki-url}uploads/__moin_import__/attachments/ + +// External URLs +:tcpdump-main-url: https://www.tcpdump.org/ +:pcap-filter-man-page-url: {tcpdump-main-url}manpages/pcap-filter.7.html +:tcpdump-man-page-url: {tcpdump-main-url}manpages/tcpdump.1.html + +:npcap-main-url: https://npcap.com/ +:npcap-development-url: https://github.com/nmap/npcap +:npcap-license-url: https://raw.githubusercontent.com/nmap/npcap/master/LICENSE +:vcpkg-main-url: https://github.com/Microsoft/vcpkg/ + +:sysfs-main-url: http://linux-diag.sourceforge.net/Sysfsutils.html +:wikipedia-main-url: https://en.wikipedia.org/wiki/ +:pcre2pattern-url: https://www.pcre.org/current/doc/html/pcre2pattern.html + +:greenwichmeantime-main-url: https://wwp.greenwichmeantime.com/ +:timeanddate-main-url: https://www.timeanddate.com/worldclock/ +:ntp-main-url: http://www.ntp.org/ + +:gplv2-url: https://www.gnu.org/licenses/gpl-2.0.html +:spdx-license-url: https://spdx.org/licenses/ + +// Email addresses +:at-separator: [AT] +:wireshark-dev-list-email: wireshark-dev{at-separator}wireshark.org +:wsdg-author-email: ulf.lamping{at-separator}web.de +:wsdg-author-email2: graham.bloice{at-separator}trihedral.com + +:wsug-author-email: ulf.lamping{at-separator}web.de +:wsug-author-email2: rsharpe{at-separator}ns.aus.com +:wsug-author-email3: hagbard{at-separator}physics.rutgers.edu +:wsug-author-email4: luis{at-separator}ontanon.org + +// +// Image formatting +// + +// "scaledwidth" only applies to PDF output +:pdf-scaledwidth: scaledwidth="85%" +:screenshot-attrs: scaledwidth="85%" +:medium-screenshot-attrs: scaledwidth="60%" +:small-screenshot-attrs: scaledwidth="35%" +:related-attrs: height=18 +// XXX height=22 results in content-height="22px" in the .fo file. Not sure +// how to make scaledwidth take precedence. +:statusbar-attrs: scaledwidth="85%",height=22 + +:multiplication: × +:underscore: _ +:cmd: ⌘ + +:missing: Not yet written. If you would like to fix this, see https://gitlab.com/wireshark/wireshark/-/wikis/Development/SubmittingPatches. diff --git a/docbook/common_src/gpl_appendix.adoc b/docbook/common_src/gpl_appendix.adoc new file mode 100644 index 0000000..83744d3 --- /dev/null +++ b/docbook/common_src/gpl_appendix.adoc @@ -0,0 +1,355 @@ +// Wireshark GPL Appendix + +[[AppGPL]] +== This Document’s License (GPL) + +As with the original license and documentation distributed +with Wireshark, this document is covered by the GNU General Public +License (GNU GPL). + +If you haven't read the GPL before, please do so. It +explains all the things that you are allowed to do with this +code and documentation. + +---- + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. +---- diff --git a/docbook/common_src/typographic_conventions.adoc b/docbook/common_src/typographic_conventions.adoc new file mode 100644 index 0000000..a098fee --- /dev/null +++ b/docbook/common_src/typographic_conventions.adoc @@ -0,0 +1,99 @@ +[[PrefaceTypographicConventions]] + +=== Typographic Conventions + +The following table shows the typographic conventions that are used in this guide. + +// https://github.com/oreillymedia/orm_book_samples/blob/master/asciidoc_only/preface.adoc + +// AsciiDoc allows alternative markup for some styles, specifically +// 'single quotes' and _underlines_ for italics and +plus signs+ and +// `backticks` for monospaces. +// Asciidoctor’s modern mode is more strict, and only allows _underline_ +// italics and `backtick` monospaces. +// https://asciidoctor.org/docs/migration/ + +.Typographic Conventions +[options="header",cols="1,3,3"] +|=== +|Style|Description|Example +|_Italic_ |File names, folder names, and extensions |_C:\Development\wireshark_. +|`Monospace` |Commands, flags, and environment variables|CMake’s `-G` option. +|**`Bold Monospace`** |Commands that should be run by the user|Run **`cmake -G Ninja ..`**. +|btn:[Button] |Dialog and window buttons |Press btn:[Launch] to go to the Moon. +|kbd:[Key] |Keyboard shortcut |Press kbd:[Ctrl+Down] to move to the next packet. +|menu:Menu[] |Menu item |Select menu:Go[Next Packet] to move to the next packet. +|=== + +==== Admonitions + +Important and notable items are marked as follows: + +[WARNING] +.This is a warning +==== +You should pay attention to a warning, otherwise data loss might occur. +==== + +[CAUTION] +.This is a caution +==== +Act carefully (i.e., exercise care). +==== + +[IMPORTANT] +.This is important information +==== +RTFM - Read The Fine Manual +==== + +[TIP] +.This is a tip +==== +Tips are helpful for your everyday work using Wireshark. +==== + +[NOTE] +.This is a note +==== +A note will point you to common mistakes and things that might not be obvious. +==== + +==== Shell Prompt and Source Code Examples + +.Bourne shell, normal user +---- +$ # This is a comment +$ git config --global log.abbrevcommit true +---- + +.Bourne shell, root user +---- +# # This is a comment +# ninja install +---- + +.Command Prompt (cmd.exe) +---- +>rem This is a comment +>cd C:\Development +---- + +.PowerShell +---- +PS$># This is a comment +PS$> choco list -l +---- + +.C Source Code +---- +#include "config.h" + +/* This method dissects foos */ +static int +dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) +{ + /* TODO: implement your dissecting code */ + return tvb_captured_length(tvb); +} +---- diff --git a/docbook/custom_layer_single_html.xsl b/docbook/custom_layer_single_html.xsl new file mode 100644 index 0000000..bdd136d --- /dev/null +++ b/docbook/custom_layer_single_html.xsl @@ -0,0 +1,16 @@ +<?xml version='1.0'?> +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + version="1.0"> + +<!-- copied from custom_layer_chm.xsl --> + +<!-- import the main stylesheet --> +<xsl:import href="http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl"/> + +<xsl:output + method="html" + encoding="UTF-8" + indent="yes" + /> + +</xsl:stylesheet> diff --git a/docbook/faq.adoc b/docbook/faq.adoc new file mode 100644 index 0000000..43cfa20 --- /dev/null +++ b/docbook/faq.adoc @@ -0,0 +1,1087 @@ +include::attributes.adoc[] +:stylesheet: ws.css +:linkcss: +:copycss: {stylesheet} +:toc: + += Wireshark Frequently Asked Questions + +== General Questions + +=== What is Wireshark? + +Wireshark® is a network protocol analyzer. It lets you capture and +interactively browse the traffic running on a computer network. It has a +rich and powerful feature set and is world's most popular tool of its +kind. It runs on most computing platforms including Windows, macOS, +Linux, and UNIX. Network professionals, security experts, developers, +and educators around the world use it regularly. It is freely available +as open source, and is released under the GNU General Public License +version 2. + +It is developed and maintained by a global team of protocol experts, +and it is an example of a +https://en.wikipedia.org/wiki/Disruptive_technology[disruptive +technology]. + +Wireshark used to be known as Ethereal®. See the next question for +details about the name change. If you're still using Ethereal, it is +strongly recommended that you upgrade to Wireshark as Ethereal is +unsupported and has known security vulnerabilities. + +For more information, please see the +https://www.wireshark.org/about.html[About Wireshark] page. + +[#wheretogethelp] +=== Where can I get help? + +Community support is available on the +https://ask.wireshark.org/[Q&A site] +and on the wireshark-users mailing list. +Subscription information and archives for all of Wireshark's mailing lists can be found at +https://www.wireshark.org/mailman/listinfo[https://www.wireshark.org/mailman/listinfo]. +// An IRC channel dedicated to Wireshark can be found at +// irc://irc.freenode.net/wireshark[irc://irc.freenode.net/wireshark]. + +=== What kind of shark is Wireshark? + +_carcharodon photoshopia_. + +=== How is Wireshark pronounced, spelled and capitalized? + +Wireshark is pronounced as the word _wire_ followed immediately by +the word _shark_. Exact pronunciation and emphasis may vary depending on +your locale (e.g. Arkansas). + +It's spelled with a capital _W_, followed by a lower-case _ireshark_. +It is not a CamelCase word, i.e., _WireShark_ is incorrect. + +=== How much does Wireshark cost? + +Wireshark is "free software"; you can download it without paying any +license fee. The version of Wireshark you download isn't a "demo" +version, with limitations not present in a "full" version; it _is_ the +full version. + +The license under which Wireshark is issued is +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public License +version 2]. See +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[the GNU GPL +FAQ] for some more information. + +=== But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off? + +That depends. Did they provide any sort of value-added product or +service, such as installation support, installation media, training, +trace file analysis, or funky-colored shark-themed socks? Probably not. + +Wireshark is https://www.wireshark.org/download.html[available for +anyone to download, absolutely free, at any time]. Paying for a copy +implies that you should get something for your money. + +=== Can I use Wireshark commercially? + +Yes, if, for example, you mean "I work for a commercial organization; +can I use Wireshark to capture and analyze network traffic in our +company's networks or in our customer's networks?" + +If you mean "Can I use Wireshark as part of my commercial product?", +see link:#derived_work_gpl[the next entry in the FAQ]. + +=== Can I use Wireshark as part of my commercial product? + +As noted, Wireshark is licensed under +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public +License, version 2]. The GPL imposes conditions on your use of GPL'ed +code in your own products; you cannot, for example, make a "derived +work" from Wireshark, by making modifications to it, and then sell the +resulting derived work and not allow recipients to give away the +resulting work. You must also make the changes you've made to the +Wireshark source available to all recipients of your modified version; +those changes must also be licensed under the terms of the GPL. See the +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[GPL FAQ] for +more details; in particular, note the answer to +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLCommercially[the +question about modifying a GPLed program and selling it commercially], +and +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#LinkingWithGPL[the +question about linking GPLed code with other code to make a proprietary +program]. + +You can combine a GPLed program such as Wireshark and a commercial +program as long as they communicate "at arm's length", as per +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLInProprietarySystem[this +item in the GPL FAQ]. + +We recommend keeping Wireshark and your product completely separate, +communicating over sockets or pipes. If you're loading any part of +Wireshark as a DLL, you're probably doing it wrong. + +=== Can you help me fill out this compliance form so that I can use Wireshark? + +// While we try to make sure that Wireshark is as easy as possible to obtain and use, please keep in mind that it’s developed by a team of volunteers and that filling out compliance forms is pretty far beyond the scope of what those volunteers do. + +Please contact the https://sharkfestfoundation.org[Wireshark Foundation] and they will be able to help you for a nominal fee. + +=== Can you sign this legal agreement so that I can use Wireshark? + +// As with the previous question, Wireshark is developed by a team of volunteers. +// Even if they were inclined to do so, they aren’t authorized to sign agreements on behalf of the project. + +Please contact the https://sharkfestfoundation.org[Wireshark Foundation] and they will be able to help you for a somewhat less nominal fee. + +=== What protocols are currently supported? + +There are currently hundreds of supported protocols and media. +Details can be found in the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page. + +=== Are there any plans to support {your favorite protocol}? + +Support for particular protocols is added to Wireshark as a result of +people contributing that support; no formal plans for adding support for +particular protocols in particular future releases exist. + +=== Can Wireshark read capture files from {your favorite network analyzer}? + +Support for particular capture file formats is added to Wireshark as +a result of people contributing that support; no formal plans for adding +support for particular capture file formats in particular future +releases exist. + +If a network analyzer writes out files in a format already supported by +Wireshark (e.g., in libpcap format), Wireshark may already be able to +read them, unless the analyzer has added its own proprietary extensions +to that format. + +If a network analyzer writes out files in its own format, or has added +proprietary extensions to another format, in order to make Wireshark +read captures from that network analyzer, we would either have to have a +specification for the file format, or the extensions, sufficient to give +us enough information to read the parts of the file relevant to +Wireshark, or would need at least one capture file in that format *AND* +a detailed textual analysis of the packets in that capture file (showing +packet time stamps, packet lengths, and the top-level packet header) in +order to reverse-engineer the file format. + +Note that there is no guarantee that we will be able to +reverse-engineer a capture file format. + +=== What devices can Wireshark use to capture packets? + +Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial +(PPP and SLIP) (if the OS on which it's running allows Wireshark to do +so), 802.11 wireless LAN (if the OS on which it's running allows +Wireshark to do so), ATM connections (if the OS on which it's running +allows Wireshark to do so), and the "any" device supported on Linux by +recent versions of libpcap. + +See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/NetworkMedia[the list of +supported capture media on various OSes] for details (several items in +there say "Unknown", which doesn't mean "Wireshark can't capture on +them", it means "we don't know whether it can capture on them"; we +expect that it will be able to capture on many of them, but we haven't +tried it ourselves - if you try one of those types and it works, please +update the wiki page accordingly. + +It can also read a variety of capture file formats, including: + +* pcap, used by libpcap, tcpdump and various other tools +* Oracle (previously Sun) snoop and atmsnoop captures +* Finisar (previously Shomiti) Surveyor captures +* Microsoft Network Monitor captures +* Novell LANalyzer captures +* AIX's iptrace captures +* Cinco Networks NetXRay captures +* NETSCOUT (previously Network Associates/Network General) Windows-based +Sniffer captures +* Network General/Network Associates DOS-based Sniffer captures +(compressed or uncompressed) +* LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/Packet Grabber +captures +* RADCOM's WAN/LAN analyzer captures +* Viavi (previously Network Instruments) Observer captures +* Lucent/Ascend router debug output +* Toshiba's ISDN routers dump output +* captures from HP-UX nettl +* the output from i4btrace from the ISDN4BSD project +* traces from the EyeSDN USB S0 +* the IPLog format output from the Cisco Secure Intrusion Detection System +* pppd logs (pppdump format) +* the text output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities +* the text output from the DBS Etherwatch VMS utility +* Visual Networks' Visual UpTime traffic capture +* the output from CoSine L2 debug +* the output from InfoVista (formerly Accellent) 5Views LAN agents +* Endace Measurement Systems' ERF format captures +* Linux Bluez Bluetooth stack hcidump -w traces +* Catapult DCT2000 .out files +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) +* Juniper Netscreen snoop files +* Symbian OS btsnoop files +* TamoSoft CommView files +* Tektronix K12xx 32bit .rf5 format files +* Tektronix K12 text file format captures +* Apple PacketLogger files +* Files from Aethra Telecommunications' PC108 software for their test +instruments +* Citrix NetScaler Trace files +* Android Logcat binary and text format logs +* Colasoft Capsa and Packet Builder captures +* Micropross mplog files +* Unigraf DPA-400 DisplayPort AUX channel monitor traces +* 802.15.4 traces from Daintree's Sensor Network Analyzer +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 +* Log files from the _candump_ utility +* Logs from the BUSMASTER tool +* Ixia IxVeriWave raw captures +* Rabbit Labs CAM Inspector files +* systemd journal files +* 3GPP TS 32.423 trace files + +so that it can read traces from various network types, as captured by +other applications or equipment, even if it cannot itself capture on +those network types. + +=== Does Wireshark work on older versions of Windows such as Windows 7? + +Each major release branch of Wireshark supports the versions of Windows that are within their product lifecycle at the time of the “.0” release for that branch. +For example, Wireshark 3.2.0 was released in December 2019, shortly before Windows 7 reached the end of its extended support in January 2020. As a result, each of the Wireshark 3.2._x_ releases supports Windows 7, even after January 2020. +See the +link:https://www.wireshark.org/docs/wsug_html_chunked/ChIntroPlatforms.html[Microsoft Windows section of the User’s Guide] +and the +link:https://gitlab.com/wireshark/wireshark/-/wikis/Development/LifeCycle[End Of Life Planning section of the Release Life Cycle wiki page] +for more details. + +Npcap might not work well on Windows 8 and earlier, so you might want to install WinPcap instead. + +== Installing Wireshark + +=== I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark? + +Many distributions have separate Wireshark packages, one for non-GUI +components such as TShark, editcap, dumpcap, etc. and one for the GUI. +If this is the case on your system, there's probably a separate package +named “wireshark-qt”. Find it and install it. + +== Building Wireshark + +=== Why does building Wireshark fail due to missing headers (.h files)? + +If this is happening on Linux, it's likely due to missing development library packages. +For example, Debian and Ubuntu ship the GLib library in the libglib2.0-0 package, but ship its header files and other development assets in the libglib2.0-dev package. + +We maintain setup scripts (_*-setup.sh_) for many major distributions in the _tools_ directory of the Wireshark sources that can install the required development packages for you. + +== Crashes and other fatal errors + +=== I have an _XXX_ network card on my machine; if I try to capture on it, why does my machine crash or reset itself? + +This is almost certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap/Npcap library and, if this is Windows, the Npcap device +driver; + +so: + +* if you are using Windows, see {npcap-main-url}[the Npcap support page] - check the "Patches, Bug Reports, Questions, Suggestions, +etc" section; +* if you are using some Linux distribution, some version of BSD, or some +other UNIX-flavored OS, you should report the problem to the company or +organization that produces the OS (in the case of a Linux distribution, +report the problem to whoever produces the distribution). + +=== Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu? + +Both of those operations cause Wireshark to try to build a list of +the interfaces that it can open; it does so by getting a list of +interfaces and trying to open them. There is probably an OS, driver, or, +for Windows, Npcap bug that causes the system to crash when this +happens; see the previous question. + +== Capturing packets + +[#promiscsniff] +=== When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor? + +This might be because the interface on which you're capturing is +plugged into an Ethernet or Token Ring switch; on a switched network, +unicast traffic between two ports will not necessarily appear on other +ports - only broadcast and multicast traffic will be sent to all ports. + +Note that even if your machine is plugged into a hub, the "hub" may be +a switched hub, in which case you're still on a switched network. + +Note also that on the Linksys Web site, they say that their +auto-sensing hubs "broadcast the 10Mb packets to the port that operate +at 10Mb only and broadcast the 100Mb packets to the ports that operate +at 100Mb only", which would indicate that if you sniff on a 10Mb port, +you will not see traffic coming sent to a 100Mb port, and _vice versa_. +This problem has also been reported for Netgear dual-speed hubs, and may +exist for other "auto-sensing" or "dual-speed" hubs. + +Some switches have the ability to replicate all traffic on all ports to +a single port so that you can plug your analyzer into that single port +to sniff all traffic. You would have to check the documentation for the +switch to see if this is possible and, if so, to see how to do this. See +https://gitlab.com/wireshark/wireshark/-/wikis/SwitchReference[the switch reference page] on +https://gitlab.com/wireshark/wireshark/-/wikis[the Wireshark Wiki] for information on some +switches. (Note that it's a Wiki, so you can update or fix that +information, or add additional information on those switches or +information on new switches, yourself.) + +Note also that many firewall/NAT boxes have a switch built into them; +this includes many of the "cable/DSL router" boxes. If you have a box of +that sort, that has a switch with some number of Ethernet ports into +which you plug machines on your network, and another Ethernet port used +to connect to a cable or DSL modem, you can, at least, sniff traffic +between the machines on your network and the Internet by plugging the +Ethernet port on the router going to the modem, the Ethernet port on the +modem, and the machine on which you're running Wireshark into a hub +(make sure it's not a switching hub, and that, if it's a dual-speed hub, +all three of those ports are running at the same speed. + +If your machine is _not_ plugged into a switched network or a +dual-speed hub, or it is plugged into a switched network but the port is +set up to have all traffic replicated to it, the problem might be that +the network interface on which you're capturing doesn't support +"promiscuous" mode, or because your OS can't put the interface into +promiscuous mode. Normally, network interfaces supply to the host only: + +* packets sent to one of that host's link-layer addresses; +* broadcast packets; +* multicast packets sent to a multicast address that the host has +configured the interface to accept. + +Most network interfaces can also be put in "promiscuous" mode, in which +they supply to the host all network packets they see. Wireshark will try +to put the interface on which it's capturing into promiscuous mode +unless the "Capture packets in promiscuous mode" option is turned off in +the "Capture Options" dialog box, and TShark will try to put the +interface on which it's capturing into promiscuous mode unless the `-p` +option was specified. However, some network interfaces don't support +promiscuous mode, and some OSes might not allow interfaces to be put +into promiscuous mode. + +If the interface is not running in promiscuous mode, it won't see any +traffic that isn't intended to be seen by your machine. It *will* see +broadcast packets, and multicast packets sent to a multicast MAC address +the interface is set up to receive. + +You should ask the vendor of your network interface whether it supports +promiscuous mode. If it does, you should ask whoever supplied the driver +for the interface (the vendor, or the supplier of the OS you're running +on your machine) whether it supports promiscuous mode with that network +interface. + +In the case of wireless LAN interfaces, it appears that, when those +interfaces are promiscuously sniffing, they're running in a +significantly different mode from the mode that they run in when they're +just acting as network interfaces (to the extent that it would be a +significant effort for those drivers to support for promiscuously +sniffing _and_ acting as regular network interfaces at the same time), +so it may be that Windows drivers for those interfaces don't support +promiscuous mode. + +=== When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets? + +You're probably not seeing _any_ packets other than unicast packets +to or from your machine, and broadcast and multicast packets; a switch +will normally send to a port only unicast traffic sent to the MAC +address for the interface on that port, and broadcast and multicast +traffic - it won't send to that port unicast traffic sent to a MAC +address for some other interface - and a network interface not in +promiscuous mode will receive only unicast traffic sent to the MAC +address for that interface, broadcast traffic, and multicast traffic +sent to a multicast MAC address the interface is set up to receive. + +TCP doesn't use broadcast or multicast, so you will only see your own +TCP traffic, but UDP services may use broadcast or multicast so you'll +see some UDP traffic - however, this is not a problem with TCP traffic, +it's a problem with unicast traffic, as you also won't see all UDP +traffic between other machines. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I only seeing ARP packets when I try to capture traffic? + +You're probably on a switched network, and running Wireshark on a +machine that's not sending traffic to the switch and not being sent any +traffic from other machines on the switch. ARP packets are often +broadcast packets, which are sent to all switch ports. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I not seeing any traffic when I try to capture traffic? + +Is the machine running Wireshark sending out any traffic on the +network interface on which you're capturing, or receiving any traffic on +that network, or is there any broadcast traffic on the network or +multicast traffic to a multicast group to which the machine running +Wireshark belongs? + +If not, this may just be a problem with promiscuous sniffing, either +due to running on a switched network or a dual-speed hub, or due to +problems with the interface not supporting promiscuous mode; see the +response to link:#promiscsniff[this earlier question]. + +Otherwise, on Windows, see the response to link:#capprobwin[this +question] and, on a UNIX-flavored OS, see the response to +link:#capprobunix[this question]. + +=== How do I put an interface into promiscuous mode? + +By not disabling promiscuous mode when running Wireshark or TShark. + +Note, however, that: + +* the form of promiscuous mode that libpcap (the library that programs +such as tcpdump, Wireshark, etc. use to do packet capture) turns on will +*not* necessarily be shown if you run `ifconfig` on the interface on a +UNIX system; +* some network interfaces might not support promiscuous mode, and some +drivers might not allow promiscuous mode to be turned on - see +link:#promiscsniff[this earlier question] for more information on that; +* the fact that you're not seeing any traffic, or are only seeing +broadcast traffic, or aren't seeing any non-broadcast traffic other than +traffic to or from the machine running Wireshark, does not mean that +promiscuous mode isn't on - see link:#promiscsniff[this earlier +question] for more information on that. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== I can set a display filter just fine; why don't capture filters work? + +Capture filters currently use a different syntax than display +filters. Here's the corresponding section from the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page: + +"Display filters in Wireshark are very powerful; more fields are +filterable in Wireshark than in other protocol analyzers, and the syntax +you can use to create your filters is richer. As Wireshark progresses, +expect more and more protocol fields to be allowed in display filters. + +Packet capturing is performed with the pcap library. The capture filter +syntax follows the rules of the pcap library. This syntax is different +from the display filter syntax." + +The capture filter syntax used by libpcap can be found in the +http://www.tcpdump.org/tcpdump_man.html[tcpdump(8)] man page. + +=== How can I capture packets with CRC errors? + +Wireshark can capture only the packets that the packet capture +library - libpcap on UNIX-flavored OSes, and the Npcap port to Windows +of libpcap on Windows - can capture, and libpcap/Npcap can capture only +the packets that the OS's raw packet capture mechanism (or the Npcap +driver, and the underlying OS networking code and network interface +drivers, on Windows) will allow it to capture. + +Unless the OS always supplies packets with errors such as invalid CRCs +to the raw packet capture mechanism, or can be configured to do so, +invalid CRCs to the raw packet capture mechanism, Wireshark - and other +programs that capture raw packets, such as tcpdump - cannot capture +those packets. You will have to determine whether your OS needs to be so +configured and, if so, can be so configured, configure it if necessary +and possible, and make whatever changes to libpcap and the packet +capture program you're using are necessary, if any, to support capturing +those packets. + +Most OSes probably do *not* support capturing packets with invalid CRCs +on Ethernet, and probably do not support it on most other link-layer +types. Some drivers on some OSes do support it, such as some Ethernet +drivers on FreeBSD; in those OSes, you might always get those packets, +or you might only get them if you capture in promiscuous mode (you'd +have to determine which is the case). + +Note that libpcap does not currently supply to programs that use it an +indication of whether the packet's CRC was invalid (because the drivers +themselves do not supply that information to the raw packet capture +mechanism); therefore, Wireshark will not indicate which packets had CRC +errors unless the FCS was captured (see the next question) and you're +using Wireshark 0.9.15 and later, in which case Wireshark will check the +CRC and indicate whether it's correct or not. + +=== How can I capture entire frames, including the FCS? + +Wireshark can only capture data that the packet capture library - +libpcap on UNIX-flavored OSes, and the Npcap port to Windows of libpcap +on Windows - can capture, and libpcap/Npcap can capture only the data +that the OS's raw packet capture mechanism (or the Npcap driver, and the +underlying OS networking code and network interface drivers, on Windows) +will allow it to capture. + +For any particular link-layer network type, unless the OS supplies the +FCS of a frame as part of the frame, or can be configured to do so, +Wireshark - and other programs that capture raw packets, such as tcpdump +- cannot capture the FCS of a frame. You will have to determine whether +your OS needs to be so configured and, if so, can be so configured, +configure it if necessary and possible, and make whatever changes to +libpcap and the packet capture program you're using are necessary, if +any, to support capturing the FCS of a frame. + +Most OSes do *not* support capturing the FCS of a frame on Ethernet, +and probably do not support it on most other link-layer types. Some +drivers on some OSes do support it, such as some (all?) Ethernet drivers +on NetBSD and possibly the driver for Apple's gigabit Ethernet interface +in macOS; in those OSes, you might always get the FCS, or you might only +get the FCS if you capture in promiscuous mode (you'd have to determine +which is the case). + +Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in +a captured packet as an FCS. 0.9.15 and later will attempt to determine +whether there's an FCS at the end of the frame and, if it thinks there +is, will display it as such, and will check whether it's the correct +CRC-32 value or not. + +=== I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags? + +You might be capturing on what might be called a "VLAN interface" - +the way a particular OS makes VLANs plug into the networking stack +might, for example, be to have a network device object for the physical +interface, which takes VLAN packets, strips off the VLAN header and +constructs an Ethernet header, and passes that packet to an internal +network device object for the VLAN, which then passes the packets onto +various higher-level protocol implementations. + +In order to see the raw Ethernet packets, rather than "de-VLANized" +packets, you would have to capture not on the virtual interface for the +VLAN, but on the interface corresponding to the physical network device, +if possible. See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/VLAN[the +Wireshark Wiki item on VLAN capturing] for details. + +=== Why does Wireshark hang after I stop a capture? + +The most likely reason for this is that Wireshark is trying to look +up an IP address in the capture to convert it to a name (so that, for +example, it can display the name in the source address or destination +address columns), and that lookup process is taking a very long time. + +Wireshark calls a routine in the OS of the machine on which it's +running to convert of IP addresses to the corresponding names. That +routine probably does one or more of: + +* a search of a system file listing IP addresses and names; +* a lookup using DNS; +* on UNIX systems, a lookup using NIS; +* on Windows systems, a NetBIOS-over-TCP query. + +If a DNS server that's used in an address lookup is not responding, the +lookup will fail, but will only fail after a timeout while the system +routine waits for a reply. + +In addition, on Windows systems, if the DNS lookup of the address +fails, either because the server isn't responding or because there are +no records in the DNS that could be used to map the address to a name, a +NetBIOS-over-TCP query will be made. That query involves sending a +message to the NetBIOS-over-TCP name service on that machine, asking for +the name and other information about the machine. If the machine isn't +running software that responds to those queries - for example, many +non-Windows machines wouldn't be running that software - the lookup will +only fail after a timeout. Those timeouts can cause the lookup to take a +long time. + +If you disable network address-to-name translation - for example, by +turning off the "Enable network name resolution" option in the "Capture +Options" dialog box for starting a network capture - the lookups of the +address won't be done, which may speed up the process of reading the +capture file after the capture is stopped. You can make that setting the +default by selecting "Preferences" from the "Edit" menu, turning off the +"Enable network name resolution" option in the "Name resolution" options +in the preferences dialog box, and using the "Save" button in that +dialog box; note that this will save _all_ your current preference +settings. + +If Wireshark hangs when reading a capture even with network name +resolution turned off, there might, for example, be a bug in one of +Wireshark's dissectors for a protocol causing it to loop infinitely. If +you're not running the most recent release of Wireshark, you should +first upgrade to that release, as, if there's a bug of that sort, it +might've been fixed in a release after the one you're running. If the +hang occurs in the most recent release of Wireshark, the bug should be +reported to mailto:wireshark-dev@wireshark.org[the Wireshark developers' +mailing list] at `wireshark-dev@wireshark.org`. + +On UNIX-flavored OSes, please try to force Wireshark to dump core, by +sending it a `SIGABRT` signal (usually signal 6) with the `kill` +command, and then get a stack trace if you have a debugger installed. A +stack trace can be obtained by using your debugger (`gdb` in this +example), the Wireshark binary, and the resulting core file. Here's an +example of how to use the gdb command `backtrace` to do so. + +---- +$ gdb wireshark core +(gdb) backtrace +..... prints the stack trace +(gdb) quit +$ +---- + +The core dump file may be named "wireshark.core" rather than "core" on +some platforms (e.g., BSD systems). + +Also, if at all possible, please send a copy of the capture file that +caused the problem. When capturing packets, Wireshark normally writes +captured packets to a temporary file, which will probably be in `/tmp` +or `/var/tmp` on UNIX-flavored OSes, `\TEMP` on the main system disk +(normally `\Documents and Settings\<your login name>\Local Settings\Temp` on the main system disk on Windows XP and +Server 2003, and `\Users\<your login name>\AppData\Local\Temp` on the main +system disk on Windows Vista and later, so the capture file will +probably be there. If you are capturing on a single interface, it will +have a name of the form, +`wireshark_<iface>_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <fmt> is the +capture file format (pcap or pcapng), and <iface> is the actual name of +the interface you are capturing on; otherwise, if you are capturing on +multiple interfaces, it will have a name of the form, +`wireshark_<N>_interfaces_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <N> is the +number of simultaneous interfaces you are capturing on. Please don't +send a trace file greater than 1 MB when compressed; instead, make it +available via FTP or HTTP, or say it's available but leave it up to a +developer to ask for it. If the trace file contains sensitive +information (e.g., passwords), then please do not send it. + +== Capturing packets on Windows + +[#capprobwin] +=== I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +Wireshark relies on the Npcap library, the Npcap device driver, +and the facilities that come with the OS on which it's running in +order to do captures. + +Therefore, if the OS, the Npcap library, or the Npcap driver don't +support capturing on a particular network interface device, Wireshark +won't be able to capture on that device. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces. Try listing the interfaces with WinDump; see +https://www.windump.org/[the WinDump Web site] for information on using +WinDump. + +You would run WinDump with the `-D` flag; if it lists the interface, +please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the output of WinDump. + +If WinDump does _not_ list the interface, this is almost certainly a +problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the Npcap library and/or the Npcap device driver; + +so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there. +If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section. + +If you are having trouble capturing on a particular network interface, +first try capturing on that device with WinDump; see +https://www.windump.org/[the WinDump Web site] for information on using +WinDump. + +If you can capture on the interface with WinDump, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with WinDump, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the Npcap library and/or the Npcap device driver; + +so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there. +If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section. + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the mailto:dev@nmap.org[dev@nmap.org] mailing +lists to see if anybody happens to know about the problem and know a +workaround or fix for the problem. (Note that you will have to subscribe +to that list in order to be allowed to mail to it; see +{npcap-main-url}[the Npcap support page] for information on the +mailing list.) In your mail, please give full details of the problem, as +described above, and also indicate that the problem occurs with WinDump, +not just with Wireshark. + +=== I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobwin[the same question as a previous one]; +see the response to that question. + +=== I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark? + +If you are running some form of VPN client software, it might be +causing this problem; people have seen this problem when they have Check +Point's VPN software installed on their machine. If that's the cause of +the problem, you will have to remove the VPN software in order to have +Wireshark (or any other application using Npcap) see outgoing packets; +unfortunately, neither we nor the Npcap developers know any way to make +Npcap and the VPN software work well together. + +Also, some drivers for Windows (especially some wireless network +interface drivers) apparently do not, when running in promiscuous mode, +arrange that outgoing packets are delivered to the software that +requested that the interface run promiscuously; try turning promiscuous +mode off. + +=== When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety? + +In at least some cases, this appears to be the result of PGPnet +running on the network interface on which you're capturing; turn it off +on that interface. + +=== I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets? + +You should first ensure that Npcap was installed with {npcap-main-url}/guide/npcap-devguide.html#npcap-feature-dot11[raw 802.11 support] and that monitor mode is enabled. + +At least some 802.11 card drivers on Windows appear not to see any +packets if they're running in promiscuous mode. Try turning promiscuous +mode off; you'll only be able to see packets sent by and received by +your machine, not third-party traffic, and it'll look like Ethernet +traffic and won't include any management or control frames, but that's a +limitation of the card drivers. + +// XXX Is this still relevant? +// See the archived +// https://web.archive.org/web/20090226193157/http://www.micro-logix.com/winpcap/Supported.asp[MicroLogix's +// list of cards supported with WinPcap] for information on support of +// various adapters and drivers with WinPcap. + +=== I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +This appears to be another problem with promiscuous mode; try turning +it off. + +=== I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +The way the Windows networking code works probably means that packets +are sent on a "VLAN interface" rather than the "raw" device, so packets +sent by the machine will only be seen when you capture on the "VLAN +interface". If so, you will be unable to see outgoing packets when +capturing on the "raw" device, so you are stuck with a choice between +seeing VLAN headers and seeing outgoing packets. + +== Capturing packets on UN*Xes + +[#capprobunix] +=== I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +You may need to run Wireshark from an account with sufficient +privileges to capture packets, such as the super-user account, or may +need to give your account sufficient privileges to capture packets. Only +those interfaces that Wireshark can open for capturing show up in that +list; if you don't have sufficient privileges to capture on any +interfaces, no interfaces will show up in the list. See +https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges[the Wireshark +Wiki item on capture privileges] for details on how to give a particular +account or account group capture privileges on platforms where that can +be done. + +If you are running Wireshark from an account with sufficient +privileges, then note that Wireshark relies on the libpcap library, and +on the facilities that come with the OS on which it's running in order +to do captures. On some OSes, those facilities aren't present by +default; see https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CaptureSupport[the +Wireshark Wiki item on adding capture support] for details. + +And, even if you're running with an account that has sufficient +privileges to capture, and capture support is present in your OS, if the +OS or the libpcap library don't support capturing on a particular +network interface device or particular types of devices, Wireshark won't +be able to capture on that device. + +On Solaris, note that libpcap 0.6.2 and earlier didn't support Token +Ring interfaces; the current version, 0.7.2, does support Token Ring, +and the current version of Wireshark works with libpcap 0.7.2 and later. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces; please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using. + +If you are having trouble capturing on a particular network interface, +and you've made sure that (on platforms that require it) you've arranged +that packet capture support is present, as per the above, first try +capturing on that device with `tcpdump`. + +If you can capture on the interface with `tcpdump`, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with `tcpdump`, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap library; + +so you should report the problem to the company or organization that +produces the OS (in the case of a Linux distribution, report the problem +to whoever produces the distribution). + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the +mailto:tcpdump-workers@lists.tcpdump.org[tcpdump-workers@lists.tcpdump.org] +mailing lists to see if anybody happens to know about the problem and +know a workaround or fix for the problem. In your mail, please give full +details of the problem, as described above, and also indicate that the +problem occurs with `tcpdump` not just with Wireshark. + +=== I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobunix[the same question as the previous +one]; see the response to that question. + +=== I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution? + +Wireshark gets time stamps from libpcap/Npcap, and libpcap/Npcap get +them from the OS kernel, so Wireshark - and any other program using +libpcap, such as tcpdump - is at the mercy of the time stamping code in +the OS for time stamps. + +At least on x86-based machines, Linux can get high-resolution time +stamps on newer processors with the Time Stamp Counter (TSC) register; +for example, Intel x86 processors, starting with the Pentium Pro, and +including all x86 processors since then, have had a TSC, and other +vendors probably added the TSC at some point to their families of x86 +processors. The Linux kernel must be configured with the CONFIG_X86_TSC +option enabled in order to use the TSC. Make sure this option is enabled +in your kernel. + +In addition, some Linux distributions may have bugs in their versions +of the kernel that cause packets not to be given high-resolution time +stamps even if the TSC is enabled. See, for example, bug 61111 for Red +Hat Linux 7.2. If your distribution has a bug such as this, you may have +to run a standard kernel from kernel.org in order to get high-resolution +time stamps. + +== Capturing packets on wireless LANs + +=== How can I capture raw 802.11 frames, including non-data (management, beacon) frames? + +That depends on the operating system on which you're running, and on +the 802.11 interface on which you're capturing. + +This would probably require that you capture in promiscuous mode or in +the mode called "monitor mode" or "RFMON mode". On some platforms, or +with some cards, this might require that you capture in monitor mode - +promiscuous mode might not be sufficient. If you want to capture traffic +on networks other than the one with which you're associated, you will +have to capture in monitor mode. + +Not all operating systems support capturing non-data packets and, even +on operating systems that do support it, not all drivers, and thus not +all interfaces, support it. Even on those that do, monitor mode might +not be supported by the operating system or by the drivers for all +interfaces. + +*NOTE:* an interface running in monitor mode will, on most if not all +platforms, not be able to act as a regular network interface; putting it +into monitor mode will, in effect, take your machine off of whatever +network it's on as long as the interface is in monitor mode, allowing it +only to passively capture packets. + +This means that you should disable name resolution when capturing in +monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to +display IP addresses as host names, it will probably block for a long +time trying to resolve the name because it will not be able to +communicate with any DNS or NIS servers. + +See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/WLAN[the Wireshark Wiki +item on 802.11 capturing] for details. + +=== How do I capture on an 802.11 device in monitor mode? + +Whether you will be able to capture in monitor mode depends on the +operating system, adapter, and driver you're using. See +link:#raw_80211_sniff[the previous question] for information on monitor +mode, including a link to the Wireshark Wiki page that gives details on +802.11 capturing. + +== Viewing traffic + +=== Why am I seeing lots of packets with incorrect TCP checksums? + +If the packets that have incorrect TCP checksums are all being sent +by the machine on which Wireshark is running, this is probably because +the network interface on which you're capturing does TCP checksum +offloading. That means that the TCP checksum is added to the packet by +the network interface, not by the OS's TCP/IP stack; when capturing on +an interface, packets being sent by the host on which you're capturing +are directly handed to the capture interface by the OS, which means that +they are handed to the capture interface without a TCP checksum being +added to them. + +The only way to prevent this from happening would be to disable TCP +checksum offloading, but + +1. that might not even be possible on some OSes; +2. that could reduce networking performance significantly. + +However, you can disable the check that Wireshark does of the TCP +checksum, so that it won't report any packets as having TCP checksum +errors, and so that it won't refuse to do TCP reassembly due to a packet +having an incorrect TCP checksum. That can be set as an Wireshark +preference by selecting "Preferences" from the "Edit" menu, opening up +the "Protocols" list in the left-hand pane of the "Preferences" dialog +box, selecting "TCP", from that list, turning off the "Check the +validity of the TCP checksum when possible" option, clicking "Save" if +you want to save that setting in your preference file, and clicking +"OK". + +It can also be set on the Wireshark or TShark command line with a +`-o tcp.check_checksum:false` command-line flag, or manually set in your +preferences file by adding a `tcp.check_checksum:false` line. + +=== I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures? + +We have a collection of strange and exotic sample capture files at +https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures[https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures] + +=== Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP. + +Wireshark can identify a UDP datagram as containing a packet of a +particular protocol running atop UDP only if + +1. The protocol in question has a particular standard port number, and +the UDP source or destination port number is that port +2. Packets of that protocol can be identified by looking for a +"signature" of some type in the packet - i.e., some data that, if +Wireshark finds it in some particular part of a packet, means that the +packet is almost certainly a packet of that type. +3. Some _other_ traffic earlier in the capture indicated that, for +example, UDP traffic between two particular addresses and ports will be +RTP traffic. + +RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, +as far as I know, have any "signature", so 2) doesn't work. + +That leaves 3). If there's RTSP traffic that sets up an RTP session, +then, at least in some cases, the RTSP dissector will set things up so +that subsequent RTP traffic will be identified. Currently, that's the +only place we do that; there may be other places. + +However, there will always be places where Wireshark is simply +*incapable* of deducing that a given UDP flow is RTP; a mechanism would +be needed to allow the user to specify that a given conversation should +be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if +you select a UDP or TCP packet, the right mouse button menu will have a +"Decode As..." menu item, which will pop up a dialog box letting you +specify that the source port, the destination port, or both the source +and destination ports of the packet should be dissected as some +particular protocol. + +=== Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic? + +Wireshark only recognizes as Yahoo Messenger traffic packets to or +from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP +segments that start with the middle of a Yahoo Messenger packet that +takes more than one TCP segment will not be recognized as Yahoo +Messenger packets (even if the TCP segment also contains the beginning +of another Yahoo Messenger packet). + +== Filtering traffic + +=== I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error? + +You cannot use the name of a saved display filter as a filter. To +filter the display, you can enter a display filter expression - *not* +the name of a saved display filter - in the "Filter:" box at the bottom +of the display, and type the <Enter> key or press the "Apply" button +(that does not require you to have a saved filter), or, if you want to +use a saved filter, you can press the "Filter:" button, select the +filter in the dialog box that pops up, and press the "OK" button. + +=== How can I search for, or filter, packets that have a particular string anywhere in them? + +If you want to do this when capturing, you can't. That's a feature +that would be hard to implement in capture filters without changes to +the capture filter code, which, on many platforms, is in the OS kernel +and, on other platforms, is in the libpcap library. + +After capture, you can search for text by selecting _Edit→Find +Packet..._ and making sure _String_ is selected. Alternately, you can +use the "contains" display filter operator or "matches" operator if it's +supported on your system. + +=== How do I filter a capture to see traffic for virus XXX? + +For some viruses/worms there might be a capture filter to recognize +the virus traffic. Check the +https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters[CaptureFilters] page on the +https://gitlab.com/wireshark/wireshark/-/wikis[Wireshark Wiki] to see if anybody's added +such a filter. + +Note that Wireshark was not designed to be an intrusion detection +system; you might be able to use it as an IDS, but in most cases +software designed to be an IDS, such as https://www.snort.org/[Snort] or +https://www.prelude-siem.org/[Prelude], will probably work better. + +== Questions Which Are Still Notable Even Though They Aren’t Asked Much Any More + +=== What's up with the name change? Is Wireshark a fork? + +In May of 2006, Gerald Combs (the original author of Ethereal) went +to work for CACE Technologies (best known for WinPcap). Unfortunately, +he had to leave the Ethereal trademarks behind. + +This left the project in an awkward position. The only reasonable way +to ensure the continued success of the project was to change the name. +This is how Wireshark was born. + +Wireshark is almost (but not quite) a fork. Normally a "fork" of an +open source project results in two names, web sites, development teams, +support infrastructures, etc. This is the case with Wireshark except for +one notable exception -- every member of the core development team is +now working on Wireshark. There has been no active development on +Ethereal since the name change. Several parts of the Ethereal web site` +(such as the mailing lists, source code repository, and build farm) have +gone offline. + +More information on the name change can be found here: + +* https://www.prweb.com/releases/2006/6/prweb396098.htm[Original press +release] +* https://www.linux.com/news/ethereal-changes-name-wireshark[NewsForge article] +* Many other articles in https://www.wireshark.org/bibliography.html[our +bibliography] diff --git a/docbook/logray-quick-start.adoc b/docbook/logray-quick-start.adoc new file mode 100644 index 0000000..2e053c6 --- /dev/null +++ b/docbook/logray-quick-start.adoc @@ -0,0 +1,57 @@ += Logray Quick Start + +Logray is a sibling application for Wireshark which focuses on log messages. +It helps people understand, troubleshoot, and secure their systems via log messages similar to the way Wireshark helps people understand, troubleshoot, and secure their networks via packets. + +This document provides brief instructions for building Logray until more complete documentation comparable to the Wireshark Developer’s and User’s Guides can be written. + +== Building Logray + +Logray requires the same build environment as Wireshark. +See the https://www.wireshark.org/docs/wsdg_html_chunked/[Wireshark Developer’s Guide] for instructions on setting that up. + +It additionally requires libsinsp and libscap from https://github.com/falcosecurity/libs/[falcosecurity/libs] and any desired plugins from https://github.com/falcosecurity/plugins/[falcosecurity/plugins]. + +In order to build Logray, do the following: + +1. https://falco.org/docs/getting-started/source/[Build falcosecurity/libs]. + +2. Build falcosecurity/plugins. + +3. Build the Wireshark sources with the following CMake options: ++ +-- +[horizontal] +BUILD_logray:: Must be enabled, e.g. set to ON +SINSP_INCLUDEDIR:: The path to your local falcosecurity/libs directory +SINSP_LIBDIR:: The path to your falcosecurity/libs build directory +-- + +4. Create a directory named `falco` in your Logray plugins directory, and either copy in or symlink any desired Falco plugins. + +.Example 1: Building on macOS using Ninja +[sh] +---- +cmake -G Ninja \ + -DBUILD_logray=ON \ + -DSINSP_INCLUDEDIR=/path/to/falcosecurity/libs \ + -DSINSP_LIBDIR=/path/to/falcosecurity/libs/build \ + .. +ninja +mkdir run/Logray.app/Contents/PlugIns/logray/3-7/falco +(cd run/Logray.app/Contents/PlugIns/logray/3-7/falco ; ln -sn /path/to/falcosecurity-plugins/plugins/cloudtrail/libcloudtrail.so ) +---- + +.Example 2: Building on Linux using Make +[sh] +---- +cmake \ + -DBUILD_logray=ON \ + -DSINSP_INCLUDEDIR=/path/to/falcosecurity/libs \ + -DSINSP_LIBDIR=/path/to/falcosecurity/libs/build \ + .. +make -j $(getconf _NPROCESSORS_ONLN) +mkdir run/plugins/3.7/falco +(cd run/plugins/3.7/falco ; ln -sn /path/to/falcosecurity-plugins/plugins/cloudtrail/libcloudtrail.so ) +---- + diff --git a/docbook/make-wsluarm.py b/docbook/make-wsluarm.py new file mode 100755 index 0000000..5233075 --- /dev/null +++ b/docbook/make-wsluarm.py @@ -0,0 +1,458 @@ +#!/usr/bin/env python3 +# +# make-wsluarm.py +# +# By Gerald Combs <gerald@wireshark.org> +# Based on make-wsluarm.pl by Luis E. Garcia Onatnon <luis.ontanon@gmail.com> and Hadriel Kaplan +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +'''\ +WSLUA's Reference Manual Generator + +This reads Doxygen-style comments in C code and generates wslua API documentation +formatted as AsciiDoc. + +Behavior as documented by Hadriel: +- Allows modules (i.e., WSLUA_MODULE) to have detailed descriptions +- Two (or more) line breaks in comments result in separate paragraphs +- Any indent with a single leading star '*' followed by space is a bulleted list item + reducing indent or having an extra linebreak stops the list +- Any indent with a leading digits-dot followed by space, i.e. "1. ", is a numbered list item + reducing indent or having an extra linebreak stops the list +''' + +import argparse +import logging +import os +import re +import sys + +from enum import Enum +from string import Template + +def parse_desc(description): + '''\ +Break up descriptions based on newlines and keywords. Some processing +is done for code blocks and lists, but the output is otherwise left +intact. Assumes the input has been stripped. +''' + + c_lines = description.strip().splitlines() + + if len(c_lines) < 1: + return '' + + adoc_lines = [] + cli = iter(c_lines) + for line in cli: + raw_len = len(line) + line = line.lstrip() + indent = raw_len - len(line) + + # If we find "[source,...]" then treat it as a block + if re.search(r'\[source.*\]', line): + # The next line *should* be a delimiter... + block_delim = next(cli).strip() + line += f'\n{block_delim}\n' + block_line = next(cli) + # XXX try except StopIteration + while block_line.strip() != block_delim: + # Keep eating lines until the closing delimiter. + # XXX Strip indent spaces? + line += block_line + '\n' + block_line = next(cli) + line += block_delim + '\n' + + adoc_lines.append(line) + elif re.match(r'^\s*$', line): + # line is either empty or just whitespace, and we're not in a @code block + # so it's the end of a previous paragraph, beginning of new one + adoc_lines.append('') + else: + # We have a regular line, not in a @code block. + # Add it as-is. + + # if line starts with "@version" or "@since", make it a "Since:" + if re.match(r'^@(version|since)\s+', line): + line = re.sub(r'^@(version|since)\s+', 'Since: ', line) + adoc_lines.append(line) + + # If line starts with single "*" and space, leave it mostly intact. + elif re.match(r'^\*\s', line): + adoc_lines += ['', line] + # keep eating until we find a blank line or end + line = next(cli) + try: + while not re.match(r'^\s*$', line): + raw_len = len(line) + line = line.lstrip() + # if this is less indented than before, break out + if raw_len - len(line) < indent: + break + adoc_lines += [line] + line = next(cli) + except StopIteration: + pass + adoc_lines.append('') + + # if line starts with "1." and space, leave it mostly intact. + elif re.match(r'^1\.\s', line): + adoc_lines += ['', line] + # keep eating until we find a blank line or end + line = next(cli) + try: + while not re.match(r'^\s*$', line): + raw_len = len(line) + line = line.lstrip() + # if this is less indented than before, break out + if raw_len - len(line) < indent: + break + adoc_lines += [line] + line = next(cli) + except StopIteration: + pass + adoc_lines.append('') + + # Just a normal line, add it to array + else: + # Nested Lua arrays + line = re.sub(r'\[\[(.*)\]\]', r'$$\1$$', line) + adoc_lines += [line] + + # Strip out consecutive empty lines. + # This isn't strictly necessary but makes the AsciiDoc output prettier. + adoc_lines = '\n'.join(adoc_lines).splitlines() + adoc_lines = [val for idx, val in enumerate(adoc_lines) if idx == 0 or not (val == '' and val == adoc_lines[idx - 1])] + + return '\n'.join(adoc_lines) + + +class LuaFunction: + def __init__(self, c_file, id, start, name, raw_description): + self.c_file = c_file + self.id = id + self.start = start + self.name = name + if not raw_description: + raw_description = '' + self.description = parse_desc(raw_description) + self.arguments = [] # (name, description, optional) + self.returns = [] # description + self.errors = [] # description + logging.info(f'Created function {id} ({name}) at {start}') + + def add_argument(self, id, raw_name, raw_description, raw_optional): + if id != self.id: + logging.critical(f'Invalid argument ID {id} in function {self.id}') + sys.exit(1) + if not raw_description: + raw_description = '' + optional = False + if raw_optional == 'OPT': + optional = True + self.arguments.append((raw_name.lower(), parse_desc(raw_description), optional)) + + def extract_buf(self, buf): + "Extract arguments, errors, and return values from a function's buffer." + + # Splits "WSLUA_OPTARG_ProtoField_int8_NAME /* food */" into + # "OPT" (1), "ProtoField_int8" (2), "NAME" (3), ..., ..., " food " (6) + # Handles functions like "loadfile(filename)" too. + for m in re.finditer(r'#define WSLUA_(OPT)?ARG_((?:[A-Za-z0-9]+_)?[a-z0-9_]+)_([A-Z0-9_]+)\s+\d+' + TRAILING_COMMENT_RE, buf, re.MULTILINE|re.DOTALL): + self.add_argument(m.group(2), m.group(3), m.group(6), m.group(1)) + logging.info(f'Created arg {m.group(3)} for {self.id} at {m.start()}') + + # Same as above, except that there is no macro but a (multi-line) comment. + for m in re.finditer(r'/\*\s*WSLUA_(OPT)?ARG_((?:[A-Za-z0-9]+_)?[a-z0-9_]+)_([A-Z0-9_]+)\s*(.*?)\*/', buf, re.MULTILINE|re.DOTALL): + self.add_argument(m.group(2), m.group(3), m.group(4), m.group(1)) + logging.info(f'Created arg {m.group(3)} for {self.id} at {m.start()}') + + for m in re.finditer(r'/\*\s+WSLUA_MOREARGS\s+([A-Za-z_]+)\s+(.*?)\*/', buf, re.MULTILINE|re.DOTALL): + self.add_argument(m.group(1), '...', m.group(2), False) + logging.info(f'Created morearg for {self.id}') + + for m in re.finditer(r'WSLUA_(FINAL_)?RETURN\(\s*.*?\s*\)\s*;' + TRAILING_COMMENT_RE, buf, re.MULTILINE|re.DOTALL): + if m.group(4) and len(m.group(4)) > 0: + self.returns.append(m.group(4).strip()) + logging.info(f'Created return for {self.id} at {m.start()}') + + for m in re.finditer(r'/\*\s*_WSLUA_RETURNS_\s*(.*?)\*/', buf, re.MULTILINE|re.DOTALL): + if m.group(1) and len(m.group(1)) > 0: + self.returns.append(m.group(1).strip()) + logging.info(f'Created return for {self.id} at {m.start()}') + + for m in re.finditer(r'WSLUA_ERROR\s*\(\s*(([A-Z][A-Za-z]+)_)?([a-z_]+),' + QUOTED_RE, buf, re.MULTILINE|re.DOTALL): + self.errors.append(m.group(4).strip()) + logging.info(f'Created error {m.group(4)[:10]} for {self.id} at {m.start()}') + + def to_adoc(self): + # The Perl script wrapped optional args in '[]', joined them with ', ', and + # converted non-alphabetic characters to underscores. + mangled_names = [f'_{a}_' if optional else a for a, _, optional in self.arguments] + section_name = re.sub('[^A-Za-z0-9]', '_', f'{self.name}_{"__".join(mangled_names)}_') + opt_names = [f'[{a}]' if optional else a for a, _, optional in self.arguments] + adoc_buf = f''' +// {self.c_file} +[#lua_fn_{section_name}] +===== {self.name}({', '.join(opt_names)}) + +{self.description} +''' + if len(self.arguments) > 0: + adoc_buf += ''' +[float] +===== Arguments +''' + for (name, description, optional) in self.arguments: + if optional: + name += ' (optional)' + adoc_buf += f'\n{name}::\n' + + if len(description) > 0: + adoc_buf += f'\n{description}\n' + + adoc_buf += f'\n// function_arg_footer: {name}' + + if len(self.arguments) > 0: + adoc_buf += '\n// end of function_args\n' + + if len(self.returns) > 0: + adoc_buf += ''' +[float] +===== Returns +''' + for description in self.returns: + adoc_buf += f'\n{description}\n' + + if len(self.returns) > 0: + adoc_buf += f'\n// function_returns_footer: {self.name}' + + if len(self.errors) > 0: + adoc_buf += ''' +[float] +===== Errors +''' + for description in self.errors: + adoc_buf += f'\n* {description}\n' + + if len(self.errors) > 0: + adoc_buf += f'\n// function_errors_footer: {self.name}' + + adoc_buf += f'\n// function_footer: {section_name}\n' + + return adoc_buf + + +# group 1: whole trailing comment (possibly empty), e.g. " /* foo */" +# group 2: any leading whitespace. XXX why is this not removed using (?:...) +# group 3: actual comment text, e.g. " foo ". +TRAILING_COMMENT_RE = r'((\s*|[\n\r]*)/\*(.*?)\*/)?' +IN_COMMENT_RE = r'[\s\r\n]*((.*?)\s*\*/)?' +QUOTED_RE = r'"([^"]*)"' + +# XXX We might want to create a "LuaClass" class similar to LuaFunction +# and move these there. +def extract_class_definitions(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'WSLUA_CLASS_DEFINE(?:_BASE)?\(\s*([A-Z][a-zA-Z0-9]+).*?\);' + TRAILING_COMMENT_RE, c_buf, re.MULTILINE|re.DOTALL): + raw_desc = m.group(4) + if raw_desc is None: + raw_desc = '' + name = m.group(1) + mod_class = { + 'description': parse_desc(raw_desc), + 'constructors': [], + 'methods': [], + 'attributes': [], + } + classes[name] = mod_class + logging.info(f'Created class {name}') + return 0 + +def extract_function_definitions(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'WSLUA_FUNCTION\s+wslua_([a-z_0-9]+)[^\{]*\{' + TRAILING_COMMENT_RE, c_buf, re.MULTILINE|re.DOTALL): + id = m.group(1) + functions[id] = LuaFunction(c_file, id, m.start(), id, m.group(4)) + +def extract_constructor_definitions(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'WSLUA_CONSTRUCTOR\s+([A-Za-z0-9]+)_([a-z0-9_]+).*?\{' + TRAILING_COMMENT_RE, c_buf, re.MULTILINE|re.DOTALL): + class_name = m.group(1) + id = f'{class_name}_{m.group(2)}' + name = f'{class_name}.{m.group(2)}' + functions[id] = LuaFunction(c_file, id, m.start(), name, m.group(5)) + classes[class_name]['constructors'].append(id) + +def extract_constructor_markups(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'_WSLUA_CONSTRUCTOR_\s+([A-Za-z0-9]+)_([a-z0-9_]+)\s*(.*?)\*/', c_buf, re.MULTILINE|re.DOTALL): + class_name = m.group(1) + id = f'{class_name}_{m.group(2)}' + name = f'{class_name}.{m.group(2)}' + functions[id] = LuaFunction(c_file, id, m.start(), name, m.group(3)) + classes[class_name]['constructors'].append(id) + +def extract_method_definitions(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'WSLUA_METHOD\s+([A-Za-z0-9]+)_([a-z0-9_]+)[^\{]*\{' + TRAILING_COMMENT_RE, c_buf, re.MULTILINE|re.DOTALL): + class_name = m.group(1) + id = f'{class_name}_{m.group(2)}' + name = f'{class_name.lower()}:{m.group(2)}' + functions[id] = LuaFunction(c_file, id, m.start(), name, m.group(5)) + classes[class_name]['methods'].append(id) + +def extract_metamethod_definitions(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'WSLUA_METAMETHOD\s+([A-Za-z0-9]+)(__[a-z0-9]+)[^\{]*\{' + TRAILING_COMMENT_RE, c_buf, re.MULTILINE|re.DOTALL): + class_name = m.group(1) + id = f'{class_name}{m.group(2)}' + name = f'{class_name.lower()}:{m.group(2)}' + functions[id] = LuaFunction(c_file, id, m.start(), name, m.group(5)) + classes[class_name]['methods'].append(id) + +def extract_attribute_markups(c_file, c_buf, module, classes, functions): + for m in re.finditer(r'/\*\s+WSLUA_ATTRIBUTE\s+([A-Za-z0-9]+)_([a-z0-9_]+)\s+([A-Z]*)\s*(.*?)\*/', c_buf, re.MULTILINE|re.DOTALL): + class_name = m.group(1) + name = f'{m.group(1).lower()}.{m.group(2)}' + mode = m.group(3) + mode_desc = 'Mode: ' + if 'RO' in mode: + mode_desc += 'Retrieve only.\n' + elif 'WO' in mode: + mode_desc += 'Assign only.\n' + elif 'RW' in mode or 'WR' in mode: + mode_desc += 'Retrieve or assign.\n' + else: + sys.stderr.write(f'Attribute does not have a RO/WO/RW mode {mode}\n') + sys.exit(1) + + attribute = { + 'name': name, + 'description': parse_desc(f'{mode_desc}\n{m.group(4)}'), + } + classes[class_name]['attributes'].append(attribute) + logging.info(f'Created attribute {name} for class {class_name}') + +def main(): + parser = argparse.ArgumentParser(description="WSLUA's Reference Manual Generator") + parser.add_argument("c_files", nargs='+', metavar='C file', help="C file") + parser.add_argument('--output-directory', help='Output directory') + parser.add_argument('--verbose', action='store_true', help='Show more output') + args = parser.parse_args() + + logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.DEBUG if args.verbose else logging.WARNING) + + modules = {} + + for c_file in args.c_files: + with open(c_file, encoding='utf-8') as c_f: + c_buf = c_f.read() + + # Peek for modules vs continuations. + m = re.search(r'WSLUA_(|CONTINUE_)MODULE\s*(\w+)', c_buf) + if m: + module_name = m.group(2) + c_pair = (os.path.basename(c_file), c_buf) + try: + if m.group(1) == 'CONTINUE_': + modules[module_name]['c'].append(c_pair) + else: + modules[module_name]['c'].insert(0, c_pair) + except KeyError: + modules[module_name] = {} + modules[module_name]['c'] = [c_pair] + modules[module_name]['file_base'] = os.path.splitext(c_pair[0])[0] + else: + logging.warning(f'No module found in {c_file}') + + extractors = [ + extract_class_definitions, + extract_function_definitions, + extract_constructor_definitions, + extract_constructor_markups, + extract_method_definitions, + extract_metamethod_definitions, + extract_attribute_markups, + ] + + for module_name in sorted(modules): + adoc_file = f'{modules[module_name]["file_base"]}.adoc' + logging.info(f'Writing module {module_name} to {adoc_file} from {len(modules[module_name]["c"])} input(s)') + functions = {} + classes = {} + + # Extract our module's description. + m = re.search(r'WSLUA_MODULE\s*[A-Z][a-zA-Z0-9]+' + IN_COMMENT_RE, modules[module_name]['c'][0][1], re.MULTILINE|re.DOTALL) + if not m: + return + modules[module_name]['description'] = parse_desc(f'{m.group(2)}') + + # Extract module-level information from each file. + for (c_file, c_buf) in modules[module_name]['c']: + for extractor in extractors: + extractor(c_file, c_buf, modules[module_name], classes, functions) + + # Extract function-level information from each file. + for (c_file, c_buf) in modules[module_name]['c']: + c_file_ids = filter(lambda k: functions[k].c_file == c_file, functions.keys()) + func_ids = sorted(c_file_ids, key=lambda k: functions[k].start) + id = func_ids.pop(0) + for next_id in func_ids: + functions[id].extract_buf(c_buf[functions[id].start:functions[next_id].start]) + id = next_id + functions[id].extract_buf(c_buf[functions[id].start:]) + + with open(os.path.join(args.output_directory, adoc_file), 'w', encoding='utf-8') as adoc_f: + adoc_f.write(f'''\ +// {c_file} +[#lua_module_{module_name}] +=== {modules[module_name]["description"]} +''') + for class_name in sorted(classes.keys()): + lua_class = classes[class_name] + adoc_f.write(f''' +// {c_file} +[#lua_class_{class_name}] +==== {class_name} +''') + + if not lua_class["description"] == '': + adoc_f.write(f'\n{lua_class["description"]}\n') + + for constructor_id in sorted(lua_class['constructors'], key=lambda id: functions[id].start): + adoc_f.write(functions[constructor_id].to_adoc()) + del functions[constructor_id] + + for method_id in sorted(lua_class['methods'], key=lambda id: functions[id].start): + adoc_f.write(functions[method_id].to_adoc()) + del functions[method_id] + + for attribute in lua_class['attributes']: + attribute_id = re.sub('[^A-Za-z0-9]', '_', f'{attribute["name"]}') + adoc_f.write(f''' +[#lua_class_attrib_{attribute_id}] +===== {attribute["name"]} + +{attribute["description"]} + +// End {attribute["name"]} +''') + + + adoc_f.write(f'\n// class_footer: {class_name}\n') + + if len(functions.keys()) > 0: + adoc_f.write(f'''\ +[#global_functions_{module_name}] +==== Global Functions +''') + + for global_id in sorted(functions.keys(), key=lambda id: functions[id].start): + adoc_f.write(functions[global_id].to_adoc()) + + if len(functions.keys()) > 0: + adoc_f.write(f'// Global function\n') + + adoc_f.write('// end of module\n') + +if __name__ == '__main__': + main() diff --git a/docbook/ws.css b/docbook/ws.css new file mode 100644 index 0000000..ee79141 --- /dev/null +++ b/docbook/ws.css @@ -0,0 +1,770 @@ +/*! normalize.css v2.1.2 | MIT License | git.io/normalize */ +/* ========================================================================== HTML5 display definitions ========================================================================== */ +/** Correct `block` display not defined in IE 8/9. */ +article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary { display: block; } + +/** Correct `inline-block` display not defined in IE 8/9. */ +audio, canvas, video { display: inline-block; } + +/** Prevent modern browsers from displaying `audio` without controls. Remove excess height in iOS 5 devices. */ +audio:not([controls]) { display: none; height: 0; } + +/** Address `[hidden]` styling not present in IE 8/9. Hide the `template` element in IE, Safari, and Firefox < 22. */ +[hidden], template { display: none; } + +script { display: none !important; } + +/* ========================================================================== Base ========================================================================== */ +/** 1. Set default font family to sans-serif. 2. Prevent iOS text size adjust after orientation change, without disabling user zoom. */ +html { font-family: sans-serif; /* 1 */ -ms-text-size-adjust: 100%; /* 2 */ -webkit-text-size-adjust: 100%; /* 2 */ } + +/** Remove default margin. */ +body { margin: 0; } + +/* ========================================================================== Links ========================================================================== */ +/** Remove the gray background color from active links in IE 10. */ +a { background: transparent; } + +/** Address `outline` inconsistency between Chrome and other browsers. */ +a:focus { outline: thin dotted; } + +/** Improve readability when focused and also mouse hovered in all browsers. */ +a:active, a:hover { outline: 0; } + +/* ========================================================================== Typography ========================================================================== */ +/** Address variable `h1` font-size and margin within `section` and `article` contexts in Firefox 4+, Safari 5, and Chrome. */ +h1 { font-size: 2em; margin: 0.67em 0; } + +/** Address styling not present in IE 8/9, Safari 5, and Chrome. */ +abbr[title] { border-bottom: 1px dotted; } + +/** Address style set to `bolder` in Firefox 4+, Safari 5, and Chrome. */ +b, strong { font-weight: bold; } + +/** Address styling not present in Safari 5 and Chrome. */ +dfn { font-style: italic; } + +/** Address differences between Firefox and other browsers. */ +hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } + +/** Address styling not present in IE 8/9. */ +mark { background: #ff0; color: #000; } + +/** Correct font family set oddly in Safari 5 and Chrome. */ +code, kbd, pre, samp { font-family: monospace, serif; font-size: 1em; } + +/** Improve readability of pre-formatted text in all browsers. */ +pre { white-space: pre-wrap; } + +/** Set consistent quote types. */ +q { quotes: "\201C" "\201D" "\2018" "\2019"; } + +/** Address inconsistent and variable font size in all browsers. */ +small { font-size: 80%; } + +/** Prevent `sub` and `sup` affecting `line-height` in all browsers. */ +sub, sup { font-size: 75%; line-height: 0; position: relative; vertical-align: baseline; } + +sup { top: -0.5em; } + +sub { bottom: -0.25em; } + +/* ========================================================================== Embedded content ========================================================================== */ +/** Remove border when inside `a` element in IE 8/9. */ +img { border: 0; } + +/** Correct overflow displayed oddly in IE 9. */ +svg:not(:root) { overflow: hidden; } + +/* ========================================================================== Figures ========================================================================== */ +/** Address margin not present in IE 8/9 and Safari 5. */ +figure { margin: 0; } + +/* ========================================================================== Forms ========================================================================== */ +/** Define consistent border, margin, and padding. */ +fieldset { border: 1px solid #c0c0c0; margin: 0 2px; padding: 0.35em 0.625em 0.75em; } + +/** 1. Correct `color` not being inherited in IE 8/9. 2. Remove padding so people aren't caught out if they zero out fieldsets. */ +legend { border: 0; /* 1 */ padding: 0; /* 2 */ } + +/** 1. Correct font family not being inherited in all browsers. 2. Correct font size not being inherited in all browsers. 3. Address margins set differently in Firefox 4+, Safari 5, and Chrome. */ +button, input, select, textarea { font-family: inherit; /* 1 */ font-size: 100%; /* 2 */ margin: 0; /* 3 */ } + +/** Address Firefox 4+ setting `line-height` on `input` using `!important` in the UA stylesheet. */ +button, input { line-height: normal; } + +/** Address inconsistent `text-transform` inheritance for `button` and `select`. All other form control elements do not inherit `text-transform` values. Correct `button` style inheritance in Chrome, Safari 5+, and IE 8+. Correct `select` style inheritance in Firefox 4+ and Opera. */ +button, select { text-transform: none; } + +/** 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio` and `video` controls. 2. Correct inability to style clickable `input` types in iOS. 3. Improve usability and consistency of cursor style between image-type `input` and others. */ +button, html input[type="button"], input[type="reset"], input[type="submit"] { -webkit-appearance: button; /* 2 */ cursor: pointer; /* 3 */ } + +/** Re-set default cursor for disabled elements. */ +button[disabled], html input[disabled] { cursor: default; } + +/** 1. Address box sizing set to `content-box` in IE 8/9. 2. Remove excess padding in IE 8/9. */ +input[type="checkbox"], input[type="radio"] { box-sizing: border-box; /* 1 */ padding: 0; /* 2 */ } + +/** 1. Address `appearance` set to `searchfield` in Safari 5 and Chrome. 2. Address `box-sizing` set to `border-box` in Safari 5 and Chrome (include `-moz` to future-proof). */ +input[type="search"] { -webkit-appearance: textfield; /* 1 */ -moz-box-sizing: content-box; -webkit-box-sizing: content-box; /* 2 */ box-sizing: content-box; } + +/** Remove inner padding and search cancel button in Safari 5 and Chrome on OS X. */ +input[type="search"]::-webkit-search-cancel-button, input[type="search"]::-webkit-search-decoration { -webkit-appearance: none; } + +/** Remove inner padding and border in Firefox 4+. */ +button::-moz-focus-inner, input::-moz-focus-inner { border: 0; padding: 0; } + +/** 1. Remove default vertical scrollbar in IE 8/9. 2. Improve readability and alignment in all browsers. */ +textarea { overflow: auto; /* 1 */ vertical-align: top; /* 2 */ } + +/* ========================================================================== Tables ========================================================================== */ +/** Remove most spacing between table cells. */ +table { border-collapse: collapse; border-spacing: 0; } + +meta.foundation-mq-small { font-family: "only screen and (min-width: 768px)"; width: 768px; } + +meta.foundation-mq-medium { font-family: "only screen and (min-width:1280px)"; width: 1280px; } + +meta.foundation-mq-large { font-family: "only screen and (min-width:1440px)"; width: 1440px; } + +*, *:before, *:after { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; } + +html, body { font-size: 100%; } + +body { background: white; color: rgba(0, 0, 0, 0.8); padding: 0; margin: 0; font-family: Georgia, "Times New Roman", Times, serif; font-weight: normal; font-style: normal; line-height: 1; position: relative; cursor: auto; } + +a:hover { cursor: pointer; } + +img, object, embed { max-width: 100%; height: auto; } + +object, embed { height: 100%; } + +img { -ms-interpolation-mode: bicubic; } + +#map_canvas img, #map_canvas embed, #map_canvas object, .map_canvas img, .map_canvas embed, .map_canvas object { max-width: none !important; } + +.left { float: left !important; } + +.right { float: right !important; } + +.text-left { text-align: left !important; } + +.text-right { text-align: right !important; } + +.text-center { text-align: center !important; } + +.text-justify { text-align: justify !important; } + +.hide { display: none; } + +.antialiased { -webkit-font-smoothing: antialiased; } + +img { display: inline-block; vertical-align: middle; } + +textarea { height: auto; min-height: 50px; } + +select { width: 100%; } + +p.lead { font-size: 1.21875em; line-height: 1.6; } + +.subheader, .admonitionblock td.content > .title, .audioblock > .title, .exampleblock > .title, .imageblock > .title, .listingblock > .title, .literalblock > .title, .stemblock > .title, .openblock > .title, .paragraph > .title, .quoteblock > .title, table.tableblock > .title, .verseblock > .title, .videoblock > .title, .dlist > .title, .olist > .title, .ulist > .title, .qlist > .title, .hdlist > .title { line-height: 1.45; color: #00234c; font-weight: normal; margin-top: 0; margin-bottom: 0.25em; } + +/* Typography resets */ +div, dl, dt, dd, ul, ol, li, h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6, pre, form, p, blockquote, th, td { margin: 0; padding: 0; direction: ltr; } + +/* Default Link Styles */ +a { color: #2156a5; text-decoration: underline; line-height: inherit; } +a:hover, a:focus { color: #1d4b8f; } +a img { border: none; } + +/* Default paragraph styles */ +p { font-family: inherit; font-weight: normal; font-size: 1em; line-height: 1.6; margin-bottom: 1.25em; text-rendering: optimizeLegibility; } +p aside { font-size: 0.875em; line-height: 1.35; font-style: italic; } + +/* Default header styles */ +h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; font-weight: 300; font-style: normal; color: #004698; text-rendering: optimizeLegibility; margin-top: 1em; margin-bottom: 0.5em; line-height: 1.0125em; } +h1 small, h2 small, h3 small, #toctitle small, .sidebarblock > .content > .title small, h4 small, h5 small, h6 small { font-size: 60%; color: #3290ff; line-height: 0; } + +h1 { font-size: 2.125em; } + +h2 { font-size: 1.6875em; } + +h3, #toctitle, .sidebarblock > .content > .title { font-size: 1.375em; } + +h4 { font-size: 1.125em; } + +h5 { font-size: 1.125em; } + +h6 { font-size: 1em; } + +hr { border: solid #ddddd8; border-width: 1px 0 0; clear: both; margin: 1.25em 0 1.1875em; height: 0; } + +/* Helpful Typography Defaults */ +em, i { font-style: italic; line-height: inherit; } + +strong, b { font-weight: bold; line-height: inherit; } + +small { font-size: 60%; line-height: inherit; } + +code { font-family: "Lucida Console", Menlo, Consolas, monospace; font-weight: normal; color: rgba(0, 0, 0, 0.9); } + +/* Lists */ +ul, ol, dl { font-size: 1em; line-height: 1.6; margin-bottom: 1.25em; list-style-position: outside; font-family: inherit; } + +ul, ol { margin-left: 1.5em; } +ul.no-bullet, ol.no-bullet { margin-left: 1.5em; } + +/* Unordered Lists */ +ul li ul, ul li ol { margin-left: 1.25em; margin-bottom: 0; font-size: 1em; /* Override nested font-size change */ } +ul.square li ul, ul.circle li ul, ul.disc li ul { list-style: inherit; } +ul.square { list-style-type: square; } +ul.circle { list-style-type: circle; } +ul.disc { list-style-type: disc; } +ul.no-bullet { list-style: none; } + +/* Ordered Lists */ +ol li ul, ol li ol { margin-left: 1.25em; margin-bottom: 0; } + +/* Definition Lists */ +dl dt { margin-bottom: 0.3125em; font-weight: bold; } +dl dd { margin-bottom: 1.25em; } + +/* Abbreviations */ +abbr, acronym { text-transform: uppercase; font-size: 90%; color: rgba(0, 0, 0, 0.8); border-bottom: 1px dotted #dddddd; cursor: help; } + +abbr { text-transform: none; } + +/* Blockquotes */ +blockquote { margin: 0 0 1.25em; padding: 0.5625em 1.25em 0 1.1875em; border-left: 1px solid #dddddd; } +blockquote cite { display: block; font-size: 0.9375em; color: rgba(0, 0, 0, 0.6); } +blockquote cite:before { content: "\2014 \0020"; } +blockquote cite a, blockquote cite a:visited { color: rgba(0, 0, 0, 0.6); } + +blockquote, blockquote p { line-height: 1.6; color: rgba(0, 0, 0, 0.85); } + +/* Microformats */ +.vcard { display: inline-block; margin: 0 0 1.25em 0; border: 1px solid #dddddd; padding: 0.625em 0.75em; } +.vcard li { margin: 0; display: block; } +.vcard .fn { font-weight: bold; font-size: 0.9375em; } + +.vevent .summary { font-weight: bold; } +.vevent abbr { cursor: auto; text-decoration: none; font-weight: bold; border: none; padding: 0 0.0625em; } + +@media only screen and (min-width: 768px) { h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { line-height: 1.2; } + h1 { font-size: 2.75em; } + h2 { font-size: 2.3125em; } + h3, #toctitle, .sidebarblock > .content > .title { font-size: 1.6875em; } + h4 { font-size: 1.4375em; } } +/* Tables */ +table { background: white; margin-bottom: 1.25em; border: solid 1px #dedede; } +table thead, table tfoot { background: #f7f8f7; font-weight: bold; } +table thead tr th, table thead tr td, table tfoot tr th, table tfoot tr td { padding: 0.5em 0.625em 0.625em; font-size: inherit; color: rgba(0, 0, 0, 0.8); text-align: left; } +table tr th, table tr td { padding: 0.5625em 0.625em; font-size: inherit; color: rgba(0, 0, 0, 0.8); } +table tr.even, table tr.alt, table tr:nth-of-type(even) { background: #f8f8f7; } +table thead tr th, table tfoot tr th, table tbody tr td, table tr td, table tfoot tr td { display: table-cell; line-height: 1.6; } + +body { tab-size: 4; word-wrap: anywhere; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } + +table { word-wrap: normal; } + +h1, h2, h3, #toctitle, .sidebarblock > .content > .title, h4, h5, h6 { line-height: 1.2; word-spacing: -0.05em; } +h1 strong, h2 strong, h3 strong, #toctitle strong, .sidebarblock > .content > .title strong, h4 strong, h5 strong, h6 strong { font-weight: 400; } + +object, svg { display: inline-block; vertical-align: middle; } + +.center { margin-left: auto; margin-right: auto; } + +.stretch { width: 100%; } + +.clearfix:before, .clearfix:after, .float-group:before, .float-group:after { content: " "; display: table; } +.clearfix:after, .float-group:after { clear: both; } + +:not(pre).nobreak { word-wrap: normal; } +:not(pre).nowrap { white-space: nowrap; } +:not(pre).pre-wrap { white-space: pre-wrap; } + +:not(pre):not([class^=L]) > code { font-size: 0.9375em; font-style: normal !important; letter-spacing: 0; padding: 0.1em 0.5ex; word-spacing: -0.15em; background-color: #f7f7f8; -webkit-border-radius: 4px; border-radius: 4px; line-height: 1.45; text-rendering: optimizeSpeed; } + +pre { color: rgba(0, 0, 0, 0.9); font-family: "Lucida Console", Menlo, Consolas, monospace; line-height: 1.45; text-rendering: optimizeSpeed; } +pre code, pre pre { color: inherit; font-size: inherit; line-height: inherit; } +pre > code { display: block; } + +pre.nowrap, pre.nowrap pre { white-space: pre; word-wrap: normal; } + +em em { font-style: normal; } + +strong strong { font-weight: normal; } + +.keyseq { color: rgba(51, 51, 51, 0.8); } + +kbd { font-family: "Lucida Console", Menlo, Consolas, monospace; display: inline-block; color: rgba(0, 0, 0, 0.8); font-size: 0.65em; line-height: 1.45; background-color: #f7f7f7; border: 1px solid #ccc; -webkit-border-radius: 3px; border-radius: 3px; -webkit-box-shadow: 0 1px 0 rgba(0, 0, 0, 0.2), 0 0 0 0.1em white inset; box-shadow: 0 1px 0 rgba(0, 0, 0, 0.2), 0 0 0 0.1em white inset; margin: 0 0.15em; padding: 0.2em 0.5em; vertical-align: middle; position: relative; top: -0.1em; white-space: nowrap; } + +.keyseq kbd:first-child { margin-left: 0; } + +.keyseq kbd:last-child { margin-right: 0; } + +.menuseq, .menuref { color: #000; } + +.menuseq b:not(.caret), .menuref { font-weight: inherit; } + +.menuseq { word-spacing: -0.02em; } +.menuseq b.caret { font-size: 1.25em; line-height: 0.8; } +.menuseq i.caret { font-weight: bold; text-align: center; width: 0.45em; } + +b.button:before, b.button:after { position: relative; top: -1px; font-weight: normal; } + +b.button:before { content: "["; padding: 0 3px 0 2px; } + +b.button:after { content: "]"; padding: 0 2px 0 3px; } + +p a > code:hover { color: rgba(0, 0, 0, 0.9); } + +#header, #content, #footnotes, #footer { width: 100%; margin-left: auto; margin-right: auto; margin-top: 0; margin-bottom: 0; max-width: 62.5em; *zoom: 1; position: relative; padding-left: 0.9375em; padding-right: 0.9375em; } +#header:before, #header:after, #content:before, #content:after, #footnotes:before, #footnotes:after, #footer:before, #footer:after { content: " "; display: table; } +#header:after, #content:after, #footnotes:after, #footer:after { clear: both; } + +#content { margin-top: 1.25em; } + +#content:before { content: none; } + +#header > h1:first-child { color: rgba(0, 0, 0, 0.85); margin-top: 2.25rem; margin-bottom: 0; } +#header > h1:first-child + #toc { margin-top: 8px; border-top: 1px solid #ddddd8; } +#header > h1:only-child, body.toc2 #header > h1:nth-last-child(2) { border-bottom: 1px solid #ddddd8; padding-bottom: 8px; } +#header .details { border-bottom: 1px solid #ddddd8; line-height: 1.45; padding-top: 0.25em; padding-bottom: 0.25em; padding-left: 0.25em; color: rgba(0, 0, 0, 0.6); display: -ms-flexbox; display: -webkit-flex; display: flex; -ms-flex-flow: row wrap; -webkit-flex-flow: row wrap; flex-flow: row wrap; } +#header .details span:first-child { margin-left: -0.125em; } +#header .details span.email a { color: rgba(0, 0, 0, 0.85); } +#header .details br { display: none; } +#header .details br + span:before { content: "\00a0\2013\00a0"; } +#header .details br + span.author:before { content: "\00a0\22c5\00a0"; color: rgba(0, 0, 0, 0.85); } +#header .details br + span#revremark:before { content: "\00a0|\00a0"; } +#header #revnumber { text-transform: capitalize; } +#header #revnumber:after { content: "\00a0"; } + +#content > h1:first-child:not([class]) { color: rgba(0, 0, 0, 0.85); border-bottom: 1px solid #ddddd8; padding-bottom: 8px; margin-top: 0; padding-top: 1rem; margin-bottom: 1.25rem; } + +#toc { border-bottom: 1px solid #efefed; padding-bottom: 0.5em; } +#toc > ul { margin-left: 0.125em; } +#toc ul.sectlevel0 > li > a { font-style: italic; } +#toc ul.sectlevel0 ul.sectlevel1 { margin: 0.5em 0; } +#toc ul { font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; list-style-type: none; } +#toc li { line-height: 1.3334; margin-top: 0.3334em; } +#toc a { text-decoration: none; } +#toc a:active { text-decoration: underline; } + +#toctitle { color: #00234c; font-size: 1.2em; } + +@media only screen and (min-width: 768px) { #toctitle { font-size: 1.375em; } + body.toc2 { padding-left: 15em; padding-right: 0; } + #toc.toc2 { margin-top: 0 !important; background: #f8f8f7; position: fixed; width: 15em; left: 0; top: 0; border-right: 1px solid #efefed; border-top-width: 0 !important; border-bottom-width: 0 !important; z-index: 1000; padding: 1.25em 1em; height: 100%; overflow: auto; } + #toc.toc2 #toctitle { margin-top: 0; margin-bottom: 0.8rem; font-size: 1.2em; } + #toc.toc2 > ul { font-size: 0.9em; margin-bottom: 0; } + #toc.toc2 ul ul { margin-left: 0; padding-left: 1em; } + #toc.toc2 ul.sectlevel0 ul.sectlevel1 { padding-left: 0; margin-top: 0.5em; margin-bottom: 0.5em; } + body.toc2.toc-right { padding-left: 0; padding-right: 15em; } + body.toc2.toc-right #toc.toc2 { border-right-width: 0; border-left: 1px solid #efefed; left: auto; right: 0; } } +@media only screen and (min-width: 1280px) { body.toc2 { padding-left: 20em; padding-right: 0; } + #toc.toc2 { width: 20em; } + #toc.toc2 #toctitle { font-size: 1.375em; } + #toc.toc2 > ul { font-size: 0.95em; } + #toc.toc2 ul ul { padding-left: 1.25em; } + body.toc2.toc-right { padding-left: 0; padding-right: 20em; } } +#content #toc { border-style: solid; border-width: 1px; border-color: #e0e0dc; margin-bottom: 1.25em; padding: 1.25em; background: #f8f8f7; -webkit-border-radius: 4px; border-radius: 4px; } +#content #toc > :first-child { margin-top: 0; } +#content #toc > :last-child { margin-bottom: 0; } + +#footer { max-width: none; background: rgba(0, 0, 0, 0.8); padding: 1.25em; } + +#footer-text { color: rgba(255, 255, 255, 0.8); line-height: 1.44; } + +#content { margin-bottom: 0.625em; } + +.sect1 { padding-bottom: 0.625em; } + +@media only screen and (min-width: 768px) { #content { margin-bottom: 1.25em; } + .sect1 { padding-bottom: 1.25em; } } +.sect1:last-child { padding-bottom: 0; } + +.sect1 + .sect1 { border-top: 1px solid #efefed; } + +#content h1 > a.anchor, h2 > a.anchor, h3 > a.anchor, #toctitle > a.anchor, .sidebarblock > .content > .title > a.anchor, h4 > a.anchor, h5 > a.anchor, h6 > a.anchor { position: absolute; z-index: 1001; width: 1.5ex; margin-left: -1.5ex; display: block; text-decoration: none !important; visibility: hidden; text-align: center; font-weight: normal; } +#content h1 > a.anchor:before, h2 > a.anchor:before, h3 > a.anchor:before, #toctitle > a.anchor:before, .sidebarblock > .content > .title > a.anchor:before, h4 > a.anchor:before, h5 > a.anchor:before, h6 > a.anchor:before { content: "\00A7"; font-size: 0.85em; display: block; padding-top: 0.1em; } +#content h1:hover > a.anchor, #content h1 > a.anchor:hover, h2:hover > a.anchor, h2 > a.anchor:hover, h3:hover > a.anchor, #toctitle:hover > a.anchor, .sidebarblock > .content > .title:hover > a.anchor, h3 > a.anchor:hover, #toctitle > a.anchor:hover, .sidebarblock > .content > .title > a.anchor:hover, h4:hover > a.anchor, h4 > a.anchor:hover, h5:hover > a.anchor, h5 > a.anchor:hover, h6:hover > a.anchor, h6 > a.anchor:hover { visibility: visible; } +#content h1 > a.link, h2 > a.link, h3 > a.link, #toctitle > a.link, .sidebarblock > .content > .title > a.link, h4 > a.link, h5 > a.link, h6 > a.link { color: #004698; text-decoration: none; } +#content h1 > a.link:hover, h2 > a.link:hover, h3 > a.link:hover, #toctitle > a.link:hover, .sidebarblock > .content > .title > a.link:hover, h4 > a.link:hover, h5 > a.link:hover, h6 > a.link:hover { color: #003a7f; } + +details, .audioblock, .imageblock, .literalblock, .listingblock, .stemblock, .videoblock { margin-bottom: 1.25em; } + +details > summary:first-of-type { cursor: pointer; display: list-item; outline: none; margin-bottom: 0.75em; } + +.admonitionblock td.content > .title, .audioblock > .title, .exampleblock > .title, .imageblock > .title, .listingblock > .title, .literalblock > .title, .stemblock > .title, .openblock > .title, .paragraph > .title, .quoteblock > .title, table.tableblock > .title, .verseblock > .title, .videoblock > .title, .dlist > .title, .olist > .title, .ulist > .title, .qlist > .title, .hdlist > .title { text-rendering: optimizeLegibility; text-align: left; font-family: Georgia, "Times New Roman", Times, serif; font-size: 1rem; font-style: italic; } + +table.tableblock.fit-content > caption.title { white-space: nowrap; width: 0; } + +.paragraph.lead > p, #preamble > .sectionbody > [class="paragraph"]:first-of-type p { font-size: 1.21875em; line-height: 1.6; color: rgba(0, 0, 0, 0.85); } + +.admonitionblock > table { border-collapse: separate; border: 0; background: none; width: 100%; } +.admonitionblock > table td.icon { text-align: center; width: 80px; } +.admonitionblock > table td.icon img { max-width: none; } +.admonitionblock > table td.icon .title { font-weight: bold; font-family: "Lucida Sans Unicode", "Lucida Grande", Helvetica, sans-serif; text-transform: uppercase; } +.admonitionblock > table td.content { padding-left: 1.125em; padding-right: 1.25em; border-left: 1px solid #ddddd8; color: rgba(0, 0, 0, 0.6); word-wrap: anywhere; } +.admonitionblock > table td.content > :last-child > :last-child { margin-bottom: 0; } + +.exampleblock > .content { border-style: solid; border-width: 1px; border-color: #e6e6e6; margin-bottom: 1.25em; padding: 1.25em; background: white; -webkit-border-radius: 4px; border-radius: 4px; } +.exampleblock > .content > :first-child { margin-top: 0; } +.exampleblock > .content > :last-child { margin-bottom: 0; } + +.sidebarblock { border-style: solid; border-width: 1px; border-color: #dbdbd6; margin-bottom: 1.25em; padding: 1.25em; background: #f3f3f2; -webkit-border-radius: 4px; border-radius: 4px; } +.sidebarblock > :first-child { margin-top: 0; } +.sidebarblock > :last-child { margin-bottom: 0; } +.sidebarblock > .content > .title { color: #00234c; margin-top: 0; text-align: center; } + +.exampleblock > .content > :last-child > :last-child, .exampleblock > .content .olist > ol > li:last-child > :last-child, .exampleblock > .content .ulist > ul > li:last-child > :last-child, .exampleblock > .content .qlist > ol > li:last-child > :last-child, .sidebarblock > .content > :last-child > :last-child, .sidebarblock > .content .olist > ol > li:last-child > :last-child, .sidebarblock > .content .ulist > ul > li:last-child > :last-child, .sidebarblock > .content .qlist > ol > li:last-child > :last-child { margin-bottom: 0; } + +.literalblock pre, .listingblock > .content > pre { -webkit-border-radius: 4px; border-radius: 4px; overflow-x: auto; padding: 1em; font-size: 0.8125em; } +@media only screen and (min-width: 768px) { .literalblock pre, .listingblock > .content > pre { font-size: 0.90625em; } } +@media only screen and (min-width: 1280px) { .literalblock pre, .listingblock > .content > pre { font-size: 1em; } } + +.literalblock pre, .listingblock > .content > pre:not(.highlight), .listingblock > .content > pre[class="highlight"], .listingblock > .content > pre[class^="highlight "] { background: #f7f7f8; } + +.literalblock.output pre { color: #f7f7f8; background-color: rgba(0, 0, 0, 0.9); } + +.listingblock > .content { position: relative; } + +.listingblock code[data-lang]:before { display: none; content: attr(data-lang); position: absolute; font-size: 0.75em; top: 0.425rem; right: 0.5rem; line-height: 1; text-transform: uppercase; color: inherit; opacity: 0.5; } + +.listingblock:hover code[data-lang]:before { display: block; } + +.listingblock.terminal pre .command:before { content: attr(data-prompt); padding-right: 0.5em; color: inherit; opacity: 0.5; } + +.listingblock.terminal pre .command:not([data-prompt]):before { content: "$"; } + +.listingblock pre.highlightjs { padding: 0; } +.listingblock pre.highlightjs > code { padding: 1em; -webkit-border-radius: 4px; border-radius: 4px; } + +.listingblock pre.prettyprint { border-width: 0; } + +.prettyprint { background: #f7f7f8; } + +pre.prettyprint .linenums { line-height: 1.45; margin-left: 2em; } + +pre.prettyprint li { background: none; list-style-type: inherit; padding-left: 0; } + +pre.prettyprint li code[data-lang]:before { opacity: 1; } + +pre.prettyprint li:not(:first-child) code[data-lang]:before { display: none; } + +table.linenotable { border-collapse: separate; border: 0; margin-bottom: 0; background: none; } +table.linenotable td[class] { color: inherit; vertical-align: top; padding: 0; line-height: inherit; white-space: normal; } +table.linenotable td.code { padding-left: 0.75em; } +table.linenotable td.linenos { border-right: 1px solid currentColor; opacity: 0.35; padding-right: 0.5em; } + +pre.pygments .lineno { border-right: 1px solid currentColor; opacity: 0.35; display: inline-block; margin-right: 0.75em; } +pre.pygments .lineno:before { content: ""; margin-right: -0.125em; } + +.quoteblock { margin: 0 1em 1.25em 1.5em; display: table; } +.quoteblock:not(.excerpt) > .title { margin-left: -1.5em; margin-bottom: 0.75em; } +.quoteblock blockquote, .quoteblock p { color: rgba(0, 0, 0, 0.85); font-size: 1.15rem; line-height: 1.75; word-spacing: 0.1em; letter-spacing: 0; font-style: italic; text-align: justify; } +.quoteblock blockquote { margin: 0; padding: 0; border: 0; } +.quoteblock blockquote:before { content: "\201c"; float: left; font-size: 2.75em; font-weight: bold; line-height: 0.6em; margin-left: -0.6em; color: #00234c; text-shadow: 0 1px 2px rgba(0, 0, 0, 0.1); } +.quoteblock blockquote > .paragraph:last-child p { margin-bottom: 0; } +.quoteblock .attribution { margin-top: 0.75em; margin-right: 0.5ex; text-align: right; } + +.verseblock { margin: 0 1em 1.25em 1em; } +.verseblock pre { font-family: "Open Sans", "DejaVu Sans", sans-serif; font-size: 1.15rem; color: rgba(0, 0, 0, 0.85); font-weight: 300; text-rendering: optimizeLegibility; } +.verseblock pre strong { font-weight: 400; } +.verseblock .attribution { margin-top: 1.25rem; margin-left: 0.5ex; } + +.quoteblock .attribution, .verseblock .attribution { font-size: 0.9375em; line-height: 1.45; font-style: italic; } +.quoteblock .attribution br, .verseblock .attribution br { display: none; } +.quoteblock .attribution cite, .verseblock .attribution cite { display: block; letter-spacing: -0.025em; color: rgba(0, 0, 0, 0.6); } + +.quoteblock.abstract blockquote:before, .quoteblock.excerpt blockquote:before, .quoteblock .quoteblock blockquote:before { display: none; } +.quoteblock.abstract blockquote, .quoteblock.abstract p, .quoteblock.excerpt blockquote, .quoteblock.excerpt p, .quoteblock .quoteblock blockquote, .quoteblock .quoteblock p { line-height: 1.6; word-spacing: 0; } +.quoteblock.abstract { margin: 0 1em 1.25em 1em; display: block; } +.quoteblock.abstract > .title { margin: 0 0 0.375em 0; font-size: 1.15em; text-align: center; } +.quoteblock.excerpt > blockquote, .quoteblock .quoteblock { padding: 0 0 0.25em 1em; border-left: 0.25em solid #ddddd8; } +.quoteblock.excerpt, .quoteblock .quoteblock { margin-left: 0; } +.quoteblock.excerpt blockquote, .quoteblock.excerpt p, .quoteblock .quoteblock blockquote, .quoteblock .quoteblock p { color: inherit; font-size: 1.0625rem; } +.quoteblock.excerpt .attribution, .quoteblock .quoteblock .attribution { color: inherit; font-size: 0.85rem; text-align: left; margin-right: 0; } + +p.tableblock:last-child { margin-bottom: 0; } + +td.tableblock > .content { margin-bottom: 1.25em; word-wrap: anywhere; } +td.tableblock > .content > :last-child { margin-bottom: -1.25em; } + +table.tableblock, th.tableblock, td.tableblock { border: 0 solid #dedede; } + +table.grid-all > * > tr > * { border-width: 1px; } + +table.grid-cols > * > tr > * { border-width: 0 1px; } + +table.grid-rows > * > tr > * { border-width: 1px 0; } + +table.frame-all { border-width: 1px; } + +table.frame-ends { border-width: 1px 0; } + +table.frame-sides { border-width: 0 1px; } + +table.frame-none > colgroup + * > :first-child > *, table.frame-sides > colgroup + * > :first-child > * { border-top-width: 0; } + +table.frame-none > :last-child > :last-child > *, table.frame-sides > :last-child > :last-child > * { border-bottom-width: 0; } + +table.frame-none > * > tr > :first-child, table.frame-ends > * > tr > :first-child { border-left-width: 0; } + +table.frame-none > * > tr > :last-child, table.frame-ends > * > tr > :last-child { border-right-width: 0; } + +table.stripe-all tr, table.stripe-odd tr:nth-of-type(odd) { background: #f8f8f7; } + +table.stripe-none tr, table.stripe-odd tr:nth-of-type(even) { background: none; } + +th.halign-left, td.halign-left { text-align: left; } + +th.halign-right, td.halign-right { text-align: right; } + +th.halign-center, td.halign-center { text-align: center; } + +th.valign-top, td.valign-top { vertical-align: top; } + +th.valign-bottom, td.valign-bottom { vertical-align: bottom; } + +th.valign-middle, td.valign-middle { vertical-align: middle; } + +table thead th, table tfoot th { font-weight: bold; } + +tbody tr th { display: table-cell; line-height: 1.6; background: #f7f8f7; } + +tbody tr th, tbody tr th p, tfoot tr th, tfoot tr th p { color: rgba(0, 0, 0, 0.8); font-weight: bold; } + +p.tableblock > code:only-child { background: none; padding: 0; } + +p.tableblock { font-size: 1em; } + +ol { margin-left: 1.75em; } + +ul li ol { margin-left: 1.5em; } + +dl dd { margin-left: 1.125em; } + +dl dd:last-child, dl dd:last-child > :last-child { margin-bottom: 0; } + +ol > li p, ul > li p, ul dd, ol dd, .olist .olist, .ulist .ulist, .ulist .olist, .olist .ulist { margin-bottom: 0.625em; } + +ul.checklist, ul.none, ol.none, ul.no-bullet, ol.no-bullet, ol.unnumbered, ul.unstyled, ol.unstyled { list-style-type: none; } + +ul.no-bullet, ol.no-bullet, ol.unnumbered { margin-left: 0.625em; } + +ul.unstyled, ol.unstyled { margin-left: 0; } + +ul.checklist > li > p:first-child { margin-left: -1em; } +ul.checklist > li > p:first-child > .fa-square-o:first-child, ul.checklist > li > p:first-child > .fa-check-square-o:first-child { width: 1.25em; font-size: 0.8em; position: relative; bottom: 0.125em; } +ul.checklist > li > p:first-child > input[type="checkbox"]:first-child { margin-right: 0.25em; } + +ul.inline { display: -ms-flexbox; display: -webkit-box; display: flex; -ms-flex-flow: row wrap; -webkit-flex-flow: row wrap; flex-flow: row wrap; list-style: none; margin: 0 0 0.625em -1.25em; } + +ul.inline > li { margin-left: 1.25em; } + +.unstyled dl dt { font-weight: normal; font-style: normal; } + +ol.arabic { list-style-type: decimal; } + +ol.decimal { list-style-type: decimal-leading-zero; } + +ol.loweralpha { list-style-type: lower-alpha; } + +ol.upperalpha { list-style-type: upper-alpha; } + +ol.lowerroman { list-style-type: lower-roman; } + +ol.upperroman { list-style-type: upper-roman; } + +ol.lowergreek { list-style-type: lower-greek; } + +.hdlist > table, .colist > table { border: 0; background: none; } +.hdlist > table > tbody > tr, .colist > table > tbody > tr { background: none; } + +td.hdlist1, td.hdlist2 { vertical-align: top; padding: 0 0.625em; } + +td.hdlist1 { font-weight: bold; padding-bottom: 1.25em; } + +td.hdlist2 { word-wrap: anywhere; } + +.literalblock + .colist, .listingblock + .colist { margin-top: -0.5em; } + +.colist td:not([class]):first-child { padding: 0.4em 0.75em 0 0.75em; line-height: 1; vertical-align: top; } +.colist td:not([class]):first-child img { max-width: none; } +.colist td:not([class]):last-child { padding: 0.25em 0; } + +.thumb, .th { line-height: 0; display: inline-block; border: solid 4px white; -webkit-box-shadow: 0 0 0 1px #dddddd; box-shadow: 0 0 0 1px #dddddd; } + +.imageblock.left { margin: 0.25em 0.625em 1.25em 0; } +.imageblock.right { margin: 0.25em 0 1.25em 0.625em; } +.imageblock > .title { margin-bottom: 0; } +.imageblock.thumb, .imageblock.th { border-width: 6px; } +.imageblock.thumb > .title, .imageblock.th > .title { padding: 0 0.125em; } + +.image.left, .image.right { margin-top: 0.25em; margin-bottom: 0.25em; display: inline-block; line-height: 0; } +.image.left { margin-right: 0.625em; } +.image.right { margin-left: 0.625em; } + +a.image { text-decoration: none; display: inline-block; } +a.image object { pointer-events: none; } + +sup.footnote, sup.footnoteref { font-size: 0.875em; position: static; vertical-align: super; } +sup.footnote a, sup.footnoteref a { text-decoration: none; } +sup.footnote a:active, sup.footnoteref a:active { text-decoration: underline; } + +#footnotes { padding-top: 0.75em; padding-bottom: 0.75em; margin-bottom: 0.625em; } +#footnotes hr { width: 20%; min-width: 6.25em; margin: -0.25em 0 0.75em 0; border-width: 1px 0 0 0; } +#footnotes .footnote { padding: 0 0.375em 0 0.225em; line-height: 1.3334; font-size: 0.875em; margin-left: 1.2em; margin-bottom: 0.2em; } +#footnotes .footnote a:first-of-type { font-weight: bold; text-decoration: none; margin-left: -1.05em; } +#footnotes .footnote:last-of-type { margin-bottom: 0; } +#content #footnotes { margin-top: -0.625em; margin-bottom: 0; padding: 0.75em 0; } + +.gist .file-data > table { border: 0; background: #fff; width: 100%; margin-bottom: 0; } +.gist .file-data > table td.line-data { width: 99%; } + +div.unbreakable { page-break-inside: avoid; } + +.big { font-size: larger; } + +.small { font-size: smaller; } + +.underline { text-decoration: underline; } + +.overline { text-decoration: overline; } + +.line-through { text-decoration: line-through; } + +.aqua { color: #00bfbf; } + +.aqua-background { background-color: #00fafa; } + +.black { color: black; } + +.black-background { background-color: black; } + +.blue { color: #0000bf; } + +.blue-background { background-color: #0000fa; } + +.fuchsia { color: #bf00bf; } + +.fuchsia-background { background-color: #fa00fa; } + +.gray { color: #606060; } + +.gray-background { background-color: #7d7d7d; } + +.green { color: #006000; } + +.green-background { background-color: #007d00; } + +.lime { color: #00bf00; } + +.lime-background { background-color: #00fa00; } + +.maroon { color: #600000; } + +.maroon-background { background-color: #7d0000; } + +.navy { color: #000060; } + +.navy-background { background-color: #00007d; } + +.olive { color: #606000; } + +.olive-background { background-color: #7d7d00; } + +.purple { color: #600060; } + +.purple-background { background-color: #7d007d; } + +.red { color: #bf0000; } + +.red-background { background-color: #fa0000; } + +.silver { color: #909090; } + +.silver-background { background-color: #bcbcbc; } + +.teal { color: #006060; } + +.teal-background { background-color: #007d7d; } + +.white { color: #bfbfbf; } + +.white-background { background-color: #fafafa; } + +.yellow { color: #bfbf00; } + +.yellow-background { background-color: #fafa00; } + +body { max-width: 250mm; margin-left: auto; margin-right: auto; } + +@media only screen and (min-width: 768px) { h1 { font-size: 2em; } + h2 { font-size: 1.8em; } + h3, #toctitle, .sidebarblock > .content > .title, #toctitle, .sidebarblock > .content > .title { font-size: 1.6em; } + h4 { font-size: 1.2em; } + h5 { font-size: 1.1em; } } +dt, th.tableblock, td.content, div.footnote { text-rendering: optimizeLegibility; } + +h1, h2, p, td.content, span.alt { letter-spacing: -0.01em; } + +p strong, td.content strong, div.footnote strong { letter-spacing: -0.005em; } + +p, blockquote, dt, td.content, span.alt { font-size: 1.0625rem; } + +p, pre { margin-bottom: 1.25rem; } + +.note td img, .tip td img, .important td img, .caution td img, .warning td img { max-width: none; min-width: 2em; } + +.sidebarblock p, .sidebarblock dt, .sidebarblock td.content, p.tableblock { font-size: 1em; } + +.exampleblock > .content { background-color: #fffef7; border-color: #e0e0dc; -webkit-box-shadow: 0 1px 4px #e0e0dc; box-shadow: 0 1px 4px #e0e0dc; } + +.guimenu, .guisubmenu, .guimenuitem { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; } + +.guibutton { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; border-radius: 4px; } + +.keycap { padding: .1em .3em .1em .3em; border: 0.5px rgba(0, 0, 0, 0.5) solid; box-shadow: 1px 1px rgba(0, 0, 0, 0.2); border-radius: 4px; display: inline-block; min-width: 1.5em; text-align: center; } + +.print-only { display: none !important; } + +@page { margin: 1.25cm 0.75cm; } + +@media print { * { -webkit-box-shadow: none !important; box-shadow: none !important; text-shadow: none !important; } + body { max-width: default; } + html { font-size: 80%; } + a { color: inherit !important; text-decoration: underline !important; } + a.bare, a[href^="#"], a[href^="mailto:"] { text-decoration: none !important; } + a[href^="http:"]:not(.bare):after, a[href^="https:"]:not(.bare):after { content: "(" attr(href) ")"; display: inline-block; font-size: 0.875em; padding-left: 0.25em; } + abbr[title]:after { content: " (" attr(title) ")"; } + pre, blockquote, tr, img, object, svg { page-break-inside: avoid; } + thead { display: table-header-group; } + svg { max-width: 100%; } + p, blockquote, dt, td.content { font-size: 1em; orphans: 3; widows: 3; } + h2, h3, #toctitle, .sidebarblock > .content > .title, #toctitle, .sidebarblock > .content > .title { page-break-after: avoid; } + #header, #content, #footnotes, #footer { max-width: none; } + #toc, .sidebarblock, .exampleblock > .content { background: none !important; } + #toc { border-bottom: 1px solid #ddddd8 !important; padding-bottom: 0 !important; } + body.book #header { text-align: center; } + body.book #header > h1:first-child { border: 0 !important; margin: 2.5em 0 1em 0; } + body.book #header .details { border: 0 !important; display: block; padding: 0 !important; } + body.book #header .details span:first-child { margin-left: 0 !important; } + body.book #header .details br { display: block; } + body.book #header .details br + span:before { content: none !important; } + body.book #toc { border: 0 !important; text-align: left !important; padding: 0 !important; margin: 0 !important; } + body.book #toc, body.book #preamble, body.book h1.sect0, body.book .sect1 > h2 { page-break-before: always; } + .listingblock code[data-lang]:before { display: block; } + #footer { padding: 0 0.9375em; } + .hide-on-print { display: none !important; } + .print-only { display: block !important; } + .hide-for-print { display: none !important; } + .show-for-print { display: inherit !important; } } +@media print, amzn-kf8 { #header > h1:first-child { margin-top: 1.25rem; } + .sect1 { padding: 0 !important; } + .sect1 + .sect1 { border: 0; } + #footer { background: none; } + #footer-text { color: rgba(0, 0, 0, 0.6); font-size: 0.9em; } } +@media amzn-kf8 { #header, #content, #footnotes, #footer { padding: 0; } } diff --git a/docbook/wsdg_src/developer-guide-docinfo.xml b/docbook/wsdg_src/developer-guide-docinfo.xml new file mode 100644 index 0000000..90f36d1 --- /dev/null +++ b/docbook/wsdg_src/developer-guide-docinfo.xml @@ -0,0 +1,85 @@ +<!-- Document information for the Developer's Guide. --> + +<!-- Updated by tools/make-version.py --> +<subtitle>For Wireshark 4.2</subtitle> + + <!-- <title><inlinegraphic entityref="WiresharkLogo" valign="middle" format="PNG"/> &DocumentTitle;</title> --> + +<authorgroup> + + <author><firstname>Ulf</firstname><surname>Lamping</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>ulf.lamping[AT]web.de</email> + </author> + + <author><firstname>Luis</firstname><othername>E.</othername><othername>Garcia</othername><surname>Ontanon</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>luis[AT]ontanon.org</email> + </author> + + <author><firstname>Graham</firstname><surname>Bloice</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>graham.bloice[AT]trihedral.com</email> + </author> + +</authorgroup> + +<!--<edition>&DocumentEdition;</edition> +<pubdate>2008</pubdate>--> +<copyright><year>2004-2014</year> + <holder>Ulf Lamping</holder> + <holder>Luis E. Garcia Ontanon</holder> + <holder>Graham Bloice</holder> +</copyright> + +<revhistory> + +<revision> + <revnumber>1.1</revnumber> + <date>28 Dec 2014</date> + <authorinitials>gb</authorinitials> + <revremark>Updated for 1.99.x and 2.0, move to VS2013.</revremark> +</revision> + +<revision> + <revnumber>1.0</revnumber> + <date>2 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Moved Lua reference from User's Guide to Developer's Guide.</revremark> +</revision> + +<revision> + <revnumber>0.9</revnumber> + <date>9 Feb 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Converted from DocBook to AsciiDoc.</revremark> +</revision> + +<revision> + <revnumber>0.5</revnumber> + <date>21 Jan 2007</date> + <authorinitials>ul</authorinitials> + <revremark>Major redesign.</revremark> +</revision> + +<revision> + <revnumber>0.1</revnumber> + <date>17 Aug 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Initial version.</revremark> +</revision> + +</revhistory> + +<legalnotice> + <simpara> + Permission is granted to copy, distribute + and/or modify this document under the terms of the GNU General Public + License, Version 2 or any later version published by the Free Software + Foundation. + </simpara> + <simpara> + All logos and trademarks in this document are property of their + respective owners. + </simpara> +</legalnotice> diff --git a/docbook/wsdg_src/developer-guide.adoc b/docbook/wsdg_src/developer-guide.adoc new file mode 100644 index 0000000..cc1c0bd --- /dev/null +++ b/docbook/wsdg_src/developer-guide.adoc @@ -0,0 +1,72 @@ +:doctype: book +include::../attributes.adoc[] + +// Electronic book attributes +:author: Ulf Lamping, Graham Bloice +:description: Wireshark Developer’s Guide +:keywords: Wireshark Developer Guide +ifdef::ebook-format-epub3[] +:front-cover-image: images/ws-dev-guide-cover.png +:toc: +endif::[] + += Wireshark Developer’s Guide: Version {wireshark-version} + +// Attributes +// XXX This should be surrounded by single quotes in the text. It’s +// currently surrounded by plus signs for AsciiDoc compatibility. +:dlt-glob: DLT_* +:qt6-lts-version: 6.2.4 +:source-highlighter: coderay + +include::wsdg_preface.adoc[] + +include::../common_src/typographic_conventions.adoc[] + +[#PartEnvironment] += Wireshark Build Environment + +[partintro] +.Wireshark Build Environment +-- +The first part describes how to set up the tools, libraries and sources needed to +generate Wireshark and how to do some typical development tasks. +-- + +include::wsdg_env_intro.adoc[] + +include::wsdg_quick_setup.adoc[] + +include::wsdg_sources.adoc[] + +include::wsdg_tools.adoc[] + +include::wsdg_libraries.adoc[] + +[#PartDevelopment] += Wireshark Development + +[partintro] +.Wireshark Development +-- +The second part describes how the Wireshark sources are structured and how to +change the sources such as adding a new dissector. +-- + +include::wsdg_build_intro.adoc[] + +include::wsdg_works.adoc[] + +include::wsdg_capture.adoc[] + +include::wsdg_dissection.adoc[] + +include::wsdg_lua_support.adoc[] + +include::wsdg_userinterface.adoc[] + +include::wsdg_tests.adoc[] + +include::wsdg_asn2wrs.adoc[] + +include::../common_src/gpl_appendix.adoc[] diff --git a/docbook/wsdg_src/images/caution.svg b/docbook/wsdg_src/images/caution.svg new file mode 100644 index 0000000..793c602 --- /dev/null +++ b/docbook/wsdg_src/images/caution.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightning-charge" viewBox="0 0 16 16"> + <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09zM4.157 8.5H7a.5.5 0 0 1 .478.647L6.11 13.59l5.732-6.09H9a.5.5 0 0 1-.478-.647L9.89 2.41 4.157 8.5z"/> +</svg> diff --git a/docbook/wsdg_src/images/git-triangular-workflow.gv b/docbook/wsdg_src/images/git-triangular-workflow.gv new file mode 100644 index 0000000..809877a --- /dev/null +++ b/docbook/wsdg_src/images/git-triangular-workflow.gv @@ -0,0 +1,59 @@ +// dot -Tsvg -o docbook/wsdg_graphics/git-triangular-workflow.svg docbook/wsdg_graphics/git-triangular-workflow.gv + +digraph G { + // XXX Integrate ws.css. Match it manually for now. + graph [ + fontname = "Georgia", + fontsize = 12 + ]; + + node [ + fontname = "Georgia", + fontsize = 12, + shape=box, + style=rounded + ]; + + edge [ + fontname = "Georgia", + fontsize = 12 + ]; + + rankdir = TB; + ranksep = 1.0; + nodesep = 1.0; + // margin = "0.5,0.5"; + + main_repo [ + label=<Main Repository<br/><font point-size="9">gitlab.com/wireshark/wireshark</font>> + ] + + your_fork [ + label=<Your Fork<br/><font point-size="9">gitlab.com/you/wireshark</font>> + ] + + your_repo [ + label=<Your Local Repository<br/><font point-size="9">Somewhere on your machine</font>> + ] + + { rank = same; main_repo; your_fork; } + + // :nw adds needed space + main_repo -> your_fork:nw [ + label = "Fork (once)", + style = dashed + ] + + main_repo -> your_repo [ + label = "Pull" + ] + + your_repo -> your_fork [ + label = "Push" + ] + + your_fork -> main_repo [ + label = "Merge Request" + ] + +} diff --git a/docbook/wsdg_src/images/git-triangular-workflow.svg b/docbook/wsdg_src/images/git-triangular-workflow.svg new file mode 100644 index 0000000..1f8ae3a --- /dev/null +++ b/docbook/wsdg_src/images/git-triangular-workflow.svg @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<!-- Generated by graphviz version 2.44.1 (20200629.0846) + --> +<!-- Title: G Pages: 1 --> +<svg width="429pt" height="205pt" + viewBox="0.00 0.00 428.50 205.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> +<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 201)"> +<title>G</title> +<polygon fill="white" stroke="transparent" points="-4,4 -4,-201 424.5,-201 424.5,4 -4,4"/> +<!-- main_repo --> +<g id="node1" class="node"> +<title>main_repo</title> +<path fill="none" stroke="black" d="M134,-157C134,-157 12,-157 12,-157 6,-157 0,-151 0,-145 0,-145 0,-133 0,-133 0,-127 6,-121 12,-121 12,-121 134,-121 134,-121 140,-121 146,-127 146,-133 146,-133 146,-145 146,-145 146,-151 140,-157 134,-157"/> +<text text-anchor="start" x="27.5" y="-140.9" font-family="Georgia" font-size="12.00">Main Repository</text> +<text text-anchor="start" x="8" y="-131.3" font-family="Georgia" font-size="9.00">gitlab.com/wireshark/wireshark</text> +</g> +<!-- your_fork --> +<g id="node2" class="node"> +<title>your_fork</title> +<path fill="none" stroke="black" d="M408.5,-157C408.5,-157 311.5,-157 311.5,-157 305.5,-157 299.5,-151 299.5,-145 299.5,-145 299.5,-133 299.5,-133 299.5,-127 305.5,-121 311.5,-121 311.5,-121 408.5,-121 408.5,-121 414.5,-121 420.5,-127 420.5,-133 420.5,-133 420.5,-145 420.5,-145 420.5,-151 414.5,-157 408.5,-157"/> +<text text-anchor="start" x="332" y="-140.9" font-family="Georgia" font-size="12.00">Your Fork</text> +<text text-anchor="start" x="307.5" y="-131.3" font-family="Georgia" font-size="9.00">gitlab.com/you/wireshark</text> +</g> +<!-- main_repo->your_fork --> +<g id="edge1" class="edge"> +<title>main_repo->your_fork:nw</title> +<path fill="none" stroke="black" stroke-dasharray="5,2" d="M111.13,-157.13C158.91,-177.68 241.75,-203.49 292.02,-163.66"/> +<polygon fill="black" stroke="black" points="294.36,-166.27 299.5,-157 289.71,-161.04 294.36,-166.27"/> +<text text-anchor="middle" x="222" y="-187.4" font-family="Georgia" font-size="12.00">Fork (once)</text> +</g> +<!-- your_repo --> +<g id="node3" class="node"> +<title>your_repo</title> +<path fill="none" stroke="black" d="M272.5,-36C272.5,-36 159.5,-36 159.5,-36 153.5,-36 147.5,-30 147.5,-24 147.5,-24 147.5,-12 147.5,-12 147.5,-6 153.5,0 159.5,0 159.5,0 272.5,0 272.5,0 278.5,0 284.5,-6 284.5,-12 284.5,-12 284.5,-24 284.5,-24 284.5,-30 278.5,-36 272.5,-36"/> +<text text-anchor="start" x="155.5" y="-19.9" font-family="Georgia" font-size="12.00">Your Local Repository</text> +<text text-anchor="start" x="157.5" y="-10.3" font-family="Georgia" font-size="9.00">Somewhere on your machine</text> +</g> +<!-- main_repo->your_repo --> +<g id="edge2" class="edge"> +<title>main_repo->your_repo</title> +<path fill="none" stroke="black" d="M93.49,-120.95C118.23,-100.36 159.98,-65.62 187.76,-42.5"/> +<polygon fill="black" stroke="black" points="190.1,-45.11 195.55,-36.02 185.62,-39.72 190.1,-45.11"/> +<text text-anchor="middle" x="160" y="-75.4" font-family="Georgia" font-size="12.00">Pull</text> +</g> +<!-- your_fork->main_repo --> +<g id="edge4" class="edge"> +<title>your_fork->main_repo</title> +<path fill="none" stroke="black" d="M299.29,-139C257.86,-139 202.13,-139 156.46,-139"/> +<polygon fill="black" stroke="black" points="156.29,-135.5 146.29,-139 156.29,-142.5 156.29,-135.5"/> +<text text-anchor="middle" x="222" y="-142.4" font-family="Georgia" font-size="12.00">Merge Request</text> +</g> +<!-- your_repo->your_fork --> +<g id="edge3" class="edge"> +<title>your_repo->your_fork</title> +<path fill="none" stroke="black" d="M236.59,-36.02C261.49,-56.59 303.53,-91.33 331.52,-114.46"/> +<polygon fill="black" stroke="black" points="329.43,-117.28 339.37,-120.95 333.89,-111.88 329.43,-117.28"/> +<text text-anchor="middle" x="305.5" y="-75.4" font-family="Georgia" font-size="12.00">Push</text> +</g> +</g> +</svg> diff --git a/docbook/wsdg_src/images/important.svg b/docbook/wsdg_src/images/important.svg new file mode 100644 index 0000000..a2ee701 --- /dev/null +++ b/docbook/wsdg_src/images/important.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-circle" viewBox="0 0 16 16"> + <path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/> + <path d="M7.002 11a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 4.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 4.995z"/> +</svg> diff --git a/docbook/wsdg_src/images/note.svg b/docbook/wsdg_src/images/note.svg new file mode 100644 index 0000000..803dc13 --- /dev/null +++ b/docbook/wsdg_src/images/note.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-sticky" viewBox="0 0 16 16"> + <path d="M2.5 1A1.5 1.5 0 0 0 1 2.5v11A1.5 1.5 0 0 0 2.5 15h6.086a1.5 1.5 0 0 0 1.06-.44l4.915-4.914A1.5 1.5 0 0 0 15 8.586V2.5A1.5 1.5 0 0 0 13.5 1h-11zM2 2.5a.5.5 0 0 1 .5-.5h11a.5.5 0 0 1 .5.5V8H9.5A1.5 1.5 0 0 0 8 9.5V14H2.5a.5.5 0 0 1-.5-.5v-11zm7 11.293V9.5a.5.5 0 0 1 .5-.5h4.293L9 13.793z"/> +</svg> diff --git a/docbook/wsdg_src/images/tip.svg b/docbook/wsdg_src/images/tip.svg new file mode 100644 index 0000000..1a60b74 --- /dev/null +++ b/docbook/wsdg_src/images/tip.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightbulb" viewBox="0 0 16 16"> + <path d="M2 6a6 6 0 1 1 10.174 4.31c-.203.196-.359.4-.453.619l-.762 1.769A.5.5 0 0 1 10.5 13a.5.5 0 0 1 0 1 .5.5 0 0 1 0 1l-.224.447a1 1 0 0 1-.894.553H6.618a1 1 0 0 1-.894-.553L5.5 15a.5.5 0 0 1 0-1 .5.5 0 0 1 0-1 .5.5 0 0 1-.46-.302l-.761-1.77a1.964 1.964 0 0 0-.453-.618A5.984 5.984 0 0 1 2 6zm6-5a5 5 0 0 0-3.479 8.592c.263.254.514.564.676.941L5.83 12h4.342l.632-1.467c.162-.377.413-.687.676-.941A5 5 0 0 0 8 1z"/> +</svg> diff --git a/docbook/wsdg_src/images/warning.svg b/docbook/wsdg_src/images/warning.svg new file mode 100644 index 0000000..80c0ba5 --- /dev/null +++ b/docbook/wsdg_src/images/warning.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-triangle" viewBox="0 0 16 16"> + <path d="M7.938 2.016A.13.13 0 0 1 8.002 2a.13.13 0 0 1 .063.016.146.146 0 0 1 .054.057l6.857 11.667c.036.06.035.124.002.183a.163.163 0 0 1-.054.06.116.116 0 0 1-.066.017H1.146a.115.115 0 0 1-.066-.017.163.163 0 0 1-.054-.06.176.176 0 0 1 .002-.183L7.884 2.073a.147.147 0 0 1 .054-.057zm1.044-.45a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566z"/> + <path d="M7.002 12a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 5.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995z"/> +</svg> diff --git a/docbook/wsdg_src/images/ws-capture-sync.dia b/docbook/wsdg_src/images/ws-capture-sync.dia Binary files differnew file mode 100644 index 0000000..00ba9cf --- /dev/null +++ b/docbook/wsdg_src/images/ws-capture-sync.dia diff --git a/docbook/wsdg_src/images/ws-capture-sync.png b/docbook/wsdg_src/images/ws-capture-sync.png Binary files differnew file mode 100644 index 0000000..d46e1e9 --- /dev/null +++ b/docbook/wsdg_src/images/ws-capture-sync.png diff --git a/docbook/wsdg_src/images/ws-capture_internals.dia b/docbook/wsdg_src/images/ws-capture_internals.dia Binary files differnew file mode 100644 index 0000000..0eae20e --- /dev/null +++ b/docbook/wsdg_src/images/ws-capture_internals.dia diff --git a/docbook/wsdg_src/images/ws-capture_internals.png b/docbook/wsdg_src/images/ws-capture_internals.png Binary files differnew file mode 100644 index 0000000..6d110af --- /dev/null +++ b/docbook/wsdg_src/images/ws-capture_internals.png diff --git a/docbook/wsdg_src/images/ws-dev-guide-cover.png b/docbook/wsdg_src/images/ws-dev-guide-cover.png Binary files differnew file mode 100644 index 0000000..8134d2d --- /dev/null +++ b/docbook/wsdg_src/images/ws-dev-guide-cover.png diff --git a/docbook/wsdg_src/images/ws-function-blocks.dia b/docbook/wsdg_src/images/ws-function-blocks.dia Binary files differnew file mode 100644 index 0000000..cc85781 --- /dev/null +++ b/docbook/wsdg_src/images/ws-function-blocks.dia diff --git a/docbook/wsdg_src/images/ws-function-blocks.png b/docbook/wsdg_src/images/ws-function-blocks.png Binary files differnew file mode 100644 index 0000000..169e19e --- /dev/null +++ b/docbook/wsdg_src/images/ws-function-blocks.png diff --git a/docbook/wsdg_src/images/ws-logo.png b/docbook/wsdg_src/images/ws-logo.png Binary files differnew file mode 100644 index 0000000..04226f3 --- /dev/null +++ b/docbook/wsdg_src/images/ws-logo.png diff --git a/docbook/wsdg_src/images/wslua-new-dialog.png b/docbook/wsdg_src/images/wslua-new-dialog.png Binary files differnew file mode 100644 index 0000000..9de7e4a --- /dev/null +++ b/docbook/wsdg_src/images/wslua-new-dialog.png diff --git a/docbook/wsdg_src/images/wslua-progdlg.png b/docbook/wsdg_src/images/wslua-progdlg.png Binary files differnew file mode 100644 index 0000000..d8d9510 --- /dev/null +++ b/docbook/wsdg_src/images/wslua-progdlg.png diff --git a/docbook/wsdg_src/images/wslua-textwindow.png b/docbook/wsdg_src/images/wslua-textwindow.png Binary files differnew file mode 100644 index 0000000..7defd0f --- /dev/null +++ b/docbook/wsdg_src/images/wslua-textwindow.png diff --git a/docbook/wsdg_src/wsdg_asn2wrs.adoc b/docbook/wsdg_src/wsdg_asn2wrs.adoc new file mode 100644 index 0000000..e7e021e --- /dev/null +++ b/docbook/wsdg_src/wsdg_asn2wrs.adoc @@ -0,0 +1,1256 @@ +[#CreatingAsn1Dissectors] + +== Creating ASN.1 Dissectors + +The `asn2wrs` compiler can be used to create a dissector from an ASN.1 specification of a protocol. +It is a work in progress but has been used to create a number of dissectors. + +It supports: + +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.680/en[X.680] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Specification of basic notation +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.681/en[X.681] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Information object specification +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.682/en[X.682] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Constraint specification +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.683/en[X.683] +(07/2002), Information technology - Abstract Syntax Notation One +(ASN.1): Parameterization of ASN.1 specifications + +// Limitations: Add text here + +It has inbuilt support for: + +* ITU-T Recommendation https://www.itu.int/rec/T-REC-X.880/en[X.880] +(07/1994), Information technology - Remote Operations: Concepts, model +and notation + +[#AboutASN1] + +=== About ASN.1 + +The most useful first step in writing an ASN.1-based dissector is to +learn about ASN.1. There are a number of free resources available to +help with this. One collection of such resources is maintained on +https://www.itu.int/en/ITU-T/asn1/Pages/asn1_project.aspx[the ASN.1 Consortium's web site]. + +[#Asn1DissectorRequirements] +=== ASN.1 Dissector Requirements + +The compiler needs 4 input files: an ASN.1 description of a protocol, a .cnf file, and two template files. +The ASN.1 specification may have to be edited to work, however work is in progress to at least read all ASN1 specifications. +Changing the ASN1 file is being deprecated as this creates problems when updating protocols. +The H.248 Binary encoding dissector is a good example of a dissector with relatively small changes. + +A complete <<SimpleASN1BasedDissector,simple ASN1 UDP-based dissector>> is also available. + +[#BuildingAnASN1BasedPlugin] +==== Building An ASN.1-Based Plugin + +The usual way to build an ASN.1-based dissector is to put it into the +_epan/dissectors/asn1_ subtree. This works well and is somewhat simpler than building as a +plugin, but there are two reasons one might want to build as a plugin: + +* To speed development, since only the plugin needs to be recompiled. +* To allow flexibility in deploying an updated plugin, since only the +plugin needs to be distributed. + +Reasons one might _not_ want to build as a plugin: + +* The code is somewhat more complex. +* The CMakeFile is quite a bit more complex. +* Building under the asn1 subtree keeps all such dissectors together. + +If you still think you'd like to build your module as a plugin, see https://gitlab.com/wireshark/wireshark/-/wikis/ASN1_plugin[Building ASN1 Plugins]. + +[#UnderstandingErrorMessages] +=== Understanding Error Messages + +When running asn2wrs, you could get the following errors: + +* A LexToken error (`__main__.ParseError: LexToken(DOT,'.',71)`) +means that something is not understood in the ASN1 file, line 71, +around the dot (.) - can be the dot itself. + +* A ParseError (`__main__.ParseError: LexToken(SEMICOLON,';',88)`) means that the ';' (SEMICOLON) is not understood. Maybe removing it will work? + +[#HandMassagingTheASN1File] +=== Hand-Massaging The ASN.1 File + +If a portion of your ASN.1 file is unsupported you can modify it by hand as needed. +However, the preferred way to resolve the issue is to report it on the link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev] mailing list or in the issue tracker so that asn2wrs can be improved. + +[#CommandLineSyntax] +=== Command Line Syntax + +---- +ASN.1 to Wireshark dissector compiler + + asn2wrs [-h|?] [-d dbg] [-b] [-p proto] [-c cnf_file] [-e] input_file(s) ... + -h|? : Usage + -b : BER (default is PER) + -u : Unaligned (default is aligned) + -p proto : Protocol name (implies -S). Default is module-name + from input_file (renamed by #.MODULE if present) + -o name : Output files name core (default is <proto>) + -O dir : Output directory for dissector + -c cnf_file : Conformance file + -I path : Path for conformance file includes + -e : Create conformance file for exported types + -E : Just create conformance file for exported types + -S : Single output for multiple modules + -s template : Single file output (template is input file + without .c/.h extension) + -k : Keep intermediate files though single file output is used + -L : Suppress #line directive from .cnf file + -D dir : Directory for input_file(s) (default: '.') + -C : Add check for SIZE constraints + -r prefix : Remove the prefix from type names + + input_file(s) : Input ASN.1 file(s) + + -d dbg : Debug output, dbg = [l][y][p][s][a][t][c][m][o] + l - lex + y - yacc + p - parsing + s - internal ASN.1 structure + a - list of assignments + t - tables + c - conformance values + m - list of compiled modules with dependency + o - list of output files +---- + +[#GeneratedFiles] +=== Generated Files + +Asn2wrs creates the following intermediate files: + +* packet-proto-ett.c +* packet-proto-ettarr.c +* packet-proto-fn.c +* packet-proto-hf.c +* packet-proto-hfarr.c +* packet-proto-val.h +* packet-proto-exp.h +* packet-proto-table.c +* packet-proto-syn-reg.c + +These files should be included in the template file as described in the <<ConformanceFiles,conformance file examples>>. +Some are optional. + +[#ASN1StepByStepInstructions] +=== Step By Step Instructions + +. Create a directory for your protocol in the _epan/dissectors/asn1_ directory and put +your ASN.1 file there. +. Copy _CMakeLists.txt_ from another ASN.1 dissector and edit it to suit your needs. +. Create a .cnf file either by copying an existing one and editing it or +using the empty example above. +. Create template files either by copying suitable existing ones and +editing them or use the examples above, putting your protocol name in the +appropriate places. +. Add your dissector to _epan/dissectors/asn1/CMakeLists.txt_ +. Test generating your dissector by building the _generate_dissector-*proto*_ target. +. Depending on the outcome you may have to edit your .cnf file, ASN.1 file +etc... +. Build Wireshark. + +[#HintsForUsingAsn2wrs] +=== Hints For Using Asn2wrs + +Asn2wrs does not support all of ASN.1 yet. +This means you might need to modify the ASN.1 definition before it will compile. +This page lists some tips and tricks that might make your life easier. + +[#COMPONENTS_OF] +[discrete] +==== COMPONENTS OF + +Asn2wrs does not support the COMPONENTS OF directive. +This means that you will have to modify the asn definition to manually +remove all COMPONENTS OF directives. Fortunately this is pretty easy. +COMPONENTS OF is a directive in ASN.1 which include +all specified fields in the referenced SEQUENCE by those fields as if +they had been explicitly specified. + +[#ASN1ComponentsOfExample] +[discrete] +==== Example + +Assume you have some definition that looks like this: + +---- +Foo ::= SEQUENCE { + field_1 INTEGER, + field_2 INTEGER +} + +Bar ::= SEQUENCE { + COMPONENTS OF Foo, + field_3 INTEGER +} +---- + +Since Asn2wrs can not handle COMPONENTS OF you will have to modify the ASN.1 file so that instead Bar +will look like this : + +---- +Bar ::= SEQUENCE { + field_1 INTEGER, + field_2 INTEGER, + field_3 INTEGER +} +---- + +That was pretty easy wasn't it? + +[#SemicolonCharacters] +[discrete] +==== Semicolon Characters + +In some ASN1 you may have semicolon characters like this: + +---- +PBAddressString ::= SEQUENCE { + extension INTEGER(1), natureOfAddressIndicator INTEGER, numberingPlanInd INTEGER, digits OCTET STRING (SIZE(0..19)) +}; +---- + +You will have to remove the last semicolon character. + +[#ASN1Parameters] +[discrete] +==== Parameters + +Parameters will have to be replaced too. +Something like this: + +---- +AChBillingChargingCharacteristics + {PARAMETERS-BOUND : bound} ::= OCTET STRING (SIZE (minAChBillingChargingLength .. +maxAChBillingChargingLength)) +---- + +Will have to be replaced with the real values of the parameters: + +---- +AChBillingChargingCharacteristics ::= OCTET STRING (SIZE (5 .. 177)) +---- + +[#ASN1ANYAndParameterizedTypes] +==== ANY And Parameterized Types + +Asn2wrs can handle the type ANY but not parameterized types. +Fortunately this is easy to work around with small changes to the ASN file and some conformance file magic. +Assuming you have a construct that looks something like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm ALGORITHM.&id({SupportedAlgorithms}), + parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL +} +---- + +Which is essentially a structure that takes two fields, one field being an object identifier and the second field that can be just about anything, depending on what object identifier was used. +Here we just have to rewrite this SEQUENCE slightly so that it looks like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} +---- + +The only thing remaining now is to add the actual code to manage the dissection of this structure. +We do this by using the <<ASN1CnfDirectiveFN_BODY,\#.FN_BODY conformance file directive>>, which will replace the function body of a dissector with the contents that you specify in the conformance file. +For this one we need a string where we store the OID from AlgorithmIdentifier/algorithm so that we can pick it up and act on later from inside the dissector for AlgorithmIdentifier/parameters. +So we have to add something like this: + +[source,c] +---- +static char algorithm_id[64]; /* 64 chars should be enough? */ +---- + +to the template file. +Then we add the following to the conformance file: + +---- +#.FN_BODY AlgorithmIdentifier/algorithmId + +offset = dissect_ber_object_identifier(false, pinfo, tree, tvb, offset, + hf_x509af_algorithm_id, algorithm_id); + +#.FN_BODY AlgorithmIdentifier/parameters + +offset=call_ber_oid_callback(algorithm_id, tvb, offset, pinfo, tree); +---- + +This example comes from the X509AF dissector. Please see the code there +for more examples on how to do this. + +[#TaggedAssignments] +==== Tagged Assignments + +There is currently a bug in Asn2wrs that makes it +generate incorrect code for the case when tagged assignments are used. +The bug is two-fold, first the generated code "forgets" to strip of the +actual tag and length, second it fails to specify 'implicit_tag' +properly. + +A tagged assignment is something that looks like this example from the +FTAM asn specification: + +---- +Degree-Of-Overlap ::= +[APPLICATION 30] IMPLICIT INTEGER { + normal(0), consecutive(1), concurrent(2) +} +---- + +I.e. an assignment that also specifies a tag value. + +Until Asn2wrs is enhanced to handle these constructs you MUST add a workaround for it to the conformance file: + +---- +#.FN_BODY Degree-Of-Overlap + +int8_t class; +bool pc, ind_field; +int32_t tag; +int32_t len1; + +/* + * XXX asn2wrs can not yet handle tagged assignment yes so this + * is some conformance file magic to work around that bug + */ + +offset = get_ber_identifier(tvb, offset, &class, &pc, &tag); +offset = get_ber_length(tree, tvb, offset, &len1, &ind_field); +offset = dissect_ber_integer(true, pinfo, tree, tvb, offset, hf_index, NULL); +---- + +This tells Asn2wrs to not +autogenerate any code at all for the Degree-Of-Overlap object instead it +should use the code specified here. Note that we +do have to specify the implicit_tag value explicitly and we can NOT use +the parameter passed to the function from the caller (also due to the +bug in Asn2wrs) this is the true parameter in the call to +dissect_ber_integer(). We specify true here since +the definition of Degree-Of-Overlap was using IMPLICIT tags and would +have specified false if it was not. + +The code above can be easily cut-n-pasted into the conformance file with +the exception of the last line that actually calls the next dissector +helper (...dissect_ber_integer... in this case). +The easiest way to find out exactly what this +final line should look like in the conformance file; just generate the +dissector first without this workaround and look at what call was +generated. Then put that line in the conformance directive and replace +`implicit_tag` with either true or false depending on whether IMPLICIT +is used or not. + +[#UntaggedCHOICEs] +==== Untagged CHOICEs + +Asn2wrs cannot handle untagged CHOICEs within either a SET or a SEQUENCE. For example: + +---- +MessageTransferEnvelope ::= SET { + ... + content-type ContentType, + ... +} + +ContentType ::= CHOICE { + built-in BuiltInContentType, + extended ExtendedContentType +} + +BuiltInContentType ::= [APPLICATION 6] INTEGER { + unidentified(0), external(1), interpersonal-messaging-1984(2), interpersonal-messaging-1988(22), + edi-messaging(35), voice-messaging(40)} + +ExtendedContentType ::= OBJECT IDENTIFIER +---- + +The Asn2wrs SET/SEQUENCE parsing only looks one level +deep into the dissection tree and does not have access to class/tags of +the elements in the CHOICE. + +As with COMPONENTS OF, the solution is to expand the CHOICE in-line +within the SET or SEQUENCE, but *make sure* that each element of the +CHOICE is marked as OPTIONAL. For example, + +---- +MessageTransferEnvelope ::= SET { + ... + built-in BuiltInContentType OPTIONAL, + extended ExtendedContentType OPTIONAL + ... +} +---- + +This isn't an entirely correct ASN.1 definition, but should allow +successful parsing. + +[#ImportedModuleNameConflicts] +==== Imported Module Name Conflicts + +When importing a module using <<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>> in the conformance file, this +may introduce a definition from the module which contradicts the +definition used in the current ASN.1 file. For example, the X.509 +Authentication Framework defines Time as + +---- +Time ::= CHOICE {utcTime UTCTime, + generalizedTime GeneralizedTime +} +---- + +whereas X.411 defines Time as + +---- +Time ::= UTCTime +---- + +This can lead to failure to decode the ASN.1 as, in the example, +Asn2wrs will be passed the wrong attributes when trying +to decode an X.411 time. In order to solve this +problem, (if you don't want to globally change the conflicting name +within the ASN.1 module), then you must add an appropriate #.TYPE_ATTR +into the conformance file *before* the <<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>> line. For example + +---- +#.TYPE_ATTR +Time TYPE = FT_STRING DISPLAY = BASE_NONE STRING = NULL BITMASK = 0 +---- + +[#SimpleASN1BasedDissector] +=== Simple ASN.1-Based Dissector + +// https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/ASN1_sample/foo.tar.gz +// all seven files as gzipped foo directory (suitable for unzipping in +// wireshark/asn1 directory) + +The following snippets show the different files that make up a dissector for a “FOO” protocol dissector. + +.README.txt +---- + + FOO protocol dissector + ---------------------- + +This trivial dissector is an example for the struggling dissector developer (me included) +of how to create a dissector for a protocol that is encapsulated in UDP packets +for a specific port, and the packet data is ASN1 PER encoded. + +The thing that took me a while to figure out was that in order to see my packet +dissected on the detail pane, I had to: +1. Tell the compiler which block in the ASN1 definition is a PDU definition by adding + FOO-MESSAGE under the #.PDU directive in the foo.cnf file +2. Add a call to dissect_FOO_MESSAGE_PDU() function in the dissect_foo() function in the + packet-foo-template.c file. + +To build and test it: +1. in foo directory, run make +2. run make copy_files +3. add packet-foo.c and packet-foo.h to epan/dissectors/Makefile.common +4. run top level make + +CAVEAT: Makefile.nmake was not tested . + +You can take it from here :-) + + --00-- +---- + +.foo.asn +---- +-- FOO PROTOCOL +-- + +FOO-PROTOCOL DEFINITIONS AUTOMATIC TAGS ::= +BEGIN + +-- General definitions + +MessageId ::= INTEGER (0..65535) +FlowId ::= INTEGER (0..65535) + +MessageData ::= SEQUENCE { + name OCTET STRING(SIZE(10)), + value OCTET STRING(SIZE(10)) +} + +FOO-MESSAGE ::= SEQUENCE { + messageId MessageId, + flowId FlowId, + messageData MessageData +} + +END +---- + +.foo.cnf +---- +# foo.cnf +# FOO conformation file + +# $Id$ + +#.MODULE_IMPORT + +#.EXPORTS + +#.PDU +FOO-MESSAGE + +#.NO_EMIT + +#.TYPE_RENAME + +#.FIELD_RENAME + +#.END +---- + +.packet-foo-template.h +[source,c] +---- +/* packet-foo.h + * Routines for foo packet dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_FOO_H +#define PACKET_FOO_H + +#endif /* PACKET_FOO_H */ +---- + +.packet-foo-template.c +[source,c] +---- +/* packet-foo.c + * Routines for FOO packet dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <glib.h> +#include <epan/packet.h> +#include <epan/conversation.h> + +#include <stdio.h> +#include <string.h> + +#include "packet-per.h" +#include "packet-foo.h" + +#define PNAME "FOO Protocol" +#define PSNAME "FOO" +#define PFNAME "foo" +#define FOO_PORT 5001 /* UDP port */ +static dissector_handle_t foo_handle=NULL; + +void proto_reg_handoff_foo(void); +void proto_register_foo(void); + +/* Initialize the protocol and registered fields */ +static int proto_foo = -1; +static int global_foo_port = FOO_PORT; + +#include "packet-foo-hf.c" + +/* Initialize the subtree pointers */ +static int ett_foo = -1; + +#include "packet-foo-ett.c" + +#include "packet-foo-fn.c" + +static void +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + proto_item *foo_item = NULL; + proto_tree *foo_tree = NULL; + int offset = 0; + + /* make entry in the Protocol column on summary display */ + if (check_col(pinfo->cinfo, COL_PROTOCOL)) + col_set_str(pinfo->cinfo, COL_PROTOCOL, PNAME); + + /* create the foo protocol tree */ + if (tree) { + foo_item = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + foo_tree = proto_item_add_subtree(foo_item, ett_foo); + + dissect_FOO_MESSAGE_PDU(tvb, pinfo, foo_tree); + } +} +/*--- proto_register_foo -------------------------------------------*/ +void proto_register_foo(void) { + + /* List of fields */ + static hf_register_info hf[] = { + +#include "packet-foo-hfarr.c" + }; + + /* List of subtrees */ + static int *ett[] = { + &ett_foo, +#include "packet-foo-ettarr.c" + }; + + /* Register protocol */ + proto_foo = proto_register_protocol(PNAME, PSNAME, PFNAME); + /* Register fields and subtrees */ + proto_register_field_array(proto_foo, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + + +} + +/*--- proto_reg_handoff_foo ---------------------------------------*/ +void +proto_reg_handoff_foo(void) +{ + static bool inited = false; + + if( !inited ) { + + foo_handle = create_dissector_handle(dissect_foo, + proto_foo); + dissector_add("udp.port", global_foo_port, foo_handle); + + inited = true; + } + +} +---- + +.CMakeLists.txt +---- +set( PROTOCOL_NAME foo ) + +set( PROTO_OPT ) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + Foo.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS ) + +ASN2WRS() +---- + +[#ConformanceFiles] +=== Conformance (.cnf) Files + +The .cnf file tells the compiler what to do with certain things, such as skipping auto generation for some ASN.1 entries. +They can contain the following directives: + +#.OPT:: +Compiler options. + +#.MODULE and <<ASN1CnfDirectiveMODULE_IMPORT,++#++.MODULE_IMPORT>>:: +Assign Wireshark protocol name to ASN.1 module name. + +<<ASN1CnfDirectiveINCLUDE,++#++.INCLUDE>>:: +Include another conformance file. + +<<ASN1CnfDirectiveEXPORTS,++#++.EXPORTS>>:: +Export type or information object class. + +<<ASN1CnfDirectivePDUAndPDU_NEW,++#++.PDU>>, <<ASN1CnfDirectivePDUAndPDU_NEW,++#++.PDU_NEW>>, <<ASN1CnfDirectiveREGISTERAndREGISTER_NEW,++#++.REGISTER>>, <<ASN1CnfDirectiveREGISTERAndREGISTER_NEW,++#++.REGISTER_NEW>>, and #.SYNTAX:: +Create PDU functions and register them optionally to dissector table. + + +#.CLASS:: +Declare or define information object class. + +#.ASSIGNED_OBJECT_IDENTIFIER:: +Declare assigned object identifier. + +#.TABLE_HDR, #.TABLE_BODY, and #.TABLE_FTR:: +User tables. + +#.OMIT_ASSIGNMENT, #.NO_OMIT_ASSGN, #.OMIT_ALL_ASSIGNMENTS, #.OMIT_ASSIGNMENTS_EXCEPT, #.OMIT_ALL_TYPE_ASSIGNMENTS, #.OMIT_TYPE_ASSIGNMENTS_EXCEPT, #.OMIT_ALL_VALUE_ASSIGNMENTS, and #.OMIT_VALUE_ASSIGNMENTS_EXCEPT:: +Ignore assignments from ASN.1 source. + +<<ASN1CnfDirectiveNO_EMITAndUSER_DEFINED,++#++.NO_EMIT>> and <<ASN1CnfDirectiveNO_EMITAndUSER_DEFINED,++#++.USER_DEFINED>>:: +See linked text for info. + +#.VIRTUAL_ASSGN, #.SET_TYPE, #.MAKE_ENUM, #.MAKE_DEFINES, and #.ASSIGN_VALUE_TO_TYPE:: +Unknown. + +#.TYPE_RENAME, #.FIELD_RENAME, and #.TF_RENAME:: +Type/field renaming + +#.IMPORT_TAG, #.TYPE_ATTR, #.FIELD_ATTR:: +Type attributes + + +#.FN_HDR, <<ASN1CnfDirectiveFN_BODY,++#++.FN_BODY>>, #.FN_FTR, and #.FN_PARS:: +Type function modification + +<<ASN1CnfDirectiveEND,++#++.END>>:: +End of directive + +#.END_OF_CNF:: +End of conformance file + +[#ExampleCnfFile] +==== Example .cnf File + +---- +#.MODULE IMPORT +InformationFramework x509if + +#.INCLUDE ../x509if/x509if_exp.cnf + +#.EXPORTS + +ObjectName + +#.PDU +ObjectName + +#.REGISTER +Certificate B "2.5.4.36" "id-at-userCertificate" + +#.SYNTAX +ObjectName [FriendlyName] + +#.NO_EMIT ONLY_VALS +# this can be used with: [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +# using NO_EMIT NO_VALS means it won't generate value_string array for it +Type1 + +#.USER DEFINED +Type1 [WITH_VALS|WITHOUT_VALS|ONLY_VALS] + +#.TYPE_RENAME + +#.FIELD_RENAME + +#.TYPE_ATTR Ss-Code TYPE = FT_UINT16 DISPLAY = BASE_HEX STRINGS = VALS(ssCode_vals) + +# This entry will change the hf definition from the auto-generated one for Ss-Code ::= OCTET STRING(SIZE(1)) + + { &hf_gsm_map_ss_Code, + { "ss-Code", "gsm_map.ss_Code", + FT_BYTES, BASE_HEX, NULL, 0, "", HFILL }}, + +# to: + + { &hf_gsm_map_ss_Code, + { "ss-Code", "gsm_map.ss_Code", + FT_UINT16, BASE_HEX, VALS(ssCode_vals), 0, "", HFILL }}, +---- + +In the proto_abbr-template.c file the corresponding value string must be +inserted. As an example the following would be included in +proto_abbr-template.c to define ssCode_vals: + +---- +static const value_string ssCode_vals[] = { + { 0, "ssCodeString 1" }, /* The string for value 0 */ + { 1, "String 2" }, /* String for value 1 */ + { 5, "String for value 5" }, /* Value String 5 */ + { 0, NULL } /* Null terminated array */ +} +---- + +Note that the NULL value must be the final entry and that the index values need not be consecutive. + +Foo is expressed in different ways depending on where you want to insert your code and the ASN.1 code in question. + +* Foo +* Foo/foo +* Foo/_item/foo + +For Tagged type use: + +---- +Foo/_untag + +#.FN_HDR Foo +/* This is code to be inserted into the dissector for Foo BEFORE the BER/PER helper is called. */ +tvbuff_t *out_tvb; +fragment_data *fd_head; +tvbuff_t *next_tvb = NULL; + +#.FN_BODY Foo +/* This here is code to replace the actual call to the helper completely. */ +offset = dissect_ber_octet_string(implicit_tag, pinfo, tree, tvb, offset, hf_index, &out_tvb); + +/* Putting %(DEFAULT_BODY)s inside #.FN_BODY will insert the original code there. */ + +#.FN_FTR Foo +/* This is code to be inserted into the dissector for Foo AFTER the ber/per helper has returned called. */ +if (foo_reassemble) { +... +} + +#.FN_PARS + +#.END +---- + +[#ExamplePacketProtocolTemplateHFile] +==== Example packet-protocol-template.h File + +Example template.h file. +Replace all PROTOCOL/protocol references with the name of your protocol. + +[source,c] +---- +/* packet-protocol.h + * Routines for Protocol packet dissection + * + * $Id$ + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_PROTOCOL_H +#define PACKET_PROTOCOL_H + +#include "packet-protocol-exp.h" + +#endif /* PACKET_PROTOCOL_H */ +---- + +[#ExamplePacketProtocolTemplateCFile] +==== Example packet-protocol-template.c File + +Example template.c file. +Replace all PROTOCOL/protocol references with the name of your protocol. + +[source,c] +---- +/* packet-protocol.c + * Routines for PROTOCOL packet dissection + * + * $Id$ + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <glib.h> +#include <epan/packet.h> +#include <epan/conversation.h> + +#include <stdio.h> +#include <string.h> + +#include "packet-ber.h" +#include "packet-protocol.h" + +#define PNAME "This Is The Protocol Name" +#define PSNAME "PROTOCOL" +#define PFNAME "protocol" + +/* Initialize the protocol and registered fields */ +int proto_protocol = -1; +#include "packet-protocol-hf.c" + +/* Initialize the subtree pointers */ +#include "packet-protocol-ett.c" + +#include "packet-protocol-fn.c" + +/*--- proto_register_protocol ----------------------------------------------*/ +void proto_register_protocol(void) { + + /* List of fields */ + static hf_register_info hf[] = { +#include "packet-protocol-hfarr.c" + }; + + /* List of subtrees */ + static int *ett[] = { +#include "packet-protocol-ettarr.c" + }; + + /* Register protocol */ + proto_protocol = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_protocol, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + +} + +/*--- proto_reg_handoff_protocol -------------------------------------------*/ +void proto_reg_handoff_protocol(void) { +#include "packet-protocol-dis-tab.c" +} +---- + +[#ASN1ConformanceFileDirectiveReference] +=== Conformance File Directive Reference + +The following directives can be used in conformance (.cnf) files: + +[#ASN1CnfDirectiveEND] +==== #.END + +Some of the other directives in the Asn2wrs conformance file consists of multiple lines. +The #.END directive is used to terminate such a directive. +All other “#.” directives (except #.INCLUDE) automatically act as an implicit #.END directive which is why you will not see many #.END directives in the conformance files for the dissectors shipped with Wireshark. + +[#ASN1CnfDirectiveEXPORTS] +==== #.EXPORTS + +This directive in the Asn2wrs conformation file is used to export functions for type decoding from the dissector. + +[#ASN1CnfDirectiveEXPORTSSyntax] +===== Syntax + +---- +#.EXPORTS + +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] [WS_VAR] [NO_PROT_PREFIX] +... +#.END +---- + +Options: + +* WITH_VALS (default): Exports dissection function and value string table if present. +* WITHOUT_VALS: Exports only the dissection function. +* ONLY_VALS: Exports only the value string table. +* WS_VAR and WS_VAR_IMPORT: Used for value string table so as it can be exported from libwireshark.dll. +* NO_PROT_PREFIX: - value string table name does not have protocol prefix + +[#ASN1CnfDirectiveEXPORTSExample] +===== Example + +---- +#.EXPORTS +NonStandardParameter +RasMessage WITH_VALS WS_VAR +H323-UU-PDU/h323-message-body ONLY_VALS WS_VAR +#.END +---- + +[#ASN1CnfDirectiveFN_BODY] +==== #.FN_BODY + +Sometimes, like when we have ANY types, we might want to replace +whatever function body that Asn2wrs generates with code +of our own. This is what this directive allows us to do. + +[#ASN1CnfDirectiveFN_BODYExample] +===== Example: ANY + +Asn2wrs can handle the type ANY but we have to help it by adding some small changes to the conformance file. +Assuming you have a construct that looks something like this: + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} +---- + +To handle this we need to specify our own function bodies to both the +algorithm and the parameters fields, which we do using the #.FN_BODY +directive. + +This particular example also requires us to keep some state between the +two field dissectors, namely the OBJECT IDENTIFIER from algorithm which +specifies what the content of parameters is. For +this one we need a string where we store the oid from +AlgorithmIdentifier/algorithm so that we can pick it up and act on +later from inside the dissector for AlgorithmIdentifier/parameters. +So we have to add: + +---- +static char algorithm_id[64]; /* 64 chars should be enough? */ +---- + +to the template file as a placeholder to remember which OID we picked +up. Then we add to the conformance file: + +---- +#.FN_BODY AlgorithmIdentifier/algorithmId + offset = dissect_ber_object_identifier(false, pinfo, tree, tvb, offset, + hf_x509af_algorithm_id, algorithm_id); + +#.FN_BODY AlgorithmIdentifier/parameters + offset=call_ber_oid_callback(algorithm_id, tvb, offset, pinfo, tree); +---- + +The dissector body we specified for AlgorithmIdentifier/algorithmId +here stores the retrieved OID inside the variable algorithm_id we +specified. + +When we later come to the dissector for +AlgorithmIdentifier/parameters we pick this OID up from the static +variable and just pass it on to the ber/oid dissector helper. + + + + +This example comes from the X509AF dissector. Please see the code there +for more examples on how to do this. + + + +[#ASN1CnfDirectiveMODULE_IMPORTAndINCLUDE] +==== #.MODULE_IMPORT And #.INCLUDE + +These directive in the Asn2wrs conformation file are used to manage references to external type definitions, i.e. IMPORTS. +The examples below are all from the X.509 Authentication Framework (x509af) dissector source code in Wireshark. + +[#ASN1CnfDirectiveMODULE_IMPORTAndINCLUDEExample] +===== Example ASN + +This is an example from the X509AF dissector which amongst other things +imports definitions from X.509 InformationFramework: + +---- +IMPORTS + Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute + FROM InformationFramework informationFramework +---- + +Which tells the Asn2wrs compiler that the types 'Name', +'ATTRIBUTE', 'AttributeType', 'MATCHING-RULE' and 'Attribute' are +declared inside the external InformationFramework ASN module and +that they are referenced from this module. +In order for Asn2wrs to generate correct code for the +dissection it is necessary to give it some help by telling what kind of +types these are, i.e. are they INTEGERs or SEQUENCEs or something +else. + +In order to be able to access these functions from this module it is +important that these types have been declared as #.EXPORTS in the X509 +InformationFramework dissector so that they are exported and that we +can link to them. + +[#ASN1CnfDirectiveMODULE_IMPORT] +==== #.MODULE_IMPORT + +First we need to tell Asn2wrs which protocol name +Wireshark uses for the functions in this external import, so that +Asn2wrs can generate suitable function call signatures to +these external functions. + +We do this by adding a directive to the conformation file : + +---- +#.MODULE_IMPORT +InformationFramework x509if +---- + +Where InformationFramework is the ASN name for the module used in +the asn IMPORTS declaration and that x509if is the name we use inside +Wireshark for this protocol. + +This tells Asn2wrs that the function name to call to +dissect Name would be dissect_x509if_Name(...). Without this knowledge +Asn2wrs would not know which function name to generate. + + +[#ASN1CnfDirectiveINCLUDE] +==== #.INCLUDE + +Second, in order for Asn2wrs to generate correct code it +also needs to know the BER type and class of these types that are +imported, since that would affect how they are to be encoded on the +wire. + +This information about what kind of BER attributes these imported types +have are done using the #.INCLUDE directive in the conformance file: + +---- +#.INCLUDE ../x509if/x509if_exp.cnf +---- + +See #.EXPORTS for a description and examples of these types of include +files. + +[#ASN1CnfDirectiveNO_EMITAndUSER_DEFINED] +==== #.NO_EMIT And #.USER_DEFINED + +These two directives in the conformance file for Asn2wrs +can be used to suppress generation of dissectors +and/or value_strings and similar for a protocol. This is useful when +there are types in the asn definition that either Asn2wrs +can not handle or if we want to handle the dissection ourself inside the +template file to do additional state keeping or things that +Asn2wrs does not know how to manage. + +These two directives are very similar. The only +difference between is that #.NO_EMIT will suppress emitting the +dissector for that function and also any value_strings while +#.USER_DEFINED will emit declarations instead of definitions. + +I.e. #.USER_DEFINED will emit declarations such +as +`extern const value_string Type_vals[];` +and +`[static] int dissect_Proto_Type(...);` + +Use #.NO_EMIT if you dont need to call this function at all from anywhere (except from the template itself) and use #.USER_DEFINED is better if you implement the function inside the template but still want to allow it to be called from other places. +// (need much better explanation here) + +[#ASN1CnfDirectiveNO_EMITSyntax] +===== Syntax + +---- +#.USER_DEFINED +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +... +#.END +---- + +---- +#.NO_EMIT +TypeName [WITH_VALS|WITHOUT_VALS|ONLY_VALS] +... +#.END +---- + +Options: + +* WITH_VALS (default): Both dissection function and value string table are user defined and not emitted. +* WITHOUT_VALS: Only dissection function is user defined and not emitted. +* ONLY_VALS: Only value string table is user defined and not emitted. + +[#ASN1CnfDirectivePDUAndPDU_NEW] +==== #.PDU and #.PDU_NEW + +This directive in the Asn2wrs conformation file will +generate a wrapper function around an object dissector. +This is useful if there is an object inside the +ASN.1 definition that we really want to register as a protocol dissector +or if we want it to have a well known signature. + +[#ASN1CnfDirectivePDUFunctionNames] +===== Function Names + +The wrapper functions that are created will all be named and have the +following signature: + +---- +static void dissect_ProtocolName_ObjectName(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); +---- + +Notice that this is exactly the same signature as `dissector_t` which is used by all dissector entry points. + +[#ASN1CnfDirectivePDUUsage] +===== Usage + +To get Asn2wrs to generate such wrapper functions you +just have to list all objects one by one on the lines following the +#.PDU declaration. + +[#ASN1CnfDirectivePDUExample] +===== Example + +---- +#.PDU +SomeObject +---- + +This will result in Asn2wrs creating this wrapper function in the packet-foo.c dissector file: + +[source,c] +---- +static void dissect_SomeObject_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { + dissect_foo_SomeObject(false, ... +} +---- + +This function can then later be called or referenced from the template file or even exported. + +[#ASN1CnfDirectiveREGISTERAndREGISTER_NEW] +==== #.REGISTER and #.REGISTER_NEW + +This directive in the Asn2wrs conformation file can be used to register a dissector for an object to an OID. +This is very useful for X.509 and similar protocols where structures and objects are frequently associated with an OID. +In particular, some of the structures here encode an OID in a field and then the content in a different field later, and how that field is to be dissected depends on the previously seen OID. + +One such example can be seen in the ASN.1 description for X.509/AuthenticationFramework which has a structure defined such as + +---- +AlgorithmIdentifier ::= SEQUENCE { + algorithm ALGORITHM.&id({SupportedAlgorithms}), + parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL +} +---- + +Which means that the parameters field in this structure, what this field contains and how it is to be dissected depends entirely upon what OID is stored inside algorithm. +A whole bunch of protocols use similar types of constructs. +While dissection of this particular structure itself currently has to be hand implemented inside the template (see x509af for examples of how this very structure is handled there). +The #.REGISTER option in the conformance file will at least make it easy and painless to attach the actual OID to dissector mappings. + +[#ASN1CnfDirectiveREGISTERUsage] +===== Usage + +To get Asn2wrs to generate such automatic registration of +OID to dissector mappings just use the #.REGISTER directive in the +conformation file. + +[#ASN1CnfDirectiveREGISTERExample] +===== Example + +---- +#.REGISTER +Certificate B "2.5.4.36" "id-at-userCertificate" +---- + +Which will generate the extra code to make sure that anytime Wireshark needs to dissect the blob associated to the OID "2.5.4.36" it now knows that that is done by calling the subroutine to dissect a Certificate in the current protocol file. +The "id-at-userCertificate" is just a free form text string to make Wireshark print a nice name together with the OID when it presents it in the decode pane. While this can be just about anything you want I would STRONGLY use the name used to this object/oid in the actual ASN.1 definition file. + +[#ASN1CnfDirectiveREGISTERIncludeFile] +===== Include File + +During the compilation phase Asn2wrs will put all the extra registration code for this in the include file +packet-protocol-dis-tab.c. +Make sure that you include this file from the template file or the registration to an OID will never occur. `#include "packet-protocol-dis-tab.c"` should be included from the proto_reg_handoff_protocol function in the template file. + +[#ASN1CnfDirectiveREGISTERSeeAlso] +===== See Also + +The various dissectors we have for X.509 such as the X.509AF which contains several examples of how to use this option. +That dissector can also serve as an example on how one would handle structures of the type AlgorithmIdentifier above. +Asn2wrs can NOT handle these types of structures so we need to implement them by hand inside the template. diff --git a/docbook/wsdg_src/wsdg_build_intro.adoc b/docbook/wsdg_src/wsdg_build_intro.adoc new file mode 100644 index 0000000..d4ededb --- /dev/null +++ b/docbook/wsdg_src/wsdg_build_intro.adoc @@ -0,0 +1,52 @@ +// WSDG Chapter Build Introduction + +[#ChapterBuildIntro] + +== Introduction + +[#ChCodeOverview] + +=== Source overview + +Wireshark consists of the following major parts: + +* Packet dissection - in the _/epan/dissectors_ and +_/plugins/epan/{asterisk}_ directories + +* Capture file I/O - using Wireshark’s own wiretap library + +* Capture - using the libpcap and Npcap libraries, in _dumpcap.c_ and +the _/capture_ directory + +* User interface - using Qt and associated libraries + +* Utilities - miscellaneous helper code + +* Help - using an external web browser and text output + +[#ChCodeStyle] + +=== Coding Style + +The coding style guides for Wireshark can be found in the “Portability” +section of the file _doc/README.developer_. + +[#ChCodeGLib] + +=== The GLib library + +GLib is used as a basic platform abstraction library. It doesn't provide +any direct GUI functionality. + +To quote the GLib Reference Manual: +____ +GLib provides the core application building blocks for libraries and +applications written in C. It provides the core object system used in GNOME, the +main loop implementation, and a large set of utility functions for strings and +common data structures. +____ + +GLib contains lots of useful things for platform independent development. +See https://developer.gnome.org/glib/ and https://docs.gtk.org/glib/ for details about GLib. + +// End of WSDG Chapter Build Introduction diff --git a/docbook/wsdg_src/wsdg_capture.adoc b/docbook/wsdg_src/wsdg_capture.adoc new file mode 100644 index 0000000..868f2a0 --- /dev/null +++ b/docbook/wsdg_src/wsdg_capture.adoc @@ -0,0 +1,505 @@ +// WSDG Chapter Capture + +[#ChapterCapture] + +== Packet Capture + +**** +This chapter needs to be reviewed and extended. +**** + +[#ChCaptureAddLibpcap] + +=== Adding A New Capture Type To Libpcap + +For this discussion, let's assume you're working with libpcap 1.0 or +later. You probably don't want to work with a version older than 1.0, +even if whatever OS you're using happens to include libpcap - older +versions are not as friendly towards adding support for devices other +than standard network interfaces. + +First, read +link:https://www.tcpdump.org/libpcap-module-HOWTO.html[the +libpcap documentation on writing a new libpcap module] + +(It's currently incomplete, but I'll be finishing it up over time. If +you have contributions, feel free to submit pull requests for it.) + +If you had to introduce one or more new `{dlt-glob}` values, you will +also have to add support in Wireshark for those `{dlt-glob}` values to +_wiretap/pcap-common.c_, which might mean adding one or more +_WTAP_ENCAP_ types to _wtap.h_ and to the `encap_table[]` table in +_wiretap/wtap.c_. You'd then have to write a dissector or dissectors for +the link-layer protocols or protocols and have them register themselves +with the `wtap_encap` dissector table, with the appropriate _WTAP_ENCAP_ +values by calling `dissector_add_uint()`. + +[#ChCaptureExtcap] + +=== Adding Capture Interfaces And Log Sources Using Extcap + +The extcap interface is a versatile plugin interface that allows external binaries +to act as capture interfaces directly in Wireshark. It is used in scenarios, where +the source of the capture is not a traditional capture model (live capture from an +interface, from a pipe, from a file, etc). The typical example is connecting esoteric +hardware of some kind to the main Wireshark app. + +Without extcap, a capture can always be achieved by directly writing to a capture file: + +.Bash example for traditional capture with a capture file. +[source,bash] +---- +$ the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap & +$ wireshark dumpfile.pcap +---- + +but the extcap interface allows for such a connection to be easily established and +configured using the Wireshark GUI. + +The extcap subsystem is made of multiple extcap binaries that are automatically +called by the GUI in a row. In the following chapters we will refer to them as +“the extcaps”. + +Extcaps may be any binary or script within the extcap directory. Please note, that +scripts need to be executable without prefacing a script interpreter before the call. + +IMPORTANT: *Windows Users* Because of restrictions directly calling the script may not always work. +In such a case, a batch file may be provided, which then in turn executes the script. +Please refer to <<ChCaptureExtcapWindowsShell>> for more information. + +When Wireshark launches an extcap, it automatically adds its installation path +(normally _C:\Program Files\Wireshark\_) to the DLL search path so that the extcap library dependencies +can be found (it is not designed to be launched by hand). This is done on purpose. There should +only be extcap programs (executables, Python scripts, etc.) in the extcap folder to reduce the startup +time and not have Wireshark trying to execute other file types. + +[#ChCaptureExtcapProcess] + +==== Extcap Command Line Interface + +The actual capture is run after a setup process that can be done manually by the +user or automatically by the GUI. All the steps performed are done for every extcap. + +Let's go through those steps. + +===== Query For Available Interfaces + +In the first step the extcap is queried for its interfaces. + +[source,bash] +---- +$ extcapbin --extcap-interfaces +---- + +This call must print the existing interfaces for this extcap and must return 0. +The output must conform to the grammar specified for extcap, and it is specified +in the doc/extcap.4 generated man page (in the build dir). + +Wireshark 2.9 and later also pass `--extcap-version=x.x`, which provides the calling Wireshark's major and minor version. +This can be used to change behavior depending on the Wireshark version in question. + +.Example call for interface query +[source,bash] +---- +$ extcap_example.py --extcap-interfaces --extcap-version=4.0 +extcap {version=1.0}{help=Some help url} +interface {value=example1}{display=Example interface 1 for extcap} +interface {value=example2}{display=Example interface 2 for extcap} +---- + +The *version* for the extcap sentence (which may exist as many times as is needed, but only +the last one will be used) will be used for displaying the version information of +the extcap interface in the about dialog of Wireshark. + +The value for each interface will be used in subsequent calls as the interface name <iface>. + +Using the help argument, an interface may provide a generic help URL for the extcap +utility. + +===== Ask For DLTs For Each Interface + +Next, the extcap binary is queried for all valid DLTs for all the interfaces returned by step 1. + +[source,bash] +---- +$ extcap_example.py --extcap-dlts --extcap-interface <iface> +---- + +This call must print the valid DLTs for the interface specified. This call is +made for all the interfaces and must return 0. + +.Example for the DLT query +[source,bash] +---- +$ extcap_example.py --extcap-interface IFACE --extcap-dlts +dlt {number=147}{name=USER1}{display=Demo Implementation for Extcap} +---- + +A binary or script which neither provides an interface list or a DLT list will not show up in the extcap interfaces list. + +===== The Extcap Configuration Interface + +The extcap binary is next asked for the configuration of each specific interface + +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> --extcap-config +---- + +Each interface can have custom options that are valid for this interface only. +Those config options are specified on the command line when running the actual +capture. To allow an end-user to specify certain options, such options may be +provided using the extcap config argument. + +To share which options are available for an interface, the extcap responds to the command `--extcap-config`, which shows all the available options (aka additional command line options). + +Those options are used to build a configuration dialog for the interface. + +.Example for interface options +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> --extcap-config +arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{required=true} +arg {number=1}{call=--message}{display=Message}{tooltip=Package message content}{placeholder=Please enter a message here ...}{type=string} +arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag} +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector} +arg {number=4}{call=--server}{display=IP address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b} +value {arg=3}{value=if1}{display=Remote1}{default=true} +value {arg=3}{value=if2}{display=Remote2}{default=false} +---- + +Now the user can click on the options and change them. They are sent to the +extcap when the capture is launched. + +There are several kind of options available: + +[horizontal] +File:: +A path to a file displayed as a text entry and file selector. + +Flag:: +A boolean value displayed as a checkbox. +_boolflag_ for instance expects the option to be present resulting in the corresponding entry set to true or false. + +Selection:: +A set of fixed values displayed as a combobox, radio group, or selection list. +Selections can be presented multiple times in the command line. +Subsequent _value_ items must be provided in the config list. + +Timestamp:: +A time value displayed as a date/time editor. + +Value:: +A text or numeric value displayed as an entry box. +Values are passed as a single value via the command-line call. + +===== The Extcap Capture Process + +Once the interfaces are listed and configuration is customized by the user the capture can be started. + +[source,bash] +---- +$ extcap_example.py --extcap-interface <iface> [params] --capture [--extcap-capture-filter <cfilter>] + --fifo FIFO +---- + +To run the capture, the extcap must implement the `--capture`, `--extcap-capture-filter` +and `--fifo` options. + +They are automatically added by Wireshark, which opens the fifo for reading. +All the other options are automatically added to run the capture. +The extcap interface is used like all other interfaces (meaning that capture on multiple interfaces, as well as stopping and restarting the capture is supported). + +[#ChCaptureExtcapWindowsShell] + +====== Execute A Script-based Extcap On Windows + +Although Windows will run batch and PowerShell scripts directly, other scripting languages require extra effort. +In most cases this involves creating a wrapper script which runs the appropriate interpreter. +For example, in order to run a Python-based extcap, you can create _scriptname.bat_ inside your extcap folder with the following content: + +[source,batch] +---- +@echo off +C:\Windows\py.exe C:\Path\to\my\extcap.py %* +---- + +==== Extcap Arguments + +The extcap interface provides the possibility for generating a GUI dialog to +set and adapt settings for the extcap binary. + +All options must provide a number, by which they are identified. +No number may be provided twice. +All options must present the elements _call_ and _display_, with _call_ specifying the argument’s name on the command line and _display_ specifying the name in the GUI. + +Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field. + +These options do have types, for which the following types are being supported: + +[horizontal] +_integer_, _unsigned_, _long_, _double_:: +This provides a field for entering a numeric value of the given data type. +A _default_ value may be provided, as well as a _range_. ++ +[source,python] +---- +arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{default=0} +---- + +_string_:: +This provides a field for entering a text value. ++ +[source,python] +---- +arg {number=1}{call=--server}{display=IP Address}{tooltip=IP Address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b} +---- ++ +`validation` allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b) + +_password_:: +Lets the user provide a masked string to the capture. +Password strings are not saved with other capture settings. ++ +[source,python] +---- +arg {number=0}{call=--password}{display=The user password}{tooltip=The password for the connection}{type=password} +---- + +_boolean_, _boolflag_:: +This provides the possibility to set a true/false value. +_boolflag_ values will only appear in the command line if set to true, otherwise they will not be added to the command-line call for the extcap interface. ++ +[source,python] +---- +arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag} +---- + +_fileselect_:: +Lets the user provide a file path. +If _mustexist=true_ is provided, the GUI shows the user a dialog for selecting a file. +When _mustexist=false_ is used, the GUI shows the user a file dialog for saving a file. ++ +[source,python] +---- +arg {number=3}{call=--logfile}{display=Logfile}{tooltip=A file for log messages}{type=fileselect}{mustexist=false} +---- + +_selector_, __editselector__, _radio_, _multicheck_:: +Option fields where the user may choose from one or more options. +If _parent_ is provided for the value items, the option fields for _multicheck_ and _selector_ are presented in a tree-like structure. +_selector_ and _radio_ values must present a default value, which will be the value provided to the extcap binary for this argument. +_editselector_ option fields let the user select from a list of items or enter a custom value. ++ +[source,python] +---- +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector} +value {arg=3}{value=if1}{display=Remote1}{default=true} +value {arg=3}{value=if2}{display=Remote2}{default=false} +---- + +===== Reload A Selector + +A selector may be reloaded from the configuration dialog of the extcap application within Wireshark. With the reload argument (defaults to false), the entry can be marked as reloadable. + +[source,python] +---- +arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}{reload=true}{placeholder=Load interfaces...} +---- + +After this has been defined, the user will get a button displayed in the configuration dialog for this extcap application, with the text "Load interfaces..." in this case, and a generic "Reload" text if no text has been provided. + +The extcap utility is then called again with all filled out arguments and the additional parameter `--extcap-reload-option <option_name>`. It is expected to return a value section for this option, as it would during normal configuration. The provided option list is then presented as the selection, a previous selected option will be reselected if applicable. + +===== Validation Of Arguments + +Arguments may be set with `{required=true}` which enforces a value being provided, before +a capture can be started using the extcap options dialog. This is not being checked, if +the extcap is started via a simple double-click. The necessary fields are marked for the +customer, to ensure a visibility for the end customer of the required argument. + +Additionally text and number arguments may also be checked using a regular expression, +which is provided using the validation attribute (see example above). The syntax for +such a check is the same as for Qt RegExp classes. This feature is only active in the +Qt version of Wireshark. + + +==== Toolbar Controls + +An extcap utility can provide configuration for controls to use in an interface toolbar. +These controls are bidirectional and can be used to control the extcap utility while +capturing. + +This is useful in scenarios where configuration can be done based on findings in the +capture process, setting temporary values or give other inputs without restarting the +current capture. + +.Example of interface definition with toolbar controls +[source,bash] +---- +$ extcap_example.py --extcap-interfaces +extcap {version=1.0}{display=Example extcap interface} +interface {value=example1}{display=Example interface 1 for extcap} +interface {value=example2}{display=Example interface 2 for extcap} +control {number=0}{type=string}{display=Message}{tooltip=Package message content. Must start with a capital letter.}{validation=[A-Z]+}{required=true} +control {number=1}{type=selector}{display=Time delay}{tooltip=Time delay between packages} +control {number=2}{type=boolean}{display=Verify}{default=true}{tooltip=Verify package content} +control {number=3}{type=button}{display=Turn on}{tooltip=Turn on or off} +control {number=4}{type=button}{role=logger}{display=Log}{tooltip=Show capture log} +value {control=1}{value=1}{display=1 sec} +value {control=1}{value=2}{display=2 sec}{default=true} +---- + +All controls will be presented as GUI elements in a toolbar specific to the extcap +utility. The extcap must not rely on using those controls (they are optional) because +of other capturing tools not using GUI (e.g. tshark, tfshark). + + +===== Controls + +The controls are similar to the _arguments_, but without the _call_ element. +All controls may be given a default value at startup and most can be changed during capture, both by the extcap and the user (depending on the type of control). + +All controls must provide a _number_, by which they are identified. +No _number_ may be provided twice. +All options must present the elements _type_ and _display_, where _type_ provides the type of control to add to the toolbar and _display_ providing the name in the GUI. + +Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field. + +All controls, except from the logger, help and restore buttons, may be disabled +(and enabled) in GUI by the extcap during capture. This can be because of set-once +operations, or operations which takes some time to complete. + +All control values which are changed by the user (not equal to the default value) will +be sent to the extcap utility when starting a capture. The extcap utility may choose +to discard initial values and set new values, depending on implementation. + +These __type__s are defined as controls: + +[horizontal] +_boolean_:: +This provides a checkbox which lets the user set a true/false value. ++ +The extcap utility can set a default value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is one byte with binary value 0 or 1. ++ +Valid Commands: Set value, Enable, Disable. + +_button_:: This provides a button with different __role__s: + +_control_:::: +This button will send a signal when pressed. This is the default if no role is configured. +The button is only enabled when capturing. ++ +The extcap utility can set the button text at startup, and can change (set) the button text and receive button press signals while capturing. The button is disabled and the button text is restored to the default text when not capturing. ++ +The payload is either the button text or empty (signal). ++ +Valid Commands: Set value, Enable, Disable. + +_logger_:::: +This provides a logger mechanism where the extcap utility can send log entries to be presented in a log window. +This communication is unidirectional. ++ +The payload is the log entry, and should be ended with a newline. Maximum length is 65535 bytes. ++ +Valid Commands: Set log entry, Add log entry. ++ +The Set command will clear the log before adding the entry. + +_help_:::: +This button opens the help page, if configured. +This role has no controls and will not be used in communication. ++ +Valid Commands: None. + +_restore_:::: +This button will restore all control values to default. +This role has no controls and will not be used in communication. The button is only enabled when not capturing. ++ +Valid Commands: None. + +_selector_:: +This provides a combo box with fixed values which can be selected. ++ +The extcap utility can set default values at startup, and add and remove values and receive change in value selection while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is a string with the value, and optionally a string with a display value if this is different from the value. This two string values are separated by a null character. ++ +Valid Commands: Set selected value, Add value, Remove value, Enable, Disable. ++ +If value is empty the Remove command will remove all entries. + +_string_:: +This provides a text edit line with the possibility to set a string or any value which can be represented in a string (integer, float, date, etc.). ++ +The extcap utility can set a default string value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value. ++ +The payload is a string with the value. Maximum length is 32767 bytes. ++ +Valid Commands for control: Set value, Enable, Disable. ++ +The element VALIDATION allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b). + +===== Messages + +In addition to the controls it’s possible to send a single message from the extcap +utility to the user. This message can be put in the status bar or displayed in a +information, warning or error dialog which must be accepted by the user. This message +does not use the NUMBER argument so this can have any value. + +====== Control Protocol + +The protocol used to communicate over the control pipes has a fixed size header of +6 bytes and a payload with 0 - 65535 bytes. + +.Control packet: +[cols="^m", width="50%"] +|=== +|Sync Pipe Indication (1 byte) +|Message Length + + (3 bytes network order) +|Control Number (1 byte) +|Command (1 byte) +|Payload + + (0 - 65535 bytes) +|=== + +.Sync Pipe Indication +The common sync pipe indication. This protocol uses the value “T”. + +.Message Length +Payload length + 2 bytes for control number and command. + +.Control Number +Unique number to identify the control. This number also gives the order of the controls in the interface toolbar. + +.Commands and application for controls +[cols="1,2,3"] +|=== +|Command Byte|Command Name|Control type + +|0 |Initialized |none +|1 |Set |boolean / button / logger / selector / string +|2 |Add |logger / selector +|3 |Remove |selector +|4 |Enable |boolean / button / selector / string +|5 |Disable |boolean / button / selector / string +|6 |Statusbar message |none +|7 |Information message |none +|8 |Warning message |none +|9 |Error message |none +|=== + +The `Initialized` command will be sent from the GUI to the extcap utility when all +user changed control values are sent after starting a capture. This is an indication +that the GUI is ready to receive control values. + +The GUI will only send `Initialized` and `Set` commands. The extcap utility shall not +send the `Initialized` command. + +Messages with unknown control number or command will be silently ignored. + + +// End of WSDG Chapter Capture diff --git a/docbook/wsdg_src/wsdg_dissection.adoc b/docbook/wsdg_src/wsdg_dissection.adoc new file mode 100644 index 0000000..efc0a71 --- /dev/null +++ b/docbook/wsdg_src/wsdg_dissection.adoc @@ -0,0 +1,1498 @@ +// WSDG Chapter Dissection + +[#ChapterDissection] + +== Packet Dissection + +[#ChDissectWorks] + +=== How packet dissection works + +Each dissector decodes its part of the protocol and then hands off +decoding to subsequent dissectors for an encapsulated protocol. + +Every dissection starts with the Frame dissector which dissects the +details of the capture file itself (e.g. timestamps). From there it passes the +data on to the lowest-level data dissector, e.g. the Ethernet dissector for +the Ethernet header. The payload is then passed on to the next dissector (e.g. +IP) and so on. At each stage, details of the packet are decoded and +displayed. + +Dissectors can either be built-in to Wireshark or written as a self-registering +plugin (a shared library or DLL). +There is little difference in having your dissector as either a plugin +or built-in. You have limited function access through the ABI exposed +by functions declared as WS_DLL_PUBLIC. + +The big benefit of writing a dissector as a plugin is that rebuilding +a plugin is much faster than rebuilding wireshark after editing a built-in +dissector. +As such, starting with a plugin often makes initial development quicker, while +the finished code may make more sense as a built-in dissector. + +[NOTE] +.Read README.dissector +==== +The file _doc/README.dissector_ contains detailed information about writing +a dissector. In many cases it is more up to date than this document. +==== + +[#ChDissectAdd] + +=== Adding a basic dissector + +Let’s step through adding a basic dissector. We'll start with the made up "foo" +protocol. It consists of the following basic items. + +* A packet type - 8 bits. Possible values: 1 - initialisation, 2 - terminate, 3 - data. + +* A set of flags stored in 8 bits. 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet. + +* A sequence number - 16 bits. + +* An IPv4 address. + +[#ChDissectSetup] + +==== Setting up the dissector + +The first decision you need to make is if this dissector will be a +built-in dissector and included in the main program, or a plugin. + +Plugins are easier to write initially, so let’s start with that. +With a little care, the plugin can be converted into a built-in dissector. + +.Dissector Initialisation. +[source,c] +---- +#include "config.h" +#include <epan/packet.h> + +#define FOO_PORT 1234 + +static int proto_foo = -1; + +void +proto_register_foo(void) +{ + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short name */ + "foo" /* filter_name */ + ); +} +---- + +Let’s go through this a bit at a time. First we have some boilerplate +include files. These will be pretty constant to start with. + +Then a `#define` for the UDP port that carries _foo_ traffic. + +Next we have `proto_foo`, an int that stores our protocol handle and is +initialised to `-1`. +This handle will be set when the dissector is registered within the main program. +It’s good practice to make all variables and functions that aren't exported +static to minimize name space pollution. This normally isn't a problem unless your +dissector gets so big that it spans multiple files. + +Now that we have the basics in place to interact with the main program, we'll +start with two protocol dissector setup functions: `proto_register_XXX` and +`proto_reg_handoff_XXX`. + +Each protocol must have a register function with the form "proto_register_XXX". +This function is used to register the protocol in Wireshark. +The code to call the register routines is generated automatically and is +called when Wireshark starts. In this example, the function is named +`proto_register_foo`. + +`proto_register_foo` calls `proto_register_protocol()`, which takes a `name`, +`short name`, and `filter_name`. The +name and short name are used in the "Preferences" and "Enabled protocols" +dialogs and the documentation's generated field name list. The +`filter_name` is used as the display filter name. `proto_register_protocol()` +returns a protocol handle, which can be used to refer to the protocol and +obtain a handle to the protocol's dissector. + + +Next we need a handoff routine. + +.Dissector Handoff. +[source,c] +---- +void +proto_reg_handoff_foo(void) +{ + static dissector_handle_t foo_handle; + + foo_handle = create_dissector_handle(dissect_foo, proto_foo); + dissector_add_uint("udp.port", FOO_PORT, foo_handle); +} +---- + +A handoff routine associates a protocol handler with the protocol's +traffic. It consists of two major steps: The first step is to create a +dissector handle, which is a handle associated with the protocol and the +function called to do the actual dissecting. +The second step is to register the dissector handle so that traffic +associated with the protocol calls the dissector. + +In this example, `proto_reg_handoff_foo()` calls `create_dissector_handle()` +to obtain a dissector handle for the foo protocol. It then uses +`dissector_add_uint()` to associate traffic on UDP port FOO_PORT (1234) +with the foo protocol, so that Wireshark will call `dissect_foo()` when +it receives UDP traffic on port 1234. + +Wireshark's dissector convention is to put `proto_register_foo()` and +`proto_reg_handoff_foo()` as the last two functions in the dissector source. + +The next step is to write the dissecting function, `dissect_foo()`. +We'll start with a basic placeholder. + +.Dissection. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + return tvb_captured_length(tvb); +} +---- + +`dissect_foo()` is called to dissect the packets presented to it. The packet data +is held in a special buffer referenced here as `tvb`. The packet_info structure +contains general data about the protocol and we can update +information here. The tree parameter is where the detail dissection takes place. +Note that the `\_U_` following `tree` and `data` signals to the compiler that the +parameters are unused, so that the compiler does not print a warning. + +For now we'll do the minimum we can get away with. `col_set_str()` is used to set +Wireshark's Protocol column to "FOO" so everyone can see it’s being +recognised. The +only other thing we do is to clear out any data in the INFO column if it’s being +displayed. + +At this point we have a basic dissector ready to compile and install. +The dissector doesn't do anything other than identify the protocol and label it. +Here is the dissector's complete code: + +.Complete _packet-foo.c_:. +[source,c] +---- +#include "config.h" +#include <epan/packet.h> + +#define FOO_PORT 1234 + +static int proto_foo = -1; + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) +{ + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short_name */ + "foo" /* filter_name */ + ); +} + +void +proto_reg_handoff_foo(void) +{ + static dissector_handle_t foo_handle; + + foo_handle = create_dissector_handle(dissect_foo, proto_foo); + dissector_add_uint("udp.port", FOO_PORT, foo_handle); +} + +---- + +To compile this dissector and create a plugin a few support files +are required, besides the dissector source in _packet-foo.c_: + +* _CMakeLists.txt_ - Contains the CMake file and version info for this plugin. + +* _packet-foo.c_ - Your dissector source. + +* _plugin.rc.in_ - Contains the DLL resource template for Windows. (optional) + +Samples of these files are available in the gryphon plugin directory +(plugins/epan/gryphon). +If you copy the files from the gryphon plugin, _CMakeLists.txt_ will need +to be updated with the correct plugin name, version +info, and the relevant files to compile. + +In the main top-level source directory, copy _CMakeListsCustom.txt.example_ to +_CMakeListsCustom.txt_ and add the path of your plugin to the list in +`CUSTOM_PLUGIN_SRC_DIR`. + +Compile the dissector to a DLL or shared library and either run Wireshark from +the build directory as detailed in <<ChSrcRunFirstTime>> or copy the plugin +binary into the plugin directory of your Wireshark installation and run that. + +[#ChDissectDetails] + +==== Dissecting the protocol's details + +Now that we have our basic dissector up and running, let’s do something with it. +The simplest thing to start with is labeling the payload. We can label the +payload by building a subtree to decode our results into. +This subtree will hold all the protocol's details and +helps keep things looking nice in the detailed display. + +We add the new subtree with `proto_tree_add_item()`, as is depicted below: + +.Plugin Packet Dissection. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo,COL_INFO); + + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + + return tvb_captured_length(tvb); +} +---- + +As the `FOO` protocol does not encapsulate another protocol, we +consume all of the tvb's data, from `0` to the end (`-1`). + +The final parameter specifies the "encoding" and is set to +`ENC_NA` ("not applicable"), as the protocol doesn't specifically +use big endian (`ENC_BIG_ENDIAN`) or little endian (`ENC_LITTLE_ENDIAN`). + +After adding the call to +`proto_tree_add_item()` +, there should be a label `FOO` in the protocol's detailed display. +Selecting this label will highlight the remaining contents of the packet. + +Now let’s go to the next step and add some protocol dissection. To do this +we'll need to construct tables to define which fields will be present in the +packet and to store the opened/closed state of the subtree. We'll +add these statically allocated arrays to the beginning of the file +and name them +`hf_register_info` ('hf' is short for 'header field') and `ett`. +The arrays wil then registered after the call to +`proto_register_protocol()` by calling `proto_register_field_array()` +and `proto_register_subtree_array()`: + +.Registering data structures. +[source,c] +---- +static int hf_foo_pdu_type = -1; +static int ett_foo = -1; + +/* ... */ + +void +proto_register_foo(void) +{ + static hf_register_info hf[] = { + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + } + }; + + /* Setup protocol subtree array */ + static int *ett[] = { + &ett_foo + }; + + proto_foo = proto_register_protocol ( + "FOO Protocol", /* name */ + "FOO", /* short_name */ + "foo" /* filter_name*/ + ); + + proto_register_field_array(proto_foo, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); +} +---- + +As you can see, a field `foo.type` was defined inside the array of +header fields. + +Now we can dissect the `FOO PDU Type` (referenced as `foo.type`) +field in `dissect_foo()` by adding +the FOO Protocol's subtree with `proto_item_add_subtree()` and +then calling `proto_tree_add_item()` to add the field: + +.Dissector starting to dissect the packets. +[source,c] +---- + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN); +---- + +As mentioned earlier, the foo protocol begins with an 8-bit `packet type` +which can have three possible values: 1 - initialisation, 2 - terminate, 3 - data. +Here's how we can add the packet details: + +The `proto_item_add_subtree()` call has added a child node +to the protocol tree which is where we will do our detail dissection. +The expansion of this node is controlled by the `ett_foo` +variable. This remembers if the node should be expanded or not as you move +between packets. All subsequent dissection will be added to this tree, +as you can see from the next call. +A call to `proto_tree_add_item()` in the foo_tree, +this time using the `hf_foo_pdu_type` to control the formatting +of the item. The pdu type is one byte of data, starting at 0. We assume it is +in network order (also called big endian), so that is why we use `ENC_BIG_ENDIAN`. +For a 1-byte quantity, there is no order issue, but it is good practice to +make this the same as any multibyte fields that may be present, and as we will +see in the next section, this particular protocol uses network order. + +If we look in detail at the `hf_foo_pdu_type` declaration in +the static array we can see the details of the definition. + +---- +static hf_register_info hf[] = { + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + } +}; +---- + +* _hf_foo_pdu_type_ - The node's index. + +* _FOO PDU Type_ - The item's label. + +* _foo.type_ - The item's abbreviated name, for use in the display filter +(e.g., `foo.type=1`). + +* _FT_UINT8_ - The item's type: An 8bit unsigned integer. +This tallies with our call above where we tell it to only look at one byte. + +* _BASE_DEC_ - For an integer type, this tells it to be printed as a decimal +number. It could be hexadecimal (BASE_HEX) or octal (BASE_OCT) if that made more sense. + +We'll ignore the rest of the structure for now. + +If you install this plugin and try it out, you'll see something that begins to look +useful. + +Now let’s finish off dissecting the simple protocol. We need to add a few +more variables to the hfarray, and a couple more procedure calls. + +.Wrapping up the packet dissection. +[source,c] +---- +... +static int hf_foo_flags = -1; +static int hf_foo_sequenceno = -1; +static int hf_foo_initialip = -1; +... + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + int offset = 0; + + ... + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + ... + + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) { + ... + ... + { &hf_foo_flags, + { "FOO PDU Flags", "foo.flags", + FT_UINT8, BASE_HEX, + NULL, 0x0, + NULL, HFILL } + }, + { &hf_foo_sequenceno, + { "FOO PDU Sequence Number", "foo.seqn", + FT_UINT16, BASE_DEC, + NULL, 0x0, + NULL, HFILL } + }, + { &hf_foo_initialip, + { "FOO PDU Initial IP", "foo.initialip", + FT_IPv4, BASE_NONE, + NULL, 0x0, + NULL, HFILL } + }, + ... + ... +} +... +---- + +This dissects all the bits of this simple hypothetical protocol. We've +introduced a new variable offsetinto the mix to help keep track of where we are +in the packet dissection. With these extra bits in place, the whole protocol is +now dissected. + +==== Improving the dissection information + +We can certainly improve the display of the protocol with a bit of extra data. +The first step is to add some text labels. Let’s start by labeling the packet +types. There is some useful support for this sort of thing by adding a couple of +extra things. First we add a simple table of type to name. + + +.Naming the packet types. +[source,c] +---- +static const value_string packettypenames[] = { + { 1, "Initialise" }, + { 2, "Terminate" }, + { 3, "Data" }, + { 0, NULL } +}; +---- + +This is a handy data structure that can be used to look up a name for a value. +There are routines to directly access this lookup table, but we don't need to +do that, as the support code already has that added in. We just have to give +these details to the appropriate part of the data, using the `VALS` macro. + +.Adding Names to the protocol. +[source,c] +---- + { &hf_foo_pdu_type, + { "FOO PDU Type", "foo.type", + FT_UINT8, BASE_DEC, + VALS(packettypenames), 0x0, + NULL, HFILL } + } +---- + +This helps in deciphering the packets, and we can do a similar thing for the +flags structure. For this we need to add some more data to the table though. + +.Adding Flags to the protocol. +[source,c] +---- +#define FOO_START_FLAG 0x01 +#define FOO_END_FLAG 0x02 +#define FOO_PRIORITY_FLAG 0x04 + +static int hf_foo_startflag = -1; +static int hf_foo_endflag = -1; +static int hf_foo_priorityflag = -1; + +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + ... + ... + static int* const bits[] = { + &hf_foo_startflag, + &hf_foo_endflag, + &hf_foo_priorityflag, + NULL + }; + + proto_tree_add_bitmask(foo_tree, tvb, offset, hf_foo_flags, ett_foo, bits, ENC_BIG_ENDIAN); + offset += 1; + ... + ... + return tvb_captured_length(tvb); +} + +void +proto_register_foo(void) { + ... + ... + { &hf_foo_startflag, + { "FOO PDU Start Flags", "foo.flags.start", + FT_BOOLEAN, 8, + NULL, FOO_START_FLAG, + NULL, HFILL } + }, + { &hf_foo_endflag, + { "FOO PDU End Flags", "foo.flags.end", + FT_BOOLEAN, 8, + NULL, FOO_END_FLAG, + NULL, HFILL } + }, + { &hf_foo_priorityflag, + { "FOO PDU Priority Flags", "foo.flags.priority", + FT_BOOLEAN, 8, + NULL, FOO_PRIORITY_FLAG, + NULL, HFILL } + }, + ... + ... +} +... +---- + +Some things to note here. For the flags, as each bit is a different flag, we use +the type `FT_BOOLEAN`, as the flag is either on or off. Second, we include the flag +mask in the 7th field of the data, which allows the system to mask the relevant bit. +We've also changed the 5th field to 8, to indicate that we are looking at an 8 bit +quantity when the flags are extracted. Then finally we add the extra constructs +to the dissection routine. + +This is starting to look fairly full featured now, but there are a couple of +other things we can do to make things look even more pretty. At the moment our +dissection shows the packets as "Foo Protocol" which whilst correct is a little +uninformative. We can enhance this by adding a little more detail. First, let’s +get hold of the actual value of the protocol type. We can use the handy function +`tvb_get_guint8()` to do this. With this value in hand, there are a couple of +things we can do. First we can set the INFO column of the non-detailed view to +show what sort of PDU it is - which is extremely helpful when looking at +protocol traces. Second, we can also display this information in the dissection +window. + +.Enhancing the display. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + int offset = 0; + uint8_t packet_type = tvb_get_guint8(tvb, 0); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo,COL_INFO); + col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s", + val_to_str(packet_type, packettypenames, "Unknown (0x%02x)")); + + proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); + proto_item_append_text(ti, ", Type %s", + val_to_str(packet_type, packettypenames, "Unknown (0x%02x)")); + proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo); + proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + + return tvb_captured_length(tvb); +} +---- + +So here, after grabbing the value of the first 8 bits, we use it with one of the +built-in utility routines `val_to_str()`, to lookup the value. If the value +isn't found we provide a fallback which just prints the value in hex. We use +this twice, once in the INFO field of the columns -- if it’s displayed, and +similarly we append this data to the base of our dissecting tree. + +[#ChDissectExpertInfo] + +=== How to add an expert item + +A dissector showing the protocol fields and interpretation of their values is +very informative. It can be even more helpful if the dissector can draw your +attention to fields where something noteworthy can be seen. This can be something +as simple as the start flag of a session, or something more severe as an invalid +value. + +Here we take our dissector for `FOO` and add an expert item for the sequence +number being zero (assuming that's a noteworthy thing for this protocol). + +.Expert item setup. +[source,c] +---- +#include <epan/expert.h> + +static expert_field ei_foo_seqn_zero = EI_INIT; + +/* ... */ + +void +proto_register_foo(void) +{ + /* ... */ + expert_module_t* expert_foo; + + /* ... */ + static ei_register_info ei[] = { + { + &ei_foo_seqn_zero, + { "foo.seqn_zero", PI_SEQUENCE, PI_CHAT, + "Sequence number is zero", EXPFILL } + } + }; + + /* ... */ + expert_foo = expert_register_protocol(proto_foo); + expert_register_field_array(expert_foo, ei, array_length(ei)); +} +---- + +Let's go through this step by step. The data structures and functions needed for +expert items are found in epan/expert.h, so we have to include that file. + +Next we have to allocate an `expert_field` structure for every type of expert item +we would like to add to the dissection. This structure is initialised with `EI_INIT`. + +Now we have to register with the protocol we are providing expert info for. Since +we already have a function to register our protocol, we add the expert info +registration there too. This is done by calling `expert_register_protocol()` with +the handle for the protocol we received earlier in this function. + +Next we need to register an array of definitions of expert items that we would +like to add to the dissection. This array, not unlike the array of header fields +before, contains all the data the dissection engine needs to create and handle +the expert items. + +The expert item definition consists of a pointer to the `expert_field` structure +we defined before and a structure with data elements of the expert item itself. + +* _"foo.seqn_zero"_ - The expert items display filter + +* _PI_SEQUENCE_ - The group to which the expert item belongs + +* _PI_CHAT_ - The severity of the expert item + +* _"Sequence number is zero"_ - The text string added to the dissection + +We'll ignore the rest of the structure for now. + +To keep an overview of lots of expert items it helps to categorize them into groups. +Currently there are several types of groups defined, e.g. `checksum`, `sequence`, +`protocol`, etc. All these are defined in the epan/proto.h header file. + +Not every noteworthy field value is of equal severity. The start of a session +is nice to know, while an invalid value may be significant error in the protocol. +To differentiate between these severties the expert item is assigned one of them: +`comment`, `chat`, `note`, `warn` or `error`. Try to choose the lowest one which +is suitable. The topic you're currently working on seems probably more important +than it will look like in a few weeks. + +With the expert item array setup, we add this to the dissection engine with a +call to `expert_register_field_array()`. + +Now that all information of the expert item is defined and registered it's time +to actually add the expert item to the dissection. + +.Expert item use. +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + uint32_t sequenceno = 0xFFFF; + + /* ... */ + + ti = proto_tree_add_item_ret_uint(foo_tree, hf_foo_sequenceno, + tvb, offset, 2, ENC_BIG_ENDIAN, &sequenceno); + if (sequenceno == 0) { + expert_add_info(pinfo, ti, &ei_foo_seqn_zero); + } + + /* ... */ +} +---- + +There's been a slight alteration to the function used to add the sequence number +dissection. First the proto_item created by the function is saved in previously +defined variable `ti`, and the actual value of the field is stored in the variable +`sequenceno`. We can now use the value of this field to determine wether to add +the expert item. + +Adding the expert item is simply done by calling `expert_add_info()` with reference +to the `packet_info` structure, the proto item `ti` to add the expert item to and +the previously defined and registered expert item information. + +[#ChDissectTransformed] + +=== How to handle transformed data + +Some protocols do clever things with data. They might possibly +encrypt the data, or compress data, or part of it. If you know +how these steps are taken it is possible to reverse them within the +dissector. + +As encryption can be tricky, let’s consider the case of compression. +These techniques can also work for other transformations of data, +where some step is required before the data can be examined. + +What basically needs to happen here, is to identify the data that needs +conversion, take that data and transform it into a new stream, and then call a +dissector on it. Often this needs to be done "on-the-fly" based on clues in the +packet. Sometimes this needs to be used in conjunction with other techniques, +such as packet reassembly. The following shows a technique to achieve this +effect. + +.Decompressing data packets for dissection. +[source,c] +---- + uint8_t flags = tvb_get_guint8(tvb, offset); + offset ++; + if (flags & FLAG_COMPRESSED) { /* the remainder of the packet is compressed */ + uint16_t orig_size = tvb_get_ntohs(tvb, offset); + unsigned char *decompressed_buffer = (unsigned char*)wmem_alloc(pinfo->pool, orig_size); + offset += 2; + decompress_packet(tvb_get_ptr(tvb, offset, -1), + tvb_captured_length_remaining(tvb, offset), + decompressed_buffer, orig_size); + /* Now re-setup the tvb buffer to have the new data */ + next_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, orig_size, orig_size); + add_new_data_source(pinfo, next_tvb, "Decompressed Data"); + } else { + next_tvb = tvb_new_subset_remaining(tvb, offset); + } + offset = 0; + /* process next_tvb from here on */ +---- + +The first steps here are to recognise the compression. In this case a flag byte +alerts us to the fact the remainder of the packet is compressed. Next we +retrieve the original size of the packet, which in this case is conveniently +within the protocol. If it’s not, it may be part of the compression routine to +work it out for you, in which case the logic would be different. + +So armed with the size, a buffer is allocated to receive the uncompressed data +using `wmem_alloc()` in pinfo->pool memory, and the packet is decompressed into +it. The `tvb_get_ptr()` function is useful to get a pointer to the raw data of +the packet from the offset onwards. In this case the decompression routine also +needs to know the length, which is given by the +`tvb_captured_length_remaining()` function. + +Next we build a new tvb buffer from this data, using the +`tvb_new_child_real_data()` call. This data is a child of our original data, so +calling this function also acknowledges that. No need to call +`tvb_set_free_cb()` as the pinfo->pool was used (the memory block will be +automatically freed when the pinfo pool lifetime expires). Finally we add this +tvb as a new data source, so that the detailed display can show the +decompressed bytes as well as the original. + +After this has been set up the remainder of the dissector can dissect the buffer +next_tvb, as it’s a new buffer the offset needs to be 0 as we start again from +the beginning of this buffer. To make the rest of the dissector work regardless +of whether compression was involved or not, in the case that compression was not +signaled, we use `tvb_new_subset_remaining()` to deliver us a new buffer based +on the old one but starting at the current offset, and extending to the end. +This makes dissecting the packet from this point on exactly the same regardless +of compression. + +[#ChDissectReassemble] + +=== How to reassemble split packets + +Some protocols have times when they have to split a large packet across +multiple other packets. In this case the dissection can't be carried out correctly +until you have all the data. The first packet doesn't have enough data, +and the subsequent packets don't have the expect format. +To dissect these packets you need to wait until all the parts have +arrived and then start the dissection. + +The following sections will guide you through two common cases. For a +description of all possible functions, structures and parameters, see +_epan/reassemble.h_. + +[#ChDissectReassembleUdp] + +==== How to reassemble split UDP packets + +As an example, let’s examine a protocol that is layered on top of UDP that +splits up its own data stream. If a packet is bigger than some given size, it +will be split into chunks, and somehow signaled within its protocol. + +To deal with such streams, we need several things to trigger from. We need to +know that this packet is part of a multi-packet sequence. We need to know how +many packets are in the sequence. We also need to know when we have all the +packets. + +For this example we'll assume there is a simple in-protocol signaling mechanism +to give details. A flag byte that signals the presence of a multi-packet +sequence and also the last packet, followed by an ID of the sequence and a +packet sequence number. + +---- +msg_pkt ::= SEQUENCE { + ..... + flags ::= SEQUENCE { + fragment BOOLEAN, + last_fragment BOOLEAN, + ..... + } + msg_id INTEGER(0..65535), + frag_id INTEGER(0..65535), + ..... +} +---- + +.Reassembling fragments - Part 1 +[source,c] +---- +#include <epan/reassemble.h> + ... +save_fragmented = pinfo->fragmented; +flags = tvb_get_guint8(tvb, offset); offset++; +if (flags & FL_FRAGMENT) { /* fragmented */ + tvbuff_t* new_tvb = NULL; + fragment_data *frag_msg = NULL; + uint16_t msg_seqid = tvb_get_ntohs(tvb, offset); offset += 2; + uint16_t msg_num = tvb_get_ntohs(tvb, offset); offset += 2; + + pinfo->fragmented = true; + frag_msg = fragment_add_seq_check(msg_reassembly_table, + tvb, offset, pinfo, + msg_seqid, NULL, /* ID for fragments belonging together */ + msg_num, /* fragment sequence number */ + tvb_captured_length_remaining(tvb, offset), /* fragment length - to the end */ + flags & FL_FRAG_LAST); /* More fragments? */ +---- + +We start by saving the fragmented state of this packet, so we can restore it +later. Next comes some protocol specific stuff, to dig the fragment data out of +the stream if it’s present. Having decided it is present, we let the function +`fragment_add_seq_check()` do its work. We need to provide this with a certain +amount of parameters: + +* The `msg_reassembly_table` table is for bookkeeping and is described later. + +* The tvb buffer we are dissecting. + +* The offset where the partial packet starts. + +* The provided packet info. + +* The sequence number of the fragment stream. There may be several streams of + fragments in flight, and this is used to key the relevant one to be used for + reassembly. + +* Optional additional data for identifying the fragment. Can be set to `NULL` + (as is done in the example) for most dissectors. + +* msg_num is the packet number within the sequence. + +* The length here is specified as the rest of the tvb as we want the rest of the packet data. + +* Finally a parameter that signals if this is the last fragment or not. This + might be a flag as in this case, or there may be a counter in the protocol. + +.Reassembling fragments part 2 +[source,c] +---- + new_tvb = process_reassembled_data(tvb, offset, pinfo, + "Reassembled Message", frag_msg, &msg_frag_items, + NULL, msg_tree); + + if (frag_msg) { /* Reassembled */ + col_append_str(pinfo->cinfo, COL_INFO, + " (Message Reassembled)"); + } else { /* Not last packet of reassembled Short Message */ + col_append_fstr(pinfo->cinfo, COL_INFO, + " (Message fragment %u)", msg_num); + } + + if (new_tvb) { /* take it all */ + next_tvb = new_tvb; + } else { /* make a new subset */ + next_tvb = tvb_new_subset_remaining(tvb, offset); + } +} +else { /* Not fragmented */ + next_tvb = tvb_new_subset_remaining(tvb, offset); +} + +..... +pinfo->fragmented = save_fragmented; +---- + +Having passed the fragment data to the reassembly handler, we can now check if +we have the whole message. If there is enough information, this routine will +return the newly reassembled data buffer. + +After that, we add a couple of informative messages to the display to show that +this is part of a sequence. Then a bit of manipulation of the buffers and the +dissection can proceed. Normally you will probably not bother dissecting further +unless the fragments have been reassembled as there won't be much to find. +Sometimes the first packet in the sequence can be partially decoded though if +you wish. + +Now the mysterious data we passed into the `fragment_add_seq_check()`. + +.Reassembling fragments - Initialisation +[source,c] +---- +static reassembly_table reassembly_table; + +static void +proto_register_msg(void) +{ + reassembly_table_register(&msg_reassemble_table, + &addresses_ports_reassembly_table_functions); +} +---- + +First a `reassembly_table` structure is declared and initialised in the protocol +initialisation routine. The second parameter specifies the functions that should +be used for identifying fragments. We will use +`addresses_ports_reassembly_table_functions` in order to identify fragments by +the given sequence number (`msg_seqid`), the source and destination addresses +and ports from the packet. + +Following that, a `fragment_items` structure is allocated and filled in with a +series of ett items, hf data items, and a string tag. The ett and hf values +should be included in the relevant tables like all the other variables your +protocol may use. The hf variables need to be placed in the structure something +like the following. Of course the names may need to be adjusted. + +.Reassembling fragments - Data +[source,c] +---- +... +static int hf_msg_fragments = -1; +static int hf_msg_fragment = -1; +static int hf_msg_fragment_overlap = -1; +static int hf_msg_fragment_overlap_conflicts = -1; +static int hf_msg_fragment_multiple_tails = -1; +static int hf_msg_fragment_too_long_fragment = -1; +static int hf_msg_fragment_error = -1; +static int hf_msg_fragment_count = -1; +static int hf_msg_reassembled_in = -1; +static int hf_msg_reassembled_length = -1; +... +static int ett_msg_fragment = -1; +static int ett_msg_fragments = -1; +... +static const fragment_items msg_frag_items = { + /* Fragment subtrees */ + &ett_msg_fragment, + &ett_msg_fragments, + /* Fragment fields */ + &hf_msg_fragments, + &hf_msg_fragment, + &hf_msg_fragment_overlap, + &hf_msg_fragment_overlap_conflicts, + &hf_msg_fragment_multiple_tails, + &hf_msg_fragment_too_long_fragment, + &hf_msg_fragment_error, + &hf_msg_fragment_count, + /* Reassembled in field */ + &hf_msg_reassembled_in, + /* Reassembled length field */ + &hf_msg_reassembled_length, + /* Tag */ + "Message fragments" +}; +... +static hf_register_info hf[] = +{ +... +{&hf_msg_fragments, + {"Message fragments", "msg.fragments", + FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment, + {"Message fragment", "msg.fragment", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_overlap, + {"Message fragment overlap", "msg.fragment.overlap", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_overlap_conflicts, + {"Message fragment overlapping with conflicting data", + "msg.fragment.overlap.conflicts", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_multiple_tails, + {"Message has multiple tail fragments", + "msg.fragment.multiple_tails", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_too_long_fragment, + {"Message fragment too long", "msg.fragment.too_long_fragment", + FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_error, + {"Message defragmentation error", "msg.fragment.error", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_fragment_count, + {"Message fragment count", "msg.fragment.count", + FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_reassembled_in, + {"Reassembled in", "msg.reassembled.in", + FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, +{&hf_msg_reassembled_length, + {"Reassembled length", "msg.reassembled.length", + FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, +... +static int *ett[] = +{ +... +&ett_msg_fragment, +&ett_msg_fragments +... +---- + +These hf variables are used internally within the reassembly routines to make +useful links, and to add data to the dissection. It produces links from one +packet to another, such as a partial packet having a link to the fully +reassembled packet. Likewise there are back pointers to the individual packets +from the reassembled one. The other variables are used for flagging up errors. + +[#TcpDissectPdus] + +==== How to reassemble split TCP Packets + +A dissector gets a `tvbuff_t` pointer which holds the payload +of a TCP packet. This payload contains the header and data +of your application layer protocol. + +When dissecting an application layer protocol you cannot assume +that each TCP packet contains exactly one application layer message. +One application layer message can be split into several TCP packets. + +You also cannot assume that a TCP packet contains only one application layer message +and that the message header is at the start of your TCP payload. +More than one messages can be transmitted in one TCP packet, +so that a message can start at an arbitrary position. + +This sounds complicated, but there is a simple solution. +`tcp_dissect_pdus()` does all this tcp packet reassembling for you. +This function is implemented in _epan/dissectors/packet-tcp.h_. + +.Reassembling TCP fragments +[source,c] +---- +#include "config.h" + +#include <epan/packet.h> +#include <epan/prefs.h> +#include "packet-tcp.h" + +... + +#define FRAME_HEADER_LEN 8 + +/* This method dissects fully reassembled messages */ +static int +dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) +{ + /* TODO: implement your dissecting code */ + return tvb_captured_length(tvb); +} + +/* determine PDU length of protocol foo */ +static unsigned +get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_) +{ + /* TODO: change this to your needs */ + return (unsigned)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */ +} + +/* The main dissecting routine */ +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + tcp_dissect_pdus(tvb, pinfo, tree, true, FRAME_HEADER_LEN, + get_foo_message_len, dissect_foo_message, data); + return tvb_captured_length(tvb); +} + +... +---- + +As you can see this is really simple. Just call `tcp_dissect_pdus()` in your +main dissection routine and move you message parsing code into another function. +This function gets called whenever a message has been reassembled. + +The parameters tvb, pinfo, tree and data are just handed over to +`tcp_dissect_pdus()`. The 4th parameter is a flag to indicate if the data should +be reassembled or not. This could be set according to a dissector preference as +well. Parameter 5 indicates how much data has at least to be available to be +able to determine the length of the foo message. Parameter 6 is a function +pointer to a method that returns this length. It gets called when at least the +number of bytes given in the previous parameter is available. Parameter 7 is a +function pointer to your real message dissector. Parameter 8 is the data +passed in from parent dissector. + +Protocols which need more data before the message length can be determined can +return zero. Other values smaller than the fixed length will result in an +exception. + +[#ChDissectTap] + +=== How to tap protocols + +Adding a Tap interface to a protocol allows it to do some useful things. +In particular you can produce protocol statistics from the tap interface. + +A tap is basically a way of allowing other items to see what’s happening as +a protocol is dissected. A tap is registered with the main program, and +then called on each dissection. Some arbitrary protocol specific data +is provided with the routine that can be used. + +To create a tap, you first need to register a tap. A tap is registered with an +integer handle, and registered with the routine `register_tap()`. This takes a +string name with which to find it again. + +.Initialising a tap +[source,c] +---- +#include <epan/packet.h> +#include <epan/tap.h> + +static int foo_tap = -1; + +struct FooTap { + int packet_type; + int priority; + ... +}; + +void proto_register_foo(void) +{ + ... + foo_tap = register_tap("foo"); +---- + +Whilst you can program a tap without protocol specific data, it is generally not +very useful. Therefore it’s a good idea to declare a structure that can be +passed through the tap. This needs to be a static structure as it will be used +after the dissection routine has returned. It’s generally best to pick out some +generic parts of the protocol you are dissecting into the tap data. A packet +type, a priority or a status code maybe. The structure really needs to be +included in a header file so that it can be included by other components that +want to listen in to the tap. + +Once you have these defined, it’s simply a case of populating the protocol +specific structure and then calling `tap_queue_packet`, probably as the last part +of the dissector. + +.Calling a protocol tap +[source,c] +---- +static int +dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + ... + fooinfo = wmem_alloc(pinfo->pool, sizeof(struct FooTap)); + fooinfo->packet_type = tvb_get_guint8(tvb, 0); + fooinfo->priority = tvb_get_ntohs(tvb, 8); + ... + tap_queue_packet(foo_tap, pinfo, fooinfo); + + return tvb_captured_length(tvb); +} +---- + +This now enables those interested parties to listen in on the details +of this protocol conversation. + +[#ChDissectStats] + +=== How to produce protocol stats + +Given that you have a tap interface for the protocol, you can use this +to produce some interesting statistics (well presumably interesting!) from +protocol traces. + +This can be done in a separate plugin, or in the same plugin that is +doing the dissection. The latter scheme is better, as the tap and stats +module typically rely on sharing protocol specific data, which might get out +of step between two different plugins. + +Here is a mechanism to produce statistics from the above TAP interface. + +.Initialising a stats interface +[source,c] +---- +#include <epan/stats_tree.h> + +/* register all http trees */ +static void register_foo_stat_trees(void) { + stats_tree_register_plugin("foo", "foo", "Foo/Packet Types", 0, + foo_stats_tree_packet, foo_stats_tree_init, NULL); +} + +WS_DLL_PUBLIC_DEF void plugin_register_tap_listener(void) +{ + register_foo_stat_trees(); +} +---- + +Working from the bottom up, first the plugin interface entry point is defined, +`plugin_register_tap_listener()`. This simply calls the initialisation function +`register_foo_stat_trees()`. + +This in turn calls the `stats_tree_register_plugin()` function, which takes three +strings, an integer, and three callback functions. + +. This is the tap name that is registered. + +. An abbreviation of the stats name. + +. The name of the stats module. A “/” character can be used to make sub menus. + +. Flags for per-packet callback + +. The function that will called to generate the stats. + +. A function that can be called to initialise the stats data. + +. A function that will be called to clean up the stats data. + +In this case we only need the first two functions, as there is nothing specific to clean up. + +.Initialising a stats session +[source,c] +---- +static const uint8_t* st_str_packets = "Total Packets"; +static const uint8_t* st_str_packet_types = "FOO Packet Types"; +static int st_node_packets = -1; +static int st_node_packet_types = -1; + +static void foo_stats_tree_init(stats_tree* st) +{ + st_node_packets = stats_tree_create_node(st, st_str_packets, 0, STAT_DT_INT, true); + st_node_packet_types = stats_tree_create_pivot(st, st_str_packet_types, st_node_packets); +} +---- + +In this case we create a new tree node, to handle the total packets, +and as a child of that we create a pivot table to handle the stats about +different packet types. + + +.Generating the stats +[source,c] +---- +static tap_packet_status foo_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt, const void* p, tap_flags_t flags) +{ + struct FooTap *pi = (struct FooTap *)p; + tick_stat_node(st, st_str_packets, 0, false); + stats_tree_tick_pivot(st, st_node_packet_types, + val_to_str(pi->packet_type, packettypenames, "Unknown packet type (%d)")); + return TAP_PACKET_REDRAW; +} +---- + +In this case the processing of the stats is quite simple. First we call the +`tick_stat_node` for the `st_str_packets` packet node, to count packets. Then a +call to `stats_tree_tick_pivot()` on the `st_node_packet_types` subtree allows +us to record statistics by packet type. + +[#ChDissectConversation] + +=== How to use conversations + +Some info about how to use conversations in a dissector can be found in the file +_doc/README.dissector_, chapter 2.2. + +[#ChDissectIdl2wrs] + +=== __idl2wrs__: Creating dissectors from CORBA IDL files + +Many of Wireshark’s dissectors are automatically generated. This section shows +how to generate one from a CORBA IDL file. + +==== What is it? + +As you have probably guessed from the name, `idl2wrs` takes a user specified IDL +file and attempts to build a dissector that can decode the IDL traffic over +GIOP. The resulting file is “C” code, that should compile okay as a Wireshark +dissector. + +`idl2wrs` parses the data struct given to it by the `omniidl` compiler, +and using the GIOP API available in packet-giop.[ch], generates get_CDR_xxx +calls to decode the CORBA traffic on the wire. + +It consists of 4 main files. + +README.idl2wrs:: +This document + +wireshark_be.py:: +The main compiler backend + +wireshark_gen.py:: +A helper class, that generates the C code. + +idl2wrs:: +A simple shell script wrapper that the end user should use to generate the +dissector from the IDL file(s). + +==== Why do this? + +It is important to understand what CORBA traffic looks like over GIOP/IIOP, and +to help build a tool that can assist in troubleshooting CORBA interworking. This +was especially the case after seeing a lot of discussions about how particular +IDL types are represented inside an octet stream. + +I have also had comments/feedback that this tool would be good for say a CORBA +class when teaching students what CORBA traffic looks like “on the wire”. + +It is also COOL to work on a great Open Source project such as the case with +“Wireshark” ({wireshark-main-url}). + + +==== How to use idl2wrs + +To use the idl2wrs to generate Wireshark dissectors, you need the following: + +* Python must be installed. See link:https://python.org/[] + +* `omniidl` from the omniORB package must be available. See link:http://omniorb.sourceforge.net/[] + +* Of course you need Wireshark installed to compile the code and tweak it if +required. idl2wrs is part of the standard Wireshark distribution + +To use idl2wrs to generate an Wireshark dissector from an idl file use the following procedure: + +* To write the C code to stdout. ++ +-- +---- +$ idl2wrs <your_file.idl> +---- + +e.g.: + +---- +$ idl2wrs echo.idl +---- +-- + +* To write to a file, just redirect the output. ++ +-- +---- +$ idl2wrs echo.idl > packet-test-idl.c +---- + +You may wish to comment out the register_giop_user_module() code and that will +leave you with heuristic dissection. + +If you don't want to use the shell script wrapper, then try steps 3 or 4 instead. +-- + +* To write the C code to stdout. ++ +-- +---- +$ omniidl -p ./ -b wireshark_be <your file.idl> +---- + +e.g.: + +---- +$ omniidl -p ./ -b wireshark_be echo.idl +---- +-- + +* To write to a file, just redirect the output. ++ +-- +---- +$ omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c +---- + +You may wish to comment out the register_giop_user_module() code and that will +leave you with heuristic dissection. +-- + +* Copy the resulting C code to subdirectory epan/dissectors/ inside your +Wireshark source directory. ++ +-- +---- +$ cp packet-test-idl.c /dir/where/wireshark/lives/epan/dissectors/ +---- + +The new dissector has to be added to CMakeLists.txt in the same directory. Look +for the declaration DISSECTOR_SRC and add the new dissector there. For +example, + +---- +DISSECTOR_SRC = \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-2dparityfec.c + ${CMAKE_CURRENT_SOURCE_DIR}/packet-3com-njack.c + ... +---- + +becomes + +---- +DISSECTOR_SRC = \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-test-idl.c \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-2dparityfec.c \ + ${CMAKE_CURRENT_SOURCE_DIR}/packet-3com-njack.c \ + ... +---- +-- + +For the next steps, go up to the top of your Wireshark source directory. + +* Create a build dir ++ +-- +---- +$ mkdir build && cd build +---- +-- + +* Run cmake ++ +-- +---- +$ cmake .. +---- +-- + +* Build the code ++ +-- +---- +$ make +---- +-- + +* Good Luck !! + +==== TODO + +* Exception code not generated (yet), but can be added manually. + +* Enums not converted to symbolic values (yet), but can be added manually. + +* Add command line options etc + +* More I am sure :-) + +==== Limitations + +See the TODO list inside _packet-giop.c_ + +==== Notes + +The `-p ./` option passed to omniidl indicates that the wireshark_be.py and +wireshark_gen.py are residing in the current directory. This may need tweaking +if you place these files somewhere else. + +If it complains about being unable to find some modules (e.g. tempfile.py), you +may want to check if PYTHONPATH is set correctly. + + +// End of WSDG Chapter Dissection diff --git a/docbook/wsdg_src/wsdg_env_intro.adoc b/docbook/wsdg_src/wsdg_env_intro.adoc new file mode 100644 index 0000000..91d51ea --- /dev/null +++ b/docbook/wsdg_src/wsdg_env_intro.adoc @@ -0,0 +1,524 @@ +// WSDG Chapter Introduction + +[#ChapterIntroduction] + +== Introduction + +[#ChIntroIntro] + +=== Introduction + +This chapter will provide a general overview of Wireshark development. + +[#ChIntroWhatIs] + +=== What Is Wireshark? + +Well, if you want to start Wireshark development, you might already +know what Wireshark is doing. If not, please have a look at the +link:{wireshark-users-guide-url}[Wireshark User’s Guide], +which will provide a lot of general information about it. + +[#ChIntroPlatforms] + +=== Supported Platforms + +Wireshark currently runs on most UNIX-like platforms and various Windows +platforms. It requires Qt, GLib, libpcap and some other libraries in +order to run. + +As Wireshark is developed in a platform independent way and uses libraries (such +as the Qt GUI library) which are available for many different platforms, +it’s thus available on a wide variety of platforms. + +If a binary package is not available for your platform, you should +download the source and try to build it. Please report your experiences +to mailto:{wireshark-dev-list-email}[]. + +Binary packages are available for the following platforms along with many +others: + +==== Unix And Unix-like Platforms + +* Apple macOS + +* FreeBSD + +* HP-UX + +* IBM AIX + +* NetBSD + +* OpenBSD + +* Oracle Solaris + +===== Linux + +* Arch Linux + +* Debian GNU/Linux + +* Ubuntu + +* Fedora + +* Gentoo Linux + +* IBM S/390 Linux (Red Hat) + +* Mandriva Linux + +* PLD Linux + +* Red Hat Linux + +* Slackware Linux + +* Suse Linux + +==== Microsoft Windows + +Wireshark supports Windows natively via the https://en.wikipedia.org/wiki/Windows_API[Windows API]. +Note that in this documentation and elsewhere we tend to use the terms “Win32”, “Win”, and “Windows” interchangeably to refer to the Windows API. +“Win64” refers to the Windows API on 64-bit platforms. +Wireshark runs on and can be compiled on the following Windows versions: + +* Windows 11 / Windows Server 2022 + +* Windows 10 / Windows Server 2016 / Windows Server 2019 + +* Windows 8.1 / Windows Server 2012 R2 + +* Windows 8 / Windows Server 2012 + +Development on Windows 7, Server 2008 R2, Vista, Server 2008, and older versions may be possible but is not supported. + +Some versions of Windows support https://devblogs.microsoft.com/commandline/per-directory-case-sensitivity-and-wsl/[case sensitive directories]. +We don’t officially support building or running Wireshark in this environment, but we will accept patches to fix any issues that might arise. + +[#ChIntroDevelopment] + +=== Development And Maintenance Of Wireshark + +Wireshark was initially developed by Gerald Combs. Ongoing development +and maintenance of Wireshark is handled by the Wireshark core developers, +a loose group of individuals who fix bugs and provide new functionality. + +There have also been a large number of people who have contributed +protocol dissectors and other improvements to Wireshark, and it is +expected that this will continue. You can find a list of the people who +have contributed code to Wireshark by checking the About dialog box of +Wireshark, or have a look at the {wireshark-authors-url} page on the +Wireshark web site. + +The communication between the developers is usually done through the developer +mailing list, which can be joined by anyone interested in the development +activities. At the time this document was written, more than 500 persons were +subscribed to this mailing list! + +It is strongly recommended to join the developer mailing list, if you are going +to do any Wireshark development. See <<ChIntroMailingLists>> about the different +Wireshark mailing lists available. + +==== Programming Languages Used + +Most of Wireshark is implemented in C. +A notable exception is the code in _ui/qt_, which is written in {cpp}. + +The typical task for a new Wireshark developer is to extend an existing dissector, or write a new dissector for a specific network protocol. +Most dissectors are written in C11, so a good knowledge of C will be sufficient for Wireshark development in almost any case. +Dissectors can also be written in Lua, which might be more suitable for your specific needs. +As noted above, if you’re going to modify Wireshark’s user interface you will need a knowledge of {cpp}. + +Modifying the build system and support tooling might requires knowledge of CMake, Python, PowerShell, Bash, or Perl. +Note that these are required to build Wireshark, but not to run it. +If Wireshark is installed from a binary package, none of these helper tools are needed on the target system. + +==== Open Source Software + +Wireshark is an https://opensource.org/[open source] software (OSS) project, and is released under +the link:{gplv2-url}[GNU General Public License] (GPL). +You can freely use Wireshark on any number of computers you like, without +worrying about license keys or fees or such. In addition, all source +code is freely available under the GPL. Because of that, it is very easy +for people to add new protocols to Wireshark, either as plugins, or built +into the source, and they often do! + +You are welcome to modify Wireshark to suit your own needs, and it would be +appreciated if you contribute your improvements back to the Wireshark community. + +You gain three benefits by contributing your improvements back to the +community: + +* Other people who find your contributions useful will appreciate them, and you + will know that you have helped people in the same way that the developers of + Wireshark have helped you and other people. + +* The developers of Wireshark might improve your changes even more, as there’s + always room for improvement. Or they may implement some advanced things on top + of your code, which can be useful for yourself too. + +* The maintainers and developers of Wireshark will maintain your code as well, + fixing it when API changes or other changes are made, and generally keeping it + in tune with what is happening with Wireshark. So if Wireshark is updated + (which is done often), you can get a new Wireshark version from the website + and your changes will already be included without any effort for you. + + +The Wireshark source code and binary packages for some platforms are all +available on the download page of the Wireshark website: +{wireshark-download-url}. + + +[#ChIntroReleases] + +=== Releases And Distributions + +Official Wireshark releases can be found at {wireshark-download-url}. +Minor releases typically happen every six weeks and typically include bug fixes and security updates. +Major releases happen about once a year and include new features and new protocol support. +Official releases include binary packages for Windows and macOS along with source code. + +[#ChIntroReleaseBinary] + +==== Binary Distributions + +The Wireshark development team would like to make it as easy as possible for people to obtain and use Wireshark. +This means that we need to support the software installation systems that different operating systems provide. +We currently offer the following types of precompiled packages as part of each official release: + +* Windows .exe installer. + This is an executable file that installs Wireshark, and optionally Npcap and USBPcap, created using https://nsis.sourceforge.io/Main_Page[NSIS]. + It is the most popular installation method on Windows. + +* Windows https://portableapps.com/[PortableApps] .paf.exe file. + This is a self-contained package that can be run from anywere, either standalone or under the PortableApps.com Platform. + +* Windows .msi installer. + This installs Wireshark using Microsoft’s https://docs.microsoft.com/en-us/windows/win32/msi/installer-database[Installer Database], created using the https://wixtoolset.org/[WiX toolset]. + It does not yet include Npcap or USBPcap and is somewhat https://gitlab.com/wireshark/wireshark/-/issues/8814[experimental]. + +* macOS .dmg. + This is a disk image which includes a drag-installable Wireshark application bundle along with utility packages for installing ChmodBPF and adding Wireshark to your PATH environment variable. + +Most Linux and UNIX distributions have their own packaging systems which usually include Wireshark. +The Wireshark sources include support for creating the following types of packages: + +* Debian .deb files. + Packaging assets can be found in the _debian_ directory in the Wireshark sources. + +* Red Hat .rpm files. + Packaging assets can be found in the _packaging/rpm_ directory in the Wireshark sources. + +You can also create your own binary packages. See <<ChSrcBinary>> for details. + +[#ChIntroReleaseSource] + +==== The Source Code Distribution + +Wireshark is and will always be https://opensource.org/[open source]. +You’re welcome to download a source tarball, build it, and modify it under the terms of the {gplv2-url}[GPLv2]. +However, it’s usually much easier to use a binary package if you want to get up and running quickly in a production environment. + +Source tarballs are commonly used for building the binary packages for UNIX and UNIX-like platforms. +However, if you are going to modify the Wireshark sources, e.g. to contribute changes back or to develop an in-house version of Wireshark we recommend that you use the latest Git sources. +For details about the different ways to get the Wireshark source code see <<ChSrcObtain>>. + +Before building Wireshark from a source distribution, make sure you have all the tools and libraries required to build. +Later chapters describe the required tools and libraries in detail. + +[#ChIntroAutomated] + +=== Automated Builds (GitLab CI) + +The Wireshark development team uses GitLab’s continuous integration (CI) system to automatically build Wireshark for each Git merge request and commit. +Automated builds provide several useful services: + +* Cross-platform testing. + Inbound merge requests and commits can be tested on each of our supported plaforms, which ensures that a developer on one platform doesn’t break the build on other platforms. + +* A health indicator for the source code. + The CI badges at {wireshark-gitlab-project-url} can quickly tell you how healthy the latest code is. + Green is good, red is bad. + +* Fast code delivery. + After a change is committed to the repository, an installer is usually available within an hour at https://www.wireshark.org/download/automated/. + This can be quite helpful for resolving issues, e.g. a bug reporter can easily verify a bugfix by installing a recent build. + +* Automated regression tests. + We run a comprehensive test suite as part of each build and continuously run fuzz tests that try to crash the dissection engine. + +==== What Do The Automated Builds Do? + +GitLab’s CI operates by running a series of steps and reporting success or failure. +A typical CI job might do the following: + +. Check out Wireshark from the source repository. + +. Build Wireshark. + +. Create a source tarball, binary package, or installer. + +. Run regression tests. + +GitLab’s CI marks successful jobs with a green checkmark and failed jobs with a red “X”. +Jobs provide a link to the corresponding console logfile which provides additional information. + +Release packages are built on the following platforms: + +* Windows Server 2019 x86-64 (Win64, little endian, Visual Studio 2022) + +* Ubuntu 18.04 x86-64 (Linux, little endian, gcc, Clang) + +* macOS 10.14 x86-64 (BSD, little endian, Clang) + +Static code analysis and fuzz tests are run on the following platforms: + +* Visual Studio Code Analysis (Win64, little endian, VS 2022) + +* Clang Code Analysis, Coverity Scan, and fuzz tests (Linux, little endian, Clang) + +Each platform is represented at the status page by a single column, the most recent entries are at the top. + +[#ChIntroHelp] + + +=== Reporting problems and getting help + +If you have problems, or need help with Wireshark, there are several +places that may be of interest to you (well, beside this guide of +course). + +[#ChIntroHomepage] + +==== Website + +You will find lots of useful information on the Wireshark homepage at +{wireshark-main-url}. + +[#ChIntroWiki] + +==== Wiki + +The Wireshark Wiki at {wireshark-wiki-url} provides a wide range +of information related to Wireshark and packet capturing in general. +You will find a lot of information not part of this developer’s guide. For +example, there is an explanation how to capture on a switched network, +an ongoing effort to build a protocol reference and a lot more. + +And best of all, if you would like to contribute your knowledge on a +specific topic (maybe a network protocol you know well), you can edit the +Wiki pages by simply using your webbrowser. + +[#ChIntroFAQ] + + +==== FAQ + +The "Frequently Asked Questions" will list often asked questions and +the corresponding answers. + +Before sending any mail to the mailing lists below, be sure to read the +FAQ, as it will often answer any questions you might have. This will save +yourself and others a lot of time. Keep in mind that a lot of people are +subscribed to the mailing lists. + +You will find the FAQ inside Wireshark by clicking the menu item +Help/Contents and selecting the FAQ page in the upcoming dialog. + +An online version is available at the Wireshark website: +{wireshark-faq-url}. You might prefer this online version as it’s +typically more up to date and the HTML format is easier to use. + +[#ChIntroOtherSources] + +==== Other sources + +If you don't find the information you need inside this book, there are +various other sources of information: + +* The file _doc/README.developer_ and all the other README.xxx files in the + source code. These are various documentation files on different topics + +[NOTE] +.Read the README +==== +_README.developer_ is packed full with all kinds of details relevant +to the developer of Wireshark source code. Its companion file +_README.dissector_ advises you around common +pitfalls, shows you basic layout of dissector code, shows details of the +APIs available to the dissector developer, etc. +==== + +* The Wireshark source code + +* Tool documentation of the various tools used +(e.g. manpages of sed, gcc, etc.) + +* The different mailing lists. See <<ChIntroMailingLists>> + +[#ChIntroQA] + +==== Q&A Site + +The Wireshark Q&A site at {wireshark-qa-url} offers a resource where +questions and answers come together. You have the option to search what +questions were asked before and what answers were given by people who +knew about the issue. Answers are graded, so you can pick out the best +ones easily. If your issue isn't discussed before you can post one +yourself. + +[#ChIntroMailingLists] + +==== Mailing Lists + +There are several mailing lists available on specific Wireshark topics: + +wireshark-announce:: This mailing list will inform you about new program +releases, which usually appear about every 4-8 weeks. + +wireshark-users:: This list is for users of Wireshark. People post +questions about building and using Wireshark, others (hopefully) +provide answers. + +wireshark-dev:: This list is for Wireshark developers. People post questions about +the development of Wireshark, others (hopefully) provide answers. +If you want to start developing a protocol dissector, join this list. + +wireshark-bugs:: This list is for Wireshark developers. Every time a change to the bug +database occurs, a mail to this mailing list is generated. +If you want to be notified about all the changes to the bug +database, join this list. Details about the bug database can be +found in <<ChIntroBugDatabase>>. + +wireshark-commits:: This list is for Wireshark developers. Every time a change to the Git +repository is checked in, a mail to this mailing list is generated. +If you want to be notified about all the changes to the Git +repository, join this list. Details about the Git repository can be +found in <<ChSrcGitRepository>>. + +You can subscribe to each of these lists from the Wireshark web site: +{wireshark-mailing-lists-url}. From there, you can choose which mailing +list you want to subscribe to by clicking on the +Subscribe/Unsubscribe/Options button under the title of the relevant +list. The links to the archives are included on that page as well. + +[TIP] +.The archives are searchable +==== +You can search in the list archives to see if someone previously asked the same +question and maybe already got an answer. That way you don't have to wait until +someone answers your question. +==== + +[#ChIntroBugDatabase] + +==== Bug Database (GitLab Issues) + +The Wireshark community collects bug reports in an issues database at {wireshark-bugs-url}. +This database is filled with manually filed bug reports, usually after some discussion on wireshark-dev, and automatic bug reports from continuous integration jobs. + +[#ChIntroReportProblems] + +==== Reporting Problems + +[NOTE] +.Test with the latest version +==== +Before reporting any problems, please make sure you have installed the +latest version of Wireshark. Reports on older maintenance releases are +usually met with an upgrade request. +==== + +If you report problems, provide as much information as possible. In general, +just think about what you would need to find that problem, if someone else sends +you such a problem report. Also keep in mind that people compile/run Wireshark +on a lot of different platforms. + +When reporting problems with Wireshark, it is helpful if you supply the +following information: + +. The version number of Wireshark and the dependent libraries linked with +it, e.g. Qt, GLib, etc. You can obtain this with the command +`wireshark -v`. + +. Information about the platform you run Wireshark on. + +. A detailed description of your problem. + +. If you get an error/warning message, copy the text of that message (and +also a few lines before and after it, if there are some), so others may +find the build step where things go wrong. +Please don't give something like: "I get a warning when compiling x" +as this won't give any direction to look at. + +[NOTE] +.Don't send large files +==== +Do not send large files (>100KB) to the mailing lists, just place a note +that further data is available on request. Large files will only annoy a +lot of people on the list who are not interested in your specific problem. +If required, you will be asked for further data by the persons who really +can help you. +==== + +[WARNING] +.Don't send confidential information +==== +If you send captured data to the mailing lists, or add it to your bug report, +be sure it doesn't contain any sensitive or confidential information, +such as passwords. Visibility of such files can be limited to certain +groups in the GitLab Issues database by marking the issue confidential. +==== + +==== Reporting Crashes on UNIX-like platforms + +When reporting crashes with Wireshark, it is helpful if you supply the +traceback information (besides the information mentioned in +<<ChIntroReportProblems>>). + +You can obtain this traceback information with the following commands: + +---- +$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt +backtrace +^D +$ +---- + +[NOTE] +.Using GDB +==== +Type the characters in the first line verbatim. Those are +back-tics there. + +`backtrace` is a `gdb` command. You should +enter it verbatim after the first line shown above, but it will not be +echoed. The ^D +(Control-D, that is, press the Control key and the D key +together) will cause `gdb` to exit. This will +leave you with a file called +_bt.txt_ in the current directory. +Include the file with your bug report. + +If you do not have `gdb` available, you +will have to check out your operating system’s debugger. +==== + +You should mail the traceback to mailto:{wireshark-dev-list-email}[] or attach it +to your bug report. + +==== Reporting Crashes on Windows platforms + +You can download Windows debugging symbol files (.pdb) from the following locations: + +* 64-bit Windows: https://www.wireshark.org/download/win64/all-versions/ + +Files are named "Wireshark-pdb-win__bits__-_x_._y_._z_.zip" to match their +corresponding "Wireshark-win__bits__-_x_._y_._z_.exe" installer packages. + +// XXX Show how to use the Visual Studio debugger + +// End of WSDG Chapter Introduction diff --git a/docbook/wsdg_src/wsdg_libraries.adoc b/docbook/wsdg_src/wsdg_libraries.adoc new file mode 100644 index 0000000..d0f5f1d --- /dev/null +++ b/docbook/wsdg_src/wsdg_libraries.adoc @@ -0,0 +1,349 @@ +// WSDG Chapter Libraries + +[#ChapterLibraries] + +== Library Reference + +[#ChLibIntro] + +=== Introduction + +Like most applications, Wireshark depends on libraries provided by your operating system and by third parties, including the C runtime library, GLib, libpcap, and Qt. +While running Wireshark only requires the libraries themselves, building it requires header files, import libraries, and related resources. + +Binary libraries are available in different formats and are specific to the target operating system, platform, and compiler. +They can be compiled by hand, but are most often installed as pre-built packages. + +On most Linux systems, the required binary and development libraries can be installed using your package manager. +We provide setup scripts that will install the required packages for most distributions. +See <<ChSetupUNIXBuildEnvironmentSetup>> for details. + +On macOS, you can install pre-built packages using a third party package manager such as Homebrew or MacPorts. +As with Linux, we provide `tools/macos-setup-brew.sh`, which will install the required Homebrew packages. +We also provide `tools/macos-setup.sh`, which will download, build, and install required packages. + +Windows doesn't have a good library package manager at the present time, so we provide our own pre-built libraries. +They can be installed using `tools/win-setup.ps1` and are automatically installed when you run CMake. +With the exception of Qt, all libraries required to build Wireshark on Windows are available for download at +https://dev-libs.wireshark.org/windows/[]. +See <<ChLibsSetup>> for details. + +[#ChLibsSetup] + +=== Windows Automated Library Download + +The required libraries (apart from Qt) are automatically downloaded as part of +the CMake generation step, and subsequently as required when libraries are updated. + +The libraries are downloaded into the directory indicated by the environment +variable WIRESHARK_BASE_DIR, this must be set appropriately for your environment. +The libraries are downloaded and extracted into WIRESHARK_BASE_DIR\wireshark-x64-libs or WIRESHARK_BASE_DIR\wireshark-arm64-libs depending on your target platform. + +You may also set the library directory to a custom value with the environment variable WIRESHARK_LIB_DIR, but you may run into problems if you switch between major versions or target platforms. + +[#ChLibsQt] + +=== Qt + +The Qt library is used to build the UI for Wireshark and is used to provide a platform independent UI. +Wireshark can be built with Qt 5.12 or later, but looks for Qt 6 as the default version. + +To enable builds with Qt 5.x, the command-line option `-DUSE_qt6=OFF` has to be set for cmake. + +For more information on the Qt libraries, see <<ChUIQt>>. + +[#ChLibsUnixQt] + +[discrete] +==== Unix + +Most Linux distributions provide Qt and its development libraries as standard packages. +The required libraries and tools will likely be split across several packages. For example, +building on Ubuntu requires _qt6-tools-dev_, _qt6-tools-dev-tools_, _libqt6svg6-dev_, +_qt6-multimedia-dev_, and possibly others. + +The Qt Project provides an installation tool for macOS, similar to Windows. +It is available at https://www.qt.io/download-open-source/#section-2[]. + +[#ChLibsWindowsQt] + +[discrete] +==== Windows + +Qt 6 must be installed manually from the Qt installers page https://www.qt.io/download-open-source/#section-2[] using the version of Qt appropriate for your compiler. + +The CMake variable CMAKE_PREFIX_PATH (see `https://doc.qt.io/qt-6/cmake-get-started.html`) should be set to your Qt installation directory, e.g. _C:\Qt{backslash}{qt6-lts-version}\msvc2019_64_. +Alternatively you can also use the environment variable WIRESHARK_QT6_PREFIX_PATH. + +[#ChLibsGLib] + +=== GLib And Supporting Libraries + +The GLib library is used as a basic platform abstraction library and can +be used in both CLI and GUI applications. For a detailed description +about GLib see <<ChCodeGLib>>. + +GLib depends on GNU libiconv, GNU gettext, and other libraries. You will +typically not come into contact with these while doing Wireshark +development. Wireshark's build system check for and require both GLib +and its dependencies. + +[#ChLibsUnixGLib] + +[discrete] +==== Unix + +The GLib library is available for most Linux distributions and UNIX +flavors. If it isn't already installed and isn't available as a package +for your platform, you can get it at https://wiki.gnome.org/Projects/GLib[]. + +[#ChLibsWindowsGLib] + +[discrete] +==== Windows + +GLib is part of our vcpkg-export bundles and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsCares] + +=== c-ares + +C-Ares is used for asynchronous DNS resolution and lets us resolve names with a minimal performance impact. + +[#ChLibsUnixCares] + +[discrete] +==== Unix + +If this library isn't already installed or available as a package for your +platform, you can get it at https://c-ares.org/[]. + +[#ChLibsWindowsCares] + +[discrete] +==== Windows + +C-Ares is built using {vcpkg-main-url}[vcpkg] and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsSMI] + +=== SMI (Optional) + +LibSMI is used for MIB and PIB parsing and for OID resolution. + +[#ChLibsUnixSMI] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://www.ibr.cs.tu-bs.de/projects/libsmi/[]. + +[#ChLibsWindowsSMI] + +[discrete] +==== Windows + +Wireshark uses the source libSMI distribution at +https://www.ibr.cs.tu-bs.de/projects/libsmi/[]. +LibSMI is cross-compiled using MinGW32. +It’s stored in the libsmi zip archives at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsZlib] + +=== zlib (Optional) + +[quote, The zlib web site, https://www.zlib.net/] +____ +zlib is designed to be a +https://www.zlib.net/zlib_license.html[free], +general-purpose, legally unencumbered -- that is, not covered by any +patents -- lossless data-compression library for use on virtually any computer +hardware and operating system. +____ + +[#ChLibsUnixZlib] + +[discrete] +==== Unix + +This library is almost certain to be installed on your system. If it isn't or +you don't want to use the default library you can download it from +https://www.zlib.net/[]. + +[#ChLibsWindowsZlib] + +[discrete] +==== Windows + +zlib is part of our vcpkg-export bundles and is available at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsPcap] + +=== libpcap or Npcap (Optional, But Strongly Recommended) + +Libpcap and Npcap provide the packet capture capabilities that are central +to Wireshark’s core functionality. + +[#ChLibsLibpcap] + +[discrete] +==== Unix: libpcap + +If this library isn't already installed or available as a package for your +platform, you can get it at {tcpdump-main-url}. + +[#ChLibsWinpPcap] + +[discrete] +==== Windows: Npcap + +The Windows build environment compiles and links against a libpcap SDK built using {vcpkg-main-url}[vcpkg] and includes the {npcap-main-url}[Npcap packet capture driver] with the .exe installer. +Both are <<ChLibsSetup,automatically downloaded by CMake>>. + +You can download the Npcap Windows packet capture library manually from +{npcap-main-url}. + +[WARNING] +.Npcap has its own license with its own restrictions +==== +Insecure.Com LLC, aka “The Nmap Project” has granted the Wireshark +Foundation the right to include Npcap with the installers that we +distribute from wireshark.org. If you wish to distribute your own +Wireshark installer or any other package that includes Npcap you must +comply with the {npcap-license-url}[Npcap license] and may be required +to purchase a redistribution license. Please see {npcap-main-url} for +more details. +==== + +[#ChLibsGNUTLS] + +=== GnuTLS (Optional) + +The GNU Transport Layer Security Library is used to enable TLS decryption +using an RSA private key. + +[#ChLibsUnixGNUTLS] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://gnutls.org/[]. + +[#ChLibsWindowsGNUTLS] + +[discrete] +==== Windows + +We provide packages cross-compiled using MinGW32 at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsGcrypt] + +=== Gcrypt + +The Gcrypt Library is a low-level cryptographic library that provides +support for many ciphers and message authentication codes, such as DES, 3DES, +AES, Blowfish, SHA-1, SHA-256, and others. + +[#ChLibsUnixGcrypt] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://directory.fsf.org/wiki/Libgcrypt[]. + +[#ChLibsWindowsGcrypt] + +[discrete] +==== Windows + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsKerberos] + +=== Kerberos (Optional) + +The Kerberos library is used to dissect Kerberos, sealed DCERPC and +secure LDAP protocols. + +[#ChLibsUnixKerberos] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://web.mit.edu/Kerberos/dist/[]. + +[#ChLibsWindowsKerberos] + +[discrete] +==== Windows + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsLua] + +=== Lua (Optional) + +The Lua library is used to add scripting support to Wireshark. + +[#ChLibsUnixLua] + +[discrete] +==== Unix + +If this library isn't already installed or available as a +package for your platform, you can get it at +https://www.lua.org/download.html[]. + +[#ChLibsWindowsLua] + +[discrete] +==== Windows + +We provide copies of the official packages at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsMaxMindDB] + +=== MaxMindDB (Optional) + +MaxMind Inc. publishes a set of IP geolocation databases and related +open source libraries. They can be used to map IP addresses to +geographical locations and other information. + +If libmaxminddb library isn't already installed or available as a +package for your platform, you can get it at +https://github.com/maxmind/libmaxminddb[]. + +We provide packages for Windows at +https://dev-libs.wireshark.org/windows/packages/[]. + +[#ChLibsSparkle] + +=== WinSparkle (Optional) + +WinSparkle is an easy-to-use software update library for Windows developers. + +[#ChLibsWinSparkle] + +[discrete] +==== Windows + +We provide copies of the WinSparkle package at +https://dev-libs.wireshark.org/windows/packages/[]. + +// End of WSDG Chapter Libraries diff --git a/docbook/wsdg_src/wsdg_lua_support.adoc b/docbook/wsdg_src/wsdg_lua_support.adoc new file mode 100644 index 0000000..8f7314b --- /dev/null +++ b/docbook/wsdg_src/wsdg_lua_support.adoc @@ -0,0 +1,276 @@ +[#wsluarm] + +// Attributes +:build_dir: .. + +== Lua Support in Wireshark + +[#wsluarm_intro] + +=== Introduction + +Lua is a powerful light-weight programming language designed for extending +applications. Wireshark contains an embedded Lua 5.2 interpreter which +can be used to write dissectors, taps, and capture file readers +and writers. + +If Lua is enabled, Wireshark will first try to load a file named `init.lua` +from the global link:{wireshark-users-guide-url}ChPluginFolders.html[_plugins directory_]. +and then from the user’s +link:{wireshark-users-guide-url}ChAppFilesConfigurationSection.html[_personal plugins directory_]. +Then all files ending with _.lua_ are loaded from the global plugins +directory. Then all files ending with _.lua_ in the personal Lua plugin's +directory. + +Whether or not Lua scripts are enabled can be controlled via the +_$$enable_lua$$_ variable. Lua scripts are enabled by +default. To disable Lua scripts, set the _$$enable_lua$$_ variable to _false_. +Wireshark 2.6 and earlier enabled or disabled Lua scripts using +the variable _$$disable_lua$$_ (deprecated). If both _$$enable_lua$$_ and +_$$disable_lua$$_ are present, _$$disable_lua$$_ is ignored. + +.Example for init.lua +[source,lua] +---- +-- Set enable_lua to false to disable Lua support. +enable_lua = true + +if not enable_lua then + return +end + +-- If false and Wireshark was started as (setuid) root, then the user +-- will not be able to execute custom Lua scripts from the personal +-- configuration directory, the -Xlua_script command line option or +-- the Lua Evaluate menu option in the GUI. +-- Note: Not checked on Windows. running_superuser is always false. +run_user_scripts_when_superuser = true +---- + +The command line option _$$-X lua_script:$$++file.lua++_ can also be used to load +specific Lua scripts. + +The Lua code is executed after all protocol dissectors are +initialized and before reading any file. + +Wireshark for Windows uses a modified Lua runtime +(link:https://github.com/Lekensteyn/lua-unicode[lua-unicode]) to +support Unicode (UTF-8) filesystem paths. This brings consistency with other +platforms (for example, Linux and macOS). + +[#wslua_menu_example] + +=== Example: Creating a Menu with Lua + +The code below adds a menu "Lua Dialog Test" under the Tools menu. +When selected, it opens a dialog prompting the user for input +and then opens a text window with the output. + +[source,lua] +---- + +-- Define the menu entry's callback +local function dialog_menu() + local function dialog_func(person,eyes,hair) + local window = TextWindow.new("Person Info"); + local message = string.format("Person %s with %s eyes and %s hair.", person, eyes, hair); + window:set(message); + end + + new_dialog("Dialog Test",dialog_func,"A Person","Eyes","Hair") +end + +-- Create the menu entry +register_menu("Lua Dialog Test",dialog_menu,MENU_TOOLS_UNSORTED) + +-- Notify the user that the menu was created +if gui_enabled() then + local splash = TextWindow.new("Hello!"); + splash:set("Wireshark has been enhanced with a useless feature.\n") + splash:append("Go to 'Tools->Lua Dialog Test' and check it out!") +end + +---- + +[#wslua_dissector_example] + +=== Example: Dissector written in Lua + +[source,lua] +---- +local p_multi = Proto("multi", "MultiProto"); + +local vs_protos = { + [2] = "mtp2", + [3] = "mtp3", + [4] = "alcap", + [5] = "h248", + [6] = "ranap", + [7] = "rnsap", + [8] = "nbap" +} + +local f_proto = ProtoField.uint8("multi.protocol", "Protocol", base.DEC, vs_protos) +local f_dir = ProtoField.uint8("multi.direction", "Direction", base.DEC, { [1] = "incoming", [0] = "outgoing"}) +local f_text = ProtoField.string("multi.text", "Text") + +p_multi.fields = { f_proto, f_dir, f_text } + +local data_dis = Dissector.get("data") + +local protos = { + [2] = Dissector.get("mtp2"), + [3] = Dissector.get("mtp3"), + [4] = Dissector.get("alcap"), + [5] = Dissector.get("h248"), + [6] = Dissector.get("ranap"), + [7] = Dissector.get("rnsap"), + [8] = Dissector.get("nbap"), + [9] = Dissector.get("rrc"), + [10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua + [11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp +} + +function p_multi.dissector(buf, pkt, tree) + + local subtree = tree:add(p_multi, buf(0,2)) + subtree:add(f_proto, buf(0,1)) + subtree:add(f_dir, buf(1,1)) + + local proto_id = buf(0,1):uint() + + local dissector = protos[proto_id] + + if dissector ~= nil then + -- Dissector was found, invoke subdissector with a new Tvb, + -- created from the current buffer (skipping first two bytes). + dissector:call(buf(2):tvb(), pkt, tree) + elseif proto_id < 2 then + subtree:add(f_text, buf(2)) + -- pkt.cols.info:set(buf(2, buf:len() - 3):string()) + else + -- fallback dissector that just shows the raw data. + data_dis:call(buf(2):tvb(), pkt, tree) + end + +end + +local wtap_encap_table = DissectorTable.get("wtap_encap") +local udp_encap_table = DissectorTable.get("udp.port") + +wtap_encap_table:add(wtap.USER15, p_multi) +wtap_encap_table:add(wtap.USER12, p_multi) +udp_encap_table:add(7555, p_multi) +---- + +[#wslua_tap_example] + +=== Example: Listener written in Lua + +[source,lua] +---- +-- This program will register a menu that will open a window with a count of occurrences +-- of every address in the capture + +local function menuable_tap() + -- Declare the window we will use + local tw = TextWindow.new("Address Counter") + + -- This will contain a hash of counters of appearances of a certain address + local ips = {} + + -- this is our tap + local tap = Listener.new(); + + local function remove() + -- this way we remove the listener that otherwise will remain running indefinitely + tap:remove(); + end + + -- we tell the window to call the remove() function when closed + tw:set_atclose(remove) + + -- this function will be called once for each packet + function tap.packet(pinfo,tvb) + local src = ips[tostring(pinfo.src)] or 0 + local dst = ips[tostring(pinfo.dst)] or 0 + + ips[tostring(pinfo.src)] = src + 1 + ips[tostring(pinfo.dst)] = dst + 1 + end + + -- this function will be called once every few seconds to update our window + function tap.draw(t) + tw:clear() + for ip,num in pairs(ips) do + tw:append(ip .. "\t" .. num .. "\n"); + end + end + + -- this function will be called whenever a reset is needed + -- e.g. when reloading the capture file + function tap.reset() + tw:clear() + ips = {} + end + + -- Ensure that all existing packets are processed. + retap_packets() +end + +-- using this function we register our function +-- to be called when the user selects the Tools->Test->Packets menu +register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED) +---- + +[#wsluarm_modules] + +== Wireshark’s Lua API Reference Manual + +This Part of the User Guide describes the Wireshark specific functions in the embedded Lua. + +Classes group certain functionality, the following notational conventions are +used: + +* _Class.function()_ represents a class method (named _function_) on class + _Class_, taking no arguments. + +* _Class.function(a)_ represents a class method taking one argument. + +* _Class.function(...)_ represents a class method taking a variable number of + arguments. + +* _class:method()_ represents an instance method (named _method_) on an instance + of class _Class_, taking no arguments. Note the lowercase notation in the + documentation to clarify an instance. + +* _class.prop_ represents a property _prop_ on the instance of class _Class_. + +Trying to access a non-existing property, function or method currently gives an +error, but do not rely on it as the behavior may change in the future. + + +include::{build_dir}/wsluarm_src/wslua_utility.adoc[] +include::{build_dir}/wsluarm_src/wslua_gui.adoc[] +include::{build_dir}/wsluarm_src/wslua_proto.adoc[] +include::{build_dir}/wsluarm_src/wslua_field.adoc[] +include::{build_dir}/wsluarm_src/wslua_pinfo.adoc[] +include::{build_dir}/wsluarm_src/wslua_tvb.adoc[] +include::{build_dir}/wsluarm_src/wslua_tree.adoc[] +include::{build_dir}/wsluarm_src/wslua_listener.adoc[] +include::{build_dir}/wsluarm_src/wslua_dumper.adoc[] +include::{build_dir}/wsluarm_src/wslua_wtap.adoc[] +include::{build_dir}/wsluarm_src/wslua_file.adoc[] +include::{build_dir}/wsluarm_src/wslua_dir.adoc[] +include::{build_dir}/wsluarm_src/wslua_int64.adoc[] +include::{build_dir}/wsluarm_src/wslua_struct.adoc[] + +[#lua_module_PCRE2] + +=== PCRE2 Regular Expressions + +Lua has its own native _pattern_ syntax in the string library, but sometimes a +real regex engine is more useful. Wireshark comes with Perl Compatible Regular +Expressions version 2 (PCRE2). This engine is exposed into Wireshark’s Lua engine through the +well-known Lrexlib library. The module is loaded in the global environment using +the "rex_pcre2" table. The manual is available at https://rrthomas.github.io/lrexlib/manual.html. diff --git a/docbook/wsdg_src/wsdg_preface.adoc b/docbook/wsdg_src/wsdg_preface.adoc new file mode 100644 index 0000000..6b20969 --- /dev/null +++ b/docbook/wsdg_src/wsdg_preface.adoc @@ -0,0 +1,84 @@ +[#Preface] +["preface",id="Preface"] +== Preface + +[#PreForeword] + +=== Foreword + +This book tries to give you a guide to start your own experiments into +the wonderful world of Wireshark development. + +Developers who are new to Wireshark often have a hard time getting their development environment up and running. +This is especially true for Windows developers, as a lot of the tools and methods used when building Wireshark are much more common in the UNIX world than on Windows. + +The first part of this book will describe how to set up the environment +needed to develop Wireshark. + +The second part of this book will describe how to change the Wireshark +source code. + +We hope that you find this book useful, and look forward to your comments. + +[#PreAudience] + +=== Who should read this document? + +The intended audience of this book is anyone going into the development of +Wireshark. + +This book is not intended to explain the usage of Wireshark in general. +Please refer the +{wireshark-users-guide-url}[Wireshark User’s Guide] about Wireshark usage. + +By reading this book, you will learn how to develop Wireshark. It will +hopefully guide you around some common problems that frequently appear for +new (and sometimes even advanced) developers of Wireshark. + +[#PreAck] + +=== Acknowledgements + +The authors would like to thank the whole Wireshark team for their +assistance. In particular, the authors would like to thank: + +* Gerald Combs, for initiating the Wireshark project. + +* Guy Harris, for many helpful hints and his effort in maintaining +the various contributions on the mailing lists. + +* Frank Singleton from whose `README.idl2wrs` <<ChDissectIdl2wrs>> is derived. + +The authors would also like to thank the following people for their +helpful feedback on this document: + +* XXX - Please give feedback :-) + +And of course a big thank you to the many, many contributors of the +Wireshark development community! + +[#PreAbout] + +=== About this document + +This book was developed by mailto:{wsdg-author-email}[Ulf Lamping], +updated for VS2013 by mailto:{wsdg-author-email2}[Graham Bloice], +and updated for later versions of Visual Studio by various contributors. + +It is written in AsciiDoc. + +[#PreDownload] + +=== Where to get the latest copy of this document? + +The latest copy of this documentation can always be found at +{wireshark-developers-guide-url}. + +[#PreFeedback] + +=== Providing feedback about this document + +Should you have any feedback about this document, please send it to the +authors through mailto:{wireshark-dev-list-email}[]. + + diff --git a/docbook/wsdg_src/wsdg_quick_setup.adoc b/docbook/wsdg_src/wsdg_quick_setup.adoc new file mode 100644 index 0000000..15458be --- /dev/null +++ b/docbook/wsdg_src/wsdg_quick_setup.adoc @@ -0,0 +1,965 @@ +// WSDG Chapter Setup + +[#ChapterSetup] + +== Setup and Build Instructions + +[#ChSetupUNIX] + +=== UN*X + +[#ChSetupUNIXBuildEnvironmentSetup] + +==== Build environment setup + +The following must be installed in order to build Wireshark: + +* a C compiler and a C++ compiler; +* the Flex lexical analyzer; +* Python 3; +* CMake; +* several required libraries. + +Either make or Ninja can be used to build Wireshark; at least one of +those must be installed. + +To build the manual pages, Developer's Guide and User's Guide, Asciidoctor, Xsltproc, and DocBook must be installed. + +Perl is required to generate some code and run some code analysis checks. + +Some features of Wireshark require additional libraries to be installed. +The processes for doing so on various UN*X families is shown here. + +There are shell scripts in the `tools` directory to install the packages +and libraries required to build Wireshark. Usage is available with the +`--help` option. `root` permission is required to run the scripts. +The available scripts and their options for a given family of UN*Xes are +shown in the section for that family. + +[discrete] +==== Alpine Linux + +The setup script is `tools/alpine-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-all` install everything +* `[other]` other options are passed as-is to apk + +[discrete] +==== Arch Linux and pacman-based systems + +The setup script is `tools/arch-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-test-deps` install packages required to run all tests +* `--install-all` install everything +* `[other]` other options are passed as-is to pacman + +[discrete] +==== BSD systems such as FreeBSD, NetBSD, OpenBSD, and DragonFly BSD + +The setup script is `tools/bsd-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `[other]` other options are passed as-is to pkg manager + +[discrete] +==== Debian, and Linux distributions based on Debian, such as Ubuntu + +The setup script is `tools/debian-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-deb-deps` install packages required to build the .deb file +* `--install-test-deps` install packages required to run all tests +* `--install-qt5-deps` force installation of packages required to use Qt5 +* `--install-qt6-deps` force installation of packages required to use Qt6 +* `--install-all` install everything +* `[other]` other options are passed as-is to apt + +[discrete] +==== RPM-based Linux distributions such as Red Hat, Centos, Fedora, and openSUSE + + +The setup script is `tools/rpm-setup.sh`; its options are: + +* `--install-optional` install optional software as well +* `--install-rpm-deps` install packages required to build the .rpm file +* `--install-qt5-deps` force installation of packages required to use Qt5 +* `--install-qt6-deps` force installation of packages required to use Qt6 +* `--install-all` install everything +* `[other]` other options are passed as-is to the packet manager + +[discrete] +==== macOS + +You must first install Xcode. + +After installing Xcode, the setup script `tools/macos-setup.sh` will +install the rest of the tools and libraries required to build Wireshark, +except for Qt 6, as well as the additional tools required to build the +documentation and the libraries required for all Wireshark features. If +you're using Homebrew, the script `tools/macos-setup-brew.sh` will +install the same tools and libraries from Homebrew. + +If you will be building Wireshark with Qt 6, which is the default for +Wireshark 4.0 and later, you will also have to install Qt; the +`tools/macos-setup.sh` script will not install Qt 6. To install +Qt, go to the https://www.qt.io/download-qt-installer-oss[Download Qt +for open source use page], select “macOS” if it's not already selected, +and then select “Qt online installer for macOS“. This will download a +.dmg for the installer; launch the installer. It will require that you +log into your Qt account; if you don't have an account, select “Sign up“ +to create one. The next page will require you to accept the LGPL (Lesser +GNU Public License); do so. Continue to the “Installation Folder“ page +of the installer screen, and select the “Custom installation“ option. +On the “Select Components“ screen of the installer, select, for the +desired Qt version, the “macOS” component. For example, at the time of +this writing the Qt {qt6-lts-version} “macOS” component is used to build +the official packages. The “Qt Debug Information Files” component +contains dSYM files which can be used for debugging. You can deselect +all of the other the components such as “Qt Charts” or “Android xxxx” +as they aren’t required. + +Qt 6 needs the "Qt 5 Compatibility Module" to be installed as well. Additionally, the module +"Qt Multimedia" may be installed, to support advanced controls for playing back streams in the +RTP Player dialog. + +[#ChSetupUNIXBuild] + +==== Building + +Before building: + +On macOS, you will need to set the Qt installation directory in the +environment: + +[subs="attributes+"] +---- +WIRESHARK_QT6_PREFIX_PATH=~/Qt/{qt6-lts-version}/macos +export WIRESHARK_QT6_PREFIX_PATH +---- + +If you want to append a custom string to the package version, run the +command + +[subs="attributes+"] +---- +WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo +export WIRESHARK_VERSION_EXTRA +---- + +The recommended (and fastest) way to build Wireshark is with CMake +and Ninja. Building with make took nearly 2x time as Ninja in one +experiment. + +CMake builds are best done in a separate build directory, such as a +`build` subdirectory of the top-level source directory. + +If that directory is a subdirectory of the top-level source directory, +to generate the build files, change to the build directory and enter the +following command: + +---- +cmake .. +---- + +to use make as the build tool or + +---- +cmake -G Ninja .. +---- + +to use Ninja as the build tool. + +If you created the build directory in the +same directory that contains the top-level Wireshark source directory, +to generate the build files, change to the build directory and enter the +following command: + +---- +cmake ../{source directory} +---- + +to use make as the build tool or + +---- +cmake -G Ninja ../{source directory} +---- + +to use Ninja as the build tool. + +`{source directory}` is the name of the +top-level Wireshark source directory. + +If you need to build with a non-standard configuration, you can run + +[source,sh] +---- +cmake -LH ../{source directory} +---- + +to see what options you have. + +You can then run Ninja or make to build Wireshark. + +---- +ninja +# or +make +---- + +Once you have build Wireshark with `ninja` or `make` above, you should be able to test it +by entering `run/wireshark`. + +==== Optional: Install + +Install Wireshark in its final destination: + +---- +make install +---- + +Once you have installed Wireshark with `make install` above, you should be able +to run it by entering `wireshark`. + +==== Optional: Create User’s and Developer’s Guide + +To build the Wireshark User's Guide and the Wireshark Developer's Guide, +build the `all_guides` target, e.g. `make all_guides` or `ninja +all_guides`. Detailed information to build these guides can be found in +the file _docbook/README.adoc_ in the Wireshark sources. + +==== Optional: Create an installable or source code package + +You can create packages using the following build targets and commands: + +Source code tarball:: + Build the `dist` target. + +deb (Debian) package:: + Create a symlink in the top-level source directory to _packaging/debian_, then run `dpkg-buildpackage`. + +RPM package:: + Build the `wireshark_rpm` target. + +https://appimage.org[AppImage] package:: + Build the `wireshark_appimage` target. + +macOS .dmg package containing an application bundle:: + Build the `wireshark_dmg` or `logray_dmg` targets. + +Installable packages typically require building Wireshark first. + +==== Troubleshooting during the build and install on Unix + +A number of errors can occur during the build and installation process. +Some hints on solving these are provided here. + +If the `cmake` stage fails you will need to find out why. You can check the +file `CMakeOutput.log` and `CMakeError.log` in the build directory to find +out what failed. The last few lines of this file should help in determining the +problem. + +The standard problems are that you do not have a required development package on +your system or that the development package isn’t new enough. Note that +installing a library package isn’t enough. You need to install its development +package as well. + +If you cannot determine what the problems are, send an email to the +_wireshark-dev_ mailing list explaining your problem. Include the output from +`cmake` and anything else you think is relevant such as a trace of the +`make` stage. + + +// Retain ChSetupWin32 for backward compatibility +[#ChSetupWindows] +=== Windows: Using Microsoft Visual Studio[[ChSetupWin32]] + +A quick setup guide for Windows development with recommended configurations. + +[WARNING] +==== +Unless you know exactly what you are doing, you +should strictly follow the recommendations below. They are known to work +and if the build breaks, please re-read this guide carefully. + +Known traps are: + +. Not using the correct (x64 or x86) version of the Visual Studio command prompt. + +. Not using a supported version of Windows. Please check + https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet[here] + that your installed version is supported and updated. + +==== + +[#ChSetupChocolatey] + +==== Recommended: Install Chocolatey + +https://chocolatey.org/[Chocolatey] is a native package manager for +Windows. There are https://chocolatey.org/packages[packages] for most of +the software listed below. Along with traditional Windows packages it +supports the Python Package Index. + +Chocolatey tends to install packages into its own path (%ChocolateyInstall%), although packages are free to use their own preferences. +You can install Chocolatey packages using the command `choco install` (or its shorthand, `cinst`), e.g. + +[source,cmd] +---- +rem Flex is required. +choco install -y winflexbison3 +rem Git, CMake, Python, etc are also required, but can be installed +rem via their respective installation packages. +choco install -y git cmake python3 +---- + + +[#ChSetupMSVC] + +==== Install Microsoft Visual Studio + +Download and install https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=17[“Microsoft Visual Studio 2022 Community Edition”]. +If you prefer you can instead download and install https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=16[“Microsoft Visual Studio 2019 Community Edition”]. +The examples below are for Visual Studio 2022 but can be adapted for Visual Studio 2019. +These are small utilities that download all the other required parts (which are quite large). + +Check the checkbox for “Desktop development with {cpp}” and then uncheck +all the optional components other than + +* “MSVC ... VS 2022 {cpp}” item with the “... build tools (Latest)” +* “Windows 11 SDK” +* “{cpp} CMake tools for Windows" + +(unless you want to use them for purposes other than Wireshark). + +You can alternatively use Chocolatey to install Visual Studio, using the Visual Studio Community and Native Desktop workload packages. +Note that this includes Visual Studio’s CMake component. + +---- +choco install -y visualstudio2022community visualstudio2022-workload-nativedesktop +---- + +// winget has basic VS 2022 and 2019 packages, but no native desktop workload packages. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/m/Microsoft/VisualStudio + +You can use other Microsoft C compiler variants, but VS2022 is used to +build the development releases and is the preferred option. It’s +possible to compile Wireshark with a wide range of Microsoft C compiler +variants. For details see <<ChToolsMSChain>>. + +You may have to do this as Administrator. + +Compiling with gcc or Clang is not recommended and will +certainly not work (at least not without a lot of advanced +tweaking). For further details on this topic, see +<<ChToolsGNUChain>>. This may change in future as releases +of Visual Studio add more cross-platform support. + +// XXX - mention the compiler and PSDK web installers - +// which significantly reduce download size - and find out the +// required components + +Why is this recommended? +While this is a huge download, the Community Editions of Visual Studio are free (as in beer) and include the Visual Studio integrated debugger. +Visual Studio 2022 is also used to create official Wireshark builds, so it will likely have fewer development-related problems. + +[#ChSetupQt] + +==== Install Qt + +The main Wireshark application uses the Qt windowing toolkit. To install +Qt, go to the https://www.qt.io/download[“Download Qt” page], select +"Download open source", then "Download Qt Online Installer", and download +"*Qt Online Installer for Windows*". When executing it, sign up or log in, +and use Next button to proceed. When asked, select "*Custom installation*". + +In the "Select Components" page, select your desired Qt version. We recommend +the latest LTS version, and the stable Windows installers currently ship with Qt {qt6-lts-version}. +Select the following components: + +* MSVC 2019 64-bit +* Qt 5 Compatibility Module +* Qt Debug Information Files (contains PDB files which can be used for debugging) +* Under "Additional Libraries" select "Qt Multimedia" to support advanced +controls for playing back streams in the RTP Player dialog +* You can deselect all of the other the components +such as “Qt Charts” or “Android xxxx” as they aren’t required. + +The CMake variable CMAKE_PREFIX_PATH (see `https://doc.qt.io/qt-6/cmake-get-started.html`) should be set as appropriate for your environment and should point to the Qt installation directory, e.g. _C:\Qt{backslash}{qt6-lts-version}\msvc2019_64_ +Alternatively you can also use the environment variable WIRESHARK_QT6_PREFIX_PATH. + +Qt 6 is the default option for building Wireshark, but Wireshark has support for Qt 5.12 and later. To enable Wireshark to build with Qt 5 pass `-DUSE_qt6=OFF` +to cmake. + +[#ChSetupPython] + +==== Install Python + +Get a Python 3 installer from https://python.org/download/[] and install Python. +Its installation location varies depending on the options selected in the installer and on the version of Python that you are installing. +At the time of this writing the latest version of Python is 3.10, and common installation directories are +_C:\Users{backslash}**username**\AppData\Local\Programs\Python\Python310_, _C:\Program Files\Python310_, and _C:\Python310_. + +Alternatively you can install Python using Chocolatey: + +---- +choco install -y python3 +---- + +// Not sure how to document Chocolatey's installation location other than "could be anywhere, LOL" +// https://community.chocolatey.org/packages/python3/#discussion +Chocolatey will likely install Python in one of the locations above, or possibly in _C:\Tools\Python3_. + +// winget has Python 3 packages. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/p/Python/Python/3 + +[#ChSetupGit] + +==== Install Git + +Please note that the following is not required to build Wireshark but can be +quite helpful when working with the sources. + +Working with the Git source repositories is highly recommended, as described in +<<ChSrcObtain>>. It is much easier to update a personal source tree (local repository) with Git +rather than downloading a zip file and merging new sources into a personal +source tree by hand. It also makes first-time setup easy and enables the +Wireshark build process to determine your current source code revision. + +There are several ways in which Git can be installed. Most packages are +available at the URLs below or via https://chocolatey.org/[Chocolatey]. +Note that many of the GUI interfaces depend on the command line version. + +If installing the Windows version of git select the +_Use Git from the Windows Command Prompt_ (in chocolatey the _/GitOnlyOnPath_ +option). Do *not* select the _Use Git and optional Unix tools from the Windows Command Prompt_ +option (in chocolatey the _/GitAndUnixToolsOnPath_ option). + +===== The Official Windows Installer + +The official command-line installer is available at https://git-scm.com/download/win. + +===== Git Extensions + +Git Extensions is a native Windows graphical Git client for +Windows. You can download the installer from +https://github.com/gitextensions/gitextensions/releases/latest. + +===== TortoiseGit + +TortoiseGit is a native Windows graphical Git +similar to TortoiseSVN. You can download the installer from +https://tortoisegit.org/download/. + +===== Command Line client via Chocolatey + +The command line client can be installed (and updated) using Chocolatey: +---- +choco install -y git +---- + +// winget has git. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/g/Git/Git + +===== Others + +A list of other GUI interfaces for Git can be found at +https://git-scm.com/downloads/guis + + +[#ChSetupCMake] + +==== Install CMake + +While CMake is required to build Wireshark, it might have been installed as a component of either Visual Studio or Qt. +If that’s the case you can skip this step. +If you do want or need to install CMake, you can get it from https://cmake.org/download/[]. +Installing CMake into the default location is recommended. +Ensure the directory containing cmake.exe is added to your path. + +Alternatively you can install it using Chocolatey: + +---- +choco install -y cmake +---- + +// winget has CMake. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/k/Kitware/CMake + +Chocolatey ensures cmake.exe is on your path. + +[#ChSetupAsciidoctor] + +==== Install Asciidoctor, Xsltproc, And DocBook + +https://asciidoctor.org/[Asciidoctor] can be run directly as a Ruby script or via a Java wrapper (AsciidoctorJ). +The JavaScript flavor (Asciidoctor.js) isn’t yet supported. +It is used in conjunction with Xsltproc and DocBook to generate the documentation you're reading and the User’s Guide. + +You can install AsciidoctorJ, Xsltproc, and DocBook using Chocolatey. +AsciidoctorJ requires a Java runtime and there are https://en.wikipedia.org/wiki/List_of_Java_virtual_machines[many to choose from]. +Chocolatey doesn't support alternative package dependencies at the present time, including dependencies on Java. +As a result, installing the asciidoctorj package won't automatically install a Java runtime -- you must install one separately. + +---- +choco install -y <your favorite Java runtime> +choco install -y asciidoctorj xsltproc docbook-bundle +---- + +Chocolatey ensures that asciidoctorj.exe and xsltproc.exe is on your +path and that xsltproc uses the DocBook catalog. + +// winget has no Asciidoctor, xsltproc, or DocBook packages. + +==== Install winflexbison + +Get the winFlexBison installer from +https://sourceforge.net/projects/winflexbison/ +and install into the default location. +Ensure the directory containing win_flex.exe is on your path. + +Alternatively you can install Winflexbison using Chocolatey: + +---- +choco install -y winflexbison3 +---- + +Chocolatey ensures win_flex.exe is on your path. + +// winget has no bison package. + +==== Optional: Install Perl + +If needed you can get a Perl installer from +http://strawberryperl.com/ +or +https://www.activestate.com/ +and install Perl into the default location. + +Alternatively you can install Perl using Chocolatey: + +---- +choco install -y strawberryperl +# ...or... +choco install -y activeperl +---- + +// winget has StrawberryPerl. +// https://github.com/microsoft/winget-pkgs/tree/master/manifests/s/StrawberryPerl/StrawberryPerl + +==== Install and Prepare Sources + +[TIP] +.Make sure everything works +==== +It’s a good idea to make sure Wireshark compiles and runs at least once before +you start hacking the Wireshark sources for your own project. This example uses +Git Extensions but any other Git client should work as well. +==== + +*Download sources* Download Wireshark sources into +_C:\Development\wireshark_ using either the command line or Git Extensions: + +Using the command line: + +---- +cd C:\Development +git clone https://gitlab.com/wireshark/wireshark.git +---- + +Using Git extensions: + +. Open the Git Extensions application. By default Git Extensions + will show a validation checklist at startup. If anything needs to + be fixed do so now. You can bring up the checklist at any time + via menu:Tools[Settings]. + +. In the main screen select _Clone repository_. Fill in the following: ++ +Repository to clone: *`https://gitlab.com/wireshark/wireshark.git`* ++ +Destination: Your top-level development directory, e.g. _C:\Development_. ++ +Subdirectory to create: Anything you’d like. Usually _wireshark_. ++ +[TIP] +.Check your paths +==== +Make sure your repository path doesn't contain spaces. +==== + +. Click the btn:[Clone] button. Git Extensions should start cloning the + Wireshark repository. + +[#ChSetupPrepareCommandCom] + +==== Open a Visual Studio Command Prompt + +From the Start Menu (or Start Screen), navigate to the “Visual Studio 2022” folder and choose the https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line?view=msvc-170#developer_command_prompt_shortcuts[Command Prompt] appropriate for the build you wish to make, e.g. “x64 Native Tools Command Prompt for VS 2022” for a 64-bit version. +Depending on your version of Windows the Command Prompt list might be directly under “Visual Studio 2022” or you might have to dig for it under multiple folders, e.g. menu:Visual Studio 2022[Visual Studio Tools,Windows Desktop Command Prompts]. + +You can set up a build environment in your own command prompt by running the appropriate `vcvars__ARCHITECTURE__.bat` command. +See https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line?view=msvc-170#use-the-developer-tools-in-an-existing-command-window[Use the Microsoft C++ toolset from the command line] for details. + +[TIP] +.Pin the items to the Task Bar +==== +Pin the Command Prompt you use to the Task Bar for easy access. +==== + +All subsequent operations take place in this Command Prompt window. + +. Set environment variables to control the build. ++ +-- +Set the following environment variables, using paths and values suitable for your installation: + +[subs="attributes+"] +---- +rem Let CMake determine the library download directory name under +rem WIRESHARK_BASE_DIR or set it explicitly by using WIRESHARK_LIB_DIR. +rem Set *one* of these. +set WIRESHARK_BASE_DIR=C:\Development +rem set WIRESHARK_LIB_DIR=c:\wireshark-x64-libs +rem Set the Qt installation directory +set WIRESHARK_QT6_PREFIX_PATH=C:\Qt{backslash}{qt6-lts-version}\msvc2019_64 +rem Append a custom string to the package version. Optional. +set WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo +---- + +Setting these variables could be added to a batch file to be run after you open +the Visual Studio Tools Command Prompt. + +[TIP] +.Use of Qt’s LTS branch +==== +It is generally recommended to use a LTS ("long term support") version for Qt. The current LTS version for Qt 6 is +{qt6-lts-version}. +==== + +-- + +. Create and change to the correct build directory. +CMake is best used in an out-of-tree build configuration where the build is done in a separate directory from the source tree, leaving the source tree in a pristine state. +64 and 32 bit builds require a separate build directory. +Create (if required) and change to the appropriate build directory. ++ +-- +// XXX Our CI builds are in-tree in <src dir>/build. +---- +mkdir C:\Development\wsbuild64 +cd C:\Development\wsbuild64 +---- +to create and jump into the build directory. + +The build directory can be deleted at any time and the build files regenerated as detailed in <<ChWindowsGenerate>>. +-- + +[#ChWindowsGenerate] + +==== Generate the build files + +CMake is used to process the CMakeLists.txt files in the source tree and produce build files appropriate +for your system. + +You can generate Visual Studio solution files to build either from within Visual Studio, or from the command +line with MSBuild. CMake can also generate other build types but they aren't supported. + +The initial generation step is only required the first time a build directory is created. Subsequent +builds will regenerate the build files as required. + +If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. + +To generate the build files enter the following at the Visual Studio command prompt: +---- +cmake -G "Visual Studio 17 2022" -A x64 ..\wireshark +---- + +Adjusting the path to the Wireshark source tree as required. +To use a different generator modify the `-G` parameter. +`cmake -G` lists all the CMake supported generators, but only Visual Studio is supported for Wireshark builds. +32-bit builds are no longer supported. + +The CMake generation process will download the required 3rd party libraries (apart from Qt) +as required, then test each library for usability before generating the build files. + +At the end of the CMake generation process the following should be displayed: +---- +-- Configuring done +-- Generating done +-- Build files have been written to: C:/Development/wsbuild64 +---- + +If you get any other output, there is an issue in your environment that must be rectified before building. +Check the parameters passed to CMake, especially the `-G` option and the path to the Wireshark sources and +the environment variables `WIRESHARK_BASE_DIR` and `CMAKE_PREFIX_PATH`. + +[#ChWindowsBuild] + +==== Build Wireshark + +Now it’s time to build Wireshark! + +. If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. + +. Run ++ +-- +---- +msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln +---- +to build Wireshark. +-- + +. Wait for Wireshark to compile. This will take a while, and there will be a lot of text output in the command prompt window + +. Run _C:\Development\wsbuild64\run\RelWithDebInfo\Wireshark.exe_ and make sure it starts. + +. Open menu:Help[About]. If it shows your "private" program +version, e.g.: Version {wireshark-version}-myprotocol123 +congratulations! You have compiled your own version of Wireshark! + +You may also open the Wireshark solution file (_Wireshark.sln_) in the Visual Studio IDE and build there. + +TIP: If compilation fails for suspicious reasons after you changed some source +files try to clean the build files by running `msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln /t:Clean` +and then building the solution again. + +The build files produced by CMake will regenerate themselves if required by changes in the source tree. + +==== Debug Environment Setup + +You can debug using the Visual Studio Debugger or WinDbg. See the section +on using the <<ChToolsDebugger, Debugger Tools>>. + +==== Optional: Create User’s and Developer’s Guide + +To build the Wireshark User's Guide and the Wireshark Developer's Guide, +build the `all_guides` target, e.g. `msbuild all_guides.vcxproj`. +Detailed information to build these guides can be found in the file +_docbook\README.adoc_ in the Wireshark sources. + +==== Optional: Create a Wireshark Installer + +Note: You should have successfully built Wireshark +before doing the following. + +If you want to build your own +_Wireshark-{wireshark-version}-myprotocol123-x64.exe_, you'll need +NSIS. You can download it from http://nsis.sourceforge.net[]. + +Note that the 32-bit version of NSIS will work for both 64-bit and 32-bit versions of Wireshark. +NSIS version 3 is required. + +If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again. Run + +---- +msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis.vcxproj +---- + +to build a Wireshark installer. +If you sign your executables you should do so between the “wireshark_nsis_prep” and “wireshark_nsis” steps. +To sign your installer you should place the signing batch script on the path. It must be named "sign-wireshark.bat". +It should be autodetected by CMake, to always require signing set the -DENABLE_SIGNED_NSIS=On CMake option. + +Run + +---- +packaging\nsis\wireshark-{wireshark-version}-myprotocol123-x64.exe +---- + +to test your new installer. +It’s a good idea to test on a different machine than the developer machine. + +[#ChSetupMSYS2] + +=== Windows: Using MinGW-w64 with MSYS2 + +MSYS2 comes with different environments/subsystems and the first thing you +have to decide is which one to use. The differences among the environments +are mainly environment variables, default compilers/linkers, architecture, +system libraries used etc. If you are unsure, go with UCRT64. + +==== Building from source + +. Open the shell for the selected 64-bit environment. + +. Download the Wireshark source code using Git, if you haven't done so already, + and cd into that directory. + +. Install needed dependencies: + + tools/msys2-setup.sh --install-all + +. Build using CMake + Ninja: + + mkdir build && cd build + # Ninja generator is the default + cmake -DENABLE_CCACHE=On -DFETCH_lua=Yes .. + ninja + ninja test # optional, to run the test suite + ninja install # optional, install to the MSYS2 shell path + +The application should be launched using the same shell. + +==== Building an .exe installer + +. Follow the instructions above to compile Wireshark from source. + +. Build the NSIS installer target. + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If successful the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +Alternatively you can also use the PKGBUILD included in the Wireshark +source distribution to compile Wireshark into a binary package that can be +https://www.msys2.org/wiki/Creating-Packages/[installed using pacman]. + +==== Comparison with MSVC toolchain + +The official Wireshark Windows installer is compiled using Microsoft Visual +Studio (MSVC). Currently the MSYS2 build has the following limitations compared to +the build using MSVC: + +* Lua does not have https://github.com/Lekensteyn/lua-unicode[custom UTF-8 patches]. + +* The Event Tracing for Windows (ETW) extcap cannot be compiled using MinGW-w64. + +* Enhanced Kerberos dissection with decryption is not available. + +* AirPcap is not supported. + +[#ChSetupCross] + +=== Windows: Cross-compilation using Linux + +It is possible to compile Wireshark for Microsoft Windows using Linux and MinGW. +This way developers can deploy Wireshark on Windows systems without requiring +a Windows host machine. Building for Windows using a Linux host is also +easier for devs already familiar with Linux, the build itself is faster and it +uses a very mature C/C++ compiler (GCC) and debugger (GDB). + +==== Using Fedora Linux + +https://fedoraproject.org/[Fedora Linux] provides the best out-of-the-box +support for MinGW cross-compilation. Fedora is what the project uses to test +the build and it's what we recommend. While any other reasonably modern Linux +distribution can be used, that will make the process more time consuming and +involve some trial and error to setup. + +The build instructions on Fedora follow the familiar recipe for building Wireshark +using Linux. + +===== Building from source + +. Install needed dependencies: + + tools/mingw-rpm-setup.sh --install-all + +. Build using CMake + Ninja: + + mkdir build && cd build + mingw64-cmake -G Ninja -DENABLE_CCACHE=Yes -DFETCH_lua=Yes .. + ninja ++ +Note that currently it is not possible to run the test-suite when cross-compiling. + +. Build the NSIS installer + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If successful the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +===== Notes and comparison with MSVC builds + +* Only the MSVCRT C library for Microsoft Windows can be used. Support for the + UCRT (Universal C Runtime) library on Fedora Linux is in the initial stages of + deployment and not ready for prime-time (at the time of this writing). + +* Some optional dependencies are missing from Fedora repositories and must be + compiled from source if desired. An up-to-date complete list can be found in + the bug tracker (https://gitlab.com/wireshark/wireshark/-/issues/19108[issue 19108]). + +* Lua does not have https://github.com/Lekensteyn/lua-unicode[custom UTF-8 patches]. + +* The Event Tracing for Windows (ETW) extcap cannot be compiled using MinGW-w64. + +* Enhanced Kerberos dissection with decryption is not available. + +* AirPcap is not supported. + +==== Using Arch Linux + +https://archlinux.org/[Arch Linux] has good support for MinGW using packages +from the https://aur.archlinux.org/[AUR]. Note that the mingw-w64 AUR packages +sometimes break. If that happens you may be required to fix it or skip the +package until it is fixed by the maintainer, if it's an optional dependency. +You may also want to consider using an +https://wiki.archlinux.org/title/unofficial_user_repositories[unofficial user repository] +(such as the https://martchus.no-ip.biz/repo/arch/ownstuff/[ownstuff] repository) +to provide pre-compiled packages. This will greatly simplify the initial setup +and subsequent upgrades. + +CAUTION: AUR packages and unofficial user repositories are user-produced +content. These packages are completely unofficial and have not been thoroughly +vetted. It is your decision whether to trust their maintainers and you take +full responsibility for choosing to use them. + +You will need to install an https://wiki.archlinux.org/title/AUR_helpers[AUR helper]. +This guide assumes `paru` is being used. + +. Install required dependencies from official repositories: + + pacman -S mingw-w64 nsis lemon qt6-tools ccache + +. Install required dependencies from the AUR: + + paru -S mingw-w64-cmake + paru -S mingw-w64-glib2 + paru -S mingw-w64-libgcrypt + paru -S mingw-w64-c-ares + paru -S mingw-w64-speexdsp + paru -S mingw-w64-libpcap + +. Install Qt6: + + paru -S mingw-w64-qt6-base mingw-w64-qt6-5compat mingw-w64-qt6-multimedia + +. Install optional dependencies: + + paru -S mingw-w64-gnutls + paru -S mingw-w64-lz4 + paru -S mingw-w64-snappy + paru -S mingw-w64-opus + paru -S mingw-w64-opencore-amr + paru -S mingw-w64-libxml2 + paru -S mingw-w64-libnghttp2 + paru -S mingw-w64-libssh + paru -S mingw-w64-minizip ++ +Search the AUR for other dependencies not listed above. + +. Build Wireshark using CMake + Ninja. From the directory containing the + Wireshark source tree run: + + mkdir build && cd build + x86_64-w64-mingw32-cmake -G Ninja -DENABLE_CCACHE=Yes -DFETCH_lua=Yes \ + -DMINGW_SYSROOT=/usr/x86_64-w64-mingw32 .. + ninja ++ +This will automatically download and build Lua as a static library. ++ +To reconfigure the CMake build you may to do it explicitly by running +`x86_64-w64-mingw32-cmake .` in the build directory, +instead of letting `ninja` do it for you automatically. + +. Build the NSIS installer + + ninja wireshark_nsis_prep + ninja wireshark_nsis + +If everything goes well the installer can be found in `$CMAKE_BINARY_DIR/packaging/nsis`. + +The same notes as the build using Fedora apply. diff --git a/docbook/wsdg_src/wsdg_sources.adoc b/docbook/wsdg_src/wsdg_sources.adoc new file mode 100644 index 0000000..9e2a3c1 --- /dev/null +++ b/docbook/wsdg_src/wsdg_sources.adoc @@ -0,0 +1,1412 @@ +[#ChapterSources] + +== Work with the Wireshark sources + +[#ChSrcIntro] + +=== Introduction + +This chapter will explain how to work with the Wireshark source code. +It will show you how to: + +* Get the source + +* Compile it on your machine + +* Submit changes for inclusion in the official release + +This chapter will not explain the source file contents in detail, +such as where to find specific functionality. This is done in +<<ChCodeOverview>>. + +[#ChSrcGitRepository] + +=== The Wireshark Git repository + +https://git-scm.com/[Git] is used to keep track of the changes made to the Wireshark source code. +The official repository is hosted at {wireshark-gitlab-project-url}[GitLab], and incoming changes are evaluated and reviewed there. +For more information on GitLab see https://docs.gitlab.com/ce/gitlab-basics/[their documentation]. + +.Why Git? + +Git is a fast, flexible way of managing source code. +It allows large scale distributed development and ensures data integrity. + +.Why GitLab? + +GitLab makes it easy to contribute. +You can make changes locally and push them to your own work area at gitlab.com, or if your change is minor you can make changes entirely within your web browser. + +.Historical trivia: GitLab is the *fourth* iteration of our source code repository and code review system. + +Wireshark originally used https://www.nongnu.org/cvs/[Concurrent Versions System] (CVS) and migrated to https://subversion.apache.org/[Subversion] in July 2004. +We migrated from Subversion to Git and https://www.gerritcodereview.com/[Gerrit] in January 2014, and from Gerrit to GitLab in August 2020. + +Using Wireshark’s GitLab project you can: + +* Keep your private sources up to date with very little effort. +* Receive notifications about code reviews and issues. +* Get the source files from any previous release (or any other point in time). +* Browse and search the source code using a web interface. +* See which person changed a specific piece of code. + +[#ChSrcWebInterface] + +==== Git Naming Conventions + +Like most revision control systems, Git uses +https://en.wikipedia.org/wiki/Branching_%28revision_control%29[branching] +to manage different copies of the source code and allow parallel development. +Wireshark uses the following branch naming conventions: + +.master. +Main feature development and odd-numbered development releases. + +.release-x.y, master-x.y. +Stable release maintenance. For example, release-3.4 is used to manage the 3.4.x official releases. + +Tags for major releases and release candidates consist of a “v” followed by a version number such as “v3.2.1” or “v3.2.3rc0”. +Major releases additionally have a tag prefixed with “wireshark-” followed by a version number, such as “wireshark-3.2.0”. + + +[#ChSrcGitWeb] +=== Browsing And Searching The Source Code + +If you need a quick look at the Wireshark source code you can browse the repository files in GitLab at + +{wireshark-code-browse-url} + +You can view commit logs, branches, and tags, find files and search the repository contents. +You can also download individual files. + +[#ChSrcObtain] +=== Obtaining The Wireshark Sources + +There are two primary ways to obtain Wireshark’s source code: Git and compressed .tar archives. +Each is described in more detail below. +We recommend using Git for day to day development, particularly if you wish to contribute changes back to the project. +The age mentioned in the following sections indicates the age of the most recent change in that set of the sources. + + +[#ChSrcGit] +==== Git Over SSH Or HTTPS + +This method is strongly recommended for day to day development. + +You can use a Git client to download the source code from Wireshark’s code review system. +Anyone can clone from the anonymous HTTP git URL: + +{wireshark-git-anonhttp-url} + +If you have a GitLab account you can also clone using SSH: + +{wireshark-git-ssh-url} + +If wish to make changes to Wireshark you must create a GitLab account, create a fork of the official Wireshark repository, update your fork, and create a merge request. +See <<ChSrcContribute>> for details. + +The following example shows how to get up and running on the command line. +See <<ChToolsGit>> for information on installing and configuring graphical Git clients. + +. Now on to the command line. +First, make sure `git` works: ++ +-- +[source,sh] +---- +$ git --version +---- +-- + +. If this is your first time using Git, make sure your username and email address are configured. +This is particularly important if you plan on uploading changes: ++ +-- +[source,sh] +---- +$ git config --global user.name "Henry Perry" +$ git config --global user.email henry.perry@example.com +---- +-- + +. Next, clone the Wireshark repository: ++ +-- +[source,sh] +---- +# If you have a GitLab account, you can use the SSH URL: +$ git clone -o upstream git@gitlab.com:wireshark/wireshark.git +# If you don't you can use the HTTPS URL: +$ git clone -o upstream https://gitlab.com/wireshark/wireshark.git +# You can speed up cloning in either case by adding --shallow-since=1year or --depth=5000. +---- +The clone only has to be done once. +This will copy all the sources (including directories) from the server to your machine and check out the latest version. + +The `-o upstream` flag uses the origin name “upstream” for the repository instead of the default “origin” as described in the https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[GitLab documentation]. + +Cloning may take some time depending on the speed of your internet connection. + +The `--shallow-since=1year` option limits cloned commits to the last 1 year. + +The `--depth=5000` option limits cloned commits to the last 5000. +-- + +[#ChSrcDevelopmentSnapshots] +==== Development Snapshots + +This method is useful for one-off builds or if Git is inaccessible (e.g. because of a restrictive firewall). + +Our GitLab CI configuration automatically generates development packages, including source packages. +They can be found at {wireshark-snapshots-url}. +Packages are available for recent commits in the master branch and each release branch. + +[#ChSrcReleased] +==== Official Source Releases + +This method is recommended for building downstream release packages. + +The official source releases can be found at {wireshark-download-url}. +You should use these sources if you want to build Wireshark on your platform based on an official release with minimal or no changes, such as Linux distribution packages. + +[#ChSrcUpdating] +=== Update Your Wireshark Sources + +After you've obtained the Wireshark sources for the first time, +you might want to keep them in sync with the sources at the upstream +Git repository. + +[TIP] +.Take a look at the recent commits first +==== +As development evolves, the Wireshark sources are compilable most of the time -- but not always. +You should take a look at {wireshark-commits-url} before fetching or pulling to make sure the builds are in good shape. +==== + +[#ChSrcGitUpdate] +==== Update Using Git + +From time to time you will likely want to synchronize your master branch with the upstream repository. +You can do so by running: + +[source,sh] +---- +$ git pull --rebase upstream master +---- + +[#ChSrcBuildFirstTime] +=== Build Wireshark + +The sources contain several documentation files. It’s a good idea to read these +files first. After obtaining the sources, tools and libraries, the first place +to look at is _doc/README.developer_. Inside you will find the latest +information for Wireshark development for all supported platforms. + +.Build Wireshark before changing anything +[TIP] +==== +It is a very good idea to first test your complete build environment +(including running and debugging Wireshark) before making any changes +to the source code (unless otherwise noted). +==== + +Building Wireshark for the first time depends on your platform. + +==== Building on Unix + +Follow the build procedure in <<ChSetupUNIX>> to build Wireshark. + +==== Windows Native + +Follow the build procedure in <<ChSetupWindows>> to build Wireshark. + +After the build process has successfully finished, you should find a +`Wireshark.exe` and some other files in the `run\RelWithDebInfo` directory. + +[#ChSrcBuildType] +==== Build Type + +CMake can compile Wireshark for several different build types: + +.Build Types +|=== +|Type |Compiler Flags |Description + +|`RelWithDebInfo` +|`-O2 -g` +|Default, build with default optimizations and generate debug symbols. +Enables assertions and disables debug level logs + +|`Debug` +|`-O0 -g -DWS_DEBUG -DWS_DEBUG_UTF_8` +|For development, no optimization. Enables assertions +and debug level logs + +|`Release` +|`-O3 -DNDEBUG` +|Optimized for speed, no debug symbols or debug level logs or assertions + +|`MinSizeRel` +|`-Os -DNDEBUG` +|Optimized for size, no debug symbols or debug level logs or assertions +|=== + +The default is `RelWithDebInfo`, which provides a good compromise of +some optimization (`-O2`) along with including debug symbols (`-g`) +for release builds. For normal development coding you probably want to be +using `Debug` build type or set -DENABLE_DEBUG=On, to enable full +<<ChSrcLogging,logging capabilities>> and debug code. + +CMake will automatically add the -DNDEBUG option to certain build +types. This macro is used to disable assertions but it can be overruled +using ENABLE_ASSERT, which can be used to unconditionally enable assertions +if defined. + +To change the build type, set the CMake variable `CMAKE_BUILD_TYPE`, e.g.: + +[source,sh] +---- +$ cmake .. -DCMAKE_BUILD_TYPE=Debug +---- + +or on Windows, + +[source,cmd] +---- +> msbuild /m /p:Configuration=Debug Wireshark.sln +---- + +[#ChSrcRunFirstTime] +=== Run Your Version Of Wireshark + + +[TIP] +.Beware of multiple Wiresharks +==== +An already installed Wireshark may interfere with your newly generated +version in various ways. If you have any problems getting your Wireshark +running the first time, it might be a good idea to remove the previously +installed version first. +==== + +[#ChSrcRunFirstTimeUnix] +==== Unix-Like Platforms + +After a successful build you can run Wireshark right from the `run` directory. +There's no need to install it first. + +[source,sh] +---- +$ ./run/wireshark +---- + +There’s no need to run Wireshark as root user, but depending on your platform you might not be able to capture. +Running Wireshark this way can be helpful since debugging output will be displayed in your terminal. +You can also change Wireshark’s behavior by setting various environment variables. +See the {wireshark-man-page-url}wireshark.html#ENVIRONMENT-VARIABLES[ENVIRONMENT VARIABLES] section of the Wireshark man page for more details. + +On macOS, Wireshark is built as an application bundle (_run/Wireshark.app_) by default, and _run/wireshark_ will be a wrapper script that runs _Wireshark.app/Contents/MacOS/Wireshark_. +Along with running `./run/wireshark` as shown above you can also run it on the command line with `open run/Wireshark.app`. + +[#ChSrcRunFirstTimeWindows] +==== Windows Native + +By default the CMake-generated Visual {cpp} project places all of the files necessary to run Wireshark in the subdirectory `run\RelWithDebInfo`. +As with the Unix-like build described above, you can run Wireshark from the build directory without installing it first. + +[source,cmd] +---- +> .\run\RelWithDebInfo\Wireshark +---- + + +[#ChSrcDebug] +=== Debug Your Version Of Wireshark + +Optimization can make debugging a bit more difficult, e.g. by changing the +execution order of statements. To disable optimization, set the +<<ChSrcBuildType,build type>> to `Debug`. + +Full debug logs can be invaluable to investigate any issues with the code. +By default debug level logs are only enabled with `Debug` build type. You +can enable full debug logs and extra debugging code by configuring the +ENABLE_DEBUG CMake option. This in turn will define the macro symbol +`WS_DEBUG` and enable the full range of debugging code in Wireshark. + +There is an additional CMake knob called ENABLE_DEBUG_UTF_8 that can be used to +control specifically the extra validation Wireshark performs internally +for invalid UTF-8 encodings in internal strings, which should never happen +and can be somewhat expensive to check during normal usage. + +Conversely, the `Release` or `MinSizeRel` build types can be used to optimize +further for speed or size, but do not include debug symbols for use with +debuggers, and completely disable <<ChSrcLoggingLevels,lower level logging>> +and asserts, optimizing away the code path. Ensure that you have not built with +one of those types before attempting debugging. + +[#ChSrcLogging] +==== Wireshark Logging + +Wireshark has a flexible logging system to assist in development and troubleshooting. +Logging configuration takes into account what, when and where to output diagnostic messages. + +* The 'what generates log messages' is defined through logging domain(s). +* The 'when it generates log messages' is defined through the logging level. +* The 'where it outputs log messages' is defined through the output channel(s). + +The details to configure and use the logging system are explained in the following sections. + +[#ChSrcLoggingDomains] +===== Logging Domains + +Any part of Wireshark can be assigned a logging domain. This is already done for most of the internals of Wireshark, +e.g., "Main", "Capture", "Epan", "GUI". The domains are defined in the `ws_log_defs.h` header but dissectors should +define their own logging domain. Any string can be used as ID for a logging domain. + +[#ChSrcLoggingLevels] +===== Logging Levels + +The following logging levels are defined from highest to lowest: + +* error +* critical +* warning +* message +* info +* debug +* noisy + +By default logging output is generated for logging level "message" and above. If the logging level is lowered or raised +all log output generated at or above this level is sent to the log output. +Note that if the <<ChSrcBuildType,build type>> is not set to `Debug` +then by default all log output for the logging levels "debug" and +"noisy" will be optimized away by the compiler and cannot be emitted to the log +output, regardless of the logging setings. To enable debug logging for all build +types, set the CMake variable `-DENABLE_DEBUG=ON`. + +There is also a special "echo" logging level used exclusively for temporary debugging print outs (usually +via the `WS_DEBUG_HERE` macro). + +[#ChSrcLoggingOutput] +===== Logging Output + +By default logging output is sent to stderr. In addition to that it is possible to configure a log file. This collects all log output to the +file, besides the normal output streams. The output can then be read in a text editor or used with other text processing tools. + +A program can also register its own log writer when the standard facilities are insufficient or special handling is required. + +[#ChSrcConfigureLogging] +===== Configure Logging + +Logging can be configured through either environment variables or command line parameters. + +The following environment variables and command line parameters are used by the logging system: + +WIRESHARK_LOG_DOMAIN, WIRESHARK_LOG_DOMAINS, or --log-domain, --log-domains:: +This is a filter for the domain(s) which are to generate log messages. +WIRESHARK_LOG_LEVEL, or --log-level:: +This is the level (below critical) for which log messages are to be generated. This is used for all configured domains. +WIRESHARK_LOG_DEBUG, or --log-debug:: +These domain(s) will generate debug level log messages regardless of the log level and log domains configured. +WIRESHARK_LOG_NOISY, or --log_noisy:: +These domain(s) will generate noisy level log messages regardless of the log level and log domains configured. + +Multiple domains can be concatenated using commas or semicolons. The match can be inverted by prefixing the domain(s) list with an exclamation mark. + +[#ChSrcTrapsLogging] +==== Traps Set By Logging + +Sometimes it can be helpful to abort the program right after a log message of a certain level or a certain domain is output. + +The following environment variables are used to configure a trap by the logging system: + +WIRESHARK_LOG_FATAL, or --log_fatal:: +This is the level for which log messages are fatal. This can either be "critical" or "warning" level. + +WIRESHARK_LOG_FATAL_DOMAIN, WIRESHARK_LOG_FATAL_DOMAINS, or --log-fatal-domain, --log-fatal-domains:: +These are the domain(s) where output of a log message is fatal. This is less commonly used than the fatal log level setting above. + +[#ChSrcLoggingApi] +==== Logging APIs + +The logging API can be found in `wsutil/wslog.h`. + +To use the logging API for your code add the definition of the ID of your logging domain right after including `config.h`. For example: + +[source,c] +---- +/* My code doing something awesome */ +#include "config.h" +#define WS_LOG_DOMAIN "MyCode" + +#include <wireshark.h> + +... +---- + +Populate your code with the applicable function calls to generate log messages when enabled. The following convenience macros are provided: + +* `ws_error()` +* `ws_critical()` +* `ws_warning()` +* `ws_message()` +* `ws_info()` +* `ws_debug()` +* `ws_noisy()` + +All these take `printf()` style parameters. There is also a `WS_DEBUG_HERE` macro that is always active and outputs to a special "echo" +domain for temporary debug print outs. `WS_DEBUG_HERE` should be used for development purposes only and not appear in final delivery of the code. + +[#ChSrcUnixDebug] +==== Unix-Like Platforms + +You can debug using command-line debuggers such as gdb, dbx, or lldb. +If you prefer a graphic debugger, you can use an IDE or debugging frontend +such as Qt Creator, CLion, or Eclipse. + +Additional traps can be set on Wireshark, see <<ChSrcTrapsLogging>> + +[#ChSrcMemorySafety] +===== Memory Safety and Leaks + +Wireshark's wmem memory management framework makes it easy to allocate +memory in pools with a certain scope that is freed automatically at +a certain point (such as the end of dissecting a packet or when closing +a file), even if a dissector raises an exception after allocating the +memory. Memory in a pool is also freed collectively, which can be +considerably faster than calling `free()` individually on each individual +allocation. Proper use of wmem makes a dissector faster and less prone +to memory leaks with unexpected data, which happens frequently with +capture files. + +However, wmem's block allocation can obscure issues that memory checkers +might otherwise catch. Fortunately, the `WIRESHARK_DEBUG_WMEM_OVERRIDE` +environment variable can be set at runtime to instruct wmem to use a specific +memory allocator for all allocations, some of which are more compatible with +memory checkers: + +* `simple` - Uses `malloc()` only, no block allocation, compatible with Valgrind +* `strict` - Finds invalid memory via canaries and scrubbing freed memory +* `block` - Standard block allocator for file and epan scopes +* `block_fast` - Block allocator for short-lived scope, e.g. packet, (`free()` is a no-op) + +The `simple` allocator produces the most accurate results with tools like +https://valgrind.org[Valgrind] and can be enabled as follows: + +[source,sh] +---- +$ export WIRESHARK_DEBUG_WMEM_OVERRIDE=simple +---- + +Wireshark uses GLib's GSlice memory allocator, either indirectly via wmem or via various GLib API calls. +GLib provides a `G_SLICE` environment variable that can be set to `always-malloc` (similar to `simple`) or `debug-blocks` (similar to `strict`). +See https://developer-old.gnome.org/glib/stable/glib-running.html for details. +The C libraries on FreeBSD, Linux, and macOS also support memory allocation debugging via various environment variables. +You can enable many of them by running `source tools/debug-alloc.env` in a POSIX shell. + +If you're encountering memory safety bugs, you might want to build with +https://github.com/google/sanitizers/wiki/AddressSanitizer[Address Sanitizer] +(ASAN) so that Wireshark will immediately alert you to any detected issues. +It works with GCC or Clang, provided that the appropriate libraries are installed. + +[source,sh] +---- +$ cmake .. -G Ninja -DENABLE_ASAN=1 +$ source ../tools/debug-alloc.env +$ ./run/tshark ... +---- + +TIP: ASAN slows things down by a factor of 2 (or more), so having a different +build directory for an ASAN build can be useful. + +ASAN will catch more errors when run with either the `simple` or `strict` +wmem allocator than with the defaults. (It is more compatible with the +`strict` allocator and the analogous GSlice `debug-blocks` option than +Valgrind is.) + +For additional instrumentation, ASAN supports a number of +https://github.com/google/sanitizers/wiki/AddressSanitizerFlags[options]. + +For further investigating memory leaks, the following can be useful: + +[source,sh] +---- +# This slows things down a lot more but results in more precise backtraces, +# especially when calling third party libraries (such as the C++ standard +# library): +$ export ASAN_OPTIONS=fast_unwind_on_malloc=0 +# This causes LeakSanitizer to print the addresses of leaked objects for +# inspection in a debugger: +$ export LSAN_OPTIONS=report_objects=1 +---- + +LeakSanitizer and AddressSanitizer can detect issues in third-party libraries +that you cannot do anything about. For example, internal Qt library calls to +the fontconfig library can produce leaks. To ignore them, create a +https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions[suppressions file] with an appropriate entry, e.g. `leak:libfontconfig`. + +If you are just interested in memory safety checking, but not memory +leak debugging, disable the included https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer[LeakSanitizer] with: + +[source,sh] +---- +$ export ASAN_OPTIONS=detect_leaks=0 +---- + +[#ChSrcWindowsDebug] +==== Windows Native + +You can debug using the Visual Studio Debugger or WinDbg. See the section +on using the <<ChToolsDebugger, Debugger Tools>>. + +[#ChSrcChange] +=== Make Changes To The Wireshark Sources + +There are several reasons why you might want to change Wireshark’s sources: + +* Add support for a new protocol (i.e., add a new dissector) + +* Change or extend an existing dissector + +* Fix a bug + +* Implement a glorious new feature + +Wireshark’s developers work on a variety of different platforms and use a variety of different development environments. +Although we don't enforce or recommend a particular environment, your editor should support https://editorconfig.org/[EditorConfig] in order to make sure you pick up the correct indentation style for any files that you might edit. + +The internal structure of the Wireshark sources are described in <<PartDevelopment>>. + +.Ask the {wireshark-dev-list-email} mailing list before you start a new development task. +[TIP] +==== +If you have an idea what you want to add or change it’s a good idea to +contact the developer mailing list +(see <<ChIntroMailingLists>>) +and explain your idea. Someone else might already be working on the same +topic, so a duplicated effort can be reduced. Someone might also give you tips that +should be thought about (like side effects that are sometimes very +hard to see). +==== + +// XXX - Add a section on branching. + +[#ChSrcContribute] +=== Contribute Your Changes + +If you have finished changing the Wireshark sources to suit your needs, you might want to contribute your changes back to the Wireshark community. +You gain the following benefits by contributing your improvements: + +.It’s the right thing to do. +Other people who find your contributions useful will appreciate them, and you will know that you have helped people in the same way that the developers of Wireshark have helped you. + +.You get free enhancements. +By making your code public, other developers have a chance to make improvements, as there’s always room for improvements. +In addition someone may implement advanced features on top of your code, which can be useful for yourself too. + +You save time and effort. +The maintainers and developers of Wireshark will maintain your code as well, updating it when API changes or other changes are made, and generally keeping it in tune with what is happening with Wireshark. +So if Wireshark is updated (which is done often), you can get a new Wireshark version from the website and your changes will already be included without any effort for you. + +There’s no direct way to push changes to the {wireshark-gitlab-project-url}[main repository]. +Only a few people are authorised to actually make changes to the source code (check-in changed files). +If you want to submit your changes, you should upload them to the code review system at {wireshark-code-review-url}. +This requires you to set up git as described at <<ChSrcGit>>. + +[#ChSrcCreatingMergeRequests] +==== Creating Merge Requests + +// To do: +// - Note that you can mirror your fork: https://about.gitlab.com/blog/2016/12/01/how-to-keep-your-fork-up-to-date-with-its-origin/ +// - Mention CLI utilities. + +GitLab uses a https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[forking workflow], which looks like this: + +.GitLab Workflow +image::images/git-triangular-workflow.svg[] + +In the diagram above, your fork can created by pressing the “Fork” button at {wireshark-gitlab-project-url}. +Your local repository can be created as described in <<ChSrcGit>>. +You only need to do this once. +You should pull from the main repository on a regular basis in order to ensure that your sources are current. +You should push any time you want to make a merge request or otherwise make your code public. +The “Pull”, “Push”, and “Merge Request” parts of the workflow are important, so let’s look at them in more detail. + +First, you need to set up your environment. +For the steps below we’ll pretend that your username is “henry.perry”. + +. Sign in to {wireshark-gitlab-project-url} by clicking “Sign in / Register” in the upper right corner of the web page and following the login instructions. + +. https://docs.gitlab.com/ce/ssh/[Add an SSH key to your account] as described in the GitLab documentation. + +. Make sure you have a clone of the main repository as described in <<ChSrcGit>>. + +. Create your own personal fork of the Wireshark project by https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html[pressing the “Fork” button] at {wireshark-gitlab-project-url}. ++ +-- +WARNING: If you want to make merge requests you must keep your fork public. +Making it private will disassociate it from the main Wireshark repository. +-- + +. Add a remote for your personal repository. +The main repository remote is named “upstream”, so we'll name this one “downstream”. ++ +-- +[source,sh] +---- +$ git remote add downstream git@gitlab.com:henry.perry/wireshark.git +---- +-- + +. Double-check your remotes: ++ +-- +[source,sh] +---- +$ git remote -v +$ downstream git@gitlab.com:henry.perry/wireshark.git (fetch) +$ downstream git@gitlab.com:henry.perry/wireshark.git (push) +$ upstream git@gitlab.com:wireshark/wireshark.git (fetch) +$ upstream git@gitlab.com:wireshark/wireshark.git (push) +---- +-- + +Before you begin it’s a good idea to synchronize your local repository with the main repository. +This is the *Pull* part of the workflow. +You should do this periodically in order to stay up to date and avoid merge conflicts later on. + +. Fetch and optionally apply the latest changes. ++ +-- +[source,sh] +---- +# Fetch changes from upstream and apply them to the current branch... +$ git pull --rebase upstream master +# ...or fetch changes and leave the current branch alone +$ git fetch upstream +---- +-- + +Now you’re ready to create a merge request (the *Push* and *Merge Request* parts of the workflow above). + +. First, create a branch for your change: ++ +-- +[source,sh] +---- +$ git checkout -b my-glorious-new-feature upstream/master +---- +-- + +. Write some code! +See <<ChSrcGoodPatch>> and <<ChSrcCodeRequirements>> for details. + +. Commit your changes. +See <<ChSrcGoodCommitMessage>> for details. ++ +-- +[source,sh] +---- +$ git commit -a +---- +-- + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +$ git push downstream HEAD +---- +-- + +. Go to {wireshark-merge-request-url}. +You should see a https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html#create-merge-request-button[“Create merge request”] button. +Press it. + +. In the merge request page, make sure “Allow commits from members who can merge to the target branch” is selected so that core developers can rebase your change. You might want to select “Delete source branch when merge request is accepted” as well. Click the “Submit merge request” button. + +// XXX Add command line instructions for one or more of the following: +// https://docs.gitlab.com/ee/user/project/push_options.html +// https://github.com/zaquestion/lab - Go (single binary). +// https://invent.kde.org/sdk/git-lab - Developed by the KDE team. +// https://github.com/vishwanatharondekar/gitlab-cli - Might work well for people who don't mind using NPM. + + +[#ChSrcUpdatingMergeRequests] +==== Updating Merge Requests + +At this point various automated tests will be run and someone will review your change. +If you need to make changes you can do so by force-pushing it to the same branch in your personal repository. + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +# First, make sure you're on the right branch. +$ git status +On branch my-glorious-new-feature +---- +-- + +. Update your code. + +. Push your changes to your personal repository. ++ +-- +[source,sh] +---- +# Modify the current commit and force-push... +$ git commit --amend ... +$ git push downstream +HEAD +# ...or keep the current commit as-is add another commit on top of it +$ git commit ... +$ git push downstream HEAD +---- +The `+` sign is shorthand for forcing the push (`-f`). +-- + +[#ChSrcGoodPatch] +==== Some Tips For A Good Patch + +Some tips that will make the merging of your changes into Git much more likely +(and you want exactly that, don't you?): + +.Use the latest Git sources. +It’s a good idea to work with the same sources that are used by the other developers. +This usually makes it much easier to apply your patch. +For information about the different ways to get the sources, see <<ChSrcObtain>>. + +.Update your sources just before making a patch. +For the same reasons as the previous point. + +.Inspect your patch carefully. +Run `git diff` or `git show` as appropriate and make sure you aren't adding, removing, or omitting anything you shouldn't. + +.Give your branch a brief but descriptive name. +Short, specific names such as _snowcone-machine-protocol_ are preferred. + +.Don't put unrelated things into one large change. +Merge requests should be limited in scope. +For example, updates to the Snowcone Machine Protocol dissector and the Coloring Rules dialog box should be in separate merge requests. + +In general, making it easier to understand and apply your patch by one of the maintainers will make it much more likely (and faster) that it will actually be applied. + +.Thank you in advance for your patience. +Wireshark is a volunteer effort. +As a result, we can’t guarantee a quick turnaround time. + +.Preview the final product. +Wireshark’s GitLab CI jobs are disabled by default for forks, but if you need to test any CI jobs you can do so under the “Pipelines” section in your repository. +For example, if your change might affect Debian (apt) packaging you can run the “build:debian-stable” job. + +[#ChSrcGoodCommitMessage] +==== Writing a Good Commit Message + +When running `git commit`, you will be prompted to describe your change. +Here are some guidelines on how to make that message more useful to other people (and to scripts that may try to parse it): + +.Provide a brief description (under 60 characters or so) of the change in the first line. +If the change is specific to a single protocol, start this line with the abbreviated name of the protocol and a colon. +If the change is not yet complete prefix the line with “WIP:” to inform this change not to be submitted yet. +This be removed when the change is ready to be merged. + +.Insert a single blank line after the first line. +This is required by various formatting tools and helpful to humans. + +.Provide a detailed description of the change in the lines that follow. +Break paragraphs where needed. +Limit each line to 80 characters. + +You can also reference and close issues in a commit message by prefixing the issue number with a https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically[number sign]. +For example, “closes #5” will close issue number 5. + +Putting all that together, we get the following example: + +[source] +---- +MIPv6: Fix dissection of Service Selection Identifier + +APN field is not encoded as a dotted string so the first character is not a +length. Closes #10323. +---- + +[#ChSrcCodeRequirements] + +==== Code Requirements + +To ensure Wireshark’s code quality and to reduce friction in the code review process, there are some things you should consider before submitting a patch: + +.Follow the Wireshark source code style guide. +Wireshark runs on many platforms, and can be compiled with a number of different compilers. +It’s easy to write code that compiles on your machine, but doesn’t compile elsewhere. +The guidelines at <<ChCodeStyle>> describe the techniques and APIs that you can use to write high-quality, portable, and maintainable code in our environment. + +.Submit dissectors as built-in whenever possible. +Developing a new dissector as a plugin can make compiling and testing quicker, but it’s usually best to convert it to built-in before submitting for review. +This reduces the number of files that must be installed with Wireshark and ensures your dissector will be available on all platforms. + +Dissectors vary, so this is not a hard-and-fast rule. +Most dissectors are single C modules that can easily be put into “the big pile.” +Some (most notably ASN.1 dissectors) are generated using templates and configuration files. +Others are split across multiple source files and are often more suitable to be placed in a separate plugin directory. + +.Ensure that the Wireshark Git Pre-Commit Hook is in the repository. +In your local repository directory, there will be a __.git/hooks/__ directory, with sample git hooks for running automatic actions before and after git commands. +You can also optionally install other hooks that you find useful. + +In particular, the _pre-commit_ hook will run every time you commit a change and can be used to automatically check for various errors in your code. +The sample git pre-commit hook simply detects whitespace errors such as mixed tabs and spaces. +To install it just remove the .sample suffix from the existing _pre-commit.sample_ file. + +Wireshark provides a custom pre-commit hook which does additional Wireshark-specific API and formatting checks, but it might return false positives. +If you want to install it, copy the pre-commit file from the tools directory (`cp ./tools/pre-commit .git/hooks/`) and make sure it is executable or it will not be run. + +If the pre-commit hook is preventing you from committing what you believe is a valid change, you can run `git commit --no-verify` to skip running the hooks. +Warning: using --no-verify avoids the commit-msg hook, and thus if you have setup this hook it will not run. + +Additionally, if your system supports symbolic links, as all UNIX-like platforms do, you can use them instead of copying files. +Running `ln -s ../../tools/pre-commit .git/hooks` creates a symbolic link that will make the hook to be up-to-date with the current master. + +.Choose a compatible license. +Wireshark is released under the {spdx-license-url}GPL-2.0-or-later.html[GPL version 2 or later], and it is strongly recommended that incoming code use that license. +If that is not possible, it *must* use a compatible license. +The following licenses are currently allowed: + +* BSD {spdx-license-url}BSD-1-Clause.html[1], {spdx-license-url}BSD-2-Clause.html[2], {spdx-license-url}BSD-3-Clause.html[3] clause +* {spdx-license-url}GPL-3.0-or-later.html[GPL version 3 or later] *with* the https://www.gnu.org/software/bison/manual/html_node/Conditions.html[Bison parser exception] +* {spdx-license-url}ISC.html[ISC] +* {spdx-license-url}LGPL-2.0-or-later.html[LGPL v2 or later], including {spdx-license-url}LGPL-2.1-or-later.html[v2.1] +* {spdx-license-url}MIT.html[MIT] / {spdx-license-url}X11.html[X11] +* {wikipedia-main-url}Public_domain[Public domain] +* {spdx-license-url}Zlib.html[zlib/libpng] + +Notable incompatible licenses include {spdx-license-url}Apache-2.0.html[Apache 2.0], {spdx-license-url}GPL-3.0-or-later.html[GPL 3.0], and {spdx-license-url}LGPL-3.0-or-later.html[LGPL 3.0]. + +.Fuzz test your changes. +Fuzz testing is a very effective way of finding dissector related bugs. +In our case fuzzing involves making random changes to capture files and feeding them to TShark in order to try to make it crash or hang. +There are tools available to automatically do this on any number of input files. +See {wireshark-wiki-url}FuzzTesting for details. + +[#ChSrcUpload] + +//// +==== Uploading your changes + +When you're satisfied with your changes (and obtained any necessary +approval from your organization) you can upload them for review at +{wireshark-code-review-url}. This requires a GitLab account +as described at <<ChSrcGitRepository>>. + +You need to fork your repository which will became yours, and you will have write access to it. Once +you are done with your changes, push them to a branch of your choice (as snowcone-machine). Now in the +GitLab's UI a message will tell you that you created a new branch and a button to create a merge request. + + +[source,sh] +---- +$ git push https://gitlab.com/wireshark/<my.username>.git HEAD:<branchname> +---- + +The username `my.username` is the one which was given during registration with +the review system. + +You can push using any Git client. + +You might get one of the following responses to your patch request: + +* Your patch is checked into the repository. Congratulations! + +* You are asked to provide additional information, capture files, or other + material. If you haven't fuzzed your code, you may be asked to do so. + +* Your patch is rejected. You should get a response with the reason for + rejection. Common reasons include not following the style guide, buggy or + insecure code, and code that won't compile on other platforms. In each case + you'll have to fix each problem and upload another patch. + +* You don't get any response to your patch. Possible reason: All + the core developers are busy (e.g., with their day jobs or family or other commitments) and + haven't had time to look at your patch. Don't worry, if + your patch is in the review system it won't get lost. + +If you're concerned, feel free to add a comment to the patch or send an email +to the developer’s list asking for status. But please be patient: most if not +all of us do this in our spare time. +//// + +[#ChSrcBackport] +==== Backporting A Change + +:example-branch: master-3.2 +When a bug is fixed in the master branch it’s sometimes desirable or necessary to backport the fix to a release branch. +You can do this in Git by cherry-picking the change from one branch to another. +Suppose you want to backport change 1ab2c3d4 from the master branch to {example-branch}. +You can do so as follows: + +[source,sh,subs="attributes+"] +---- +# Create a new topic branch for the backport. +$ git checkout -b backport-1ab2c3d4 upstream/{example-branch} + +# Cherry-pick the change. Include a "cherry picked from..." line. +$ git cherry-pick -x 1ab2c3d4 + +# If there are conflicts, fix them. + +# Compile and test the change. +$ ninja +$ ... + +# OPTIONAL: Add entries to docbook/release-notes.adoc. +$EDITOR docbook/release-notes.adoc + +# If you made any changes, update your commit. +git commit --amend -a + +# Push the change to your working repository. +git push downstream HEAD +---- + +You can also cherry-pick changes in the https://docs.gitlab.com/ee/user/project/merge_requests/cherry_pick_changes.html[GitLab web UI]. + +//// +// XXX Is this relevant any more? +[#ChSrcPatchApply] +=== Apply a patch from someone else + +Sometimes you need to apply a patch to your private source tree. Maybe +because you want to try a patch from someone on the developer mailing +list, or you want to check your own patch before submitting. + + +.Beware line endings +[WARNING] +==== +If you have problems applying a patch, make sure the line endings (CR/LF) +of the patch and your source files match. +==== + +[#ChSrcPatchUse] +==== Using patch + +Given the file _new.diff_ containing a unified diff, +the right way to call the patch tool depends on what the pathnames in +_new.diff_ look like. +If they're relative to the top-level source directory (for example, if a +patch to _prefs.c_ just has _prefs.c_ as the file name) you’d run it as: + +[source,sh] +---- +$ patch -p0 < new.diff +---- + +If they're relative to a higher-level directory, you’d replace 0 with the +number of higher-level directories in the path, e.g. if the names are +_wireshark.orig/prefs.c_ and +_wireshark.mine/prefs.c_, you’d run it with: + +[source,sh] +---- +$ patch -p1 < new.diff +---- + +If they're relative to a _subdirectory_ of the top-level +directory, you’d run `patch` in _that_ directory and run it with `-p0`. + +If you run it without `-pat` all, the patch tool +flattens path names, so that if you +have a patch file with patches to _CMakeLists.txt_ and +_wiretap/CMakeLists.txt_, +it'll try to apply the first patch to the top-level +_CMakeLists.txt_ and then apply the +_wiretap/CMakeLists.txt_ patch to the top-level +_CMakeLists.txt_ as well. + +At which position in the filesystem should the patch tool be called? + +If the pathnames are relative to the top-level source directory, or to a +directory above that directory, you’d run it in the top-level source +directory. + +If they're relative to a *subdirectory* -- for example, +if somebody did a patch to _packet-ip.c_ and ran `diff` or `git diff` in +the _epan/dissectors_ directory -- you’d run it in that subdirectory. +It is preferred that people *not* submit patches like +that, especially if they're only patching files that exist in multiple +directories such as _CMakeLists.txt_. +//// + +[#ChSrcBinary] + +=== Binary Packaging + +Delivering binary packages makes it much easier for the end-users to +install Wireshark on their target system. This section will explain how +the binary packages are made. + +[#ChSrcVersioning] + +==== Packaging Guidelines + +The following guidelines should be followed by anyone creating and +distributing third-party Wireshark packages or redistributing official +Wireshark packages. + +[discrete] +===== Spelling And Capitalization + +Wireshark is spelled with a capital “W”, and with everything else lower +case. “WireShark” in particular is incorrect. + +[discrete] +===== Main URL + +The official Wireshark project URL is https://www.wireshark.org/. + +[discrete] +===== Download URLs + +Official packages are distributed on the main web server +(www.wireshark.org) and a +https://www.wireshark.org/download.html#spelunking[number of download +mirrors]. The canonical locations for packages are in the _all_versions_ +subdirectories on each server. + +For example, if your packaging system links to or downloads the +source tarball and you want to download from 1.na.dl.wireshark.org, +use + +https://1.na.dl.wireshark.org/download/src/all-versions/wireshark-{wireshark-version}.tar.xz + +instead of + +https://1.na.dl.wireshark.org/download/src/wireshark-{wireshark-version}.tar.xz + +[discrete] +===== Artwork + +Logo and icon artwork can be found in the _image_ directory in the +distribution. This is available online at + +{wireshark-code-browse-url}/image + +[discrete] +===== Licensing + +Wireshark is released under the GNU General Public License version 2 or +later. Make sure you and your package comply with this license. + +[discrete] +===== Trademarks + +Wireshark and the “fin” logo are registered trademarks of the Wireshark +Foundation. Make sure you and your package comply with trademark law. + +[discrete] +===== Privileges + +All function calls that require elevated privileges are in dumpcap. + +WIRESHARK CONTAINS OVER THREE MILLION LINES OF SOURCE CODE. DO NOT RUN +THEM AS ROOT. + +Warnings are displayed when Wireshark and TShark are run as root. + +There are two <<ChToolsCMake,configure-time options>> on non-Windows +systems that affect the privileges a normal user needs to capture +traffic and list interfaces: + +-DDUMPCAP_INSTALL_OPTION=capabilities:: +Install dumpcap with cap_net_admin and cap_net_raw capabilities. Linux +only. + +-DDUMPCAP_INSTALL_OPTION=suid:: +Install dumpcap setuid root. + +These are necessary for non-root users to be able to capture on most +systems, e.g. on Linux or FreeBSD if the user doesn't have permissions +to access /dev/bpf*. Setcap installation is preferred over setuid on +Linux. If `-DDUMPCAP_INSTALL_OPTION=capabilities` is used it will +override any setuid settings. + +The `-DENABLE_CAP` option is only useful when dumpcap is installed +setuid. If it is enabled dumpcap will try to drop any setuid privileges +it may have while retaining the `CAP_NET_ADMIN` and `CAP_NET_RAW` +capabilities. It is enabled by default, if the Linux capabilities +library (on which it depends) is found. + +Note that enabling setcap or setuid installation allows packet capture +for ALL users on your system. If this is not desired, you can restrict +dumpcap execution to a specific group or user. The following two examples +show how to restrict access using setcap and setuid respectively: + +[source,sh] +---- +# groupadd -g packetcapture +# chmod 750 /usr/bin/dumpcap +# chgrp packetcapture /usr/bin/dumpcap +# setcap cap_net_raw,cap_net_admin+ep /usr/bin/dumpcap + +# groupadd -g packetcapture +# chgrp packetcapture /usr/bin/dumpcap +# chmod 4750 /usr/bin/dumpcap +---- + +[discrete] +===== Customization + +Custom version information can be added by running +`tools/make-version.py`. If your package contains significant changes we +recommend that you use this to differentiate it from official Wireshark +releases. + +[source, sh] +---- +tools/make-version.py --set-release --untagged-version-extra=-{vcsinfo}-FooCorp --tagged-version-extra=-FooCorp . +---- + +See `tools/make-version.py` for details. + +The Git version corresponding to each release is in _version.h_. It's +defined as a string. If you need a numeric definition, let us know. + +If you have a question not addressed here, please contact +{wireshark-dev-list-email}. + + +[#ChSrcDeb] + +==== Debian: .deb Packages + +The Debian Package is built using dpkg-buildpackage, based on information found in the source tree under _packaging/debian_. +You must create a top-level symbolic link to _packaging/debian_ before building. +See https://www.debian.org/doc/manuals/maint-guide/build.en.html for a more in-depth discussion of the build process. + + +In the wireshark directory, type: + +[source,sh] +---- +ln -snf packaging/debian +export DEB_BUILD_OPTIONS="nocheck" +dpkg-buildpackage -b -us -uc -jauto +---- + +to build the Debian Package. + +[#ChSrcRpm] + +==== Red Hat: .rpm Packages + +You can build an RPM package using the `wireshark_rpm` target. If you +are building from a git checkout, the package version is derived from +the current git HEAD. If you are building from source extracted from a +tarball created with `git archive` (such as those downloaded from +http://www.wireshark.org/download.html), you must place the original +tarball into your build directory. + +The package is built using https://rpm.org/[rpmbuild], which comes as +standard on many flavours of Linux, including Red Hat, Fedora, and +openSUSE. The process creates a clean build environment in +_$\{CMAKE_BINARY_DIR}/packaging/rpm/BUILD_ each time the RPM is built. +The settings that control the build are in +_$\{CMAKE_SOURCE_DIR}/packaging/rpm/wireshark.spec.in_. The generated +SPEC file contains CMake flags and other settings for the RPM build +environment. Many of these come from the parent CMake environment. +Notable ones are: + +* _prefix_ is set to _CMAKE_INSTALL_PREFIX_. By default this is + _/usr/local_. Pass `-DCMAKE_INSTALL_PREFIX=/usr` to create a package + that installs into _/usr_. + +* Whether or not to create the “wireshark-qt” package + (`-DBUILD_wireshark`). + +* Lua, c-ares, nghttp2, and other library support (`-DENABLE_...`). + +* Building with Ninja (`-G Ninja`). + +In your build directory, type: + +[source,sh] +---- +ninja wireshark_rpm +# ...or, if you're using GNU make... +make wireshark_rpm +---- + +to build the binary and source RPMs. When it is finished there will be a +message stating where the built RPM can be found. + +.This might take a while +[TIP] +==== +This creates a tarball, extracts it, compiles Wireshark, and constructs +a package. This can take quite a long time. You can speed up the process +by using Ninja. If you're using GNU make you can add the following to +your `~/.rpmmacros` file to enable parallel builds: + +---- +%_smp_mflags -j %(grep -c processor /proc/cpuinfo) +---- +==== + +Building the RPM package requires quite a few packages and libraries +including GLib, `gcc`, `flex`, Asciidoctor, and Qt development +tools such as `uic` and `moc`. The required Qt packages can usually be +obtained by installing the _qt5-devel_ package. For a complete list of +build requirements, look for the “BuildRequires” lines in +_packaging/rpm/wireshark.spec.in_. + +[#ChSrcOSX] + +==== macOS: .dmg Packages + +The macOS Package is built using macOS packaging tools, based on information found in the source tree under _packaging/macosx_. +It requires https://asciidoctor.org/[Asciidoctor] and https://pypi.org/project/dmgbuild/[dmgbuild]. + +In your build directory, type: + +[source,sh] +---- +ninja wireshark_dmg logray_dmg # (Modify as needed) +# ...or, if you're using GNU make... +make wireshark_dmg logray_dmg # (Modify as needed) +---- + +to build the macOS Packages. + +[#ChSrcNSIS] + +==== Windows: NSIS .exe Installer + +The _Nullsoft Install System_ is a free installer generator for Windows systems. +Instructions on installing it can be found in <<ChToolsNSIS>>. +NSIS is script based. You can find the main Wireshark installer generation script at _packaging/nsis/wireshark.nsi_. + +When building with CMake you must first build the _wireshark_nsis_prep_ target, followed by the _wireshark_nsis_ target, e.g. + +[source,cmd] +---- +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis.vcxproj +---- + +Splitting the packaging projects in this way allows for code signing. + +[TIP] +.This might take a while +==== +Please be patient while the package is compressed. +It might take some time, even on fast machines. +==== + +If everything went well, you will now find something like: +_wireshark-setup-{wireshark-version}.exe_ in +the _packaging/nsis_ directory in your build directory. + +[#ChSrcPortableApps] + +==== Windows: PortableApps .paf.exe Package + +_PortableApps.com_ is an environment that lets users run popular applications +from portable media such as flash drives and cloud drive services. + +* Install the _PortableApps.com Platform_. Install for “all users”, which +will place it in `C:\PortableApps`. + + +* Add the following apps: + +** PortableApps.com Installer +** PortableApps.com Launcher + +When building with CMake you must first build the _wireshark_nsis_prep_ target +(which takes care of general packaging dependencies), followed by the +_wireshark_portableapps_ target, e.g. + +[source,cmd] +---- +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_nsis_prep.vcxproj +> msbuild /m /p:Configuration=RelWithDebInfo wireshark_portableapps.vcxproj +---- + +[TIP] +.This might take a while +==== +Please be patient while the package is compressed. +It might take some time, even on fast machines. +==== + +If everything went well, you will now find something like: +_WiresharkPortable64{underscore}{wireshark-version}.paf.exe_ in +the _packaging/portableapps_ directory. + +[#ChSrcMimeTypes] + +=== Mime Types + +Wireshark uses various mime-types for dragging dropping as well as file formats. +This chapter gives an overview over all the mimetypes being used, as well as the +data format in which data has to be provided for each individual mimetype. + +If not otherwise stated, the data is encoded as a JSON Object. + +==== Display Filter + +**MimeType**: application/vnd.wireshark.displayfilter + +Display filters are being dragged and dropped by utilizing this mime type. + +[source,json] +---- +{ + "filter": "udp.port == 8080", + "field": "udp.port", + "description": "UDP Port" +} +---- + +==== Coloring Rules + +**MimeType**: application/vnd.wireshark.coloringrules + +Coloring Rules are being used for dragging and dropping color rules inside the +coloring rules dialog. + +[source,json] +---- +{ + "coloringrules" : + [ + { + "disabled": false, + "name": "UDP Ports for 8080", + "filter": "udp.port == 8080", + "foreground": "[0x0000, 0x0000, 0x0000]", + "background": "[0xFFFF, 0xFFFF, 0xFFFF]" + } + ] +} +---- + +==== Filter List + +**MimeType**: application/vnd.wireshark.filterlist + +*_Internal Use only_* - used on the filter list for moving entries within the +list + +==== Column List + +**MimeType**: application/vnd.wireshark.columnlist + +*_Internal Use only_* - used on the column list for moving entries within the +list + + +// End of WSDG Chapter Sources + +// vim: set syntax=asciidoc: diff --git a/docbook/wsdg_src/wsdg_tests.adoc b/docbook/wsdg_src/wsdg_tests.adoc new file mode 100644 index 0000000..a9435ca --- /dev/null +++ b/docbook/wsdg_src/wsdg_tests.adoc @@ -0,0 +1,298 @@ +// WSDG Chapter Tests + +[#ChapterTests] +== Wireshark Tests + +The Wireshark sources include a collection of Python scripts that test +the features of Wireshark, TShark, Dumpcap, and other programs that +accompany Wireshark. These are located in the `test` directory of the +Wireshark source tree. + +The command line options of Wireshark and its companion command line +tools are numerous. These tests help to ensure that we don't introduce +bugs as Wireshark grows and evolves. + +[#TestsQuickStart] +=== Quick Start + +The recommended steps to prepare for and run tests with a UN*X toolchain: + +* Install two Python packages, pytest: `pip install pytest pytest-xdist` +* Build programs (“wireshark”, “tshark”, etc.): `ninja` +* Build additional programs for the “unittests” suite: `ninja test-programs` +* Run tests in the build directory: `pytest` + +Replace `ninja` by `make` as needed. + +If building with <<#ChWindowsBuild,Microsoft Visual Studio>> the analogous steps are: + +* Install pytest Python packages: `python -m pip install pytest pytest-xdist` +* Build programs: `msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln` +* Build test-programs: `msbuild /m /p:Configuration=RelWithDebInfo test-programs.vcxproj` +* Run tests: `python -m pytest` + +TIP: Depending on your PATH, you may need to run the pytest module as a +script from your Python interpreter, e.g, `python -m pytest` or +`python3 -m pytest` instead of `pytest`. + +The test suite will attempt to test as much as possible and skip tests +when its dependencies are not satisfied. For example, packet capture +tests require a Loopback interface and capture privileges. To avoid +capture tests, pass the `--disable-capture` option. + +List available tests with `pytest --collectonly`. Enable verbose output +with `pytest --verbose`. For more details, see <<ChTestsRun>>. + +You can also run the "ninja test" target instead of invoking pytest +directly. This will automatically build the test programs dependency, +so it may be preferred for that reason. + +[#ChTestsStructure] +=== Test suite structure + +The following sections describes how the test suite is organized. + +[#TestCoverage] +==== Test Coverage And Availability + +The testing framework can run programs and check their stdout, stderr, +and exit codes. It cannot interact with the Wireshark UI. Tests cover +capture, command line options, decryption, file format support and +conversion, Lua scripting, and other functionality. + +Available tests depend on the libraries with which Wireshark was built. +For example, some decryption tests depend on a minimum version of +Libgcrypt and Lua tests depend on Lua. + +Capture tests depend on the permissions of the user running the test +script. We assume that the test user has capture permissions on Windows +and macOS and capture tests are enabled by default on those platforms. + +TIP: Build the "test-capture" target on Linux (using sudo) to set dumpcap +permissions and enable capture tests. + +If a feature is unavailable, the test will be skipped. For example, if +an old version of Libgcrypt is in use, then some decryption tests will +be skipped while other tests can still run to completion. + +[#TestsLayout] +==== Suites, Cases, and Tests + +The test suite uses pytest as a test runner. Tests are organized according to +suites, cases, and individual tests. Suites correspond to Python modules +that match the pattern “suite_*.py”. Cases correspond to one or more +classes in each module, and case class methods matching the pattern +”test_*” correspond to individual tests. For example, the invalid +capture filter test in the TShark capture command line options test case +in the command line options suite has the ID +“suite_clopts.py::TestTsharkCaptureClopts::test_tshark_invalid_capfilter”. + +[#TestsPytest] +==== pytest fixtures + +A test has typically additional dependencies, like the path to an +executable, the path to a capture file, a configuration directory, the +availability of an optional library, and so on. + +https://pytest.org/[pytest] is a test framework which has full +parallelization support (test-level instead of just suite-level), +provides nice test reports, and allows +https://docs.pytest.org/en/latest/fixture.html[modular fixtures]. + +A fixture is a function decorated with `@pytest.fixture` and can +either call `pytest.skip("reason")` to skip tests that depend on the +fixture, or return/yield a value. +Test functions (and other fixture functions) can receive the fixture +value by using the name of the fixture function as function parameters. +Common fixtures are available in `fixtures_ws.py` and includes +`cmd_tshark` for the path to the `tshark` executable and `capture_file` +for a factory function that produces the path to a capture file. + +[#ChTestsRun] +=== Listing And Running Tests + +Tests are run with https://pytest.org/[pytest]. Pytest features versus the +"unittest" standard library module include finer +test selection, full parallelism, nicer test execution summaries, better output +in case of failures (containing the contents of variables) and the ability to +open the PDB debugger on failing tests. + +To get started, install pytest 3.0 or newer and +https://pypi.org/project/pytest-xdist/[pytest-xdist]: + +[source,sh] +---- +# Install required packages on Ubuntu 18.04 or Debian jessie-backports +$ sudo apt install python3-pytest python3-pytest-xdist + +# Install required packages on other systems +$ pip install pytest pytest-xdist +---- + +Run `pytest` in the Wireshark build directory, Wireshark binaries are assumed to +be present in the `run` subdirectory (or `run\RelWithDebInfo` on Windows). + +[source,sh] +---- +# Run all tests +$ cd /path/to/wireshark/build +$ pytest + +# Run all except capture tests +$ pytest --disable-capture + +# Run all tests with "decryption" in its name +$ pytest -k decryption + +# Run all tests with an explicit path to the Wireshark executables +$ pytest --program-path /path/to/wireshark/build/run +---- + +To list tests without actually executing them, use the `--collect-only` option: + +[source,sh] +---- +# List all tests +$ pytest --collect-only + +# List only tests containing both "dfilter" and "tvb" +$ pytest --collect-only -k "dfilter and tvb" +---- + +The test suite will fail tests when programs are missing. When only a +subset of programs are built or when some programs are disabled, then +the test suite can be instructed to skip instead of fail tests: + +[source,sh] +---- +# Run tests when libpcap support is disabled (-DENABLE_PCAP=OFF) +$ pytest --skip-missing-programs dumpcap,rawshark + +# Run tests and ignore all tests with missing program dependencies +$ pytest --skip-missing-programs all +---- + +To open a Python debugger (PDB) on failing tests, use the `--pdb` option and +disable parallelism with the `-n0` option: + +[source,sh] +---- +# Run decryption tests sequentially and open a debugger on failing tests +$ pytest -n0 --pdb -k decryption +---- + +[#ChTestsDevelop] +=== Adding Or Modifying Tests + +Tests must be in a Python module whose name matches “suite_*.py”. The +module must contain one or more subclasses with a name starting with +"Test" something, for example "class TestDissectionHttp2:". Each test case +method whose name starts with “test_” constitutes an individual test. + +Success or failure conditions are signalled using regular assertions +with the "assert" Python keyword. + +Test dependencies (such as programs, directories, or the environment +variables) are injected through method parameters. Commonly used +fixtures include `cmd_tshark` and `capture_file`. + +Processes (tshark, capinfos, etc.) are run using the "subprocess" Python module, +or the Wireshark `subprocesstest` module with some convenience functions. +Possible functions include `subprocesstest.run()`, `subprocesstest.check_run()` +or creating `subprocess.Popen` object if the utility functions are not sufficient for some reason. +Usually this is only required if two-way communication is performed with +the child process. `subprocesstest.check_run()` is exactly the same as +calling `subprocesstest.run()` with `check=True` as an argument, only +a bit more expressive. + +Check the documentation for the Python subprocess module for a full description +of the arguments available to the `subprocesstest.run()` convenience wrapper +and the `subprocess.Popen` object. + +All of the current tests run one or more of Wireshark's suite of +executables and either check their return code or their output. A +simple example is “suite_clopts.py::TestBasicClopts::test_existing_file”, +which reads a capture file using TShark and checks its exit code. + +[source,python] +---- +import subprocesstest +import pytest + +class TestBasicClopts: + def test_existing_file(self, cmd_tshark, capture_file, test_env): + subprocess.check_run((cmd_tshark, '-r', capture_file('dhcp.pcap')), env=test_env) +---- + +Output can be checked using `assert subprocesstest.grep_output()`, +`assert subprocesstest.count_output()` or any other `assert` statement. +`subprocesstest.check_run()` also asserts that the child process returns +the value 0 as exit code. + +[source,python] +---- +import subprocesstest +import pytest + +class TestDecrypt80211: + def test_80211_wpa_psk(self, cmd_tshark, capture_file, test_env): + tshark_proc = subprocesstest.run((cmd_tshark, + '-o', 'wlan.enable_decryption: TRUE', + '-Tfields', + '-e', 'http.request.uri', + '-r', capture_file('wpa-Induction.pcap.gz'), + '-Y', 'http', + ), capture_output=True, env=test_env) + assert 'favicon.ico' in tshark_proc.stdout +---- + +Tests can be run in parallel. This means that any files you create must +be unique for each test. Filenames based on the current test name are +generated using fixtures such as "capture_file" and "result_file". By default +pytest generates paths in the system's temporary directory and the last three +pytest runs are kept. Temporary files from older runs are automatically deleted. + +[#ChTestsExternal] +=== External Tests + +You can create your own Python test files outside of the Wireshark source tree. +To include your tests when running the Wireshark test suite, simply add the +directory containing your test files to the `pytest` command line. Note that +filenames must match the same conventions as discussed above. + +In order for your tests to have access to the Wireshark test fixtures, you will +need this line in each test file: + +[source,python] +---- +from fixtures_ws import * +---- + +[#ChTestsExtFixtures] +==== Custom Fixtures + +You may wish to define your own test fixtures -- for example, a fixture similar +to `capture_file` but which gives the path to a file in your external test +directory. Here is an example Python file containing such a fixture. It presumes +a subdirectory named `extra_captures` which exists in the same directory, and +which contains your extra capture files. + +[source,python] +---- +# my_fixtures.py +# To use in your own tests, import like so: +# from my_fixtures import * + +from pathlib import Path +import pytest + +@pytest.fixture(scope='session') +def extra_file(): + def resolver(filename): + return Path(__file__).parent.joinpath("extra_captures", filename) + return resolver +---- + +NOTE: If you give your fixture the same name as an existing Wireshark fixture, +any tests using your fixture library will lose access to the Wireshark fixture +of the same name. This can lead to confusing behavior and is not recommended. diff --git a/docbook/wsdg_src/wsdg_tools.adoc b/docbook/wsdg_src/wsdg_tools.adoc new file mode 100644 index 0000000..f1d99e9 --- /dev/null +++ b/docbook/wsdg_src/wsdg_tools.adoc @@ -0,0 +1,1043 @@ +// WSDG Chapter Tools + +[#ChapterTools] + +== Tool Reference + +[#ChToolsIntro] + +=== Introduction + +This chapter will provide you with information about the various tools +needed for Wireshark development. None of the tools mentioned in this +chapter are needed to run Wireshark. They are only needed to build it. + +Most of these tools have their roots on UNIX or UNIX-like platforms such +as Linux, but Windows ports are also available. Therefore the tools are +available in different "flavours": + +* UNIX and UNIX-like platforms: The tools should be commonly available + on the supported UNIX and UNIX-like platforms. Cygwin is unsupported. +* Windows native: Some tools are available as native Windows tools, no + special emulation is required. Many of these tools can be installed + (and updated) using https://chocolatey.org[Chocolatey], a Windows + package manager similar to the Linux package managers apt-get or yum. + +[WARNING] +.Follow the directions +==== +Unless you know exactly what you are doing, you should strictly follow the recommendations given in <<ChapterSetup>>. +==== + +The following sections give a very brief description of +what a particular tool is doing, how it is used in the +Wireshark project and how it can be installed and +tested. + +Documentation for these tools is outside the scope of this document. If you need +further information on using a specific tool you should find lots of useful +information on the web, as these tools are commonly used. You can also get help +for the UNIX based tools with `**toolname** --help` or the man page via `man +**toolname**`. + +You will find explanations of the tool usage for some of the specific +development tasks in <<ChapterSources>>. + +[#ChToolsChocolatey] +=== Chocolatey + +Chocolatey is a Windows package manager that can be used to install (and update) +many of the packages required for Wireshark development. Chocolatey can be +obtained from the https://chocolatey.org[website] or from a Command Prompt: + +[source,cmd] +---- +C:\>@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString(_https://chocolatey.org/install.ps1_))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin +---- + +or a Powershell prompt: + +[source,cmd] +---- +PS:\>iex ((new-object net.webclient).DownloadString(_https://chocolatey.org/install.ps1_)) +---- + +Chocolatey sometimes installs packages in unexpected locations. Python +is a notable example. While it's typically installed in a top-level +directory, e.g. _C:\Python37_ or in %PROGRAMFILES%, e.g. _C:\Program +Files\Python37_, Chocolatey tends to install it under +_C:\ProgramData\chocolatey_ or _C:\Tools_. If you want to avoid this +behavior you'll probably want to install Python using the packages from +python.org. + +Other package managers for Windows include the https://docs.microsoft.com/en-us/windows/package-manager/[Windows Package Manager (winget)] and https://scoop.sh/[Scoop]. +As of January 2022 neither option provides all of the packages we require, but that might change in the future. + +[#ChToolsCMake] + +=== CMake + +Wireshark’s build environment can be configured using CMake on various UNIX-like platforms, including Linux, macOS, and *BSD, and on Windows. +CMake is designed to support out-of-tree builds - so much so that in-tree builds do not work properly in all cases. +Along with being cross-platform, CMake supports many build tools and environments including traditional make, Ninja, and MSBuild. + +Building with CMake typically includes creating a build directory and +specifying a *generator*, aka a build tool. For example, to build +Wireshark using Ninja in the directory _wireshark-ninja_ you might +run the following commands: + +[source,sh] +---- +# Starting from your Wireshark source directory, create a build directory +# alongside it. +$ cd .. +$ mkdir wireshark-ninja +$ cd wireshark-ninja +# Assumes your source directory is named "wireshark". +$ cmake -G Ninja ../wireshark +$ ninja (or cmake --build .) +---- + +Using CMake on Windows is described further in <<ChWindowsGenerate>>. + +Along with specifying a generator with the `-G` flag you can set variables +using the `-D` flag. Useful variables and generators include the following: + +-DBUILD_wireshark=OFF:: Don't build the Wireshark GUI application. +Each command line utility has its own BUILD_xxx flag as well. For +example, you can use -DBUILD_mmdbresolve=OFF to disable mmdbresolve. + +-DENABLE_CCACHE=ON:: Build using the ccache compiler cache. + +-DENABLE_CAP=OFF:: Disable the POSIX capabilities check + +-DCMAKE_BUILD_TYPE=Debug:: Enable debugging symbols + +-DCARES_INCLUDE_DIR=/your/custom/cares/include, -DCARES_LIBRARY=/your/custom/cares/lib/libcares.so:: +Let you set the path to a locally-compiled version of c-ares. Most +optional libraries have xxx_INCLUDE_DIR and xxx_LIB flags that let you +control their discovery. + +-DCMAKE_OSX_DEPLOYMENT_TARGET=10.12:: +Specify the minimum macOS version for Wireshark and each command line utility. +Note that this doesn’t affect the minimum target for third-party libraries. +For example, if you’re building for macOS 10.12 you’ll need to install https://doc.qt.io/archives/qt-5.13/supported-platforms.html[Qt 5.14 or earlier] and ensure that other libraries support macOS 10.12, for example by running `tools/macos-setup.sh -t 10.12`. + +-DENABLE_APPLICATION_BUNDLE=OFF:: Disable building an application bundle (Wireshark.app) on macOS + +You can list all build variables (with help) by running `cmake -LH [options] +../<Name_of_WS_source_dir>`. This lists the cache of build variables +after the cmake run. To only view the current cache, add option `-N`. + +Depending on your needs, it might be useful to save your CMake configuration options in a file outside your build directory. +CMake supports this via its https://cmake.org/cmake/help/v3.23/manual/cmake-presets.7.html[presets] option. +For example, adding the follwing to `CMakeUserPresets.json` would let you build using Ninja in the `build` directory, enable ccache, and set a custom Qt directory by running `cmake --preset mydev`: + +[source,json] +---- +{ + "version": 4, + "configurePresets": [ + { + "name": "mydev", + "displayName": "Local development", + "generator": "Ninja", + "binaryDir": "${sourceDir}/build", + "cacheVariables": { + "ENABLE_CCACHE": "ON" + }, + "environment": { + "CMAKE_PREFIX_PATH": "/usr/local/Qt6" + } + } + ] +} +---- + +After running cmake, you can always run `make help` to see a list of all possible make targets. + +Note that CMake honors user umask for creating directories as of now. You should set +the umask explicitly before running the `install` target. + +CMake links: + +The home page of the CMake project: https://cmake.org/ + +Official documentation: https://cmake.org/documentation/ + +About CMake in general and why KDE4 uses it: https://lwn.net/Articles/188693/ + +Useful variables: https://gitlab.kitware.com/cmake/community/wikis/doc/cmake/Useful-Variables + +Frequently Asked Questions: https://gitlab.kitware.com/cmake/community/wikis/FAQ + +[#ChToolsGNUChain] + +=== GNU Compiler Toolchain (UNIX And UNIX-like Platforms) + +[#ChToolsGCC] + +==== gcc (GNU Compiler Collection) + +The GCC C compiler is available for most UNIX and UNIX-like operating +systems. + +If GCC isn't already installed or available +as a package for your platform, you can get it at: +https://gcc.gnu.org/[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ gcc --version +---- + +should result in something like + +---- +gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1 +Copyright (C) 2014 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +---- + +Your version string may vary, of course. + +[#ChToolsGDB] + +==== gdb (GNU Project Debugger) + +GDB is the debugger for the GCC compiler. It is +available for many (if not all) UNIX-like platforms. + +If you don't like debugging using the command line, many +https://sourceware.org/gdb/wiki/GDB%20Front%20Ends[GUI frontends for it +available], including Qt Creator, CLion, and Eclipse. + +If gdb isn't already installed or available +as a package for your platform, you can get it at: +https://www.gnu.org/software/gdb/gdb.html[]. + +After correct installation: + +[source,sh] +---- +$ gdb --version +---- + +should result in something like: + +---- +GNU gdb (GDB) 8.3 +Copyright (C) 2019 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +---- + +Your version string may vary, of course. + +[#ChToolsGNUmake] + +==== make (GNU Make) + +[NOTE] +.GNU make isn't supported either for Windows + +GNU Make is available for most of the UNIX-like +platforms. + +If GNU Make isn't already installed or +available as a package for your platform, you can get it at: +https://www.gnu.org/software/make/[]. + +After correct installation: + +[source,sh] +---- +$ make --version +---- + +should result in something like: + +---- +GNU Make 4.0 +Built for x86_64-pc-linux-gnu +Copyright (C) 1988-2013 Free Software Foundation, Inc. +Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +---- + +Your version string may vary, of course. + +==== Ninja + +Ninja is an alternative to make, and is available for many of the +UNIX-like platforms. It runs builds faster than make does. + +It is designed to have its build files generated by tools such as CMake; +to generate build files for Ninja, run CMake with the `-G Ninja` flag. + +If Ninja isn't already installed, see the list of suggestions for Ninja +packages at: +https://github.com/ninja-build/ninja/wiki/Pre-built-Ninja-packages. + +If Ninja isn't already installed and isn't +available as a package for your platform, you can get it from: +https://ninja-build.org. You can download the source code or binaries +for Linux, macOS, and Windows (we have not tested Ninja on Windows). + +[#ChToolsMSChain] + +=== Microsoft compiler toolchain (Windows native) + +To compile Wireshark on Windows using the Microsoft C/{cpp} +compiler (MSVC), you'll need: + +. C compiler (_cl.exe_) + +. Assembler (_ml.exe_ for 32-bit targets and _ml64.exe_ for 64-bit targets) + +. Linker (_link.exe_) + +. Resource Compiler (_rc.exe_) + +. C runtime headers and libraries (e.g. _stdio.h_, _vcruntime140.lib_) + +. Windows platform headers and libraries (e.g. +_windows.h_, _WS2_32.lib_) + +==== Official Toolchain Packages And Alternatives + +Official releases are or were built with the following Visual {cpp} versions: + +* Wireshark 4.2.x: Microsoft Visual {cpp} 2022. +* Wireshark 4.0.x: Microsoft Visual {cpp} 2022. +* Wireshark 3.6.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.4.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.2.x: Microsoft Visual {cpp} 2019. +* Wireshark 3.0.x: Microsoft Visual {cpp} 2017. +* Wireshark 2.6.x: Microsoft Visual {cpp} 2017. +* Wireshark 2.4.x: Microsoft Visual {cpp} 2015. +* Wireshark 2.2.x: Microsoft Visual {cpp} 2013. +* Wireshark 2.0.x: Microsoft Visual {cpp} 2013. +* Wireshark 1.12.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.10.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.8.x: Microsoft Visual {cpp} 2010 SP1. +* Wireshark 1.6.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.4.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.2.x: Microsoft Visual {cpp} 2008 SP1. +* Wireshark 1.0.x and earlier: Microsoft Visual {cpp} 6.0. + +Using the release compilers is recommended for Wireshark development work. + +“Community” editions of Visual Studio such as “Visual Studio Community +2022” can be used to compile Wireshark but any PortableApps packages you +create with them might require the installation of a separate Visual +{cpp} Redistributable package on any machine on which the PortableApps +package is to be used. See <<msvc-runtime-redistributable>> below for +more details. + +However, you might already have a different Microsoft {cpp} compiler +installed. It should be possible to use any of the following with the +considerations listed. You will need to sign up for a +https://visualstudio.microsoft.com/dev-essentials/[Visual Studio Dev +Essentials] account if you don't have a Visual Studio (MSDN) +subscription. The older versions can be downloaded from +https://visualstudio.microsoft.com/vs/older-downloads/[]. + +==== Visual {cpp} 2022 Community Edition + +IDE + Debugger?:: Yes + +SDK required for 64-bit builds?:: No + +CMake Generator: *`Visual Studio 17`* + +You can use Chocolatey to install Visual Studio, e.g: + +[source,cmd] +---- +PS:\> choco install visualstudiocommunity2022 visualstudio2022-workload-nativedesktop +---- + +If you wish to build Arm64 executables you must install the following components: + +Microsoft.VisualStudio.Component.VC.Tools.ARM64:: MSVC v143 - VS 2022 C++ ARM64/ARM64EC build tools (Latest) + +Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre:: MSVC v143 - VS 2022 C++ ARM64/ARM64EC Spectre-mitigated libs (Latest) + +==== cl.exe (C Compiler) + +The following table gives an overview of the possible +Microsoft toolchain variants and their specific C compiler +versions ordered by release date. + +|=== +| Compiler Package | V{cpp} | _MSC_VER +| Visual Studio 2022 (17.4.2) | 14.34 | 1934 +|=== + +A description of `_MSC_VER` and `_MSC_FULL_VER`, and their relation to Visual Studio and compiler versions, +can be found at +https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170[Microsoft-specific predefined macros]. + +Information on the V{cpp} version can be found in the file _wsutil/version_info.c_. + +After correct installation of the toolchain, typing +at the Visual Studio Command line prompt (cmd.exe): + +[source,cmd] +---- +> cl +---- + +should result in something like: + +---- +Microsoft (R) C/C++ Optimizing Compiler Version 19.23.28106.4 for x64 +Copyright (C) Microsoft Corporation. All rights reserved. + +usage: cl [ option... ] filename... [ /link linkoption... ] +---- + +However, the version string may vary. + +Documentation on recent versions of the compiler can be found at +https://docs.microsoft.com/en-us/cpp/build/reference/compiling-a-c-cpp-program[Microsoft Docs] + +==== link.exe (Linker) + +After correct installation, typing at the Visual Studio Command line prompt (cmd.exe): + +[source,cmd] +---- +> link +---- + +should result in something like: + +---- +Microsoft (R) Incremental Linker Version 14.23.28106.4 +Copyright (C) Microsoft Corporation. All rights reserved. + + usage: LINK [options] [files] [@commandfile] + ... +---- + +However, the version string may vary. + +Documentation on recent versions of the linker can be found at +https://docs.microsoft.com/en-us/cpp/build/reference/linking[Microsoft Docs] + +[#msvc-runtime-redistributable] + +==== Visual {cpp} Runtime “Redistributable” Files + +Please note: The following is not legal advice. Ask your preferred +lawyer instead. It’s the authors view and this view might be wrong. + +Wireshark and its libraries depend on POSIX functions such as fopen() +and malloc(). On Windows, these functions are provided by the Microsoft +Visual {cpp} C Runtime (CRT). There are many different versions of the CRT and +Visual {cpp} 2015 and later use the _Universal CRT_ (UCRT). + +The Universal CRT comes standard with Windows 10 and is installed as part +of Windows Update on earlier versions of Windows. The Wireshark .exe +installers include redistributables (_vc_redist.x64.exe_ or +_vc_redist.x86.exe_) which ensure that the Universal CRT is installed and +up to date. + +[NOTE] +.Make sure you're allowed to distribute this file +==== +The files to redistribute must be mentioned in the +redist.txt file of the compiler package. Otherwise it +can't be legally redistributed by third parties like +us. +==== + +The following Microsoft Docs link is recommended for the +interested reader: + +https://docs.microsoft.com/en-us/cpp/windows/redistributing-visual-cpp-files[Redistributing Visual {cpp} Files] + +In all cases where _vc_redist.x64.exe_ or _vc_redist.x86.exe_ is +downloaded it should be downloaded to the directory into which the +support libraries for Wireshark have been downloaded and installed. This +directory is specified by the `WIRESHARK_BASE_DIR` or +`WIRESHARK_LIB_DIR` environment variables. It need not, and should not, +be run after being downloaded. + +==== Windows Platform SDK + +The Windows Platform SDK (PSDK) or Windows SDK is a free +(as in beer) download and contains platform specific headers and +libraries (e.g. _windows.h_, _WSock32.lib_, etc.). As new Windows +features evolve in time, updated SDKs become available that +include new and updated APIs. + +When you purchase a commercial Visual Studio or use the Community +Edition, it will include an SDK. + +[#ChToolsDocumentationToolchain] +=== Documentation Toolchain + +Wireshark’s documentation is split across two directories. +The `doc` directory contains man pages written in Asciidoctor markup. +The `docbook` directory contains the User’s Guide, Developer’s Guide, and the release notes, which are also written in Asciidoctor markup. +The split is for historical reasons (described below), and the documentation will likely be consolidated into one directory in the future. + +Our various output formats are generated using the following tools. +Intermediate formats are in _italics_. + +Man page roff:: Asciidoctor +Man page HTML:: Asciidoctor + +Guide HTML:: Asciidoctor → _DocBook XML_ → xsltproc + DocBook XSL +Guide PDF:: Asciidoctor + +Release notes HTML:: Asciidoctor +Release notes text:: Asciidoctor → _HTML_ → html2text.py + +==== Asciidoctor + +https://asciidoctor.org/[Asciidoctor] comes in several flavors: a Ruby gem (Asciidoctor), a Java bundle (AsciidoctorJ), and transpiled JavaScript (Asciidoctor.js). +The Ruby and Java flavors can be used to build Wireshark’s documentation, but the JavaScript flavor doesn’t support all of the features that we require. +// We need docbook5, PDF & EPUB output and macros + +The guides and release notes were originally written in DocBook (hence the directory name). +They were later converted to AsciiDoc and then migrated to Asciidoctor. +The man pages were originally in Perl’s POD (Plain Old Documentation) format and were later converted to Asciidoctor. +We use Asciidoctor’s modern (>= 1.5.0) syntax. + +PDF output requires Asciidoctor’s PDF backend. +It is included with AsciidoctorJ but _not_ with Asciidoctor. + +==== DocBook XML and XSL + +Converting from DocBook to HTML requires the DocBook DTD +(http://www.sagehill.net/docbookxsl/ToolsSetup.html) +and DocBook stylesheets +(http://www.sagehill.net/docbookxsl/InstallStylesheets.html). +These are available via installable packages on most Linux distributions, Chocolatey, and Homebrew. + +==== xsltproc + +http://xmlsoft.org/xslt/[xsltproc] converts DocBook XML to various formats based on XSL stylesheets. +It either ships as part of the operating system or is available via an installable package on most Linux distributions, Chocolatey, and Homebrew. + +[#ChToolsDebugger] + +=== Debugger + +Using a good debugger can save you a lot of development time. + +The debugger you use must match the C compiler Wireshark was compiled with, +otherwise the debugger will simply fail or you will only see a lot of garbage. + +[#ChToolsMSVCDebugger] + +==== Visual Studio Integrated Debugger + +You can use the integrated debugger of Visual Studio if your toolchain includes +it. Open the solution in your build directory and build and debug as normal +with a Visual Studio solution. + +To set the correct paths for Visual Studio when running Wireshark under the +debugger, add the build output directory to the path before opening Visual +Studio from the same command prompt, e.g. + +[source,cmd] +---- +C:\Development\wsbuild64>set PATH="%PATH%;C:\Development\wsbuild64\run\RelwithDebInfo" +C:\Development\wsbuild64>wireshark.sln +---- + +for PowerShell use + +[source,cmd] +---- +PS C:\Development\wsbuild64>$env:PATH += ";$(Convert-Path run\RelWithDebInfo)" +PS C:\Development\wsbuild64>wireshark.sln +---- + +When Visual Studio has finished loading the solution, set the executable to +be run in the debugger, e.g. Executables\Wireshark, by right clicking it in +the Solution Explorer window and selecting "Set as StartUp Project". Also +set the Solution Configuration (usually RelWithDebInfo) from the droplist on +the toolbar. + +NOTE: Currently Visual Studio regards a command line build as incomplete, so +will report that some items need to be built when starting the debugger. These +can either be rebuilt or ignored as you wish. + + +The normal build is an optimised release version so debugging can be a bit +difficult as variables are optimised out into registers and the execution +order of statements can jump around. + +If you require a non-optimised version, then build using a debug configuration. + +[#ChToolsMSDebuggingTools] + +==== Debugging Tools For Windows + +You can also use the Microsoft Debugging Tools for Windows toolkit, which is a +standalone GUI debugger. Although it’s not that comfortable compared to +debugging with the Visual Studio integrated debugger it can be helpful if you +have to debug on a machine where an integrated debugger is not available. + +You can get it free of charge from Microsoft in several ways, see the +https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/[Debugging tools for Windows] page. + +You can also use Chocolatey to install WinDbg: + +[source,cmd] +---- +PS:\> choco install windbg +---- + +To debug Wireshark using WinDbg, open the built copy of Wireshark using +the File -> Open Executable... menu, +i.e. C:\Development\wsbuild64\run\RelWithDebInfo\Wireshark.exe. To set a +breakpoint open the required source file using the File -> Open Source File... +menu and then click on the required line and press F9. To run the program, +press F5. + +If you require a non-optimised version, then build using a debug configuration, e.g. +*`msbuild /m /p:Configuration=Debug Wireshark.sln`*. The build products will be found +in C:\Development\wsbuild64\run\Debug\. + +[#ChToolsBash] + +=== bash + +The bash shell is needed to run several shell scripts. + +[#ChToolsGNUBash] + +[discrete] +==== Unix + +Bash (the GNU Bourne-Again SHell) is available for most UNIX and +UNIX-like platforms. If it isn't already installed or available as a +package for your platform, you can get it at +https://www.gnu.org/software/bash/bash.html[]. + +After correct installation, typing at the bash command line prompt: + +[source,sh] +---- +$ bash --version +---- + +should result in something like: + +---- +GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu) +Copyright (C) 2016 Free Software Foundation, Inc. +---- + +Your version string will likely vary. + +[#ChToolsPython] + +=== Python + +https://python.org/[Python] is an interpreted programming language. +It is used to generate some source files, documentation, testing and other tasks. +Python 3.6 and later is required. +Python 2 is no longer supported. + +Python is either included or available as a package on most UNIX-like platforms. +Windows packages and source are available at https://python.org/download/[]. + +You can also use Chocolatey to install Python: + +[source,cmd] +---- +PS:\> choco install python3 +---- + +Chocolatey installs Python into _C:\Python37_ by +default. You can verify your Python version by running + +[source,sh] +---- +$ python3 --version +---- + +on UNIX-like platforms and + +[source,cmd] +---- +rem Official package +C:> cd python35 +C:Python35> python --version + +rem Chocolatey +C:> cd \tools\python3 +C:\tools\python3> python --version +---- + +on Windows. You should see something like + +---- +Python 3.5.1 +---- + +Your version string may vary of course. + +[#ChToolsFlex] + +=== Flex + +Flex is a lexical analyzer generator used for Wireshark’s display filters, some +file formats, and other features. + +[#ChToolsUnixFlex] + +[discrete] +==== Unix + +Flex is available for most UNIX and UNIX-like platforms. See the next +section for native Windows options. + +If GNU flex isn't already installed or available as a package for your platform +you can get it at https://www.gnu.org/software/flex/[]. + +After correct installation running the following + +[source,sh] +---- +$ flex --version +---- + +should result in something like: + +---- +flex version 2.5.4 +---- + +Your version string may vary. + +[#ChToolsWindowsFlex] + +[discrete] +==== Windows + +A native Windows version of flex is available in the _winflexbison3_ +https://chocolatey.org/[Chocolatey] package. Note that the executable is named +_win_flex_. + +[source,cmd] +---- +PS:\> choco install winflexbison3 +---- + +Native packages are available from other sources such as +http://gnuwin32.sourceforge.net/packages/flex.htm[GnuWin]. They aren't +officially supported but _should_ work. + +[#ChToolsGit] + +=== Git client + +The Wireshark project uses its own Git repository to keep track of all +the changes done to the source code. Details about the usage of Git in +the Wireshark project can be found in <<ChSrcGitRepository>>. + +If you want to work with the source code and are planning to commit your +changes back to the Wireshark community, it is recommended to use a Git +client to get the latest source files. For detailed information about +the different ways to obtain the Wireshark sources, see <<ChSrcObtain>>. + +You will find more instructions in <<ChSrcGit>> on how to use the Git +client. + +[#ChToolsUnixGit] + +[discrete] +==== Unix + +Git is available for most UNIX and UNIX-like platforms. If Git isn't +already installed or available as a package for your platform, you can +get it at: https://git-scm.com/[]. + +After correct installation, typing at the bash command line prompt: + +[source,sh] +---- +$ git --version +---- + +should result in something like: + +---- +git version 2.14.1 +---- + +Your version will likely be different. + +[#ChToolsWindowsGit] + +[discrete] +==== Windows + +The Git command line tools for Windows can be found at +https://git-scm.com/download/win[] and can also be installed using Chocolatey: + +[source,cmd] +---- +PS:\> choco install git +---- + +After correct installation, typing at the command +line prompt (cmd.exe): + +[source,cmd] +---- +> git --version +---- + +should result in something like: + +---- +git version 2.16.1.windows.1 +---- + +However, the version string may vary. + +[#ChToolsGitPowerShellExtensions] + +=== Git Powershell Extensions (Optional) + +A useful tool for command line git on Windows is https://github.com/dahlbyk/posh-git[PoshGit]. +Poshgit provides git command completion and alters the prompt to indicate the local working +copy status. You can install it using Chocolatey: + +[source,cmd] +---- +PS:\> choco install poshgit +---- + +[#ChToolsGitGUI] + +=== Git GUI Client (Optional) + +Along with the traditional command-line client, several +GUI clients are available for a number of platforms. See +https://git-scm.com/downloads/guis[] for details. + +// [[ChToolsUnixGitGUI]] +// XXX Add Gui client section + +[#ChToolsPerl] + +=== Perl (Optional) + +https://www.perl.org[Perl] is an interpreted programming language. +Perl is used to convert various text files into usable source code and for various source code checks. +Perl version 5.6 and above should work fine. + +[#ChToolsUnixPerl] + +[discrete] +==== Unix + +Perl is available for most UNIX and UNIX-like platforms. If it isn't +already installed or available as a package for your platform, you can +get it at https://www.perl.org/[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ perl --version +---- + +should result in something like: + +---- +This is perl 5, version 26, subversion 0 (v5.26.0) built for x86_64-linux-gnu-thread-multi +(with 62 registered patches, see perl -V for more detail) + +Copyright 1987-2017, Larry Wall + +Perl may be copied only under the terms of either the Artistic License or the +GNU General Public License, which may be found in the Perl 5 source kit. + +Complete documentation for Perl, including FAQ lists, should be found on +this system using "man perl" or "perldoc perl". If you have access to the +Internet, point your browser at http://www.perl.org/, the Perl Home Page. +---- + +However, the version string may vary. + +[#ChToolsWindowsPerl] + +[discrete] +==== Windows + +A native Windows Perl package can be obtained from +http://strawberryperl.com/[Strawberry Perl] or +https://www.activestate.com[Active State]. The installation should be +straightforward. + +You may also use Chocolatey to install either package: + +---- +PS:\> choco install strawberryperl +---- + +or + +---- +PS:\> choco install activeperl +---- + +After correct installation, typing at the command +line prompt (cmd.exe): + +---- +> perl -v +---- + +should result in something like: + +---- +This is perl, v5.8.0 built for MSWin32-x86-multi-thread +(with 1 registered patch, see perl -V for more detail) + +Copyright 1987-2002, Larry Wall + +Binary build 805 provided by ActiveState Corp. http://www.ActiveState.com +Built 18:08:02 Feb 4 2003 +... +---- + +However, the version string may vary. + +[#ChToolsPatch] + +=== patch (Optional) + +The patch utility is used to merge a diff file into your own source tree. This +tool is only needed, if you want to apply a patch (diff file) from someone else +(probably from the developer mailing list) to try out in your own private source +tree. + +It most cases you may not need the patch tool installed. Git should +handle patches for you. + +// You will find more instructions in <<ChSrcPatchApply>>on how to use the patch tool. + +[#ChToolsUnixPatch] + +[discrete] +==== Unix + +Patch is available for most UNIX and UNIX-like platforms. If GNU patch +isn't already installed or available as a package for your platform, you +can get it at https://www.gnu.org/software/patch/patch.html[]. + +After correct installation, typing at the +bash command line prompt: + +[source,sh] +---- +$ patch --version +---- + +should result in something like: + +---- +patch 2.5.8 +Copyright (C) 1988 Larry Wall +Copyright (C) 2002 Free Software Foundation, Inc. + +This program comes with NO WARRANTY, to the extent permitted by law. +You may redistribute copies of this program +under the terms of the GNU General Public License. +For more information about these matters, see the file named COPYING. + +written by Larry Wall and Paul Eggert +---- + +However, the version string may vary. + +[#ChToolsWindowsPatch] + +[discrete] +==== Windows + +The Windows native Git tools provide patch. A native Windows patch package can be obtained from +http://gnuwin32.sourceforge.net/[]. The +installation should be straightforward. + +[#ChToolsNSIS] + +=== Windows: NSIS (Optional) + +The NSIS (Nullsoft Scriptable Install System) is used to generate +_Wireshark-{wireshark-version}-x64.exe_ from all the files +needed to be installed, including all required DLLs, plugins, and supporting +files. + +To install it, download the latest released version from +https://nsis.sourceforge.net[]. NSIS v3 is required. You can also install +it using Chocolatey: + +[source,cmd] +---- +PS$> choco install nsis +---- + +You can find more instructions on using NSIS in <<ChSrcNSIS>>. + +[#ChToolsWiX] + +=== Windows: WiX Toolset (Optional) + +The Wix Toolset can be used to generate Windows Installer (_.msi_) packages. +You can download it from the link:https://wixtoolset.org/[WiX web site] or install it using Chocolatey: + +[source,cmd] +---- +PS$> choco install wixtoolset +---- + +This also requires the Visual C++ redistributable merge modules, which can be installed by selecting “Individual Components -> {cpp} 2022 Redistributable MSMs” or “...2019 Redistributable MSMs” as appropriate for your compiler in the Visual Studio installer. + +Wireshark’s .msi packaging is currently experimental and the generated packages may be incomplete. + +[#ChToolsPortableApps] +=== Windows: PortableApps (Optional) + +The PortableApps.com Installer is used to generate +_WiresharkPortable64{underscore}{wireshark-version}.paf.exe_ from all the files +needed to be installed, including all required DLLs, plugins, and supporting +files. + +To install it, do the following: + +* Download the latest PortableApps.com Platform release from + https://portableapps.com/[]. + +* Install the following applications in the PortableApps.com environment: + +** PortableApps.com Installer + +** PortableApps.com Launcher + +You can find more instructions on using the PortableApps.com Installer in +<<ChSrcPortableApps>>. + +// End of WSDG Chapter Tools + +// vim: set syntax=asciidoc: diff --git a/docbook/wsdg_src/wsdg_userinterface.adoc b/docbook/wsdg_src/wsdg_userinterface.adoc new file mode 100644 index 0000000..a4fe17a --- /dev/null +++ b/docbook/wsdg_src/wsdg_userinterface.adoc @@ -0,0 +1,318 @@ +// WSDG Chapter User Interface + +[#ChapterUserInterface] + +== User Interface + +[#ChUIIntro] + +=== Introduction + +Wireshark can be logically separated into the backend (dissecting protocols, +file loading and saving, capturing, etc.) and the frontend (the user interface). + +The following frontends are currently maintained by the Wireshark +development team: + +* Wireshark, Qt based + +* TShark, console based + +This chapter is focused on the Wireshark frontend, and especially on +the Qt interface. + +[#ChUIQt] + +=== The Qt Application Framework + +Qt is a cross-platform application development framework. While we mainly use +the core (QtCore) and user interface (QtWidgets) modules, it also supports a +number of other modules for specialized application development, such as +networking (QtNetwork) and web browsing (QtWebKit). + +At the time of this writing (September 2016) most of the main Wireshark +application has been ported to Qt. The sections below provide an +overview of the application and tips for Qt development in our +environment. + +==== User Experience Considerations + +When creating or modifying Wireshark try to make sure that it will work +well on Windows, macOS, and Linux. See <<ChUIGUIDocs>> for details. +Additionally, try to keep the following in mind: + +*Workflow*. Excessive navigation and gratuitous dialogs should be +avoided or reduced. For example, compared to the legacy UI many alert +dialogs have been replaced with status bar messages. Statistics dialogs +are displayed immediately instead of requiring that options be +specified. + +*Discoverability and feedback*. Most users don't like to read +documentation and instead prefer to learn an application as they use it. +Providing feedback increases your sense of control and awareness, and +makes the application more enjoyable to use. Most of the Qt dialogs +provide a “hint” area near the bottom which shows useful information. +For example, the “Follow Stream” dialog shows the packet corresponding +to the text under the mouse. The profile management dialog shows a +clickable path to the current profile. The main welcome screen shows +live interface traffic. Most dialogs have a context menu that shows +keyboard shortcuts. + +==== Qt Creator + +Qt Creator is a full-featured IDE and user interface editor. It makes +adding new UI features much easier. It doesn't work well on Windows at +the present time, so it’s recommended that you use it on macOS or Linux. + +To edit and build Wireshark using Qt Creator, open the top-level +_CMakeLists.txt_ within Qt Creator. It should ask you to choose a build +location. Do so. It should then ask you to run CMake. Fill in any +desired build arguments (e.g. <<ChSrcBuildType,`-D CMAKE_BUILD_TYPE=Debug`>> or +`-D ENABLE_CCACHE=ON`) and click the btn:[Run CMake] button. When that +completes select menu:Build[Open Build and Run Kit Selector...] and make +sure _wireshark_ is selected. + +Note that Qt Creator uses output created by CMake’s “CodeBlocks” +generator. If you run CMake outside of Qt Creator you should use the +“CodeBlocks - Unix Makefiles” generator, otherwise Qt Creator will +prompt you to re-run CMake. + +==== Source Code Overview + +Wireshark’s `main` entry point is in _ui/qt/main.cpp_. Command-line arguments +are processed there and the main application class (`WiresharkApplication`) +instance is created there along with the main window. + +The main window along with the rest of the application resides in _ui/qt_. Due +to its size the main window code is split into several modules, _main_window.cpp_, +_wireshark_main_window.cpp_ and _wireshark_main_window_slots.cpp_. + +Most of the modules in _ui/qt_ are dialogs. Although we follow Qt naming +conventions for class names, we follow our own conventions by separating file +name components with underscores. For example, ColoringRulesDialog is defined in +_coloring_rules_dialog.cpp_, _coloring_rules_dialog.h_, and +_coloring_rules_dialog.ui_. + +General-purpose dialogs are subclasses of `QDialog`. Dialogs that rely on the +current capture file can subclass `WiresharkDialog`, which provides methods and +members that make it easier to access the capture file and to keep the dialog +open when the capture file closes. + +==== Coding Practices and Naming Conventions + +===== Names + +The code in _ui/qt_ directory uses three APIs: Qt (which uses upper camel case), GLib (which uses snake_case), and the Wireshark +API (which also uses snake_case). + +As a general rule, for names, Wireshark’s Qt code: + +- uses upper camel case, in which words in the name are not separated by underscores, and the first letter of each word is capitalized, for classes, for example, `PacketList`; +- uses lower camel case, in which words in the name are not separated by underscores, and the first letter of each word other than the first word is capitalized, for methods, for example, `resetColumns`; +- uses snake case, in which words in the name are separated by underscores, and the first letter of the word is not capitalized, for variables, with a trailing underscore used for member variables, for example, `packet_list_model_`. + +===== Dialogs + +Dialogs that work with capture file information shouldn't close just because the +capture file closes. Subclassing `WiresharkDialog` as described above can make +it easier to persist across capture files. + +When you create a window with a row of standard “OK” and “Close” buttons at +the bottom using Qt Creator you will end up with a subclass of QDialog. This is +fine for traditional modal dialogs, but many times the “dialog” needs to behave +like a QWindow instead. + +Modal dialogs should be constructed with `QDialog(parent)`. Modeless dialogs +(windows) should be constructed with `QDialog(NULL, Qt::Window)`. Other +combinations (particularly `QDialog(parent, Qt::Window)`) can lead to odd and +inconsistent behavior. Again, subclassing `WiresharkDialog` will take care of +this for you. + +Most of the dialogs in ui/qt share many similarities, including method names, +widget names, and behavior. Most dialogs should have the following, although +it’s not strictly required: + +- An `updateWidgets()` method, which enables and disables widgets depending on + the current state and constraints of the dialog. For example, the Coloring + Rules dialog disables the *Save* button if the user has entered an + invalid display filter. +- A `hintLabel()` widget subclassed from `QLabel` or `ElidedLabel`, placed just + above the dialog button box. The hint label provides guidance and feedback to + the user. +- A context menu (`ctx_menu_`) for additional actions not present in the + button box. +- If the dialog box contains a `QTreeWidget` you might want to add your own + `QTreeWidgetItem` subclass with the following methods: + `drawData()`:: Draws column data with any needed formatting. + `colData()`:: Returns the data for each column as a `QVariant`. Used for + copying as CSV, YAML, etc. + `operator<()`:: Allows sorting columns based on their raw data. + +===== Strings + +Wireshark’s C code and GLib use UTF-8 encoded character arrays. Qt +(specifically QString) uses UTF-16. You can convert a `char *` to a +`QString` using simple assignment. You can convert a `QString` to a +`const char *` using `qUtf8Printable`. + +If you're using GLib string functions or plain old C character array +idioms in Qt-only code you're probably doing something wrong, +particularly if you're manually allocating and releasing memory. +QStrings are generally *much* safer and easier to use. They also make +translations easier. + +If you need to pass strings between Qt and GLib you can use a number +of convenience routines which are defined in _ui/qt/utils/qt_ui_utils.h_. + +If you're calling a function that returns wmem-allocated memory it might make +more sense to add a wrapper function to _qt_ui_utils_ than to call wmem_free in +your code. + +===== Mixing C and {cpp} + +Sometimes we have to call {cpp} functions from one of +Wireshark’s C callbacks and pass {cpp} objects to or from C. Tap +listeners are a common example. The {cpp} FAQ +https://www.parashift.com/c++-faq/mixing-c-and-cpp.html[describes how to do +this safely]. + +Tapping usually involves declaring static methods for callbacks, passing `this` +as the tap data. + +[#ChUII18N] +===== Internationalization and Translation + +Qt provides a convenient method for translating text: `Qobject::tr()`, +usually available as `tr()`. + +However, please avoid using `tr()` for static strings and define them in _*.ui_ +files instead. `tr()` on manually created objects like `QMenu` are not +automatically retranslated and must instead be manually translated using +`changeEvent()` and `retranslateUi()`. See _ui/qt/wireshark_main_window.cpp_ for an example +of this. + +NOTE: If your object life is short and your components are (re)created +dynamically then it is ok to use `tr()`. + +In most cases you should handle the changeEvent in order to catch +`QEvent::LanguageChange`. + +Qt makes translating the Wireshark UI into different languages easy. To add a new +translation, do the following: + +- Add your translation (_ui/qt/wireshark_XX.ts_) to _ui/qt/CMakeLists.txt_ +- (Recommended) Add a flag image for your language in _resources/languages/XX.svg_. Update _resources/languages/languages.qrc_ accordingly. +- Run `lupdate ui/qt -ts ui/qt/wireshark_XX.ts` to generate/update your translation file. +- Add ui/qt/wireshark_XX.ts to `.tx/config`. +- Translate with Qt Linguist: `linguist ui/qt/wireshark_XX.ts`. +- Do a test build and make sure the generated _wireshark_XX.qm_ binary file is included. +- Push your translation to GitLab for review. See <<ChSrcContribute>> for details. + +Alternatively you can put your QM and flag files in the _languages_ +directory in the Wireshark user configuration directory +(_$XDG_CONFIG_HOME/wireshark/languages/_ or _$HOME/.wireshark/languages/_ on +UNIX). + +For more information about Qt Linguist see +https://doc.qt.io/qt-5/qtlinguist-index.html[its manual]. + +You can also manage translations online with +https://www.transifex.com/wireshark/wireshark/[Transifex]. +Translation resources are organized by type of translation and development branch: + +master:: +Qt Linguist resources in the _ui/qt_ in the master branch. + +debian:: +GNU gettext resources in the _debian_ directory in the master branch. + +qt-_XY_, master-_XY_:: +Qt Linguist resources in the _ui/qt_ in the _X.Y_ release branch. +For example, qt-34 matches the Wireshark 3.2 release branch. + +po-_XY_, debian-_XY_:: +GNU gettext (.po) resources in the _debian_ directory in the _X.Y_ release branch. +For example, po-34 matches the Wireshark 3.4 release branch. + +Each week translations are automatically synchronized with the source code through the following steps: + +- Pull changes from Transifex by running `tx pull -f`. +- Run `lupdate` on the ts files. +- Push and commit on GitLab. +- Push changes to Transifex by running `tx push`. + +===== Colors And Themes + +Qt provides a number of colors via the https://doc.qt.io/qt-5/qpalette.html[QPalette] +class. Use this class when you need a standard color provided by the +underlying operating system. + +Wireshark uses an extended version of the +https://en.wikipedia.org/wiki/Tango_Desktop_Project[Tango Color Palette] +for many interface elements that require custom colors. This includes the +I/O graphs, sequence diagrams, and RTP streams. Please use this palette +(defined in `tango_colors.h` and the *ColorUtils* class) if *QPalette* +doesn't meet your needs. + +Wireshark supports dark themes (aka “dark mode”) on some platforms. We +leverage Qt's dark theme support when possible, but have implemented our +own support and workarounds in some cases. You can ensure that your code +includes proper dark theme support by doing the following: + +* You can use a macOS-style template icon by creating a monochrome SVG +document with “.template” appended to the name, e.g. +`resources/stock_icons/24x24/edit-find.template.svg`. +* Qt draws unvisited links *Qt::blue* no matter what. You can work +around this by using `ColorUtils::themeLinkBrush()` and +`ColorUtils::themeLinkStyle()`. +* You can catch dark and light mode changes by handling +`QEvent::ApplicationPaletteChange`. + +==== Other Issues and Information + +The main window has many QActions which are shared with child widgets. See +_ui/qt/proto_tree.cpp_ for an example of this. + +To demonstrate the functionality of the plugin interface options, a +demonstration plugin exists (pluginifdemo). See _doc/README.plugins_ and +_plugins/epan/pluginifdemo_. + +https://www.kdab.com/development-resources/qt-tools/gammaray/[GammaRay] lets you inspect +the internals of a running Qt application similar to $$Spy++$$ on Windows. + +[#ChUIGUIDocs] + +=== Human Interface Reference Documents + +Wireshark runs on a number of platforms, primarily Windows, macOS, and +Linux. It should conform to the Windows, macOS, GNOME, and KDE human +interface guidelines as much as possible. Unfortunately, creating a +feature that works well across these platforms can sometimes be a +juggling act since the human interface guidelines for each platform +often contradict one another. If you run into trouble you can ask the +_wireshark-dev_ mailing list as well as the User Experience Stack +Exchange listed below. + +For further reference, see the following: + +* Android Design: +https://developer.android.com/design/[]. Wireshark doesn't have +a mobile frontend (not yet, at least) but there is still useful +information here. + +* GNOME Human Interface Guidelines: +https://developer.gnome.org/hig/[] + +* KDE Human Interface Guidelines: +https://hig.kde.org[] + +* macOS Human Interface Guidelines: +https://developer.apple.com/design/human-interface-guidelines/macos/overview/themes/[] + +* Design guidelines for the Windows desktop: +https://docs.microsoft.com/en-us/windows/desktop/uxguide/guidelines[] + +* User Experience Stack Exchange: +https://ux.stackexchange.com/[] + +// End of WSDG Chapter User Interface diff --git a/docbook/wsdg_src/wsdg_works.adoc b/docbook/wsdg_src/wsdg_works.adoc new file mode 100644 index 0000000..baa7540 --- /dev/null +++ b/docbook/wsdg_src/wsdg_works.adoc @@ -0,0 +1,119 @@ +// WSDG Chapter Works + +[#ChapterWorks] + +== How Wireshark Works + +[#ChWorksIntro] + +=== Introduction + +This chapter will give you a short overview of how Wireshark works. + +[#ChWorksOverview] + +=== Overview + +The following will give you a simplified overview of Wireshark’s function blocks: + +[#ChWorksFigOverview] + +.Wireshark function blocks +image::images/ws-function-blocks.png[{pdf-scaledwidth}] + +The function blocks in more detail: + +GUI:: Handling of all user input/output (all windows, dialogs and such). +Source code can be found in the _ui/qt_ directory. + +Core:: Main "glue code" that holds the other blocks together. Source +code can be found in the root directory. + +Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine. +Source code can be found in the _epan_ directory. Epan provides +the following APIs: + +* Protocol Tree. Dissection information for an individual packet. + +* Dissectors. The various protocol dissectors in +_epan/dissectors_. + +* Dissector Plugins - Support for implementing dissectors as separate modules. +Source code can be found in _plugins_. + +* Display Filters - The display filter engine at +_epan/dfilter_. + +Wiretap:: The wiretap library is used to read and write capture files in libpcap, +pcapng, and many other file formats. Source code is in the +_wiretap_ directory. + +Capture:: The interface to the capture engine. Source code is in the +root directory. + +Dumpcap:: The capture engine itself. This is the only part that executes with +elevated privileges. Source code is in the root directory. + +Npcap and libpcap:: These are external libraries that provide packet capture +and filtering support on different platforms. The filtering in Npcap and libpcap +works at a much lower level than Wireshark’s display filters and uses a +significantly different mechanism. That’s why there are different display and +capture filter syntaxes. + + +[#ChWorksCapturePackets] + +=== Capturing packets + +Capturing takes packets from a network adapter and saves them to a file +on your hard disk. + +Since raw network adapter access requires elevated privileges, these functions +are isolated to the `dumpcap` program. Placing the capture functionality +into `dumpcap` allows the rest of the code (dissectors, user interface, +etc.) to run with normal user privileges. + +To hide all the low-level machine dependent details from Wireshark, the libpcap +and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a +general purpose interface to capture packets and are used by a wide variety of +applications. + +[#ChWorksCaptureFiles] + +=== Capture Files + +Wireshark can read and write capture files in its natural file formats, pcapng +and pcap, which are used by many other network capturing tools, such as tcpdump. +Additionally, Wireshark supports reading and writing packet capture files +in formats used by other network capture tools. This support is implemented in +Wireshark's wiretap library, which provides a general purpose interface for +reading and writing packet capture formats and supports more than twenty +packet capture formats. + +[#ChWorksDissectPackets] + +=== Dissect packets + +Wireshark dissects packets in what it calls 'two-pass' dissection. + +Wireshark performs a first pass of dissecting all packets as they are loaded +from the file. All packets are dissected sequentially and this information +is used to populate Wireshark's packet list pane and to build state and +other information needed when displaying the packet. + +Wireshark later performs 'second pass' ad-hoc dissections on the +packets that it needs data from. This enables Wireshark to fill in fields that +require future knowledge, like the 'response in frame #' fields, +and correctly calculate reassembly frame dependencies. + +For example, Wireshark will perform an ad-hoc dissection when a user selects +a packet (to display the packet details), +calculates a statistic (so all values are computed), +or performs another action that requires packet data. +However, because Wireshark may only dissect +the packets that are needed, there is no guarantee that +Wireshark will dissect all packets again, nor is there any guarantee as to the +order that the packets will be dissected after the first pass. + +// End of WSDG Chapter Works + diff --git a/docbook/wsug_src/capinfos-h.txt b/docbook/wsug_src/capinfos-h.txt new file mode 100644 index 0000000..fa422fc --- /dev/null +++ b/docbook/wsug_src/capinfos-h.txt @@ -0,0 +1,68 @@ +Capinfos (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Print various information (infos) about capture files. +See https://www.wireshark.org for more information. + +Usage: capinfos [options] <infile> ... + +General infos: + -t display the capture file type + -E display the capture file encapsulation + -I display the capture file interface information + -F display additional capture file information + -H display the SHA256 and SHA1 hashes of the file + -k display the capture comment + -p display individual packet comments + +Size infos: + -c display the number of packets + -s display the size of the file (in bytes) + -d display the total length of all packets (in bytes) + -l display the packet size limit (snapshot length) + +Time infos: + -u display the capture duration (in seconds) + -a display the capture start time + -e display the capture end time + -o display the capture file chronological status (True/False) + -S display start and end times as seconds + +Statistic infos: + -y display average data rate (in bytes/sec) + -i display average data rate (in bits/sec) + -z display average packet size (in bytes) + -x display average packet rate (in packets/sec) + +Metadata infos: + -n display number of resolved IPv4 and IPv6 addresses + -D display number of decryption secrets + +Output format: + -L generate long report (default) + -T generate table report + -M display machine-readable values in long reports + +Table report options: + -R generate header record (default) + -r do not generate header record + + -B separate infos with TAB character (default) + -m separate infos with comma (,) character + -b separate infos with SPACE character + + -N do not quote infos (default) + -q quote infos with single quotes (') + -Q quote infos with double quotes (") + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -C cancel processing if file open fails (default is to continue) + -A generate all infos (default) + -K disable displaying the capture comment + -P disable displaying individual packet comments + +Options are processed from left to right order with later options superseding +or adding to earlier options. + +If no options are given the default is to display all infos in long report +output format. diff --git a/docbook/wsug_src/dumpcap-h.txt b/docbook/wsug_src/dumpcap-h.txt new file mode 100644 index 0000000..23441e8 --- /dev/null +++ b/docbook/wsug_src/dumpcap-h.txt @@ -0,0 +1,94 @@ +Dumpcap (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Capture network packets and dump them into a pcapng or pcap file. +See https://www.wireshark.org for more information. + +Usage: dumpcap [options] ... + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback), + or for remote capturing, use one of these formats: + rpcap://<host>/<interface> + TCP@<host>:<port> + --ifname <name> name to use in the capture file for a pipe from which + we're capturing + --ifdescr <description> + description to use in the capture file for a pipe + from which we're capturing + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer in MiB (def: 2MiB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + --update-interval interval between updates with new packets (def: 100ms) + -d print generated BPF code for capture filter + -k <freq>,[<type>],[<center_freq1>],[<center_freq2>] + set channel on wifi interface + -S print statistics for each interface once per second + -M for -D, -L, and -S, produce machine-readable output + +Stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM kB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Output (files): + -w <filename> name of file to save (def: tempfile) + -g enable group read access on the output file(s) + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM kB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - ringbuffer: replace after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs + printname:FILE - print filename to FILE when written + (can use 'stdout' or 'stderr') + -n use pcapng format instead of pcap (default) + -P use libpcap format instead of pcapng + --capture-comment <comment> + add a capture comment to the output file + (only for pcapng) + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -N <packet_limit> maximum number of packets buffered within dumpcap + -C <byte_limit> maximum number of bytes used for buffering packets + within dumpcap + -t use a separate thread per interface + -q don't report packet capture counts + -v, --version print version information and exit + -h, --help display this help and exit + +Dumpcap can benefit from an enabled BPF JIT compiler if available. +You might want to enable it by executing: + "echo 1 > /proc/sys/net/core/bpf_jit_enable" +Note that this can make your system less secure! + +Example: dumpcap -i eth0 -a duration:60 -w output.pcapng +"Capture packets from interface eth0 until 60s passed into output.pcapng" + +Use Ctrl-C to stop capturing at any time. diff --git a/docbook/wsug_src/editcap-F.txt b/docbook/wsug_src/editcap-F.txt new file mode 100644 index 0000000..c566bd2 --- /dev/null +++ b/docbook/wsug_src/editcap-F.txt @@ -0,0 +1,39 @@ +editcap: The available capture file types for the "-F" flag are: + pcap - Wireshark/tcpdump/... - pcap + pcapng - Wireshark/... - pcapng + 5views - InfoVista 5View capture + btsnoop - Symbian OS btsnoop + commview-ncf - TamoSoft CommView NCF + commview-ncfx - TamoSoft CommView NCFX + dct2000 - Catapult DCT2000 trace (.out format) + erf - Endace ERF capture + eyesdn - EyeSDN USB S0/E1 ISDN trace format + k12text - K12 text file + lanalyzer - Novell LANalyzer + logcat - Android Logcat Binary format + logcat-brief - Android Logcat Brief text format + logcat-long - Android Logcat Long text format + logcat-process - Android Logcat Process text format + logcat-tag - Android Logcat Tag text format + logcat-thread - Android Logcat Thread text format + logcat-threadtime - Android Logcat Threadtime text format + logcat-time - Android Logcat Time text format + modpcap - Modified tcpdump - pcap + netmon1 - Microsoft NetMon 1.x + netmon2 - Microsoft NetMon 2.x + nettl - HP-UX nettl trace + ngsniffer - Sniffer (DOS) + ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1 + ngwsniffer_2_0 - Sniffer (Windows) 2.00x + nokiapcap - Nokia tcpdump - pcap + nsecpcap - Wireshark/tcpdump/... - nanosecond pcap + nstrace10 - NetScaler Trace (Version 1.0) + nstrace20 - NetScaler Trace (Version 2.0) + nstrace30 - NetScaler Trace (Version 3.0) + nstrace35 - NetScaler Trace (Version 3.5) + observer - Viavi Observer + rf5 - Tektronix K12xx 32-bit .rf5 format + rh6_1pcap - RedHat 6.1 tcpdump - pcap + snoop - Sun snoop + suse6_3pcap - SuSE 6.3 tcpdump - pcap + visual - Visual Networks traffic capture diff --git a/docbook/wsug_src/editcap-T.txt b/docbook/wsug_src/editcap-T.txt new file mode 100644 index 0000000..e975dce --- /dev/null +++ b/docbook/wsug_src/editcap-T.txt @@ -0,0 +1,225 @@ +editcap: The available encapsulation types for the "-T" flag are: + alp - ATSC Link-Layer Protocol (A/330) packets + ap1394 - Apple IP-over-IEEE 1394 + arcnet - ARCNET + arcnet_linux - Linux ARCNET + ascend - Lucent/Ascend access equipment + atm-pdus - ATM PDUs + atm-pdus-untruncated - ATM PDUs - untruncated + atm-rfc1483 - RFC 1483 ATM + auerlog - Auerswald Log + autosardlt - AUTOSAR DLT + ax25 - Amateur Radio AX.25 + ax25-kiss - AX.25 with KISS header + bacnet-ms-tp - BACnet MS/TP + bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info + ber - ASN.1 Basic Encoding Rules + bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF + bluetooth-h4 - Bluetooth H4 + bluetooth-h4-linux - Bluetooth H4 with linux header + bluetooth-hci - Bluetooth without transport layer + bluetooth-le-ll - Bluetooth Low Energy Link Layer + bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF + bluetooth-linux-monitor - Bluetooth Linux Monitor + can20b - Controller Area Network 2.0B + chdlc - Cisco HDLC + chdlc-with-direction - Cisco HDLC with Directional Info + cosine - CoSine L2 debug log + dbus - D-Bus + dct2000 - Catapult DCT2000 + docsis - Data Over Cable Service Interface Specification + docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header + dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header + dpnss_link - Digital Private Signalling System No 1 Link Layer + dvbci - DVB-CI (Common Interface) + ebhscr - Elektrobit High Speed Capture and Replay + enc - OpenBSD enc(4) encapsulating interface + epon - Ethernet Passive Optical Network + erf - Extensible Record Format + eri_enb_log - Ericsson eNode-B raw log + ether - Ethernet + ether-mpacket - IEEE 802.3br mPackets + ether-nettl - Ethernet with nettl headers + etw - Event Tracing for Windows messages + fc2 - Fibre Channel FC-2 + fc2sof - Fibre Channel FC-2 With Frame Delimiter + fddi - FDDI + fddi-nettl - FDDI with nettl headers + fddi-swapped - FDDI with bit-swapped MAC addresses + fira-uci - FiRa UWB Controller Interface (UCI) protocol. + flexray - FlexRay + frelay - Frame Relay + frelay-with-direction - Frame Relay with Directional Info + gcom-serial - GCOM Serial + gcom-tie1 - GCOM TIE1 + gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode + gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode + gprs-llc - GPRS LLC + gsm_um - GSM Um Interface + hhdlc - HiPath HDLC + i2c-linux - I2C with Linux-specific pseudo-header + ieee-802-11 - IEEE 802.11 Wireless LAN + ieee-802-11-avs - IEEE 802.11 plus AVS radio header + ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header + ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header + ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information + ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header + ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer + infiniband - InfiniBand + ios - Cisco IOS internal + ip-ib - IP over IB + ip-over-fc - RFC 2625 IP-over-Fibre Channel + ip-over-ib - IP over InfiniBand + ipfix - RFC 5655/RFC 5101 IPFIX + ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header + ipmi-trace - IPMI Trace Data Collection + ipnet - Solaris IPNET + irda - IrDA + isdn - ISDN + iso14443 - ISO 14443 contactless smartcard standards + ixveriwave - IxVeriWave header and stats block + jfif - JPEG/JFIF + json - JavaScript Object Notation + juniper-atm1 - Juniper ATM1 + juniper-atm2 - Juniper ATM2 + juniper-chdlc - Juniper C-HDLC + juniper-ether - Juniper Ethernet + juniper-frelay - Juniper Frame-Relay + juniper-ggsn - Juniper GGSN + juniper-mlfr - Juniper MLFR + juniper-mlppp - Juniper MLPPP + juniper-ppp - Juniper PPP + juniper-pppoe - Juniper PPPoE + juniper-st - Juniper Secure Tunnel Information + juniper-svcs - Juniper Services + juniper-vn - Juniper VN + juniper-vp - Juniper Voice PIC + k12 - K12 protocol analyzer + lapb - LAPB + lapd - LAPD + layer1-event - EyeSDN Layer 1 event + lin - Local Interconnect Network + linux-atm-clip - Linux ATM CLIP + linux-lapd - LAPD with Linux pseudo-header + linux-sll - Linux cooked-mode capture v1 + linux-sll2 - Linux cooked-mode capture v2 + log_3GPP - 3GPP Phone Log + logcat - Android Logcat Binary format + logcat_brief - Android Logcat Brief text format + logcat_long - Android Logcat Long text format + logcat_process - Android Logcat Process text format + logcat_tag - Android Logcat Tag text format + logcat_thread - Android Logcat Thread text format + logcat_threadtime - Android Logcat Threadtime text format + logcat_time - Android Logcat Time text format + loop - OpenBSD loopback + loratap - LoRaTap + ltalk - Localtalk + mdb - MDB (Multi-Drop Bus) + message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4 + message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6 + message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4 + message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6 + message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4 + message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6 + mime - MIME + most - Media Oriented Systems Transport + mp2ts - ISO/IEC 13818-1 MPEG2-TS + mp4 - MP4 files + mpeg - MPEG + mtp2 - SS7 MTP2 + mtp2-with-phdr - MTP2 with pseudoheader + mtp3 - SS7 MTP3 + mux27010 - MUX27010 + netanalyzer - Hilscher netANALYZER + netanalyzer-transparent - Hilscher netANALYZER-Transparent + netlink - Linux Netlink + netmon_event - Network Monitor Network Event + netmon_filter - Network Monitor Filter + netmon_header - Network Monitor Header + netmon_network_info - Network Monitor Network Info + nfc-llcp - NFC LLCP + nflog - NFLOG + nordic_ble - nRF Sniffer for Bluetooth LE + nstrace10 - NetScaler Encapsulation 1.0 of Ethernet + nstrace20 - NetScaler Encapsulation 2.0 of Ethernet + nstrace30 - NetScaler Encapsulation 3.0 of Ethernet + nstrace35 - NetScaler Encapsulation 3.5 of Ethernet + null - NULL/Loopback + packetlogger - Apple Bluetooth PacketLogger + pflog - OpenBSD PF Firewall logs + pflog-old - OpenBSD PF Firewall logs, pre-3.4 + pktap - Apple PKTAP + ppi - Per-Packet Information header + ppp - PPP + ppp-with-direction - PPP with Directional Info + pppoes - PPP-over-Ethernet session + raw-icmp-nettl - Raw ICMP with nettl headers + raw-icmpv6-nettl - Raw ICMPv6 with nettl headers + raw-telnet-nettl - Raw telnet with nettl headers + rawip - Raw IP + rawip-nettl - Raw IP with nettl headers + rawip4 - Raw IPv4 + rawip6 - Raw IPv6 + redback - Redback SmartEdge + rfc7468 - RFC 7468 file + rtac-serial - RTAC serial-line + ruby_marshal - Ruby marshal object + s4607 - STANAG 4607 + s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU) + sccp - SS7 SCCP + sctp - SCTP + sdh - SDH + sdjournal - systemd journal + sdlc - SDLC + silabs-dch - Silabs Debug Channel + sita-wan - SITA WAN packets + slip - SLIP + socketcan - SocketCAN + symantec - Symantec Enterprise Firewall + tnef - Transport-Neutral Encapsulation Format + tr - Token Ring + tr-nettl - Token Ring with nettl headers + tzsp - Tazmen sniffer protocol + unknown - Unknown + unknown-nettl - Unknown link-layer type with nettl headers + usb-20 - USB 2.0/1.1/1.0 packets + usb-20-full - Full-Speed USB 2.0/1.1/1.0 packets + usb-20-high - High-Speed USB 2.0 packets + usb-20-low - Low-Speed USB 2.0/1.1/1.0 packets + usb-darwin - USB packets with Darwin (macOS, etc.) headers + usb-freebsd - USB packets with FreeBSD header + usb-linux - USB packets with Linux header + usb-linux-mmap - USB packets with Linux header and padding + usb-usbpcap - USB packets with USBPcap header + user0 - USER 0 + user1 - USER 1 + user2 - USER 2 + user3 - USER 3 + user4 - USER 4 + user5 - USER 5 + user6 - USER 6 + user7 - USER 7 + user8 - USER 8 + user9 - USER 9 + user10 - USER 10 + user11 - USER 11 + user12 - USER 12 + user13 - USER 13 + user14 - USER 14 + user15 - USER 15 + v5-ef - V5 Envelope Function + vpp - Vector Packet Processing graph dispatch trace + vsock - Linux vsock + whdlc - Wellfleet HDLC + wireshark-upper-pdu - Wireshark Upper PDU export + wpan - IEEE 802.15.4 Wireless PAN + wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present + wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY + wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header + x2e-serial - X2E serial line capture + x2e-xoraya - X2E Xoraya + x25-nettl - X.25 with nettl headers + xeth - Xerox 3MB Ethernet + zbncp - ZBOSS NCP + zwave-serial - Z-Wave Serial API packets diff --git a/docbook/wsug_src/editcap-h.txt b/docbook/wsug_src/editcap-h.txt new file mode 100644 index 0000000..0b8a5b5 --- /dev/null +++ b/docbook/wsug_src/editcap-h.txt @@ -0,0 +1,117 @@ +Editcap (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Edit and/or translate the format of capture files. +See https://www.wireshark.org for more information. + +Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ] + +<infile> and <outfile> must both be present; use '-' for stdin or stdout. +A single packet or a range of packets can be selected. + +Packet selection: + -r keep the selected packets; default is to delete them. + -A <start time> only read packets whose timestamp is after (or equal + to) the given time. + -B <stop time> only read packets whose timestamp is before the + given time. + Time format for -A/-B options is + YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm] + Unix epoch timestamps are also supported. + +Duplicate packet removal: + --novlan remove vlan info from packets before checking for duplicates. + -d remove packet if duplicate (window == 5). + -D <dup window> remove packet if duplicate; configurable <dup window>. + Valid <dup window> values are 0 to 1000000. + NOTE: A <dup window> of 0 with -V (verbose option) is + useful to print MD5 hashes. + -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR + LESS THAN <dup time window> prior to current packet. + A <dup time window> is specified in relative seconds + (e.g. 0.000001). + NOTE: The use of the 'Duplicate packet removal' options with + other editcap options except -V may not always work as expected. + Specifically the -r, -t or -S options will very likely NOT have the + desired effect if combined with the -d, -D or -w. + --skip-radiotap-header skip radiotap header when checking for packet duplicates. + Useful when processing packets captured by multiple radios + on the same channel in the vicinity of each other. + --set-unused set unused byts to zero in sll link addr. + +Packet manipulation: + -s <snaplen> truncate each packet to max. <snaplen> bytes of data. + -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values + chop at the packet beginning, negative values at the + packet end. If an optional offset precedes the length, + then the bytes chopped will be offset from that value. + Positive offsets are from the packet beginning, + negative offsets are from the packet end. You can use + this option more than once, allowing up to 2 chopping + regions within a packet provided that at least 1 + choplen is positive and at least 1 is negative. + -L adjust the frame (i.e. reported) length when chopping + and/or snapping. + -t <time adjustment> adjust the timestamp of each packet. + <time adjustment> is in relative seconds (e.g. -0.5). + -S <strict adjustment> adjust timestamp of packets if necessary to ensure + strict chronological increasing order. The <strict + adjustment> is specified in relative seconds with + values of 0 or 0.000001 being the most reasonable. + A negative adjustment value will modify timestamps so + that each packet's delta time is the absolute value + of the adjustment specified. A value of -0 will set + all packets to the timestamp of the first packet. + -E <error probability> set the probability (between 0.0 and 1.0 incl.) that + a particular packet byte will be randomly changed. + -o <change offset> When used in conjunction with -E, skip some bytes from the + beginning of the packet. This allows one to preserve some + bytes, in order to have some headers untouched. + --seed <seed> When used in conjunction with -E, set the seed to use for + the pseudo-random number generator. This allows one to + repeat a particular sequence of errors. + -I <bytes to ignore> ignore the specified number of bytes at the beginning + of the frame during MD5 hash calculation, unless the + frame is too short, then the full frame is used. + Useful to remove duplicated packets taken on + several routers (different mac addresses for + example). + e.g. -I 26 in case of Ether/IP will ignore + ether(14) and IP header(20 - 4(src ip) - 4(dst ip)). + -a <framenum>:<comment> Add or replace comment for given frame number + +Output File(s): + -c <packets per file> split the packet output to different files based on + uniform packet counts with a maximum of + <packets per file> each. + -i <seconds per file> split the packet output to different files based on + uniform time intervals with a maximum of + <seconds per file> each. + -F <capture type> set the output file type; default is pcapng. + An empty "-F" option will list the file types. + -T <encap type> set the output file encapsulation type; default is the + same as the input file. An empty "-T" option will + list the encapsulation types. + --inject-secrets <type>,<file> Insert decryption secrets from <file>. List + supported secret types with "--inject-secrets help". + --discard-all-secrets Discard all decryption secrets from the input file + when writing the output file. Does not discard + secrets added by "--inject-secrets" in the same + command line. + --capture-comment <comment> + Add a capture file comment, if supported. + --discard-capture-comment + Discard capture file comments from the input file + when writing the output file. Does not discard + comments added by "--capture-comment" in the same + command line. + --discard-packet-comments + Discard all packet comments from the input file + when writing the output file. Does not discard + comments added by "-a" in the same command line. + +Miscellaneous: + -h, --help display this help and exit. + -V verbose output. + If -V is used with any of the 'Duplicate Packet + Removal' options (-d, -D or -w) then Packet lengths + and MD5 hashes are printed to standard-error. + -v, --version print version information and exit. diff --git a/docbook/wsug_src/images/caution.svg b/docbook/wsug_src/images/caution.svg new file mode 100644 index 0000000..793c602 --- /dev/null +++ b/docbook/wsug_src/images/caution.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightning-charge" viewBox="0 0 16 16"> + <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09zM4.157 8.5H7a.5.5 0 0 1 .478.647L6.11 13.59l5.732-6.09H9a.5.5 0 0 1-.478-.647L9.89 2.41 4.157 8.5z"/> +</svg> diff --git a/docbook/wsug_src/images/important.svg b/docbook/wsug_src/images/important.svg new file mode 100644 index 0000000..a2ee701 --- /dev/null +++ b/docbook/wsug_src/images/important.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-circle" viewBox="0 0 16 16"> + <path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/> + <path d="M7.002 11a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 4.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 4.995z"/> +</svg> diff --git a/docbook/wsug_src/images/note.svg b/docbook/wsug_src/images/note.svg new file mode 100644 index 0000000..803dc13 --- /dev/null +++ b/docbook/wsug_src/images/note.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-sticky" viewBox="0 0 16 16"> + <path d="M2.5 1A1.5 1.5 0 0 0 1 2.5v11A1.5 1.5 0 0 0 2.5 15h6.086a1.5 1.5 0 0 0 1.06-.44l4.915-4.914A1.5 1.5 0 0 0 15 8.586V2.5A1.5 1.5 0 0 0 13.5 1h-11zM2 2.5a.5.5 0 0 1 .5-.5h11a.5.5 0 0 1 .5.5V8H9.5A1.5 1.5 0 0 0 8 9.5V14H2.5a.5.5 0 0 1-.5-.5v-11zm7 11.293V9.5a.5.5 0 0 1 .5-.5h4.293L9 13.793z"/> +</svg> diff --git a/docbook/wsug_src/images/related-ack.png b/docbook/wsug_src/images/related-ack.png Binary files differnew file mode 100644 index 0000000..a60c5fb --- /dev/null +++ b/docbook/wsug_src/images/related-ack.png diff --git a/docbook/wsug_src/images/related-current.png b/docbook/wsug_src/images/related-current.png Binary files differnew file mode 100644 index 0000000..02578c5 --- /dev/null +++ b/docbook/wsug_src/images/related-current.png diff --git a/docbook/wsug_src/images/related-dup-ack.png b/docbook/wsug_src/images/related-dup-ack.png Binary files differnew file mode 100644 index 0000000..a73dc64 --- /dev/null +++ b/docbook/wsug_src/images/related-dup-ack.png diff --git a/docbook/wsug_src/images/related-first.png b/docbook/wsug_src/images/related-first.png Binary files differnew file mode 100644 index 0000000..03e44ac --- /dev/null +++ b/docbook/wsug_src/images/related-first.png diff --git a/docbook/wsug_src/images/related-last.png b/docbook/wsug_src/images/related-last.png Binary files differnew file mode 100644 index 0000000..9f740eb --- /dev/null +++ b/docbook/wsug_src/images/related-last.png diff --git a/docbook/wsug_src/images/related-other.png b/docbook/wsug_src/images/related-other.png Binary files differnew file mode 100644 index 0000000..3bde3ac --- /dev/null +++ b/docbook/wsug_src/images/related-other.png diff --git a/docbook/wsug_src/images/related-request.png b/docbook/wsug_src/images/related-request.png Binary files differnew file mode 100644 index 0000000..472b850 --- /dev/null +++ b/docbook/wsug_src/images/related-request.png diff --git a/docbook/wsug_src/images/related-response.png b/docbook/wsug_src/images/related-response.png Binary files differnew file mode 100644 index 0000000..883274e --- /dev/null +++ b/docbook/wsug_src/images/related-response.png diff --git a/docbook/wsug_src/images/related-segment.png b/docbook/wsug_src/images/related-segment.png Binary files differnew file mode 100644 index 0000000..9fff8a7 --- /dev/null +++ b/docbook/wsug_src/images/related-segment.png diff --git a/docbook/wsug_src/images/tip.svg b/docbook/wsug_src/images/tip.svg new file mode 100644 index 0000000..1a60b74 --- /dev/null +++ b/docbook/wsug_src/images/tip.svg @@ -0,0 +1,3 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-lightbulb" viewBox="0 0 16 16"> + <path d="M2 6a6 6 0 1 1 10.174 4.31c-.203.196-.359.4-.453.619l-.762 1.769A.5.5 0 0 1 10.5 13a.5.5 0 0 1 0 1 .5.5 0 0 1 0 1l-.224.447a1 1 0 0 1-.894.553H6.618a1 1 0 0 1-.894-.553L5.5 15a.5.5 0 0 1 0-1 .5.5 0 0 1 0-1 .5.5 0 0 1-.46-.302l-.761-1.77a1.964 1.964 0 0 0-.453-.618A5.984 5.984 0 0 1 2 6zm6-5a5 5 0 0 0-3.479 8.592c.263.254.514.564.676.941L5.83 12h4.342l.632-1.467c.162-.377.413-.687.676-.941A5 5 0 0 0 8 1z"/> +</svg> diff --git a/docbook/wsug_src/images/toolbar/document-open.png b/docbook/wsug_src/images/toolbar/document-open.png Binary files differnew file mode 100644 index 0000000..516a261 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/document-open.png diff --git a/docbook/wsug_src/images/toolbar/edit-find.png b/docbook/wsug_src/images/toolbar/edit-find.png Binary files differnew file mode 100644 index 0000000..f739ea9 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/edit-find.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-add.png b/docbook/wsug_src/images/toolbar/filter-toolbar-add.png Binary files differnew file mode 100644 index 0000000..ca3454e --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-add.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-apply.png b/docbook/wsug_src/images/toolbar/filter-toolbar-apply.png Binary files differnew file mode 100644 index 0000000..262646e --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-apply.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png b/docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png Binary files differnew file mode 100644 index 0000000..c7c4c95 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-bookmark.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-clear.png b/docbook/wsug_src/images/toolbar/filter-toolbar-clear.png Binary files differnew file mode 100644 index 0000000..1122947 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-clear.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-input.png b/docbook/wsug_src/images/toolbar/filter-toolbar-input.png Binary files differnew file mode 100644 index 0000000..98962ab --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-input.png diff --git a/docbook/wsug_src/images/toolbar/filter-toolbar-recent.png b/docbook/wsug_src/images/toolbar/filter-toolbar-recent.png Binary files differnew file mode 100644 index 0000000..fff2d03 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/filter-toolbar-recent.png diff --git a/docbook/wsug_src/images/toolbar/go-first.png b/docbook/wsug_src/images/toolbar/go-first.png Binary files differnew file mode 100644 index 0000000..95b485a --- /dev/null +++ b/docbook/wsug_src/images/toolbar/go-first.png diff --git a/docbook/wsug_src/images/toolbar/go-jump.png b/docbook/wsug_src/images/toolbar/go-jump.png Binary files differnew file mode 100644 index 0000000..cc13792 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/go-jump.png diff --git a/docbook/wsug_src/images/toolbar/go-last.png b/docbook/wsug_src/images/toolbar/go-last.png Binary files differnew file mode 100644 index 0000000..78ea4b7 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/go-last.png diff --git a/docbook/wsug_src/images/toolbar/go-next.png b/docbook/wsug_src/images/toolbar/go-next.png Binary files differnew file mode 100644 index 0000000..0bc6a15 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/go-next.png diff --git a/docbook/wsug_src/images/toolbar/go-previous.png b/docbook/wsug_src/images/toolbar/go-previous.png Binary files differnew file mode 100644 index 0000000..6870ea2 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/go-previous.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-close.png b/docbook/wsug_src/images/toolbar/x-capture-file-close.png Binary files differnew file mode 100644 index 0000000..dab2f84 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-file-close.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-reload.png b/docbook/wsug_src/images/toolbar/x-capture-file-reload.png Binary files differnew file mode 100644 index 0000000..22e6edb --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-file-reload.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-file-save.png b/docbook/wsug_src/images/toolbar/x-capture-file-save.png Binary files differnew file mode 100644 index 0000000..48ef252 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-file-save.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-options.png b/docbook/wsug_src/images/toolbar/x-capture-options.png Binary files differnew file mode 100644 index 0000000..a3384e6 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-options.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-restart.png b/docbook/wsug_src/images/toolbar/x-capture-restart.png Binary files differnew file mode 100644 index 0000000..eb5eb0b --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-restart.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-start.png b/docbook/wsug_src/images/toolbar/x-capture-start.png Binary files differnew file mode 100644 index 0000000..ac0a3d2 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-start.png diff --git a/docbook/wsug_src/images/toolbar/x-capture-stop.png b/docbook/wsug_src/images/toolbar/x-capture-stop.png Binary files differnew file mode 100644 index 0000000..7a64753 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-capture-stop.png diff --git a/docbook/wsug_src/images/toolbar/x-colorize-packets.png b/docbook/wsug_src/images/toolbar/x-colorize-packets.png Binary files differnew file mode 100644 index 0000000..624b7ea --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-colorize-packets.png diff --git a/docbook/wsug_src/images/toolbar/x-resize-columns.png b/docbook/wsug_src/images/toolbar/x-resize-columns.png Binary files differnew file mode 100644 index 0000000..f79cf32 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-resize-columns.png diff --git a/docbook/wsug_src/images/toolbar/x-stay-last.png b/docbook/wsug_src/images/toolbar/x-stay-last.png Binary files differnew file mode 100644 index 0000000..eba7ae5 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/x-stay-last.png diff --git a/docbook/wsug_src/images/toolbar/zoom-in.png b/docbook/wsug_src/images/toolbar/zoom-in.png Binary files differnew file mode 100644 index 0000000..0025c34 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/zoom-in.png diff --git a/docbook/wsug_src/images/toolbar/zoom-original.png b/docbook/wsug_src/images/toolbar/zoom-original.png Binary files differnew file mode 100644 index 0000000..c8bb23e --- /dev/null +++ b/docbook/wsug_src/images/toolbar/zoom-original.png diff --git a/docbook/wsug_src/images/toolbar/zoom-out.png b/docbook/wsug_src/images/toolbar/zoom-out.png Binary files differnew file mode 100644 index 0000000..e582655 --- /dev/null +++ b/docbook/wsug_src/images/toolbar/zoom-out.png diff --git a/docbook/wsug_src/images/warning.svg b/docbook/wsug_src/images/warning.svg new file mode 100644 index 0000000..80c0ba5 --- /dev/null +++ b/docbook/wsug_src/images/warning.svg @@ -0,0 +1,4 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="bi bi-exclamation-triangle" viewBox="0 0 16 16"> + <path d="M7.938 2.016A.13.13 0 0 1 8.002 2a.13.13 0 0 1 .063.016.146.146 0 0 1 .054.057l6.857 11.667c.036.06.035.124.002.183a.163.163 0 0 1-.054.06.116.116 0 0 1-.066.017H1.146a.115.115 0 0 1-.066-.017.163.163 0 0 1-.054-.06.176.176 0 0 1 .002-.183L7.884 2.073a.147.147 0 0 1 .054-.057zm1.044-.45a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566z"/> + <path d="M7.002 12a1 1 0 1 1 2 0 1 1 0 0 1-2 0zM7.1 5.995a.905.905 0 1 1 1.8 0l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995z"/> +</svg> diff --git a/docbook/wsug_src/images/ws-about-codecs.png b/docbook/wsug_src/images/ws-about-codecs.png Binary files differnew file mode 100644 index 0000000..5f5c46f --- /dev/null +++ b/docbook/wsug_src/images/ws-about-codecs.png diff --git a/docbook/wsug_src/images/ws-analyze-menu.png b/docbook/wsug_src/images/ws-analyze-menu.png Binary files differnew file mode 100644 index 0000000..5147d7a --- /dev/null +++ b/docbook/wsug_src/images/ws-analyze-menu.png diff --git a/docbook/wsug_src/images/ws-asap-statistics.png b/docbook/wsug_src/images/ws-asap-statistics.png Binary files differnew file mode 100644 index 0000000..d1a3307 --- /dev/null +++ b/docbook/wsug_src/images/ws-asap-statistics.png diff --git a/docbook/wsug_src/images/ws-bluetooth-devices.png b/docbook/wsug_src/images/ws-bluetooth-devices.png Binary files differnew file mode 100644 index 0000000..b6d1e3c --- /dev/null +++ b/docbook/wsug_src/images/ws-bluetooth-devices.png diff --git a/docbook/wsug_src/images/ws-bt-hci-summary.png b/docbook/wsug_src/images/ws-bt-hci-summary.png Binary files differnew file mode 100644 index 0000000..16b7bec --- /dev/null +++ b/docbook/wsug_src/images/ws-bt-hci-summary.png diff --git a/docbook/wsug_src/images/ws-bytes-pane-popup-menu.png b/docbook/wsug_src/images/ws-bytes-pane-popup-menu.png Binary files differnew file mode 100644 index 0000000..bee43bf --- /dev/null +++ b/docbook/wsug_src/images/ws-bytes-pane-popup-menu.png diff --git a/docbook/wsug_src/images/ws-bytes-pane-tabs.png b/docbook/wsug_src/images/ws-bytes-pane-tabs.png Binary files differnew file mode 100644 index 0000000..b9817a2 --- /dev/null +++ b/docbook/wsug_src/images/ws-bytes-pane-tabs.png diff --git a/docbook/wsug_src/images/ws-bytes-pane.png b/docbook/wsug_src/images/ws-bytes-pane.png Binary files differnew file mode 100644 index 0000000..70d1291 --- /dev/null +++ b/docbook/wsug_src/images/ws-bytes-pane.png diff --git a/docbook/wsug_src/images/ws-calcappprotocol-statistics.png b/docbook/wsug_src/images/ws-calcappprotocol-statistics.png Binary files differnew file mode 100644 index 0000000..3c9d9fe --- /dev/null +++ b/docbook/wsug_src/images/ws-calcappprotocol-statistics.png diff --git a/docbook/wsug_src/images/ws-capture-file-properties.png b/docbook/wsug_src/images/ws-capture-file-properties.png Binary files differnew file mode 100644 index 0000000..816987b --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-file-properties.png diff --git a/docbook/wsug_src/images/ws-capture-info.png b/docbook/wsug_src/images/ws-capture-info.png Binary files differnew file mode 100644 index 0000000..e82ec0a --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-info.png diff --git a/docbook/wsug_src/images/ws-capture-interfaces-main-macos.png b/docbook/wsug_src/images/ws-capture-interfaces-main-macos.png Binary files differnew file mode 100644 index 0000000..3869886 --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-interfaces-main-macos.png diff --git a/docbook/wsug_src/images/ws-capture-interfaces-main-win32.png b/docbook/wsug_src/images/ws-capture-interfaces-main-win32.png Binary files differnew file mode 100644 index 0000000..a50b64e --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-interfaces-main-win32.png diff --git a/docbook/wsug_src/images/ws-capture-menu.png b/docbook/wsug_src/images/ws-capture-menu.png Binary files differnew file mode 100644 index 0000000..5d001e1 --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-menu.png diff --git a/docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png b/docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png Binary files differnew file mode 100644 index 0000000..14501e0 --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-options-compile-selected-bpfs.png diff --git a/docbook/wsug_src/images/ws-capture-options-options.png b/docbook/wsug_src/images/ws-capture-options-options.png Binary files differnew file mode 100644 index 0000000..b72a54f --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-options-options.png diff --git a/docbook/wsug_src/images/ws-capture-options-output.png b/docbook/wsug_src/images/ws-capture-options-output.png Binary files differnew file mode 100644 index 0000000..097c7f0 --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-options-output.png diff --git a/docbook/wsug_src/images/ws-capture-options.png b/docbook/wsug_src/images/ws-capture-options.png Binary files differnew file mode 100644 index 0000000..8a12d43 --- /dev/null +++ b/docbook/wsug_src/images/ws-capture-options.png diff --git a/docbook/wsug_src/images/ws-choose-color-rule.png b/docbook/wsug_src/images/ws-choose-color-rule.png Binary files differnew file mode 100644 index 0000000..263aa55 --- /dev/null +++ b/docbook/wsug_src/images/ws-choose-color-rule.png diff --git a/docbook/wsug_src/images/ws-coloring-fields.png b/docbook/wsug_src/images/ws-coloring-fields.png Binary files differnew file mode 100644 index 0000000..9a5171a --- /dev/null +++ b/docbook/wsug_src/images/ws-coloring-fields.png diff --git a/docbook/wsug_src/images/ws-coloring-rules-dialog.png b/docbook/wsug_src/images/ws-coloring-rules-dialog.png Binary files differnew file mode 100644 index 0000000..ac6d28e --- /dev/null +++ b/docbook/wsug_src/images/ws-coloring-rules-dialog.png diff --git a/docbook/wsug_src/images/ws-column-header-popup-menu.png b/docbook/wsug_src/images/ws-column-header-popup-menu.png Binary files differnew file mode 100644 index 0000000..d895dd8 --- /dev/null +++ b/docbook/wsug_src/images/ws-column-header-popup-menu.png diff --git a/docbook/wsug_src/images/ws-csp-statistics.png b/docbook/wsug_src/images/ws-csp-statistics.png Binary files differnew file mode 100644 index 0000000..cbade24 --- /dev/null +++ b/docbook/wsug_src/images/ws-csp-statistics.png diff --git a/docbook/wsug_src/images/ws-decode-as.png b/docbook/wsug_src/images/ws-decode-as.png Binary files differnew file mode 100644 index 0000000..2b37e56 --- /dev/null +++ b/docbook/wsug_src/images/ws-decode-as.png diff --git a/docbook/wsug_src/images/ws-details-pane-popup-menu.png b/docbook/wsug_src/images/ws-details-pane-popup-menu.png Binary files differnew file mode 100644 index 0000000..c0980ba --- /dev/null +++ b/docbook/wsug_src/images/ws-details-pane-popup-menu.png diff --git a/docbook/wsug_src/images/ws-details-pane.png b/docbook/wsug_src/images/ws-details-pane.png Binary files differnew file mode 100644 index 0000000..cc0b917 --- /dev/null +++ b/docbook/wsug_src/images/ws-details-pane.png diff --git a/docbook/wsug_src/images/ws-diagram-pane-popup-menu.png b/docbook/wsug_src/images/ws-diagram-pane-popup-menu.png Binary files differnew file mode 100644 index 0000000..1e17628 --- /dev/null +++ b/docbook/wsug_src/images/ws-diagram-pane-popup-menu.png diff --git a/docbook/wsug_src/images/ws-diagram-pane.png b/docbook/wsug_src/images/ws-diagram-pane.png Binary files differnew file mode 100644 index 0000000..117f1f5 --- /dev/null +++ b/docbook/wsug_src/images/ws-diagram-pane.png diff --git a/docbook/wsug_src/images/ws-display-filter-tcp.png b/docbook/wsug_src/images/ws-display-filter-tcp.png Binary files differnew file mode 100644 index 0000000..181f41d --- /dev/null +++ b/docbook/wsug_src/images/ws-display-filter-tcp.png diff --git a/docbook/wsug_src/images/ws-dns.png b/docbook/wsug_src/images/ws-dns.png Binary files differnew file mode 100644 index 0000000..4458e3c --- /dev/null +++ b/docbook/wsug_src/images/ws-dns.png diff --git a/docbook/wsug_src/images/ws-edit-menu.png b/docbook/wsug_src/images/ws-edit-menu.png Binary files differnew file mode 100644 index 0000000..204e219 --- /dev/null +++ b/docbook/wsug_src/images/ws-edit-menu.png diff --git a/docbook/wsug_src/images/ws-enabled-protocols.png b/docbook/wsug_src/images/ws-enabled-protocols.png Binary files differnew file mode 100644 index 0000000..a7d149b --- /dev/null +++ b/docbook/wsug_src/images/ws-enabled-protocols.png diff --git a/docbook/wsug_src/images/ws-enrp-statistics.png b/docbook/wsug_src/images/ws-enrp-statistics.png Binary files differnew file mode 100644 index 0000000..df0db91 --- /dev/null +++ b/docbook/wsug_src/images/ws-enrp-statistics.png diff --git a/docbook/wsug_src/images/ws-expert-colored-tree.png b/docbook/wsug_src/images/ws-expert-colored-tree.png Binary files differnew file mode 100644 index 0000000..a203ff6 --- /dev/null +++ b/docbook/wsug_src/images/ws-expert-colored-tree.png diff --git a/docbook/wsug_src/images/ws-expert-column.png b/docbook/wsug_src/images/ws-expert-column.png Binary files differnew file mode 100644 index 0000000..66941af --- /dev/null +++ b/docbook/wsug_src/images/ws-expert-column.png diff --git a/docbook/wsug_src/images/ws-expert-information.png b/docbook/wsug_src/images/ws-expert-information.png Binary files differnew file mode 100644 index 0000000..8fa6310 --- /dev/null +++ b/docbook/wsug_src/images/ws-expert-information.png diff --git a/docbook/wsug_src/images/ws-export-objects.png b/docbook/wsug_src/images/ws-export-objects.png Binary files differnew file mode 100644 index 0000000..fc9a024 --- /dev/null +++ b/docbook/wsug_src/images/ws-export-objects.png diff --git a/docbook/wsug_src/images/ws-export-packet-dissections.png b/docbook/wsug_src/images/ws-export-packet-dissections.png Binary files differnew file mode 100644 index 0000000..4be7c95 --- /dev/null +++ b/docbook/wsug_src/images/ws-export-packet-dissections.png diff --git a/docbook/wsug_src/images/ws-export-pdus-to-file.png b/docbook/wsug_src/images/ws-export-pdus-to-file.png Binary files differnew file mode 100644 index 0000000..a496922 --- /dev/null +++ b/docbook/wsug_src/images/ws-export-pdus-to-file.png diff --git a/docbook/wsug_src/images/ws-export-selected.png b/docbook/wsug_src/images/ws-export-selected.png Binary files differnew file mode 100644 index 0000000..1c20f76 --- /dev/null +++ b/docbook/wsug_src/images/ws-export-selected.png diff --git a/docbook/wsug_src/images/ws-export-specified-packets.png b/docbook/wsug_src/images/ws-export-specified-packets.png Binary files differnew file mode 100644 index 0000000..e8bb8ae --- /dev/null +++ b/docbook/wsug_src/images/ws-export-specified-packets.png diff --git a/docbook/wsug_src/images/ws-fgp-statistics.png b/docbook/wsug_src/images/ws-fgp-statistics.png Binary files differnew file mode 100644 index 0000000..bfe4d50 --- /dev/null +++ b/docbook/wsug_src/images/ws-fgp-statistics.png diff --git a/docbook/wsug_src/images/ws-file-import-regex.png b/docbook/wsug_src/images/ws-file-import-regex.png Binary files differnew file mode 100644 index 0000000..3f57eb1 --- /dev/null +++ b/docbook/wsug_src/images/ws-file-import-regex.png diff --git a/docbook/wsug_src/images/ws-file-import.png b/docbook/wsug_src/images/ws-file-import.png Binary files differnew file mode 100644 index 0000000..e957d14 --- /dev/null +++ b/docbook/wsug_src/images/ws-file-import.png diff --git a/docbook/wsug_src/images/ws-file-menu.png b/docbook/wsug_src/images/ws-file-menu.png Binary files differnew file mode 100644 index 0000000..d7e8d43 --- /dev/null +++ b/docbook/wsug_src/images/ws-file-menu.png diff --git a/docbook/wsug_src/images/ws-file-set-dialog.png b/docbook/wsug_src/images/ws-file-set-dialog.png Binary files differnew file mode 100644 index 0000000..fb470d2 --- /dev/null +++ b/docbook/wsug_src/images/ws-file-set-dialog.png diff --git a/docbook/wsug_src/images/ws-filter-add-expression.png b/docbook/wsug_src/images/ws-filter-add-expression.png Binary files differnew file mode 100644 index 0000000..e4f9970 --- /dev/null +++ b/docbook/wsug_src/images/ws-filter-add-expression.png diff --git a/docbook/wsug_src/images/ws-filter-macros.png b/docbook/wsug_src/images/ws-filter-macros.png Binary files differnew file mode 100644 index 0000000..861f1b5 --- /dev/null +++ b/docbook/wsug_src/images/ws-filter-macros.png diff --git a/docbook/wsug_src/images/ws-filter-toolbar.png b/docbook/wsug_src/images/ws-filter-toolbar.png Binary files differnew file mode 100644 index 0000000..1c680c6 --- /dev/null +++ b/docbook/wsug_src/images/ws-filter-toolbar.png diff --git a/docbook/wsug_src/images/ws-filters.png b/docbook/wsug_src/images/ws-filters.png Binary files differnew file mode 100644 index 0000000..afbb36e --- /dev/null +++ b/docbook/wsug_src/images/ws-filters.png diff --git a/docbook/wsug_src/images/ws-find-packet.png b/docbook/wsug_src/images/ws-find-packet.png Binary files differnew file mode 100644 index 0000000..e773d94 --- /dev/null +++ b/docbook/wsug_src/images/ws-find-packet.png diff --git a/docbook/wsug_src/images/ws-flow-graph.png b/docbook/wsug_src/images/ws-flow-graph.png Binary files differnew file mode 100644 index 0000000..17dacda --- /dev/null +++ b/docbook/wsug_src/images/ws-flow-graph.png diff --git a/docbook/wsug_src/images/ws-follow-http2-stream.png b/docbook/wsug_src/images/ws-follow-http2-stream.png Binary files differnew file mode 100644 index 0000000..616dfd7 --- /dev/null +++ b/docbook/wsug_src/images/ws-follow-http2-stream.png diff --git a/docbook/wsug_src/images/ws-follow-sip-stream.png b/docbook/wsug_src/images/ws-follow-sip-stream.png Binary files differnew file mode 100644 index 0000000..52f8181 --- /dev/null +++ b/docbook/wsug_src/images/ws-follow-sip-stream.png diff --git a/docbook/wsug_src/images/ws-follow-stream.png b/docbook/wsug_src/images/ws-follow-stream.png Binary files differnew file mode 100644 index 0000000..1c926af --- /dev/null +++ b/docbook/wsug_src/images/ws-follow-stream.png diff --git a/docbook/wsug_src/images/ws-go-menu.png b/docbook/wsug_src/images/ws-go-menu.png Binary files differnew file mode 100644 index 0000000..d0231c9 --- /dev/null +++ b/docbook/wsug_src/images/ws-go-menu.png diff --git a/docbook/wsug_src/images/ws-goto-packet.png b/docbook/wsug_src/images/ws-goto-packet.png Binary files differnew file mode 100644 index 0000000..10092fc --- /dev/null +++ b/docbook/wsug_src/images/ws-goto-packet.png diff --git a/docbook/wsug_src/images/ws-gui-config-profiles.png b/docbook/wsug_src/images/ws-gui-config-profiles.png Binary files differnew file mode 100644 index 0000000..38c594d --- /dev/null +++ b/docbook/wsug_src/images/ws-gui-config-profiles.png diff --git a/docbook/wsug_src/images/ws-help-menu.png b/docbook/wsug_src/images/ws-help-menu.png Binary files differnew file mode 100644 index 0000000..f083a85 --- /dev/null +++ b/docbook/wsug_src/images/ws-help-menu.png diff --git a/docbook/wsug_src/images/ws-list-pane.png b/docbook/wsug_src/images/ws-list-pane.png Binary files differnew file mode 100644 index 0000000..8770bc4 --- /dev/null +++ b/docbook/wsug_src/images/ws-list-pane.png diff --git a/docbook/wsug_src/images/ws-main-toolbar.png b/docbook/wsug_src/images/ws-main-toolbar.png Binary files differnew file mode 100644 index 0000000..0de939f --- /dev/null +++ b/docbook/wsug_src/images/ws-main-toolbar.png diff --git a/docbook/wsug_src/images/ws-main.png b/docbook/wsug_src/images/ws-main.png Binary files differnew file mode 100644 index 0000000..a975b9e --- /dev/null +++ b/docbook/wsug_src/images/ws-main.png diff --git a/docbook/wsug_src/images/ws-manage-interfaces.png b/docbook/wsug_src/images/ws-manage-interfaces.png Binary files differnew file mode 100644 index 0000000..ff37aa2 --- /dev/null +++ b/docbook/wsug_src/images/ws-manage-interfaces.png diff --git a/docbook/wsug_src/images/ws-mate-analysis.png b/docbook/wsug_src/images/ws-mate-analysis.png Binary files differnew file mode 100644 index 0000000..bb33b4f --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-analysis.png diff --git a/docbook/wsug_src/images/ws-mate-dns_pane.png b/docbook/wsug_src/images/ws-mate-dns_pane.png Binary files differnew file mode 100644 index 0000000..99e5a07 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-dns_pane.png diff --git a/docbook/wsug_src/images/ws-mate-dns_pdu.png b/docbook/wsug_src/images/ws-mate-dns_pdu.png Binary files differnew file mode 100644 index 0000000..1506303 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-dns_pdu.png diff --git a/docbook/wsug_src/images/ws-mate-ftp_over_gre.png b/docbook/wsug_src/images/ws-mate-ftp_over_gre.png Binary files differnew file mode 100644 index 0000000..b7aa637 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-ftp_over_gre.png diff --git a/docbook/wsug_src/images/ws-mate-gop_analysis.png b/docbook/wsug_src/images/ws-mate-gop_analysis.png Binary files differnew file mode 100644 index 0000000..6086fa7 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-gop_analysis.png diff --git a/docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png b/docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png Binary files differnew file mode 100644 index 0000000..a6e2baf --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-isup_over_mtp3_over_ip.png diff --git a/docbook/wsug_src/images/ws-mate-mmse_over_http.png b/docbook/wsug_src/images/ws-mate-mmse_over_http.png Binary files differnew file mode 100644 index 0000000..4ee2d4e --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-mmse_over_http.png diff --git a/docbook/wsug_src/images/ws-mate-pdu_analysis.png b/docbook/wsug_src/images/ws-mate-pdu_analysis.png Binary files differnew file mode 100644 index 0000000..cf126e8 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-pdu_analysis.png diff --git a/docbook/wsug_src/images/ws-mate-tcp-output.png b/docbook/wsug_src/images/ws-mate-tcp-output.png Binary files differnew file mode 100644 index 0000000..c547639 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-tcp-output.png diff --git a/docbook/wsug_src/images/ws-mate-transform.png b/docbook/wsug_src/images/ws-mate-transform.png Binary files differnew file mode 100644 index 0000000..a943011 --- /dev/null +++ b/docbook/wsug_src/images/ws-mate-transform.png diff --git a/docbook/wsug_src/images/ws-menu.png b/docbook/wsug_src/images/ws-menu.png Binary files differnew file mode 100644 index 0000000..3f7f847 --- /dev/null +++ b/docbook/wsug_src/images/ws-menu.png diff --git a/docbook/wsug_src/images/ws-merge-qt5.png b/docbook/wsug_src/images/ws-merge-qt5.png Binary files differnew file mode 100644 index 0000000..e5d0368 --- /dev/null +++ b/docbook/wsug_src/images/ws-merge-qt5.png diff --git a/docbook/wsug_src/images/ws-merge-win32.png b/docbook/wsug_src/images/ws-merge-win32.png Binary files differnew file mode 100644 index 0000000..c3233ba --- /dev/null +++ b/docbook/wsug_src/images/ws-merge-win32.png diff --git a/docbook/wsug_src/images/ws-netperfmeter-statistics.png b/docbook/wsug_src/images/ws-netperfmeter-statistics.png Binary files differnew file mode 100644 index 0000000..15a0c7a --- /dev/null +++ b/docbook/wsug_src/images/ws-netperfmeter-statistics.png diff --git a/docbook/wsug_src/images/ws-open-qt5.png b/docbook/wsug_src/images/ws-open-qt5.png Binary files differnew file mode 100644 index 0000000..01acf86 --- /dev/null +++ b/docbook/wsug_src/images/ws-open-qt5.png diff --git a/docbook/wsug_src/images/ws-open-win32.png b/docbook/wsug_src/images/ws-open-win32.png Binary files differnew file mode 100644 index 0000000..182942a --- /dev/null +++ b/docbook/wsug_src/images/ws-open-win32.png diff --git a/docbook/wsug_src/images/ws-packet-format.png b/docbook/wsug_src/images/ws-packet-format.png Binary files differnew file mode 100644 index 0000000..74a24d4 --- /dev/null +++ b/docbook/wsug_src/images/ws-packet-format.png diff --git a/docbook/wsug_src/images/ws-packet-pane-popup-menu.png b/docbook/wsug_src/images/ws-packet-pane-popup-menu.png Binary files differnew file mode 100644 index 0000000..6a2cc4d --- /dev/null +++ b/docbook/wsug_src/images/ws-packet-pane-popup-menu.png diff --git a/docbook/wsug_src/images/ws-packet-range.png b/docbook/wsug_src/images/ws-packet-range.png Binary files differnew file mode 100644 index 0000000..a35a008 --- /dev/null +++ b/docbook/wsug_src/images/ws-packet-range.png diff --git a/docbook/wsug_src/images/ws-packet-selected.png b/docbook/wsug_src/images/ws-packet-selected.png Binary files differnew file mode 100644 index 0000000..bafc07c --- /dev/null +++ b/docbook/wsug_src/images/ws-packet-selected.png diff --git a/docbook/wsug_src/images/ws-packet-sep-win.png b/docbook/wsug_src/images/ws-packet-sep-win.png Binary files differnew file mode 100644 index 0000000..f9e507f --- /dev/null +++ b/docbook/wsug_src/images/ws-packet-sep-win.png diff --git a/docbook/wsug_src/images/ws-pingpongprotocol-statistics.png b/docbook/wsug_src/images/ws-pingpongprotocol-statistics.png Binary files differnew file mode 100644 index 0000000..d67b7cd --- /dev/null +++ b/docbook/wsug_src/images/ws-pingpongprotocol-statistics.png diff --git a/docbook/wsug_src/images/ws-pref-advanced.png b/docbook/wsug_src/images/ws-pref-advanced.png Binary files differnew file mode 100644 index 0000000..c7c4449 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-advanced.png diff --git a/docbook/wsug_src/images/ws-pref-appearance-columns.png b/docbook/wsug_src/images/ws-pref-appearance-columns.png Binary files differnew file mode 100644 index 0000000..84db3d9 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-appearance-columns.png diff --git a/docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png b/docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png Binary files differnew file mode 100644 index 0000000..538a20f --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-appearance-fonts-and-colors.png diff --git a/docbook/wsug_src/images/ws-pref-appearance-layout.png b/docbook/wsug_src/images/ws-pref-appearance-layout.png Binary files differnew file mode 100644 index 0000000..6f896d1 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-appearance-layout.png diff --git a/docbook/wsug_src/images/ws-pref-appearance.png b/docbook/wsug_src/images/ws-pref-appearance.png Binary files differnew file mode 100644 index 0000000..ffc52e2 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-appearance.png diff --git a/docbook/wsug_src/images/ws-pref-capture.png b/docbook/wsug_src/images/ws-pref-capture.png Binary files differnew file mode 100644 index 0000000..5c76d28 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-capture.png diff --git a/docbook/wsug_src/images/ws-pref-expert.png b/docbook/wsug_src/images/ws-pref-expert.png Binary files differnew file mode 100644 index 0000000..fe1594b --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-expert.png diff --git a/docbook/wsug_src/images/ws-pref-filter-buttons.png b/docbook/wsug_src/images/ws-pref-filter-buttons.png Binary files differnew file mode 100644 index 0000000..e45e736 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-filter-buttons.png diff --git a/docbook/wsug_src/images/ws-pref-name-resolution.png b/docbook/wsug_src/images/ws-pref-name-resolution.png Binary files differnew file mode 100644 index 0000000..3fdc7d5 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-name-resolution.png diff --git a/docbook/wsug_src/images/ws-pref-protocols.png b/docbook/wsug_src/images/ws-pref-protocols.png Binary files differnew file mode 100644 index 0000000..821b7cc --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-protocols.png diff --git a/docbook/wsug_src/images/ws-pref-rsa-keys.png b/docbook/wsug_src/images/ws-pref-rsa-keys.png Binary files differnew file mode 100644 index 0000000..21cb620 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-rsa-keys.png diff --git a/docbook/wsug_src/images/ws-pref-statistics.png b/docbook/wsug_src/images/ws-pref-statistics.png Binary files differnew file mode 100644 index 0000000..2bef021 --- /dev/null +++ b/docbook/wsug_src/images/ws-pref-statistics.png diff --git a/docbook/wsug_src/images/ws-print.png b/docbook/wsug_src/images/ws-print.png Binary files differnew file mode 100644 index 0000000..9c3b79e --- /dev/null +++ b/docbook/wsug_src/images/ws-print.png diff --git a/docbook/wsug_src/images/ws-resolved-addr.png b/docbook/wsug_src/images/ws-resolved-addr.png Binary files differnew file mode 100644 index 0000000..c386821 --- /dev/null +++ b/docbook/wsug_src/images/ws-resolved-addr.png diff --git a/docbook/wsug_src/images/ws-rlc-graph.png b/docbook/wsug_src/images/ws-rlc-graph.png Binary files differnew file mode 100644 index 0000000..e14bb72 --- /dev/null +++ b/docbook/wsug_src/images/ws-rlc-graph.png diff --git a/docbook/wsug_src/images/ws-save-as-qt5.png b/docbook/wsug_src/images/ws-save-as-qt5.png Binary files differnew file mode 100644 index 0000000..64d2eec --- /dev/null +++ b/docbook/wsug_src/images/ws-save-as-qt5.png diff --git a/docbook/wsug_src/images/ws-save-as-win32.png b/docbook/wsug_src/images/ws-save-as-win32.png Binary files differnew file mode 100644 index 0000000..e50619f --- /dev/null +++ b/docbook/wsug_src/images/ws-save-as-win32.png diff --git a/docbook/wsug_src/images/ws-sctp-1-association.png b/docbook/wsug_src/images/ws-sctp-1-association.png Binary files differnew file mode 100644 index 0000000..0573ae8 --- /dev/null +++ b/docbook/wsug_src/images/ws-sctp-1-association.png diff --git a/docbook/wsug_src/images/ws-sctp.png b/docbook/wsug_src/images/ws-sctp.png Binary files differnew file mode 100644 index 0000000..884a91e --- /dev/null +++ b/docbook/wsug_src/images/ws-sctp.png diff --git a/docbook/wsug_src/images/ws-ssp-statistics.png b/docbook/wsug_src/images/ws-ssp-statistics.png Binary files differnew file mode 100644 index 0000000..8c6817b --- /dev/null +++ b/docbook/wsug_src/images/ws-ssp-statistics.png diff --git a/docbook/wsug_src/images/ws-statistics-menu.png b/docbook/wsug_src/images/ws-statistics-menu.png Binary files differnew file mode 100644 index 0000000..e772bff --- /dev/null +++ b/docbook/wsug_src/images/ws-statistics-menu.png diff --git a/docbook/wsug_src/images/ws-stats-conversations.png b/docbook/wsug_src/images/ws-stats-conversations.png Binary files differnew file mode 100644 index 0000000..fb4cd9e --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-conversations.png diff --git a/docbook/wsug_src/images/ws-stats-endpoints.png b/docbook/wsug_src/images/ws-stats-endpoints.png Binary files differnew file mode 100644 index 0000000..917726a --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-endpoints.png diff --git a/docbook/wsug_src/images/ws-stats-hierarchy.png b/docbook/wsug_src/images/ws-stats-hierarchy.png Binary files differnew file mode 100644 index 0000000..f904ece --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-hierarchy.png diff --git a/docbook/wsug_src/images/ws-stats-http-requestsequences.png b/docbook/wsug_src/images/ws-stats-http-requestsequences.png Binary files differnew file mode 100644 index 0000000..8365673 --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-http-requestsequences.png diff --git a/docbook/wsug_src/images/ws-stats-iographs.png b/docbook/wsug_src/images/ws-stats-iographs.png Binary files differnew file mode 100644 index 0000000..80e4cf7 --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-iographs.png diff --git a/docbook/wsug_src/images/ws-stats-lte-mac-traffic.png b/docbook/wsug_src/images/ws-stats-lte-mac-traffic.png Binary files differnew file mode 100644 index 0000000..441ab97 --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-lte-mac-traffic.png diff --git a/docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png b/docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png Binary files differnew file mode 100644 index 0000000..9fb1364 --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-lte-rlc-traffic.png diff --git a/docbook/wsug_src/images/ws-stats-packet-lengths.png b/docbook/wsug_src/images/ws-stats-packet-lengths.png Binary files differnew file mode 100644 index 0000000..7b22e4d --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-packet-lengths.png diff --git a/docbook/wsug_src/images/ws-stats-srt-smb2.png b/docbook/wsug_src/images/ws-stats-srt-smb2.png Binary files differnew file mode 100644 index 0000000..6e05af0 --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-srt-smb2.png diff --git a/docbook/wsug_src/images/ws-stats-wlan-traffic.png b/docbook/wsug_src/images/ws-stats-wlan-traffic.png Binary files differnew file mode 100644 index 0000000..8186b4a --- /dev/null +++ b/docbook/wsug_src/images/ws-stats-wlan-traffic.png diff --git a/docbook/wsug_src/images/ws-statusbar-empty.png b/docbook/wsug_src/images/ws-statusbar-empty.png Binary files differnew file mode 100644 index 0000000..953aced --- /dev/null +++ b/docbook/wsug_src/images/ws-statusbar-empty.png diff --git a/docbook/wsug_src/images/ws-statusbar-filter.png b/docbook/wsug_src/images/ws-statusbar-filter.png Binary files differnew file mode 100644 index 0000000..1e09e0b --- /dev/null +++ b/docbook/wsug_src/images/ws-statusbar-filter.png diff --git a/docbook/wsug_src/images/ws-statusbar-loaded.png b/docbook/wsug_src/images/ws-statusbar-loaded.png Binary files differnew file mode 100644 index 0000000..8b19b02 --- /dev/null +++ b/docbook/wsug_src/images/ws-statusbar-loaded.png diff --git a/docbook/wsug_src/images/ws-statusbar-profile.png b/docbook/wsug_src/images/ws-statusbar-profile.png Binary files differnew file mode 100644 index 0000000..dcc309b --- /dev/null +++ b/docbook/wsug_src/images/ws-statusbar-profile.png diff --git a/docbook/wsug_src/images/ws-statusbar-selected.png b/docbook/wsug_src/images/ws-statusbar-selected.png Binary files differnew file mode 100644 index 0000000..fd10c24 --- /dev/null +++ b/docbook/wsug_src/images/ws-statusbar-selected.png diff --git a/docbook/wsug_src/images/ws-tcp-analysis.png b/docbook/wsug_src/images/ws-tcp-analysis.png Binary files differnew file mode 100644 index 0000000..9a376c5 --- /dev/null +++ b/docbook/wsug_src/images/ws-tcp-analysis.png diff --git a/docbook/wsug_src/images/ws-tel-playlist.dia b/docbook/wsug_src/images/ws-tel-playlist.dia Binary files differnew file mode 100644 index 0000000..28eced5 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-playlist.dia diff --git a/docbook/wsug_src/images/ws-tel-playlist.png b/docbook/wsug_src/images/ws-tel-playlist.png Binary files differnew file mode 100644 index 0000000..4c586d0 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-playlist.png diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_1.png b/docbook/wsug_src/images/ws-tel-rtp-player_1.png Binary files differnew file mode 100644 index 0000000..9e7249d --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_1.png diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_1.xcf b/docbook/wsug_src/images/ws-tel-rtp-player_1.xcf Binary files differnew file mode 100644 index 0000000..c48a0ca --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_1.xcf diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_2.png b/docbook/wsug_src/images/ws-tel-rtp-player_2.png Binary files differnew file mode 100644 index 0000000..8ec513e --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_2.png diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_2.xcf b/docbook/wsug_src/images/ws-tel-rtp-player_2.xcf Binary files differnew file mode 100644 index 0000000..4411c7c --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_2.xcf diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_3.png b/docbook/wsug_src/images/ws-tel-rtp-player_3.png Binary files differnew file mode 100644 index 0000000..6eb5c15 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_3.png diff --git a/docbook/wsug_src/images/ws-tel-rtp-player_button.png b/docbook/wsug_src/images/ws-tel-rtp-player_button.png Binary files differnew file mode 100644 index 0000000..a4a5183 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-player_button.png diff --git a/docbook/wsug_src/images/ws-tel-rtp-streams.png b/docbook/wsug_src/images/ws-tel-rtp-streams.png Binary files differnew file mode 100644 index 0000000..d9ce959 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtp-streams.png diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png Binary files differnew file mode 100644 index 0000000..48b3de4 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_1.png diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png Binary files differnew file mode 100644 index 0000000..2819ede --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_2.png diff --git a/docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png Binary files differnew file mode 100644 index 0000000..cf3dccc --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-rtpstream-analysis_3.png diff --git a/docbook/wsug_src/images/ws-tel-seq-dialog.png b/docbook/wsug_src/images/ws-tel-seq-dialog.png Binary files differnew file mode 100644 index 0000000..18f78cc --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-seq-dialog.png diff --git a/docbook/wsug_src/images/ws-tel-voip-calls.png b/docbook/wsug_src/images/ws-tel-voip-calls.png Binary files differnew file mode 100644 index 0000000..a8d8909 --- /dev/null +++ b/docbook/wsug_src/images/ws-tel-voip-calls.png diff --git a/docbook/wsug_src/images/ws-telephony-menu.png b/docbook/wsug_src/images/ws-telephony-menu.png Binary files differnew file mode 100644 index 0000000..38facaa --- /dev/null +++ b/docbook/wsug_src/images/ws-telephony-menu.png diff --git a/docbook/wsug_src/images/ws-time-reference.png b/docbook/wsug_src/images/ws-time-reference.png Binary files differnew file mode 100644 index 0000000..656dfab --- /dev/null +++ b/docbook/wsug_src/images/ws-time-reference.png diff --git a/docbook/wsug_src/images/ws-time-shift-details.png b/docbook/wsug_src/images/ws-time-shift-details.png Binary files differnew file mode 100644 index 0000000..8872a30 --- /dev/null +++ b/docbook/wsug_src/images/ws-time-shift-details.png diff --git a/docbook/wsug_src/images/ws-time-shift.png b/docbook/wsug_src/images/ws-time-shift.png Binary files differnew file mode 100644 index 0000000..dcfb6f7 --- /dev/null +++ b/docbook/wsug_src/images/ws-time-shift.png diff --git a/docbook/wsug_src/images/ws-tls-session-keys.png b/docbook/wsug_src/images/ws-tls-session-keys.png Binary files differnew file mode 100644 index 0000000..ba0084f --- /dev/null +++ b/docbook/wsug_src/images/ws-tls-session-keys.png diff --git a/docbook/wsug_src/images/ws-tools-menu.png b/docbook/wsug_src/images/ws-tools-menu.png Binary files differnew file mode 100644 index 0000000..edc753d --- /dev/null +++ b/docbook/wsug_src/images/ws-tools-menu.png diff --git a/docbook/wsug_src/images/ws-udp-multicast-stream.png b/docbook/wsug_src/images/ws-udp-multicast-stream.png Binary files differnew file mode 100644 index 0000000..b2bcbde --- /dev/null +++ b/docbook/wsug_src/images/ws-udp-multicast-stream.png diff --git a/docbook/wsug_src/images/ws-user-guide-cover.png b/docbook/wsug_src/images/ws-user-guide-cover.png Binary files differnew file mode 100644 index 0000000..7aeda92 --- /dev/null +++ b/docbook/wsug_src/images/ws-user-guide-cover.png diff --git a/docbook/wsug_src/images/ws-view-menu.png b/docbook/wsug_src/images/ws-view-menu.png Binary files differnew file mode 100644 index 0000000..78e932b --- /dev/null +++ b/docbook/wsug_src/images/ws-view-menu.png diff --git a/docbook/wsug_src/images/ws-wireless-menu.png b/docbook/wsug_src/images/ws-wireless-menu.png Binary files differnew file mode 100644 index 0000000..002289e --- /dev/null +++ b/docbook/wsug_src/images/ws-wireless-menu.png diff --git a/docbook/wsug_src/mergecap-h.txt b/docbook/wsug_src/mergecap-h.txt new file mode 100644 index 0000000..d2c5231 --- /dev/null +++ b/docbook/wsug_src/mergecap-h.txt @@ -0,0 +1,20 @@ +Mergecap (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Merge two or more capture files into one. +See https://www.wireshark.org for more information. + +Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...] + +Output: + -a concatenate rather than merge files. + default is to merge based on frame timestamps. + -s <snaplen> truncate packets to <snaplen> bytes of data. + -w <outfile>|- set the output filename to <outfile> or '-' for stdout. + -F <capture type> set the output file type; default is pcapng. + an empty "-F" option will list the file types. + -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'. + an empty "-I" option will list the merge modes. + +Miscellaneous: + -h, --help display this help and exit. + -V verbose output. + -v, --version print version information and exit. diff --git a/docbook/wsug_src/rawshark-h.txt b/docbook/wsug_src/rawshark-h.txt new file mode 100644 index 0000000..1302dea --- /dev/null +++ b/docbook/wsug_src/rawshark-h.txt @@ -0,0 +1,59 @@ +Rawshark (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: rawshark [options] ... + +Input file: + -r <infile> set the pipe or file name to read from + +Processing: + -d <encap:linktype>|<proto:protoname> + packet encapsulation or protocol + -F <field> field to display + -m virtual memory limit, in bytes + -n disable all name resolutions (def: "mNd" enabled, or + as set in preferences) + -N <name resolve flags> enable specific name resolution(s): "mnNtdv" + -p use the system's packet header format + (which may have 64-bit timestamps) + -R <read filter> packet filter in Wireshark display filter syntax + -s skip PCAP header on input + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <protocols> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol + +Output: + -l flush output after each packet + -S format string for fields + (%D - name, %S - stringval, %N numval) + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + output format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -o <name>:<value> ... override preference setting + -K <keytab> keytab file to use for kerberos decryption diff --git a/docbook/wsug_src/reordercap-h.txt b/docbook/wsug_src/reordercap-h.txt new file mode 100644 index 0000000..eb8ab5d --- /dev/null +++ b/docbook/wsug_src/reordercap-h.txt @@ -0,0 +1,10 @@ +Reordercap (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Reorder timestamps of input file frames into output file. +See https://www.wireshark.org for more information. + +Usage: reordercap [options] <infile> <outfile> + +Options: + -n don't write to output file if the input file is ordered. + -h, --help display this help and exit. + -v, --version print version information and exit. diff --git a/docbook/wsug_src/text2pcap-h.txt b/docbook/wsug_src/text2pcap-h.txt new file mode 100644 index 0000000..9066427 --- /dev/null +++ b/docbook/wsug_src/text2pcap-h.txt @@ -0,0 +1,108 @@ +Text2pcap (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Generate a capture file from an ASCII hexdump of packets. +See https://www.wireshark.org for more information. + +Usage: text2pcap [options] <infile> <outfile> + +where <infile> specifies input filename (use - for standard input) + <outfile> specifies output filename (use - for standard output) + +Input: + -o hex|oct|dec|none parse offsets as (h)ex, (o)ctal, (d)ecimal, or (n)one; + default is hex. + -t <timefmt> treat the text before the packet as a date/time code; + <timefmt> is a format string supported by strptime, + with an optional %f descriptor for fractional seconds. + Example: The time "10:15:14.5476" has the format code + "%H:%M:%S.%f" + The special format string ISO supports ISO-8601 times. + NOTE: Date/time fields from the current date/time are + used as the default for unspecified fields. + -D the text before the packet starts with an I or an O, + indicating that the packet is inbound or outbound. + This is used when generating dummy headers if the + output format supports it (e.g. pcapng). + -a enable ASCII text dump identification. + The start of the ASCII text dump can be identified + and excluded from the packet data, even if it looks + like a HEX dump. + NOTE: Do not enable it if the input file does not + contain the ASCII text dump. + -r <regex> enable regex mode. Scan the input using <regex>, a Perl + compatible regular expression matching a single packet. + Named capturing subgroups are used to identify fields: + <data> (mand.), and <time>, <dir>, and <seqno> (opt.) + The time field format is taken from the -t option + Example: -r '^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$' + could match a file with lines like + > 0:00:00.265620 a130368b000000080060 + < 0:00:00.295459 a2010800000000000000000800000000 + -b 2|8|16|64 encoding base (radix) of the packet data in regex mode + (def: 16: hexadecimal) No effect in hexdump mode. + +Output: + -F <capture type> set the output file type; default is pcapng. + an empty "-F" option will list the file types. + -E <encap type> set the output file encapsulation type; default is + ether (Ethernet). An empty "-E" option will list + the encapsulation types. + -l <typenum> set the output file encapsulation type via link-layer + type number; default is 1 (Ethernet). See + https://www.tcpdump.org/linktypes.html for a list of + numbers. + Example: -l 7 for ARCNet packets. + -m <max-packet> max packet length in output; default is 262144 + -N <intf-name> assign name to the interface in the pcapng file. + +Prepend dummy header: + -e <l3pid> prepend dummy Ethernet II header with specified L3PID + (in HEX). + Example: -e 0x806 to specify an ARP packet. + -i <proto> prepend dummy IP header with specified IP protocol + (in DECIMAL). + Automatically prepends Ethernet header as well if + link-layer type is Ethernet. + Example: -i 46 + -4 <srcip>,<destip> prepend dummy IPv4 header with specified + dest and source address. + Example: -4 10.0.0.1,10.0.0.2 + -6 <srcip>,<destip> prepend dummy IPv6 header with specified + dest and source address. + Example: -6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334 + -u <srcp>,<destp> prepend dummy UDP header with specified + source and destination ports (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -u 1000,69 to make the packets look like + TFTP/UDP packets. + -T <srcp>,<destp> prepend dummy TCP header with specified + source and destination ports (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -T 50,60 + -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified + source/dest ports and verification tag (in DECIMAL). + Automatically prepends Ethernet & IP headers as well. + Example: -s 30,40,34 + -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified + source/dest ports and verification tag 0. + Automatically prepends a dummy SCTP DATA + chunk header with payload protocol identifier ppi. + Example: -S 30,40,34 + -P <dissector> prepend EXPORTED_PDU header with specified dissector + as the payload DISSECTOR_NAME tag. + Automatically sets link type to Upper PDU Export. + EXPORTED_PDU payload defaults to "data" otherwise. + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version print version information and exit + -q don't report processed packet counts diff --git a/docbook/wsug_src/tshark-h.txt b/docbook/wsug_src/tshark-h.txt new file mode 100644 index 0000000..84bb1c1 --- /dev/null +++ b/docbook/wsug_src/tshark-h.txt @@ -0,0 +1,166 @@ +TShark (Wireshark) 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: tshark [options] ... + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback) + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer (def: 2MB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + --update-interval interval between updates with new packets (def: 100ms) + +Capture stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM KB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Capture output: + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM KB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - switch to next file after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs +Input file: + -r <infile>, --read-file <infile> + set the filename to read from (or '-' for stdin) + +Processing: + -2 perform a two-pass analysis + -M <packet count> perform session auto reset + -R <read filter>, --read-filter <read filter> + packet Read filter in Wireshark display filter syntax + (requires -2) + -Y <display filter>, --display-filter <display filter> + packet displaY filter in Wireshark display filter + syntax + -n disable all name resolutions (def: "mNd" enabled, or + as set in preferences) + -N <name resolve flags> enable specific name resolution(s): "mnNtdv" + -d <layer_type>==<selector>,<decode_as_protocol> ... + "Decode As", see the man page for details + Example: tcp.port==8888,http + -H <hosts file> read a list of entries from a hosts file, which will + then be written to a capture file. (Implies -W n) + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <protocols> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol +Output: + -w <outfile|-> write packets to a pcapng-format file named "outfile" + (or '-' for stdout) + --capture-comment <comment> + add a capture file comment, if supported + -C <config profile> start with specified configuration profile + -F <output file type> set the output file type, default is pcapng + an empty "-F" option will list the file types + -V add output of packet tree (Packet Details) + -O <protocols> Only show packet details of these protocols, comma + separated + -P, --print print packet summary even when writing to a file + -S <separator> the line separator to print between packets + -x add output of hex and ASCII dump (Packet Bytes) + --hexdump <hexoption> add hexdump, set options for data source and ASCII dump + all dump all data sources (-x default) + frames dump only frame data source + ascii include ASCII dump text (-x default) + delimit delimit ASCII dump text with '|' characters + noascii exclude ASCII dump text + help display help for --hexdump and exit + -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|? + format of text output (def: text) + -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected + (e.g. "ip ip.flags text", filter does not expand child + nodes, unless child is specified also in the filter) + -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected + (e.g. "http tcp", filter which expands all child nodes) + -e <field> field to print if -Tfields selected (e.g. tcp.port, + _ws.col.info) + this option can be repeated to print multiple fields + -E<fieldsoption>=<value> set options for output when -Tfields selected: + bom=y|n print a UTF-8 BOM + header=y|n switch headers on and off + separator=/t|/s|<char> select tab, space, printable character as separator + occurrence=f|l|a print first, last or all occurrences of each field + aggregator=,|/s|<char> select comma, space, printable character as + aggregator + quote=d|s|n select double, single, no quotes for values + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + output format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + -l flush standard output after each packet + -q be more quiet on stdout (e.g. when using statistics) + -Q only log true errors to stderr (quieter than -q) + -g enable group read access on the output file(s) + -W n Save extra information in the file, if supported. + n = write network address resolution information + -X <key>:<value> eXtension options, see the man page for details + -U tap_name PDUs export mode, see the man page for details + -z <statistics> various statistics, see the man page for details + --export-objects <protocol>,<destdir> + save exported objects for a protocol to a directory + named "destdir" + --export-tls-session-keys <keyfile> + export TLS Session Keys to a file named "keyfile" + --color color output text similarly to the Wireshark GUI, + requires a terminal with 24-bit color support + Also supplies color attributes to pdml and psml formats + (Note that attributes are nonstandard) + --no-duplicate-keys If -T json is specified, merge duplicate keys in an object + into a single key with as value a json array containing all + values + --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the + specified protocols within the mapping file + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -o <name>:<value> ... override preference setting + -K <keytab> keytab file to use for kerberos decryption + -G [report] dump one of several available reports and exit + default report="fields" + use "-G help" for more help + +Dumpcap can benefit from an enabled BPF JIT compiler if available. +You might want to enable it by executing: + "echo 1 > /proc/sys/net/core/bpf_jit_enable" +Note that this can make your system less secure! diff --git a/docbook/wsug_src/user-guide-docinfo.xml b/docbook/wsug_src/user-guide-docinfo.xml new file mode 100644 index 0000000..f6987c6 --- /dev/null +++ b/docbook/wsug_src/user-guide-docinfo.xml @@ -0,0 +1,150 @@ +<!-- Document information for the User's Guide. --> + +<!-- Updated by tools/make-version.py --> +<subtitle>For Wireshark 4.2</subtitle> + +<!-- + <title><inlinegraphic entityref="WiresharkLogo" valign="middle" format="PNG"/> &DocumentTitle;</title> +--> + +<authorgroup> + + <author><firstname>Ulf</firstname><surname>Lamping</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>ulf.lamping[AT]web.de</email> + </author> + + <author><firstname>Richard</firstname><surname>Sharpe</surname> + <affiliation><jobtitle>Director</jobtitle><orgname>NS Computer Software and Services P/L</orgname></affiliation> + <email>rsharpe[AT]ns.aus.com</email> + </author> + + <author><firstname>Ed</firstname><surname>Warnicke</surname> + <!-- <affiliation><orgname></orgname></affiliation> --> + <email>hagbard[AT]physics.rutgers.edu</email> + </author> + +</authorgroup> + + +<!-- Author information as listed in the old DocBook version. --> +<!-- Author's Names --> +<!-- + <!ENTITY AuthorFullName "Ulf Lamping"> + <!ENTITY AuthorFirstName "Ulf"> + <!ENTITY AuthorOtherName ""> + <!ENTITY AuthorSurname "Lamping"> + + <!ENTITY AuthorFullName2 "Richard Sharpe"> + <!ENTITY AuthorFirstName2 "Richard"> + <!ENTITY AuthorOtherName2 ""> + <!ENTITY AuthorSurname2 "Sharpe"> + + <!ENTITY AuthorFullName3 "Ed Warnicke"> + <!ENTITY AuthorFirstName3 "Ed"> + <!ENTITY AuthorOtherName3 ""> + <!ENTITY AuthorSurname3 "Warnicke"> + + <!ENTITY AuthorFullName4 "Luis E. Garcia Ontanon"> + <!ENTITY AuthorFirstName4 "Luis"> + <!ENTITY AuthorOtherName4 "Enrique"> + <!ENTITY AuthorSurname4 "Garcia Ontanon"> +--> + +<!--Author's Affiliation --> +<!-- + <!ENTITY AuthorShortAffiliation ""> + <!ENTITY AuthorJobTitle ""> + <!ENTITY AuthorOrgName ""> + <!ENTITY AuthorOrgDiv ""> + <!ENTITY AuthorEmail "ulf.lamping[AT]web.de"> + + <!ENTITY AuthorShortAffiliation2 ""> + <!ENTITY AuthorJobTitle2 "Director"> + <!ENTITY AuthorOrgName2 "NS Computer Software and Services P/L"> + <!ENTITY AuthorOrgDiv2 ""> + <!ENTITY AuthorEmail2 "rsharpe[AT]ns.aus.com"> + + <!ENTITY AuthorShortAffiliation3 ""> + <!ENTITY AuthorJobTitle3 ""> + <!ENTITY AuthorOrgName3 ""> + <!ENTITY AuthorOrgDiv3 ""> + <!ENTITY AuthorEmail3 "hagbard[AT]physics.rutgers.edu"> + + <!ENTITY AuthorShortAffiliation4 ""> + <!ENTITY AuthorJobTitle4 ""> + <!ENTITY AuthorOrgName4 ""> + <!ENTITY AuthorOrgDiv4 ""> + <!ENTITY AuthorEmail4 "luis [at] ontanon.org"> +--> + +<copyright><year>2004-2014</year> + <holder>Ulf Lamping</holder> + <holder>Richard Sharpe</holder> + <holder>Ed Warnicke</holder> +</copyright> + +<revhistory> + +<revision> + <revnumber>3.2</revnumber> + <date>9 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Converted from DocBook to AsciiDoc.</revremark> +</revision> + +<revision> + <revnumber>3.1</revnumber> + <date>2 Nov 2014</date> + <authorinitials>gcc</authorinitials> + <revremark>Moved Lua reference from User's Guide to Developer's Guide.</revremark> +</revision> + +<revision><!-- ge10e4fb --> + <revnumber>3.0.2</revnumber> + <date>31 May 2006</date> + <authorinitials>jk</authorinitials> + <revremark>Further cleanup of Wireshark User Guide</revremark> +</revision> + +<revision> + <revnumber>2.0.2</revnumber> + <date>29 Jan 2005</date> + <authorinitials>ul</authorinitials> + <revremark>Add links to wiki example pages</revremark> +</revision> + +<!-- We removed the protocol pages without incrementing revnumber --> + +<revision> + <revnumber>2.0</revnumber> + <date>6 Aug 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Review updates</revremark> +</revision> + +<!-- 1.91 - 1.94 were review updates. Should we include them? --> + +<revision> + <revnumber>1.90</revnumber> + <date>19 Jul 2004</date> + <authorinitials>ul</authorinitials> + <revremark>Updated for Ethereal 0.10.5.</revremark> +</revision> + +<!-- Earlier versions in https://anonsvn.wireshark.org/wireshark-doc/ --> + +</revhistory> + +<legalnotice> + <simpara> + Permission is granted to copy, distribute + and/or modify this document under the terms of the GNU General Public + License, Version 2 or any later version published by the Free Software + Foundation. + </simpara> + <simpara> + All logos and trademarks in this document are property of their + respective owner. + </simpara> +</legalnotice> diff --git a/docbook/wsug_src/user-guide.adoc b/docbook/wsug_src/user-guide.adoc new file mode 100644 index 0000000..7c80cf7 --- /dev/null +++ b/docbook/wsug_src/user-guide.adoc @@ -0,0 +1,64 @@ +:doctype: book +include::../attributes.adoc[] + +// Electronic book attributes +:author: Richard Sharpe, Ed Warnicke, Ulf Lamping +:description: Wireshark User’s Guide +:keywords: Wireshark User Guide +ifdef::ebook-format-epub3[] +:front-cover-image: images/ws-user-guide-cover.png +:toc: +endif::[] + += Wireshark User’s Guide: Version {wireshark-version} + +:source-highlighter: coderay + +include::wsug_preface.adoc[] + +include::../common_src/typographic_conventions.adoc[] + +// Chapters + +include::wsug_introduction.adoc[] + +include::wsug_build_install.adoc[] + +include::wsug_use.adoc[] + +include::wsug_capture.adoc[] + +include::wsug_io.adoc[] + +include::wsug_work.adoc[] + +include::wsug_advanced.adoc[] + +include::wsug_statistics.adoc[] + +include::wsug_telephony.adoc[] + +include::wsug_wireless.adoc[] + +include::wsug_customize.adoc[] + +include::wsug_mate.adoc[] + +// Needs to be reworked +//include::wsug_troubleshoot.adoc[] + +// Appendices +include::wsug_messages.adoc[] + +include::wsug_files.adoc[] + +include::wsug_protocols.adoc[] + +// Needs to be reworked +//include::wsug_howitworks.adoc[] + +include::wsug_tools.adoc[] + +// License + +include::../common_src/gpl_appendix.adoc[] diff --git a/docbook/wsug_src/wireshark-h.txt b/docbook/wsug_src/wireshark-h.txt new file mode 100644 index 0000000..320d579 --- /dev/null +++ b/docbook/wsug_src/wireshark-h.txt @@ -0,0 +1,112 @@ +Wireshark 4.2.1 (v4.2.1rc0-11-gae025b2614ce) +Interactively dump and analyze network traffic. +See https://www.wireshark.org for more information. + +Usage: wireshark [options] ... [ <infile> ] + +Capture interface: + -i <interface>, --interface <interface> + name or idx of interface (def: first non-loopback) + -f <capture filter> packet filter in libpcap filter syntax + -s <snaplen>, --snapshot-length <snaplen> + packet snapshot length (def: appropriate maximum) + -p, --no-promiscuous-mode + don't capture in promiscuous mode + -I, --monitor-mode capture in monitor mode, if available + -B <buffer size>, --buffer-size <buffer size> + size of kernel buffer (def: 2MB) + -y <link type>, --linktype <link type> + link layer type (def: first appropriate) + --time-stamp-type <type> timestamp method for interface + -D, --list-interfaces print list of interfaces and exit + -L, --list-data-link-types + print list of link-layer types of iface and exit + --list-time-stamp-types print list of timestamp types for iface and exit + +Capture display: + -k start capturing immediately (def: do nothing) + -S update packet display when new packets are captured + --update-interval interval between updates with new packets (def: 100ms) + -l turn on automatic scrolling while -S is in use +Capture stop conditions: + -c <packet count> stop after n packets (def: infinite) + -a <autostop cond.> ..., --autostop <autostop cond.> ... + duration:NUM - stop after NUM seconds + filesize:NUM - stop this file after NUM KB + files:NUM - stop after NUM files + packets:NUM - stop after NUM packets +Capture output: + -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> + duration:NUM - switch to next file after NUM secs + filesize:NUM - switch to next file after NUM KB + files:NUM - ringbuffer: replace after NUM files + packets:NUM - switch to next file after NUM packets + interval:NUM - switch to next file when the time is + an exact multiple of NUM secs +Input file: + -r <infile>, --read-file <infile> + set the filename to read from (no pipes or stdin!) + +Processing: + -R <read filter>, --read-filter <read filter> + packet filter in Wireshark display filter syntax + -n disable all name resolutions (def: all enabled) + -N <name resolve flags> enable specific name resolution(s): "mnNtdv" + -d <layer_type>==<selector>,<decode_as_protocol> ... + "Decode As", see the man page for details + Example: tcp.port==8888,http + --enable-protocol <proto_name> + enable dissection of proto_name + --disable-protocol <proto_name> + disable dissection of proto_name + --only-protocols <proto_name> + Only enable dissection of these protocols, comma + separated. Disable everything else + --disable-all-protocols + Disable dissection of all protocols + --enable-heuristic <short_name> + enable dissection of heuristic protocol + --disable-heuristic <short_name> + disable dissection of heuristic protocol + +User interface: + -C <config profile> start with specified configuration profile + -H hide the capture info dialog during packet capture + -Y <display filter>, --display-filter <display filter> + start with the given display filter + -g <packet number> go to specified packet number after "-r" + -J <jump filter> jump to the first packet matching the (display) + filter + -j search backwards for a matching packet after "-J" + -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N] + format of time stamps (def: r: rel. to first) + -u s|hms output format of seconds (def: s: seconds) + -X <key>:<value> eXtension options, see man page for details + -z <statistics> show various statistics, see man page for details + +Output: + -w <outfile|-> set the output filename (or '-' for stdout) + --capture-comment <comment> + add a capture file comment, if supported + --temp-dir <directory> write temporary files to this directory + (default: /tmp) + +Diagnostic output: + --log-level <level> sets the active log level ("critical", "warning", etc.) + --log-fatal <level> sets level to abort the program ("critical" or "warning") + --log-domains <[!]list> comma-separated list of the active log domains + --log-fatal-domains <list> + list of domains that cause the program to abort + --log-debug <[!]list> list of domains with "debug" level + --log-noisy <[!]list> list of domains with "noisy" level + --log-file <path> file to output messages to (in addition to stderr) + +Miscellaneous: + -h, --help display this help and exit + -v, --version display version info and exit + -P <key>:<path> persconf:path - personal configuration files + persdata:path - personal data files + -o <name>:<value> ... override preference or recent setting + -K <keytab> keytab file to use for kerberos decryption + --display <X display> X display to use + --fullscreen start Wireshark in full screen diff --git a/docbook/wsug_src/wsug_advanced.adoc b/docbook/wsug_src/wsug_advanced.adoc new file mode 100644 index 0000000..2c3aef5 --- /dev/null +++ b/docbook/wsug_src/wsug_advanced.adoc @@ -0,0 +1,1297 @@ +// WSUG Chapter Advanced + +[#ChapterAdvanced] + +== Advanced Topics + +[#ChAdvIntroduction] + +=== Introduction + +This chapter will describe some of Wireshark’s advanced features. + +// We switched from FollowTCP to FollowStream in June 2018. +// This is apparently how you assign multiple anchors. +// https://docs.asciidoctor.org/asciidoc/latest/attributes/id/#add-additional-anchors-to-a-section + +[#ChAdvFollowStreamSection] +=== [[ChAdvFollowTCPSection]]Following Protocol Streams + +It can be very helpful to see a protocol in the way that the application +layer sees it. Perhaps you are looking for passwords in a Telnet stream, +or you are trying to make sense of a data stream. Maybe you just need a +display filter to show only the packets in a TLS or SSL stream. If so, +Wireshark’s ability to follow protocol streams will be useful to you. + +To filter to a particular stream, +select a TCP, UDP, DCCP, TLS, HTTP, HTTP/2, QUIC or SIP packet in the packet list of the stream/connection you are +interested in and then select the menu item menu:Analyze[Follow > TCP Stream] +(or use the context menu in the packet list). Wireshark will set an +appropriate display filter and display a dialog box with the data from the +stream laid out, as shown in <<ChAdvFollowStream>>. + +[TIP] +==== +Following a protocol stream applies a display filter which selects all +the packets in the current stream. Some people open the “Follow TCP +Stream” dialog and immediately close it as a quick way to isolate a +particular stream. Closing the dialog with the “Back” button will reset +the display filter if this behavior is not desired. +==== + +[#ChAdvFollowStream] + +.The “Follow TCP Stream” dialog box +image::images/ws-follow-stream.png[{screenshot-attrs}] + +The stream content is displayed in the same sequence as it appeared on the +network. Non-printable characters are replaced by dots. +Traffic from the client to the server is colored red, while traffic +from the server to the client is +colored blue. These colors can be changed by opening menu:Edit[Preferences] and +under menu:Appearance[Font and Colors], selecting different colors for the +btn:[Sample "Follow Stream" client text] and btn:[Sample "Follow Stream" server text] +options. + + + +// XXX - What about line wrapping (maximum line length) and CRNL conversions? + +The stream content won’t be updated while doing a live capture. To get the +latest content you’ll have to reopen the dialog. + +You can choose from the following actions: + +btn:[Help]:: Show this help. + +btn:[Filter out this stream]:: Apply a display filter removing the current + stream data from the display. + +btn:[Print]:: Print the stream data in the currently selected format. + +btn:[Save as...]:: Save the stream data in the currently selected format. + +btn:[Back]:: Close this dialog box and restore the previous display filter. + +btn:[Close]:: Close this dialog box, leaving the current display filter in + effect. + +By default, Wireshark displays both client and server data. You can select the +menu:Entire conversation[] to switch between both, client to server, or +server to client data. + +You can choose to view the data in one of the following formats: + +menu:ASCII[]:: In this view you see the data from each direction in ASCII. + Obviously best for ASCII based protocols, e.g., HTTP. + +menu:C Arrays[]:: This allows you to import the stream data into your own C + program. + +menu:EBCDIC[]:: For the big-iron freaks out there. + +menu:HEX Dump[]:: This allows you to see all the data. This will require a lot of + screen space and is best used with binary protocols. + +menu:UTF-8[]:: Like ASCII, but decode the data as UTF-8. + +menu:UTF-16[]:: Like ASCII, but decode the data as UTF-16. + +menu:YAML[]:: This allows you to load the stream as YAML. + +The YAML output is divided into 2 main sections: + +* The `peers` section where for each `peer` you found the peer index, the `host` address and the `port` number. + +* The `packets` section where for each `packet` you found the packet number in the original capture, the `peer` index, +the packet `index` for this peer, the `timestamp` in seconds and the `data` in base64 encoding. + +.Follow Stream YAML output +==== +[source,yaml] +---- +peers: + - peer: 0 + host: 127.0.0.1 + port: 54048 + - peer: 1 + host: 127.0.10.1 + port: 5000 +packets: + - packet: 1 + peer: 0 + index: 0 + timestamp: 1599485409.693955274 + data: !!binary | + aGVsbG8K + - packet: 3 + peer: 1 + index: 0 + timestamp: 1599485423.885866692 + data: !!binary | + Ym9uam91cgo= +---- +==== + +The same example but in old YAML format (before version 3.5): +[source,yaml] +---- +# Packet 1 +peer0_0: !!binary | + aGVsbG8K +# Packet 3 +peer1_0: !!binary | + Ym9uam91cgo= +---- + +How the old format data can be found in the new format: +[options="header"] +|=== +|New YAML format |Old YAML format | +a| +---- +... +packets: + - packet: AAA + peer: BBB + index: CCC + data: !!binary \| + DDD +---- +a| +---- +# Packet AAA +peerBBB_CCC !!binary \| + DDD +---- +a| + AAA: packet number in the original capture + BBB: peer index + CCC: packet index for this peer + DDD: data in base64 encoding +|=== + +menu:Raw[]:: This allows you to load the unaltered stream data into a different + program for further examination. The display will look the same as the ASCII + setting, but “Save As” will result in a binary file. + +You can switch between streams using the “Stream” selector. + +You can search for text by entering it in the “Find” entry box and +pressing btn:[Find Next]. + +.The “Follow HTTP/2 Stream” dialog box +image::images/ws-follow-http2-stream.png[{screenshot-attrs}] + +The HTTP/2 Stream dialog is similar to the "Follow TCP Stream" dialog, except +for an additional "Substream" dialog field. HTTP/2 Streams are identified by +a HTTP/2 Stream Index (field name `http2.streamid`) which are unique within a +TCP connection. The “Stream” selector determines the TCP connection whereas the +“Substream” selector is used to pick the HTTP/2 Stream ID. + +The QUIC protocol is similar, the first number selects the QUIC connection number +while the "Substream" field selects the QUIC Stream ID. + +.The “Follow SIP Call” dialog box +image::images/ws-follow-sip-stream.png[{screenshot-attrs}] + +The SIP call is shown with same dialog, just filter is based on sip.Call-ID +field. Count of streams is fixed to 0 and the field is disabled. + +[#ChAdvShowPacketBytes] + +=== Show Packet Bytes + +If a selected packet field does not show all the bytes (i.e., they are truncated +when displayed) or if they are shown as bytes rather than string or if they require +more formatting because they contain an image or HTML then this dialog can be used. + +This dialog can also be used to decode field bytes from base64, zlib compressed +or quoted-printable and show the decoded bytes as configurable output. +It’s also possible to select a subset of bytes setting the start byte and end byte. + +You can choose from the following actions: + +btn:[Help]:: Show this help. + +btn:[Print]:: Print the bytes in the currently selected format. + +btn:[Copy]:: Copy the bytes to the clipboard in the currently selected format. + +btn:[Save As]:: Save the bytes in the currently selected format. + +btn:[Close]:: Close this dialog box. + +You can choose to decode the data from one of the following formats: + +menu:None[]:: This is the default which does not decode anything. + +menu:Base64[]:: This will decode from Base64. + +menu:Compressed[]:: This will decompress the buffer using zlib. + +menu:Hex Digits[]:: This will decode from a string of hex digits. Non-hex characters are skipped. + +menu:Quoted-Printable[]:: This will decode from a Quoted-Printable string. + +menu:ROT-13[]:: This will decode ROT-13 encoded text. + +You can choose to view the data in one of the following formats: + +menu:ASCII[]:: In this view you see the bytes as ASCII. + All control characters and non-ASCII bytes are replaced by dot. + +menu:ASCII & Control[]:: In this view all control characters are shown using a + UTF-8 symbol and all non-ASCII bytes are replaced by dot. + +menu:C Array[]:: This allows you to import the field data into your own C program. + +menu:EBCDIC[]:: For the big-iron freaks out there. + +menu:Hex Dump[]:: This allows you to see all the data. This will require a lot of + screen space and is best used with binary protocols. + +menu:HTML[]:: This allows you to see all the data formatted as a HTML document. + The HTML supported is what’s supported by the Qt QTextEdit class. + +menu:Image[]:: This will try to convert the bytes into an image. + Most popular formats are supported including PNG, JPEG, GIF, and BMP. + +menu:ISO 8859-1[]:: In this view you see the bytes as ISO 8859-1. + +menu:Raw[]:: This allows you to load the unaltered stream data into a different + program for further examination. The display will show HEX data, but + “Save As” will result in a binary file. + +menu:UTF-8[]:: In this view you see the bytes as UTF-8. + +menu:UTF-16[]:: In this view you see the bytes as UTF-16. + +menu:YAML[]:: This will show the bytes as a YAML binary dump. + +You can search for text by entering it in the “Find” entry box and +pressing btn:[Find Next]. + +[#ChAdvExpert] + +=== Expert Information + +Wireshark keeps track of any anomalies and other items of interest it finds in a capture file and shows them in the Expert Information dialog. +The goal is to give you a better idea of uncommon or notable network behavior and to let novice and expert users find network problems faster than manually scanning through the packet list. + +[WARNING] +.Expert information is only a hint +==== +Expert information is the starting point for investigation, not the stopping point. +Every network is different, and it's up to you to verify that Wireshark’s expert information applies to your particular situation. +The presence of expert information doesn't necessarily indicate a problem and absence of expert information doesn’t necessarily mean everything is OK. +==== + +The amount of expert information largely depends on the protocol being used. +While dissectors for some common protocols like TCP and IP will show detailed information, other dissectors will show little or none. + +The following describes the components of a single expert information entry along with the expert user interface. + +[#ChAdvExpertInfoEntries] + +==== Expert Information Entries + +Expert information entries are grouped by severity level (described below) and contain the following: + +[#ChAdvTabExpertInfoEntries] + +.Example expert information items +[options="header"] +|=== +|Packet #|Summary|Group|Protocol +|592|TCP: [TCP Out-Of-Order] ...|Malformed|TCP +|1202|DNS: Standard query response ...|Protocol|DNS +|443|TCP: 80 → 59322 [RST] Seq=12761 Win=0 Len=0|Sequence|TCP +|=== + +[#ChAdvExpertSeverity] + +===== Severity + +Every expert information item has a severity level. +The following levels are used, from lowest to highest. +Wireshark marks them using different colors, which are shown in parentheses: + +Chat [white blue-background]#(blue)#:: +Information about usual workflow, e.g., a TCP packet with the SYN flag set. + +Note [black aqua-background]#(cyan)#:: +Notable events, e.g., an application returned a common error code such as HTTP 404. + +Warn [black yellow-background]#(yellow)#:: +Warnings, e.g., application returned an unusual error code like a connection problem. + +Error [white red-background]#(red)#:: +Serious problems, such as malformed packets. + +[#ChAdvExpertGroup] + +===== Summary + +Short explanatory text for each expert information item. + +===== Group + +Along with severity levels, expert information items are categorized by group. +The following groups are currently implemented: + +Assumption:: +The protocol field has incomplete data and was dissected based on assumed value. + +Checksum:: +A checksum was invalid. + +Comment:: +Packet comment. + +Debug:: +Debugging information. +You shouldn’t see this group in release versions of Wireshark. + +Decryption:: +A decryption issue. + +Deprecated:: +The protocol field has been deprecated. + +Malformed:: +Malformed packet or dissector has a bug. +Dissection of this packet aborted. + +Protocol:: +Violation of a protocol’s specification (e.g., invalid field values or illegal lengths). +Dissection of this packet probably continued. + +Reassemble:: +Problems while reassembling, e.g., not all fragments were available or an exception happened during reassembly. + +Request Code:: +An application request (e.g., File Handle == _x_). Usually assigned the Chat severity level. + +Response Code:: +An application response code indicates a potential problem, e.g., HTTP 404 page not found. + +Security:: +A security problem, e.g., an insecure implementation. + +Sequence:: +A protocol sequence number was suspicious, e.g., it wasn’t continuous or a retransmission was detected. + +Undecoded:: +Dissection incomplete or data can’t be decoded for other reasons. + +It’s possible that more groups will be added in the future. + +[#ChAdvExpertProtocol] + +===== Protocol + +The protocol dissector that created the expert information item. + +[#ChAdvExpertSummary] + +[#ChAdvExpertDialog] + +==== The “Expert Information” Dialog + +You can open the expert info dialog by selecting menu:Analyze[Expert Info] or by clicking the expert level indicator in the main status bar. + +Right-clicking on an item will allow you to apply or prepare a filter based on the item, copy its summary text, and other tasks. + +.The “Expert Information” dialog box +image::images/ws-expert-information.png[{screenshot-attrs}] + +You can choose from the following actions: + +Limit to display filter:: +Only show expert information items present in packets that match the current display filter. + +Group by summary:: +Group items by their summary instead of the groups described above. + +Search:: +Only show items that match the search string, such as “dns”. +Regular expressions are supported. + +menu:Show...[]:: +Lets you show or hide each severity level. +For example, you can deselect Chat and Note severities if desired. + +btn:[Help]:: +Takes you to this section of the User’s Guide. + +btn:[Close]:: +Closes the dialog + +// ===== Errors / Warnings / Notes / Chats tabs + +// An easy and quick way to find the most interesting infos (rather than using the +// Details tab), is to have a look at the separate tabs for each severity level. As +// the tab label also contains the number of existing entries, it’s easy to find +// the tab with the most important entries. + +// There are usually a lot of identical expert infos only differing in the packet +// number. These identical infos will be combined into a single line - with a count +// column showing how often they appeared in the capture file. Clicking on the plus +// sign shows the individual packet numbers in a tree view. + +// [[ChAdvExpertDialogDetails]] + +// ===== Details tab + +// The Details tab provides the expert infos in a “log like” view, each entry on +// its own line (much like the packet list). As the amount of expert infos for a +// capture file can easily become very large, getting an idea of the interesting +// infos with this view can take quite a while. The advantage of this tab is to +// have all entries in the sequence as they appeared, this is sometimes a help to +// pinpoint problems. + +[#ChAdvExpertColorizedTree] + +==== “Colorized” Protocol Details Tree + +.The “Colorized” protocol details tree +image::images/ws-expert-colored-tree.png[{screenshot-attrs}] + +The packet detail tree marks fields with expert information based on their severity level color, e.g., “Warning” severities have a yellow background. +This color is propagated to the top-level protocol item in the tree in order to make it easy to find the field that created the expert information. + +For the example screenshot above, the IP “Time to live” value is very low (only 1), so the corresponding protocol field is marked with a cyan background. +To make it easier find that item in the packet tree, the IP protocol toplevel item is marked cyan as well. + +[#ChAdvExpertColumn] + +==== “Expert” Packet List Column (Optional) + +.The “Expert” packet list column +image::images/ws-expert-column.png[{screenshot-attrs}] + +An optional “Expert Info Severity” packet list column is available that +displays the most significant severity of a packet or stays empty if everything +seems OK. This column is not displayed by default but can be easily added using +the Preferences Columns page described in <<ChCustPreferencesSection>>. + +[#ChAdvTCPAnalysis] + +=== TCP Analysis + +By default, Wireshark’s TCP dissector tracks the state of each TCP +session and provides additional information when problems or potential +problems are detected. Analysis is done once for each TCP packet when a +capture file is first opened. Packets are processed in the order in +which they appear in the packet list. You can enable or disable this +feature via the “Analyze TCP sequence numbers” TCP dissector preference. + +For analysis of data or protocols layered on top of TCP (such as HTTP), see +<<ChAdvReassemblyTcp>>. + +.“TCP Analysis” packet detail items +image::images/ws-tcp-analysis.png[{screenshot-attrs}] + +TCP Analysis flags are added to the TCP protocol tree under “SEQ/ACK +analysis”. Each flag is described below. Terms such as “next expected +sequence number” and “next expected acknowledgment number” refer to +the following”: + +// tcp_analyze_seq_info->nextseq +Next expected sequence number:: The last-seen sequence number plus +segment length. Set when there are no analysis flags and for zero +window probes. This is initially zero and calculated based on the +previous packet in the same TCP flow. Note that this may not be the same +as the tcp.nxtseq protocol field. + +// tcp_analyze_seq_info->maxseqtobeacked +Next expected acknowledgment number:: The last-seen sequence number for +segments. Set when there are no analysis flags and for zero window probes. + +// tcp_analyze_seq_info->lastack +Last-seen acknowledgment number:: Always set. Note that this is not the +same as the next expected acknowledgment number. + +// tcp_analyze_seq_info->lastack +Last-seen acknowledgment number:: Always updated for each packet. Note +that this is not the same as the next expected acknowledgment number. + +// TCP_A_ACK_LOST_PACKET +[discrete] +==== TCP ACKed unseen segment + +Set when the expected next acknowledgment number is set for the reverse +direction and it’s less than the current acknowledgment number. + +// TCP_A_DUPLICATE_ACK +[discrete] +==== TCP Dup ACK __<frame>__#__<acknowledgment number>__ + +Set when all of the following are true: + +* The segment size is zero. +* The window size is non-zero and hasn’t changed. +* The next expected sequence number and last-seen acknowledgment number are non-zero (i.e., the connection has been established). +* SYN, FIN, and RST are not set. + +// TCP_A_FAST_RETRANSMISSION +[discrete] +==== TCP Fast Retransmission + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment size is greater than zero or the SYN or FIN is set. +* The next expected sequence number is greater than the current sequence number. +* We have at least two duplicate ACKs in the reverse direction. +* The current sequence number equals the next expected acknowledgment number. +* We saw the last acknowledgment less than 20ms ago. + +Supersedes “Out-Of-Order” and “Retransmission”. + +// TCP_A_KEEP_ALIVE +[discrete] +==== TCP Keep-Alive + +Set when the segment size is zero or one, the current sequence number +is one byte less than the next expected sequence number, and none of SYN, +FIN, or RST are set. + +Supersedes “Fast Retransmission”, “Out-Of-Order”, “Spurious +Retransmission”, and “Retransmission”. + +// TCP_A_KEEP_ALIVE_ACK +[discrete] +==== TCP Keep-Alive ACK + +Set when all of the following are true: + +* The segment size is zero. +* The window size is non-zero and hasn’t changed. +* The current sequence number is the same as the next expected sequence number. +* The current acknowledgment number is the same as the last-seen acknowledgment number. +* The most recently seen packet in the reverse direction was a keepalive. +* The packet is not a SYN, FIN, or RST. + +Supersedes “Dup ACK” and “ZeroWindowProbeAck”. + +// TCP_A_OUT_OF_ORDER +[discrete] +==== TCP Out-Of-Order + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment length is greater than zero or the SYN or FIN is set. +* The next expected sequence number is greater than the current sequence number. +* The next expected sequence number and the next sequence number differ. +* The last segment arrived within the Out-Of-Order RTT threshold. + The threshold is either the value shown in the “iRTT” (tcp.analysis.initial_rtt) field under “SEQ/ACK analysis” if it is present, or the default value of 3ms if it is not. + +Supersedes “Retransmission”. + +// TCP_A_REUSED_PORTS +[discrete] +==== TCP Port numbers reused + +Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same addresses and ports, and the sequence number is different than the existing conversation’s initial sequence number. + +// TCP_A_LOST_PACKET +[discrete] +==== TCP Previous segment not captured + +Set when the current sequence number is greater than the next expected sequence number. + +// TCP_A_SPURIOUS_RETRANSMISSION +[discrete] +==== TCP Spurious Retransmission + +Checks for a retransmission based on analysis data in the reverse +direction. Set when all of the following are true: + +* The SYN or FIN flag is set. +* This is not a keepalive packet. +* The segment length is greater than zero. +* Data for this flow has been acknowledged. That is, the last-seen acknowledgment number has been set. +* The next sequence number is less than or equal to the last-seen acknowledgment number. + +Supersedes “Fast Retransmission”, “Out-Of-Order”, and “Retransmission”. + +// TCP_A_RETRANSMISSION +[discrete] +==== TCP Retransmission + +Set when all of the following are true: + +* This is not a keepalive packet. +* In the forward direction, the segment length is greater than zero or the SYN or FIN flag is set. +* The next expected sequence number is greater than the current sequence number. + +// TCP_A_WINDOW_FULL +[discrete] +==== TCP Window Full + +Set when the segment size is non-zero, we know the window size in the +reverse direction, and our segment size exceeds the window size in the +reverse direction. + +// TCP_A_WINDOW_UPDATE +[discrete] +==== TCP Window Update + +Set when the all of the following are true: + +* The segment size is zero. +* The window size is non-zero and not equal to the last-seen window size. +* The sequence number is equal to the next expected sequence number. +* The acknowledgment number is equal to the last-seen acknowledgment number, +* or to the next expected sequence number when answering to a ZeroWindowProbe. +* None of SYN, FIN, or RST are set. + +// TCP_A_ZERO_WINDOW +[discrete] +==== TCP ZeroWindow + +Set when the receive window size is zero and none of SYN, FIN, or RST are set. + +The _window_ field in each TCP header advertises the amount of data a receiver can accept. +If the receiver can’t accept any more data it will set the window value to zero, which tells the sender to pause its transmission. +In some specific cases this is normal -- for example, a printer might use a zero window to pause the transmission of a print job while it loads or reverses a sheet of paper. +However, in most cases this indicates a performance or capacity problem on the receiving end. +It might take a long time (sometimes several minutes) to resume a paused connection, even if the underlying condition that caused the zero window clears up quickly. + +// TCP_A_ZERO_WINDOW_PROBE +[discrete] +==== TCP ZeroWindowProbe + +Set when the sequence number is equal to the next expected sequence +number, the segment size is one, and last-seen window size in the +reverse direction was zero. + +If the single data byte from a Zero Window Probe is dropped by the receiver (not +ACKed), then a subsequent segment should not be flagged as retransmission if all +of the following conditions are true for that segment: +* The segment size is larger than one. +* The next expected sequence number is one less than the current sequence number. + +This affects “Fast Retransmission”, “Out-Of-Order”, or “Retransmission”. + +// TCP_A_ZERO_WINDOW_PROBE_ACK +[discrete] +==== TCP ZeroWindowProbeAck + +Set when the all of the following are true: + +* The segment size is zero. +* The window size is zero. +* The sequence number is equal to the next expected sequence number. +* The acknowledgment number is equal to the last-seen acknowledgment number. +* The last-seen packet in the reverse direction was a zero window probe. + +Supersedes “TCP Dup ACK”. + +// TCP_A_AMBIGUOUS_INTERPRETATIONS +[discrete] +==== TCP Ambiguous Interpretations + +Some captures are quite difficult to analyze automatically, particularly when the +time frame may cover both Fast Retransmission and Out-Of-Order packets. A TCP +preference allows to switch the precedence of these two interpretations at the +protocol level. + +// TCP_A_CONVERSATION_COMPLETENESS +[discrete] +==== TCP Conversation Completeness + +TCP conversations are said to be complete when they have both opening and closing +handshakes, independently of any data transfer. However, we might be interested in +identifying complete conversations with some data sent, and we are using the +following bit values to build a filter value on the tcp.completeness field : + +* 1 : SYN +* 2 : SYN-ACK +* 4 : ACK +* 8 : DATA +* 16 : FIN +* 32 : RST + +For example, a conversation containing only a three-way handshake will be found +with the filter 'tcp.completeness==7' (1+2+4) while a complete conversation with +data transfer will be found with a longer filter as closing a connection can be +associated with FIN or RST packets, or even both : +'tcp.completeness==31 or tcp.completeness==47 or tcp.completeness==63' + +Another way to select specific conversation values is to filter on the +tcp.completeness.str field. Thus, 'tcp.completeness.str matches "(R.*|F)[^D]ASS"' +will find all 'Complete, NO_DATA' conversations, while the 'Complete, WITH_DATA' +ones will be found with 'tcp.completeness.str matches "(R.*|F)DASS"'. + +[#ChAdvTimestamps] + +=== Time Stamps + +Time stamps, their precisions and all that can be quite confusing. This section +will provide you with information about what’s going on while Wireshark +processes time stamps. + +While packets are captured, each packet is time stamped as it comes in. These +time stamps will be saved to the capture file, so they also will be available +for (later) analysis. + +So where do these time stamps come from? While capturing, Wireshark gets the +time stamps from the libpcap (Npcap) library, which in turn gets them from the +operating system kernel. If the capture data is loaded from a capture file, +Wireshark obviously gets the data from that file. + +==== Wireshark Internals + +The internal format that Wireshark uses to keep a packet time stamp consists of +the date (in days since 1.1.1970) and the time of day (in nanoseconds since +midnight). You can adjust the way Wireshark displays the time stamp data in the +packet list, see the “Time Display Format” item in the +<<ChUseViewMenuSection>> for details. + +While reading or writing capture files, Wireshark converts the time stamp data +between the capture file format and the internal format as required. + +While capturing, Wireshark uses the libpcap (Npcap) capture library which +supports microsecond resolution. Unless you are working with specialized +capturing hardware, this resolution should be adequate. + +==== Capture File Formats + +Every capture file format that Wireshark knows supports time stamps. The time +stamp precision supported by a specific capture file format differs widely and +varies from one second “0” to one nanosecond “0.123456789”. Most file +formats store the time stamps with a fixed precision (e.g., microseconds), while +some file formats are even capable of storing the time stamp precision itself +(whatever the benefit may be). + +The common libpcap capture file format that is used by Wireshark (and a lot of +other tools) supports a fixed microsecond resolution “0.123456” only. + +Writing data into a capture file format that doesn’t provide the capability to +store the actual precision will lead to loss of information. For example, if you +load a capture file with nanosecond resolution and store the capture data in a +libpcap file (with microsecond resolution) Wireshark obviously must reduce the +precision from nanosecond to microsecond. + +==== Accuracy + +People often ask “Which time stamp accuracy is provided by Wireshark?”. Well, +Wireshark doesn’t create any time stamps itself but simply gets them from +“somewhere else” and displays them. So accuracy will depend on the capture +system (operating system, performance, etc.) that you use. Because of this, the +above question is difficult to answer in a general way. + +[NOTE] +==== +USB connected network adapters often provide a very bad time stamp accuracy. The +incoming packets have to take “a long and winding road” to travel through the +USB cable until they actually reach the kernel. As the incoming packets are time +stamped when they are processed by the kernel, this time stamping mechanism +becomes very inaccurate. + +Don’t use USB connected NICs when you need precise time stamp +accuracy. +==== + +// (XXX - are there any such NIC’s that generate time stamps on the USB +// hardware?) + +[#ChAdvTimezones] + +=== Time Zones + +If you travel across the planet, time zones can be confusing. If you get a +capture file from somewhere around the world time zones can even be a lot more +confusing ;-) + +First of all, there are two reasons why you may not need to think about time +zones at all: + +* You are only interested in the time differences between the packet time stamps + and don’t need to know the exact date and time of the captured packets (which + is often the case). + +* You don’t get capture files from different time zones than your own, so there + are simply no time zone problems. For example, everyone in your team is + working in the same time zone as yourself. + +.What are time zones? +**** +People expect that the time reflects the sunset. Dawn should be in the morning +maybe around 06:00 and dusk in the evening maybe at 20:00. These times will +obviously vary depending on the season. It would be very confusing if everyone +on earth would use the same global time as this would correspond to the sunset +only at a small part of the world. + +For that reason, the earth is split into several different time zones, each zone +with a local time that corresponds to the local sunset. + +The time zone’s base time is UTC (Coordinated Universal Time) or Zulu Time +(military and aviation). The older term GMT (Greenwich Mean Time) shouldn’t be +used as it is slightly incorrect (up to 0.9 seconds difference to UTC). The UTC +base time equals to 0 (based at Greenwich, England) and all time zones have an +offset to UTC between -12 to +14 hours! + +For example: If you live in Berlin, you are in a time zone one hour earlier than +UTC, so you are in time zone “+1” (time difference in hours compared to UTC). +If it’s 3 o’clock in Berlin it’s 2 o’clock in UTC “at the same moment”. + +Be aware that at a few places on earth don’t use time zones with even hour +offsets (e.g., New Delhi uses UTC+05:30)! + +Further information can be found at: {wikipedia-main-url}Time_zone and +{wikipedia-main-url}Coordinated_Universal_Time. +**** + +.What is daylight saving time (DST)? +**** +Daylight Saving Time (DST), also known as Summer Time is intended to “save” +some daylight during the summer months. To do this, a lot of countries (but not +all!) add a DST hour to the already existing UTC offset. So you may need to take +another hour (or in very rare cases even two hours!) difference into your “time +zone calculations”. + +Unfortunately, the date at which DST actually takes effect is different +throughout the world. You may also note, that the northern and southern +hemispheres have opposite DST’s (e.g., while it’s summer in Europe it’s winter in +Australia). + +Keep in mind: UTC remains the same all year around, regardless of DST! + +Further information can be found at +link:{wikipedia-main-url}Daylight_saving[]. +**** + +Further time zone and DST information can be found at +{greenwichmeantime-main-url} and {timeanddate-main-url}. + +[discrete] +==== Set your computer’s time correctly! + +If you work with people around the world it’s very helpful to set your +computer’s time and time zone right. + +You should set your computers time and time zone in the correct sequence: + +. Set your time zone to your current location + +. Set your computer’s clock to the local time + +This way you will tell your computer both the local time and also the time +offset to UTC. Many organizations simply set the time zone on their servers and +networking gear to UTC in order to make coordination and troubleshooting easier. + +[TIP] +==== +If you travel around the world, it’s an often-made mistake to adjust the hours +of your computer clock to the local time. Don’t adjust the hours but your time +zone setting instead! For your computer, the time is essentially the same as +before, you are simply in a different time zone with a different local time. +==== + +You can use the Network Time Protocol (NTP) to automatically adjust your +computer to the correct time, by synchronizing it to Internet NTP clock servers. +NTP clients are available for all operating systems that Wireshark supports (and +for a lot more), for examples see {ntp-main-url}. + + +==== Wireshark and Time Zones + +So what’s the relationship between Wireshark and time zones anyway? + +Wireshark’s native capture file format (libpcap format), and some +other capture file formats, such as the Windows Sniffer, *Peek, Sun +snoop formats, and newer versions of the Microsoft Network Monitor and +Network Instruments/Viavi Observer formats, save the arrival time of +packets as UTC values. UN*X systems, and “Windows NT based” systems +represent time internally as UTC. When Wireshark is capturing, no +conversion is necessary. However, if the system time zone is not set +correctly, the system’s UTC time might not be correctly set even if +the system clock appears to display correct local time. When capturing, +Npcap has to convert the time to UTC before supplying it to Wireshark. +If the system’s time zone is not set correctly, that conversion will +not be done correctly. + +Other capture file formats, such as the OOS-based Sniffer format and +older versions of the Microsoft Network Monitor and Network +Instruments/Viavi Observer formats, save the arrival time of packets as +local time values. + +Internally to Wireshark, time stamps are represented in UTC. This means that +when reading capture files that save the arrival time of packets as local time +values, Wireshark must convert those local time values to UTC values. + +Wireshark in turn will display the time stamps always in local time. The +displaying computer will convert them from UTC to local time and displays this +(local) time. For capture files saving the arrival time of packets as UTC +values, this means that the arrival time will be displayed as the local time in +your time zone, which might not be the same as the arrival time in the time zone +in which the packet was captured. For capture files saving the arrival time of +packets as local time values, the conversion to UTC will be done using your time +zone’s offset from UTC and DST rules, which means the conversion will not be +done correctly; the conversion back to local time for display might undo this +correctly, in which case the arrival time will be displayed as the arrival time +in which the packet was captured. + +[#ChAdvTabTimezones] + +.Time zone examples for UTC arrival times (without DST) +[options="header"] +|=== +||Los Angeles|New York|Madrid|London|Berlin|Tokyo +|_Capture File (UTC)_|10:00|10:00|10:00|10:00|10:00|10:00 +|_Local Offset to UTC_|-8|-5|-1|0|+1|+9 +|_Displayed Time (Local Time)_|02:00|05:00|09:00|10:00|11:00|19:00 +|=== + +For example, let’s assume that someone in Los Angeles captured a packet with +Wireshark at exactly 2 o’clock local time and sends you this capture file. The +capture file’s time stamp will be represented in UTC as 10 o’clock. You are +located in Berlin and will see 11 o’clock on your Wireshark display. + +Now you have a phone call, video conference or Internet meeting with that one to +talk about that capture file. As you are both looking at the displayed time on +your local computers, the one in Los Angeles still sees 2 o’clock but you in +Berlin will see 11 o’clock. The time displays are different as both Wireshark +displays will show the (different) local times at the same point in time. + +__Conclusion__: You may not bother about the date/time of the time stamp you +currently look at unless you must make sure that the date/time is as expected. +So, if you get a capture file from a different time zone and/or DST, you’ll have +to find out the time zone/DST difference between the two local times and +“mentally adjust” the time stamps accordingly. In any case, make sure that +every computer in question has the correct time and time zone setting. + +[#ChAdvReassemblySection] + + +=== Packet Reassembly + +==== What Is It? + +Network protocols often need to transport large chunks of data which are +complete in themselves, e.g., when transferring a file. The underlying protocol +might not be able to handle that chunk size (e.g., limitation of the network +packet size), or is stream-based like TCP, which doesn’t know data chunks at +all. + +In that case the network protocol has to handle the chunk boundaries itself and +(if required) spread the data over multiple packets. It obviously also needs a +mechanism to determine the chunk boundaries on the receiving side. + +Wireshark calls this mechanism reassembly, although a specific protocol +specification might use a different term for this (e.g., desegmentation, +defragmentation, etc.). + +==== How Wireshark Handles It + +For some of the network protocols Wireshark knows of, a mechanism is implemented +to find, decode and display these chunks of data. Wireshark will try to find the +corresponding packets of this chunk, and will show the combined data as +additional tabs in the “Packet Bytes” pane (for information about this pane. +See <<ChUsePacketBytesPaneSection>>). + +[#ChAdvWiresharkBytesPaneTabs] + +.The “Packet Bytes” pane with a reassembled tab +image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}] + +Reassembly might take place at several protocol layers, so it’s possible that +multiple tabs in the “Packet Bytes” pane appear. + +[NOTE] +==== +You will find the reassembled data in the last packet of the chunk. +==== + +For example, in a _HTTP_ GET response, the requested data (e.g., an HTML page) is +returned. Wireshark will show the hex dump of the data in a new tab +“Uncompressed entity body” in the “Packet Bytes” pane. + +Reassembly is enabled in the preferences by default but can be disabled in the +preferences for the protocol in question. Enabling or disabling reassembly +settings for a protocol typically requires two things: + +. The lower-level protocol (e.g., TCP) must support reassembly. Often this + reassembly can be enabled or disabled via the protocol preferences. + +. The higher-level protocol (e.g., HTTP) must use the reassembly mechanism to + reassemble fragmented protocol data. This too can often be enabled or disabled + via the protocol preferences. + +The tooltip of the higher-level protocol setting will notify you if and which +lower-level protocol setting also has to be considered. + +[#ChAdvReassemblyTcp] + +==== TCP Reassembly + +Protocols such as HTTP or TLS are likely to span multiple TCP segments. The +TCP protocol preference “Allow subdissector to reassemble TCP streams” (enabled +by default) makes it possible for Wireshark to collect a contiguous sequence of +TCP segments and hand them over to the higher-level protocol (for example, to +reconstruct a full HTTP message). All but the final segment will be marked with +“[TCP segment of a reassembled PDU]” in the packet list. + +Disable this preference to reduce memory and processing overhead if you are only +interested in TCP sequence number analysis (<<ChAdvTCPAnalysis>>). Keep in mind, +though, that higher-level protocols might be wrongly dissected. For example, +HTTP messages could be shown as “Continuation” and TLS records could be shown as +“Ignored Unknown Record”. Such results can also be observed if you start +capturing while a TCP connection was already started or when TCP segments +are lost or delivered out-of-order. + +To reassemble of out-of-order TCP segments, the TCP protocol preference +“Reassemble out-of-order segments” (currently disabled by default) must be +enabled in addition to the previous preference. +If all packets are received in-order, this preference will not have any effect. +Otherwise (if missing segments are encountered while sequentially processing a +packet capture), it is assuming that the new and missing segments belong to the +same PDU. Caveats: + +* Lost packets are assumed to be received out-of-order or retransmitted later. + Applications usually retransmit segments until these are acknowledged, but if + the packet capture drops packets, then Wireshark will not be able to + reconstruct the TCP stream. In such cases, you can try to disable this + preference and hopefully have a partial dissection instead of seeing just + “[TCP segment of a reassembled PDU]” for every TCP segment. +// See test/suite_decryption.py (suite_decryption.case_decrypt_80211) +// which would break when enabling the preference. +* When doing a capture in monitor mode (IEEE 802.11), packets are more likely to + get lost due to signal reception issues. In that case it is recommended to + disable the option. +// See test/suite_dissection.py (case_dissect_tcp.check_tcp_out_of_order) +* If the new and missing segments are in fact part of different PDUs, + then processing is currently delayed until no more segments are missing, even + if the begin of the missing segments completed a PDU. For example, assume six + segments forming two PDUs `ABC` and `DEF`. When received as `ABECDF`, an + application can start processing the first PDU after receiving `ABEC`. + Wireshark however requires the missing segment `D` to be received as well. + This issue will be addressed in the future. +// See test/suite_dissection.py (case_dissect_tcp.test_tcp_out_of_order_twopass) +* In the GUI and during a two-pass dissection (`tshark -2`), the previous + scenario will display both PDUs in the packet with last segment (`F`) rather + than displaying it in the first packet that has the final missing segment of a + PDU. This issue will be addressed in the future. +* When enabled, fields such as the SMB “Time from request” (`smb.time`) might be + smaller if the request follows other out-of-order segments (this reflects + application behavior). If the previous scenario however occurs, then the time + of the request is based on the frame where all missing segments are received. + +Regardless of the setting of these two reassembly-related preferences, you can +always use the “Follow TCP Stream” option (<<ChAdvFollowStreamSection>>) which +displays segments in the expected order. + +[#ChAdvNameResolutionSection] + +=== Name Resolution + +Name resolution tries to convert some of the numerical address values into a +human readable format. There are two possible ways to do these conversions, +depending on the resolution to be done: calling system/network services (like +the gethostname() function) and/or resolving from Wireshark specific +configuration files. For details about the configuration files Wireshark uses +for name resolution and alike, see <<AppFiles>>. + +The name resolution feature can be enabled individually for the protocol layers +listed in the following sections. + +==== Name Resolution Drawbacks + +Name resolution can be invaluable while working with Wireshark and may even save +you hours of work. Unfortunately, it also has its drawbacks. + +* _Name resolution can often fail._ The name to be resolved might simply be + unknown by the name servers asked, or the servers are just not available and + the name is also not found in Wireshark’s configuration files. + +* _Resolved names might not be available._ +Wireshark obtains name resolution information from a variety of sources, including DNS servers, the capture file itself (e.g., for a pcapng file), and the _hosts_ files on your system and in your <<ChAppFilesConfigurationSection,profile directory>>. +The resolved names might not be available if you open the capture file later or on a different machine. As a result, each time you or someone else opens a particular capture file it may look slightly different due to changing environments. + +* _DNS may add additional packets to your capture file._ +You might run into the link:{wikipedia-main-url}Observer_effect_(information_technology)[observer effect] if the extra traffic from Wireshark’s DNS queries and responses affects the problem you're trying to troubleshoot or any subsequent analysis. ++ +The same sort of thing can happen when capturing over a remote connection, e.g., SSH or RDP. + +// XXX Are there any other such packets than DNS ones? + +* _Resolved DNS names are cached by Wireshark._ This is required for acceptable + performance. However, if the name resolution information should change while + Wireshark is running, Wireshark won’t notice a change in the name resolution + information once it gets cached. If this information changes while Wireshark + is running, e.g., a new DHCP lease takes effect, Wireshark won’t notice it. + +// XXX Is this true for all or only for DNS info? + +Name resolution in the packet list is done while the list is filled. If a name +can be resolved after a packet is added to the list, its former entry won’t be +changed. As the name resolution results are cached, you can use +menu:View[Reload] to rebuild the packet list with the correctly resolved names. +However, this isn’t possible while a capture is in progress. + +// XXX Add information about the address editor frame (View -> Name Resolution -> Edit Resolved Name) + +==== Ethernet Name Resolution (MAC Layer) + +Try to resolve an Ethernet MAC address (e.g., 00:09:5b:01:02:03) to a human readable name. + +__ARP name resolution (system service)__: Wireshark will ask the operating +system to convert an Ethernet address to the corresponding IP address (e.g. +00:09:5b:01:02:03 → 192.168.0.1). + +__Ethernet codes (ethers file)__: If the ARP name resolution failed, Wireshark +tries to convert the Ethernet address to a known device name, which has been +assigned by the user using an _ethers_ file (e.g., 00:09:5b:01:02:03 → +homerouter). + +__Ethernet manufacturer codes (manuf file)__: If neither ARP or ethers returns a +result, Wireshark tries to convert the first 3 bytes of an ethernet address to +an abbreviated manufacturer name, which has been assigned by the IEEE (e.g. +00:09:5b:01:02:03 → Netgear_01:02:03). + +==== IP Name Resolution (Network Layer) + +Try to resolve an IP address (e.g., 216.239.37.99) to a human readable name. + +__DNS name resolution (system/library service)__: Wireshark will use a name +resolver to convert an IP address to the hostname associated with it +(e.g., 216.239.37.99 -> www.1.google.com). + +Most applications use synchronously DNS name resolution. +For example, your web browser must resolve the host name portion of a URL before it can connect to the server. +Capture file analysis is different. +A given file might have hundreds, thousands, or millions of IP addresses so for usability and performance reasons Wireshark uses asynchronous resolution. +Both mechanisms convert IP addresses to human readable (domain) names and typically use different sources such as the system hosts file (__/etc/hosts__) and any configured DNS servers. + +Since Wireshark doesn’t wait for DNS responses, the host name for a given address might be missing from a given packet when you view it the first time but be present when you view it subsequent times. + +You can adjust name resolution behavior in the Name Resolution section in the <<ChCustPreferencesSection,Preferences Dialog>>. +You can control resolution itself by adding a __hosts__ file to your <<ChAppFilesConfigurationSection,personal configuration directory>>. +You can also edit your system __hosts__ file, but that isn’t generally recommended. + +==== TCP/UDP Port Name Resolution (Transport Layer) + +Try to resolve a TCP/UDP port (e.g., 80) to a human readable name. + +__TCP/UDP port conversion (system service)__: Wireshark will ask the operating +system to convert a TCP or UDP port to its well-known name (e.g., 80 -> http). + +==== VLAN ID Resolution + +To get a descriptive name for a VLAN tag ID a vlans file can be used. + +==== SS7 Point Code Resolution + +To get a node name for a SS7 point code a ss7pcs file can be used. + +// XXX - mention the role of the /etc/services file (but don’t forget the files and folders section)! + +[#ChAdvChecksums] + +=== Checksums + +Several network protocols use checksums to ensure data integrity. Applying +checksums as described here is also known as _redundancy checking_. + + +.What are checksums for? +**** +Checksums are used to ensure the integrity of data portions for data +transmission or storage. A checksum is basically a calculated summary of such a +data portion. + +Network data transmissions often produce errors, such as toggled, missing or +duplicated bits. As a result, the data received might not be identical to the +data transmitted, which is obviously a bad thing. + +Because of these transmission errors, network protocols very often use checksums +to detect such errors. The transmitter will calculate a checksum of the data and +transmits the data together with the checksum. The receiver will calculate the +checksum of the received data with the same algorithm as the transmitter. If the +received and calculated checksums don’t match a transmission error has occurred. + +Some checksum algorithms are able to recover (simple) errors by calculating +where the expected error must be and repairing it. + +If there are errors that cannot be recovered, the receiving side throws away the +packet. Depending on the network protocol, this data loss is simply ignored or +the sending side needs to detect this loss somehow and retransmits the required +packet(s). + +Using a checksum drastically reduces the number of undetected transmission +errors. However, the usual checksum algorithms cannot guarantee an error +detection of 100%, so a very small number of transmission errors may remain +undetected. + +There are several different kinds of checksum algorithms; an example of an often +used checksum algorithm is CRC32. The checksum algorithm actually chosen for a +specific network protocol will depend on the expected error rate of the network +medium, the importance of error detection, the processor load to perform the +calculation, the performance needed and many other things. + +Further information about checksums can be found at: +{wikipedia-main-url}Checksum. +**** + +==== Wireshark Checksum Validation + +Wireshark will validate the checksums of many protocols, e.g., IP, TCP, UDP, etc. + +It will do the same calculation as a “normal receiver” would do, and shows the +checksum fields in the packet details with a comment, e.g., [correct] or +[invalid, must be 0x12345678]. + +Checksum validation can be switched off for various protocols in the Wireshark +protocol preferences, e.g., to (very slightly) increase performance. + +If the checksum validation is enabled and it detected an invalid checksum, +features like packet reassembly won’t be processed. This is avoided as +incorrect connection data could “confuse” the internal database. + +==== Checksum Offloading + +The checksum calculation might be done by the network driver, protocol driver or +even in hardware. + +For example: The Ethernet transmitting hardware calculates the Ethernet CRC32 +checksum and the receiving hardware validates this checksum. If the received +checksum is wrong Wireshark won’t even see the packet, as the Ethernet hardware +internally throws away the packet. + +Higher-level checksums are “traditionally” calculated by the protocol +implementation and the completed packet is then handed over to the hardware. + +Recent network hardware can perform advanced features such as IP checksum +calculation, also known as checksum offloading. The network driver won’t +calculate the checksum itself but will simply hand over an empty (zero or +garbage filled) checksum field to the hardware. + + +[NOTE] +==== +Checksum offloading often causes confusion as the network packets to be +transmitted are handed over to Wireshark before the checksums are actually +calculated. Wireshark gets these “empty” checksums and displays them as +invalid, even though the packets will contain valid checksums when they leave +the network hardware later. +==== + + +Checksum offloading can be confusing and having a lot of [invalid] messages on +the screen can be quite annoying. As mentioned above, invalid checksums may lead +to unreassembled packets, making the analysis of the packet data much harder. + +You can do two things to avoid this checksum offloading problem: + +* Turn off the checksum offloading in the network driver, if this option is available. + +* Turn off checksum validation of the specific protocol in the Wireshark preferences. + Recent releases of Wireshark disable checksum validation by default due to the + prevalence of offloading in modern hardware and operating systems. + +// End of WSUG Chapter Advanced diff --git a/docbook/wsug_src/wsug_build_install.adoc b/docbook/wsug_src/wsug_build_install.adoc new file mode 100644 index 0000000..88199fc --- /dev/null +++ b/docbook/wsug_src/wsug_build_install.adoc @@ -0,0 +1,396 @@ +// WSUG Chapter BuildInstall + +[#ChapterBuildInstall] + +== Building and Installing Wireshark + +[#ChBuildInstallIntro] + +=== Introduction + +As with all things there must be a beginning and so it is with Wireshark. To +use Wireshark you must first install it. If you are running Windows or macOS +you can download an official release at {wireshark-download-url}, install it, +and skip the rest of this chapter. + +If you are running another operating system such as Linux or FreeBSD you might +want to install from source. Several Linux distributions offer Wireshark +packages but they commonly provide out-of-date versions. No other versions of UNIX +ship Wireshark so far. For that reason, you will need to know where to get the +latest version of Wireshark and how to install it. + +This chapter shows you how to obtain source and binary packages and how to +build Wireshark from source should you choose to do so. + +The general steps are the following: + +. Download the relevant package for your needs, e.g., source or binary + distribution. + +. For source distributions, compile the source into a binary. + This may involve building and/or installing other necessary packages. + +. Install the binaries into their final destinations. + +[#ChBuildInstallDistro] + +=== Obtaining the source and binary distributions + +You can obtain both source and binary distributions from the Wireshark {wireshark-main-url}[main page] or the download page at {wireshark-download-url}. +Select the package most appropriate for your system. + +// +// Windows +// + +[#ChBuildInstallWinInstall] + +=== Installing Wireshark under Windows + +The official Windows packages can be downloaded from the Wireshark {wireshark-main-url}[main page] or the {wireshark-download-url}[download page]. +Installer names contain the version and platform. +For example, Wireshark-{wireshark-version}-x64.exe installs Wireshark {wireshark-version} for Windows on 64-bit Intel processors. +The Wireshark installer includes Npcap which is required for packet capture. +Windows packages automatically update. +See <<ChBuildInstallUpdatingWireshark>> for details. + +Simply download the Wireshark installer from {wireshark-download-url} and execute it. +Official packages are signed by *Wireshark Foundation*. +You can choose to install several optional components and select the location of the installed package. +The default settings are recommended for most users. + +[#ChBuildInstallWinComponents] + +==== Installation Components + +On the _Choose Components_ page of the installer you can select from the following: + +* *Wireshark* - The network protocol analyzer that we all know and mostly love. + +* *TShark* - A command-line network protocol analyzer. If you haven’t tried it + you should. + +* *Plugins & Extensions* - Extras for the Wireshark and TShark dissection engines + + - *Codec Plugins* - Additional codec support. + + - *Configuration Profiles* - Additional configuration profiles. + + - *Dissector Plugins* - Additional protocol dissectors. + + - *File Type Plugins - capture file support* - Extend wiretap support for capture file types. (e.g. usbdump) + + - *Mate - Meta Analysis and Tracing Engine* - User configurable extension(s) + of the display filter engine, see <<ChMate>> for details. + + - *SNMP MIBs* - SNMP MIBs for a more detailed SNMP dissection. + + - *TRANSUM - performance analysis* - Plugin to calculate Response Time Element (RTE) statistics. + + - *Tree Statistics Plugin* - Extended statistics. (see stats_tree in WSDG; Packet Lengths in WSUG) + +* *Tools* - Additional command line tools to work with capture files and troubleshoot + + - *Capinfos* - Print information about capture files. + + - *Captype* - Print the type(format) of capture files. + + - *DFTest* - Show display filter byte-code, for debugging dfilter routines. + + - *Editcap* - Copy packets to a new file, optionally trimming packets, omitting them, + or saving to a different format. + + - *Mergecap* - Combine multiple saved capture files into a single output file. + + - *MMDBResolve* - MaxMind Database resolution tool - read IPv4 and IPv6 addresses and + print their IP geolocation information. + + - *Randpkt* - Create a pcap trace file full of random packets. (randpkt produces very bad packets) + + - *Rawshark* - Dump and analyze raw pcap data. + + - *Reordercap* - Copy packets to a new file, sorted by time. + + - *Text2Pcap* - Generate a capture file from an ASCII hexdump of packets. + +* *External Capture (extcap)* - External Capture Interfaces + + - *Androiddump* - Provide capture interfaces from Android devices. + + - *Etwdump* - Provide an interface to read Event Tracing for Windows (ETW) event trace (ETL). + + - *Randpktdump* - Provide an interface to the random packet generator. (see also randpkt) + + - *Sshdump, Ciscodump, and Wifidump* - Provide remote capture through SSH. (tcpdump, Cisco EPC, wifi) + + - *UDPdump* - Provide capture interface to receive UDP packets streamed from network devices. + +* *Documentation* - Local installation of the User’s Guide and FAQ. The Help buttons on + most dialogs will require an internet connection to show help pages if the + User’s Guide is not installed locally. + +[#ChBuildInstallWinAdditionalTasks] + +==== Additional Tasks + +* *Wireshark Start Menu Item* - Add a shortcut to the start menu. + +* *Wireshark Desktop Icon* - Add a Wireshark icon to the desktop. + +* *Associate trace file extensions with Wireshark* - Associate standard network trace files to Wireshark. + +[#ChBuildInstallWinLocation] + +==== Install Location + +By default Wireshark installs into `%ProgramFiles%\Wireshark` on 32-bit Windows +and `%ProgramFiles64%\Wireshark` on 64-bit Windows. This expands to `C:\Program +Files\Wireshark` on most systems. + +[#ChBuildInstallNpcap] + +==== Installing Npcap + +The Wireshark installer contains the latest Npcap installer. + +If you don’t have Npcap installed you won’t be able to capture live network +traffic but you will still be able to open saved capture files. By default the +latest version of Npcap will be installed. If you don’t wish to do this or if +you wish to reinstall Npcap you can check the _Install Npcap_ box as needed. + +For more information about Npcap see {npcap-main-url} and +{wireshark-wiki-url}Npcap. + + +[#ChBuildInstallWinWiresharkCommandLine] + +==== Windows installer command line options + +For special cases, there are some command line parameters available: + +* `/S` runs the installer or uninstaller silently with default values. The + silent installer *will not* install Npcap. + +* `/desktopicon` installation of the desktop icon, `=yes` - force installation, + `=no` - don’t install, otherwise use default settings. This option can be + useful for a silent installer. + +* `/quicklaunchicon` installation of the quick launch icon, `=yes` - force + installation, `=no` - don’t install, otherwise use default settings. + +* `/D` sets the default installation directory ($INSTDIR), overriding InstallDir + and InstallDirRegKey. It must be the last parameter used in the command line + and must not contain any quotes even if the path contains spaces. + +* `/NCRC` disables the CRC check. We recommend against using this flag. + +* `/EXTRACOMPONENTS` comma separated list of optional components to install. +The following extcap binaries are supported. + + +** `androiddump` - Provide interfaces to capture from Android devices + +** `ciscodump` - Provide interfaces to capture from a remote Cisco router through SSH + +** `randpktdump` - Provide an interface to generate random captures using randpkt + +** `sshdump` - Provide interfaces to capture from a remote host through SSH using a remote capture binary + +** `udpdump` - Provide a UDP receiver that gets packets from network devices + +Example: +---- +> Wireshark-4.2.5-x64.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo + +> Wireshark-4.2.5-x64.exe /S /EXTRACOMPONENTS=sshdump,udpdump +---- + +Running the installer without any parameters shows the normal interactive installer. + +[#ChBuildInstallNpcapManually] + +==== Manual Npcap Installation + +As mentioned above, the Wireshark installer also installs Npcap. +If you prefer to install Npcap manually or want to use a different version than the +one included in the Wireshark installer, you can download Npcap from +the main Npcap site at {npcap-main-url}. + +[#ChBuildInstallNpcapUpdate] + +==== Update Npcap + +Wireshark updates may also include a new version of Npcap. +Manual Npcap updates instructions can be found on the Npcap web +site at {npcap-main-url}. You may have to reboot your machine after installing +a new Npcap version. + +[#ChBuildInstallWinUninstall] + +==== Uninstall Wireshark + +You can uninstall Wireshark using the _Programs and Features_ control panel. +Select the “Wireshark” entry to start the uninstallation procedure. + +The Wireshark uninstaller provides several options for removal. The default is +to remove the core components but keep your personal settings and Npcap. +Npcap is kept in case other programs need it. + +[#ChBuildInstallNpcapUninstall] + +==== Uninstall Npcap + +You can uninstall Npcap independently of Wireshark using the _Npcap_ entry +in the _Programs and Features_ control panel. Remember that if you uninstall +Npcap you won’t be able to capture anything with Wireshark. + +[#ChBuildInstallWinBuild] + +=== Building from source under Windows + +We strongly recommended using the binary installer for Windows unless you +want to start developing Wireshark on the Windows platform. + +For further information how to obtain sources and build Wireshark for Windows +from the sources see the Developer’s Guide at: + +* {wireshark-developers-guide-url}ChSrcObtain + +* {wireshark-developers-guide-url}ChSetupWindows + +You may also want to have a look at the Development Wiki +({wireshark-wiki-url}Development) for the latest available development +documentation. + +// +// macOS +// + +[#ChBuildInstallOSXInstall] + +=== Installing Wireshark under macOS + +The official macOS packages can be downloaded from the Wireshark {wireshark-main-url}[main page] or the {wireshark-download-url}[download page]. +Packages are distributed as disk images (.dmg) containing the application bundle. +Package names contain the platform and version. +To install Wireshark simply open the disk image and drag _Wireshark_ to your _/Applications_ folder. +macOS packages automatically update. +See <<ChBuildInstallUpdatingWireshark>> for details. + +In order to capture packets, you must install the “ChmodBPF” launch daemon. +You can do so by opening the _Install ChmodBPF.pkg_ file in the Wireshark .dmg or from Wireshark itself by opening menu:Wireshark[About Wireshark] selecting the “Folders” tab, and double-clicking “macOS Extras”. + +The installer package includes Wireshark along with ChmodBPF and system path packages. +See the included _Read me first.html_ file for more details. + +[#ChBuildInstallUnixInstallBins] + +=== Installing the binaries under UNIX + +In general installing the binary under your version of UNIX will be specific to +the installation methods used with your version of UNIX. For example, under AIX, +you would use _smit_ to install the Wireshark binary package, while under Tru64 +UNIX (formerly Digital UNIX) you would use _setld_. + +==== Installing from RPMs under Red Hat and alike + +Building RPMs from Wireshark’s source code results in several packages (most +distributions follow the same system): + +* The `wireshark` package contains the core Wireshark libraries and command-line + tools. + +* The `wireshark` or `wireshark-qt` package contains the Qt-based GUI. + +Many distributions use `yum` or a similar package management tool to make +installation of software (including its dependencies) easier. If your +distribution uses `yum`, use the following command to install Wireshark +together with the Qt GUI: + +---- +yum install wireshark wireshark-qt +---- + +If you’ve built your own RPMs from the Wireshark sources you can install them +by running, for example: + +---- +rpm -ivh wireshark-2.0.0-1.x86_64.rpm wireshark-qt-2.0.0-1.x86_64.rpm +---- + +If the above command fails because of missing dependencies, install the +dependencies first, and then retry the step above. + +==== Installing from debs under Debian, Ubuntu and other Debian derivatives + +If you can just install from the repository then use + +---- +apt install wireshark +---- + +Apt should take care of all of the dependency issues for you. + +[NOTE] +.Capturing requires privileges +==== +By installing Wireshark packages non-root, users won’t gain rights automatically +to capture packets. To allow non-root users to capture packets follow the +procedure described in {wireshark-code-file-url}packaging/debian/README.Debian +(file:///usr/share/doc/wireshark-common/README.Debian.gz[/usr/share/doc/wireshark-common/README.Debian.gz]) +==== + +==== Installing from portage under Gentoo Linux + +Use the following command to install Wireshark under Gentoo Linux with all of +the extra features: + +---- +USE="c-ares ipv6 snmp ssl kerberos threads selinux" emerge wireshark +---- + +==== Installing from packages under FreeBSD + +Use the following command to install Wireshark under FreeBSD: + +---- +pkg_add -r wireshark +---- + +pkg_add should take care of all of the dependency issues for you. + +[#ChBuildInstallUnixBuild] + +=== Building from source under UNIX or Linux + +We recommended using the binary installer for your platform unless you +want to start developing Wireshark. + +Building Wireshark requires the proper build environment including a +compiler and many supporting libraries. For more information, see the Developer’s Guide at: + +* {wireshark-developers-guide-url}ChSrcObtain + +* {wireshark-developers-guide-url}ChapterSetup#ChSetupUNIX + +[#ChBuildInstallUpdatingWireshark] + +=== Updating Wireshark + +By default, Wireshark on Windows and macOS will check for new versions and notify you when they are available. +If you have the _Check for updates_ preference disabled or if you run Wireshark in an isolated environment you should subscribe to the _wireshark-announce_ mailing list to be notified of new versions. +See <<ChIntroMailingLists>> for details on subscribing to this list. + +New versions of Wireshark are usually released every four to six weeks. +Updating Wireshark is done the same way as installing it. +Simply download and run the installer on Windows, or download and drag the application on macOS. +A reboot is usually not required and all your personal settings will remain unchanged. + +We offer two update channels, _Stable_ and _Development_. +The Stable channel is the default, and only installs packages from stable (even-numbered) release branches. +The Development channel installs development and release candidate packages when they are available, and stable releases otherwise. +To configure your release channel, go to menu:Preferences[Advanced] and search for “update.channel”. +See <<ChCustPreferencesSection>> for details. + +// End of WSUG ChapterBuildInstall + diff --git a/docbook/wsug_src/wsug_capture.adoc b/docbook/wsug_src/wsug_capture.adoc new file mode 100644 index 0000000..c7ef8f1 --- /dev/null +++ b/docbook/wsug_src/wsug_capture.adoc @@ -0,0 +1,733 @@ +// WSUG Chapter Capture + +[#ChapterCapture] + +== Capturing Live Network Data + +[#ChCapIntroduction] + +=== Introduction + +Capturing live network data is one of the major features of Wireshark. + +The Wireshark capture engine provides the following features: + +* Capture from different kinds of network hardware such as Ethernet or 802.11. + +* Simultaneously capture from multiple network interfaces. + +* Stop the capture on different triggers such as the amount of captured data, + elapsed time, or the number of packets. + +* Simultaneously show decoded packets while Wireshark is capturing. + +* Filter packets, reducing the amount of data to be captured. See + <<ChCapCaptureFilterSection>>. + +* Save packets in multiple files while doing a long-term capture, optionally + rotating through a fixed number of files (a “ringbuffer”). See + <<ChCapCaptureFiles>>. + +The capture engine still lacks the following features: + +* Stop capturing (or perform some other action) depending on the captured data. + +[#ChCapPrerequisitesSection] + +=== Prerequisites + +Setting up Wireshark to capture packets for the first time can be +tricky. A comprehensive guide “How To setup a Capture” is available at +{wireshark-wiki-url}CaptureSetup. + +Here are some common pitfalls: + +* You may need special privileges to start a live capture. + +* You need to choose the right network interface to capture packet data from. + +* You need to capture at the right place in the network to see the traffic you + want to see. + +If you have any problems setting up your capture environment, you should have a +look at the guide mentioned above. + +[#ChCapCapturingSection] + +=== Start Capturing + +The following methods can be used to start capturing packets with Wireshark: + +* You can double-click on an interface in the <<ChCapInterfaceSection,welcome screen>>. + +* You can select an interface in the <<ChCapInterfaceSection,welcome screen>>, then select menu:Capture[Start] or click the first toolbar button. + +* You can get more detailed information about available interfaces using <<ChCapCaptureOptions>> (menu:Capture[Options...]). + +* If you already know the name of the capture interface you can start Wireshark from the command line: +-- +---- +$ wireshark -i eth0 -k +---- +-- +This will start Wireshark capturing on interface `eth0`. More details can be found at <<ChCustCommandLine>>. + +[#ChCapInterfaceSection] + +=== The “Capture” Section Of The Welcome Screen + +When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces. +Network activity for each interface will be shown in a sparkline next to the interface name. +It is possible to select more than one interface and capture from them simultaneously. + +[#ChCapCaptureInterfacesMainWin32] + +.Capture interfaces on Microsoft Windows +image::images/ws-capture-interfaces-main-win32.png[{screenshot-attrs}] + +[#ChCapCaptureInterfacesMainMacos] + +.Capture interfaces on macOS +image::images/ws-capture-interfaces-main-macos.png[{screenshot-attrs}] + +Some interfaces allow or require configuration prior to capture. +This will be indicated by a configuration icon +(image:images/toolbar/x-capture-options.png[height=16,width=16]) +to the left of the interface name. +Clicking on the icon will show the configuration dialog for that interface. + +Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter. + +Wireshark isn't limited to just network interfaces -- on most systems you can also capture USB, Bluetooth, and other types of packets. +Note also that an interface might be hidden if it’s inaccessible to Wireshark or if it has been hidden as described in <<ChCapManageInterfacesSection>>. + +[#ChCapCaptureOptions] + +=== The “Capture Options” Dialog Box + +When you select menu:Capture[Options...] (or use the corresponding item in the +main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in +<<ChCapCaptureOptionsDialog>>. +If you are unsure which options to choose in this dialog box, leaving the defaults settings as they are should work well in many cases. + +[#ChCapCaptureOptionsDialog] +.The “Capture Options” input tab +image::images/ws-capture-options.png[{screenshot-attrs}] + +The “Input” tab contains the “Interface” table, which shows the following columns: + +Interface:: +The interface name. ++ +Some interfaces allow or require configuration prior to capture. +This will be indicated by a configuration icon +(image:images/toolbar/x-capture-options.png[height=16,width=16]) +to the left of the interface name. +Clicking on the icon will show the configuration dialog for that interface. + +Traffic:: +A sparkline showing network activity over time. + +Link-layer Header:: +The type of packet captured by this interface. +In some cases it is possible to change this. +See <<ChCapLinkLayerHeader>> for more details. + +Promiscuous:: +Lets you put this interface in promiscuous mode while capturing. +Note that another application might override this setting. + +Snaplen:: +The snapshot length, or the number of bytes to capture for each packet. +You can set an explicit length if needed, e.g., for performance or privacy reasons. + +Buffer:: +The size of the kernel buffer that is reserved for capturing packets. +You can increase or decrease this as needed, but the default is usually sufficient. + +Monitor Mode:: +Lets you capture full, raw 802.11 headers. +Support depends on the interface type, hardware, driver, and OS. +Note that enabling this might disconnect you from your wireless network. + +Capture Filter:: +The capture filter applied to this interface. +You can edit the filter by double-clicking on it. +See <<ChCapCaptureFilterSection>> for more details about capture filters. + +Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses. + +If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings above will be overridden. + +“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same time. + +btn:[Manage Interfaces] opens the <<ChCapManageInterfacesDialog>> where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added. + +btn:[Compile Selected BPFs] opens <<ChCapCompiledFilterOutputDialog>>, which shows you the compiled bytecode for your capture filter. +This can help to better understand the capture filter you created. + + +[TIP] +.Linux power user tip +==== +The execution of BPFs can be sped up on Linux by turning on BPF Just In Time compilation by executing + +---- +$ echo 1 >/proc/sys/net/core/bpf_jit_enable +---- + +if it is not enabled already. To make the change persistent you can use +link:{sysfs-main-url}[sysfsutils]. +==== + +.The “Capture Options” output tab +image::images/ws-capture-options-output.png[{screenshot-attrs}] + +The “Output” tab shows the following information: + +Capture to a permanent file:: + +File::: +This field allows you to specify the file name that will be used for the capture file. +It is left blank by default. +If left blank, the capture data will be stored in a temporary file. +See <<ChCapCaptureFiles>> for details. +You can also click on the button to the right of this field to browse through the filesystem. + +Output format::: +Allows you to set the format of the capture file. +pcapng is the default and is more flexible than pcap. +pcapng might be required, e.g., if more than one interface is chosen for capturing. +See {wireshark-wiki-url}Development/PcapNg for more details on pcapng. + +Create a new file automatically...:: +Sets the conditions for switching a new capture file. +A new capture file can be created based on the following conditions: + * The number of packets in the capture file. + * The size of the capture file. + * The duration of the capture file. + * The wall clock time. + +Use a ring buffer with:: +Multiple files only. +Form a ring buffer of the capture files with the given number of files. + +More details about capture files can be found in <<ChCapCaptureFiles>>. + +.The “Capture Options” options tab +image::images/ws-capture-options-options.png[{screenshot-attrs}] + +The “Options” tab shows the following information: + +Display Options:: + +Update list of packets in real-time::: +Updates the packet list pane in real time during capture. +If you do not enable this, Wireshark will not display any packets until you stop the capture. +When you check this, Wireshark captures in a separate process and feeds the captures to the display process. + +Automatically scroll during live capture::: +Scroll the packet list pane as new packets come in, so you are always looking at the most recent packet. +Automatic scrolling is temporarily disabled when manually scrolling upwards or performing a <<ChUseTabGo,"Go" action>> so that the selected packet can be examined. +It will resume upon manually scrolling to the end of the packet list. +If you do not specify this Wireshark adds new packets to the packet list but does not scroll the packet list pane. +This option has no effect if “Update list of packets in real-time” is disabled. + +Show capture information during capture::: +If this option is enabled, the capture information dialog described in <<ChCapRunningSection>> will be shown while packets are captured. + +Name Resolution:: + +Resolve MAC addresses::: +Translate MAC addresses into names. + +Resolve network names::: +Translate network addresses into names. + +Resolve transport names::: +Translate transport names (port numbers). + +See <<ChAdvNameResolutionSection>> for more details on each of these options. + +Stop capture automatically after...:: + +Capturing can be stopped based on the following conditions: + +* The number of packets in the capture file. +* The number of capture files. +* The capture file size. +* The capture file duration. + +You can double click on an interface row in the “Input“ tab or click btn:[Start] from any tab to commence the capture. You can click btn:[Cancel] to apply your changes and close the dialog. + +[#ChCapManageInterfacesSection] + +=== The “Manage Interfaces” Dialog Box + +[#ChCapManageInterfacesDialog] +.The “Manage Interfaces” dialog box +image::images/ws-manage-interfaces.png[{screenshot-attrs}] + +The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage the following: + +Show:: +Whether or not to show or hide this interface in the welcome screen and the “Capture Options” dialog. + +Friendly Name:: +A name for the interface that is human readable. + +Interface Name:: +The device name of the interface. + +Comment:: +Can be used to add a descriptive comment for the interface. + +// [[ChCapManageInterfacesPipesDialog]] + +// .The “Pipes” tab +// image::images/ws-capture-options-manage-interfaces-pipes.png[{screenshot-attrs}] + +The “Pipes” tab lets you capture from a named pipe. +To successfully add a pipe, its associated named pipe must have already been created. +Click btn:[{plus}] and type the name of the pipe including its path. +Alternatively, btn:[Browse] can be used to locate the pipe. + +To remove a pipe from the list of interfaces, select it and press btn:[-]. + +// [[ChCapManageInterfacesDialog]] + +// === The “Add New Interfaces” dialog box + +// As a central point to manage interfaces this dialog box consists of three tabs +// to add or remove interfaces. + +// .The “Add New Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces.png[{screenshot-attrs}] + +// ==== Add or hide local interfaces + +// [[ChCapManageInterfacesLocalDialog]] +// .The “Add New Interfaces - Local Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-local.png[{screenshot-attrs}] + +// The tab “Local Interfaces” contains a list of available local interfaces, +// including the hidden ones, which are not shown in the other lists. + +// If a new local interface is added, for example, a wireless interface has been +// activated, it is not automatically added to the list to prevent the constant +// scanning for a change in the list of available interfaces. To renew the list a +// rescan can be done. + +// One way to hide an interface is to change the preferences. If the “Hide” +// checkbox is activated and the btn:[Apply] button clicked, the interface will +// not be seen in the lists of the “Capture Interfaces” dialog box any more. The +// changes are also saved in the `preferences` file. + +// ==== Add or hide remote interfaces + +// [[ChCapManageInterfacesRemoteDialog]] +// .The “Add New Interfaces - Remote Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-remote.png[{screenshot-attrs}] + +On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different machine. +The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it. + +On Linux or Unix you can capture (and do so more securely) through an SSH tunnel. + +To add a new remote capture interface, click btn:[{plus}] and specify the following: + +Host:: +The IP address or host name of the target platform where the Remote Packet Capture Protocol service is listening. +The drop-down list contains the hosts that have previously been successfully contacted. +The list can be emptied by choosing “Clear list” from the drop-down list. + +Port:: +Set the port number where the Remote Packet Capture Protocol service is listening on. +Leave blank to use the default port (2002). + +Null authentication:: +Select this if you don’t need authentication to take place for a remote capture to be started. +This depends on the target platform. +This is exactly as secure as it appears, i.e., it is not secure at all. + +Password authentication:: +Lets you specify the username and password required to connect to the Remote Packet Capture Protocol service. + +Each interface can optionally be hidden. +In contrast to the local interfaces, they are not saved in the `preferences` file. + +[NOTE] +==== +Make sure you have outside access to port 2002 on the target platform. +This is the default port used by the Remote Packet Capture Protocol service. +==== + +To remove a host including all its interfaces from the list, select it and click the btn:[-] button. + +// To access the Remote Capture Interfaces dialog use the “Remote Interfaces” tab of the “Manage Interfaces” dialog. See <<ChCapManageInterfacesRemoteDialog>> and select btn:[Add]. + +// [[ChCapInterfaceRemoteDialog]] +// .The “Remote Capture Interfaces” dialog box +// image::images/ws-capture-options-manage-interfaces-remote-plus.png[{screenshot-attrs}] + + +// ==== Remote Capture Settings + +// The remote capture can be further fine tuned to match your situation. The +// btn:[Remote Interfaces] button in <<ChCapManageInterfacesDialog>> gives +// you this option. It pops up the dialog shown in +// <<ChCapInterfaceRemoteSettingsDialog>>. + +// [[ChCapInterfaceRemoteSettingsDialog]] +// .The “Remote Capture Settings” dialog box +// image::images/ws-capture-options-remote-settings.png[{screenshot-attrs}] + +// You can set the following parameters in this dialog: + +// _Do not capture own RPCAP traffic_:: +// This option sets a capture filter so that the traffic flowing back from the +// Remote Packet Capture Protocol service to Wireshark isn’t captured as well and +// also send back. The recursion in this saturates the link with duplicate traffic. +// + +// You only should switch this off when capturing on an interface other than the +// interface connecting back to Wireshark. + +// _Use UDP for data transfer_:: +// Remote capture control and data flows over a TCP connection. This option allows +// you to choose a UDP stream for data transfer. + +// _Sampling option None_:: +// This option instructs the Remote Packet Capture Protocol service to send back +// all captured packets which have passed the capture filter. This is usually not a +// problem on a remote capture session with sufficient bandwidth. + +// _Sampling option 1 of x packets_:: +// This option limits the Remote Packet Capture Protocol service to send only a sub +// sampling of the captured data, in terms of number of packets. This allows +// capture over a narrow band remote capture session of a higher bandwidth +// interface. + + +// _Sampling option 1 every x milliseconds_:: +// This option limits the Remote Packet Capture Protocol service to send only a sub +// sampling of the captured data in terms of time. This allows capture over a +// narrow band capture session of a higher bandwidth interface. + +// [[ChCapInterfaceDetailsSection]] + +// === The “Interface Details” dialog box + +// When you select Details from the Capture Interface menu, Wireshark pops up the +// “Interface Details” dialog box as shown in <<ChCapInterfaceDetailsDialog>>. This +// dialog shows various characteristics and statistics for the selected interface. + +// [NOTE] +// .Microsoft Windows only +// ==== +// This dialog is only available on Microsoft Windows +// ==== + +// [[ChCapInterfaceDetailsDialog]] +// .The “Interface Details” dialog box +// image::images/ws-capture-interface-details.png[{screenshot-attrs}] + +[#ChCapCompiledFilterOutputSection] + +=== The “Compiled Filter Output” Dialog Box + +This figure shows the results of compiling the BPF filter for the selected interfaces. + +[#ChCapCompiledFilterOutputDialog] + +.The “Compiled Filter Output” dialog box +image::images/ws-capture-options-compile-selected-bpfs.png[{medium-screenshot-attrs}] + +In the list on the left the interface names are listed. +The results of compiling a filter for the selected interface are shown on the right. + +[#ChCapCaptureFiles] + +=== Capture files and file modes + +While capturing, the underlying libpcap capturing engine will grab the packets +from the network card and keep the packet data in a (relatively) small kernel +buffer. This data is read by Wireshark and saved into a capture file. + +By default, Wireshark saves packets to a temporary file. You can also tell +Wireshark to save to a specific (“permanent”) file and switch to a +different file after a given time has elapsed or a given number of packets +have been captured. These options are controlled in the +“Capture Options” dialog's “Output” tab. + +[#ChCapCaptureOptionsOutputDialog] +.Capture output options +image::images/ws-capture-options-output.png[{screenshot-attrs}] + +[TIP] +==== +Working with large files (several hundred MB) can be quite slow. If you plan to do +a long-term capture or capturing from a high traffic network, think about using +one of the “Multiple files” options. This will spread the captured packets over +several smaller files which can be much more pleasant to work with. +==== + +Using the “Multiple files” option may cut context related information. Wireshark keeps +context information of the loaded packet data, so it can report context related +problems (like a stream error) and keeps information about context related +protocols (e.g., where data is exchanged at the establishing phase and only +referred to in later packets). As it keeps this information only for the loaded +file, using one of the multiple file modes may cut these contexts. If the +establishing phase is saved in one file and the things you would like to see is +in another, you might not see some of the valuable context related information. + +Information about the folders used for capture files can be found in +<<AppFiles>>. + +[#ChCapTabCaptureFiles] +.Capture file mode selected by capture options +[options="header",cols="2,2,2,3,5"] +|=== +|File Name|“Create a new file...”|“Use a ring buffer...”|Mode|Resulting filename(s) used +|-|-|-|Single temporary file|wiresharkXXXXXX.pcap[ng] (where XXXXXX is a unique 6 character alphanumeric sequence) +|foo.cap|-|-|Single named file|foo.cap +|foo.cap|x|-|Multiple files, continuous|foo_00001_20230714110102.cap, foo_00002_20230714110318.cap, ... +|foo.cap|x|x|Multiple files, ring buffer|foo_00001_20230714110102.cap, foo_00002_20230714110318.cap, ... +|=== + +Single temporary file:: +A temporary file will be created and used (this is the default). +After capturing is stopped this file can be saved later under a user specified name. + +Single named file:: +A single capture file will be used. +Choose this mode if you want to place the new capture file in a specific folder. + +Multiple files, continuous:: +Like the “Single named file” mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the “Next file every...” values). + +Multiple files, ring buffer:: +Much like “Multiple files continuous”, reaching one of the multiple files switch +conditions (one of the “Next file every ...” values) will switch to the next +file. This will be a newly created file if value of “Ring buffer with n files” +is not reached, otherwise it will replace the oldest of the formerly used files +(thus forming a “ring”). ++ +This mode will limit the maximum disk usage, even for an unlimited amount of +capture input data, only keeping the latest captured data. + +[#ChCapLinkLayerHeader] + +=== Link-layer header type + +In most cases you won’t have to modify link-layer header type. Some exceptions +are as follows: + +If you are capturing on an Ethernet device you might be offered a choice of +“Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable +Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be +captured, select “DOCSIS”, otherwise select “Ethernet”. + +If you are capturing on an 802.11 device on some versions of BSD you might be +offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the +captured packets to have fake (“cooked”) Ethernet headers. “802.11” will +cause them to have full IEEE 802.11 headers. Unless the capture needs to be read +by an application that doesn’t support 802.11 headers you should select +“802.11”. + +If you are capturing on an Endace DAG card connected to a synchronous serial +line you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If +the protocol on the serial line is PPP, select “PPP over serial” and if the +protocol on the serial line is Cisco HDLC, select “Cisco HDLC”. + +If you are capturing on an Endace DAG card connected to an ATM network you might +be offered a choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only +traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs +to be read by an application that doesn’t support SunATM headers, select “RFC +1483 IP-over-ATM”, otherwise select “Sun raw ATM”. + +[#ChCapCaptureFilterSection] + +=== Filtering while capturing + +Wireshark supports limiting the packet capture to packets that match a +_capture filter_. Wireshark capture filters are written in +libpcap filter language. Below is a brief overview of the libpcap filter +language's syntax. Complete documentation can be found at +the link:{pcap-filter-man-page-url}[pcap-filter man page]. You can find +many Capture Filter examples at {wireshark-wiki-url}CaptureFilters. + +You enter the capture filter into the “Filter” field of the Wireshark +“Capture Options” dialog box, as shown in <<ChCapCaptureOptionsDialog>>. + +A capture filter takes the form of a series of primitive expressions connected +by conjunctions (__and/or__) and optionally preceded by __not__: + +---- +[not] primitive [and|or [not] primitive ...] +---- + +An example is shown in <<ChCapExFilt1>>. + +[#ChCapExFilt1] +.A capture filter for telnet that captures traffic to and from a particular host +==== +---- +tcp port 23 and host 10.0.0.5 +---- +==== + +This example captures telnet traffic to and from the host 10.0.0.5, and shows +how to use two primitives and the __and__ conjunction. Another example is shown +in <<ChCapExFilt2>>, and shows how to capture all telnet traffic except that +from 10.0.0.5. + +[#ChCapExFilt2] +.Capturing all telnet traffic not from 10.0.0.5 +==== +---- +tcp port 23 and not src host 10.0.0.5 +---- +==== + +// XXX - add examples to the following list. + +A primitive is simply one of the following: _[src|dst] host <host>_:: +This primitive allows you to filter on a host IP address or name. You can +optionally precede the primitive with the keyword _src|dst_ to specify that you +are only interested in source or destination addresses. If these are not +present, packets where the specified address appears as either the source or the +destination address will be selected. + +ether [src|dst] host <ehost>:: +This primitive allows you to filter on Ethernet host addresses. You can +optionally include the keyword _src|dst_ between the keywords _ether_ and _host_ +to specify that you are only interested in source or destination addresses. If +these are not present, packets where the specified address appears in either the +source or destination address will be selected. + +gateway host <host>:: +This primitive allows you to filter on packets that used _host_ as a gateway. +That is, where the Ethernet source or destination was _host_ but neither the +source nor destination IP address was _host_. + +[src|dst] net <net> [{mask <mask>}|{len <len>}]:: +This primitive allows you to filter on network numbers. You can optionally +precede this primitive with the keyword _src|dst_ to specify that you are only +interested in a source or destination network. If neither of these are present, +packets will be selected that have the specified network in either the source or +destination address. In addition, you can specify either the netmask or the CIDR +prefix for the network if they are different from your own. + + +[tcp|udp] [src|dst] port <port>:: +This primitive allows you to filter on TCP and UDP port numbers. You can +optionally precede this primitive with the keywords _src|dst_ and _tcp|udp_ +which allow you to specify that you are only interested in source or destination +ports and TCP or UDP packets respectively. The keywords _tcp|udp_ must appear +before _src|dst_. ++ +If these are not specified, packets will be selected for both the TCP and UDP +protocols and when the specified address appears in either the source or +destination port field. + +less|greater <length>:: +This primitive allows you to filter on packets whose length was less than or +equal to the specified length, or greater than or equal to the specified length, +respectively. + +ip|ether proto <protocol>:: +This primitive allows you to filter on the specified protocol at either the +Ethernet layer or the IP layer. + +ether|ip broadcast|multicast:: +This primitive allows you to filter on either Ethernet or IP broadcasts or +multicasts. + +<expr> relop <expr>:: +This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. +Please see the pcap-filter man page at {pcap-filter-man-page-url} for more details. + + +[#ChCapCaptureAutoFilterSection] + +==== Automatic Remote Traffic Filtering + +If Wireshark is running remotely (using e.g., SSH, an exported X11 window, a +terminal server, ...), the remote content has to be transported over the +network, adding a lot of (usually unimportant) packets to the actually +interesting traffic. + +To avoid this, Wireshark tries to figure out if it’s remotely connected (by +looking at some specific environment variables) and automatically creates a +capture filter that matches aspects of the connection. + +The following environment variables are analyzed: + +`SSH_CONNECTION` (ssh):: +<remote IP> <remote port> <local IP> <local port> + + +`SSH_CLIENT` (ssh):: +<remote IP> <remote port> <local port> + + +`REMOTEHOST` (tcsh, others?):: +<remote name> + +`DISPLAY` (x11):: +[remote name]:<display num> + + +`SESSIONNAME` (terminal server):: +<remote name> + +On Windows it asks the operating system if it’s running in a Remote Desktop Services environment. + +[#ChCapRunningSection] + +=== While a Capture is running ... + +You might see the following dialog box while a capture is running: + +[#ChCapCaptureInfoDialog] +.The “Capture Information” dialog box +image::images/ws-capture-info.png[{small-screenshot-attrs}] + +This dialog box shows a list of protocols and their activity over time. +It can be enabled via the “capture.show_info” setting in the “Advanced” +preferences. + +[#ChCapStopSection] + +==== Stop the running capture + +A running capture session will be stopped in one of the following ways: + +. The btn:[Stop Capture] button in the “Capture Information” dialog box. + +. The menu:Capture[Stop] menu item. + +. The btn:[Stop] toolbar button. + +. Pressing kbd:[Ctrl+E]. + +. The capture will be automatically stopped if one of the _Stop Conditions_ is + met, e.g., the maximum amount of data was captured. + +[#ChCapRestartSection] + +==== Restart a running capture + +A running capture session can be restarted with the same capture options as the +last time, this will remove all packets previously captured. This can be useful, +if some uninteresting packets are captured and there’s no need to keep them. + +Restart is a convenience function and equivalent to a capture stop following by +an immediate capture start. A restart can be triggered in one of the following +ways: + +. Using the menu:Capture[Restart] menu item. + +. Using the btn:[Restart] toolbar button. + +// End of WSUG Chapter Capture diff --git a/docbook/wsug_src/wsug_customize.adoc b/docbook/wsug_src/wsug_customize.adoc new file mode 100644 index 0000000..9ca4a47 --- /dev/null +++ b/docbook/wsug_src/wsug_customize.adoc @@ -0,0 +1,1496 @@ +// WSUG Chapter Customizing + +[#ChapterCustomize] + +== Customizing Wireshark + +[#ChCustIntroduction] + +=== Introduction + +Wireshark’s default behavior will usually suit your needs pretty well. However, +as you become more familiar with Wireshark, it can be customized in various ways +to suit your needs even better. In this chapter we explore: + +* How to start Wireshark with command line parameters + +* How to colorize the packet list + +* How to control protocol dissection + +* How to use the various preference settings + +[#ChCustCommandLine] + +=== Start Wireshark from the command line + +You can start Wireshark from the command line, but it can also be started from +most Window managers as well. In this section we will look at starting it from +the command line. + +Wireshark supports a large number of command line parameters. To see what they +are, simply enter the command _wireshark -h_ and the help information shown in +<<ChCustEx1>> (or something similar) should be printed. + +[#ChCustEx1] +.Help information available from Wireshark +---- +include::wireshark-h.txt[] +---- + +We will examine each of the command line options in turn. + +The first thing to notice is that issuing the command `wireshark` by itself will +launch Wireshark. However, you can include as many of the command line +parameters as you like. Their meanings are as follows ( in alphabetical order ): + +// XXX - is the alphabetical order a good choice? Maybe better task based? + +-a <capture autostop condition>:: +--autostop <capture autostop condition>:: +Specify a criterion that specifies when Wireshark is to stop writing +to a capture file. The criterion is of the form test:value, where test +is one of: ++ +-- + duration:value:: + Stop writing to a capture file after value of seconds have elapsed. + + filesize:value:: + Stop writing to a capture file after it reaches a size of value + kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If + this option is used together with the -b option, Wireshark will + stop writing to the current capture file and switch to the next + one if filesize is reached. + + files:value:: + Stop writing to capture files after value number of files were + written. + + packets:value:: + Stop writing to a capture file after value number of packets were written. +-- + +-b <capture ring buffer option>:: +If a maximum capture file size was specified, this option causes Wireshark to +run in “ring buffer” mode, with the specified number of files. In “ring +buffer” mode, Wireshark will write to several capture files. Their +name is based on the number of the file and on the creation date and +time. ++ +When the first capture file fills up Wireshark will switch to writing +to the next file, and so on. With the files option it’s +also possible to form a “ring buffer.” This will fill up new files until the +number of files specified, at which point the data in the first file will be +discarded so a new file can be written. ++ +If the optional duration is specified, Wireshark will also +switch to the next file when the specified number of seconds has elapsed even +if the current file is not completely filled up. ++ +-- + duration:value:: + Switch to the next file after value seconds have elapsed, even + if the current file is not completely filled up. + + filesize:value:: + Switch to the next file after it reaches a size of value kilobytes + (where a kilobyte is 1000 bytes, not 1024 bytes). + + files:value:: + Begin again with the first file after value number of files were + written (form a ring buffer). + + packets:value:: + Switch to the next file after value number of packets were written, even + if the current file is not completely filled up. + + interval:value:: + Switch to the next file when the time is an exact multiple of value seconds. +-- + +-B <capture buffer size>:: +--buffer-size <capture buffer size>:: +Set capture buffer size (in MB, default is 2MB). This is used by the capture +driver to buffer packet data until that data can be written to disk. If you +encounter packet drops while capturing, try to increase this size. Not supported +on some platforms. + +-C <config profile>:: +Start with the specified configuration profile. + +-c <capture packet count>:: +This option specifies the maximum number of packets to capture when capturing +live data. It would be used in conjunction with the `-k` option. + +--capture-comment <comment>:: +Add the comment string to the capture file, if supported by the file format. + +-d <layer_type>==<selector>,<decode_as_protocol>:: +"Decode As", see <<ChAdvDecodeAs>> for details. Example: tcp.port==8888,http + +-D:: +--list-interfaces:: +Print a list of the interfaces on which Wireshark can capture, then exit. For +each network interface, a number and an interface name, possibly followed by a +text description of the interface, is printed. The interface name or the number +can be supplied to the `-i` flag to specify an interface on which to capture. ++ +This can be useful on systems that don’t have a command to list them (e.g., +Windows systems, or UNIX systems lacking `ifconfig -a`). The number can be +especially useful on Windows, where the interface name is a GUID. ++ +Note that “can capture” means that Wireshark was able to open that device to +do a live capture. If, on your system, a program doing a network capture must be +run from an account with special privileges, then, if +Wireshark is run with the `-D` flag and is not run from such an account, it will +not list any interfaces. + +--display <DISPLAY>:: +Set the X display to use, instead of the one defined in the environment, or +the default display. + +--enable-protocol <proto_name>:: +--disable-protocol <proto_name>:: +Enable and disable the dissection of the protocol. + +--enable-heuristic <short_name>:: +--disable-heuristic <short_name>:: +Enable and disable the dissection of the heuristic protocol. + +-f <capture filter>:: +This option sets the initial capture filter expression to be used when capturing +packets. + +--fullscreen:: +Start Wireshark in full screen. + +-g <packet number>:: +After reading in a capture file using the -r flag, go to the given packet +number. + +-h:: +--help:: +This option requests Wireshark to print its version and usage instructions +(as shown here) and exit. + +-H:: +Hide the capture info dialog during live packet capture. + +-i <capture interface>:: +--interface <capture interface>:: +Set the name of the network interface or pipe to use for live packet capture. ++ +Network interface names should match one of the names listed in `wireshark -D` +(described above). A number, as reported by `wireshark -D`, can also be used. If +you’re using UNIX, `netstat -i`, `ifconfig -a` or `ip link` might also work to +list interface names, although not all versions of UNIX support the `-a` flag to +`ifconfig`. ++ +If no interface is specified, Wireshark searches the list of interfaces, +choosing the first non-loopback interface if there are any non-loopback +interfaces, and choosing the first loopback interface if there are no +non-loopback interfaces; if there are no interfaces, Wireshark reports an error +and doesn’t start the capture. ++ +Pipe names should be either the name of a FIFO (named pipe) or “-” to read +data from the standard input. Data read from pipes must be in standard libpcap +format. + +-J <jump filter>:: +After reading in a capture file using the `-r` flag, jump to the first packet +which matches the filter expression. The filter expression is in display filter +format. If an exact match cannot be found the first packet afterwards is +selected. + +-I:: +--monitor-mode:: +Capture wireless packets in monitor mode if available. + +-j:: +Use this option after the `-J` option to search backwards for a first packet to +go to. + +-k:: +The `-k` option specifies that Wireshark should start capturing packets +immediately. This option requires the use of the `-i` parameter to specify the +interface that packet capture will occur from. + +-K <keytab file>:: +Use the specified file for Kerberos decryption. + +-l:: +This option turns on automatic scrolling if the packet list pane is being +updated automatically as packets arrive during a capture (as specified by the +`-S` flag). + +-L:: +--list-data-link-types:: +List the data link types supported by the interface and exit. + +--list-time-stamp-types:: +List timestamp types configurable for the interface and exit. + +-m <font>:: +This option sets the name of the font used for most text displayed by Wireshark. + +// XXX - add an example! + +-n:: +Disable network object name resolution (such as hostname, TCP and UDP port +names). + +-N <name resolving flags>:: +Turns on name resolving for particular types of addresses and port numbers. The +argument is a string that may contain the following letters: ++ +-- + N:: + Use external name resolver. + + d:: + Enable name resolution from captured DNS packets. + + m:: + Enable MAC address resolution. + + n:: + Enable network address resolution. + + t:: + Enable transport layer port number resolution. + + v:: + Enable VLAN ID resolution. +-- + +-o <preference or recent settings>:: +Sets a preference or recent value, overriding the default value and any value +read from a preference or recent file. The argument to the flag is a string of +the form _prefname:value_, where _prefname_ is the name of the preference (which +is the same name that would appear in the `preferences` or `recent` file), and +_value_ is the value to which it should be set. Multiple instances of `-o +<preference settings> ` can be given on a single command line. ++ +-- +An example of setting a single preference would be: + +---- +wireshark -o mgcp.display_dissect_tree:TRUE +---- + +An example of setting multiple preferences would be: +---- +wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627 +---- + +You can get a list of all available preference strings from the +preferences file. See <<AppFiles>> for details. + +User access tables can be overridden using “uat,” followed by +the UAT file name and a valid record for the file: + +---- +wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\"" +---- + +The example above would dissect packets with a libpcap data link type 147 as +HTTP, just as if you had configured it in the DLT_USER protocol preferences. +-- + +-p:: +--no-promiscuous-mode:: +Don’t put the interface into promiscuous mode. Note that the interface might be +in promiscuous mode for some other reason. Hence, `-p` cannot be used to ensure +that the only traffic that is captured is traffic sent to or from the machine on +which Wireshark is running, broadcast traffic, and multicast traffic to +addresses received by that machine. + +-P <path setting>:: +Special path settings usually detected automatically. This is used for special +cases, e.g., starting Wireshark from a known location on an USB stick. ++ +The criterion is of the form key:path, where key is one of: ++ +-- + persconf:path:: + Path of personal configuration files, like the preferences files. + + persdata:path:: + Path of personal data files, it’s the folder initially opened. After the + initialization, the recent file will keep the folder last used. +-- + +-r <infile>:: +--read-file <infile>:: +This option provides the name of a capture file for Wireshark to read and +display. This capture file can be in one of the formats Wireshark understands. + +-R <read (display) filter>:: +--read-filter <read (display) filter>:: +This option specifies a display filter to be applied when reading packets from a +capture file. The syntax of this filter is that of the display filters discussed +in <<ChWorkDisplayFilterSection>>. Packets not matching the filter +are discarded. + +-s <capture snapshot length>:: +--snapshot-length <capture snapshot length>:: +This option specifies the snapshot length to use when capturing packets. +Wireshark will only capture _snaplen_ bytes of data for each packet. + +-S:: +This option specifies that Wireshark will display packets as it captures them. +This is done by capturing in one process and displaying them in a separate +process. This is the same as “Update list of packets in real time” in the +“Capture Options” dialog box. + +-t <time stamp format>:: +This option sets the format of packet timestamps that are displayed in the +packet list window. The format can be one of: ++ +-- +r:: Relative, which specifies timestamps are +displayed relative to the first packet captured. + +a:: Absolute, which specifies that actual times +be displayed for all packets. + +ad:: Absolute with date, which specifies that +actual dates and times be displayed for all packets. + +adoy:: Absolute with YYYY/DOY date, which specifies that +actual dates and times be displayed for all packets. + +d:: Delta, which specifies that timestamps +are relative to the previous packet. + +dd: Delta, which specifies that timestamps +are relative to the previous displayed packet. + +e:: Epoch, which specifies that timestamps +are seconds since epoch (Jan 1, 1970 00:00:00) + +u:: Absolute, which specifies that actual times +be displayed for all packets in UTC. + +ud:: Absolute with date, which specifies that +actual dates and times be displayed for all packets in UTC. + +udoy:: Absolute with YYYY/DOY date, which specifies that +actual dates and times be displayed for all packets in UTC. +-- + +-u <s | hms>:: +Show timesamps as seconds (“s”, the default) or hours, minutes, and seconds (“hms”) + +-v:: +--version:: +This option requests Wireshark to print out its version information and +exit. + +-w <savefile>:: +This option sets the name of the file to be used to save captured packets. +This can be '-' for stdout. + +-y <capture link type>:: +--link-type <capture like types>:: +If a capture is started from the command line with `-k`, set the data +link type to use while capturing packets. The values reported by `-L` +are the values that can be used. + +--time-stamp-type <type>:: +If a capture is started from the command line with `-k`, set the time +stamp type to use while capturing packets. The values reported by +`--list-time-stamp-types` are the values that can be used. + +-X <eXtension option>:: +Specify an option to be passed to a Wireshark/TShark module. The eXtension +option is in the form extension_key:value, where extension_key can be: ++ +-- +lua_script:<lua_script_filename>:: +Tells Wireshark to load the given script in addition to the default Lua scripts. + +lua_script[num]:argument:: +Tells Wireshark to pass the given argument to the lua script identified by +_num_, which is the number indexed order of the _lua_script_ command. For +example, if only one script was loaded with `-X lua_script:my.lua`, then `-X +lua_script1:foo` will pass the string _foo_ to the _my.lua_ script. If two +scripts were loaded, such as `-X lua_script:my.lua -X lua_script:other.lua` +in that order, then a `-X lua_script2:bar` would pass the +string _bar_ to the second lua script, ie., _other.lua_. + +read_format:<file_type>:: +Tells Wireshark to use a specific input file type, instead of determining it +automatically. + +stdin_descr:<description>:: +Define a description for the standard input interface, instead of the default: +"Standard input". +-- + +-Y <display filter>:: +--display-filter <display filter>:: +Start with the given display filter. + +-z <statistics-string>:: +Get Wireshark to collect various types of statistics and display the +result in a window that updates in semi-real time. For the currently +implemented statistics consult the Wireshark manual page. + +// XXX - add more details here! + + +[#ChCustColorizationSection] + +=== Packet colorization + +A very useful mechanism available in Wireshark is packet colorization. +You can set up Wireshark so that it will colorize packets according to a +display filter. This allows you to emphasize the packets you might be +interested in. + +You can find a lot of coloring rule examples at the _Wireshark Wiki +Coloring Rules page_ at {wireshark-wiki-url}ColoringRules. + +There are two types of coloring rules in Wireshark: temporary rules that +are only in effect until you quit the program, and permanent rules that +are saved in a preference file so that they are available the next time +you run Wireshark. + +Temporary rules can be added by selecting a packet and pressing the kbd:[Ctrl] +key together with one of the number keys. This will create a coloring rule based +on the currently selected conversation. It will try to create a conversation +filter based on TCP first, then UDP, then IP and at last Ethernet. Temporary +filters can also be created by selecting the menu:Colorize with Filter[Color X] +menu items when right-clicking in the packet detail pane. + +To permanently colorize packets, select menu:View[Coloring Rules...]. Wireshark +will display the “Coloring Rules” dialog box as shown in +<<ChCustColoringRulesDialog>>. + +[#ChCustColoringRulesDialog] +.The “Coloring Rules” dialog box +image::images/ws-coloring-rules-dialog.png[{screenshot-attrs}] + +If this is the first time using the Coloring Rules dialog and you’re using the +default configuration profile you should see the default rules, shown above. + +[NOTE] +.The first match wins +==== +More specific rules should usually be listed before more general rules. For +example, if you have a coloring rule for UDP before the one for DNS, the rule +for DNS may not be applied (DNS is typically carried over UDP and the UDP rule +will match first). +==== + +You can create a new rule by clicking on the btn:[+] button. You can delete +one or more rules by clicking the btn:[-] button. The “copy” button will +duplicate a rule. + +You can edit a rule by double-clicking on its name or filter. In +<<ChCustColoringRulesDialog>> the name of the rule “Checksum Errors” is being +edited. Clicking on the btn:[Foreground] and btn:[Background] buttons will +open a color chooser (<<ChCustChooseColorDialog>>) for the foreground (text) and +background colors respectively. + +[#ChCustChooseColorDialog] +.A color chooser +image::images/ws-choose-color-rule.png[{small-screenshot-attrs}] + +The color chooser appearance depends on your operating system. The macOS color +picker is shown. Select the color you desire for the selected packets and click +btn:[OK]. + +<<ChCustColorFilterMany>> shows an example of several color filters being used +in Wireshark. Note that the frame detail shows that the “Bad TCP” rule +was applied, along with the matching filter. + +[#ChCustColorFilterMany] +.Using color filters with Wireshark +image::images/ws-coloring-fields.png[{screenshot-attrs}] + + +[#ChCustProtocolDissectionSection] + +=== Control Protocol dissection + +The user can control how protocols are dissected. + +Each protocol has its own dissector, so dissecting a complete packet will +typically involve several dissectors. As Wireshark tries to find the right +dissector for each packet (using static “routes” and heuristics “guessing”), +it might choose the wrong dissector in your specific case. For example, +Wireshark won’t know if you use a common protocol on an uncommon TCP port, e.g., +using HTTP on TCP port 800 instead of the standard port 80. + +There are two ways to control the relations between protocol dissectors: disable +a protocol dissector completely or temporarily divert the way Wireshark calls +the dissectors. + +[#ChAdvEnabledProtocols] + +==== The “Enabled Protocols” dialog box + +The Enabled Protocols dialog box lets you enable or disable specific protocols. +Most protocols are enabled by default. When a protocol is disabled, Wireshark +stops processing a packet whenever that protocol is encountered. + +[NOTE] +==== +Disabling a protocol will prevent information about higher-layer protocols from +being displayed. For example, suppose you disabled the IP protocol and selected +a packet containing Ethernet, IP, TCP, and HTTP information. The Ethernet +information would be displayed, but the IP, TCP and HTTP information would not - +disabling IP would prevent it and the higher-layer protocols from being displayed. +==== + +To enable or disable protocols select menu:Analyze[Enabled Protocols...]. +Wireshark will pop up the “Enabled Protocols” dialog box as shown in +<<ChAdvEnabledProtocolsFig>>. + +[#ChAdvEnabledProtocolsFig] +.The “Enabled Protocols” dialog box +image::images/ws-enabled-protocols.png[{screenshot-attrs}] + +To disable or enable a protocol, simply click the checkbox using the mouse. +Note that typing a few letters of the protocol name in the search box will limit +the list to those protocols that contain these letters. + +You can choose from the following actions: + +btn:[Enable All]:: Enable all protocols in the list. + +btn:[Disable All]:: Disable all protocols in the list. + +btn:[Invert]:: Toggle the state of all protocols in the list. + +btn:[OK]:: Save and apply the changes and close the dialog box, see <<AppFiles>> for details. + +btn:[Cancel]:: Cancel the changes and close the dialog box. + +[#ChAdvDecodeAs] + +==== User Specified Decodes + +The “Decode As” functionality lets you temporarily divert specific protocol +dissections. This might be useful for example, if you do some uncommon +experiments on your network. + +Decode As is accessed by selecting the menu:Analyze[Decode As...]. Wireshark +will pop up the “Decode As” dialog box as shown in <<ChAdvDecodeAsFig>>. + +[#ChAdvDecodeAsFig] +.The “Decode As” dialog box +image::images/ws-decode-as.png[{screenshot-attrs}] + +In this dialog you are able to edit entries by means of the edit buttons on the +left. + +You can also pop up this dialog box from the context menu in the packet list or +packet details. It will then contain a new line based on the currently selected +packet. + +These settings will be lost if you quit Wireshark or change profile unless you +save the entries. + +btn:[+]:: Add new entry for selected packet + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[Clear]:: Clear the list of user specified decodes. + +btn:[OK]:: Apply the user specified decodes and close the dialog box. + +btn:[Save]:: Save and apply the user specified decodes and close the dialog box. + +btn:[Cancel]:: Cancel the changes and close the dialog box. + +[#ChCustPreferencesSection] + +=== Preferences + +There are a large number of preferences you can set. Simply select the menu:Edit[Preferences...] (menu:Wireshark[Preferences...] on macOS) and Wireshark will pop up the Preferences dialog box as shown in <<ChCustGUIPrefPage>>, with the “Appearance” page as default. +On the left side is a tree where you can select the page to be shown. + +* The btn:[OK] button will apply the preferences settings and close the dialog. + +// Uncomment if bug 12566 is ever fixed. +// * The btn:[Apply] button will apply the preferences settings and keep the dialog open. + +* The btn:[Cancel] button will restore all preferences settings to the last saved state. + +==== Appearance + +These preferences give you the option to control the makeup of the GUI. + +[#ChCustGUIPrefPage] +.The preferences dialog box +image::images/ws-pref-appearance.png[{screenshot-attrs}] + +Selecting _Remember main window size and placement_ allow for a repeatable experience when restarting Wireshark. + +Selecting _Open files in_ allows you to determine where to start the file selection dialog when opening capture files. + +The preference _Show up to_ allows you to determine how much history is tracked for display filter entries and recent files shown in the main application window. + +Selecting _Confirm unsaved capture files_ causes a dialog to appear when closing a capture file when it was not yet saved. +This may help preventing inadvertent loss of data, eg., when Wireshark is closed. + +Selecting _Display autocompletion for filter text_ causes a drop down list to appear when you enter a display filter. +This drop down list contains known display filters for easy selection. + +The preference _Main toolbar style_ allows you to tailor the toolbar style in one of three ways. + +The Wireshark main window title is replaced by the name of the opened capture file. +The preferences _Window title_ and _Prepend window title_ allow you to add bracketed strings after and before the window title. +These window title strings can contain variables which will be replaced by their respective values. + +The following variables are available. + +* %F = File path of the capture file +* %P = Currently selected profile name +* %S = Conditional separator (dash) that only shows when surrounded by variables with values or static text +* %V = Wireshark version info + +The _Language_ preference allows you to select the language used in the GUI. +Note that the protocol information and details are kept in the language commonly used in this field, that being English. + +==== Columns + +These preferences give you the option to control the definition of the columns shown in the packet list, once a capture file is loaded. + +.Column preferences +image::images/ws-pref-appearance-columns.png[{screenshot-attrs}] + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +Selecting _Show displayed columns only_ hides all non-displayed columns from the list, possibly making navigating the list easier. + +The rows can be dragged and dropped to arrange them in the desired order. + +The columns in the entries are as follows. + +Selecting _Displayed_ causes the column to be shown in the packet list. + +The _Title_ is the text shown in the header of the column in the packet list. + +The _Type_ is the type of value to be shown. This can be a predefined type, ie. a value in a defined format, or custom. + +The following settings are applicable when the _Type_ is set to "custom" + +The _Fields_ setting is the display filter name of the field to be shown in the column in the packet list. + +The _Field Occurrence_ setting is count of the given field in the frame, for fields that appear more than once in a frame. + +Selecting _Resolved_ causes name resolution to be applied to the field value, when available. + +==== Fonts and Color + +These preferences give you the option to select the font and colors used in the various packet panes. +Most usable is to select a mono spaced font, which allows for a cleaner presentation, but using a proportional font is possible too. + +.Font and color preferences +image::images/ws-pref-appearance-fonts-and-colors.png[{screenshot-attrs}] + +==== Layout + +These preferences allow you to define the layout of the GUI once a capture file is loaded. + +.Layout preferences +image::images/ws-pref-appearance-layout.png[{screenshot-attrs}] + +Make sure that you have at least one pane configured to contain the Packet list. +Three panes can be active at the same time and they can be layed out as shown in the top layer. +The exact sizes of these panes can be changed as needed once a capture file is opened. + +Selecting _Show packet list separator_ causes the packet list entries to be slightly set apart, which may improve readability at the cost of the amount of packets shown in the packet list. + +Selecting _Show column definition in column context menu_ make the column context menu wider to show the currently configured field type for the column. +This may help identify the column to select or modify. + +Selecting _Allow the list to be sorted_ enables the sort operator on all the columns. +This may prevent inadvertently triggering a sort, which may take considerable time for larger capture files. + +The _Maximum number of cached rows_ setting determines how much packet list information is cached to speed up sort operations, where a larger number causes more memory to be consumed by the cache. +Be aware that changing other dissection settings may invalidate the cache content. + +Selecting _Enable mouse-over colorization_ enables the highlighting of the currently pointed to packet in the packet list. +The currently selected packet is always highlighted. + +Selecting _Show selected packet number_ adds the selected packet number to the capture file details in the status bar, taking up some space in the status bar. + +Selecting _Show file load time_ adds the time it took to load the capture file to the status bar, taking up some space in the status bar. + +==== Capture + +These preferences allow you to set the default conditions for packet capture. + +.Capture preferences +image::images/ws-pref-capture.png[{screenshot-attrs}] + +The default interface is the interface used for packet capture in case no other is selected on the opening page of GUI. +Note that this can be multiple interfaces separated by a comma. + +Selecting _Capture packets in promiscuous mode_ causes the network interface(s) to capture on to be configured in promiscuous mode. +This allows all (Ethernet) frames to be received by the network interface to be capture, not only those that are addressed to the capture interface. + +Selecting _Capture packets in pcapng format_ causes the Next-Generation packet capture file format to be used when capturing. +This much more capable packet capture file format has many advantages over the original format, although not every external tool may be capable of handling packet captures in this format. + +Selecting _Update list of packets in real time_ causes the packet list to fill up and possibly scroll up during the packet capture process. +This does give an insight in the packets captured, although it takes processing power to dissect the capture packets. + +The preference _Interval between updates (ms)_ allows you to configure how often the packet list is updated during the packet capture process. +A higher interval reduces processing, but causes more delay between capture and display in the packet list. + +Selecting _Don't load interfaces on startup_ prevents Wireshark from spawning dumpcap to populate the list of capture interfaces on the local system. +This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue. +The interface list can always be populated after Wireshark is started via menu:Capture[Refresh Interfaces]. + +Selecting _Disable external capture interfaces_ prevents Wireshark from spawning extcap programs to list off their capture interfaces. +This might be a time consuming operation delaying the start of the program, however on most systems this is not an issue. + +==== Expert Items + +These preferences allow you to modify the severity set for expert items. + +.Expert item preferences +image::images/ws-pref-expert.png[{screenshot-attrs}] + +If, for whatever reason, you find that the severity for certain expert items does not match your needs you can change them here and have them used as such, showing up in the appropriate lists and overviews. +Get the Field name from selecting the field in the packet details pane, then observe the name shown in the status bar. +This is the name you enter on a new line in the list, while setting the desired _Severity_ in the next column. + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[⌃]:: Move the selected entry up in the list. + +btn:[⌄]:: Move the selected entry down in the list. + +btn:[Clear]:: Clear the list of user specified expert item severities. + +btn:[Copy from]:: Copy the list of user specified expert item severities from another profile. + +[#ChCustFilterButtons] +==== Filter Buttons + +Having quick access to regularly used display filter expressions can be a real productivity boost. +Here you can define your own display filter buttons. + +.Filter buttons +image::images/ws-pref-filter-buttons.png[{screenshot-attrs}] + +btn:[+]:: Add new entry to the list. + +btn:[-]:: Remove the selected entry. + +btn:[Copy]:: Copy the selected entry. + +btn:[⌃]:: Move the selected entry up in the list. + +btn:[⌄]:: Move the selected entry down in the list. + +btn:[Clear]:: Clear the list of user specified display filter buttons. + +btn:[Copy from]:: Copy the list of user specified display filter buttons from another profile. + +The columns in the entries are as follows. + +Selecting _Show in toolbar_ causes the column to be shown in the toolbar besides the display filter text entry. + +The _Button Label_ is the text shown on the button in the toolbar. + +The _Filter Expression_ is the <<ChWorkBuildDisplayFilterSection,display filter expression>> entered into the display filter text entry when the button is clicked. + +The _Comment_ is the comment text which appears in a bubble when the mouse hovers over the button. + +==== Name Resolution + +These preferences allow you to configure which numeric identifiers in protocols are translated into human readable text. +For some of these identifiers the readable texts are read from configurable external sources. + +.Name resolution preferences +image::images/ws-pref-name-resolution.png[{screenshot-attrs}] + +Selecting _Resolve MAC addresses_ causes the OUI (Organizationally Unique Identifier) at the start of an Ethernet address to be translated into the name registered with the IEEE for that OUI. + +Selecting _Resolve transport names_ causes the UDP and TCP port numbers to be translated into the service registered to these ports by IANA. + +Selecting _Resolve network (IP) addresses_ causes IPv4, IPv6 and IPX addresses to be translated into their corresponding host name. +To do this Wireshark reaches out to DNS servers to request names for addresses it finds in packets. +There are several way to do this, which can be controlled through the following preferences. + +Selecting _Use captured DNS packet data for name resolution_ causes DNS response packets in the capture file to fill the network address resolution table. +These can then be used to resolve addresses found in the packets. + +Selecting _Use your system's DNS settings for name resolution_ causes DNS requests to be made as would be for other network applications. + +Selecting _Use a custom list of DNS servers for name resolution_ causes DNS requests to be made to manually configured DNS servers. + +The _DNS Servers_ btn:[Edit...] button provides access to the dialog to manage these manually configured DNS servers. + +The _Maximum concurrent requests_ input field allows you to limit the amount of DNS queries made at the same time. + +Selecting _Resolve VLAN IDs_ causes the file "vlans" to be read and used to name VLANs. +This file has the simple format of one line per VLAN, starting wit VLAN ID, a tab character, followed by the name of the VLAN. + +Selecting _Resolve SS7 PCs_ causes the file "ss7pcs" to be read and used to name SS7 Point Codes. +This file has the simple format of one line per Point Code, starting with Network Indicator, a dash, the Point Code in decimal, a tab character, followed by the name of the Point Code. + +Selecting _Enable OID resolution_ causes the SMI library to be initialized. +This library is capable of loading MIB/PIB files to provide name resolution for SMI objects, as present in SNMP packets. + +Selecting _Suppress SMI errors_ prevents the SMI library from emitting error messages while loading MIB/PIB files. +The SMI library is very sensitive to irregularities in these files often resulting in harmless error being emitted. + +The _SMI (MIB and PIB) paths_ btn:[Edit...] button provides access to the dialog to manage the directories where the MIB/PIB files to be loaded can be found. + +The _SMI (MIB and PIB) modules_ btn:[Edit...] button provides access to the dialog to manage the MIB/PIB modules to be loaded. + +The _MaxMind database directories_ btn:[Edit...] button provides access to the dialog to manage the directories where the MaxMind database files can be found. See <<ChMaxMindDbPaths>>. + +==== Protocols + +Wireshark supports quite a few protocols, which is reflected in the long list of child entries of the “Protocols” pane. +You can jump to the preferences for a specific protocol by expanding “Protocols” and typing the first few letters of the protocol name. + +.Protocol preferences +image::images/ws-pref-protocols.png[{screenshot-attrs}] + +There are a few general protocol related preferences, listed below. + +Selecting _Display hidden protocol items_ influences what is shown in the packet details pane of the packet selected from the packet list. +Some protocol dissectors add hidden protocol items that provide additional interpretations of the packet data, or with different display filter strings. +These may or may not provide valuable information to the user and may clutter the output, therefor these items can be hidden. + +Selecting _Display byte fields with a space character between bytes_ influences the way a byte field in shown in the packet details pane of the packet selected in the packet list, if the dissector creates a byte field that is. +The bytes in the byte field are normally shown as a concatenated sequence of hexadecimals. +This preference allows you to get the representation of each byte separated by a space. +This may improve readability of the individual bytes in the byte field. + +Selecting _Look for incomplete dissectors_ causes expert items to be added to the dissection of packet data for which the dissector does not create an interpretation. +Dissectors should strive to not skip packet bytes and this preference allows you to be made aware of this. + +Selecting _Enable stricter conversation tracking heuristics_ allows dissectors to take more identifiers into consideration when creating "conversations". +These are used to track related packets. +The heuristics for these conversations are sensitive to mis-identification of packets, possibly corrupting conversation analysis. +Adding more identifiers can reduce the change of this happening. +Currently only the IPv4, ICMP and ICMPv6 dissector use this preference. + +Selecting _Ignore duplicate frames_ causes a duplicate frame to appear in the packet list, but flagged as ignored, hence not dissected. +The determination of a duplicate frame is made based on the SHA256 hash of the bytes in the frame. + +The preference _The max number of hashes to keep in memory for determining duplicate frames_ allows you to set how large the set of frames to consider for duplication is. + +==== RSA Keys + +For more information see {wireshark-wiki-url}TLS. + +.RSA keys +image::images/ws-pref-rsa-keys.png[{screenshot-attrs}] + +==== Statistics + +These preference have influence on the Statistics Tree (stats_tree) based dialogs accessible via the _Statistics_ menu. + +.Statistics preferences +image::images/ws-pref-statistics.png[{screenshot-attrs}] + +The preference _Tap update interval in ms_ allows you to set how quickly protocol taps are being updated, partially determining the update speed of various dialogs and graphs. + +Selecting _Enable the calculation of burst information_ allows the Statistics Tree system to calculate burst information. + +Selecting _Show burst count for item rather than rate_ allows the statistics nodes to show the count of events within the burst window instead of a burst rate. +Burst rate is calculated as number of events within burst window divided by the burst window length. + +The preference _Burst rate resolution (ms)_ sets the duration of the time interval into which events are grouped when calculating the burst rate. +Setting a higher resolution (ie., a smaller number) increases processing overhead. + +The preference _Burst rate window size (ms)_ sets the duration of the sliding window during which the burst rate is measured. +Longer window relative to burst rate resolution increases processing overhead. +This value will be truncated to a multiple of the _Burst rate resolution_ preference setting. + +The preference _Default sort column for stats_tree stats_ gives you to option to select one of the columns to sort on. + +Selecting _Default stats_tree sort order is descending_ causes a descending sort order based on the previously selected column. + +Selecting _Case sensitive sort of stats_tree item names_ causes a case sensitive sort based on the previous selected order and column. + +Selecting _Always sort 'range' nodes by name_ causes the sort to take place by name rather than values. + +Selecting _Always sort 'range' nodes in ascending order_ makes an exception for range nodes to the previously selected sort order. + +Selecting _Display the full stats_tree plug-in name_ causes the full menu path of the Statistics Tree plugin to be shown in the title. + +==== Advanced + +The “Advanced” pane will let you view and edit all of Wireshark’s preferences, similar to link:about:config[] and link:chrome:flags[] in the Firefox and Chrome web browsers. + +.Advanced preferences +image::images/ws-pref-advanced.png[{screenshot-attrs}] + +You can search for a preference by typing text into the “Search” entry. +You can also pass preference names to Wireshark and TShark on the command line. +For example, the __gui.prepend_window_title__ can be used to differentiate between different instances of Wireshark on your screen: + +[source,sh] +---- +$ wireshark -o "gui.prepend_window_title:LAN" & +$ wireshark -o "gui.prepend_window_title:External Network" & +---- + +[#ChCustConfigProfilesSection] + +=== Configuration Profiles + +Configuration Profiles can be used to configure and use more than one set of +preferences and configurations. Select the menu:Edit[Configuration Profiles...] menu item +or press kbd:[Shift+Ctrl+A] or kbd:[Shift+Cmd+A] (macOS) and Wireshark will pop up +the Configuration Profiles dialog box as shown in +<<ChCustGUIConfigProfilesPage>>. It is also possible to click in the “Profile” +part of the statusbar to popup a menu with available Configuration Profiles +(<<ChUseWiresharkStatusbarProfile>>). + +Configuration files stored in each profile include: + +* Preferences (preferences) (<<ChCustPreferencesSection>>) + +* Capture Filters (cfilters) (<<ChWorkDefineFilterSection>>) + +* Display Filters (dfilters) (<<ChWorkDefineFilterSection>>) + +* Coloring Rules (colorfilters) (<<ChCustColorizationSection>>) + +* Disabled Protocols (disabled_protos) (<<ChAdvEnabledProtocols>>) + +* User Accessible Tables: ++ +-- +* Custom HTTP headers (custom_http_header_fields) + +* Custom IMF headers (imf_header_fields) + +* Custom LDAP AttributeValue types (custom_ldap_attribute_types) + +* Display Filter Macros (dfilter_macros) (<<ChDisplayFilterMacrosSection>>) + +* ESS Category Attributes (ess_category_attributes) + (<<ChEssCategoryAttributes>>) + +* MaxMind Database Paths (maxmind_db_paths) (<<ChMaxMindDbPaths>>) + +* K12 Protocols (k12_protos) (<<ChK12ProtocolsSection>>) + +* Object Identifier Names and Associated Syntaxes (<<ChObjectIdentifiers>>) + +* PRES Users Context List (pres_context_list) (<<ChPresContextList>>) + +* SCCP Users Table (sccp_users) (<<ChSccpUsers>>) + +* SNMP Enterprise Specific Trap Types (snmp_specific_traps) + (<<ChSNMPEnterpriseSpecificTrapTypes>>) + +* SNMP Users (snmp_users) (<<ChSNMPUsersSection>>) + +* User DLTs Table (user_dlts) (<<ChUserDLTsSection>>) + +* IKEv2 decryption table (ikev2_decryption_table) (<<ChIKEv2DecryptionSection>>) + +* Protobuf Search Paths (protobuf_search_paths) (<<ChProtobufSearchPaths>>) + +* Protobuf UDP Message Types (protobuf_udp_message_types) (<<ChProtobufUDPMessageTypes>>) +-- + +* Changed dissector assignments (__decode_as_entries__), which can be set in the “Decode + As...” dialog box (<<ChAdvDecodeAs>>). + +* Some recent settings (recent), such as pane sizes in the Main window + (<<ChUseMainWindowSection>>), column widths in the packet list + (<<ChUsePacketListPaneSection>>), all selections in the menu:View[] menu + (<<ChUseViewMenuSection>>) and the last directory navigated to in the “File + Open” dialog. + +All other configurations are stored in the personal configuration folder and +are common to all profiles. + +[#ChCustGUIConfigProfilesPage] +.The configuration profiles dialog box +image::images/ws-gui-config-profiles.png[{medium-screenshot-attrs}] + +Search for profile ...:: +The list of profiles can be filtered by entering part of the profile's name +into the search box. + +Type selection:: +Profiles can be filtered between displaying "All profiles", "Personal profiles" +and "Global profiles" +* Personal profiles - these are profiles stored in the user's configuration directory +* Global profiles - these are profiles provided with Wireshark + +New (+):: +Create a new profile. The name of the created profile is “New profile” +and is highlighted so that you can more easily change it. + +Delete (-):: +Deletes the selected profile. This includes all configuration files used +in this profile. Multiple profiles can be selected and deleted at the same time. +It is not possible to delete the “Default” profile or global profiles. +Deletion of the "Default" profile will reset this profile. + +Copy:: +Copies the selected profile. This copies the configuration of the +profile currently selected in the list. The name of the created profile +is the same as the copied profile, with the text “(copy)” and is +highlighted so that you can more easily change it. + +btn:[Import]:: +Profiles can be imported from zip-archives as well as directly from directory +structures. Profiles, which already exist by name will be skipped, as well as +profiles named "Default". + +btn:[Export]:: +Profiles can be exported to a zip-archive. Global profiles, as well as the default +profile will be skipped during export. Profiles can be selected in the list individually +and only the selected profiles will be exported + +btn:[OK]:: +This button saves all changes, applies the selected profile and closes the +dialog. + +btn:[Cancel]:: +Close this dialog. This will discard unsaved settings, new profiles will not be +added and deleted profiles will not be deleted. + +btn:[Help]:: +Show this help page. + +[#ChUserTable] + +=== User Table + +The User Table editor is used for managing various tables in Wireshark. Its main +dialog works very similarly to that of <<ChCustColorizationSection>>. + +[#ChDisplayFilterMacrosSection] + +=== Display Filter Macros + +Display Filter Macros are a mechanism to create shortcuts for complex filters. +For example, defining a display filter macro named _$$tcp_conv$$_ whose text is + +---- +(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) +or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) +---- + +would allow to use a display filter like + +---- +${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} +---- + +instead of typing the whole filter. Once defined, a macro can +be used in <<ChWorkDefineFilterSection,saved display (but not +capture) filters>> and <<ChCustFilterButtons,filter buttons>>. + +Display Filter Macros can be managed with a user table, as described in +<<ChUserTable>>, by selecting menu:Analyze[Display Filter Macros] from +the menu. The User Table has the following fields: + +Name:: +The name of the macro. The name must consist of ASCII alphanumerics or +the '_' character. (Note that the presence of a '.' character would +indicate a <<_field_references,field reference>>.) + +Text:: +The replacement text for the macro it uses $1, $2, $3, ... as the input arguments. + +[#ChEssCategoryAttributes] + +=== ESS Category Attributes + +Wireshark uses this table to map ESS Security Category attributes to textual representations. The values to put in this table are usually found in an http://www.xmlspif.org/[XML SPIF], which is used for defining security labels. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Tag Set:: +An Object Identifier representing the Category Tag Set. + +Value:: +The value (Label And Cert Value) representing the Category. + +Name:: +The textual representation for the value. + +[#ChMaxMindDbPaths] + +=== MaxMind Database Paths + +If your copy of Wireshark supports https://www.maxmind.com/[MaxMind’s] MaxMindDB library, you can use their databases to match IP addresses to countries, cites, autonomous system numbers, and other bits of information. +Some databases are https://dev.maxmind.com/geoip/geoip2/geolite2/[available at no cost for registered users], while others require a licensing fee. +See https://www.maxmind.com/[the MaxMind web site] for more information. + +The configuration for the MaxMind database is a user table, as described +in <<ChUserTable>>, with the following fields: + +Database pathname:: +This specifies a directory containing MaxMind data files. Any files +ending with _.mmdb_ will be automatically loaded. + +The locations for your data files are up to you, but `/usr/share/GeoIP` +and `/var/lib/GeoIP` are common on Linux and `C:\ProgramData\GeoIP`, +`C:\Program Files\Wireshark\GeoIP` might be good choices on Windows. + +[#ChGeoIPDbPaths] + +Previous versions of Wireshark supported MaxMind's original GeoIP Legacy +database format. They were configured similar to MaxMindDB files above, +except GeoIP files must begin with _Geo_ and end with _.dat_. They are +no longer supported and MaxMind stopped distributing GeoLite Legacy +databases in April 2018. + +[#ChIKEv2DecryptionSection] + +=== IKEv2 decryption table + +Wireshark can decrypt Encrypted Payloads of IKEv2 (Internet Key Exchange version +2) packets if necessary information is provided. Note that you can decrypt only +IKEv2 packets with this feature. If you want to decrypt IKEv1 packets or ESP +packets, use Log Filename setting under ISAKMP protocol preference or settings +under ESP protocol preference respectively. + +This is handled by a user table, as described in <<ChUserTable>>, +with the following fields: + +Initiator’s SPI:: +Initiator’s SPI of the IKE_SA. This field takes hexadecimal string without +“0x” prefix and the length must be 16 hex chars (represents 8 octets). + +Responder’s SPI:: +Responder’s SPI of the IKE_SA. This field takes hexadecimal string without +“0x” prefix and the length must be 16 hex chars (represents 8 octets). + +SK_ei:: +Key used to encrypt/decrypt IKEv2 packets from initiator to responder. This +field takes hexadecimal string without “0x” prefix and its length must meet +the requirement of the encryption algorithm selected. + + +SK_er:: +Key used to encrypt/decrypt IKEv2 packets from responder to initiator. This +field takes hexadecimal string without “0x” prefix and its length must meet +the requirement of the encryption algorithm selected. + +Encryption Algorithm:: +Encryption algorithm of the IKE_SA. + +$$SK_ai$$:: +Key used to calculate Integrity Checksum Data for IKEv2 packets from responder +to initiator. This field takes hexadecimal string without “0x” prefix and its +length must meet the requirement of the integrity algorithm selected. + +$$SK_ar$$:: +Key used to calculate Integrity Checksum Data for IKEv2 packets from initiator +to responder. This field takes hexadecimal string without “0x” prefix and its +length must meet the requirement of the integrity algorithm selected. + +Integrity Algorithm:: +Integrity algorithm of the IKE_SA. + +[#ChObjectIdentifiers] + +=== Object Identifiers + +Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify +certain pieces of information. In many cases, they are used in an extension +mechanism so that new object identifiers (and associated values) may be defined +without needing to change the base standard. + +While Wireshark has knowledge about many of the OIDs and the syntax of their +associated values, the extensibility means that other values may be encountered. + +Wireshark uses this table to allow the user to define the name and syntax of +Object Identifiers that Wireshark does not know about (for example, a privately +defined X.400 extension). It also allows the user to override the name and +syntax of Object Identifiers that Wireshark does know about (e.g., changing the +name “id-at-countryName” to just “c”). + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +OID:: +The string representation of the Object Identifier e.g., “2.5.4.6”. + +Name:: +The name that should be displayed by Wireshark when the Object Identifier is +dissected e.g., (“c”); + +Syntax:: +The syntax of the value associated with the Object Identifier. This must be one +of the syntaxes that Wireshark already knows about (e.g., “PrintableString”). + +[#ChPresContextList] + +=== PRES Users Context List + +Wireshark uses this table to map a presentation context identifier to a given +object identifier when the capture does not contain a PRES package with a +presentation context definition list for the conversation. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Context Id:: +An Integer representing the presentation context identifier for which this +association is valid. + +Syntax Name OID:: +The object identifier representing the abstract syntax name, which defines the +protocol that is carried over this association. + +[#ChSccpUsers] + +=== SCCP users Table + +Wireshark uses this table to map specific protocols to a certain DPC/SSN +combination for SCCP. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Network Indicator:: +An Integer representing the network indicator for which this association is +valid. + +Called DPCs:: +A range of integers representing the dpcs for which this association is valid. + +Called SSNs:: +A range of integers representing the ssns for which this association is valid. + +User protocol:: +The protocol that is carried over this association + +[#ChSNMPSMIModules] + +=== SMI (MIB and PIB) Modules + +If your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB +modules here. The COPS and SNMP dissectors can use them to resolve OIDs. + +Module name:: +The name of the module, e.g., IF-MIB. + +[#ChSNMPSMIPaths] + +=== SMI (MIB and PIB) Paths + +If your copy of Wireshark supports libSMI, you can specify one or more paths to +MIB and PIB modules here. + +Directory name:: +A module directory, e.g., `/usr/local/snmp/mibs`. Wireshark automatically uses +the standard SMI path for your system, so you usually don’t have to add anything +here. + +[#ChSNMPEnterpriseSpecificTrapTypes] + +=== SNMP Enterprise Specific Trap Types + +Wireshark uses this table to map specific-trap values to user defined +descriptions in a Trap PDU. The description is shown in the packet details +specific-trap element. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Enterprise OID:: +The object identifier representing the object generating the trap. + + +Trap Id:: +An Integer representing the specific-trap code. + + +Description:: +The description to show in the packet details. + +[#ChSNMPUsersSection] + +=== SNMP users Table + +Wireshark uses this table to verify authentication and to decrypt encrypted +SNMPv3 packets. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +Engine ID:: +If given this entry will be used only for packets whose engine id is this. This +field takes a hexadecimal string in the form 0102030405. + +Username:: +This is the userName. When a single user has more than one password for +different SNMP-engines the first entry to match both is taken, if you need a +catch all engine-id (empty) that entry should be the last one. + +Authentication model:: +Which auth model to use (either “MD5” or “SHA1”). + +Password:: +The authentication password. Use _\xDD_ for unprintable characters. A +hexadecimal password must be entered as a sequence of _\xDD_ characters. For +example, the hex password 010203040506 must be entered as +_\x01\x02\x03\x04\x05\x06_. The _\_ character must be treated as an unprintable +character, i.e., it must be entered as _\x5C_ or _\x5c_. + +Privacy protocol:: +Which encryption algorithm to use (either “DES” or “AES”). + +Privacy password:: +The privacy password. Use _\xDD_ for unprintable characters. A hexadecimal +password must be entered as a sequence of _\xDD_ characters. For example, the hex +password 010203040506 must be entered as _\x01\x02\x03\x04\x05\x06_. The _\_ +character must be treated as an unprintable character, i.e., it must be entered +as _\x5C_ or _\x5c_. + +[#ChK12ProtocolsSection] + +=== Tektronix K12xx/15 RF5 protocols Table + +The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the +various protocols that are used by a certain interface. Wireshark doesn’t read +these stk files, it uses a table that helps it identify which lowest layer +protocol to use. + +Stk file to protocol matching is handled by a user table, as described +in <<ChUserTable>>, with the following fields: + +Match string:: +A partial match for an stk filename, the first match wins, so if you have a +specific case and a general one the specific one must appear first in the list. + +Protocol:: +This is the name of the encapsulating protocol (the lowest layer in the packet +data) it can be either just the name of the protocol (e.g., mtp2, eth_withoutfcs, +sscf-nni ) or the name of the encapsulation protocol and the “application” +protocol over it separated by a colon (e.g., sscop:sscf-nni, sscop:alcap, +sscop:nbap, ...) + +[#ChUserDLTsSection] + +=== User DLTs dissector table + +When a pcap file uses one of the user DLTs (147 to 162) Wireshark uses this +table to know which dissector(s) to use for each user DLT. + +This table is a user table, as described in <<ChUserTable>>, with the +following fields: + +DLT:: +One of the user dlts. + +Payload dissector:: +This is the name of the payload dissector (the lowest layer in the packet data). +(e.g., “eth_withfcs, "eth_withoutfcs”, and "eth_maybefcs" respectively for Ethernet frames that do, do not, or might possibly include the FCS at the end, “ip” for trying IPv4 then IPv6) + +Header size:: +If there is a header (before the payload) this tells which +size this header is. A value of 0 disables the header dissector. + +Header dissector:: +The name of the header dissector to be used (uses “data” as default). + +Trailer size:: +If there is a trailer (after the payload) this tells which +size this trailer is. A value of 0 disables the trailer dissector. + +Trailer dissector:: +The name of the trailer dissector to be used (uses “data” as default). + +[#ChProtobufSearchPaths] + +=== Protobuf Search Paths + +The +https://developers.google.com/protocol-buffers/docs/encoding[binary wire format] +of Protocol Buffers (Protobuf) messages are not self-described protocol. For +example, the `varint` wire type in protobuf packet may be converted to int32, int64, +uint32, uint64, sint32, sint64, bool or enum field types of +https://developers.google.com/protocol-buffers/docs/proto3[protocol buffers language]. +Wireshark should be configured with Protocol Buffers language files (*.proto) to +enable proper dissection of protobuf data (which may be payload of +https://grpc.io/[gRPC]) based on the message, enum and field definitions. + +You can specify protobuf search paths at the Protobuf protocol preferences. +For example, if you defined a proto file with path `d:/my_proto_files/helloworld.proto` +and the `helloworld.proto` contains a line of `import "google/protobuf/any.proto";` +because the `any` type of official protobuf library is used. And the real path of +`any.proto` is `d:/protobuf-3.4.1/include/google/protobuf/any.proto`. You should +add the `d:/protobuf-3.4.1/include/` and `d:/my_proto_files` paths into protobuf +search paths. + +The configuration for the protobuf search paths is a user table, as described +in <<ChUserTable>>, with the following fields: + +Protobuf source directory:: +This specifies a directory containing protobuf source files. For example, +`d:/protobuf-3.4.1/include/` and `d:/my_proto_files` in Windows, or +`/usr/include/` and `/home/alice/my_proto_files` in Linux/UNIX. + +Load all files:: +If this option is enabled, Wireshark will load all *.proto files in this directory +and its subdirectories when Wireshark startup or protobuf search paths preferences +changed. Note that the source directories that configured to protobuf official or third +libraries path (like `d:/protobuf-3.4.1/include/`) should not be set to load all +files, that may cause unnecessary memory use. + +[#ChProtobufUDPMessageTypes] + +=== Protobuf UDP Message Types + +If the payload of UDP on certain ports is Protobuf encoding, Wireshark use this table +to know which Protobuf message type should be used to parsing the data on the specified +UDP port(s). + +The configuration for UDP Port(s) to Protobuf message type maps is a user table, as +described in <<ChUserTable>>, with the following fields: + +UDP Ports:: +The range of UDP ports. The format may be "8000" or "8000,8008-8088,9080". + +Message Type:: +The Protobuf message type as which the data on the specified udp port(s) should be parsed. +The message type is allowed to be empty, that means let Protobuf to dissect the data on +specified UDP ports as normal wire type without precise definitions. + +Tips: You can create your own dissector to call Protobuf dissector. If your dissector is +written in C language, you can pass the message type to Protobuf dissector by `data` +parameter of call_dissector_with_data() function. If your dissector is written in Lua, you +can pass the message type to Protobuf dissector by `pinfo.private["pb_msg_type"]`. The format +of `data` and `pinfo.private["pb_msg_type"]` is + +---- + "message," message_type_name +---- + +For example: + +---- + message,helloworld.HelloRequest +---- + +the `helloworld` is package name, `HelloRequest` is message type. + +// End of WSUG Chapter Customizing diff --git a/docbook/wsug_src/wsug_files.adoc b/docbook/wsug_src/wsug_files.adoc new file mode 100644 index 0000000..3c4364b --- /dev/null +++ b/docbook/wsug_src/wsug_files.adoc @@ -0,0 +1,647 @@ +// WSUG Appendix Files + +[#AppFiles] + +[appendix] +== Files and Folders + +[#ChAppFilesCaptureFilesSection] + +=== Capture Files + +To understand which information will remain available after the captured packets +are saved to a capture file, it’s helpful to know a bit about the capture file +contents. + +Wireshark uses the +link:https://github.com/pcapng/pcapng[pcapng] file +format as the default format to save captured packets. It is very flexible +but other tools may not support it. + +Wireshark also supports the +link:https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat[libpcap] file +format. This is a much simpler format and is well established. However, it has +some drawbacks: it’s not extensible and lacks some information that would be +really helpful (e.g., being able to add a comment to a packet such as “the +problems start here” would be really nice). + +In addition to the libpcap format, Wireshark supports several different capture +file formats. However, the problems described above also applies for these +formats. + +[#ChIOFileContentSection] + +==== Libpcap File Contents + +At the start of each libpcap capture file some basic information is stored like +a magic number to identify the libpcap file format. The most interesting +information of this file start is the link layer type (Ethernet, 802.11, +MPLS, etc.). + +The following data is saved for each packet: + +* The timestamp with millisecond resolution + +* The packet length as it was “on the wire” + +* The packet length as it’s saved in the file + +* The packet’s raw bytes + +A detailed description of the libpcap file format can be found at +https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat + +[#ChIOFileNotContentSection] + +==== Not Saved in the Capture File + +You should also know the things that are _not saved_ in capture files: + +* Current selections (selected packet, ...) + +* Name resolution information. See <<ChAdvNameResolutionSection>> for details ++ +-- +Pcapng files can optionally save name resolution information. Libpcap files +can’t. Other file formats have varying levels of support. +-- + +* The number of packets dropped while capturing + +* Packet marks set with “Edit/Mark Packet” + +* Time references set with “Edit/Time Reference” + +* The current display filter + +[#ChConfigurationPluginFolders] + +=== Configuration File and Plugin Folders + +To match the different policies for Unix-like systems and Windows, and +different policies used on different Unix-like systems, the folders +containing configuration files and plugins are different on different +platforms. We indicate the location of the top-level folders under +which configuration files and plugins are stored here, giving them +placeholder names independent of their actual location, and use those +names later when giving the location of the folders for configuration +files and plugins. + +[TIP] +==== +A list of the folders Wireshark actually uses can be found under the _Folders_ +tab in the dialog box shown when you select _About Wireshark_ from the _Help_ +menu. +==== + +==== Folders on Windows + +_%APPDATA%_ is the personal application data folder, e.g.: +_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_ (details can be +found at: <<ChWindowsProfiles>>). + +_WIRESHARK_ is the Wireshark program folder, e.g.: _C:\Program +Files\Wireshark_. + +==== Folders on Unix-like systems + +_$XDG_CONFIG_HOME_ is the folder for user-specific configuration files. +It’s usually _$HOME/.config_, where _$HOME_ is the user’s home folder, which +is usually something such as _/home/**username**_, or +_/Users/**username**_ on macOS. + +If you are using macOS and you are running a copy of Wireshark +installed as an application bundle, _APPDIR_ is the top-level directory +of the Wireshark application bundle, which will typically be +_/Applications/Wireshark.app_. Otherwise, _INSTALLDIR_ is the top-level +directory under which reside the subdirectories in which components of +Wireshark are installed. This will typically be `/usr` if Wireshark is +bundled with the system (for example, provided as a package with a Linux +distribution) and _/usr/local_ if, for example, you’ve built Wireshark +from source and installed it. + +[#ChAppFilesConfigurationSection] + +=== Configuration Files + +Wireshark uses a number of configuration files while it is running. Some of these +reside in the personal configuration folder and are used to maintain information +between runs of Wireshark, while some of them are maintained in system areas. + +The content format of the configuration files is the same on all platforms. + +On Windows: + +* The personal configuration folder for Wireshark is the +_Wireshark_ sub-folder of that folder, i.e., _%APPDATA%\Wireshark_. + +* The global configuration folder for Wireshark is the Wireshark program +folder and is also used as the system configuration folder. + +On Unix-like systems: + +* The personal configuration folder is +_$XDG_CONFIG_HOME/wireshark_. For backwards compatibility with +Wireshark before 2.2, if _$XDG_CONFIG_HOME/wireshark_ does not +exist and _$HOME/.wireshark_ is present, then the latter will be used. + +* If you are using macOS and you are running a copy of Wireshark +installed as an application bundle, the global configuration folder is +_APPDIR/Contents/Resources/share/wireshark_. Otherwise, the +global configuration folder is _INSTALLDIR/share/wireshark_. + +* The _/etc_ folder is the system configuration folder. The folder +actually used on your system may vary, maybe something like: +_/usr/local/etc_. + +[#AppFilesTabFolders] +.Configuration files overview +[options="header"] +|=== +|File/Folder|Description +|_cfilters_|Capture filters. +|_colorfilters_|Coloring rules. +|__dfilter_buttons__|Display filter buttons. +|__dfilter_macros__|Display filter macros. +|_dfilters_|Display filters. +|__disabled_protos__|Disabled protocols. +|_ethers_|Ethernet name resolution. +|_hosts_|IPv4 and IPv6 name resolution. +|_ipxnets_|IPX name resolution. +|_manuf_|Ethernet name resolution. +|_preferences_|Settings from the Preferences dialog box. +|_recent_|Per-profile GUI settings. +|__recent_common__|Common GUI settings. +|_services_|Network services. +|_ss7pcs_|SS7 point code resolution. +|_subnets_|IPv4 subnet name resolution. +|_vlans_|VLAN ID name resolution. +|=== + +[discrete] +===== File contents + +cfilters:: ++ +-- +This file contains all the capture filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +"<filter name>" <filter string> +---- + +At program start, if there is a _cfilters_ file in the personal +configuration folder, it is read. If there isn’t a _cfilters_ file in +the personal configuration folder, then, if there is a _cfilters_ file +in the global configuration folder, it is read. + +When you press the Save button in the “Capture Filters” dialog box, +all the current capture filters are written to the personal capture +filters file. +-- + +colorfilters:: ++ +-- +This file contains all the color filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>] +---- + +At program start, if there is a _colorfilters_ file in the personal +configuration folder, it is read. If there isn’t a _colorfilters_ file +in the personal configuration folder, then, if there is a _colorfilters_ +file in the global configuration folder, it is read. + +When you press the Save button in the “Coloring Rules” dialog box, +all the current color filters are written to the personal color filters +file. +-- + +dfilter_buttons:: ++ +-- +This file contains all the display filter buttons that you have defined and +saved. It consists of one or more lines, where each line has the following +format: + +---- +"TRUE/FALSE","<button label>","<filter string>","<comment string>" +---- + +where the first field is TRUE if the button is enabled (shown). + +At program start, if there is a __dfilter_buttons__ file in the personal +configuration folder, it is read. If there isn’t a __dfilter_buttons__ file +in the personal configuration folder, then, if there is a __dfilter_buttons__ +file in the global configuration folder, it is read. + +When you save any changes to the filter buttons, all the current display +filter buttons are written to the personal display filter buttons file. +-- + +dfilter_macros:: ++ +-- +This file contains all the display filter macros that you have defined and saved. +It consists of one or more lines, where each line has the following format: + +---- +"<macro name>" <filter string> +---- + +At program start, if there is a __dfilter_macros__ file in the personal +configuration folder, it is read. If there isn’t a __dfilter_macros__ file +in the personal configuration folder, then, if there is a __dfilter_macros__ +file in the global configuration folder, it is read. + +When you press the Save button in the "Display Filter Macros" dialog box, +all the current display filter macros are written to the personal display +filter macros file. + +More information about Display Filter Macros is available in +<<ChDisplayFilterMacrosSection>> +-- + +dfilters:: ++ +-- +This file contains all the display filters that you have defined and saved. It +consists of one or more lines, where each line has the following format: + +---- +"<filter name>" <filter string> +---- + +At program start, if there is a _dfilters_ file in the personal +configuration folder, it is read. If there isn’t a _dfilters_ file in +the personal configuration folder, then, if there is a _dfilters_ file +in the global configuration folder, it is read. + +When you press the Save button in the “Display Filters” dialog box, +all the current display filters are written to the personal display +filters file. +-- + +disabled_protos:: ++ +-- +Each line in this file specifies a disabled protocol name. The following are +some examples: + +---- +tcp +udp +---- + +At program start, if there is a __disabled_protos__ file in the global +configuration folder, it is read first. Then, if there is a +__disabled_protos__ file in the personal configuration folder, that is +read; if there is an entry for a protocol set in both files, the setting +in the personal disabled protocols file overrides the setting in the +global disabled protocols file. + +When you press the Save button in the “Enabled Protocols” dialog box, +the current set of disabled protocols is written to the personal +disabled protocols file. +-- + +ethers:: ++ +-- +When Wireshark is trying to translate a hardware MAC address to +a name, it consults the _ethers_ file in the personal configuration +folder first. If the address is not found in that file, Wireshark +consults the _ethers_ file in the system configuration folder. + +This file has the same format as the _/etc/ethers_ file on some Unix-like systems. +Each line in these files consists of one hardware address and name separated by +whitespace. The digits of hardware addresses are separated by colons (:), dashes +(-) or periods(.). The following are some examples: + +---- +ff-ff-ff-ff-ff-ff Broadcast +c0-00-ff-ff-ff-ff TR_broadcast +00.2b.08.93.4b.a1 Freds_machine +---- + +The settings from this file are read in when a MAC address is to be +translated to a name, and never written by Wireshark. +-- + +hosts:: ++ +-- +Wireshark uses the entries in the _hosts_ files to translate IPv4 and +IPv6 addresses into names. + +At program start, if there is a _hosts_ file in the global configuration +folder, it is read first. Then, if there is a _hosts_ file in the +personal configuration folder, that is read; if there is an entry for a +given IP address in both files, the setting in the personal hosts file +overrides the entry in the global hosts file. + +This file has the same format as the usual _/etc/hosts_ file on Unix systems. + +An example is: + +---- +# Comments must be prepended by the # sign! +192.168.0.1 homeserver +---- + +The settings from this file are read in at program start and never written by +Wireshark. +-- + +ipxnets:: ++ +-- +When Wireshark is trying to translate an IPX network number to +a name, it consults the _ipxnets_ file in the personal configuration +folder first. If the address is not found in that file, Wireshark +consults the _ipxnets_ file in the system configuration folder. + + +An example is: +---- +C0.A8.2C.00 HR +c0-a8-1c-00 CEO +00:00:BE:EF IT_Server1 +110f FileServer3 +---- + +The settings from this file are read in when an IPX network number is to +be translated to a name, and never written by Wireshark. +-- + +manuf:: ++ +-- +At program start, if there is a _manuf_ file in the global configuration folder, it is read. + +The entries in this file are used to translate MAC address prefixes into short and long manufacturer names. +Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name. +Prefixes 24 bits long by default and may be followed by an optional length. +Note that this is not the same format as the _ethers_ file. + +Examples are: + +---- +00:00:01 Xerox Xerox Corporation +00:50:C2:00:30:00/36 Microsof Microsoft +---- + +The settings from this file are read in at program start and never written by Wireshark. +-- + +preferences:: ++ +-- +This file contains your Wireshark preferences, including defaults for capturing +and displaying packets. It is a simple text file containing statements of the +form: + +---- +variable: value +---- + +At program start, if there is a _preferences_ file in the global +configuration folder, it is read first. Then, if there is a +_preferences_ file in the personal configuration folder, that is read; +if there is a preference set in both files, the setting in the personal +preferences file overrides the setting in the global preference file. + +If you press the Save button in the “Preferences” dialog box, all the +current settings are written to the personal preferences file. +-- + +recent:: ++ +-- +This file contains GUI settings that are specific to the current profile, such as column widths and toolbar visibility. +It is a simple text file containing statements of the form: + +---- +variable: value +---- + +It is read at program start and written when preferences are saved and at program exit. +It is also written and read whenever you switch to a different profile. +-- + +recent_common:: ++ +-- +This file contains common GUI settings, such as recently opened capture files, recently used filters, and window geometries. +It is a simple text file containing statements of the form: + +---- +variable: value +---- + +It is read at program start and written when preferences are saved and at program exit. +-- + +services:: ++ +-- +Wireshark uses the _services_ files to translate port numbers into names. + +At program start, if there is a _services_ file in the global +configuration folder, it is read first. Then, if there is a _services_ +file in the personal configuration folder, that is read; if there is an +entry for a given port number in both files, the setting in the personal +hosts file overrides the entry in the global hosts file. + +An example is: + +---- +mydns 5045/udp # My own Domain Name Server +mydns 5045/tcp # My own Domain Name Server +---- + +The settings from these files are read in at program start and never +written by Wireshark. +-- + +ss7pcs:: ++ +-- +Wireshark uses the _ss7pcs_ file to translate SS7 point codes to node names. + +At program start, if there is a _ss7pcs_ file in the personal +configuration folder, it is read. + +Each line in this file consists of one network indicator followed by a dash followed by a point code in decimal and a node name separated by whitespace or tab. + +An example is: +---- +2-1234 MyPointCode1 +---- + +The settings from this file are read in at program start and never written by +Wireshark. +-- + +subnets:: ++ +-- +Wireshark uses the __subnets__ files to translate an IPv4 address into a +subnet name. If no exact match from a __hosts__ file or from DNS is +found, Wireshark will attempt a partial match for the subnet of the +address. + +At program start, if there is a _subnets_ file in the personal +configuration folder, it is read first. Then, if there is a _subnets_ +file in the global configuration folder, that is read; if there is a +preference set in both files, the setting in the global preferences file +overrides the setting in the personal preference file. + +Each line in one of these files consists of an IPv4 address, a subnet +mask length separated only by a “/” and a name separated by whitespace. +While the address must be a full IPv4 address, any values beyond the +mask length are subsequently ignored. + +An example is: +---- +# Comments must be prepended by the # sign! +192.168.0.0/24 ws_test_network +---- + +A partially matched name will be printed as “subnet-name.remaining-address”. +For example, “192.168.0.1” under the subnet above would be printed as +“ws_test_network.1”; if the mask length above had been 16 rather than 24, the +printed address would be “ws_test_network.0.1”. + +The settings from these files are read in at program start and never +written by Wireshark. +-- + +vlans:: ++ +-- +Wireshark uses the _vlans_ file to translate VLAN tag IDs into names. + +If there is a _vlans_ file in the currently active profile folder, it is used. Otherwise, the _vlans_ file in the personal configuration folder is used. + +Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab. + +An example is: +---- +123 Server-LAN +2049 HR-Client-LAN +---- + +The settings from this file are read in at program start or when changing +the active profile and are never written by Wireshark. +-- + +[#ChPluginFolders] + +=== Plugin folders + +Wireshark supports plugins for various purposes. Plugins can either be +scripts written in Lua or code written in C or {cpp} and compiled to +machine code. + +Wireshark looks for plugins in both a personal plugin folder and a +global plugin folder. Lua plugins are stored in the plugin folders; +compiled plugins are stored in subfolders of the plugin folders, with +the subfolder name being the Wireshark minor version number (X.Y). There is +another hierarchical level for each Wireshark plugin type (libwireshark, +libwiretap and codecs). So for example the location for a libwireshark plugin +_foo.so_ (_foo.dll_ on Windows) would be _PLUGINDIR/X.Y/epan_ +(libwireshark used to be called libepan; the other folder names are _codecs_ +and _wiretap_). + +On Windows: + +* The personal plugin folder is _%APPDATA%\Wireshark\plugins_. + +* The global plugin folder is _WIRESHARK\plugins_. + +On Unix-like systems: + +* The personal plugin folder is _~/.local/lib/wireshark/plugins_. + +[NOTE] +==== +To provide better support for binary plugins this folder changed in Wireshark 2.5. +It is recommended to use the new folder but *for lua scripts only* you may +continue to use _$XDG_CONFIG_HOME/wireshark/plugins_ for backward-compatibility. +This is useful to have older versions of Wireshark installed side-by-side. In case +of duplicate file names between old and new the new folder wins. +==== + +* If you are running on macOS and Wireshark is installed as an +application bundle, the global plugin folder is +_%APPDIR%/Contents/PlugIns/wireshark_, otherwise it’s +_INSTALLDIR/lib/wireshark/plugins_. + +[#ChWindowsFolder] + +=== Windows folders + +Here you will find some details about the folders used in Wireshark on different +Windows versions. + +As already mentioned, you can find the currently used folders in the “About +Wireshark” dialog. + +[#ChWindowsProfiles] + +==== Windows profiles + +Windows uses some special directories to store user configuration files which +define the “user profile”. This can be confusing, as the default directory +location changed from Windows version to version and might also be different for +English and internationalized versions of Windows. + +[NOTE] +==== +If you’ve upgraded to a new Windows version, your profile might be kept in the +former location. The defaults mentioned here might not apply. +==== + +The following guides you to the right place where to look for Wireshark’s +profile data. + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions:: +_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_. + +Windows XP and Windows Server 2003 footnote:historical[No longer supported by Wireshark. For historical reference only.]:: +_C:\Documents and Settings{backslash}**username**\Application Data_. “Documents and +Settings” and “Application Data” might be internationalized. + +[#ChWindowsRoamingProfiles] + +==== Windows roaming profiles + +Some larger Windows environments use roaming profiles. If this is the case the +configurations of all programs you use won’t be saved on your local hard drive. +They will be stored on the domain server instead. + +Your settings will travel with you from computer to computer with one exception. +The “Local Settings” folder in your profile data (typically something like: +_C:\Documents and Settings{backslash}**username**\Local Settings_) will not be +transferred to the domain server. This is the default for temporary capture +files. + +[#ChWindowsTempFolder] + +==== Windows temporary folder + +Wireshark uses the folder which is set by the TMPDIR or TEMP environment +variable. This variable will be set by the Windows installer. + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions:: +_C:\Users{backslash}**username**\AppData\Local\Temp_ + +Windows XP and Windows Server 2003 footnote:historical[]:: +_C:\Documents and Settings{backslash}**username**\Local Settings\Temp_ + +// End of WSUG Appendix Files diff --git a/docbook/wsug_src/wsug_howitworks.adoc b/docbook/wsug_src/wsug_howitworks.adoc new file mode 100644 index 0000000..13cb817 --- /dev/null +++ b/docbook/wsug_src/wsug_howitworks.adoc @@ -0,0 +1,75 @@ +// WSUG Appendix How it Works + +[#AppHowItWorks] + +[appendix] +== How Wireshark Works + +When using such a complex program like Wireshark, it’s sometimes useful to +understand the mechanisms and concepts behind the surface. This is an approach +to shed some light on the inner workings of Wireshark. + +=== Program start + +When Wireshark starts, a lot of things are done: + +* Initialize the dissectors (register the protocol tree), including plugins + +* Load and set values from the preferences file + +* Load the capture filters from the cfilters file + +* Load the display filters from the dfilters file + +* Load and set the disabled protocols from the disabled_protos file + +* Init libpcap/Npcap (the capturing engine) + +* Process command line parameters + +* Load and set the recently used GUI settings from the recent file + +* Init and show the main screen + +* If specified by command line, load a capture file or start capturing + +=== Protocol dissectors + +Each protocol has its own protocol dissector. When processing network data, +Wireshark calls the dissector that seems relevant to the packet data. The +dissector will then process the packet data and send any unprocessed data +back to Wireshark for further dissection. + +So Wireshark will dissect a packet from the lowest to the highest protocol +layers. + +But how does Wireshark know which dissector to use? + +When Wireshark starts each dissector registers itself in one of two ways: + +* _Static_. If the dissector knows a specific value of a lower layer, it can + directly register itself there (e.g., the HTTP dissector “knows”, that + typically the well-known TCP port 80 is used to transport HTTP data). + +* _Heuristic_. If no such well-known way exists, the dissector + can register itself for the heuristic mechanism. If a lower-layer dissector + has to handle some packet data where no well-known way exists, it can + handover the packet to Wireshark’s heuristic mechanism. This will ask all + registered upper layer dissectors, if they “like” that data. These + dissectors typically look at the first few bytes of the packet, to see if they + contain some characteristic data of that protocol and then + decide whether or not to dissect that packet. + +Let’s look at an example. We’ll assume, Wireshark loads a TCP/IP/Ethernet +packet. Wireshark will call the Ethernet dissector, which will dissect the +Ethernet related data (usually the first 6 + 6 + 2 bytes). The Ethernet +dissector then passes the rest of the data back to Wireshark. +Wireshark in turn will call the next related dissector, in our case the IP +dissector (because of the value 0x800 in the Ethernet type field). This +will continue until no more data has to be dissected, or the data is +unknown to Wireshark. + +You can control the way Wireshark calls its dissectors, see +<<ChAdvProtocolDissectionSection>> for details. + +// End of WSUG Appendix How it Works diff --git a/docbook/wsug_src/wsug_introduction.adoc b/docbook/wsug_src/wsug_introduction.adoc new file mode 100644 index 0000000..78f32f5 --- /dev/null +++ b/docbook/wsug_src/wsug_introduction.adoc @@ -0,0 +1,521 @@ +// WSUG Chapter Introduction + +[#ChapterIntroduction] + +== Introduction + +[#ChIntroWhatIs] + +=== What is Wireshark? + +Wireshark is a network packet analyzer. A network packet analyzer +presents captured packet data in as much detail as possible. + +You could think of a network packet analyzer as a measuring device for +examining what’s happening inside a network cable, just like an electrician uses +a voltmeter for examining what’s happening inside an electric cable (but at a +higher level, of course). + +In the past, such tools were either very expensive, proprietary, or both. +However, with the advent of Wireshark, that has changed. Wireshark is +available for free, is open source, and is one of the best packet +analyzers available today. + +[#ChIntroPurposes] + +==== Some intended purposes + +Here are some reasons people use Wireshark: + +* Network administrators use it to _troubleshoot network problems_ + +* Network security engineers use it to _examine security problems_ + +* QA engineers use it to _verify network applications_ + +* Developers use it to _debug protocol implementations_ + +* People use it to _learn network protocol_ internals + +Wireshark can also be helpful in many other situations. + +[#ChIntroFeatures] + +==== Features + +The following are some of the many features Wireshark provides: + +* Available for _UNIX_ and _Windows_. + +* _Capture_ live packet data from a network interface. + +* _Open_ files containing packet data captured with tcpdump/WinDump, +Wireshark, and many other packet capture programs. + +* _Import_ packets from text files containing hex dumps of packet data. + +* Display packets with _very detailed protocol information_. + +* _Save_ packet data captured. + +* _Export_ some or all packets in a number of capture file formats. + +* _Filter packets_ on many criteria. + +* _Search_ for packets on many criteria. + +* _Colorize_ packet display based on filters. + +* Create various _statistics_. + +* ...and _a lot more!_ + +However, to really appreciate its power you have to start using it. + +<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you +to examine them. + +[#ChIntroFig1] +.Wireshark captures packets and lets you examine their contents. +image::images/ws-main.png[{screenshot-attrs}] + +==== Live capture from many different network media + +Wireshark can capture traffic from many different network media types, +including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media +types supported may be limited by several factors, including your hardware +and operating system. An overview of the supported media types can be found at +link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +==== Import files from many other capture programs + +Wireshark can open packet captures from a large number of capture +programs. For a list of input formats see <<ChIOInputFormatsSection>>. + +==== Export files for many other capture programs + +Wireshark can save captured packets in many formats, including those used by other +capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>. + +==== Many protocol dissectors + +There are protocol dissectors (or decoders, as they are known in other products) +for a great many protocols: see <<AppProtocols>>. + +==== Open Source Software + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL). You can freely use +Wireshark on any number of computers you like, without worrying about license +keys or fees or such. In addition, all source code is freely available under the +GPL. Because of that, it is very easy for people to add new protocols to +Wireshark, either as plugins, or built into the source, and they often do! + +[#ChIntroNoFeatures] + +==== What Wireshark is not + +Here are some things Wireshark does not provide: + +* Wireshark isn’t an intrusion detection system. It will not warn you when + someone does strange things on your network that he/she isn’t allowed to do. + However, if strange things happen, Wireshark might help you figure out what is + really going on. + +* Wireshark will not manipulate things on the network, it will only “measure” + things from it. Wireshark doesn’t send packets on the network or do other + active things (except domain name resolution, but that can be disabled). + +[#ChIntroPlatforms] + +=== System Requirements + +The amount of resources Wireshark needs depends on your environment and on the +size of the capture file you are analyzing. The values below should be fine for +small to medium-sized capture files no more than a few hundred MB. Larger +capture files will require more memory and disk space. + +[NOTE] +.Busy networks mean large captures +==== +A busy network can produce huge capture files. Capturing on +even a 100 megabit network can produce hundreds of megabytes of +capture data in a short time. A computer with a fast processor, and lots of +memory and disk space is always a good idea. +==== + +If Wireshark runs out of memory it will crash. See +{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds. + +Although Wireshark uses a separate process to capture packets, the packet +analysis is single-threaded and won’t benefit much from multi-core systems. + +==== Microsoft Windows + +Wireshark should support any version of Windows that is still within its +https://windows.microsoft.com/en-us/windows/lifecycle[extended support +lifetime]. At the time of writing this includes Windows 11, 10, +Server 2022, +Server 2019, +and Server 2016. +It also requires the following: + +* The Universal C Runtime. This is included with Windows 10 and Windows + Server 2019 and is installed automatically on earlier versions if + Microsoft Windows Update is enabled. Otherwise you must install + https://support.microsoft.com/kb/2999226[KB2999226] or + https://support.microsoft.com/kb/3118401[KB3118401]. + +* Any modern 64-bit Intel or Arm processor. + +* 500 MB available RAM. Larger capture files require more RAM. + +* 500 MB available disk space. Capture files require additional disk space. + +* Any modern display. 1280 {multiplication} 1024 or higher resolution is + recommended. Wireshark will make use of HiDPI or Retina resolutions if + available. Power users will find multiple monitors useful. + +* A supported network card for capturing + + - Ethernet. Any card supported by Windows should work. See the wiki pages on + link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and + link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that + may affect your environment. + + - 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark + wiki page]. Capturing raw 802.11 information may be difficult without + special equipment. + + - Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +Older versions of Windows which are outside Microsoft’s extended lifecycle +support window are no longer supported. It is often difficult or impossible to +support these systems due to circumstances beyond our control, such as third +party libraries on which we depend or due to necessary features that are only +present in newer versions of Windows such as hardened security or memory +management. + +* Wireshark 4.0 was the last release branch to officially support Windows 8.1 and Windows Server 2012. +* Wireshark 3.6 was the last release branch to officially support 32-bit Windows. +* Wireshark 3.2 was the last release branch to officially support Windows 7 and Windows Server 2008 R2. +* Wireshark 2.2 was the last release branch to support Windows Vista and Windows Server 2008 sans R2 +* Wireshark 1.12 was the last release branch to support Windows Server 2003. +* Wireshark 1.10 was the last release branch to officially support Windows XP. + +See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark +release lifecycle] page for more details. + +==== macOS + +Wireshark supports macOS 10.14 and later. +Similar to Windows, supported macOS versions depend on third party libraries and on Apple’s requirements. +Apple Silicon hardware is supported natively starting with version 4.0 + +// Wireshark 4.0 ships with Qt 6.2.4, which requires macOS 10.14 and later +// Wireshark 3.6 ships with Qt 5.15, which requires macOS 10.13 and later. +// Wireshark 3.4, 3.2 and 3.0 ship with Qt 5.12, which requires macOS 10.12 and later. +// Wireshark 2.6 ships with Qt 5.3, which was the last release to support 10.6: https://wiki.qt.io/New_Features_in_Qt_5.3 +// "Mac OS 10.6 support is deprecated and scheduled for removal in Qt 5.4" + +* Wireshark 3.6 was the last release branch to support macOS 10.13. +* Wireshark 3.4 was the last release branch to support macOS 10.12. +* Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and OS X 10.8 to 10.11. +* Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel. +* Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC. + +The system requirements should be comparable to the specifications listed above for Windows. + +==== UNIX, Linux, and BSD + +Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants. +The system requirements should be comparable to the specifications listed above for Windows. + +Binary packages are available for most Unices and Linux distributions +including the following platforms: + +* Alpine Linux + +* Arch Linux + +* Canonical Ubuntu + +* Debian GNU/Linux + +* FreeBSD + +* Gentoo Linux + +* HP-UX + +* NetBSD + +* OpenPKG + +* Oracle Solaris + +* Red Hat Enterprise Linux / CentOS / Fedora + +If a binary package is not available for your platform you can download +the source and try to build it. Please report your experiences to +mailto:{wireshark-dev-list-email}[]. + +[#ChIntroDownload] + +=== Where To Get Wireshark + +You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}. +The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. +Official Windows and macOS installers are signed using trusted certificates on those platforms. +macOS installers are additionally notarized. + +A new Wireshark version typically becomes available every six weeks. + +If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list. +You will find more details in <<ChIntroMailingLists>>. + +Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt. +Announcement messages are archived at https://www.wireshark.org/lists/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/. +Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. +As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems. + +[#ChIntroHistory] + +=== A Brief History Of Wireshark + +In late 1997 Gerald Combs needed a tool for tracking down network problems +and wanted to learn more about networking so he started writing Ethereal (the +original name of the Wireshark project) as a way to solve both problems. + +Ethereal was initially released after several pauses in development in July +1998 as version 0.2.0. Within days patches, bug reports, and words of +encouragement started arriving and Ethereal was on its way to success. + +Not long after that Gilbert Ramirez saw its potential and contributed a +low-level dissector to it. + +In October, 1998 Guy Harris was looking for something better than tcpview so he +started applying patches and contributing dissectors to Ethereal. + +In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential +on such courses and started looking at it to see if it supported the protocols +he needed. While it didn’t at that point new protocols could be easily added. +So he started contributing dissectors and contributing patches. + +The list of people who have contributed to the project has become very long +since then, and almost all of them started with a protocol that they needed that +Wireshark did not already handle. So they copied an existing dissector and +contributed the code back to the team. + +In 2006 the project moved house and re-emerged under a new name: Wireshark. + +In 2008, after ten years of development, Wireshark finally arrived at version +1.0. This release was the first deemed complete, with the minimum features +implemented. Its release coincided with the first Wireshark Developer and User +Conference, called Sharkfest. + +In 2015 Wireshark 2.0 was released, which featured a new user interface. + +In 2023 Wireshark moved to the link:{wireshark-foundation-url}[Wireshark Foundation], a nonprofit corporation that operates under section 501(c)(3) of the U.S. tax code. +The foundation provides the project's infrastructure, hosts link:{sharkfest-url}[SharkFest], our developer and user conference, and promotes low level network education. + +[#ChIntroMaintenance] + +=== Development And Maintenance Of Wireshark + +Wireshark was initially developed by Gerald Combs. Ongoing development and +maintenance of Wireshark is handled by the Wireshark team, a loose group of +individuals who fix bugs and provide new functionality. + +There have also been a large number of people who have contributed +protocol dissectors to Wireshark, and it is expected that this will +continue. You can find a list of the people who have contributed code to +Wireshark by checking the about dialog box of Wireshark, or at the +link:{wireshark-authors-url}[authors] page on the Wireshark web site. + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is +freely available under the GPL. You are welcome to modify Wireshark to suit your +own needs, and it would be appreciated if you contribute your improvements back +to the Wireshark team. + +You gain three benefits by contributing your improvements back to the community: + +. Other people who find your contributions useful will appreciate them, and you + will know that you have helped people in the same way that the developers of + Wireshark have helped you. + +. The developers of Wireshark can further improve your changes or implement + additional features on top of your code, which may also benefit you. + +. The maintainers and developers of Wireshark will maintain your code, + fixing it when API changes or other changes are made, and generally keeping it + in tune with what is happening with Wireshark. So when Wireshark is updated + (which is often), you can get a new Wireshark version from the website + and your changes will already be included without any additional effort from you. + +The Wireshark source code and binary kits for some platforms are all +available on the download page of the Wireshark website: +{wireshark-download-url}. + +[#ChIntroHelp] + +=== Reporting Problems And Getting Help + +If you have problems or need help with Wireshark there are several places that +may be of interest (besides this guide, of course). + +[#ChIntroHomepage] + +==== Website + +You will find lots of useful information on the Wireshark homepage at +{wireshark-main-url}. + +[#ChIntroWiki] + +==== Wiki + +The Wireshark Wiki at {wireshark-wiki-url} provides a +wide range of information related to Wireshark and packet capture in general. +You will find a lot of information not part of this user’s guide. For example, +it contains an explanation how to capture on a switched network, an ongoing effort +to build a protocol reference, protocol-specific information, and much more. + +And best of all, if you would like to contribute your knowledge on a specific +topic (maybe a network protocol you know well), you can edit the wiki pages +with your web browser. + +[#ChIntroQA] + +==== Q&A Site + +The Wireshark Q&A site at {wireshark-qa-url} offers a resource where +questions and answers come together. You can search for +questions asked before and see what answers were given by people who +knew about the issue. Answers are ranked, so you can easily pick out the best +ones. If your question hasn’t been discussed before you can post +one yourself. + +[#ChIntroFAQ] + +==== FAQ + +The Frequently Asked Questions lists often asked questions and their +corresponding answers. + +[NOTE] +.Read the FAQ +==== +Before sending any mail to the mailing lists below, be sure to read the FAQ. It +will often answer any questions you might have. This will save yourself and +others a lot of time. Keep in mind that a lot of people are subscribed to the +mailing lists. +==== + +You will find the FAQ inside Wireshark by clicking the menu item Help/Contents +and selecting the FAQ page in the dialog shown. + +An online version is available at the Wireshark website at +{wireshark-faq-url}. You might prefer this online version, as it’s +typically more up to date and the HTML format is easier to use. + +[#ChIntroMailingLists] + +==== Mailing Lists + +There are several mailing lists of specific Wireshark topics available: + +link:{wireshark-mailing-lists-url}wireshark-announce[wireshark-announce]:: + Information about new program releases, which usually appear about every six weeks. + +link:{wireshark-mailing-lists-url}wireshark-users[wireshark-users]:: + Topics of interest to users of Wireshark. + People typically post questions about using Wireshark and others (hopefully) provide answers. + +link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev]:: + Topics of interest to developers of Wireshark. + If you want to develop a protocol dissector or update the user interface, join this list. + +You can subscribe to each of these lists from the Wireshark web site: +{wireshark-mailing-lists-url}. From there, you can choose which mailing +list you want to subscribe to by clicking on the +Subscribe/Unsubscribe/Options button under the title of the relevant +list. The links to the archives are included on that page as well. + +[TIP] +.The lists are archived +==== +You can search in the list archives to see if someone asked the same question +some time before and maybe already got an answer. That way you don’t have to +wait until someone answers your question. +==== + +==== Reporting Problems + +[NOTE] +==== +Before reporting any problems, please make sure you have installed the latest +version of Wireshark. +==== + + +When reporting problems with Wireshark please supply the following information: + +. The version number of Wireshark and the dependent libraries linked with it, + such as Qt or GLib. You can obtain this from Wireshark’s about box or the + command _wireshark -v_. + +. Information about the platform you run Wireshark on +(Windows, Linux, etc. and 32-bit, 64-bit, etc.). + +. A detailed description of your problem. + +. If you get an error/warning message, copy the text of that message (and also a + few lines before and after it, if there are some) so others may find the + place where things go wrong. Please don’t give something like: “I get a + warning while doing x” as this won’t give a good idea where to look. + +[WARNING] +.Don’t send confidential information! +==== +If you send capture files to the mailing lists be sure they don’t contain any +sensitive or confidential information like passwords or personally identifiable +information (PII). + +In many cases you can use a tool like link:https://www.tracewrangler.com/[TraceWrangler] to sanitize a capture file before sharing it. +==== + +[NOTE] +.Don’t send large files +==== +Do not send large files (> 1 MB) to the mailing lists. Instead, provide a +download link. For bugs and feature requests, you can create an issue on +link:{wireshark-bugs-url}[GitLab Issues] and upload the file there. +==== + +==== Reporting Crashes on UNIX/Linux platforms + +When reporting crashes with Wireshark it is helpful if you supply the traceback +information along with the information mentioned in “Reporting Problems”. + +You can obtain this traceback information with the following commands on UNIX or +Linux (note the backticks): + +---- +$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt +backtrace +^D +---- + +If you do not have _gdb_ available, you will have to check out your operating system’s debugger. + +Email _backtrace.txt_ to mailto:{wireshark-dev-list-email}[]. + +==== Reporting Crashes on Windows platforms + +The Windows distributions don’t contain the symbol files (.pdb) because they are +very large. You can download them separately at +{wireshark-main-url}download/win64/all-versions/ . + +// End of WSUG Chapter 1 diff --git a/docbook/wsug_src/wsug_io.adoc b/docbook/wsug_src/wsug_io.adoc new file mode 100644 index 0000000..ed3a488 --- /dev/null +++ b/docbook/wsug_src/wsug_io.adoc @@ -0,0 +1,1254 @@ +// WSUG Chapter IO + +[#ChapterIO] + +== File Input, Output, And Printing + +[#ChIOIntroductionSection] + +=== Introduction + +This chapter will describe input and output of capture data. + +* Open capture files in various capture file formats + +* Save and export capture files in various formats + +* Merge capture files together + +* Import text files containing hex dumps of packets + +* Print packets + +[#ChIOOpenSection] + +=== Open Capture Files + +Wireshark can read in previously saved capture files. To read them, simply +select the menu:File[Open] menu or toolbar item. Wireshark will then pop up +the “File Open” dialog box, which is discussed in more detail in <<ChIOOpen>>. + +[TIP] +.You can use drag and drop to open files +==== +On most systems you can open a file by simply dragging it in your file manager and dropping it onto Wireshark’s main window. +==== + +If you haven’t previously saved the current capture file you will be asked to +do so to prevent data loss. This warning can be disabled in the preferences. + +In addition to its native file format (pcapng), Wireshark can read and write +capture files from a large number of other packet capture programs as well. See +<<ChIOInputFormatsSection>> for the list of capture formats Wireshark +understands. + +[#ChIOOpen] + +==== The “Open Capture File” Dialog Box + +The “Open Capture File” dialog box allows you to search for a capture file +containing previously captured packets for display in Wireshark. The following +sections show some examples of the Wireshark “Open File” dialog box. The +appearance of this dialog depends on the system. However, the functionality +should be the same across systems. + +Common dialog behavior on all systems: + +* Select files and directories. + +* Click the btn:[Open] button to accept your selected file and open it. + +* Click the btn:[Cancel] button to go back to Wireshark and not load a capture file. + +* The btn:[Help] button will take you to this section of the “User’s Guide”. + +Wireshark adds the following controls: + +* View file preview information such as the size and the number of packets in a selected a capture file. + +// XXX - we need a better description of these read filters +* Specify a read filter with the “Read filter” field. + This filter will be used when opening the new file. + The text field background will turn green for a valid filter string and red for an invalid one. + Read filters can be used to exclude various types of traffic, which can be useful for large capture files. + They use the same syntax as display filters, which are discussed in detail in <<ChWorkDisplayFilterSection>>. + +* Optionally force Wireshark to read a file as a particular type using the “Automatically detect file type” drop-down. + +[#ChIOOpenFileDialogWin32] + +.“Open” on Microsoft Windows +image::images/ws-open-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file open dialog along with some Wireshark extensions. + +[#ChIOOpenFileDialog] + +.“Open” - Linux and UNIX +image::images/ws-open-qt5.png[{medium-screenshot-attrs}] + +This is the common Qt file open dialog along with some Wireshark extensions. + +// XXX Add macOS + +[#ChIOInputFormatsSection] + + +==== Input File Formats + +The native capture file formats used by Wireshark are: + +* pcap. The default format used by the _libpcap_ packet capture library. Used + by _tcpdump, _Snort_, _Nmap_, _Ntop_, and many other tools. + +* pcapng. A flexible, extensible successor to the pcap format. + Wireshark 1.8 and later save files as pcapng by default. Versions + prior to 1.8 used pcap. Used by Wireshark and by _tcpdump_ in newer + versions of macOS. + +The following file formats from other capture tools can be opened by Wireshark: + +* Oracle (previously Sun) _snoop_ and _atmsnoop_ captures + +* Finisar (previously Shomiti) _Surveyor_ captures + +* Microsoft _Network Monitor_ captures + +* Novell _LANalyzer_ captures + +* AIX _iptrace_ captures + +* Cinco Networks NetXray captures + +* NETSCOUT (previously Network Associates/Network General) Windows-based + Sniffer and Sniffer Pro captures + +* Network General/Network Associates DOS-based Sniffer captures + (compressed or uncompressed) captures + +* LiveAction (previously WildPackets/Savvius) + *Peek/EtherHelp/PacketGrabber captures + +* RADCOM’s WAN/LAN Analyzer captures + +* Viavi (previously Network Instruments) Observer captures + +* Lucent/Ascend router debug output + +* captures from HP-UX nettl + +* Toshiba’s ISDN routers dump output + +* output from _i4btrace_ from the ISDN4BSD project + +* traces from the EyeSDN USB S0 + +* the IPLog format output from the Cisco Secure Intrusion Detection System + +* pppd logs (pppdump format) + +* the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities + +* the text output from the DBS Etherwatch VMS utility + +* Visual Networks’ Visual UpTime traffic capture + +* the output from CoSine L2 debug + +* the output from InfoVista (previously Accellent) 5Views LAN agents + +* Endace Measurement Systems’ ERF format captures + +* Linux Bluez Bluetooth stack hcidump -w traces + +* Catapult (now Ixia/Keysight) DCT2000 .out files + +* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode + +* IBM Series (OS/400) Comm traces (ASCII & UNICODE) + +* Juniper Netscreen snoop captures + +* Symbian OS btsnoop captures + +* Tamosoft CommView captures + +* Tektronix K12xx 32bit .rf5 format captures + +* Tektronix K12 text file format captures + +* Apple PacketLogger captures + +* Captures from Aethra Telecommunications’ PC108 software for their test instruments + +* Citrix NetScaler Trace files + +* Android Logcat binary and text format logs + +* Colasoft Capsa and PacketBuilder captures + +* Micropross mplog files + +* Unigraf DPA-400 DisplayPort AUX channel monitor traces + +* 802.15.4 traces from Daintree's Sensor Network Analyzer + +* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1 + +* Log files from the _candump_ utility + +* Logs from the BUSMASTER tool + +* Ixia IxVeriWave raw captures + +* Rabbit Labs CAM Inspector files + +* _systemd_ journal files + +* 3GPP TS 32.423 trace files + +New file formats are added from time to time. + +It may not be possible to read some formats dependent on the packet types +captured. Ethernet captures are usually supported for most file formats but it +may not be possible to read other packet types such as PPP or IEEE 802.11 from +all file formats. + +[#ChIOSaveSection] + +=== Saving Captured Packets + +You can save captured packets by using the menu:File[Save] or menu:File[Save As...] menu items. +You can choose which packets to save and which file format to be used. + +Not all information will be saved in a capture file. For example, most file +formats don’t record the number of dropped packets. See +<<ChAppFilesCaptureFilesSection>> for details. + +[#ChIOSaveAs] + +==== The “Save Capture File As” Dialog Box + +The “Save Capture File As” dialog box allows you to save the current capture to a file. +The exact appearance of this dialog depends on your system. +However, the functionality is the same across systems. +Examples are shown below. + +[#ChIOSaveAsFileWin32] + +.“Save” on Microsoft Windows +image::images/ws-save-as-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file save dialog with some additional Wireshark extensions. + +[#ChIOSaveAsFile2] + +.“Save” on Linux and UNIX +image::images/ws-save-as-qt5.png[{medium-screenshot-attrs}] + +This is the common Qt file save dialog with additional Wireshark extensions. + +// XXX Add macOS + +You can perform the following actions: + +* Type in the name of the file in which you wish to save the captured packets. + +* Select the directory to save the file into. + +* Specify the format of the saved capture file by clicking on the “Save as” drop-down box. + You can choose from the types described in <<ChIOOutputFormatsSection>>. + Some capture formats may not be available depending on the packet types captured. + +* The btn:[Help] button will take you to this section of the “User’s Guide”. + +* “Compress with gzip” will compress the capture file as it is being written to disk. + +* Click the btn:[Save] button to accept your selected file and save it. + +* Click on the btn:[Cancel] button to go back to Wireshark without saving any packets. + +If you don’t provide a file extension to the filename (e.g., `.pcap`) Wireshark will append the standard file extension for that file format. + +[TIP] +.Wireshark can convert file formats +==== +You can convert capture files from one format to another by opening a capture and saving it as a different format. +==== + +If you wish to save some of the packets in your capture file you can do so via <<ChIOExportSpecifiedPacketsDialog>>. + +[#ChIOOutputFormatsSection] + +==== Output File Formats + +Wireshark can save the packet data in its native file format (pcapng) and in the +file formats of other protocol analyzers so other tools can read the capture +data. + +[NOTE] +.Saving in a different format might lose data +==== +Saving your file in a different format might lose information such as comments, name resolution, and time stamp resolution. +See <<ChAdvTimestamps>> for more information on time stamps. +==== + +The following file formats can be saved by Wireshark (with the known file extensions): + +* pcapng ({asterisk}.pcapng). A flexible, extensible successor to the + libpcap format. Wireshark 1.8 and later save files as pcapng by + default. Versions prior to 1.8 used libpcap. + +* pcap ({asterisk}.pcap). The default format used by the _libpcap_ + packet capture library. Used by _tcpdump, _Snort_, _Nmap_, _Ntop_, + and many other tools. + +* Accellent 5Views ({asterisk}.5vw) + +* captures from HP-UX nettl ({asterisktrc0,{asterisk}.trc1) + +* Microsoft Network Monitor - NetMon ({asterisk}.cap) + +* Network Associates Sniffer - DOS + ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,{asterisk}.fdc,{asterisk}.syc) + +* Cinco Networks NetXray captures ({asterisk}.cap) + +* Network Associates Sniffer - Windows ({asterisk}.cap) + +* Network Instruments/Viavi Observer ({asterisk}.bfr) + +* Novell LANalyzer ({asterisk}.tr1) + +* Oracle (previously Sun) snoop ({asterisk}.snoop,{asterisk}.cap) + +* Visual Networks Visual UpTime traffic ({asterisk}.{asterisk}) + +* Symbian OS btsnoop captures ({asterisk}.log) + +* Tamosoft CommView captures ({asterisk}.ncf) + +* Catapult (now Ixia/Keysight) DCT2000 .out files ({asterisk}.out) + +* Endace Measurement Systems’ ERF format capture({asterisk}.erf) + +* EyeSDN USB S0 traces ({asterisk}.trc) + +* Tektronix K12 text file format captures ({asterisk}.txt) + +* Tektronix K12xx 32bit .rf5 format captures ({asterisk}.rf5) + +* Android Logcat binary logs ({asterisk}.logcat) + +* Android Logcat text logs ({asterisk}.{asterisk}) + +* Citrix NetScaler Trace files ({asterisk}.cap) + +New file formats are added from time to time. + +Whether or not the above tools will be more helpful than Wireshark is a different question ;-) + +[NOTE] +.Third party protocol analyzers may require specific file extensions +==== +Wireshark examines a file’s contents to determine its type. Some other protocol +analyzers only look at a file's extension. For example, you might need to use +the `.cap` extension in order to open a file using the Windows version +of _Sniffer_. +==== + +[#ChIOMergeSection] + +=== Merging Capture Files + +Sometimes you need to merge several capture files into one. For example, this can +be useful if you have captured simultaneously from multiple interfaces at once +(e.g., using multiple instances of Wireshark). + +There are three ways to merge capture files using Wireshark: + +* Use the menu:File[Merge] menu to open the “Merge” dialog. + See <<ChIOMergeDialog>> for details. + This menu item will be disabled unless you have loaded a capture file. + +* Use _drag and drop_ to drop multiple files on the main window. + Wireshark will try to merge the packets in chronological order from the dropped files into a newly created temporary file. + If you drop a single file, it will simply replace the existing capture. + +* Use the `mergecap` tool from the command line to merge capture files. + This tool provides the most options to merge capture files. + See <<AppToolsmergecap>> for details. + +[#ChIOMergeDialog] + +==== The “Merge With Capture File” Dialog Box + +This lets you select a file to be merged into the currently loaded file. +If your current data has not been saved you will be asked to save it first. + +Most controls of this dialog will work the same way as described in the “Open Capture File” dialog box. +See <<ChIOOpen>> for details. + +Specific controls of this merge dialog are: + +Prepend packets:: +Prepend the packets from the selected file before the currently loaded packets. + +Merge chronologically:: +Merge both the packets from the selected and currently loaded file in chronological order. + +Append packets:: +Append the packets from the selected file after the currently loaded packets. + +[#ChIOMergeFileTab] + +.“Merge Capture File As” dialog box examples + +[#ChIOMergeFileWin32] + +.“Merge” on Microsoft Windows +image::images/ws-merge-win32.png[{medium-screenshot-attrs}] + +This is the common Windows file open dialog with additional Wireshark extensions. + +[#ChIOMergeFile2] + +.“Merge” on Linux and UNIX +image::images/ws-merge-qt5.png[{medium-screenshot-attrs}] + +This is the Qt file open dialog with additional Wireshark extensions. + +// XXX Add macOS + +[#ChIOImportSection] + +=== Import Hex Dump + +Wireshark can read in a hex dump and write the data described into a +temporary libpcap capture file. It can read hex dumps with multiple packets in +them, and build a capture file of multiple packets. It is also capable of +generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build +fully processable packet dumps from hexdumps of application-level data only. +Alternatively, a Dummy PDU header can be added to specify a dissector the data +should be passed to initially. + +Two methods for converting the input are supported: + +==== Standard ASCII Hexdumps + +Wireshark understands a hexdump of the form generated by `od -Ax -tx1 -v`. +In other words, each byte is individually displayed, with spaces separating +the bytes from each other. Hex digits can be upper or lowercase. + +In normal operation, each line must begin with an offset describing the +position in the packet, followed a colon, space, or tab separating it from +the bytes. There is no limit on the width or number of bytes per line, but +lines with only hex bytes without a leading offset are ignored (i.e., +line breaks should not be inserted in long lines that wrap.) Offsets are more +than two digits; they are in hex by default, but can also be in octal or +decimal. Each packet must begin with offset zero, and an offset +zero indicates the beginning of a new packet. Offset values must be correct; +an unexpected value causes the current packet to be aborted and the next +packet start awaited. There is also a single packet mode with no offsets. + +Packets may be preceded by a direction indicator ('I' or 'O') and/or a +timestamp if indicated. If both are present, the direction indicator precedes +the timestamp. The format of the timestamps must be specified. If no timestamp +is parsed, in the case of the first packet the current system time is used, +while subsequent packets are written with timestamps one microsecond later than +that of the previous packet. + +Other text in the input data is ignored. Any text before the offset is +ignored, including email forwarding characters '>'. Any text on a line +after the bytes is ignored, e.g., an ASCII character dump (but see *-a* to +ensure that hex digits in the character dump are ignored). Any line where +the first non-whitespace character is a '#' will be ignored as a comment. +Any lines of text between the bytestring lines are considered preamble; +the beginning of the preamble is scanned for the direction indicator and +timestamp as mentioned above and otherwise ignored. + +Any line beginning with #TEXT2PCAP is a directive and options +can be inserted after this command to be processed by Wireshark. +Currently there are no directives implemented; in the future, these may +be used to give more fine-grained control on the dump and the way it +should be processed e.g., timestamps, encapsulation type etc. + +In general, short of these restrictions, Wireshark is pretty liberal +about reading in hexdumps and has been tested with a variety of +mangled outputs (including being forwarded through email multiple +times, with limited line wrap etc.) + +Here is a sample dump that can be imported, including optional +directional indicator and timestamp: + +---- +I 2019-05-14T19:04:57Z +000000 00 e0 1e a7 05 6f 00 10 ........ +000008 5a a0 b9 12 08 00 46 00 ........ +000010 03 68 00 00 00 00 0a 2e ........ +000018 ee 33 0f 19 08 7f 0f 19 ........ +000020 03 80 94 04 00 00 10 01 ........ +000028 16 a2 0a 00 03 50 00 0c ........ +000030 01 01 0f 19 03 80 11 01 ........ +---- + +==== Regular Text Dumps + +Wireshark is also capable of scanning the input using a custom Perl regular +expression as specified by GLib's https://developer-old.gnome.org/glib/stable/glib-regex-syntax.html[GRegex here]. +Using a regex capturing a single packet in the given file +Wireshark will search the given file from start to the second to last character +(the last character has to be `\n` and is ignored) +for non-overlapping (and non-empty) strings matching the given regex and then +identify the fields to import using named capturing subgroups. Using provided +format information for each field they are then decoded and translated into a +standard libpcap file retaining packet order. + +Note that each named capturing subgroup has to match _exactly_ once a packet, +but they may be present multiple times in the regex. + +For example, the following dump: +---- +> 0:00:00.265620 a130368b000000080060 +> 0:00:00.280836 a1216c8b00000000000089086b0b82020407 +< 0:00:00.295459 a2010800000000000000000800000000 +> 0:00:00.296982 a1303c8b00000008007088286b0bc1ffcbf0f9ff +> 0:00:00.305644 a121718b0000000000008ba86a0b8008 +< 0:00:00.319061 a2010900000000000000001000600000 +> 0:00:00.330937 a130428b00000008007589186b0bb9ffd9f0fdfa3eb4295e99f3aaffd2f005 +> 0:00:00.356037 a121788b0000000000008a18 +---- +could be imported using these settings: +---- +regex: ^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$ +timestamp: %H:%M:%S.%f +dir: in: < out: > +encoding: HEX +---- + +Caution has to be applied when discarding the anchors `^` and `$`, as the input +is searched, not parsed, meaning even most incorrect regexes will produce valid +looking results when not anchored (however, anchors are not guaranteed to prevent +this). It is generally recommended to sanity check any files created using +this conversion. + +Supported fields: + +* data: Actual captured frame data ++ +The only mandatory field. This should match the encoded binary data captured and +is used as the actual frame data to import. ++ +* time: timestamp for the packet ++ +The captured field will be parsed according to the given timestamp format into a +timestamp. ++ +If no timestamp is present an arbitrary counter will count up seconds and +nanoseconds by one each packet. + +* dir: the direction the packet was sent over the wire ++ +The captured field is expected to be one character in length, any remaining +characters are ignored (e.g., given "Input" only the 'I' is looked at). This +character is compared to lists of characters corresponding to inbound and +outbound and the packet is assigned the corresponding direction. +If neither list yields a match, the direction is set to unknown. ++ +If this field is not specified the entire file has no directional information. ++ +* seqno: an ID for this packet ++ +Each packet can be assigned an arbitrary ID that can used as field by Wireshark. +This field is assumed to be a positive integer base 10. This field can e.g. +be used to reorder out of order captures after the import. ++ +If this field is not given, no IDs will be present in the resulting file. ++ + +[#ChIOImportDialog] + + +==== The “Import From Hex Dump” Dialog Box + +This dialog box lets you select a text file, containing a hex dump of packet +data, to be imported and set import parameters. + +[#ChIOFileImportDialog] + +.The “Import from Hex Dump” dialog in Hex Dump mode +image::images/ws-file-import.png[{medium-screenshot-attrs}] + +Specific controls of this import dialog are split in three sections: + +File Source:: Determine which input file has to be imported + +Input Format:: Determine how the input file has to be interpreted. + +Encapsulation:: Determine how the data is to be encapsulated. + +==== File source + +Filename / Browse:: +Enter the name of the text file to import. You can use _Browse_ to browse for a +file. + +==== Input Format + +This section is split in the two alternatives for input conversion, accessible in +the two Tabs "Hex Dump" and "Regular Expression" + +In addition to the conversion mode specific inputs, there are also common +parameters, currently only the timestamp format. + +===== The Hex Dump tab + +Offsets:: +Select the radix of the offsets given in the text file to import. This is +usually hexadecimal, but decimal and octal are also supported. Select _None_ +when only the bytes are present. These will be imported as a single packet. + +Direction indication:: +Tick this box if the text file to import has direction indicators before each +frame. These are on a separate line before each frame and start with either +_I_ or _i_ for input and _O_ or _o_ for output. + +===== The Regular Expression tab + +.The "Regular Expression" tab inside the "Import from Hex Dump” dialog. +image::images/ws-file-import-regex.png[{medium-screenshot-attrs}] + +Packet format regular expression:: +This is the regex used for searching packets and metadata inside the input file. +Named capturing subgroups are used to find the individual fields. Anchors `^` and +`$` are set to match directly before and after newlines `\n` or `\r\n`. See +https://developer-old.gnome.org/glib/stable/glib-regex-syntax.html[GRegex] for a full +documentation. + +Data encoding:: +The Encoding used for the binary data. Supported encodings are plain-hexadecimal, +-octal, -binary and base64. Plain here means no additional +characters are present in the data field beyond whitespaces, which are ignored. +Any unexpected characters abort the import process. ++ +Ignored whitespaces are `\r`, `\n`, `\t`, `\v`, ` ` and only for hex `:`, only +for base64 `=`. ++ +Any incomplete bytes at the field's end are assumed to be padding to fill the +last complete byte. These bits should be zero, however, this is not checked. + +Direction indication:: +The lists of characters indicating incoming vs. outgoing packets. These fields +are only available when the regex contains a `(?<dir>...)` group. + +===== Common items + +Timestamp Format:: +This is the format specifier used to parse the timestamps in the text file to +import. It uses the same format as `strptime(3)` with the addition of `%f` for +zero padded fractions of seconds. The precision of `%f` is determined from its +length. The most common fields are `%H`, `%M` and `%S` for hours, minutes and +seconds. The straightforward HH:MM:SS format is covered by %T. For a full +definition of the syntax look for `strptime(3)`, ++ +In Regex mode this field is only available when a `(?<time>...)` group is present. ++ +In Hex Dump mode if there are no timestamps in the text file to import, leave this +field empty and timestamps will be generated based on the time of import. + +==== Encapsulation + +Encapsulation type:: +Here you can select which type of frames you are importing. This all depends on +from what type of medium the dump to import was taken. It lists all types that +Wireshark understands, so as to pass the capture file contents to the right +dissector. + +Dummy header:: +When Ethernet encapsulation is selected you have to option to prepend dummy +headers to the frames to import. These headers can provide artificial Ethernet, +IP, UDP, TCP or SCTP headers or SCTP data chunks. When selecting a type of +dummy header, the applicable entries are enabled, others are greyed out and +default values are used. +When the _Wireshark Upper PDU export_ encapsulation is selected the option +_ExportPDU_ becomes available. This allows you to select the name of the +dissector these frames are to be directed to. + +Maximum frame length:: +You may not be interested in the full frames from the text file, just the first +part. Here you can define how much data from the start of the frame you want to +import. If you leave this open the maximum is set to 256kiB. + +Once all input and import parameters are setup click btn:[Import] to start the +import. If your current data wasn’t saved before you will be asked to save it +first. + +If the import button doesn't unlock, make sure all encapsulation parameters are +in the expected range and all unlocked fields are populated when using regex mode +(the placeholder text is not used as default). + +When completed there will be a new capture file loaded with the frames imported +from the text file. + +[#ChIOFileSetSection] + +=== File Sets + +When using the “Multiple Files” option while doing a capture (see: +<<ChCapCaptureFiles>>), the capture data is spread over several capture files, +called a file set. + +As it can become tedious to work with a file set by hand, Wireshark provides +some features to handle these file sets in a convenient way. + +.How does Wireshark detect the files of a file set? +**** +A filename in a file set uses the format Prefix_Number_DateTimeSuffix which +might look something like `test_00001_20230714183910.pcap`. All files of a file +set share the same prefix (e.g., “test”) and suffix (e.g., “.pcap”) and a +varying middle part. + +To find the files of a file set, Wireshark scans the directory where the +currently loaded file resides and checks for files matching the filename pattern +(prefix and suffix) of the currently loaded file. + +This simple mechanism usually works well but has its drawbacks. If several file +sets were captured with the same prefix and suffix, Wireshark will detect them +as a single file set. If files were renamed or spread over several directories +the mechanism will fail to find all files of a set. +**** + +The following features in the menu:File[File Set] submenu are available to work +with file sets in a convenient way: + +* The “List Files” dialog box will list the files Wireshark has recognized as + being part of the current file set. + +* btn:[Next File] closes the current and opens the next file in the file + set. + +* btn:[Previous File] closes the current and opens the previous file in the + file set. + +[#ChIOFileSetListDialog] + +==== The “List Files” Dialog Box + +.The “List Files” dialog box +image::images/ws-file-set-dialog.png[{medium-screenshot-attrs}] + +Each line contains information about a file of the file set: + +Filename:: +The name of the file. If you click on the filename (or the radio +button left to it), the current file will be closed and the corresponding +capture file will be opened. + +Created:: +The creation time of the file. + +Last Modified:: +The last time the file was modified. + +Size:: +The size of the file. + +The last line will contain info about the currently used directory where all of +the files in the file set can be found. + +The content of this dialog box is updated each time a capture file is +opened/closed. + +The btn:[Close] button will, well, close the dialog box. + +[#ChIOExportSection] + +// - Add {missing} for other exports? + +=== Exporting Data + +Wireshark provides a variety of options for exporting packet data. +This section describes general ways to export data from the main Wireshark application. +There are many other ways to export or extract data from capture files, including processing <<AppToolstshark,tshark>> output and customizing Wireshark and TShark using Lua scripts. + +[#ChIOExportSpecifiedPacketsDialog] + +==== The “Export Specified Packets” Dialog Box + +.The “Export Specified Packets” dialog box +image::images/ws-export-specified-packets.png[{medium-screenshot-attrs}] + +This is similar to the “<<ChIOSaveAs,Save>>” dialog box, but it lets you save specific packets. +This can be useful for trimming irrelevant or unwanted packets from a capture file. +See <<ChIOPacketRangeSection,Packet Range>> for details on the range controls. + +[#ChIOExportPacketDissectionsDialog] + +==== The “Export Packet Dissections” Dialog Box + +This lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other formats. + +.The “Export Packet Dissections” dialog box +image::images/ws-export-packet-dissections.png[{medium-screenshot-attrs}] + +The format can be selected from the “Export As” drop-down and further customized using the “<<ChIOPacketRangeSection,Packet Range>>” and “<<ChIOPacketRangeSection,Packet Format>>” controls. +Some controls are unavailable for some formats, notably CSV and JSON. +The following formats are supported: + +* Plain text as shown in the main window +* link:{wikipedia-main-url}Comma-separated_values[Comma-separated values (CSV)] +* link:{wikipedia-main-url}C_(programming_language)[C-compatible] byte arrays +* link:https://web.archive.org/web/20141115200425/http://www.nbee.org/doku.php?id=netpdl:psml_specification[PSML] (summary XML) +* link:https://web.archive.org/web/20140416072301/http://www.nbee.org/doku.php?id=netpdl:pdml_specification[PDML] (detailed XML) +* link:{wikipedia-main-url}JSON[JavaScript Object Notation (JSON)] + +Here are some examples of exported data: + +.Plain text +---- +No. Time Source Destination Protocol Length SSID Info + 1 0.000000 200.121.1.131 172.16.0.122 TCP 1454 10554 → 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU] + +Frame 1: 1454 bytes on wire (11632 bits), 1454 bytes captured (11632 bits) +Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13 +Internet Protocol Version 4, Src: 200.121.1.131 (200.121.1.131), Dst: 172.16.0.122 (172.16.0.122) + 0100 .... = Version: 4 + .... 0101 = Header Length: 20 bytes (5) + Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) + Total Length: 1440 + Identification: 0x0141 (321) + Flags: 0x0000 + ...0 0000 0000 0000 = Fragment offset: 0 + Time to live: 106 + Protocol: TCP (6) + Header checksum: 0xd390 [validation disabled] + [Header checksum status: Unverified] + Source: 200.121.1.131 (200.121.1.131) + Destination: 172.16.0.122 (172.16.0.122) + [Source GeoIP: PE, ASN 6147, Telefonica del Peru S.A.A.] +Transmission Control Protocol, Src Port: 10554, Dst Port: 80, Seq: 1, Ack: 1, Len: 1400 +---- + + +[TIP] +==== +If you would like to be able to <<ChIOImportSection,import>> any previously exported packets from a plain text file it is recommended that you do the following: + +* Add the “Absolute date and time” column. + +* Temporarily hide all other columns. + +* Disable the menu:Edit[Preferences,Protocols,Data] “Show not dissected data + on new Packet Bytes pane” preference. More details are provided in + <<ChCustPreferencesSection>> + +* Include the packet summary line. + +* Exclude column headings. + +* Exclude packet details. + +* Include the packet bytes. +==== + +.CSV +---- +"No.","Time","Source","Destination","Protocol","Length","SSID","Info","Win Size" +"1","0.000000","200.121.1.131","172.16.0.122","TCP","1454","","10554 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +"2","0.000011","172.16.0.122","200.121.1.131","TCP","54","","[TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=53200 Len=0","53200" +"3","0.025738","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=1401 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +"4","0.025749","172.16.0.122","200.121.1.131","TCP","54","","[TCP Window Update] [TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=63000 Len=0","63000" +"5","0.076967","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Previous segment not captured] [TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=4201 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535" +---- + +.JSON +---- +{ + "_index": "packets-2014-06-22", + "_type": "doc", + "_score": null, + "_source": { + "layers": { + "frame": { + "frame.encap_type": "1", + "frame.time": "Jun 22, 2014 13:29:41.834477000 PDT", + "frame.offset_shift": "0.000000000", + "frame.time_epoch": "1403468981.834477000", + "frame.time_delta": "0.450535000", + "frame.time_delta_displayed": "0.450535000", + "frame.time_relative": "0.450535000", + "frame.number": "2", + "frame.len": "86", + "frame.cap_len": "86", + "frame.marked": "0", + "frame.ignored": "0", + "frame.protocols": "eth:ethertype:ipv6:icmpv6", + "frame.coloring_rule.name": "ICMP", + "frame.coloring_rule.string": "icmp || icmpv6" + }, + "eth": { + "eth.dst": "33:33:ff:9e:e3:8e", + "eth.dst_tree": { + "eth.dst_resolved": "33:33:ff:9e:e3:8e", + "eth.dst.oui": "3355647", + "eth.addr": "33:33:ff:9e:e3:8e", + "eth.addr_resolved": "33:33:ff:9e:e3:8e", + "eth.addr.oui": "3355647", + "eth.dst.lg": "1", + "eth.lg": "1", + "eth.dst.ig": "1", + "eth.ig": "1" + }, + "eth.src": "00:01:5c:62:8c:46", + "eth.src_tree": { + "eth.src_resolved": "00:01:5c:62:8c:46", + "eth.src.oui": "348", + "eth.src.oui_resolved": "Cadant Inc.", + "eth.addr": "00:01:5c:62:8c:46", + "eth.addr_resolved": "00:01:5c:62:8c:46", + "eth.addr.oui": "348", + "eth.addr.oui_resolved": "Cadant Inc.", + "eth.src.lg": "0", + "eth.lg": "0", + "eth.src.ig": "0", + "eth.ig": "0" + }, + "eth.type": "0x000086dd" + }, + "ipv6": { + "ipv6.version": "6", + "ip.version": "6", + "ipv6.tclass": "0x00000000", + "ipv6.tclass_tree": { + "ipv6.tclass.dscp": "0", + "ipv6.tclass.ecn": "0" + }, + "ipv6.flow": "0x00000000", + "ipv6.plen": "32", + "ipv6.nxt": "58", + "ipv6.hlim": "255", + "ipv6.src": "2001:558:4080:16::1", + "ipv6.addr": "2001:558:4080:16::1", + "ipv6.src_host": "2001:558:4080:16::1", + "ipv6.host": "2001:558:4080:16::1", + "ipv6.dst": "ff02::1:ff9e:e38e", + "ipv6.addr": "ff02::1:ff9e:e38e", + "ipv6.dst_host": "ff02::1:ff9e:e38e", + "ipv6.host": "ff02::1:ff9e:e38e", + "ipv6.geoip.src_summary": "US, ASN 7922, Comcast Cable Communications, LLC", + "ipv6.geoip.src_summary_tree": { + "ipv6.geoip.src_country": "United States", + "ipv6.geoip.country": "United States", + "ipv6.geoip.src_country_iso": "US", + "ipv6.geoip.country_iso": "US", + "ipv6.geoip.src_asnum": "7922", + "ipv6.geoip.asnum": "7922", + "ipv6.geoip.src_org": "Comcast Cable Communications, LLC", + "ipv6.geoip.org": "Comcast Cable Communications, LLC", + "ipv6.geoip.src_lat": "37.751", + "ipv6.geoip.lat": "37.751", + "ipv6.geoip.src_lon": "-97.822", + "ipv6.geoip.lon": "-97.822" + } + }, + "icmpv6": { + "icmpv6.type": "135", + "icmpv6.code": "0", + "icmpv6.checksum": "0x00005b84", + "icmpv6.checksum.status": "1", + "icmpv6.reserved": "00:00:00:00", + "icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e", + "icmpv6.opt": { + "icmpv6.opt.type": "1", + "icmpv6.opt.length": "1", + "icmpv6.opt.linkaddr": "00:01:5c:62:8c:46", + "icmpv6.opt.src_linkaddr": "00:01:5c:62:8c:46" + } + } + } + } + } +] +---- + +[#ChIOExportSelectedDialog] + +==== The “Export Selected Packet Bytes” Dialog Box + +Export the bytes selected in the “Packet Bytes” pane into a raw binary file. + +.The “Export Selected Packet Bytes” dialog box +image::images/ws-export-selected.png[{medium-screenshot-attrs}] + +File name:: +The file name to export the packet data to. + +Save as type:: +The file extension. + +[#ChIOExportPDUSDialog] + +==== The “Export PDUs to File...” Dialog Box + +The “Export PDUs to File...” dialog box allows you to filter the captured Protocol Data Units (PDUs) and export them into the file. It allows you to export reassembled PDUs avoiding lower layers such as HTTP without TCP, and decrypted PDUs without the lower protocols such as HTTP without TLS and TCP. + +. In the main menu select menu:File[Export PDUs to File...]. Wireshark will open a corresponding dialog <<ExportPDUsToFile>>. ++ +[#ExportPDUsToFile] ++ +.Export PDUs to File window +image::images/ws-export-pdus-to-file.png[{screenshot-attrs}] + +. To select the data according to your needs, optionally type a filter value into the `Display Filter` field. For more information about filter syntax, see the link:https://www.wireshark.org/docs/man-pages/wireshark-filter.html[Wireshark Filters] man page. + +. In the field below the `Display Filter` field you can choose the level from which you want to export the PDUs to the file. There are seven levels: ++ +.. `DLT User`. You can export a protocol, which is framed in the user data link type table without the need to reconfigure the DLT user table. For more information, see the link:https://gitlab.com/wireshark/wireshark/-/wikis/HowToDissectAnything[How to Dissect Anything] page. ++ +.. `DVB-CI`. You can use it for the Digital Video Broadcasting (DVB) protocol. ++ +.. `Logcat` and `Logcat Text`. You can use them for the Android logs. ++ +.. `OSI layer 3`. You can use it to export PDUs encapsulated in the IPSec or SCTP protocols. ++ +.. `OSI layer 4`. You can use it to export PDUs encapsulated in the TCP or UDP protocols. ++ +.. `OSI layer 7`. You can use it to export the following protocols: CredSSP over TLS, Diameter, protocols encapsulated in TLS and DTLS, H.248, Megaco, RELOAD framing, SIP, SMPP. ++ +NOTE: As a developer you can add any dissector to the existing list or define a new entry in the list by using the functions in `epan/exported_pdu.h`. + +. To finish exporting PDUs to file, click the btn:[OK] button in the bottom-right corner. This will close the originally captured file and open the exported results instead as a temporary file in the main Wireshark window. + +. You may save the temporary file just like any captured file. See <<ChIOSaveSection>> for details. ++ +NOTE: The file produced has a `Wireshark Upper PDU` encapsulation type that has somewhat limited support outside of Wireshark, but is very flexible and can contain PDUs for any protocol for which there is a Wireshark dissector. + +[#ChIOStripHeaders] + +==== The “Strip Headers...” Dialog Box + +The “Strip Headers...” dialog box allows you to filter known encapsulation types on whatever protocol layer they appear and export them into a new capture file, removing lower-level protocols. It allows you to export reassembled packets and frames without lower layers such as GPF, GRE, GSE, GTP-U, MPLS, MPE, PPP, and more. If Wireshark has performed decryption, then you can export decrypted IP from protocols like IEEE 802.11 or IPSec without having to save encryption keys. + +The procedure is similar to that of <<ChIOExportPDUSDialog>>: + +. In the main menu select menu:File[Strip Headers...]. Wireshark will open a corresponding dialog. + +. To select the data according to your needs, optionally type a filter value into the `Display Filter` field. For more information about filter syntax, see the link:https://www.wireshark.org/docs/man-pages/wireshark-filter.html[Wireshark Filters] man page. + +. In the field below the `Display Filter` field you can choose the encapsulation type you want to find and export to the file. There are two encapsulations supported: ++ +.. `Ethernet`. You can use it to export Ethernet encapsulated in other protocols. ++ +.. `IP`. You can use it to export IPv4 and IPv6 encapsulated in other protocols. ++ +NOTE: As a developer you can add encapsulations to the list by using the functions in `epan/exported_pdu.h`. + +. To finish exporting to file, click the btn:[OK] button in the bottom-right corner. This will close the originally captured file and open the exported results instead as a temporary file in the main Wireshark window. + +. You may save the temporary file just like any captured file. See <<ChIOSaveSection>> for details. ++ +NOTE: The new capture files produced have standard encapsulation types and can be read in nearly any tool. + +[#ChIOExportTLSSessionKeys] + +==== The “Export TLS Session Keys...” Dialog Box + +Transport Layer Security (TLS) encrypts the communication between a client and a server. The most common use for it is web browsing via HTTPS. + +Decryption of TLS traffic requires TLS secrets. You can get them in the form of stored session keys in a "key log file", or by using an RSA private key file. For more details, see the link:{wireshark-wiki-url}TLS[TLS wiki page]. + +The menu:File[Export TLS Session Keys…] menu option generates a new "key log file" which contains TLS session secrets known by Wireshark. This feature is useful if you typically decrypt TLS sessions using the RSA private key file. The RSA private key is very sensitive because it can be used to decrypt other TLS sessions and impersonate the server. Session keys can be used only to decrypt sessions from the packet capture file. However, session keys are the preferred mechanism for sharing data over the Internet. + +To export captured TLS session keys, follow the steps below: + +. In the main menu select menu:File[Export TLS Session Keys...]. Wireshark will open a corresponding dialog <<TlsSessionKeys>>. ++ +[#TlsSessionKeys] ++ +.Export TLS Session Keys window +image::images/ws-tls-session-keys.png[{screenshot-attrs}] + +. Type the desired file name in the `Save As` field. + +. Choose the destination folder for your file in the `Where` field. + +. Press the btn:[Save] button to complete the export file procedure. + +[#ChIOExportObjectsDialog] + +==== The “Export Objects” Dialog Box + +This feature scans through the selected protocol's streams in the currently +open capture file or running capture and allows the user to export reassembled +objects to the disk. For example, if you select HTTP, you can export HTML +documents, images, executables, and any other files transferred over HTTP +to the disk. If you have a capture running, this list is automatically +updated every few seconds with any new objects seen. The saved objects can then +be opened or examined independently of Wireshark. + +.The “Export Objects” dialog box +image::images/ws-export-objects.png[{screenshot-attrs}] + +Columns: + +Packet:: +The packet number in which this object was found. In some +cases, there can be multiple objects in the same packet. + +Hostname:: +The hostname of the server that sent this object. + +Content Type:: +The content type of this object. + +Size:: +The size of this object in bytes. + +Filename: +The filename for this object. Each protocol generates +the filename differently. For example, HTTP uses the +final part of the URI and IMF uses the subject of the email. + +Inputs: + +Text Filter:: +Only displays objects containing the specified text string. + +Help:: +Opens this section of the “User’s Guide”. + +Save All:: +Saves all objects (including those not displayed) using the filename from the +filename column. You will be asked what directory or folder to save them in. + +Close:: +Closes the dialog without exporting. + +Save:: +Saves the currently selected object as a filename you specify. The +default filename to save as is taken from the filename column of the objects +list. + +[#ChIOPrintSection] + +=== Printing Packets + +To print packets, select the menu:File[Print...] menu item. +Wireshark will display the “Print” dialog box as shown below. + +[WARNING] +.It’s easy to waste paper doing this +==== +Printed output can contain lots of text, particularly if you print packet details and bytes. +==== + +==== The “Print” Dialog Box + +[#ChIOPrintDialogBox] + +.The “Print” dialog box +image::images/ws-print.png[{medium-screenshot-attrs}] + +The “Print” dialog box shows a preview area which shows the result of changing the packet format settings. +You can zoom in and out using the kbd:[{plus}] and kbd:[-] keys and reset the zoom level using the kbd:[0] key. +The following settings are available in the Print dialog box: + +Packet Format:: +Lets you specify what gets printed. See <<ChIOPacketFormatFrame>> for details. + +Summary line::: +Include a summary line for each packet. +The line will contain the same fields as the packet list. + +Details::: +Print details for each packet. + +Bytes::: +Print a hex dump of each packet. + +Packet Range:: +Select the packets to be printed. See <<ChIOPacketRangeSection>> for details. + +btn:[Page Setup...] lets you select the page size and orientation. + +btn:[Print...] prints to your default printer. + +btn:[Cancel] will close the dialog without printing. + +btn:[Help] will display this section of the “User’s Guide”. + +[#ChIOPacketRangeSection] + +=== The “Packet Range” Frame + +The packet range frame is a part of the “<<ChIOExportSpecifiedPacketsDialog,Export Specified Packets>>,” “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>,” and “<<ChIOPrintSection,Print>>” dialog boxes. +You can use it to specify which packets will be exported or printed. + +[#ChIOPacketRangeFrame] + +.The “Packet Range” frame +image::images/ws-packet-range.png[{medium-screenshot-attrs}] + +By default, the btn:[Displayed] button is set, which only exports or prints the packets that match the current display filter. +Selecting btn:[Captured] will export or print all packets. +You can further limit what you export or print to the following: + +All packets:: +All captured or displayed packets depending on the primary selection above. + +Selected packet:: +Only the selected packet. + +Marked packets:: +Only marked packets. See <<ChWorkMarkPacketSection>>. + +First to last marked:: +Lets you mark an inclusive range of packets. + +Range:: +Lets you manually specify a range of packets, e.g., _5,10-15,20-_ will process the packet number five, the packets from packet number ten to fifteen (inclusive) and every packet from number twenty to the end of the capture. + +Remove ignored packets:: +Don't export or print ignored packets. +See <<ChWorkIgnorePacketSection>>. + +[#ChIOPacketFormatSection] + +=== The Packet Format Frame + +The packet format frame is also a part of the “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>” and “<<ChIOPrintSection,Print>>” dialog boxes. +You can use it to specify which parts of dissection are exported or printed. + +[#ChIOPacketFormatFrame] + +.The “Packet Format” frame +image::images/ws-packet-format.png[{small-screenshot-attrs}] + +Each of the settings below correspond to the packet list, packet detail, and packet bytes in the main window. + +Packet summary line:: +Export or print each summary line as shown in the “Packet List” pane. + +Packet details:: +Export or print the contents of the “Packet Details” tree. + +All collapsed::: +Export or print as if the “Packet Details” tree is in the “all collapsed” state. + +As displayed::: +Export or print as if the “Packet Details” tree is in the “as displayed” state. + +All expanded::: +Export or print as if the “Packet Details” tree is in the “all expanded” state. + +Packet Bytes:: +Export or print the contents of the “Packet Bytes” pane. + +Each packet on a new page:: +For printing and some export formats, put each packet on a separate page. +For example, when exporting to a text file this will put a form feed character between each packet. + +Capture information header:: +Add a header to each page with capture filename and the number of total packets and shown packets. + +// End of WSUG Chapter IO diff --git a/docbook/wsug_src/wsug_mate.adoc b/docbook/wsug_src/wsug_mate.adoc new file mode 100644 index 0000000..6de78c7 --- /dev/null +++ b/docbook/wsug_src/wsug_mate.adoc @@ -0,0 +1,2318 @@ +[#ChMate] + +== MATE + +[#ChMateIntroduction] + +=== Introduction + +MATE: Meta Analysis and Tracing Engine + +What is MATE? Well, to keep it very short, with MATE you can create user +configurable extension(s) of the display filter engine. + +MATE's goal is to enable users to filter frames based on information extracted +from related frames or information on how frames relate to each other. MATE +was written to help troubleshooting gateways and other systems where a "use" +involves more protocols. However, MATE can be used as well to analyze other +issues regarding an interaction between packets like response times, +incompleteness of transactions, presence/absence of certain attributes in a +group of PDUs and more. + +MATE is a Wireshark plugin that allows the user to specify how different +frames are related to each other. To do so, MATE extracts data from the frames' +tree and then, using that information, tries to group the frames based on how +MATE is configured. Once the PDUs are related, MATE will create a "protocol" +tree with fields the user can filter with. The fields will be almost the same +for all the related frames, so one can filter a complete session spanning +several frames containing more protocols based on an attribute appearing in +some related frame. Other than that MATE allows to filter frames based on +response times, number of PDUs in a group and a lot more. + +So far MATE has been used to: + +* Filter all packets of a call using various protocols knowing just the +calling number. (MATE's original goal) +* Filter all packets of all calls using various protocols based on the release +cause of one of its "segments". +* Extrapolate slow transactions from very "dense" captures. (finding requests +that timeout) +* Find incomplete transactions (no responses) +* Follow requests through more gateways/proxies. +* more... + +[#ChMateGettingStarted] + +=== Getting Started + +These are the steps to try out MATE: + +* Run Wireshark and check if the plugin is installed correct (MATE should +appear in Help->About->Plugins) +* Get a configuration file e.g., tcp.mate (see {wireshark-wiki-url}Mate/Examples[Mate/Examples] +for more) and place it somewhere on your harddisk. +* Go to Preferences->Protocols->MATE and set the config filename to the file +you want to use (you don't have to restart Wireshark) +* Load a corresponding capture file (e.g., +{wireshark-wiki-url}uploads/27707187aeb30df68e70c8fb9d614981/http.cap[http.cap]) and see if MATE +has added some new display filter fields, something like: `mate tcp_pdu:1->tcp_ses:1` +or, at prompt: `path_to/wireshark -o "mate.config: tcp.mate" -r http.cap`. + +If anything went well, your packet details might look something like this: + +image::images/ws-mate-tcp-output.png[] + +[#ChMateManual] + +=== MATE Manual + +==== Introduction + +MATE creates a filterable tree based on information contained in frames that +share some relationship with information obtained from other frames. The way +these relationships are made is described in a configuration file. The +configuration file tells MATE what makes a PDU and how to relate it to other +PDUs. + +MATE analyzes each frame to extract relevant information from the "protocol" +tree of that frame. The extracted information is contained in MATE PDUs; +these contain a list of relevant attributes taken from the tree. From now on, I +will use the term "PDU" to refer to the objects created by MATE containing the +relevant information extracted from the frame; I'll use "frame" to refer to the +"raw" information extracted by the various dissectors that pre-analyzed the frame. + +For every PDU, MATE checks if it belongs to an existing "Group of PDUs" (Gop). +If it does, it assigns the PDU to that Gop and moves any new relevant attributes +to the Gop's attribute list. How and when do PDUs belong to Gops is described +in the configuration file as well. + +Every time a Gop is assigned a new PDU, MATE will check if it matches the +conditions to make it belong to a "Group of Groups" (Gog). Naturally the +conditions that make a Gop belong to a Gog are taken from the configuration +file as well. + +Once MATE is done analyzing the frame it will be able to create a "protocol" +tree for each frame based on the PDUs, the Gops they belong to and naturally any +Gogs the former belongs to. + +How to tell MATE what to extract, how to group it and then how to relate those +groups is made using AVPs and AVPLs. + +Information in MATE is contained in Attribute/Value Pairs (AVPs). AVPs are made +of two strings: the name and the value. AVPs are used in the configuration and +there they have an operator as well. There are various ways AVPs can be matched +against each other using those operators. + +AVPs are grouped into AVP Lists (AVPLs). PDUs, Gops and Gogs have an AVPL each. +Their AVPLs will be matched in various ways against others coming from the +configuration file. + +MATE will be instructed how to extract AVPs from frames in order to create a PDU +with an AVPL. It will be instructed as well, how to match that AVPL against the +AVPLs of other similar PDUs in order to relate them. In MATE the relationship +between PDUs is a Gop, it has an AVPL as well. MATE will be configured with other +AVPLs to operate against the Gop's AVPL to relate Gops together into Gogs. + +A good understanding on how AVPs and AVPLs work is fundamental to understand how +MATE works. + +[#AVP] +==== Attribute Value Pairs + +Information used by MATE to relate different frames is contained in Attribute/ +Value Pairs (AVPs). AVPs are made of two strings - the name and the value. When +AVPs are used in the configuration, an operator is defined as well. There are +various ways AVPs can be matched against each other using those operators. + +---- + avp_name="avp's value" + another_name= "1234 is the value" +---- + +The name is a string used to refer to a "kind" of an AVP. Two AVPs won't match +unless their names are identical. + +You should not use uppercase characters in names, or names that start with “.” or +“_”. Capitalized names are reserved for configuration parameters (we'll call them +keywords); nothing forbids you from using capitalized strings for other things as +well but it probably would be confusing. I'll avoid using capitalized words for +anything but the keywords in this document, the reference manual, the examples +and the base library. Names that start with a “.” would be very confusing as well +because in the old grammar, AVPL transformations use names starting with a “.” to +indicate they belong to the replacement AVPL. + +The value is a string that is either set in the configuration (for configuration +AVPs) or by Wireshark while extracting interesting fields from a frame's tree. +The values extracted from fields use the same representation as they do in filter +strings except that no quotes are used. + +The name can contain only alphanumeric characters, "_", and ".". The name ends +with an operator. + +The value will be dealt with as a string even if it is a number. If there are +any spaces in the value, the value must be between quotes "". + +---- + ip_addr=10.10.10.11, + tcp_port=1234, + binary_data=01:23:45:67:89:ab:cd:ef, + parameter12=0x23aa, + parameter_with_spaces="this value has spaces" +---- + +The way two AVPs with the same name might match is described by the operator. +Remember two AVPs won't match unless their names are identical. In MATE, match +operations are always made between the AVPs extracted from frames (called data +AVPs) and the configuration's AVPs. + +Currently defined MATE's AVP match operators are: + +* <<Equal,Equal>> _=_ will match if the string given completely matches the data +AVP's value string +* <<NotEqual,Not Equal>> _!_ will match only if the given value string is not equal to +the data AVP's value string +* <<OneOf,One Of>> _{}_ will match if one of the possible strings listed is equal to +the data AVP's value string +* <<StartsWith,Starts With>> _^_ will match if the string given matches the first +characters of the data AVP's value string +* <<EndsWith,Ends With>> _$_ will match if the string given matches the last characters +of the data AVP's value string +* <<Contains,Contains>> _~_ will match if the string given matches any substring of the +data AVP's value string +* <<LowerThan,Lower Than>> _<_ will match if the data AVP's value string is semantically +lower than the string given +* <<HigherThan,Higher Than>> _>_ will match if the data AVP's value string is semantically +higher than the string given +* <<Exists,Exists>> _?_ (the ? can be omitted) will match as far as a data AVP of the +given name exists + +==== AVP lists + +An AVPL is a set of diverse AVPs that can be matched against other AVPLs. Every +PDU, Gop and Gog has an AVPL that contains the information regarding it. The +rules that MATE uses to group Pdus and Gops are AVPL operations. + +There will never be two identical AVPs in a given AVPL. However, we can have +more than one AVP with the same name in an AVPL as long as their values are +different. + +Some AVPL examples: +---- + ( addr=10.20.30.40, addr=192.168.0.1, tcp_port=21, tcp_port=32534, user_cmd=PORT, data_port=12344, data_addr=192.168.0.1 ) + ( addr=10.20.30.40, addr=192.168.0.1, channel_id=22:23, message_type=Setup, calling_number=1244556673 ) + ( addr=10.20.30.40, addr=192.168.0.1, ses_id=01:23:45:67:89:ab:cd:ef ) + ( user_id=pippo, calling_number=1244556673, assigned_ip=10.23.22.123 ) +---- + +In MATE there are two types of AVPLs: + +* data AVPLs that contain information extracted from frames. +* operation AVPLs that come from the configuration and are used to tell MATE how +to relate items based on their data AVPLs. + +Data AVPLs can be operated against operation AVPLs in various ways: + +* <<Loose,Loose Match>>: Will match if at least one of the AVPs of each AVPL +match. If it matches it will return an AVPL containing all AVPs from the operand +AVPL that did match the operator's AVPs. +* <<Every,"Every" Match>>: Will match if none of the AVPs of the operator AVPL +fails to match a present AVP in the operand AVPL, even if not all of the +operator's AVPs have a match. If it matches it will return an AVPL containing +all AVPs from the operand AVPL that did match one AVP in the operator AVPL. +* <<Strict,Strict Match>>: Will match if and only if every one of the operator's +AVPs have at least one match in the operand AVPL. If it matches it will return +an AVPL containing the AVPs from the operand that matched. +* There's also a <<Merge,Merge>> operation that is to be performed between AVPLs +where all the AVPs that don't exist in the operand AVPL but exist in the operand +will be added to the operand AVPL. +* Other than that, there are <<Transform,Transformations>> - a combination +of a match AVPL and an AVPL to merge. + +==== MATE Analysis + +MATE's analysis of a frame is performed in three phases: + +* In the first phase, MATE attempts to extract a MATE Pdu from the frame's +protocol tree. MATE will create a Pdu if MATE's config has a _Pdu_ declaration +whose _Proto_ is contained in the frame. + +* In the second phase, if a Pdu has been extracted from the frame, MATE will try +to group it to other Pdus into a Gop (Group of Pdus) by matching the key +criteria given by a _Gop_ declaration. If there is no Gop yet with the key +criteria for the Pdu, MATE will try to create a new Gop for it if it matches the +_Start_ criteria given in the Gop declaration. + +* In the third phase, if there's a Gop for the Pdu, MATE will try to group this +Gop with other Gops into a Gog (Group of Groups) using the criteria given by the +_Member_ criteria of a Gog declaration. + +image::images/ws-mate-analysis.png[] + +The extraction and matching logic comes from MATE's configuration; MATE's +configuration file is declared by the _mate.config_ preference. By default it is +an empty string which means: do not configure MATE. + +The config file tells MATE what to look for in frames; How to make PDUs out of +it; How will PDUs be related to other similar PDUs into Gops; And how Gops +relate into Gogs. + +The MATE configuration file is a list of declarations. There are 4 types of +declarations: _Transform_, _Pdu_, _Gop_ and _Gog_. + +===== Mate's PDU's + +MATE will look in the tree of every frame to see if there is useful data to +extract, and if there is, it will create one or more PDU objects containing the +useful information. + +The first part of MATE's analysis is the "PDU extraction"; there are various +"Actions" that are used to instruct MATE what has to be extracted from the +current frame's tree into MATE's PDUs. + +====== PDU data extraction + +MATE will make a Pdu for each different proto field of Proto type present in the +frame. MATE will fetch from the field's tree those fields that are defined in +the <<Pdu>> declaration whose initial offset in the frame is within the +boundaries of the current Proto and those of the given Transport and Payload +statements. + +---- +Pdu dns_pdu Proto dns Transport ip { + Extract addr From ip.addr; + Extract dns_id From dns.id; + Extract dns_resp From dns.flags.response; +}; +---- +MATE will make a Pdu for each different proto field of Proto type present in the +frame. MATE will fetch from the field's tree those fields that are defined in +the <<Pdu>> AVPL whose initial offset in the frame is within the boundaries of +the current Proto and those of the various assigned Transports. + +image::images/ws-mate-dns_pane.png[] + +Once MATE has found a _Proto_ field for which to create a Pdu from the frame it +will move backwards in the frame looking for the respective _Transport_ fields. +After that it will create AVPs named as each of those given in the rest of the +AVPL for every instance of the fields declared as its values. + +image::images/ws-mate-dns_pdu.png[] + +Sometimes we need information from more than one _Transport_ protocol. In that +case MATE will check the frame looking backwards to look for the various +_Transport_ protocols in the given stack. MATE will choose only the closest +transport boundary per "protocol" in the frame. + +This way we'll have all Pdus for every _Proto_ that appears in a frame match its +relative transports. + +---- +Pdu isup_pdu Proto isup Transport mtp3/ip { + Extract m3pc From mtp3.dpc; + Extract m3pc From mtp3.opc; + Extract cic From isup.cic; + Extract addr From ip.addr; + Extract isup_msg From isup.message_type; +}; +---- + +image::images/ws-mate-isup_over_mtp3_over_ip.png[] + +This allows to assign the right _Transport_ to the Pdu avoiding duplicate +transport protocol entries (in case of tunneled ip over ip for example). + +---- +Pdu ftp_pdu Proto ftp Transport tcp/ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract ftp_cmd From ftp.command; +}; +---- + +image::images/ws-mate-ftp_over_gre.png[] + +Other than the mandatory _Transport_ there is also an optional _Payload_ +statement, which works pretty much as _Transport_ but refers to elements after +the _Proto_'s range. It is useful in those cases where the payload protocol +might not appear in a Pdu but nevertheless the Pdu belongs to the same category. + +---- +Pdu mmse_over_http_pdu Proto http Transport tcp/ip { + + Payload mmse; + + Extract addr From ip.addr; + Extract port From tcp.port; + Extract method From http.request.method; + Extract content From http.content_type; + Extract http_rq From http.request; + Extract resp From http.response.code; + Extract host From http.host; + Extract trx From mmse.transaction_id; + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; +}; +---- + +image::images/ws-mate-mmse_over_http.png[] + +====== Conditions on which to create PDUs + +There might be cases in which we won't want MATE to create a PDU unless some of +its extracted attributes meet or do not meet some criteria. For that we use the +_Criteria_ statements of the _Pdu_ declarations. + +---- +Pdu isup_pdu Proto isup Transport mtp3/ip { + ... + + // MATE will create isup_pdu PDUs only when there is not a point code '1234' + Criteria Reject Strict (m3pc=1234); +}; + +Pdu ftp_pdu Proto ftp Transport tcp/ip { + ... + + // MATE will create ftp_pdu PDUs only when they go to port 21 of our ftp_server + Criteria Accept Strict (addr=10.10.10.10, port=21); +}; +---- + +The _Criteria_ statement is given an action (_Accept_ or _Reject_), a match mode +(_Strict_, _Loose_ or _Every_) and an AVPL against which to match the currently +extracted one. + +====== Transforming the attributes of a PDU + +Once the fields have been extracted into the Pdu's AVPL, MATE will apply any +declared transformation to it. The way transforms are applied and how they work +is described later on. However, it's useful to know that once the AVPL for the +Pdu is created, it may be transformed before being analyzed. That way we can +massage the data to simplify the analysis. + +====== MATE's PDU tree + +Every successfully created Pdu will add a MATE tree to the frame dissection. If +the Pdu is not related to any Gop, the tree for the Pdu will contain just the +Pdu's info, if it is assigned to a Gop, the tree will also contain the Gop items, +and the same applies for the Gog level. + +---- +mate dns_pdu:1 + dns_pdu: 1 + dns_pdu time: 3.750000 + dns_pdu Attributes + dns_resp: 0 + dns_id: 36012 + addr: 10.194.4.11 + addr: 10.194.24.35 +---- + +The Pdu's tree contains some filterable fields + +* _mate.dns_pdu_ will contain the number of the "dns_pdu" Pdu +* _mate.dns_pdu.RelativeTime_ will contain the time passed since the beginning +of the capture in seconds +* the tree will contain the various attributes of the Pdu as well, these will +all be strings (to be used in filters as "10.0.0.1", not as 10.0.0.1) +** mate.dns_pdu.dns_resp +** mate.dns_pdu.dns_id +** mate.dns_pdu.addr + +===== Grouping Pdus together (Gop) + +Once MATE has created the Pdus it passes to the Pdu analysis phase. During the +PDU analysis phase MATE will try to group Pdus of the same type into 'Groups of +Pdus' (aka *Gop*s) and copy some AVPs from the Pdu's AVPL to the Gop's AVPL. + +image::images/ws-mate-pdu_analysis.png[] + +====== What can belong to a Gop + +Given a Pdu, the first thing MATE will do is to check if there is any Gop +declaration in the configuration for the given Pdu type. If so, it will use its +_Match_ AVPL to match it against the Pdu's AVPL; if they don't match, the +analysis phase is done. If there is a match, the AVPL is the Gop's candidate key +which will be used to search the Gop's index for the Gop to which to assign +the current PDU. If there is no such Gop and this Pdu does not match the +_Start_ criteria of a Gop declaration for the Pdu type, the Pdu will remain +unassigned and only the analysis phase will be done. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port); +Gop dns_req On dns_pdu Match (addr, addr, dns_id); +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic); +---- + +====== Start of a Gop + +If there was a match, the candidate key will be used to search the Gop's index +to see if there is already a Gop matching the Gop's key the same way. If there +is such a match in the Gops collection, and the PDU doesn't match the _Start_ +AVPL for its kind, the PDU will be assigned to the matching Gop. If it is a +_Start_ match, MATE will check whether or not that Gop has been already +stopped. If the Gop has been stopped, a new Gop will be created and will replace +the old one in the Gop's index. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); +}; + +Gop dns_req On dns_pdu Match (addr, addr, dns_id) { + Start (dns_resp=0); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); +}; +---- + +If no _Start_ is given for a Gop, a Pdu whose AVPL matches an existing Gog's +key will act as the start of a Gop. + +====== What goes into the Gop's AVPL + +Once we know a Gop exists and the Pdu has been assigned to it, MATE will copy +into the Gop's AVPL all the attributes matching the key plus any AVPs of the +Pdu's AVPL matching the _Extra_ AVPL. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); + Extra (pasv_prt, pasv_addr); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); + Extra (calling, called); +}; +---- + +====== End of a Gop + +Once the Pdu has been assigned to the Gop, MATE will check whether or not the +Pdu matches the _Stop_, if it happens, MATE will mark the Gop as stopped. Even +after stopped, a Gop may get assigned new Pdus matching its key, unless such +Pdu matches _Start_. If it does, MATE will instead create a new Gop starting +with that Pdu. + +---- +Gop ftp_ses On ftp_pdu Match (addr, addr, port, port) { + Start (ftp_cmd=USER); + Stop (ftp_cmd=QUIT); // The response to the QUIT command will be assigned to the same Gop + Extra (pasv_prt, pasv_addr); +}; + +Gop dns_req On dns_pdu Match (addr, addr, dns_id) { + Start (dns_resp=0); + Stop (dns_resp=1); +}; + +Gop isup_leg On isup_pdu Match (m3pc, m3pc, cic) { + Start (isup_msg=1); // IAM + Stop (isup_msg=16); // RLC + Extra (calling, called); +}; +---- + +If no _Stop_ criterium is stated for a given Gop, the Gop will be stopped as +soon as it is created. However, as with any other Gop, Pdus matching the Gop's +key will still be assigned to the Gop unless they match a _Start_ condition, +in which case a new Gop using the same key will be created. + +===== Gop's tree + +For every frame containing a Pdu that belongs to a Gop, MATE will create a tree +for that Gop. + +The example below represents the tree created by the _dns_pdu_ and _dns_req_ +examples. + +---- +... +mate dns_pdu:6->dns_req:1 + dns_pdu: 6 + dns_pdu time: 2.103063 + dns_pdu time since beginning of Gop: 2.103063 + dns_req: 1 + dns_req Attributes + dns_id: 36012 + addr: 10.194.4.11 + addr: 10.194.24.35 + dns_req Times + dns_req start time: 0.000000 + dns_req hold time: 2.103063 + dns_req duration: 2.103063 + dns_req number of PDUs: 2 + Start PDU: in frame 1 + Stop PDU: in frame 6 (2.103063 : 2.103063) + dns_pdu Attributes + dns_resp: 1 + dns_id: 36012 + addr: 10.194.4.11 + addr: 10.194.24.35 +---- + +Other than the pdu's tree, this one contains information regarding the +relationship between the Pdus that belong to the Gop. That way we have: + +* mate.dns_req which contains the id of this dns_req Gop. This will be present +in frames that belong to dns_req Gops. +* mate.dns_req.dns_id and mate.dns_req.addr which represent the values of the +attributes copied into the Gop. +* the timers of the Gop +** mate.dns_req.StartTime time (in seconds) passed since beginning of capture +until Gop's start. +** mate.dns_req.Time time passed between the start Pdu and the stop Pdu assigned +to this Gop (only created if a Stop criterion has been declared for the Gop and +a matching Pdu has arrived). +** mate.dns_req.Duration time passed between the start Pdu and the last Pdu +assigned to this Gop. +* mate.dns_req.NumOfPdus the number of Pdus that belong to this Gop +** a filterable list of frame numbers of the pdus of this Gop + +====== Gop's timers + +Note that there are two "timers" for a Gop: + +* *Time*, which is defined only for Gops that have been Stopped, and gives the +time passed between the _Start_ and the _Stop_ Pdus. +* *Duration*, which is defined for every Gop regardless of its state, and give +the time passed between its _Start_ Pdu and the last Pdu that was assigned to +that Gop. + +So: + +* we can filter for Pdus that belong to Gops that have been Stopped with +*mate.xxx.Time* +* we can filter for Pdus that belong to unstopped Gops with *mate.xxx && +mate.xxx.Time* +* we can filter for Pdus that belong to stopped Gops using *mate.xxx.Duration* +* we can filter for Pdus that belong to Gops that have taken more (or less) time +that 0.5s to complete with *mate.xxx.Time > 0.5* (you can try these also as +color filters to find out when response times start to grow) + +===== Grouping Gops together (Gog) + +When Gops are created, or whenever their AVPL changes, Gops are (re)analyzed to +check if they match an existent group of groups (Gog) or can create a new one. +The Gop analysis is divided into two phases. In the first phase, the still +unassigned Gop is checked to verify whether it belongs to an already existing +Gog or may create a new one. The second phase eventually checks the Gog and +registers its keys in the Gogs index. + +image::images/ws-mate-gop_analysis.png[] + +There are several reasons for the author to believe that this feature needs to +be reimplemented, so probably there will be deep changes in the way this is done +in the near future. This section of the documentation reflects the version of +MATE as of Wireshark 0.10.9; in future releases this will change. + +====== Declaring a Group Of Groups + +The first thing we have to do configuring a Gog is to tell MATE that it exists. + +---- +Gog web_use { + ... +}; +---- + +====== Telling MATE what could be a Gog member + +Then we have to tell MATE what to look for a match in the candidate Gops. + +---- +Gog web_use { + Member http_ses (host); + Member dns_req (host); +}; +---- + +====== Getting interesting data into the Gop + +Most often, also other attributes than those used for matching would be +interesting. In order to copy from Gop to Gog other interesting attributes, we +might use _Extra_ like we do for Gops. + +---- +Gog web_use { + ... + Extra (cookie); +}; +---- + +====== Gog's tree + +---- +mate http_pdu:4->http_req:2->http_use:1 + http_pdu: 4 + http_pdu time: 1.309847 + http_pdu time since beginning of Gop: 0.218930 + http_req: 2 + ... (the gop's tree for http_req: 2) .. + http_use: 1 + http_use Attributes + host: www.example.com + http_use Times + http_use start time: 0.000000 + http_use duration: 1.309847 + number of GOPs: 3 + dns_req: 1 + ... (the gop's tree for dns_req: 1) .. + http_req: 1 + ... (the gop's tree for http_req: 1) .. + http_req of current frame: 2 +---- + +We can filter on: + +* *mate.http_use.Duration* time elapsed between the first frame of a Gog and the last one assigned to it. +* the attributes passed to the Gog +** *mate.http_use.host* + +===== AVPL Transforms + +A Transform is a sequence of Match rules optionally completed with modification +of the match result by an additional AVPL. Such modification may be an Insert +(merge) or a Replace. Transforms can be used as helpers to manipulate an item's +AVPL before it is processed further. They come to be very helpful in several +cases. + +====== Syntax + +AVPL Transformations are declared in the following way: + +---- + Transform name { + Match [Strict|Every|Loose] match_avpl [Insert|Replace] modify_avpl ; + ... + }; +---- + +The *name* is the handle to the AVPL transformation. It is used to refer to the +transform when invoking it later. + +The _Match_ declarations instruct MATE what and how to match against the data +AVPL and how to modify the data AVPL if the match succeeds. They will be +executed in the order they appear in the config file whenever they are invoked. + +The optional match mode qualifier (_Strict_, _Every_, or _Loose_) is used +to choose the match mode as explained above; _Strict_ is a default value which +may be omitted. + +The optional modification mode qualifier instructs MATE how the modify AVPL +should be used: + +* the default value _Insert_ (which may be omitted) causes the _modify_avpl_ +to be *merged* to the existing data AVPL, +* the _Replace_ causes all the matching AVPs from the data AVPL to be +*replaced* by the _modify_avpl_. + +The _modify_avpl_ may be an empty one; this comes useful in some cases for +both _Insert_ and _Replace_ modification modes. + +Examples: + +---- + Transform insert_name_and { + Match Strict (host=10.10.10.10, port=2345) Insert (name=JohnDoe); +}; +---- + +adds name=JohnDoe to the data AVPL if it contains host=10.10.10.10 *and* +port=2345 + +---- +Transform insert_name_or { + Match Loose (host=10.10.10.10, port=2345) Insert (name=JohnDoe); +}; +---- + +adds name=JohnDoe to the data AVPL if it contains host=10.10.10.10 *or* +port=2345 + +---- +Transform replace_ip_address { + Match (host=10.10.10.10) Replace (host=192.168.10.10); +}; +---- + +replaces the original host=10.10.10.10 by host=192.168.10.10 + +---- +Transform add_ip_address { + Match (host=10.10.10.10) (host=192.168.10.10); +}; +---- + +adds (inserts) host=192.168.10.10 to the AVPL, keeping the original +host=10.10.10.10 in it too + +---- + Transform replace_may_be_surprising { + Match Loose (a=aaaa, b=bbbb) Replace (c=cccc, d=dddd); + }; +---- + +gives the following results: + +* (a=aaaa, b=eeee) gets transformed to (b=eeee, c=cccc, d=dddd) because a=aaaa +did match so it got replaced while b=eeee did not match so it has been left +intact, +* (a=aaaa, b=bbbb) gets transformed to (c=cccc, d=dddd) because both a=aaaa and +b=bbbb did match. + +====== Usage + +Once declared, Transforms can be added to the declarations of PDUs, Gops or +Gogs. This is done by adding the _Transform name_list_ statement to the +declaration: + +---- +Pdu my_proto_pdu Proto my_proto Transport ip { + Extract addr From ip.addr; + ... + Transform my_pdu_transform[, other_pdu_transform[, yet_another_pdu_transform]]; +}; +---- + +* In case of PDU, the list of transforms is applied against the PDU's AVPL +after its creation. +* In case of Gop and Gog, the list of transforms is applied against their +respective AVPLs when they are created and every time they change. + +===== Operation + +image::images/ws-mate-transform.png[] + +* A list of previously declared Transforms may be given to every Item (Pdu, Gop, +or Gog), using the Transform statement. +* Every time the AVPL of an item changes, it will be operated against *all* the +Transforms on the list given to that item. The Transforms on the list are +applied left to right. +* Inside each of the Transforms, the item's AVPL will be operated against the +Transform's Match clauses starting from the topmost one, until all have been +tried or until one of them succeeds. + +MATE's Transforms can be used for many different things, like: + +====== Multiple Start/Stop conditions for a Gop + +Using _Transforms_ we can add more than one start or stop condition to a Gop. + +---- +Transform start_cond { + Match (attr1=aaa,attr2=bbb) (msg_type=start); + Match (attr3=www,attr2=bbb) (msg_type=start); + Match (attr5^a) (msg_type=stop); + Match (attr6$z) (msg_type=stop); +}; + +Pdu pdu ... { + ... + Transform start_cond; +} + +Gop gop ... { + Start (msg_type=start); + Stop (msg_type=stop); + ... +} +---- + +====== Marking Gops and Gogs to filter them easily + +---- +Transform marks { + Match (addr=10.10.10.10, user=john) (john_at_host); + Match (addr=10.10.10.10, user=tom) (tom_at_host); +} + +... + +Gop my_gop ... { + ... + Transform marks; +} +---- + +After that we can use a display filter *mate.gop.john_at_host* or +*mate.gop.tom_at_host* + +====== Adding direction knowledge to MATE + +---- +Transform direction_as_text { + Match (src=192.168.0.2, dst=192.168.0.3) Replace (direction=from_2_to_3); + Match (src=192.168.0.3, dst=192.168.0.2) Replace (direction=from_3_to_2); +}; + +Pdu my_pdu Proto my_proto Transport tcp/ip { + Extract src From ip.src; + Extract dst From ip.dst; + Extract addr From ip.addr; + Extract port From tcp.port; + Extract start From tcp.flags.syn; + Extract stop From tcp.flags.fin; + Extract stop From tcp.flags.rst; + Transform direction_as_text; +} + +Gop my_gop On my_pdu Match (addr,addr,port,port) { + ... + Extra (direction); +} +---- + +====== NAT + +NAT can create problems when tracing, but we can easily work around it by +Transforming the NATed IP address and the Ethernet address of the router into +the non-NAT address: + +---- +Transform denat { + Match (addr=192.168.0.5, ether=01:02:03:04:05:06) Replace (addr=123.45.67.89); + Match (addr=192.168.0.6, ether=01:02:03:04:05:06) Replace (addr=123.45.67.90); + Match (addr=192.168.0.7, ether=01:02:03:04:05:06) Replace (addr=123.45.67.91); +} + +Pdu my_pdu Proto my_proto transport tcp/ip/eth { + Extract ether From eth.addr; + Extract addr From ip.addr; + Extract port From tcp.port; + Transform denat; +} +---- + +==== About MATE + +MATE was originally written by Luis Ontanon, a Telecommunications systems +troubleshooter, as a way to save time filtering out the packets of a single call +from huge capture files using just the calling number. Later he used the time he +had saved to make it flexible enough to work with protocols other than the ones +he was directly involved with. + +[#ChMateConfigurationTutorial] + +=== MATE's configuration tutorial + +We'll show a MATE configuration that first creates Gops for every DNS and HTTP +request, then it ties the Gops together in a Gop based on the host. Finally, +we'll separate into different Gogs request coming from different users. + +With this MATE configuration loaded we can: + +* use *mate.http_use.Duration > 5.5* to filter frames based on the time it takes +to load a complete page from the DNS request to resolve its name until the last +image gets loaded. +* use *mate.http_use.client == "10.10.10.20" && mate.http_use.host == "www.example.com"* +to isolate DNS and HTTP packets related to a visit of a certain user. +* use *mate.http_req.Duration > 1.5* to filter all the packets of HTTP requests +that take more than 1.5 seconds to complete. + +The complete config file is available on the Wireshark Wiki: +https://gitlab.com/wireshark/wireshark/-/wikis/Mate/Tutorial + +Note: This example uses _dns.qry.name_ which is defined since Wireshark +version 0.10.9. Supposing you have a mate plugin already installed you can test +it with the current Wireshark version. + +==== A Gop for DNS requests + +First we'll tell MATE how to create a Gop for each DNS request/response. + +MATE needs to know what makes a DNS PDU. We describe it this using a Pdu +declaration: + +---- +Pdu dns_pdu Proto dns Transport ip { + Extract addr From ip.addr; + Extract dns_id From dns.id; + Extract dns_resp From dns.flags.response; +}; +---- + +Using _Proto dns_ we tell MATE to create Pdus every time it finds _dns_. Using +_Transport ip_ we inform MATE that some of the fields we are interested are +in the _ip_ part of the frame. Finally, we tell MATE to import _ip.addr_ as +_addr_, _dns.id_ as _dns_id_ and _dns.flags.response_ as _dns_resp_. + +Once we've told MATE how to extract _dns_pdus_ we'll tell it how to match +requests and responses and group them into a Gop. For this we'll use a _Gop_ +declaration to define the Gop, and then, _Start_ and _Stop_ statements to +tell it when the Gop starts and ends. + +---- +Gop dns_req On dns_pdu Match (addr,addr,dns_id) { + Start (dns_resp=0); + Stop (dns_resp=1); +}; +---- + +Using the *Gop* declaration we tell MATE that the *Name* of the Gop is _dns_req_, +that _dns_pdus_ can become members of the Gop, and what is the key used to match +the Pdus to the Gop. + +The key for this Gop is _"addr, addr, dns_id"_. That means that in order to +belong to the same Gop, _dns_pdus_ have to have both addresses and the +_request id_ identical. We then instruct MATE that a _dns_req_ starts whenever +a _dns_pdu_ matches _"dns_resp=0"_ and that it stops when another _dns_pdu_ +matches _"dns_resp=1"_. + +At this point, if we open a capture file using this configuration, we are able +to use a display filter *mate.dns_req.Time > 1* to see only the packets of +DNS requests that take more than one second to complete. + +We can use a display filter *mate.dns_req && ! mate.dns_req.Time* to find +requests for which no response was given. *mate.xxx.Time* is set only for Gops +that have being stopped. + +==== A Gop for HTTP requests + +This other example creates a Gop for every HTTP request. + +---- +Pdu http_pdu Proto http Transport tcp/ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract http_rq From http.request.method; + Extract http_rs From http.response; + DiscardPduData true; +}; + +Gop http_req On http_pdu Match (addr, addr, port, port) { + Start (http_rq); + Stop (http_rs); +}; +---- + +So, if we open a capture using this configuration + +* filtering with *mate.http_req.Time > 1* will give all the requests where the +response header takes more than one second to come +* filtering with *mate.http_req.Duration > 1.5* will show those request that +take more than 1.5 seconds to complete. + +You have to know that *mate.xxx.Time* gives the time in seconds between the pdu +matching the GopStart and the Pdu matching the GopStop (yes, you can create +timers using this!). On the other hand, *mate.xxx.Duration* gives you the time +passed between the GopStart and the last pdu assigned to that Gop regardless +whether it is a stop or not. After the GopStop, Pdus matching the Gop's Key will +still be assigned to the same Gop as far as they don't match the GopStart, in +which case a new Gop with the same key will be created. + +==== Getting DNS and HTTP together into a Gog + +We'll tie together to a single Gog all the http packets belonging to requests +and responses to a certain host and the dns request and response used to resolve +its domain name using the Pdu and Gop definitions of the previous examples + +To be able to group DNS and HTTP requests together, we need to import into the +Pdus and Gops some part of information that both those protocols share. Once the +Pdus and Gops have been defined, we can use _Extract_ (for Pdus) and +_Extract_ (for Gops) statements to tell MATE what other protocol fields are to +be added to Pdus' and Gops' AVPLs. We add the following statements to the +appropriate declarations: + +---- +Extract host From http.host; // to Pdu http_pdu as the last Extract in the list +Extra (host); // to Gop http_req after the Stop + +Extract host From dns.qry.name; // to Pdu dns_pdu as the last Extract in the list +Extra (host); // to Gop dns_req after the Stop +---- + +Here we've told MATE to import _http.host_ into _http_pdu_ and _dns.qry.name_ +into _dns_pdu_ as _host_. We also have to tell MATE to copy the _host_ +attribute from the Pdus to the Gops, we do this using _Extra_. + +Once we have all the data we need in Pdus and Gops, we tell MATE what makes +different Gops belong to a certain Gog. + +---- +Gog http_use { + Member http_req (host); + Member dns_req (host); + Expiration 0.75; +}; +---- + +Using the _Gog_ declaration, we tell MATE to define a Gog type _Named_ +_http_use_ whose expiration is 0.75 seconds after all the Gops that belong to it +had been stopped. After that time, an eventual new Gop with the same key match +will create a new Gog instead of been added to the previous Gog. + +Using the _Member_ statements, we tell MATE that *http_req*s with the same +*host* belong to the same Gog, same thing for *dns_req*s. + +So far we have instructed mate to group every packet related to sessions towards +a certain host. At this point if we open a capture file and: + +* a display filter *mate.http_use.Duration > 5* will show only those requests +that have taken more than 5 seconds to complete starting from the DNS request +and ending with the last packet of the http responses. + +* a display filter *mate.http_use.host == "www.w3c.org"* will show all the +packets (both DNS and HTTP) related to the requests directed to www.w3c.org + +==== Separating requests from multiple users + +"Houston: we've had a problem here." + +This configuration works fine if used for captures taken at the client's side +but deeper in the network we'd got a real mess. Requests from many users get +mixed together into _http_uses_. Gogs are created and stopped almost randomly +(depending on the timing in which Gops start and stop). How do we get requests +from individual users separated from each other? + +MATE has a tool that can be used to resolve this kind of grouping issues. This +tool are the _Transforms_. Once defined, they can be applied against Pdus, +Gops and Gogs and they might replace or insert more attributes based on what's +there. We'll use them to create an attribute named client, using which we'll +separate different requests. + +For DNS we need the ip.src of the request moved into the Gop only from the DNS +request. + +So we first tell MATE to import ip.src as client: + +---- +Extract client From ip.src; +---- + +Next, we tell MATE to replace ( *dns_resp=1, client* ) with just *dns_resp=1* in +the Pdu. That way, we'll keep the attribute *client* only in the DNS request +Pdus (i.e., packets coming from the client).To do so, we have to add a +_Transform_ declaration (in this case, with just one clause) before the Pdu +declaration which uses it: + +---- +Transform rm_client_from_dns_resp { + Match (dns_resp=1, client) Replace (dns_resp=1); +}; +---- + +Next, we invoke the transform by adding the following line after the _Extract_ +list of the dns_pdu Pdu: + +---- + Transform rm_client_from_dns_resp; +---- + +HTTP is a little trickier. We have to remove the attribute carrying ip.src from +both the response and the "continuations" of the response, but as there is +nothing to filter on for the continuations, we have to add a fake attribute +first. And then we have to remove client when the fake attribute appears. +This is possible due to the fact that the _Match_ clauses in the _Transform_ +are executed one by one until one of them succeeds. First, we declare another +two _Transforms_: + +---- +Transform rm_client_from_http_resp1 { + Match (http_rq); //first match wins so the request won't get the not_rq attribute inserted + Match Every (addr) Insert (not_rq); //this line won't be evaluated if the first one matched so not_rq won't be inserted to requests +}; + +Transform rm_client_from_http_resp2 { + Match (not_rq, client) Replace (); //replace "client and not_rq" with nothing (will happen only in the response and eventual parts of it) +}; +---- + +Next, we add another _Extract_ statement to the _http_pdu_ declaration, and +apply both _Transforms_ declared above in a proper order: + +---- + Extract client From ip.src; + Transform rm_client_from_http_resp1, rm_client_from_http_resp2; +---- + +In MATE, all the _Transform_s listed for an item will be evaluated, while +inside a single _Transform_, the evaluation will stop at the first successful +_Match_ clause. That's why we first just match _http_rq_ to get out of the +first sequence before adding the _not_rq_ attribute. Then we apply the second +_Transform_ which removes both _not_rq_ and _client_ if both are there. Yes, +_Transform_s are cumbersome, but they are very useful. + +Once we got all what we need in the Pdus, we have to tell MATE to copy the +attribute _client_ from the Pdus to the respective Gops, by adding client to +_Extra_ lists of both Gop declarations: + +---- +Extra (host, client); +---- + +On top of that, we need to modify the old declarations of Gop key to new ones +that include both _client_ and _host_. So we change the Gog *Member* +declarations the following way: + +---- + Member http_req (host, client); + Member dns_req (host, client); +---- + +Now we got it, every "usage" gets its own Gog. + +[#ChMateConfigurationExamples] + +=== MATE configuration examples + +The following is a collection of various configuration examples for MATE. Many +of them are useless because the "conversations" facility does a better job. +Anyway they are meant to help users understanding how to configure MATE. + +==== TCP session + +The following example creates a GoP out of every TCP session. + +---- +Pdu tcp_pdu Proto tcp Transport ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_stop From tcp.flags.reset; + Extract tcp_stop From tcp.flags.fin; +}; + +Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) { + Start (tcp_start=1); + Stop (tcp_stop=1); +}; + +Done; +---- + +This probably would do fine in 99.9% of the cases but 10.0.0.1:20->10.0.0.2:22 and 10.0.0.1:22->10.0.0.2:20 would both fall into the same gop if they happen to overlap in time. + +* filtering with *mate.tcp_ses.Time > 1* will give all the sessions that last less than one second +* filtering with *mate.tcp_ses.NumOfPdus < 5* will show all tcp sessions that have less than 5 packets. +* filtering with *mate.tcp_ses.Id == 3* will show all the packets for the third tcp session MATE has found + +==== a Gog for a complete FTP session + +This configuration allows to tie a complete passive ftp session (including the +data transfer) in a single Gog. + +---- +Pdu ftp_pdu Proto ftp Transport tcp/ip { + Extract ftp_addr From ip.addr; + Extract ftp_port From tcp.port; + Extract ftp_resp From ftp.response.code; + Extract ftp_req From ftp.request.command; + Extract server_addr From ftp.passive.ip; + Extract server_port From ftp.passive.port; + + LastPdu; +}; + +Pdu ftp_data_pdu Proto ftp-data Transport tcp/ip{ + Extract server_addr From ip.src; + Extract server_port From tcp.srcport; + +}; + +Gop ftp_data On ftp_data_pdu (server_addr, server_port) { + Start (server_addr); +}; + +Gop ftp_ctl On ftp_pdu (ftp_addr, ftp_addr, ftp_port, ftp_port) { + Start (ftp_resp=220); + Stop (ftp_resp=221); + Extra (server_addr, server_port); +}; + +Gog ftp_ses { + Member ftp_ctl (ftp_addr, ftp_addr, ftp_port, ftp_port); + Member ftp_data (server_addr, server_port); +}; + +Done; +---- + +Note: not having anything to distinguish between ftp-data packets makes this +config to create one Gop for every ftp-data packet instead of each transfer. +Pre-started Gops would avoid this. + +==== using RADIUS to filter SMTP traffic of a specific user + +Spying on people, in addition to being immoral, is illegal in many countries. +This is an example meant to explain how to do it not an invitation to do so. +It's up to the police to do this kind of job when there is a good reason to do +so. + +---- +Pdu radius_pdu On radius Transport udp/ip { + Extract addr From ip.addr; + Extract port From udp.port; + Extract radius_id From radius.id; + Extract radius_code From radius.code; + Extract user_ip From radius.framed_addr; + Extract username From radius.username; +} + +Gop radius_req On radius_pdu (radius_id, addr, addr, port, port) { + Start (radius_code {1|4|7} ); + Stop (radius_code {2|3|5|8|9} ); + Extra (user_ip, username); +} + +// we define the smtp traffic we want to filter +Pdu user_smtp Proto smtp Transport tcp/ip { + Extract user_ip From ip.addr; + Extract smtp_port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_stop From tcp.flags.reset; +} + +Gop user_smtp_ses On user_smtp (user_ip, user_ip, smtp_port!25) { + Start (tcp_start=1); + Stop (tcp_stop=1); +} + +// with the following group of groups we'll group together the radius and the smtp +// we set a long expiration to avoid the session expire on long pauses. +Gog user_mail { + Expiration 1800; + Member radius_req (user_ip); + Member user_smtp_ses (user_ip); + Extra (username); +} + +Done; +---- + +Filtering the capture file with *mate.user_mail.username == "theuser"* will +filter the radius packets and smtp traffic for _"theuser"_. + +==== H323 Calls + +This configuration will create a Gog out of every call. + +---- +Pdu q931 Proto q931 Transport ip { + Extract addr From ip.addr; + Extract call_ref From q931.call_ref; + Extract q931_msg From q931.message_type; + Extract calling From q931.calling_party_number.digits; + Extract called From q931.called_party_number.digits; + Extract guid From h225.guid; + Extract q931_cause From q931.cause_value; +}; + +Gop q931_leg On q931 Match (addr, addr, call_ref) { + Start (q931_msg=5); + Stop (q931_msg=90); + Extra (calling, called, guid, q931_cause); +}; + +Pdu ras Proto h225.RasMessage Transport ip { + Extract addr From ip.addr; + Extract ras_sn From h225.requestSeqNum; + Extract ras_msg From h225.RasMessage; + Extract guid From h225.guid; +}; + +Gop ras_req On ras Match (addr, addr, ras_sn) { + Start (ras_msg {0|3|6|9|12|15|18|21|26|30} ); + Stop (ras_msg {1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31}); + Extra (guid); +}; + +Gog call { + Member ras_req (guid); + Member q931_leg (guid); + Extra (called,calling,q931_cause); +}; + +Done; +---- + +with this we can: + +* filter all signalling for a specific caller: *mate.call.caller == "123456789"* +* filter all signalling for calls with a specific release cause: *mate.call.q931_cause == 31* +* filter all signalling for very short calls: *mate.q931_leg.Time < 5* + +==== MMS + +With this example, all the components of an MMS send or receive will be tied +into a single Gog. Note that this example uses the _Payload_ clause because +MMS delivery uses MMSE over either HTTP or WSP. As it is not possible to relate +the retrieve request to a response by the means of MMSE only (the request is +just an HTTP GET without any MMSE), a Gop is made of HTTP Pdus but MMSE data +need to be extracted from the bodies. + +---- +## WARNING: this example has been blindly translated from the "old" MATE syntax +## and it has been verified that Wireshark accepts it. However, it has not been +## tested against any capture file due to lack of the latter. + +Transform rm_client_from_http_resp1 { + Match (http_rq); + Match Every (addr) Insert (not_rq); +}; + +Transform rm_client_from_http_resp2 { + Match (not_rq,ue) Replace (); +}; + +Pdu mmse_over_http_pdu Proto http Transport tcp/ip { + Payload mmse; + Extract addr From ip.addr; + Extract port From tcp.port; + Extract http_rq From http.request; + Extract content From http.content_type; + Extract resp From http.response.code; + Extract method From http.request.method; + Extract host From http.host; + Extract content From http.content_type; + Extract trx From mmse.transaction_id; + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; + Transform rm_client_from_http_resp1, rm_client_from_http_resp2; +}; + +Gop mmse_over_http On mmse_over_http_pdu Match (addr, addr, port, port) { + Start (http_rq); + Stop (http_rs); + Extra (host, ue, resp, notify_status, send_status, trx); +}; + +Transform mms_start { + Match Loose() Insert (mms_start); +}; + +Pdu mmse_over_wsp_pdu Proto wsp Transport ip { + Payload mmse; + Extract trx From mmse.transaction_id; + Extract msg_type From mmse.message_type; + Extract notify_status From mmse.status; + Extract send_status From mmse.response_status; + Transform mms_start; +}; + +Gop mmse_over_wsp On mmse_over_wsp_pdu Match (trx) { + Start (mms_start); + Stop (never); + Extra (ue, notify_status, send_status); +}; + +Gog mms { + Member mmse_over_http (trx); + Member mmse_over_wsp (trx); + Extra (ue, notify_status, send_status, resp, host, trx); + Expiration 60.0; +}; +---- + +[#ChMateConfigurationLibrary] + +=== MATE's configuration library + +The MATE library (will) contains GoP definitions for several protocols. Library +protocols are included in your MATE config using: +_Action=Include; +Lib=proto_name;_+. + +For Every protocol with a library entry, we'll find defined what from the PDU is +needed to create a GoP for that protocol, eventually any criteria and the very +essential GoP definition (i.e., __GopDef__, _GopStart_ and _GopStop_). + +[NOTE] +==== +It seems that this code is written in the old syntax of MATE. So far it has not +been transcribed into the new format. It may still form the basis to recreate +these in the new format. +==== + +==== General use protocols + +===== TCP + +It will create a GoP for every TCP session, If it is used it should be the last +one in the list. And every other proto on top of TCP should be declared with +_Stop=TRUE;_ so the a TCP PDU is not created where we got already one going on. + +---- + Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr; port=tcp.port; tcp_start=tcp.flags.syn; tcp_stop=tcp.flags.fin; tcp_stop=tcp.flags.reset; + Action=GopDef; Name=tcp_session; On=tcp_pdu; addr; addr; port; port; + Action=GopStart; For=tcp_session; tcp_start=1; + Action=GopStop; For=tcp_session; tcp_stop=1; +---- + +===== DNS + +will create a GoP containing every request and its response (eventually +retransmissions too). + +---- +Action=PduDef; Name=dns_pdu; Proto=dns; Transport=udp/ip; addr=ip.addr; port=udp.port; dns_id=dns.id; dns_rsp=dns.flags.response; + +Action=GopDef; Name=dns_req; On=dns_pdu; addr; addr; port!53; dns_id; +Action=GopStart; For=dns_req; dns_rsp=0; +Action=GopStop; For=dns_req; dns_rsp=1; +---- + +===== RADIUS + +A Gop for every transaction. + +---- +Action=PduDef; Name=radius_pdu; Proto=radius; Transport=udp/ip; addr=ip.addr; port=udp.port; radius_id=radius.id; radius_code=radius.code; + +Action=GopDef; Name=radius_req; On=radius_pdu; radius_id; addr; addr; port; port; +Action=GopStart; For=radius_req; radius_code|1|4|7; +Action=GopStop; For=radius_req; radius_code|2|3|5|8|9; +---- + +===== RTSP + +---- +Action=PduDef; Name=rtsp_pdu; Proto=rtsp; Transport=tcp/ip; addr=ip.addr; port=tcp.port; rtsp_method=rtsp.method; +Action=PduExtra; For=rtsp_pdu; rtsp_ses=rtsp.session; rtsp_url=rtsp.url; + +Action=GopDef; Name=rtsp_ses; On=rtsp_pdu; addr; addr; port; port; +Action=GopStart; For=rtsp_ses; rtsp_method=DESCRIBE; +Action=GopStop; For=rtsp_ses; rtsp_method=TEARDOWN; +Action=GopExtra; For=rtsp_ses; rtsp_ses; rtsp_url; +---- + +==== VoIP/Telephony + +Most protocol definitions here will create one Gop for every Call Leg unless +stated. + +===== ISUP + +---- +Action=PduDef; Name=isup_pdu; Proto=isup; Transport=mtp3; mtp3pc=mtp3.dpc; mtp3pc=mtp3.opc; cic=isup.cic; isup_msg=isup.message_type; + +Action=GopDef; Name=isup_leg; On=isup_pdu; ShowPduTree=TRUE; mtp3pc; mtp3pc; cic; +Action=GopStart; For=isup_leg; isup_msg=1; +Action=GopStop; For=isup_leg; isup_msg=16; +---- + +===== Q931 + +---- +Action=PduDef; Name=q931_pdu; Proto=q931; Stop=TRUE; Transport=tcp/ip; addr=ip.addr; call_ref=q931.call_ref; q931_msg=q931.message_type; + +Action=GopDef; Name=q931_leg; On=q931_pdu; addr; addr; call_ref; +Action=GopStart; For=q931_leg; q931_msg=5; +Action=GopStop; For=q931_leg; q931_msg=90; +---- + +===== H225 RAS + +---- +Action=PduDef; Name=ras_pdu; Proto=h225.RasMessage; Transport=udp/ip; addr=ip.addr; ras_sn=h225.RequestSeqNum; ras_msg=h225.RasMessage; +Action=PduExtra; For=ras_pdu; guid=h225.guid; + +Action=GopDef; Name=ras_leg; On=ras_pdu; addr; addr; ras_sn; +Action=GopStart; For=ras_leg; ras_msg|0|3|6|9|12|15|18|21|26|30; +Action=GopStop; For=ras_leg; ras_msg|1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31; +Action=GopExtra; For=ras_leg; guid; +---- + +===== SIP + +---- +Action=PduDef; Proto=sip_pdu; Transport=tcp/ip; addr=ip.addr; port=tcp.port; sip_method=sip.Method; sip_callid=sip.Call-ID; calling=sdp.owner.username; + +Action=GopDef; Name=sip_leg; On=sip_pdu; addr; addr; port; port; +Action=GopStart; For=sip; sip_method=INVITE; +Action=GopStop; For=sip; sip_method=BYE; +---- + +===== MEGACO + +Will create a Gop out of every transaction. + +To "tie" them to your call's GoG use: _Action=GogKey; Name=your_call; On=mgc_tr; +addr!mgc_addr; megaco_ctx;_ + +---- +Action=PduDef; Name=mgc_pdu; Proto=megaco; Transport=ip; addr=ip.addr; megaco_ctx=megaco.context; megaco_trx=megaco.transid; megaco_msg=megaco.transaction; term=megaco.termid; + +Action=GopDef; Name=mgc_tr; On=mgc_pdu; addr; addr; megaco_trx; +Action=GopStart; For=mgc_tr; megaco_msg|Request|Notify; +Action=GopStop; For=mgc_tr; megaco_msg=Reply; +Action=GopExtra; For=mgc_tr; term^DS1; megaco_ctx!Choose one; +---- + +[#ChMateReferenceManual] + +=== MATE's reference manual + +==== Attribute Value Pairs + +MATE uses AVPs for almost everything: to keep the data it has extracted from the +frames' trees as well as to keep the elements of the configuration. + +These "pairs" (actually tuples) are made of a name, a value and, in case of +configuration AVPs, an operator. Names and values are strings. AVPs with +operators other than '=' are used only in the configuration and are used for +matching AVPs of Pdus, GoPs and GoGs in the analysis phase. + +===== Name + +The name is a string used to refer to a class of AVPs. Two attributes won't +match unless their names are identical. Capitalized names are reserved for +keywords (you can use them for your elements if you want but I think it's not +the case). MATE attribute names can be used in Wireshark's display filters the +same way like names of protocol fields provided by dissectors, but they are not +just references to (or aliases of) protocol fields. + +===== Value + +The value is a string. It is either set in the configuration (for configuration +AVPs) or by MATE while extracting interesting fields from a dissection tree +and/or manipulating them later. The values extracted from fields use the same +representation as they do in filter strings. + +===== Operators + +Currently only match operators are defined (there are plans to (re)add transform +attributes but some internal issues have to be solved before that). The match +operations are always performed between two operands: the value of an AVP stated +in the configuration and the value of an AVP (or several AVPs with the same name) +extracted from packet data (called "data AVPs"). It is not possible to match +data AVPs to each other. + +The defined match operators are: + +* <<Equal,Equal>> _=_ test for equality, that is: either the value strings are identical +or the match will fail. +* <<NotEqual,Not Equal>> _!_ will match only if the value strings aren't equal. +* <<OneOf,One Of>> _{}_ will match if one of the value strings listed is equal to the +data AVP's string. Items inside the list's curly braces are +separated with the | character. +* <<StartsWith,Starts With>> _^_ will match if the configuration value string matches the +first characters of the data AVP's value string. +* <<EndsWith,Ends With>> _$_ will match if the configuration value string matches the +last characters of the data AVP's value string. +* <<Contains,Contains>> _~_ will match if the configuration value string matches a +substring of the characters of the data AVP's value string. +* <<LowerThan,Lower Than>> _<_ will match if the data AVP's value string is semantically +lower than the configuration value string. +* <<HigherThan,Higher Than>> _>_ will match if the data AVP's value string is semantically +higher than the configuration value string. +* <<Exists,Exists>> _?_ (can be omitted) will match if the AVP name matches, regardless +what the value string is. + +[#Equal] +====== Equal AVP Operator + +This operator tests whether the values of the operator and the operand AVP are +equal. + +Example:: +attrib=aaa *matches* attrib=aaa + +attrib=aaa *does not match* attrib=bbb + +[#NotEqual] +====== Not equal AVP operator + +This operator matches if the value strings of two AVPs are not equal. + +Example:: +attrib=aaa matches attrib!bbb + +attrib=aaa does not match attrib!aaa + +[#OneOf] +====== "One of" AVP operator + +The "one of" operator matches if the data AVP value is equal to one of the +values listed in the "one of" AVP. + +Example:: +attrib=1 matches attrib{1|2|3} + +attrib=2 matches attrib{1|2|3} + +attrib=4 does not match attrib{1|2|3} + +[#StartsWith] +====== "Starts with" AVP operator + +The "starts with" operator matches if the first characters of the data AVP +value are identical to the configuration AVP value. + +Example:: +attrib=abcd matches attrib^abc + +attrib=abc matches attrib^abc + +attrib=ab does not match attrib^abc + +attrib=abcd does not match attrib^bcd + +attrib=abc does not match attrib^abcd + + +[#EndsWith] +====== "Ends with" operator + +The ends with operator will match if the last bytes of the data AVP value are +equal to the configuration AVP value. + +Example:: +attrib=wxyz matches attrib$xyz + +attrib=yz does not match attrib$xyz + +attrib=abc...wxyz does not match attrib$abc + +[#Contains] +====== Contains operator + +The "contains" operator will match if the data AVP value contains a string +identical to the configuration AVP value. + +Example:: +attrib=abcde matches attrib~bcd + +attrib=abcde matches attrib~abc + +attrib=abcde matches attrib~cde + +attrib=abcde does not match attrib~xyz + +[#LowerThan] +====== "Lower than" operator + +The "lower than" operator will match if the data AVP value is semantically lower +than the configuration AVP value. + +Example:: +attrib=abc matches attrib<bcd + +attrib=1 matches attrib<2 + +but beware: attrib=10 does not match attrib<9 + +attrib=bcd does not match attrib<abc + +attrib=bcd does not match attrib<bcd + + +BUGS + +It should check whether the values are numbers and compare them numerically + +[#HigherThan] +====== "Higher than" operator + +The "higher than" operator will match if the data AVP value is semantically +higher than the configuration AVP value. + +Examples + +attrib=bcd matches attrib>abc + +attrib=3 matches attrib>2 + +but beware: attrib=9 does not match attrib>10 + +attrib=abc does not match attrib>bcd + +attrib=abc does not match attrib>abc + + +BUGS + +It should check whether the values are numbers and compare them numerically + +[#Exists] +====== Exists operator + +The exists operator will always match as far as the two operands have the same +name. + +Examples + +attrib=abc matches attrib? + +attrib=abc matches attrib (this is just an alternative notation of the previous example) + +obviously attrib=abc does not match other_attrib? + + +==== Attribute/Value Pair List (AVPL) +Pdus, GoPs and GoGs use an AVPL to contain the tracing information. An AVPL is +an unsorted set of <<AVP,AVPs>> that can be matched against other AVPLs. + +===== Operations between AVPLs + +There are three types of match operations that can be performed between AVPLs. +The Pdu's/GoP's/GoG's AVPL will be always one of the operands; the AVPL operator +(match type) and the second operand AVPL will always come from the +<<Config,configuration>>. +Note that a diverse AVP match operator may be specified for each AVP in the +configuration AVPL. + +An AVPL match operation returns a result AVPL. In <<Transform,Transform>>s, the +result AVPL may be replaced by another AVPL. The replacement means that the +existing data AVPs are dropped and the replacement AVPL from the +<<Config,configuration>> is <<Merge,Merged>> to the data AVPL of the +Pdu/GoP/GoG. + +* <<Loose,Loose Match>>: Will match if at least one of the AVPs of the two +operand AVPLs match. If it matches, it returns a result AVPL containing all AVPs +from the data AVPL that did match the configuration's AVPs. +* <<Every,"Every" Match>>: Will match if none of the AVPs of the configuration +AVPL fails to match an AVP in the data AVPL, even if not all of the +configuration AVPs have a match. If it matches, it returns a result AVPL +containing all AVPs from the data AVPL that did match an AVP in the +configuration AVPL. +* <<Strict,Strict Match>>: Will match if and only if each of the AVPs in the +configuration AVPL has at least one match in the data AVPL. If it matches, it +returns a result AVPL containing those AVPs from the data AVPL that matched. + +[#Loose] +====== Loose Match + +A loose match between AVPLs succeeds if at least one of the data AVPs matches at +least one of the configuration AVPs. Its result AVPL contains all the data AVPs +that matched. + +Loose matches are used in Extra operations against the <<Pdu,Pdu>>'s AVPL to +merge the result into <<Gop,Gop>>'s AVPL, and against <<Gop,Gop>>'s AVPL to +merge the result into <<Gog,Gog>>'s AVPL. They may also be used in +<<Criteria,Criteria>> and <<Transform,Transform>>s. + +[NOTE] +==== +As of current (2.0.1), Loose Match does not work as described here, see +https://gitlab.com/wireshark/wireshark/issues/12184[issue 12184]. Only use +in Transforms and Criteria is effectively affected by the bug. +==== + +Loose Match Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c=ccc) ==> (attr_a=aaa) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a=xxx; attr_c=ccc) ==> No Match! + +[#Every] +====== Every Match + +An "every" match between AVPLs succeeds if none of the configuration's AVPs that +have a counterpart in the data AVPL fails to match. Its result AVPL contains all +the data AVPs that matched. + +These may only be used in <<Criteria,Criteria>> and <<Transform,Transform>>s. + +[NOTE] +==== +As of current (2.0.1), Loose Match does not work as described here, see +https://gitlab.com/wireshark/wireshark/-/issues/12184[issue 12184]. +==== + +"Every" Match Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?, attr_d=ddd) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c=ccc) ==> No Match! + +(attr_a=aaa; attr_b=bbb; attr_c=xxx) Match Every (attr_a=xxx, attr_c=ccc) ==> No Match! + +[#Strict] +====== Strict Match + +A Strict match between AVPLs succeeds if and only if every AVP in the +configuration AVPL has at least one counterpart in the data AVPL and none of the +AVP matches fails. The result AVPL contains all the data AVPs that matched. + +These are used between Gop keys (key AVPLs) and Pdu AVPLs. They may also be used +in <<Criteria,Criteria>> and <<Transform,Transform>>s. + +Examples + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=xxx) ==> (attr_a=aaa, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_c=yyy) Match Strict (attr_a?, attr_c?) ==> (attr_a=aaa, attr_c=xxx, attr_c=yyy) + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=ccc) ==> No Match! + +(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c?, attr_d?) ==> No Match! + +[#Merge] +====== AVPL Merge + +An AVPL may be merged into another one. That would add to the latter every AVP +from the former that does not already exist there. + +This operation is done + +* between the result of a key match and the Gop's or Gog's AVPL, +* between the result of an Extra match and the Gop's or Gog's AVPL, +* between the result of a <<Transform,Transform>> match and Pdu's/Gop's AVPL. If +the operation specified by the Match clause is Replace, the result AVPL of the +match is removed from the item's AVPL before the modify_avpl is merged into it. + +Examples + +(attr_a=aaa, attr_b=bbb) Merge (attr_a=aaa, attr_c=xxx) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx) + +(attr_a=aaa, attr_b=bbb) Merge (attr_a=aaa, attr_a=xxx) former becomes (attr_a=aaa, attr_a=xxx, attr_b=bbb) + +(attr_a=aaa, attr_b=bbb) Merge (attr_c=xxx, attr_d=ddd) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_d=ddd) + +[#Transform] +====== Transforms + +A Transform is a sequence of Match rules optionally followed by an instruction +how to modify the match result using an additional AVPL. Such modification may +be an Insert (merge) or a Replace. The syntax is as follows: + +---- +Transform name { + Match [Strict|Every|Loose] match_avpl [[Insert|Replace] modify_avpl] ; // may occur multiple times, at least once +}; +---- + +For examples of Transforms, check the <<ChMateManual,Manual>> page. + +TODO: migrate the examples here? + +The list of Match rules inside a Transform is processed top to bottom; +the processing ends as soon as either a Match rule succeeds or all have been +tried in vain. + +Transforms can be used as helpers to manipulate an item's AVPL before the item +is processed further. An item declaration may contain a Transform clause +indicating a list of previously declared Transforms. Regardless whether the +individual transforms succeed or fail, the list is always executed completely +and in the order given, i.e., left to right. + +In MATE configuration file, a Transform must be declared before declaring any +item which uses it. + +[#Config] +=== Configuration AVPLs +[#Pdu] +==== Pdsu's configuration actions + +The following configuration AVPLs deal with PDU creation and data extraction. + +===== Pdu declaration block header + +In each frame of the capture, MATE will look for source _proto_name_'s PDUs in +the order in which the declarations appear in its configuration and will create +Pdus of every type it can from that frame, unless specifically instructed that +some Pdu type is the last one to be looked for in the frame. If told so for a +given type, MATE will extract all Pdus of that type and the previously declared +types it finds in the frame but not those declared later. + +The complete declaration of a Pdu looks as below; the mandatory order of the +diverse clauses is as shown. + +---- + Pdu name Proto proto_name Transport proto1[/proto2/proto3[/...]]] { + Payload proto; //optional, no default value + Extract attribute From proto.field ; //may occur multiple times, at least once + Transform (transform1[, transform2[, ...]]); //optional + Criteria [{Accept|Reject}] [{Strict|Every|Loose} match_avpl]; + DropUnassigned {true|false}; //optional, default=false + DiscardPduData {true|false}; //optional, default=false + LastExtracted {true|false}; //optional, default=false + }; +---- + +===== Pdu name + +The _name_ is a mandatory attribute of a Pdu declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of Pdus, Gops, and Gogs. The _name_ +is also used as part of the filterable fields' names related to this type of Pdu +which MATE creates. + +However, several Pdu declarations may share the same _name_. In such case, all +of them are created from each source PDU matching their _Proto_, _Transport_, +and _Payload_ clauses, while the bodies of their declarations may be totally +different from each other. Together with the _Accept_ (or _Reject_) clauses, +this feature is useful when it is necessary to build the Pdu's AVPL from +different sets of source fields depending on contents (or mere presence) of +other source fields. + +====== Proto and Transport clauses + +Every instance of the protocol _proto_name_ PDU in a frame will generate one +Pdu with the AVPs extracted from fields that are in the _proto_name_'s range +and/or the ranges of underlying protocols specified by the _Transport_ list. +It is a mandatory attribute of a Pdu declaration. The _proto_name_ is the name +of the protocol as used in Wireshark display filter. + +The Pdu's _Proto_, and its _Transport_ list of protocols separated by / tell +MATE which fields of a frame can get into the Pdu's AVPL. In order that MATE +would extract an attribute from a frame's protocol tree, the area representing +the field in the hex display of the frame must be within the area of either the +_Proto_ or its relative _Transport_ s. _Transport_ s are chosen moving backwards +from the protocol area, in the order they are given. + +_Proto http Transport tcp/ip_ does what you'd expect it to - it selects the +nearest tcp range that precedes the current http range, and the nearest ip range +that precedes that tcp range. If there is another ip range before the nearest +one (e.g., in case of IP tunneling), that one is not going to be selected. +_Transport_ tcp/ip/ip that "logically" should select the encapsulating IP header +too doesn't work so far. + +Once we've selected the _Proto_ and _Transport_ ranges, MATE will fetch those +protocol fields belonging to them whose extraction is declared using the +_Extract_ clauses for the Pdu type. The _Transport_ list is also mandatory, +if you actually don't want to use any transport protocol, use _Transport mate_. +(This didn't work until 0.10.9). + +====== Payload clause + +Other than the Pdu's _Proto_ and its _Transport_ protocols, there is also a +_Payload_ attribute to tell MATE from which ranges of _Proto_'s payload to +extract fields of a frame into the Pdu. In order to extract an attribute from a +frame's tree the highlighted area of the field in the hex display must be within +the area of the _Proto_'s relative payload(s). _Payload_ s are chosen moving +forward from the protocol area, in the order they are given. +_Proto http Transport tcp/ip Payload mmse_ will select the first mmse range +after the current http range. Once we've selected the _Payload_ ranges, MATE +will fetch those protocol fields belonging to them whose extraction is declared +using the _Extract_ clauses for the Pdu type. + +====== Extract clause + +Each _Extract_ clause tells MATE which protocol field value to extract as an AVP +value and what string to use as the AVP name. The protocol fields are referred +to using the names used in Wireshark display filters. If there is more than one +such protocol field in the frame, each instance that fulfills the criteria +stated above is extracted into its own AVP. The AVP names may be chosen +arbitrarily, but to be able to match values originally coming from different +Pdus (e.g., hostname from DNS query and a hostname from HTTP GET request) later +in the analysis, identical AVP names must be assigned to them and the dissectors +must provide the field values in identical format (which is not always the case). + +====== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_ s to +be performed on the Pdu's AVPL after all protocol fields have been extracted to +it. The list is always executed completely, left to right. On the contrary, the +list of Match clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +[#Criteria] +====== Criteria clause + +This clause tells MATE whether to use the Pdu for analysis. It specifies a match +AVPL, an AVPL match type (_Strict_, _Every_, or _Loose_) and the action to be +performed (_Accept_ or _Reject_) if the match succeeds. Once every attribute has +been extracted and eventual transform list has been executed, and if the +_Criteria_ clause is present, the Pdu's AVPL is matched against the match AVPL; +if the match succeeds, the action specified is executed, i.e., the Pdu is +accepted or rejected. The default behaviors used if the respective keywords are +omitted are _Strict_ and _Accept_. Accordingly, if the clause is omitted, all +Pdus are accepted. + +====== DropUnassigned clause + +If set to _TRUE_, MATE will destroy the Pdu if it cannot assign it to a Gop. +If set to _FALSE_ (the default if not given), MATE will keep them. + +====== DiscardPduData clause + +If set to _TRUE_, MATE will delete the Pdu's AVPL once it has analyzed it and +eventually extracted some AVPs from it into the Gop's AVPL. This is useful to +save memory (of which MATE uses a lot). If set to _FALSE_ (the default if not +given), MATE will keep the Pdu attributes. + +====== LastExtracted clause + +If set to _FALSE_ (the default if not given), MATE will continue to look for +Pdus of other types in the frame. If set to _TRUE_, it will not try to create +Pdus of other types from the current frame, yet it will continue to try for the +current type. + +[#Gop] +===== Gop's configuration actions + +====== Gop declaration block header + +Declares a Gop type and its prematch candidate key. + +---- + Gop name On pduname Match key { + Start match_avpl; // optional + Stop match_avpl; // optional + Extra match_avpl; // optional + Transform transform_list; // optional + Expiration time; // optional + IdleTimeout time; // optional + Lifetime time; // optional + DropUnassigned [TRUE|FALSE]; //optional + ShowTree [NoTree|PduTree|FrameTree|BasicTree]; //optional + ShowTimes [TRUE|FALSE]; //optional, default TRUE + }; +---- + +====== Gop name + +The _name_ is a mandatory attribute of a Gop declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of Pdus, Gops, and Gogs. The _name_ +is also used as part of the filterable fields' names related to this type of +Gop which MATE creates. + +====== On clause + +The _name_ of Pdus which this type of Gop is supposed to be groupping. It is +mandatory. + +====== Match clause + +Defines what AVPs form up the _key_ part of the Gop's AVPL (the Gop's _key_ AVPL +or simply the Gop's _key_). All Pdus matching the _key_ AVPL of an active Gop +are assigned to that Gop; a Pdu which contains the AVPs whose attribute names +are listed in the Gop's _key_ AVPL, but they do not strictly match any active +Gop's _key_ AVPL, will create a new Gop (unless a _Start_ clause is given). +When a Gop is created, the elements of its key AVPL are copied from the creating +Pdu. + +====== Start clause + +If given, it tells MATE what match_avpl must a Pdu's AVPL match, in addition to +matching the Gop's _key_, in order to start a Gop. If not given, any Pdu whose +AVPL matches the Gop's _key_ AVPL will act as a start for a Gop. The Pdu's AVPs +matching the match_avpl are not automatically copied into the Gop's AVPL. + +====== Stop clause + +If given, it tells MATE what match_avpl must a Pdu's AVPL match, in addition to +matching the Gop's key, in order to stop a Gop. If omitted, the Gop is +"auto-stopped" - that is, the Gop is marked as stopped as soon as it is created. +The Pdu's AVPs matching the match_avpl are not automatically copied into the +Gop's AVPL. + +====== Extra clause + +If given, tells MATE which AVPs from the Pdu's AVPL are to be copied into the +Gop's AVPL in addition to the Gop's key. + +====== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_ s to +be performed on the Gop's AVPL after the AVPs from each new Pdu, specified by +the key AVPL and the _Extra_ clause's match_avpl, have been merged into it. +The list is always executed completely, left to right. On the contrary, the list +of _Match_ clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +====== Expiration clause + +A (floating) number of seconds after a Gop is _Stop_ ped during which further +Pdus matching the _Stop_ ped Gop's key but not the _Start_ condition will still +be assigned to that Gop. The default value of zero has an actual meaning of +infinity, as it disables this timer, so all Pdus matching the _Stop_ ped Gop's +key will be assigned to that Gop unless they match the _Start_ condition. + +====== IdleTimeout clause + +A (floating) number of seconds elapsed from the last Pdu assigned to the Gop +after which the Gop will be considered released. The default value of zero has +an actual meaning of infinity, as it disables this timer, so the Gop won't be +released even if no Pdus arrive - unless the _Lifetime_ timer expires. + +====== Lifetime clause + +A (floating) of seconds after the Gop _Start_ after which the Gop will be +considered released regardless anything else. The default value of zero has an +actual meaning of infinity. + +====== DropUnassigned clause + +Whether or not a Gop that has not being assigned to any Gog should be discarded. +If _TRUE_, the Gop is discarded right after creation. If _FALSE_, the default, +the unassigned Gop is kept. Setting it to _TRUE_ helps save memory and speed up +filtering. + +====== TreeMode clause + +Controls the display of Pdus subtree of the Gop: + +* _NoTree_: completely suppresses showing the tree +* _PduTree_: the tree is shown and shows the Pdus by Pdu Id +* _FrameTree_: the tree is shown and shows the Pdus by the frame number in which +they are +* _BasicTree_: needs investigation + +====== ShowTimes clause + +Whether or not to show the times subtree of the Gop. If _TRUE_, the default, +the subtree with the timers is added to the Gop's tree. If _FALSE_, the subtree +is suppressed. + +[#Gog] +===== Gog's configuration actions + +====== Gop declaration block header + +Declares a Gog type and its prematch candidate key. + +---- + Gog name { + Member gopname (key); // mandatory, at least one + Extra match_avpl; // optional + Transform transform_list; // optional + Expiration time; // optional, default 2.0 + GopTree [NoTree|PduTree|FrameTree|BasicTree]; // optional + ShowTimes [TRUE|FALSE]; // optional, default TRUE + }; +---- + +====== Gop name + +The _name_ is a mandatory attribute of a Gog declaration. It is chosen +arbitrarily, except that each _name_ may only be used once in MATE's +configuration, regardless the class of an item it is used for. The _name_ is +used to distinguish between different types of Pdus, Gops, and Gogs. The _name_ +is also used as part of the filterable fields' names related to this type of +Gop which MATE creates. + +====== Member clause + +Defines the _key_ AVPL for the Gog individually for each Gop type _gopname_. +All _gopname_ type Gops whose _key_ AVPL matches the corresponding _key_ AVPL +of an active Gog are assigned to that Gog; a Gop which contains the AVPs whose +attribute names are listed in the Gog's corresponding _key_ AVPL, but they do +not strictly match any active Gog's _key_ AVPL, will create a new Gog. When a +Gog is created, the elements of its _key_ AVPL are copied from the creating Gop. + +Although the _key_ AVPLs are specified separately for each of the Member +_gopname_ s, in most cases they are identical, as the very purpose of a Gog is +to group together Gops made of Pdus of different types. + +====== Extra clause + +If given, tells MATE which AVPs from any of the Gop's AVPL are to be copied +into the Gog's AVPL in addition to the Gog's key. + +====== Expiration clause + +A (floating) number of seconds after all the Gops assigned to a Gog have been +released during which new Gops matching any of the session keys should still be +assigned to the existing Gog instead of creating a new one. Its value can range +from 0.0 to infinite. Defaults to 2.0 seconds. + +====== Transform clause + +The _Transform_ clause specifies a list of previously declared _Transform_ s to +be performed on the Gog's AVPL after the AVPs from each new Gop, specified by +the _key_ AVPL and the _Extra_ clause's match_avpl, have been merged into it. +The list is always executed completely, left to right. On the contrary, the list +of _Match_ clauses inside each individual _Transform_ is executed only until +the first match succeeds. + +====== TreeMode clause + +Controls the display of Gops subtree of the Gog: + +* _NoTree_: completely suppresses showing the tree +* _BasicTree_: needs investigation +* _FullTree_: needs investigation + +====== ShowTimes clause + +Whether or not to show the times subtree of the Gog. If _TRUE_, the default, +the subtree with the timers is added to the Gog's tree. If _FALSE_, the subtree +is suppressed. + +===== Settings Config AVPL + +The *Settings* config element is used to pass to MATE various operational +parameters. the possible parameters are + +====== GogExpiration + +How long in seconds after all the gops assigned to a gog have been released new +gops matching any of the session keys should create a new gog instead of being +assigned to the previous one. Its value can range from 0.0 to infinite. +Defaults to 2.0 seconds. + +====== DiscardPduData + +Whether or not the AVPL of every Pdu should be deleted after it was being +processed (saves memory). It can be either _TRUE_ or _FALSE_. Defaults to _TRUE_. +Setting it to _FALSE_ can save you from a headache if your config does not work. + +====== DiscardUnassignedPdu + +Whether Pdus should be deleted if they are not assigned to any Gop. It can be +either _TRUE_ or _FALSE_. Defaults to _FALSE_. Set it to _TRUE_ to save memory +if unassigned Pdus are useless. + +====== DiscardUnassignedGop + +Whether GoPs should be deleted if they are not assigned to any session. It can +be either _TRUE_ or _FALSE_. Defaults to _FALSE_. Setting it to _TRUE_ saves +memory. + +====== ShowPduTree + +====== ShowGopTimes + +===== Debugging Stuff + +The following settings are used to debug MATE and its configuration. All levels +are integers ranging from 0 (print only errors) to 9 (flood me with junk), +defaulting to 0. + +====== Debug declaration block header + +---- + Debug { + Filename "path/name"; //optional, no default value + Level [0-9]; //optional, generic debug level + Pdu Level [0-9]; //optional, specific debug level for Pdu handling + Gop Level [0-9]; //optional, specific debug level for Gop handling + Gog Level [0-9]; //optional, specific debug level for Gog handling + }; +---- + +====== Filename clause + +The {{{path/name}}} is a full path to the file to which debug output is to be +written. Non-existent file will be created, existing file will be overwritten +at each opening of a capture file. If the statement is missing, debug messages +are written to console, which means they are invisible on Windows. + +====== Level clause + +Sets the level of debugging for generic debug messages. It is an integer +ranging from 0 (print only errors) to 9 (flood me with junk). + +====== Pdu Level clause + +Sets the level of debugging for messages regarding Pdu creation. It is an +integer ranging from 0 (print only errors) to 9 (flood me with junk). + +====== Gop Level clause + +Sets the level of debugging for messages regarding Pdu analysis (that is how do +they fit into ?GoPs). It is an integer ranging from 0 (print only errors) to 9 +(flood me with junk). + +====== Gog Level clause + +Sets the level of debugging for messages regarding GoP analysis (that is how do +they fit into ?GoGs). It is an integer ranging from 0 (print only errors) to 9 +(flood me with junk). + +====== Settings Example +---- +Action=Settings; SessionExpiration=3.5; DiscardPduData=FALSE; +---- + +===== Action=Include + +Will include a file to the configuration. + +---- +Action=Include; {Filename=filename;|Lib=libname;} +---- + +====== Filename + +The filename of the file to include. If it does not begin with '/' it will look +for the file in the current path. + +====== Lib + +The name of the lib config to include. will look for libname.mate in +wiresharks_dir/matelib. + +====== Include Example +---- +Action=Include; Filename=rtsp.mate; +---- + +This will include the file called "rtsp.mate" into the current config. diff --git a/docbook/wsug_src/wsug_messages.adoc b/docbook/wsug_src/wsug_messages.adoc new file mode 100644 index 0000000..bd3291e --- /dev/null +++ b/docbook/wsug_src/wsug_messages.adoc @@ -0,0 +1,81 @@ +// WSUG Appendix Messages + +[#AppMessages] + +[appendix] +== Wireshark Messages + +Wireshark provides you with additional information generated out of the plain +packet data or it may need to indicate dissection problems. Messages generated +by Wireshark are usually placed in square brackets (“[]”). + +[#AppMessagesList] + +=== Packet List Messages + +These messages might appear in the packet list. + +==== [Malformed Packet] + +Malformed packet means that the protocol dissector can’t dissect the contents of +the packet any further. There can be various reasons: + +* __Wrong dissector__: Wireshark erroneously has chosen the wrong protocol + dissector for this packet. This will happen e.g., if you are using a protocol + not on its well known TCP or UDP port. You may try Analyze|Decode As to + circumvent this problem. + +* __Packet not reassembled__: The packet is longer than a single frame and it is + not reassembled, see <<ChAdvReassemblySection>> for further details. + +* __Packet is malformed__: The packet is actually wrong (malformed), meaning + that a part of the packet is just not as expected (not following the protocol + specifications). + +* __Dissector is buggy__: The corresponding protocol dissector is simply buggy + or still incomplete. + +Any of the above is possible. You’ll have to look into the specific situation to +determine the reason. You could disable the dissector by disabling the protocol +on the Analyze menu and check how Wireshark displays the packet then. You could +(if it’s TCP) enable reassembly for TCP and the specific dissector (if possible) +in the Edit|Preferences menu. You could check the packet contents yourself by +reading the packet bytes and comparing it to the protocol specification. This +could reveal a dissector bug. Or you could find out that the packet is indeed +wrong. + +==== [Packet size limited during capture] + +The packet size was limited during capture, see “Limit each packet to n bytes” +at the <<ChCapCaptureOptions>>. While dissecting, the current protocol dissector +was simply running out of packet bytes and had to give up. There’s nothing else +you can do now, except to repeat the whole capture process again with a higher +(or no) packet size limitation. + +[#AppMessagesDetails] + +=== Packet Details Messages + +These messages might appear in the packet details. + +==== [Response in frame: 123] + +The current packet is the request of a detected request/response pair. You can +directly jump to the corresponding response packet by double clicking on +the message. + +==== [Request in frame: 123] + +Same as “Response in frame: 123” above, but the other way round. + +==== [Time from request: 0.123 seconds] + +The time between the request and the response packets. + +==== [Stream setup by PROTOCOL (frame 123)] + +The session control protocol (SDP, H225, etc.) message which signaled the +creation of this session. You can directly jump to the corresponding packet +by double clicking on this message. + +// End of WSUG Appendix Messages diff --git a/docbook/wsug_src/wsug_preface.adoc b/docbook/wsug_src/wsug_preface.adoc new file mode 100644 index 0000000..c343a80 --- /dev/null +++ b/docbook/wsug_src/wsug_preface.adoc @@ -0,0 +1,91 @@ +[#Preface] +["preface",id="Preface"] +== Preface + +[#PreForeword] + +=== Foreword + +Wireshark is the world’s foremost network protocol analyzer, +but the rich feature set can be daunting for the unfamiliar. +This document is part of an effort by the Wireshark team to improve +Wireshark's usability. +We hope that you find it useful and look forward to your comments. + +[#PreAudience] + +=== Who should read this document? + +The intended audience of this book is anyone using Wireshark. + +This book explains all of the basic and some advanced features +of Wireshark. As Wireshark has become a very complex program, +not every feature may be explained in this book. + +This book is not intended to explain network sniffing in general and it +will not provide details about specific network protocols. A lot of +useful information regarding these topics can be found at the Wireshark +Wiki at link:{wireshark-wiki-url}[]. + +By reading this book, you will learn how to install Wireshark, how to use the +basic elements of the graphical user interface (such as the menu) and what’s +behind some of the advanced features that are not always obvious at first sight. +It will hopefully guide you around some common problems that frequently appear +for new (and sometimes even advanced) Wireshark users. + +[#PreAck] + +=== Acknowledgements + +The authors would like to thank the whole Wireshark team for their assistance. +In particular, the authors would like to thank: + +* Gerald Combs, for initiating the Wireshark project and funding to do this + documentation. + +* Guy Harris, for many helpful hints and a great deal of patience in reviewing + this document. + +* Gilbert Ramirez, for general encouragement and helpful hints along the way. + +The authors would also like to thank the following people for their helpful +feedback on this document: + +* Pat Eyler, for his suggestions on improving the example on generating a backtrace. + +* Martin Regner, for his various suggestions and corrections. + +* Graeme Hewson, for many grammatical corrections. + +The authors would like to acknowledge those man page and README authors for the +Wireshark project from who sections of this document borrow heavily: + +* Scott Renfro from whose `mergecap` man page <<AppToolsmergecap>> is derived. + +* Ashok Narayanan from whose `text2pcap` man page <<AppToolstext2pcap>> is derived. + +[#PreAbout] + +=== About this document + +This book was originally developed by mailto:{wsug-author-email2}[Richard +Sharpe] with funds provided from the Wireshark Fund. It was updated by +mailto:{wsug-author-email3}[Ed Warnicke] and more recently redesigned and +updated by mailto:{wsug-author-email}[Ulf Lamping]. + +It was originally written in DocBook/XML and converted to AsciiDoc by +Gerald Combs. + +[#PreDownload] + +=== Where to get the latest copy of this document? + +The latest copy of this documentation can always be found at +{wireshark-users-guide-url}. + +[#PreFeedback] + +=== Providing feedback about this document + +Should you have any feedback about this document, please send it to the +authors through mailto:{wireshark-dev-list-email}[]. diff --git a/docbook/wsug_src/wsug_protocols.adoc b/docbook/wsug_src/wsug_protocols.adoc new file mode 100644 index 0000000..8f2b8b9 --- /dev/null +++ b/docbook/wsug_src/wsug_protocols.adoc @@ -0,0 +1,15 @@ +// WSUG Appendix Protocols + +[#AppProtocols] + +[appendix] +== Protocols and Protocol Fields + +Wireshark distinguishes between protocols (e.g., tcp) and protocol fields (e.g., +tcp.port). + +A comprehensive list of all protocols and protocol fields can be found +in the “Display Filter Reference” at +{wireshark-display-filter-reference-url} + +// End of WSUG Appendix Protocols diff --git a/docbook/wsug_src/wsug_statistics.adoc b/docbook/wsug_src/wsug_statistics.adoc new file mode 100644 index 0000000..93d4f17 --- /dev/null +++ b/docbook/wsug_src/wsug_statistics.adoc @@ -0,0 +1,928 @@ +// WSUG Chapter Statistics + +[#ChStatistics] + +== Statistics + +[#ChStatIntroduction] + +=== Introduction + +Wireshark provides a wide range of network statistics which can be accessed via +the menu:Statistics[] menu. + +These statistics range from general information about the loaded capture file +(like the number of captured packets), to statistics about specific protocols +(e.g., statistics about the number of HTTP requests and responses captured). + +.General statistics + + - *Capture File Properties* about the capture file. + + - *Protocol Hierarchy* of the captured packets. + + - *Conversations* e.g., traffic between specific IP addresses. + + - *Endpoints* e.g., traffic to and from IP addresses. + + - *I/O Graphs* visualizing the number of packets (or similar) in time. + +.Protocol specific statistics + + - *Service Response Time* between request and response of some protocols. + + - Various other protocol specific statistics. + +[NOTE] +==== +The protocol specific statistics require detailed knowledge about the specific +protocol. Unless you are familiar with that protocol, statistics about it may +be difficult to understand. +==== + +Wireshark has many other statistics windows that display detailed +information about specific protocols and might be described in a later +version of this document. + +Some of these statistics are described at +{wireshark-wiki-url}Statistics. + +[#ChStatSummary] + +=== The “Capture File Properties” Dialog + +General information about the current capture file. + +.The “Capture File Properties” dialog +image::images/ws-capture-file-properties.png[{screenshot-attrs}] + +This dialog shows the following information: + +Details:: +Notable information about the capture file. + +File::: +General information about the capture file, including its full path, size, cryptographic hashes, file format, and encapsulation. + +Time::: +The timestamps of the first and the last packet in the file along with their difference. + +Capture::: +Information about the capture environment. +This will only be shown for live captures or if this information is present in a saved capture file. +The pcapng format supports this, while pcap doesn’t. + +Interfaces::: +Information about the capture interface or interfaces. + +Statistics::: +A statistical summary of the capture file. +If a display filter is set, you will see values in the _Captured_ column, and if any packets are marked, you will see values in the _Marked_ column. +The values in the _Captured_ column will remain the same as before, while the values in the _Displayed_ column will reflect the values corresponding to the packets shown in the display. +The values in the _Marked_ column will reflect the values corresponding to the marked packages. + +Capture file comments:: +Some capture file formats (notably pcapng) allow a text comment for the entire file. +You can view and edit this comment here. + +btn:[Refresh]:: +Updates the information in the dialog. + +btn:[Save Comments]:: +Saves the contents of the “Capture file comments” text entry. + +btn:[Close]:: +Closes the dialog + +btn:[Copy To Clipboard]:: +Copies the “Details” information to the clipboard. + +btn:[Help]:: +Opens this section of the User’s Guide. + +[#ChStatResolvedAddresses] + +=== Resolved Addresses + +The Resolved Addresses window shows the list of resolved addresses and their host names. Users can choose the `Hosts` field to display IPv4 and IPv6 addresses only. In this case, the dialog displays host names for each IP address in a capture file with a known host. This host is typically taken from DNS answers in a capture file. In case of an unknown host name, users can populate it based on a reverse DNS lookup. To do so, follow these steps: + +. Enable `Resolve Network Addresses` in the menu:View[Name Resolution] menu as this option is disabled by default. + +. Select `Use an external network name resolver` in the menu:Preferences[Name Resolution] menu. This option is enabled by default. + +NOTE: The resolved addresses are not updated automatically after a user changes the settings. To display newly available names, the user has to reopen the dialog. + +The `Ports` tab shows the list of service names, ports and types. + +Wireshark reads the entries for port mappings from the `hosts` service configuration files. See <<ChAppFilesConfigurationSection>> section for more information. + +.Resolved Addresses window +image::images/ws-resolved-addr.png[{screenshot-attrs}] + +[#ChStatHierarchy] + +=== The “Protocol Hierarchy” Window + +The protocol hierarchy of the captured packets. + +.The “Protocol Hierarchy” Window +image::images/ws-stats-hierarchy.png[{screenshot-attrs}] + +This is a tree of all the protocols in the capture. Each row contains the +statistical values of one protocol. Two of the columns (_Percent Packets_ and +_Percent Bytes_) serve double duty as bar graphs. If a display filter is set it +will be shown at the bottom. + +The btn:[Copy] button will let you copy the window contents as CSV or YAML. + +.Protocol hierarchy columns + +Protocol:: +This protocol’s name. + +Percent Packets:: +The percentage of protocol packets relative to all packets in the capture. + +Packets:: +The total number of packets that contain this protocol. + +Percent Bytes:: +The percentage of protocol bytes relative to the total bytes in the capture. + +Bytes:: +The total number of bytes of this protocol. + +Bits/s:: +The bandwidth of this protocol relative to the capture time. + +End Packets:: +The absolute number of packets of this protocol where it was the highest protocol in the stack (last dissected). + +End Bytes:: +The absolute number of bytes of this protocol where it was the highest protocol in the stack (last dissected). + +End Bits/s:: +The bandwidth of this protocol relative to the capture time where was the highest protocol in the stack (last dissected). + +PDUs:: +The total number of PDUs of this protocol. + +Packets usually contain multiple protocols. As a result, more than one protocol +will be counted for each packet. Example: In the screenshot 100% of packets +are IP and 99.3% are TCP (which is together much more than 100%). + +Protocol layers can consist of packets that won’t contain any higher layer +protocol, so the sum of all higher layer packets may not sum to the protocol's +packet count. This can be caused by segments and fragments reassembled in other +frames, TCP protocol overhead, and other undissected data. Example: In the +screenshot 99.3% of the packets are TCP but the sum of the subprotocols +(TLS, HTTP, Git, etc.) is much less. + +A single packet can contain the same protocol more than once. In this case, the +entry in the `PDUs` column will be greater than that of `Packets`. Example: +In the screenshot there are many more TLS and Git PDUs than there are packets. + +[#ChStatConversations] + +=== Conversations + +A network conversation is the traffic between two specific endpoints. For +example, an IP conversation is all the traffic between two IP addresses. The +description of the known endpoint types can be found in +<<ChStatEndpoints>>. + +[#ChStatConversationsWindow] + +==== The “Conversations” Window + +The conversations window is similar to the endpoint Window. See +<<ChStatEndpointsWindow>> for a description of their common features. Along with +addresses, packet counters, and byte counters the conversation window adds four +columns: the start time of the conversation (“Rel Start”) or (“Abs Start”), +the duration of the conversation in seconds, and the average bits (not bytes) +per second in each direction. A timeline graph is also drawn across the +“Rel Start” / “Abs Start” and “Duration” columns. + +.The “Conversations” window +image::images/ws-stats-conversations.png[{screenshot-attrs}] + +Each row in the list shows the statistical values for exactly one conversation. + +_Name resolution_ will be done if selected in the window and if it is active for +the specific protocol layer (MAC layer for the selected Ethernet endpoints +page). _Limit to display filter_ will only show conversations matching the +current display filter. _Absolute start time_ switches the start time column +between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start +times match the “Seconds Since First Captured Packet” time display format in the +packet list and absolute start times match the “Time of Day” display format. + +If a display filter had been applied before the dialog is opened, _Limit to +display filter_ will be set automatically. Additionally, after a display filter +had been applied, two columns ("Total Packets") and ("Percent Filtered") show +the number of unfiltered total packets and the percentage of packets in this filter +display. + +The btn:[Copy] button will copy the list values to the clipboard in CSV +(Comma Separated Values), YAML format or JSON format. The numbers are generally +exported without special formatting, but this can be enabled if needed. + +The btn:[Follow Stream...] button will show the stream contents as described +in <<ChAdvFollowStream>> dialog. The btn:[Graph...] button will show a graph +as described in <<ChStatIOGraphs>>. + +btn:[Conversation Types] lets you choose which traffic type tabs are shown. +See <<ChStatEndpoints>> for a list of endpoint types. The enabled types +are saved in your profile settings. + +[TIP] +==== +This window will be updated frequently so it will be useful even if you open +it before (or while) you are doing a live capture. +==== + +// Removed: +// [[ChStatConversationListWindow]] + +[#ChStatEndpoints] + +=== Endpoints + +A network endpoint is the logical endpoint of separate protocol traffic of a +specific protocol layer. The endpoint statistics of Wireshark will take the +following endpoints into account: + +[TIP] +==== +If you are looking for a feature other network tools call a _hostlist_, here is +the right place to look. The list of Ethernet or IP endpoints is usually what +you’re looking for. +==== + +.Endpoint and Conversation types + +Bluetooth:: A MAC-48 address similar to Ethernet. + +Ethernet:: Identical to the Ethernet device’s MAC-48 identifier. + +Fibre Channel:: A MAC-48 address similar to Ethernet. + +IEEE 802.11:: A MAC-48 address similar to Ethernet. + +FDDI:: Identical to the FDDI MAC-48 address. + +IPv4:: Identical to the 32-bit IPv4 address. + +IPv6:: Identical to the 128-bit IPv6 address. + +IPX:: A concatenation of a 32-bit network number and 48-bit node address, by +default the Ethernet interface’s MAC-48 address. + +JXTA:: A 160-bit SHA-1 URN. + +NCP:: Similar to IPX. + +RSVP:: A combination of various RSVP session attributes and IPv4 addresses. + +SCTP:: A combination of the host IP addresses (plural) and +the SCTP port used. So different SCTP ports on the same IP address are different +SCTP endpoints, but the same SCTP port on different IP addresses of the same +host are still the same endpoint. + +TCP:: A combination of the IP address and the TCP port used. +Different TCP ports on the same IP address are different TCP endpoints. + +Token Ring:: Identical to the Token Ring MAC-48 address. + +UDP:: A combination of the IP address and the UDP port used, so different UDP +ports on the same IP address are different UDP endpoints. + +USB:: Identical to the 7-bit USB address. + +[NOTE] +.Broadcast and multicast endpoints +==== +Broadcast and multicast traffic will be shown separately as additional +endpoints. Of course, as these aren’t physical endpoints the real traffic +will be received by some or all of the listed unicast endpoints. +==== + +[#ChStatEndpointsWindow] + +==== The “Endpoints” Window + +This window shows statistics about the endpoints captured. + +.The “Endpoints” window +image::images/ws-stats-endpoints.png[{screenshot-attrs}] + +For each supported protocol, a tab is shown in this window. Each tab label shows +the number of endpoints captured (e.g., the tab label “Ethernet · 4” tells +you that four ethernet endpoints have been captured). If no endpoints of a +specific protocol were captured, the tab label will be greyed out (although the +related page can still be selected). + +Each row in the list shows the statistical values for exactly one endpoint. + +_Name resolution_ will be done if selected in the window and if it is +active for the specific protocol layer (MAC layer for the selected +Ethernet endpoints page). _Limit to display filter_ will only show +conversations matching the current display filter. Note that in this +example we have MaxMind DB configured which gives us extra geographic +columns. See <<ChMaxMindDbPaths>> for more information. + +If a display filter had been applied before the dialog is opened, _Limit to +display filter_ will be set automatically. Additionally, after a display filter +had been applied, two columns ("Total Packets") and ("Percent Filtered") show +the number of unfiltered total packets and the percentage of packets in this filter +display. + +The btn:[Copy] button will copy the list values to the clipboard in CSV +(Comma Separated Values), YAML format or JSON format. The numbers are generally +exported without special formatting, but this can be enabled if needed. +The btn:[Map] button will show the endpoints mapped in your web browser. + +btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See +<<ChStatEndpoints>> above for a list of endpoint types. The enabled +types are saved in your profile settings. + +[TIP] +==== +This window will be updated frequently, so it will be useful even if you open +it before (or while) you are doing a live capture. +==== + +// Removed: +// [[ChStatEndpointListWindow]] + + +[#ChStatPacketLengths] + +=== Packet Lengths + +Shows the distribution of packet lengths and related information. + +.The “Packet Lengths” window +image::images/ws-stats-packet-lengths.png[{medium-screenshot-attrs}] + +Information is broken down by packet length ranges as shown above. + +Packet Lengths:: +The range of packet lengths. ++ +Ranges can be configured in the “Statistics -> Stats Tree” section of the <<ChCustPreferencesSection,Preferences Dialog>>. + +Count:: +The number of packets that fall into this range. + +Average:: +The arithmetic mean of the packet lengths in this range. + +Min Val, Max Val:: +The minimum and maximum lengths in this range. + +Rate (ms):: +The average packets per millisecond for the packets in this range. + +Percent:: +The percentage of packets in this range, by count. + +Burst Rate:: +Packet bursts are detected by counting the number of packets in a given time interval and comparing that count to the intervals across a window of time. +Statistics for the interval with the maximum number of packets are shown. +By default, bursts are detected across 5 millisecond intervals and intervals are compared across 100 millisecond windows. ++ +These calculations can be adjusted in the “Statistics” section of the <<ChCustPreferencesSection,Preferences Dialog>>. + +Burst Start:: +The start time, in seconds from the beginning of the capture, for the interval with the maximum number of packets. + +You can show statistics for a portion of the capture by entering a display filter into the _Display filter_ entry and pressing btn:[Apply]. + +btn:[Copy] copies the statistics to the clipboard. +btn:[Save as...] lets you save the data as text, CSV, YAML, or XML. + +[#ChStatIOGraphs] + +=== The “I/O Graphs” Window + +Lets you plot packet and protocol data in a variety of ways. + +.The “I/O Graphs” window +image::images/ws-stats-iographs.png[{screenshot-attrs}] + +As shown above, this window contains a chart drawing area along with a customizable list of graphs. +Graphs are saved in your current <<ChCustConfigProfilesSection,profile>>. +They are divided into time intervals, which can be set as described below. +Hovering over the graph shows the last packet in each interval except as noted below. +Clicking on the graph takes you to the associated packet in the packet list. +Individual graphs can be configured using the following options: + +Enabled:: +Draw or don’t draw this graph. + +Graph Name:: +The name of this graph. + +Display Filter:: +Limits the graph to packets that match this filter. + +Color:: +The color to use for plotting the graph’s lines, bars, or points. + +Style:: +How to visually represent the graph’s data, e.g., by drawing a line, bar, circle, plus, etc. + +Y Axis:: +The value to use for the graph’s Y axis. Can be one of: + +Packets, Bytes, or Bits::: +The total number of packets, packet bytes, or packet bits that match the graph’s display filter per interval. +<<ChStatIOGraphsMissingValues, Zero values>> are omitted in some cases. + +SUM(Y Field)::: +The sum of the values of the field specified in “Y Field” per interval. + +COUNT FRAMES(Y Field)::: +The number of frames that contain the field specified in “Y Field” per interval. +Unlike the plain “Packets” graph, this always displays <<ChStatIOGraphsMissingValues, zero values>>. + +COUNT FIELDS(Y Field)::: +The number of instances of the field specified in “Y Field” per interval. +Some fields, such as _dns.resp.name_, can show up multiple times in a packet. + +MAX(Y Field), MIN(Y Field), AVG(Y Field)::: +The maximum, minimum, and arithmetic mean values of the specified “Y Field” per interval. +For MAX and MIN values, hovering and clicking the graph will show and take you to the packet with the MAX or MIN value in the interval instead of the most recent packet. + +// io_graph_item.c says: +// "LOAD graphs plot the QUEUE-depth of the connection over time" +// (for response time fields such as smb.time, rpc.time, etc.) +// This interval is expressed in milliseconds. +LOAD(Y Field)::: +If the “Y Field” is a relative time value, this is the sum of the “Y Field” values divided by the interval time. +This can be useful for tracking response times. + +Y Field:: +The display filter field from which to extract values for the Y axis calculations listed above. + +SMA Period:: +Show an average of values over a specified period of intervals. + +The chart as a whole can be configured using the controls under the graph list: + +btn:[{plus}]:: +Add a new graph. + +btn:[-]:: +Add a new graph. + +btn:[Copy]:: +Copy the selected graph. + +btn:[Clear]:: +Remove all graphs. + +Mouse drags / zooms:: +When using the mouse inside the graph area, either drag the graph contents or select a zoom area. + +Interval:: +Set the interval period for the graph. + +Time of day:: +Switch between showing the absolute time of day or the time relative from the start of capture in the X axis. + +Log scale:: +Switch between a logarithmic or linear Y axis. + +Automatic updates:: +Redraw each graph automatically. + +Enable legend:: +Show a legend for graphs with more than one type of Y axis. + +The main dialog buttons along the bottom let you do the following: + +The btn:[Help] button will take you to this section of the User’s Guide. + +The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV +(Comma Separated Values) format. + +btn:[Copy from] will let you copy graphs from another profile. + +btn:[Close] will close this dialog. + +btn:[Save As...] will save the currently displayed graph as an image or CSV data. + +[TIP] +==== +You can see a list of useful keyboard shortcuts by right-clicking on the graph. +==== + +[#ChStatIOGraphsMissingValues] + +[discrete] +==== Missing Values Are Zero + +Wireshark's I/O Graph window doesn’t distinguish between missing and zero values. +For scatter plots it is assumed that zero values indicate missing data, and those values are omitted. +Zero values are shown in line graphs, and bar charts. + +// No longer true as of eb4e2cca69. +// For _plain_ (Packets, Bytes, and Bits) scatter plots, it is assumed that zero values indicate missing data, and those values are omitted. +// Zero values are shown in line graphs, bar charts, and _calculated_ scatter plots. +// Scatter plots are considered calculated if they have a calculated Y axis field or if a moving average is set. + +// If you need to display zero values in a scatter plot, you can do so by making the Y Axis a calculated field. +// For example, the calculated equivalent of “Packets” is a “COUNT FRAMES” Y Axis with a Y Field set to “frame”. + +[#ChStatSRT] + +=== Service Response Time + +The service response time is the time between a request and the corresponding response. +This information is available for many protocols, including the following: + +* AFP +* CAMEL +* DCE-RPC +* Diameter +* Fibre Channel +* GTP +* H.225 RAS +* LDAP +* MEGACO +* MGCP +* NCP +* ONC-RPC +* RADIUS +* SCSI +* SMB +* SMB2 +* SNMP + +As an example, the SMB2 service response time is described below in more detail. +The other Service Response Time windows will show statistics specific to their respective protocols, but will offer the same menu options. + +[#ChStatSRTSMB2] + +==== The “SMB2 Service Response Time Statistics” Window + +This window shows the number of transactions for each SMB2 opcode present in the capture file along with various response time statistics. +Right-clicking on a row will let you apply or prepare filters for, search for, or colorize a specific opcode. +You can also copy all of the response time information or save it in a variety of formats. + +.The “SMB2 Service Response Time Statistics” window +image::images/ws-stats-srt-smb2.png[{screenshot-attrs}] + +You can optionally apply a display filter in order to limit the statistics to a specific set of packets. + +The main dialog buttons along the bottom let you do the following: + +The btn:[Copy] button will copy the response time information as text. + +btn:[Save As...] will save the response time information in various formats. + +btn:[Close] will close this dialog. + +[#ChStatDHCPBOOTP] + +=== DHCP (BOOTP) Statistics + +The Dynamic Host Configuration Protocol (DHCP) is an option of the Bootstrap Protocol (BOOTP). It dynamically assigns IP addresses and other parameters to a DHCP client. The DHCP (BOOTP) Statistics window displays a table over the number of occurrences of a DHCP message type. The user can filter, copy or save the data into a file. + +[#ChStatNetPerfMeter] + +=== NetPerfMeter Statistics + +The NetPerfMeter Protocol{nbsp}(NPMP) is the control and data transfer protocol of NetPerfMeter, the transport protocol performance testing tool. It transmits data streams over TCP, SCTP, UDP and DCCP with given parameters, such as frame rate, frame size, saturated flows, etc. + +With these statistics you can: + +* Observed number of messages and bytes per message type. +* The share of messages and bytes for each message type. +* See the first and last occurrence of each message type. +* See the interval between first and last occurrence of each message type (if there are at least 2 messages of the corresponding type). +* See the message and byte rate within the interval for each message type (if there are at least 2 messages of the corresponding type). + +See link:https://www.uni-due.de/~be0001/netperfmeter/[NetPerfMeter – A TCP/MPTCP/UDP/SCTP/DCCP Network Performance Meter Tool] and Section{nbsp}6.3 of +link:https://duepublico2.uni-due.de/servlets/MCRFileNodeServlet/duepublico_derivate_00029737/Dre2012_final.pdf[Evaluation and Optimisation of Multi-Path Transport using the Stream Control Transmission Protocol] for more details about NetPerfMeter and the NetPerfMeter Protocol. + +.NetPerfMeter Statistics window +image::images/ws-netperfmeter-statistics.png[{screenshot-attrs}] + +[#ChStatONCRPC] + +=== ONC-RPC Programs + +Open Network Computing (ONC) Remote Procedure Call (RPC) uses TCP or UDP protocols to map a program number to a specific port on a remote machine and call a required service at that port. The ONC-RPC Programs window shows the description for captured program calls, such as program name, its number, version, and other data. +[#ChStat29West] + +=== 29West + +The 29West technology now refers to Ultra-Low Latency Messaging (ULLM) technology. It allows sending and receiving a high number of messages per second with microsecond delivery times for zero-latency data delivery. + +The menu:Statistics[29West] shows: +[cols="1,1"] +|=== +|The `Topics` submenu shows counters for: +a|* Advertisement by Topic +* Advertisement by Source +* Advertisement by Transport +* Queries by Topic +* Queries by Receiver +* Wildcard Queries by Pattern +* Wildcard Queries by Receiver + +|The `Queues` submenu shows counters for: +a|* Advertisement by Queue +* Advertisement by Source +* Queries by Queue +* Queries by Receiver + +|The `UIM` submenu shows `Streams`: +| Each stream is provided by Endpoints, Messages, Bytes, and the First and Last Frame statistics. + +|The `LBT-RM` submenu +|The LBT-RM Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data. + +|The `LBT-RU` submenu +|The LBT-Ru Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data. +|=== + +[#ChStatANCP] + +=== ANCP + +The Access Node Control Protocol (ANCP) is an TCP based protocol, which operates between an Access Node and Network Access Server. The Wireshark ANCP dissector supports the listed below messages: + +* Adjacency Message +* Topology Discovery Extensions, such as Port-Up and Port-Down Messages +* Operation And Maintenance (OAM) Extension, such as Port Management Message. + +The ANCP window shows the related statistical data. The user can filter, copy or save the data into a file. + +[#ChStatBACnet] + +=== BACnet + +Building Automation and Control Networks (BACnet) is a communication protocol which provides control for various building automated facilities, such as light control, fire alarm control, and others. Wireshark provides the BACnet statistics which is a packet counter. You can sort packets by instance ID, IP address, object type or service. + +[#ChStatCollectd] + +=== Collectd + +Collectd is a system statistics collection daemon. It collects various statistics from your system and converts it for the network use. The Collectd statistics window shows counts for values, which split into type, plugin, and host as well as total packets counter. You can filter, copy or save the data to a file. + +[#ChStatDNS] + +=== DNS + +The Domain Name System (DNS) associates different information, such as IP addresses, with domain names. DNS returns different codes, request-response and counters for various aggregations. The DNS statistics window enlists a total count of DNS messages, which are divided into groups by request types (opcodes), response code (rcode), query type, and others. + +.DNS statistics window +image::images/ws-dns.png[{screenshot-attrs}] + +You might find these statistics useful for quickly examining the health of a DNS service or other investigations. See the few possible scenarios below: + +* The DNS server might have issues if you see that DNS queries have a long request-response time or, if there are too many unanswered queries. +* DNS requests with abnormally large requests and responses might be indicative of DNS tunneling or command and control traffic. +* The order of magnitude more DNS responses than requests and the responses are very large might indicate that the target is being attacked with a DNS-based DDoS. + +You can filter, copy or save the data into a file. + +[#ChStatFlowGraph] + +=== Flow Graph + +The Flow Graph window shows connections between hosts. It displays the packet time, direction, ports and comments for each captured connection. You can filter all connections by ICMP Flows, ICMPv6 Flows, UIM Flows and TCP Flows. Flow Graph window is used for showing multiple different topics. Based on it, it offers different controls. + +.Flow Graph window +image::images/ws-flow-graph.png[{screenshot-attrs}] + +Each vertical line represents the specific host, which you can see in the top of the window. + +The numbers in each row at the very left of the window represent the time packet. You can change the time format in the menu:View[Time Display Format]. If you change the time format, you must relaunch the Flow Graph window to observe the time in a new format. + +The numbers at the both ends of each arrow between hosts represent the port numbers. + +Left-click a row to select a corresponding packet in the packet list. + +Right-click on the graph for additional options, such as selecting the previous, current, or next packet in the packet list. This menu also contains shortcuts for moving the diagram. + +Available controls: + +* btn:[Limit to display filter] filters calls just to ones matching display filter. When display filter is active before window is opened, checkbox is checked. +* btn:[Flow type] allows limit type of protocol flows should be based on. +* btn:[Addresses] allows switch shown addresses in diagram. +* btn:[Reset Diagram] resets view position and zoom to default state. +* btn:[Export] allows export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG and ASCII (diagram is stored with ASCII characters only)). + +.Flow Graph window showing VoIP call sequences +image::images/ws-tel-seq-dialog.png[{screenshot-attrs}] + +Additional shortcuts available for VoIP calls: + +* On selected RTP stream +** kbd:[S] - Selects the stream in <<ChTelRTPStreams,RTP Streams>> window (if not opened, it opens it and put it on background). +** kbd:[D] - Deselects the stream in <<ChTelRTPStreams,RTP Streams>> window (if not opened, it opens it and put it on background). + +Additional controls available for VoIP calls: + +* btn:[Reset Diagram] resets view position and zoom to default state. +* btn:[Play Streams] sends selected RTP stream to playlist of <<ChTelRtpPlayer,RTP Player>> window. +* btn:[Export] allows to export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG and ASCII (diagram is stored with ASCII characters only)). + + + +[#ChStatHARTIP] + +=== HART-IP + +Highway Addressable Remote Transducer over IP (HART-IP) is an application layer protocol. It sends and receives digital information between smart devices and control or monitoring systems. The HART-IP statistics window shows the counter for response, request, publish and error packets. You can filter, copy or save the data to a file. + +[#ChStatHPFEEDS] + +=== HPFEEDS + +Hpfeeds protocol provides a lightweight authenticated publishing and subscription. It supports arbitrary binary payloads which can be separated into different channels. HPFEEDS statistics window shows a counter for payload size per channel and opcodes. You can filter, copy or save the data to a file. + +[#ChStatHTTP] + +=== HTTP Statistics + +[#ChStatHTTPPacketCounter] + +==== HTTP Packet Counter + +Statistics for HTTP request types and response codes. + +[#ChStatHTTPRequests] + +==== HTTP Requests + +HTTP statistics based on the host and URI. + +[#ChStatHTTPLoadDistribution] + +==== HTTP Load Distribution + +HTTP request and response statistics based on the server address and host. + +[#ChStatHTTPRequestSequences] + +==== HTTP Request Sequences + +HTTP Request Sequences uses HTTP's Referer and Location headers to sequence a +capture's HTTP requests as a tree. This enables analysts to see how one HTTP +request leads to the next. + +.The “HTTP Request Sequences” window +image::images/ws-stats-http-requestsequences.png[{screenshot-attrs}] + + +[#ChStatHTTP2] + +=== HTTP2 + +Hypertext Transfer Protocol version 2 (HTTP/2) allows multiplexing various HTTP requests and responses over a single connection. It uses a binary encoding which is consisting of frames. The HTTP/2 statistics window shows the total number of HTTP/2 frames and also provides a breakdown per frame types, such as `HEADERS`, `DATA`, and others. + +As HTTP/2 traffic is typically encrypted with TLS, you must configure decryption to observe HTTP/2 traffic. For more details, see the link:{wireshark-wiki-url}TLS[TLS wiki page]. + +[#ChStatSametime] + +=== Sametime + +Sametime is a protocol for the IBM Sametime software. The Sametime statistics window shows the counter for message type, send type, and user status. + +[#ChStatTCPStreamGraphs] + +=== TCP Stream Graphs + +Show different visual representations of the TCP streams in a capture. + +Time Sequence (Stevens):: This is a simple graph of the TCP sequence +number over time, similar to the ones used in Richard Stevens’ “TCP/IP +Illustrated” series of books. + +Time Sequence (tcptrace):: Shows TCP metrics similar to the +http://www.tcptrace.org/[tcptrace] utility, including forward segments, +acknowledgments, selective acknowledgments, reverse window sizes, and +zero windows. + +Throughput:: Average throughput and goodput. + +Round Trip Time:: Round trip time vs time or sequence number. RTT is +based on the acknowledgment timestamp corresponding to a particular +segment. + +Window Scaling:: Window size and outstanding bytes. + +[#ChStatUDPMulticastStreams] + +=== UDP Multicast Streams + +The UDP Multicast Streams window shows statistics for all UDP multicast streams. It includes source addresses and ports, destination addresses and ports, packets counter and other data. You can specify the burst interval, the alarm limits and output speeds. To apply new settings, press btn:[Enter]. + +With these statistics you can: + +* Measure the burst size for a video stream. This uses the sliding window algorithm. +* Measure of the output buffer size limit, that no packet drop will occur. This uses the Leaky bucket algorithm. +* Detect the packet loss inside the MPEG2 video stream. + +.UDP Multicast Streams window +image::images/ws-udp-multicast-stream.png[{screenshot-attrs}] + +[#ChStatRSerPool] + +=== Reliable Server Pooling (RSerPool) + +The Reliable Server Pooling (RSerPool) windows show statistics for the different protocols of Reliable Server Pooling (RSerPool): + +* Aggregate Server Access Protocol{nbsp}(ASAP) +* Endpoint Handlespace Redundancy Protocol{nbsp}(ENRP) + +Furthermore, statistics for application protocols provided by link:https://www.uni-due.de/~be0001/rserpool/[RSPLIB] are provided as well: + +* Component Status Protocol{nbsp}(CSP) +* CalcApp Protocol +* Fractal Generator Protocol +* Ping Pong Protocol +* Scripting Service Protocol{nbsp}(SSP) + +With these statistics you can: + +* Observed number of messages and bytes per message type. +* The share of messages and bytes for each message type. +* See the first and last occurrence of each message type. +* See the interval between first and last occurrence of each message type (if there are at least 2 messages of the corresponding type). +* See the message and byte rate within the interval for each message type (if there are at least 2 messages of the corresponding type). + +See link:https://www.uni-due.de/~be0001/rserpool/[Thomas Dreibholz's Reliable Server Pooling (RSerPool) Page] and Chapter{nbsp}3 of link:https://duepublico.uni-duisburg-essen.de/servlets/DerivateServlet/Derivate-16326/Dre2006_final.pdf[Reliable Server Pooling – Evaluation, Optimization and Extension of a Novel IETF Architecture] for more details about RSerPool and its protocols. + +.ASAP Statistics window +image::images/ws-asap-statistics.png[{screenshot-attrs}] + +.ENRP Statistics window +image::images/ws-enrp-statistics.png[{screenshot-attrs}] + +.Component Status Protocol Statistics window +image::images/ws-csp-statistics.png[{screenshot-attrs}] + +.CalcApp Protocol Statistics window +image::images/ws-calcappprotocol-statistics.png[{screenshot-attrs}] + +.Fractal Generator Protocol Statistics window +image::images/ws-fgp-statistics.png[{screenshot-attrs}] + +.Ping Pong Protocol Statistics window +image::images/ws-pingpongprotocol-statistics.png[{screenshot-attrs}] + +.Scripting Service Protocol Statistics window +image::images/ws-ssp-statistics.png[{screenshot-attrs}] + +[#ChStatF5] + +=== F5 + +In F5 Networks, *TMM* stands for Traffic Management Microkernel. It processes all load-balanced traffic on the BIG-IP system. + +The F5 statistics menu shows packet and byte counts for both `Virtual Server Distribution` and `tmm Distribution` submenus. + +Each `Virtual Server Distribution` window contains the statistics for the following data: + +* A line for each named virtual server name. +* A line for traffic with a flow ID and no virtual server name. +* A line for traffic without a flow ID. + +Each `tmm Distribution` window contains the statistics for the following data: + +* A line for each tmm, which contains: +** A line for each ingress and egress (should add to tmm total), which contains: +*** Traffic with a virtual server name. +*** Traffic with a flow ID and no virtual server name. +*** Traffic without a flow ID. + + +[#ChStatIPv4] + +=== IPv4 Statistics + +Internet Protocol version 4 (IPv4) is a core protocol for the internet layer. It uses 32-bit addresses and allows packets routing from one source host to the next one. + +The menu:Statistics[IPv4] menu provides the packet counter by submenus: + +* `All Addresses`. Divides data by IP address. +* `Destination and Ports`. Divides data by IP address, and further by IP protocol type, such as TCP, UDP, and others. It also shows port number. +* `IP Protocol Types`. Divides data by IP protocol type. +* `Source TTLs`. Divides data by source IP address and then by TTL. Also shows the destination IP address for each TTL value. +* `Source and Destination addresses`. Divides data by source and destination IP address. + +You can see similar statistics in the menu:Statistics[Conversations] and menu:Statistics[Endpoints] menus. + +[#ChStatIPv6] + +=== IPv6 Statistics + +Internet Protocol version 6 (IPv6) is a core protocol for the internet layer. It uses 128-bit addresses and routes internet traffic. Similar to <<ChStatIPv4>>, the menu:Statistics[IPv6] menu shows the packet counter in each submenu. + +// End of WSUG Chapter Statistics diff --git a/docbook/wsug_src/wsug_telephony.adoc b/docbook/wsug_src/wsug_telephony.adoc new file mode 100644 index 0000000..4f856f0 --- /dev/null +++ b/docbook/wsug_src/wsug_telephony.adoc @@ -0,0 +1,619 @@ +// WSUG Chapter Telephony + +[#ChTelephony] + +== Telephony + +[#ChTelIntroduction] + +=== Introduction + +Wireshark provides a wide range of telephony related network statistics which +can be accessed via the menu:Telephony[] menu. + +These statistics range from specific signaling protocols, to analysis of +signaling and media flows. If encoded in a compatible encoding the media flow +can even be played. + +The protocol specific statistics windows display detailed information of +specific protocols and might be described in a later version of this document. + +Some of these statistics are described at the +{wireshark-wiki-url}Statistics pages. + +[#ChTelPlayingCalls] + +=== Playing VoIP Calls + +The tool for playing VoIP calls is called <<ChTelRtpPlayer,RTP Player>>. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depend on supported codecs. + +==== Supported codecs + +RTP Player is able to play any codec supported by an installed plugin. The codecs supported by RTP Player depend on the version of Wireshark you're using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark installation's installed codec plugins, do the following: + +* Open menu:Help[About Wireshark] window +* Select the menu:Plugins[] tab +* In the menu:Filter by type[] menu on the top-right, select codec + +.List of supported codecs +image::images/ws-about-codecs.png[{screenshot-attrs}] + +==== Work with RTP streams - Playlist + +Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose. + +Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained. + +When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways: + +* button menu:Play Streams[Set playlist] clears existing playlist and adds streams selected in the tool. +* button menu:Play Streams[Add to playlist] adds streams selected in the tool to playlist. Duplicated streams are not inserted again. +* button menu:Play Streams[Remove from playlist] removes streams selected in the tool from playlist, if they are in the playlist. + +.btn:[Play Streams] button with opened action menu +image::images/ws-tel-rtp-player_button.png[] + +btn:[Play Streams] button can be clicked directly and opens RTP Player window directly with btn:[Set playlist] action. All actions can be selected with the small down arrow next to the button. + +When the playlist is empty, there is no difference between btn:[Set playlist] and btn:[Add to playlist]. When the RTP Player window is not opened, all three actions above open it. + +btn:[Remove from playlist] is useful e.g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with menu:VoIPCalls[]. + +Tools below can be used to maintain content of playlist, they contain btn:[Play Streams] button. You can use one of procedures (Note: btn:[Add to playlist] action is demonstrated): + +* Open menu:Telephony[RTP > RTP Streams] window, it will show all streams in the capture. Select one or more streams and then press btn:[Play Streams]. Selected streams are added to playlist. +* Select any RTP packet in packet list, open menu:Telephony[RTP > Stream Analysis] window. It will show analysis of selected forward stream and its reverse stream (if btn:[Ctrl] is pressed during window opening). Then press btn:[Play Streams]. Forward and reverse stream is added to playlist. +** menu:RTP Stream Analysis[] window can be opened from other tools too. +* Open menu:Telephony[VoIP Calls] or menu:Telephony[SIP Flows] window, it will show all calls. Select one or more calls and then press btn:[Play Streams]. It will add all RTP streams related to selected calls to playlist. +* Open btn:[Flow Sequence] window in menu:Telephony[VoIP Calls] or menu:Telephony[SIP Flows] window, it will show flow sequence of calls. Select any RTP stream and then press btn:[Play Streams]. It will add selected RTP stream to playlist. + +.Tools for modifying playlist in RTP Player window +image::images/ws-tel-playlist.png[] + +[NOTE] +==== +Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see <<ChTelRTPAnalysis,RTP Stream Analysis>> window. +==== + +[#ChTelPlayingCallsLive] + +==== Playing audio during live capture + +Decoding RTP payload and showing waveforms is time consuming task. To speedup it RTP Player window uses copy of packet payload for all streams in the playlist. During live capture the dialog is not refreshed automatically as other Wireshark dialogs, but user must initiate it. + +The copy is created or refreshed and dialog updated: + +* Every time window is opened. +* Every time a new stream is added or set. +* During live capture, when btn:[Refresh streams] is pressed. +* Every time live capture is finished/stopped by a user. + +When capture file is opened (no live capturing), streams are read complete, no user action is required. Button btn:[Refresh streams] is disabled as it is useless. + +When live capture is running, streams are read only till "now" and are shown. When stream is continuous and user would like to see additional part, they must press btn:[Refresh stream]. When the user ends live capture, view is refreshed and button is disabled. + +[NOTE] +==== +RTP Player dialog stays open even live capture is stopped and then started again. Play list stays unchanged. Therefore, btn:[Refresh stream] tries to read same streams as before and shows them if they are still running. Past part of them (from previous live capture) is lost. +==== + +==== RTP Decoding Settings + +RTP is carried usually in UDP packets with random source and destination ports. Therefore, Wireshark can only recognize RTP streams based on VoIP signaling, e.g., based on SDP messages in SIP signaling. If signaling is not captured, Wireshark shows just UDP packets. However, there are multiple settings which help Wireshark recognize RTP even when there is no related signaling. + +You can use <<ChAdvDecodeAsFig,Decode As...>> function from menu:Analyze[Decode As...] menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use. + +Use of menu:Decode As...[] menu works fine, but is arduous for many streams. + +You can enable heuristic dissector menu:rtp_udp[] in menu:Analyze[Enabled Protocols...]. See <<ChCustProtocolDissectionSection>> for details. Once menu:rtp_udp[] is enabled, Wireshark tries to decode every UDP packet as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP. + +When an RTP stream uses a well-known port, the heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol menu:Preferences[Protocols > udp > Try heuristic sub-dissectors first], see <<ChCustPreferencesSection>>. In this case heuristics dissector tries to decode UDP packet even it uses a well-known port. + +[NOTE] +==== +Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected. + +When you enable menu:udp[Try heuristic sub-dissectors first], it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high. +==== + +RTP Player must store decoded data somewhere to be able to play it. When data are decoded, there are audio samples and dictionary for fast navigation. Both types of data are stored in memory for default, but you can configure Wireshark to store it on disk. There are two settings: + +* ui.rtp_player_use_disk1 - When set to FALSE (default), audio samples are kept in memory. When set to TRUE, audio samples are stored on temporary file. +* ui.rtp_player_use_disk2 - When set to FALSE (default), dictionary is kept in memory. When set to TRUE, dictionary is stored on temporary file. + +When any data are configured to be stored on disk, one file is created for each stream. Therefore, there might be up to two files for one RTP stream (audio samples and dictionary). If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see fewer streams that was added to playlist. Warnings are printed on console in this case and you will see fewer streams in the playlist than you send to it from other tools. + +For common use you can use default settings - store everything in memory. When you will be out of memory, switch ui.rtp_player_use_disk1 to TRUE first - it saves much more memory than ui.rtp_player_use_disk2. + + +==== VoIP Processing Performance and Related Limits + +Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines... + +RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU. + +RTP Player can handle 1000+ streams, but take into account that waveforms are very small and difficult to recognize in this case. + +RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again. + +RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams. + + +[#ChTelVoipCalls] + +=== VoIP Calls Window + +The VoIP Calls window shows a list of all detected VoIP calls in the captured +traffic. It finds calls by their signaling and shows related RTP streams. The current VoIP supported protocols are: + +* H.323 +* IAX2 +* ISUP +* MGCP/MEGACO +* SIP +* SKINNY +* UNISTIM + +See https://gitlab.com/wireshark/wireshark/-/wikis/VOIPProtocolFamily[VOIPProtocolFamily] for an overview of the used VoIP protocols. + +VoIP Calls window can be opened as window showing all protocol types (menu:Telephony[VoIP Calls] window) or limited to SIP messages only (menu:Telephony[SIP Flows] window). + +.VoIP Calls window +image::images/ws-tel-voip-calls.png[{screenshot-attrs}] + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* On selected call/calls +** kbd:[S] - Selects stream/streams related to call in RTP Streams window (if not opened, it opens it and put it on background). +** kbd:[D] - Deselects stream/streams related to call in RTP Streams window (if not opened, it opens it and put it on background). + +Available controls are: + +* btn:[Limit to display filter] filters calls just to ones matching display filter. When display filter is active before window is opened, checkbox is checked. +* btn:[Time of Day] switches format of shown time between relative to start of capture or absolute time of received packets. +* btn:[Flow Sequence] opens <<ChStatFlowGraph,Flow Sequence>> window and shows selected calls in it. +* btn:[Prepare Filter] generates display filter matching to selected calls (signaling and RTP streams) and apply it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Copy] copies information from table to clipboard in CSV or YAML. + +[#ChTelANSI] + +=== ANSI + +This menu shows groups of statistic data for mobile communication protocols according to ETSI GSM standards. + +==== A-I/F BSMAP Statistics Window + +The A-Interface Base Station Management Application Part (BSMAP) Statistics window shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file. + +==== A-I/F DTAP Statistics Window + +The A-Interface Direct Transfer Application Part (DTAP) Statistics widow shows the messages list and the number of the captured messages. There is a possibility to filter the messages, copy or save the date into a file. + +[#ChTelGSM] + +=== GSM Windows + +The Global System for Mobile Communications (GSM) is a standard for mobile networks. This menu shows a group of statistic data for mobile communication protocols according to ETSI GSM standard. + +[#ChTelIAX2Analysis] + +=== IAX2 Stream Analysis Window + +The “IAX2 Stream Analysis” window shows statistics for the forward and reverse +streams of a selected IAX2 call along with a graph. + +[#ChTelISUPMessages] + +=== ISUP Messages Window + +Integrated Service User Part (ISUP) protocol provides voice and non-voice signaling for telephone communications. ISUP Messages menu opens the window which shows the related statistics. The user can filter, copy or save the data into a file. + +[#ChTelLTE] + +=== LTE + +[#ChTelLTEMACTraffic] + +==== LTE MAC Traffic Statistics Window + +Statistics of the captured LTE MAC traffic. This window will summarize the LTE +MAC traffic found in the capture. + +.The “LTE MAC Traffic Statistics” window +image::images/ws-stats-lte-mac-traffic.png[{screenshot-attrs}] + +The top pane shows statistics for common channels. Each row in the middle pane +shows statistical highlights for exactly one UE/C-RNTI. In the lower pane, you +can see the for the currently selected UE/C-RNTI the traffic broken down by +individual channel. + +[#ChTelLTERLCGraph] + +==== LTE RLC Graph Window + +The LTE RLC Graph menu launches a graph which shows LTE Radio Link Control protocol sequence numbers changing over time along with acknowledgements which are received in the opposite direction. + +NOTE: That graph shows data of a single bearer and direction. The user can also launch it from the `RLC Statistics` window. + +.The RLC Graph window +image::images/ws-rlc-graph.png[{screenshot-attrs}] + +[.small]#_The image of the RLC Graph is borrowed from link:https://gitlab.com/wireshark/wireshark/-/wikis/RLC-LTE[Wireshark wiki]._# + +[#ChTelLTERLCTraffic] + +==== LTE RLC Traffic Statistics Window + +Statistics of the captured LTE RLC traffic. This window will summarize the LTE +RLC traffic found in the capture. + +.The “LTE RLC Traffic Statistics” window +image::images/ws-stats-lte-rlc-traffic.png[{screenshot-attrs}] + +At the top, the check-box allows this window to include RLC PDUs found within +MAC PDUs or not. This will affect both the PDUs counted as well as the display +filters generated (see below). + +The upper list shows summaries of each active UE. Each row in the lower list +shows statistical highlights for individual channels within the selected UE. + +The lower part of the windows allows display filters to be generated and set for +the selected channel. Note that in the case of Acknowledged Mode channels, if a +single direction is chosen, the generated filter will show data in that +direction and control PDUs in the opposite direction. + +[#ChTelMTP3] + +=== MTP3 Windows + +The Message Transfer Part level 3 (MTP3) protocol is a part of the Signaling System 7 (SS7). The Public Switched Telephone Networks use it for reliable, unduplicated and in-sequence transport of SS7 messaging between communication partners. + +This menu shows MTP3 Statistics and MTP3 Summary windows. + +[#ChTelOsmux] + +=== Osmux Windows + +OSmux is a multiplex protocol designed to reduce bandwidth usage of satellite-based GSM systems's voice (RTP-AMR) and signaling traffic. The OSmux menu opens the packet counter window with the related statistic data. The user can filter, copy or save the data into a file. + +[#ChTelRTP] + +=== RTP + +[#ChTelRTPStreams] + +==== RTP Streams Window + +The RTP streams window shows all RTP streams in capture file. Streams can be selected there and on selected streams other tools can be initiated. + +.The “RTP Streams” window +image::images/ws-tel-rtp-streams.png[{screenshot-attrs}] + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* Find Reverse +** kbd:[R] - Try search for reverse streams related to already selected streams. If found, selects them in the list too. +** btn:[Shift+R] - Select all pair streams (forward/reverse relation). +** btn:[Ctrl+R] - Select all single streams (no reverse stream does exist). +* kbd:[G] - Go to packet of stream under the mouse cursor. +* kbd:[M] - Mark all packets of selected streams. +* kbd:[P] - Prepare filter matching selected streams and apply it. +* kbd:[E] - Export selected streams in RTPDump format. +* kbd:[A] - Open <<ChTelRTPAnalysis,RTP Stream Analysis>> window and add selected streams to it. + +Available controls are: + +* Find Reverse +** btn:[Find Reverse] search for reverse stream of every selected stream. If found, selects it in the list too. +** btn:[Find All Pairs] select all streams which have forward/reverse relation. +** btn:[Find Only Single] select all streams which are single - have no reverse stream. +* btn:[Analyze] opens <<ChTelRTPAnalysis,RTP Stream Analysis>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Prepare Filter] prepares filter matching selected streams and apply it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Copy] copies information from table to clipboard in CSV or YAML. +* btn:[Export] exports selected streams in RTPDump format. + + +[#ChTelRTPAnalysis] + +==== RTP Stream Analysis Window + +The RTP analysis function takes the selected RTP streams and generates a list of +statistics on them including a graph. + +The menu:Telephony[RTP > RTP Stream Analysis] menu item is enabled only when the +selected packet is an RTP packet. When the action is selected, the RTP Stream +Analysis window is opened (if not already) and the RTP stream of the current +packet is added for analysis. If btn:[Ctrl] is pressed when selecting the +menu item, other RTP streams on the same addresses and ports (in both forward +and reverse direction) are scanned for and added to the window too if found. + +Every stream is shown on its own tab. Tabs are numbered as streams are added +and each tooltip shows the identification of the stream. When a tab is closed, +its number is not reused. The tab color matches the color of the corresponding +graph on the graph tab. + +.The “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_1.png[{screenshot-attrs}] + +.Error indicated in “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_3.png[{screenshot-attrs}] + +Per packet statistic shows: + +* Packet number +* Sequence number +* Delta (ms) to last packet +* Jitter (ms) +* Skew +* Bandwidth +* Marker - packet is marked in RTP header +* Status - information related to the packet. E. g. change of codec, DTMF number, warning about incorrect sequence number. + +Side panel left to packet list shows stream statistics: + +* Maximal delta and at which packet it occurred +* Maximal jitter +* Mean jitter +* Maximal skew +* Count of packets +* Count of lost packets - calculated from sequence numbers +* When the stream starts and first packet number +* Duration of the stream +* Clock drift +* Frequency drift + +[NOTE] +==== +Some statistic columns are calculated only when Wireshark is able to decode codec of RTP stream. +==== + +Available shortcuts are: + +* kbd:[G] - Go to selected packet of stream in packet list +* kbd:[N] - Move to next problem packet + +Available controls are: + +* Prepare Filter +** btn:[Current Tab] prepares filter matching current tab and applies it. +** btn:[All Tabs] prepares filter matching all tabs and applies it. +* btn:[Play Streams] opens <<ChTelRtpPlayer,RTP Player>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Export] allows export current stream or all streams as CSV or export graph as image in multiple different formats (PDF, PNG, BMP and JPEG). + +.Graph in “RTP Stream Analysis” window +image::images/ws-tel-rtpstream-analysis_2.png[{screenshot-attrs}] + +Graph view shows graph of: + +* jitter +* difference - absolute value of difference between expected and real time of packet arrival +* delta - time difference from reception of previous packet + +for every stream. Checkboxes below graph are enabling or disabling showing of a graph for every stream. btn:[Stream X] checkbox enables or disables all graphs for the stream. + +[NOTE] +==== +Stream Analysis window contained tool for save audio and payload for analyzed streams. This tool was moved in Wireshark 3.5.0 to <<ChTelRtpPlayer,RTP Player>> window. New tool has more features. +==== + +[#ChTelRtpPlayer] + +==== RTP Player Window + +The RTP Player function is a tool for playing VoIP calls. It shows RTP streams +and their waveforms, and can play the streams and export them to file as audio +or raw payload. See related concepts in <<ChTelPlayingCalls>>. + +The menu:Telephony[RTP > RTP Player] menu item is enabled only when the +selected packet is an RTP packet. When the action is selected, the RTP Player +window is opened (if not already) and the RTP stream of the current packet is +added to the playlist. If btn:[Ctrl] is pressed when selecting the menu item, +other RTP streams on the same addresses and ports (in both forward and reverse +direction) are scanned for and added to the playlist too if found. + +.RTP Player window +image::images/ws-tel-rtp-player_1.png[{screenshot-attrs}] + +RTP Player Window consists of three parts: + +. Waveform view +. Playlist +. Controls + +Waveform view shows visual presentation of RTP stream. Color of waveform and playlist row are matching. Height of wave shows volume. + +Waveform shows error marks for Out of Sequence, Jitter Drops, Wrong Timestamps and Inserted Silence marks if it happens in a stream. + +.Waveform with error marks +image::images/ws-tel-rtp-player_3.png[{screenshot-attrs}] + +Playlist shows information about every stream: + +* Play - Audio routing +* Source Address, Source Port, Destination Address, Destination Port, SSRC +* Setup Frame +** SETUP <number> is shown, when there is known signaling packet. Number is packet number of signaling packet. Note: Word SETUP is shown even RTP stream was initiated e. g. by SKINNY where no SETUP message exists. +** RTP <number> is shown, when no related signaling was found. Number is packet number of first packet of the stream. +* Packets - Count of packets in the stream. +* Time Span - Start - Stop (Duration) of the stream +* SR - Sample rate of used codec +* PR - Decoded play rate used for stream playing +* Payloads - One or more payload types used by the stream + +[NOTE] +==== +When rtp_udp is active, most of streams shows just RTP <number> even there is setup frame in capture. + +When RTP stream contains multiple codecs, SR and PR is based on first observed coded. Later codecs in stream are resampled to first one. +==== + +Controls allow a user to: + +* btn:[Start]/btn:[Pause]/btn:[Stop] playing of unmuted streams +* btn:[>>] enabling/disabling silence skipping +** Min silence - Minimal duration of silence to skip in seconds. Shorter silence is played as it is. +* Select btn:[Output audio device] and btn:[Output audio rate] +* Select btn:[Playback Timing] +** Jitter Buffer - Packets outside btn:[Jitter Buffer] size are discarded during decoding +** RTP Timestamp - Packets are ordered and played by its Timestamp, no Jitter Buffer is used +** Uninterrupted Mode - All gaps (e. g. Comfort Noise, lost packets) are discarded therefore audio is shorted than timespan +* btn:[Time of Day] selects whether waveform timescale is shown in seconds from start of capture or in absolute time of received packets +* btn:[Refresh streams] refreshes streams during live capture (see <<ChTelPlayingCallsLive>>). Button is disabled when no live capture is running. +* Inaudible streams +** btn:[Select] select all inaudible streams (streams with zero play rate) +** btn:[Deselect] deselect all inaudible streams (streams with zero play rate) +* btn:[Analyze] open <<ChTelRTPAnalysis,RTP Stream Analysis>> window. Actions btn:[Set], btn:[Add] and btn:[Remove] are available. +* btn:[Prepare Filter] prepare filter matching selected streams and apply it. +* btn:[Export] - See <<tel-rtp-export>>. + +[NOTE] +==== +RTP Player detects silence just by missing voice samples (Comfort Noise, interrupted RTP, missing RTP, ...) or when some streams are muted. +==== + +.RTP stream state indication +image::images/ws-tel-rtp-player_2.png[{screenshot-attrs}] + +Waveform view and playlist shows state of a RTP stream: + +. stream is muted (dashed waveform, menu:Muted[] is shown in Play column) or unmuted (non-dashed waveform, audio routing is shown in Play column) +. stream is selected (blue waveform, blue row) +. stream is below mouse cursor (bold waveform, bold font) + +User can control to where audio of a stream is routed to: + +* L - Left channel +* L+R - Left and Right (Middle) channel +* R - Left channel +* P - Play (when mono soundcard is available only) +* M - Muted + +Audio routing can be changed by double clicking on first column of a row, by shortcut or by menu. + +User can use shortcuts: + +* Selection +** kbd:[Ctrl + A] - Select all streams +** kbd:[Ctrl + I] - Invert selection +** kbd:[Ctrl + Shift + A] - Select none +** Note: Common kbd:[Mouse click], kbd:[Shift + Mouse click] and kbd:[Ctrl + Mouse click] works too +* Go to packet +** kbd:[G] - Go to packet of stream under the mouse cursor +** kbd:[Shift + G] - Go to setup packet of stream under the mouse cursor +* Audio routing +** kbd:[M] - Mute all selected streams +** kbd:[Shift + M] - Unmute all selected streams +** kbd:[Ctrl + M] - Invert muting of all selected streams +* kbd:[P] - Play audio +* kbd:[S] - Stop playing +* kbd:[Del] or kbd:[Ctrl + X] - Remove all selected streams from playlist +* Inaudible steams +** kbd:[N] - Select all inaudible streams +** kbd:[Shift + N] - Deselect all inaudible streams + +[#tel-rtp-export] + +===== Export + +[NOTE] +==== +menu:Export[] was moved from menu:RTP Stream Analysis[] window to menu:RTP Player[] window in 3.5.0. + +Wireshark is able to export decoded audio in .au or .wav file format. Prior to version 3.2.0, Wireshark only supported exporting audio using the G.711 codec. From 3.2.0 it supports audio export using any codec with 8000 Hz sampling. From 3.5.0 is supported export of any codec, rate is defined by Output Audio Rate. +==== + +Export options available: + +* for one or more selected non-muted streams +** From cursor - Streams are saved from play start cursor. If some streams are shorter, they are removed from the list before save and count of saved streams is lower than count of selected streams. +** Stream Synchronized Audio - File starts at the begin of earliest stream in export, therefore there is no silence at beginning of exported file. +** File Synchronized Audio - Streams starts at beginning of file, therefore silence can be at start of file. +* for just one selected stream +** Payload - just payload with no information about coded is stored in the file + +Audio is exported as multi-channel file - one channel per RTP stream. One or two channels are equal to mono or stereo, but Wireshark can export e.g., 100 channels. For playing a tool with multi-channel support must be used (e.g., https://www.audacityteam.org/). + +Export of payload function is useful for codecs not supported by Wireshark. + +[NOTE] +==== +Default value of btn:[Output Audio Rate] is btn:[Automatic]. When multiple codecs with different codec rates are captured, Wireshark decodes each stream with its own play audio rate. Therefore, each stream can have a different audio rate. If you attempt to export audio when there are multiple audio rates, it will fail because .au or .wav require a fixed audio rate. + +In this case user must manually select one of rates in btn:[Output Audio Rate], streams will be resampled and audio export succeeds. +==== + +[#ChTelRTSP] + +=== RTSP Window + +In the Real Time Streaming Protocol (RTSP) menu the user can check the Packet Counter window. It shows Total RTCP Packets and divided into RTSP Response Packets, RTSP Request Packets and Other RTSP packets. The user can filter, copy or save the data into a file. + +[#ChTelSCTP] + +=== SCTP Windows + +Stream Control Transmission Protocol (SCTP) is a computer network protocol which provides a message transfer in telecommunication in the transport layer. It overcomes some lacks of User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). The SCTP packets consist of the _common header_ and the _data chunks_. + +The SCTP Analyze Association window shows the statistics of the captured packets between two Endpoints. You can check the different chunk types by pressing btn:[Chunk Statistics] button in the `Statistics` tab. In the `Endpoint` tabs you can see various statistics, such as IP addresses, ports and others. You can also check different graphs here. + +.SCTP Analyze Association window +image::images/ws-sctp-1-association.png[{screenshot-attrs}] + +The SCTP Associations window shows the table with the data for captured packets, such as port and counter. You can also call for the SCTP Analyze Association window by pressing the btn:[Analyze] button. + +.SCTP Associations window +image::images/ws-sctp.png[{screenshot-attrs}] + +[#ChTelSMPPOperations] + +=== SMPP Operations Window + +Short Message Peer-to-Peer (SMPP) protocol uses TCP protocol as its transfer for exchanging Short Message Service (SMS) Messages, mainly between Short Message Service Centers (SMSC). The dissector determines whether the captured packet is SMPP or not by using the heuristics in the fixed header. The SMPP Operations window displays the related statistical data. The user can filter, copy or save the data into a file. + +[#ChTelUCPMessages] + +=== UCP Messages Window + +The Universal Computer Protocol (UCP) plays role in transferring Short Messages between a Short Message Service Centre (SMSC) and an application, which is using transport protocol, such as TCP or X.25. The UCP Messages window displays the related statistical data. The user can filter, copy or save the data into a file. + +[#ChTelH225] + +=== H.225 Window + +H.225 telecommunication protocol which is responsible for messages in call signaling and media stream packetization for packet-based multimedia communication systems. The H.225 window shows the counted messages by types and reasons. The user can filter, copy or save the data into a file. + +[#ChTelSIPFlows] + +=== SIP Flows Window + +Session Initiation Protocol (SIP) Flows window shows the list of all captured SIP transactions, such as client registrations, messages, calls and so on. + +This window will list both complete and in-progress SIP transactions. + +Window has same features as <<ChTelVoipCalls,VoIP Calls>> window. + +[#ChTelSIPStatistics] + +=== SIP Statistics Window + +SIP Statistics window shows captured SIP transactions. It is divided into SIP Responses and SIP Requests. In this window the user can filter, copy or save the statistics into a file. + +[#ChTelWAPWSPPacketCounter] + +=== WAP-WSP Packet Counter Window + +The WAP-WSP Packet Counter menu displays the number of packets for each Status Code and PDU Type in Wireless Session Protocol traffic. The user can filter, copy or save the data into a file. + +// End of WSUG Chapter Telephony diff --git a/docbook/wsug_src/wsug_tools.adoc b/docbook/wsug_src/wsug_tools.adoc new file mode 100644 index 0000000..3a83d05 --- /dev/null +++ b/docbook/wsug_src/wsug_tools.adoc @@ -0,0 +1,301 @@ +// WSUG Appendix Tools + +[#AppTools] + +[appendix] +== Related command line tools + +[#AppToolsIntroduction] + +=== Introduction + +Wireshark comes with an array of +command line tools which can be helpful for packet analysis. Some of +these tools are described in this chapter. You can find more +information about all of Wireshark’s command line tools on +link:{wireshark-man-page-url}[the web site]. + +[#AppToolstshark] + +=== __tshark__: Terminal-based Wireshark + +TShark is a terminal oriented version of Wireshark designed for capturing and +displaying packets when an interactive user interface isn’t necessary or +available. It supports the same options as `wireshark`. For more information on +`tshark` consult your local manual page (`man tshark`) or +link:{wireshark-man-page-url}tshark.html[the online version]. + +[#AppToolstsharkEx] +.Help information available from `tshark` +---- +include::tshark-h.txt[] +---- + +[#AppToolstcpdump] + +=== __tcpdump__: Capturing with “tcpdump” for viewing with Wireshark + +It’s often more useful to capture packets using `tcpdump` rather than +`wireshark`. For example, you might want to do a remote capture and either don’t +have GUI access or don’t have Wireshark installed on the remote machine. + +Older versions of `tcpdump` truncate packets to 68 or 96 bytes. If this is the case, +use `-s` to capture full-sized packets: + +---- +$ tcpdump -i <interface> -s 65535 -w <file> +---- + +You will have to specify the correct _interface_ and the name of a _file_ to +save into. In addition, you will have to terminate the capture with ^C when you +believe you have captured enough packets. + +`tcpdump` is not part of the Wireshark distribution. You can get it from +{tcpdump-main-url} or as a standard package in most Linux distributions. +For more information on `tcpdump` consult your local manual page (`man +tcpdump`) or link:{tcpdump-man-page-url}[the online version]. + +[#AppToolsdumpcap] + +=== __dumpcap__: Capturing with “dumpcap” for viewing with Wireshark + +Dumpcap is a network traffic dump tool. It captures packet data from a live +network and writes the packets to a file. Dumpcap’s native capture file format +is pcapng, which is also the format used by Wireshark. + +By default, Dumpcap uses the pcap library to capture traffic +from the first available network interface and writes the received raw +packet data, along with the packets’ time stamps into a pcapng file. The +capture filter syntax follows the rules of the pcap library. For more +information on `dumpcap` consult your local manual page (`man dumpcap`) +or link:{wireshark-man-page-url}dumpcap.html[the online version]. + +[#AppToolsdumpcapEx] +.Help information available from `dumpcap` +---- +include::dumpcap-h.txt[] +---- + +[#AppToolscapinfos] + +=== __capinfos__: Print information about capture files + +`capinfos` can print information about capture files including the file +type, number of packets, date and time information, and file hashes. +Information can be printed in human and machine readable formats. For +more information on `capinfos` consult your local manual page (`man +capinfos`) or link:{wireshark-man-page-url}capinfos.html[the online +version]. + +[#AppToolscapinfosEx] +.Help information available from `capinfos` +---- +include::capinfos-h.txt[] +---- + +[#AppToolsrawshark] + +=== __rawshark__: Dump and analyze network traffic. + +Rawshark reads a stream of packets from a file or pipe, and prints a +line describing its output, followed by a set of matching fields for +each packet on stdout. For more information on `rawshark` consult your +local manual page (`man rawshark`) or +link:{wireshark-man-page-url}rawshark.html[the online version]. + +[#AppToolsrawsharkEx] +.Help information available from `rawshark` +---- +include::rawshark-h.txt[] +---- + +[#AppToolseditcap] + +=== __editcap__: Edit capture files + +`editcap` is a general-purpose utility for modifying capture files. Its +main function is to remove packets from capture files, but it can also +be used to convert capture files from one format to another, as well as +to print information about capture files. For more information on +`editcap` consult your local manual page (`man editcap`) or +link:{wireshark-man-page-url}editcap.html[the online version]. + +[#AppToolseditcapEx] +.Help information available from editcap +---- +include::editcap-h.txt[] +---- + +[#AppToolseditcapEx1] +.Capture file types available from `editcap -F` +---- +include::editcap-F.txt[] +---- + +[#AppToolseditcapEx2] +.Encapsulation types available from `editcap -T` + +---- +include::editcap-T.txt[] +---- + +[#AppToolsmergecap] + +=== __mergecap__: Merging multiple capture files into one + +Mergecap is a program that combines multiple saved capture files into a single +output file specified by the `-w` argument. Mergecap can read libpcap +capture files, including those of tcpdump. In addition, Mergecap can read +capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer +(compressed or uncompressed), Microsoft Network Monitor, AIX’s iptrace, NetXray, +Sniffer Pro, RADCOM’s WAN/LAN analyzer, Lucent/Ascend router debug output, +HP-UX’s nettl, and the dump output from Toshiba’s ISDN routers. There is no need +to tell Mergecap what type of file you are reading; it will determine the file +type by itself. Mergecap is also capable of reading any of these file formats if +they are compressed using `gzip`. Mergecap recognizes this directly from the +file; the “.gz” extension is not required for this purpose. + +By default, Mergecap writes all of the packets in the input capture files to a +pcapng file. The `-F` flag can be used +to specify the capture file's output format ; it can write the file +in libpcap format (standard libpcap format, a modified format used by some +patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format +used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft +Network Monitor 1.x format, and the format used by Windows-based versions of the +Sniffer software. + +Packets from the input files are merged in chronological order based on each +frame’s timestamp, unless the `-a` flag is specified. Mergecap assumes that +frames within a single capture file are already stored in chronological order. +When the `-a` flag is specified, packets are copied directly from each input +file to the output file, independent of each frame’s timestamp. + +If the `-s` flag is used to specify a snapshot length, frames in the input file +with more captured data than the specified snapshot length will have only the +amount of data specified by the snapshot length written to the output file. This +may be useful if the program that is to read the output file cannot handle +packets larger than a certain size (for example, the versions of snoop in +Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the +standard Ethernet MTU, making them incapable of handling gigabit Ethernet +captures if jumbo frames were used). + +If the `-T` flag is used to specify an encapsulation type, the encapsulation +type of the output capture file will be forced to the specified type, rather +than being the type appropriate to the encapsulation type of the input capture +file. Note that this merely forces the encapsulation type of the output file to +be the specified type; the packet headers of the packets will not be translated +from the encapsulation type of the input capture file to the specified +encapsulation type (for example, it will not translate an Ethernet capture to an +FDDI capture if an Ethernet capture is read and `-T fddi` is specified). + +For more information on `mergecap` consult your local manual page (`man +mergecap`) or link:{wireshark-man-page-url}mergecap.html[the online +version]. + +[#AppToolsmergecapEx] +.Help information available from `mergecap` +---- +include::mergecap-h.txt[] +---- + +A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into +`outfile.pcapng` is shown below. + +[#AppToolsmergecapExSimple] +.Simple example of using mergecap +---- +$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng +---- + +[#AppToolstext2pcap] + +=== __text2pcap__: Converting ASCII hexdumps to network captures + +There may be some occasions when you wish to convert a hex dump of some network +traffic into a capture file. + +`text2pcap` is a program that reads in an ASCII hex dump and writes the data +described into any capture file format supported by libwiretap. `text2pcap` can +read hexdumps with multiple packets in them, and build a capture file of +multiple packets. +`text2pcap` is also capable of generating dummy Ethernet, IP, UDP, TCP or SCTP +headers, in order to build fully processable packet dumps from hexdumps of +application-level data only. + +`text2pcap` understands a hexdump of the form generated by `od -A x -t x1`. In +other words, each byte is individually displayed and surrounded with a space. +Each line begins with an offset describing the position in the packet, each new +packet starts with an offset of 0 and there is a space separating the offset +from the following bytes. The offset +is a hex number (can also be octal - see `-o`), of more than two hex digits. Here +is a sample dump that `text2pcap` can recognize: + +---- +000000 00 e0 1e a7 05 6f 00 10 ........ +000008 5a a0 b9 12 08 00 46 00 ........ +000010 03 68 00 00 00 00 0a 2e ........ +000018 ee 33 0f 19 08 7f 0f 19 ........ +000020 03 80 94 04 00 00 10 01 ........ +000028 16 a2 0a 00 03 50 00 0c ........ +000030 01 01 0f 19 03 80 11 01 ........ +---- + +There is no limit on the width or number of bytes per line. Also the text dump +at the end of the line is ignored. Bytes/hex numbers can be uppercase or +lowercase. Any text before the offset is ignored, including email forwarding +characters “>”. Any lines of text between the bytestring lines is ignored. +The offsets are used to track the bytes, so offsets must be correct. Any line +which has only bytes without a leading offset is ignored. An offset is +recognized as being a hex number longer than two characters. Any text after the +bytes is ignored (e.g., the character dump). Any hex numbers in this text are +also ignored. An offset of zero is indicative of starting a new packet, so a +single text file with a series of hexdumps can be converted into a packet +capture with multiple packets. Packets may be preceded by a timestamp. These +are interpreted according to the format given on the command line. If not, the +first packet is timestamped with the current time the conversion takes place. +Multiple packets are written with timestamps differing by one microsecond each. +In general, short of these restrictions, `text2pcap` +is pretty liberal about reading in hexdumps and has been tested with a variety +of mangled outputs (including being forwarded through email multiple times, with +limited line wrap etc.) + +There are a couple of other special features to note. Any line where the first +non-whitespace character is “#” will be ignored as a comment. Any line beginning +with #TEXT2PCAP is a directive and options can be inserted after this command to +be processed by `text2pcap`. Currently there are no directives implemented; in the +future, these may be used to give more fine-grained control on the dump and the +way it should be processed e.g., timestamps, encapsulation type etc. + +`text2pcap` also allows the user to read in dumps of application-level data, by +inserting dummy L2, L3 and L4 headers before each packet. Possibilities include +inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or TCP, +or SCTP before each packet. This allows Wireshark or any other full-packet +decoder to handle these dumps. + +For more information on `text2pcap` consult your local manual page (`man +text2pcap`) or link:{wireshark-man-page-url}text2pcap.html[the online +version]. + +[#AppToolstext2pcapEx] +.Help information available from text2pcap + +---- +include::text2pcap-h.txt[] +---- + +[#AppToolsreordercap] + +=== __reordercap__: Reorder a capture file + +`reordercap` lets you reorder a capture file according to the packets +timestamp. For more information on `reordercap` consult your local +manual page (`man reordercap`) or +link:{wireshark-man-page-url}reordercap.html[the online version]. + +[#AppToolsreordercapEx] +.Help information available from reordercap +---- +include::reordercap-h.txt[] +---- + +// End of WSUG Appendix Tools diff --git a/docbook/wsug_src/wsug_troubleshoot.adoc b/docbook/wsug_src/wsug_troubleshoot.adoc new file mode 100644 index 0000000..ededd77 --- /dev/null +++ b/docbook/wsug_src/wsug_troubleshoot.adoc @@ -0,0 +1,79 @@ +// WSUG Chapter Four + +[#Chap04] + +== Troubleshooting with Wireshark + +=== An approach to troubleshooting with Wireshark + +Wireshark is a very useful tool for network troubleshooting, since it contains a +number of features that allow you to quickly focus on problems in your network +for several reasons: + +* It allows you to focus in on specific packets and protocols, as you can see a + large amount of detail associated with various protocols. + +* It supports a large number of protocols, and the list of protocols supported + is growing as more people contribute dissectors + +* By giving you a visual view of traffic in parts of your network, and providing + tools to filter and colorize that information, you can get a better feel for + your network traffic, and can understand your network better. + +The following general approach is suggested: + +* Determine that the problem looks like a networking problem. There is no point + in capturing packets if the problem is not networking related. + +* Figure out where to capture packets. You will have to capture packets from a + part of the network where you can actually get network traffic related to the + problem. This is especially important in the presence of switches and routers. + See <<Ch04ROUSWI>> for more details. ++ +Because Wireshark can read many capture file formats, you can capture using any +convenient tool. One useful approach is to use _tcpdump_ to capture on remote +systems and then copy the capture file to your system for later analysis. For +more details on capturing with _tcpdump_, see <<Ch05tcpdump>>. + +* Once you have captured packets that you think relate to the problem, load them + into Wireshark and look for your problem. Using Wireshark’s filtering and + colorization capabilities, you can quickly narrow down the capture to the area + of interest. + +* Examine the appropriate fields within the packets where the problem appears to + be. These can often help to reveal the problem. + +[#Ch04ROUSWI] + +=== Capturing in the presence of switches and routers + +In the old days of Ethernet, all network traffic was spread over one “yellow” +cable through the whole network. Capturing data was easy, as all packets from +the network could be captured using the “promiscuous mode” at any place in the +network. The only devices blocking network traffic, were routers. But as routers +were extremely expensive, they were not widely used. + +Then Ethernet wiring using hubs become the state of the art. As the hubs still +spaded the packets all over the network, things regarding capturing didn’t +change. + +At the next stage, Ethernet switches became widely available. This complicated +things a lot. When capturing traffic on a computer connected to a switch, +usually the switch will only forward packets to the computer, which are directed +to it, or to all computers (broadcasts). It’s much the same like deactivating +the promiscuous mode of the capturing network card. + +There are some ways to circumvent this. + +Many vendor’s switches support a feature known as “port spanning” or “port +mirroring” in which all of the traffic to and from port A are also sent out +port B. + +=== Examples of troubleshooting + +Troubleshooting often requires a reasonable knowledge of the protocols in +question. However, as Wireshark will often give you some good hints, you might +get an idea of what is going wrong simply by looking in the packets being +exchanged. + +// End of WSUG Chapter 4 diff --git a/docbook/wsug_src/wsug_use.adoc b/docbook/wsug_src/wsug_use.adoc new file mode 100644 index 0000000..7861a7d --- /dev/null +++ b/docbook/wsug_src/wsug_use.adoc @@ -0,0 +1,1171 @@ +// WSUG User Interface Chapter + +[#ChapterUsing] + +== User Interface + +[#ChUseIntroductionSection] + +=== Introduction + +By now you have installed Wireshark and are likely keen to get started +capturing your first packets. In the next chapters we will explore: + +* How the Wireshark user interface works +* How to capture packets in Wireshark +* How to view packets in Wireshark +* How to filter packets in Wireshark +* ... and many other things! + +[#ChUseStartSection] + +=== Start Wireshark + +You can start Wireshark from your shell or window manager. + +[TIP] +.Power user tip +==== +When starting Wireshark it’s possible to specify optional settings using the +command line. See <<ChCustCommandLine>> for details. +==== + +The following chapters contain many screenshots of Wireshark. As +Wireshark runs on many different platforms with many different window managers, +different styles applied and there are different versions of the underlying GUI +toolkit used, your screen might look different from the provided screenshots. +But as there are no real differences in functionality these screenshots should +still be well understandable. + +[#ChUseMainWindowSection] + +=== The Main window + +Let’s look at Wireshark’s user interface. <<ChUseFig01>> shows Wireshark as you +would usually see it after some packets are captured or loaded (how to do this +will be described later). + +[#ChUseFig01] +.The Main window +image::images/ws-main.png[{screenshot-attrs}] + +Wireshark’s main window consists of parts that are commonly known from many +other GUI programs. + +. The _menu_ (see <<ChUseMenuSection>>) is used to start actions. +. The _main toolbar_ (see <<ChUseMainToolbarSection>>) provides quick access to + frequently used items from the menu. +. The _filter toolbar_ (see <<ChUseFilterToolbarSection>>) allows users to + set _display filters_ to filter which packets are displayed (see + <<ChWorkDisplayFilterSection>>). +. The _packet list pane_ (see <<ChUsePacketListPaneSection>>) displays a summary + of each packet captured. By clicking on packets in this pane you control what is + displayed in the other two panes. +. The _packet details pane_ (see <<ChUsePacketDetailsPaneSection>>) displays the + packet selected in the packet list pane in more detail. +. The _packet bytes pane_ (see <<ChUsePacketBytesPaneSection>>) displays the + data from the packet selected in the packet list pane, and highlights the field + selected in the packet details pane. +. The _packet diagram pane_ (see <<ChUsePacketDiagramPaneSection>>) displays the + packet selected in the packet list as a textbook-style diagram. +. The _statusbar_ (see <<ChUseStatusbarSection>>) shows some detailed + information about the current program state and the captured data. + +[TIP] +==== +The layout of the main window can be customized by changing preference settings. +See <<ChCustPreferencesSection>> for details. +==== + +[#ChUseMainWindowNavSection] + +==== Main Window Navigation + +Packet list and detail navigation can be done entirely from the keyboard. +<<ChUseTabNav>> shows a list of keystrokes that will let you quickly move around +a capture file. See <<ChUseTabGo>> for additional navigation keystrokes. + +[#ChUseTabNav] +.Keyboard Navigation +[options="header",cols="1,3"] +|=== +|Accelerator |Description +|kbd:[Tab] or kbd:[Shift+Tab]|Move between screen elements, e.g., from the toolbars to the packet list to the packet detail. +|kbd:[↓] |Move to the next packet or detail item. +|kbd:[↑] |Move to the previous packet or detail item. +|kbd:[Ctrl+↓] or kbd:[F8] |Move to the next packet, even if the packet list isn’t focused. +|kbd:[Ctrl+↑] or kbd:[F7] |Move to the previous packet, even if the packet list isn’t focused. +|kbd:[Ctrl+.] |Move to the next packet of the conversation (TCP, UDP or IP). +|kbd:[Ctrl+,] |Move to the previous packet of the conversation (TCP, UDP or IP). +|kbd:[Alt+→] or kbd:[Option+→] (macOS) |Move to the next packet in the selection history. +|kbd:[Alt+←] or kbd:[Option+←] (macOS) |Move to the previous packet in the selection history. +|kbd:[←] |In the packet detail, closes the selected tree item. If it’s already closed, jumps to the parent node. +|kbd:[→] |In the packet detail, opens the selected tree item. +|kbd:[Shift+→] |In the packet detail, opens the selected tree item and all of its subtrees. +|kbd:[Ctrl+→] |In the packet detail, opens all tree items. +|kbd:[Ctrl+←] |In the packet detail, closes all tree items. +|kbd:[Backspace] |In the packet detail, jumps to the parent node. +|kbd:[Return] or kbd:[Enter] |In the packet detail, toggles the selected tree item. +|=== + +menu:Help[About Wireshark,Keyboard Shortcuts] will show a list of all shortcuts +in the main window. Additionally, typing anywhere in the main window will start +filling in a display filter. + +[#ChUseMenuSection] + +=== The Menu + +Wireshark’s main menu is located either at the top of the main window (Windows, +Linux) or at the top of your main screen (macOS). An example is shown in +<<ChUseWiresharkMenu>>. + +[NOTE] +==== +Some menu items will be disabled (greyed out) if the corresponding feature isn’t +available. For example, you cannot save a capture file if you haven’t captured +or loaded any packets. +==== + +[#ChUseWiresharkMenu] +.The Menu +image::images/ws-menu.png[{screenshot-attrs}] + +The main menu contains the following items: + +menu:File[]:: +This menu contains items to open and merge capture files, save, print, or export +capture files in whole or in part, and to quit the Wireshark application. See +<<ChUseFileMenuSection>>. + +menu:Edit[]:: +This menu contains items to find a packet, time reference or mark one or more +packets, handle configuration profiles, and set your preferences; (cut, copy, +and paste are not presently implemented). See <<ChUseEditMenuSection>>. + +menu:View[]:: +This menu controls the display of the captured data, including colorization of +packets, zooming the font, showing a packet in a separate window, expanding and +collapsing trees in packet details, .... See <<ChUseViewMenuSection>>. + +menu:Go[]:: +This menu contains items to go to a specific packet. See <<ChUseGoMenuSection>>. + +menu:Capture[]:: +This menu allows you to start and stop captures and to edit capture filters. See +<<ChUseCaptureMenuSection>>. + +menu:Analyze[]:: +This menu contains items to manipulate display filters, enable or disable the +dissection of protocols, configure user specified decodes and follow a TCP +stream. See <<ChUseAnalyzeMenuSection>>. + +menu:Statistics[]:: +This menu contains items to display various statistic windows, including a +summary of the packets that have been captured, display protocol hierarchy +statistics and much more. See <<ChUseStatisticsMenuSection>>. + +menu:Telephony[]:: +This menu contains items to display various telephony related statistic windows, +including a media analysis, flow diagrams, display protocol hierarchy statistics +and much more. See <<ChUseTelephonyMenuSection>>. + +menu:Wireless[]:: +This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics. + +menu:Tools[]:: +This menu contains various tools available in Wireshark, such as creating +Firewall ACL Rules. See <<ChUseToolsMenuSection>>. + +menu:Help[]:: +This menu contains items to help the user, e.g., access to some basic help, +manual pages of the various command line tools, online access to some of the +webpages, and the usual about dialog. See <<ChUseHelpMenuSection>>. + +Each of these menu items is described in more detail in the sections that follow. + +[TIP] +.Shortcuts make life easier +==== +Most common menu items have keyboard shortcuts. For example, you can +press the Control and the K keys together to open the +“Capture Options” dialog. +==== + +[#ChUseFileMenuSection] + +=== The “File” Menu + +The Wireshark file menu contains the fields shown in <<ChUseTabFile>>. + +[#ChUseWiresharkFileMenu] +.The “File” Menu +image::images/ws-file-menu.png[{screenshot-attrs}] + +[#ChUseTabFile] +.File menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description + +|menu:Open...[] |kbd:[Ctrl+O]| +This shows the file open dialog box that allows you to load a +capture file for viewing. It is discussed in more detail in <<ChIOOpen>>. + +|menu:Open Recent[] | | +This lets you open recently opened capture files. +Clicking on one of the submenu items will open the corresponding capture file +directly. + +|menu:Merge...[] | | +This menu item lets you merge a capture file into the currently loaded one. It +is discussed in more detail in <<ChIOMergeSection>>. + +|menu:Import from Hex Dump...[] | | +This menu item brings up the import file dialog box that allows you to import a +text file containing a hex dump into a new temporary capture. It is discussed in +more detail in <<ChIOImportSection>>. + +|menu:Close[] |kbd:[Ctrl+W]| +This menu item closes the current capture. If you haven’t saved the capture, you +will be asked to do so first (this can be disabled by a preference setting). + +|menu:Save[] |kbd:[Ctrl+S]| +This menu item saves the current capture. If you have not set a default capture +file name (perhaps with the -w <capfile> option), Wireshark pops up the +Save Capture File As dialog box (which is discussed further in <<ChIOSaveAs>>). + +If you have already saved the current capture, this menu item will be greyed +out. + +You cannot save a live capture while the capture is in progress. You must +stop the capture in order to save. + +|menu:Save As...[] |kbd:[Shift+Ctrl+S]| +This menu item allows you to save the current capture file to whatever file you +would like. It pops up the Save Capture File As dialog box (which is discussed +further in <<ChIOSaveAs>>). + +|menu:File Set[List Files] || +This menu item allows you to show a list of files in a file set. It pops up the +Wireshark List File Set dialog box (which is discussed further in +<<ChIOFileSetSection>>). + +|menu:File Set[Next File] || +If the currently loaded file is part of a file set, jump to the next file in the +set. If it isn’t part of a file set or just the last file in that set, this item +is greyed out. + +|menu:File Set[Previous File] || +If the currently loaded file is part of a file set, jump to the previous file in +the set. If it isn’t part of a file set or just the first file in that set, this +item is greyed out. + +|menu:Export Specified Packets...[] || +This menu item allows you to export all (or some) of the packets in the capture +file to file. It pops up the Wireshark Export dialog box (which is discussed +further in <<ChIOExportSection>>). + +|menu:Export Packet Dissections...[]|kbd:[Ctrl+H]| +These menu items allow you to export the currently selected bytes in the packet +bytes pane to a text file in a number of formats including plain, CSV, +and XML. It is discussed further in <<ChIOExportSelectedDialog>>. + +|menu:Export Objects[] || +These menu items allow you to export captured DICOM, HTTP, IMF, SMB, or +TFTP objects into local files. It pops up a corresponding object list +(which is discussed further in <<ChIOExportObjectsDialog>>) + +|menu:Print...[] |kbd:[Ctrl+P]| +This menu item allows you to print all (or some) of the packets in the capture +file. It pops up the Wireshark Print dialog box (which is discussed further in +<<ChIOPrintSection>>). + +|menu:Quit[] |kbd:[Ctrl+Q]| +This menu item allows you to quit from Wireshark. Wireshark will ask to save +your capture file if you haven’t previously saved it (this can be disabled by a +preference setting). + +|=== + +[#ChUseEditMenuSection] + +=== The “Edit” Menu + +The Wireshark Edit menu contains the fields shown in <<ChUseTabEdit>>. + +[#ChUseWiresharkEditMenu] +.The “Edit” Menu +image::images/ws-edit-menu.png[{screenshot-attrs}] + +[#ChUseTabEdit] +.Edit menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description +|menu:Copy[] || +These menu items will copy the packet list, packet detail, or properties of +the currently selected packet to the clipboard. + +|menu:Find Packet...[] |kbd:[Ctrl+F] | +This menu item brings up a toolbar that allows you to find a packet by many +criteria. There is further information on finding packets in +<<ChWorkFindPacketSection>>. + +|menu:Find Next[] |kbd:[Ctrl+N] | +This menu item tries to find the next packet matching the settings from “Find +Packet...”. + +|menu:Find Previous[] |kbd:[Ctrl+B] | +This menu item tries to find the previous packet matching the settings from +“Find Packet...”. + +|menu:Mark/Unmark Packet[] |kbd:[Ctrl+M] | +This menu item marks the currently selected packet. See +<<ChWorkMarkPacketSection>> for details. + +|menu:Mark All Displayed Packets[] |kbd:[Ctrl+Shift+M]| +This menu item marks all displayed packets. + +|menu:Unmark All Displayed Packets[] |kbd:[Ctrl+Alt+M] | +This menu item unmarks all displayed packets. + +|menu:Next Mark[] |kbd:[Ctrl+Shift+N] | +Find the next marked packet. + +|menu:Previous Mark[] |kbd:[Ctrl+Shift+B] | +Find the previous marked packet. + +|menu:Ignore/Unignore Packet[] |kbd:[Ctrl+D] | +This menu item marks the currently selected packet as ignored. See +<<ChWorkIgnorePacketSection>> for details. + +|menu:Ignore All Displayed[] |kbd:[Ctrl+Shift+D]| +This menu item marks all displayed packets as ignored. + +|menu:Unignore All Displayed[] |kbd:[Ctrl+Alt+D] | +This menu item unmarks all ignored packets. + +|menu:Set/Unset Time Reference[] |kbd:[Ctrl+T] | +This menu item set a time reference on the currently selected packet. See +<<ChWorkTimeReferencePacketSection>> for more information about the time +referenced packets. + +|menu:Unset All Time References[] |kbd:[Ctrl+Alt+T] | +This menu item removes all time references on the packets. + +|menu:Next Time Reference[] |kbd:[Ctrl+Alt+N] | +This menu item tries to find the next time referenced packet. + +|menu:Previous Time Reference[] |kbd:[Ctrl+Alt+B] | +This menu item tries to find the previous time referenced packet. + +|menu:Time Shift...[] |kbd:[Ctrl+Shift+T]| +Opens the “Time Shift” dialog, which allows you to adjust the timestamps +of some or all packets. + +|menu:Packet Comment...[] |kbd:[Ctrl+Alt+C] | +Opens the “Packet Comment” dialog, which lets you add a comment to a +single packet. Note that the ability to save packet comments depends on +your file format. E.g., pcapng supports comments, pcap does not. + +|menu:Delete All Packet Comments[] || +This will delete all comments from all packets. Note that the ability to save +capture comments depends on your file format. E.g., pcapng supports +comments, pcap does not. + +|menu:Inject TLS Secrets[] || +Embeds the used TLS decryption secrets into the capture file, which lets +TLS be decrypted without having the separate keylog file. +Note that the ability to save decryption secrets depends on your file +format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not. + +|menu:Discard All Secrets[] || +This will discard all embedded decryption secrets from the capture file. +Note that the ability to save decryption secrets depends on your file +format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not. + +|menu:Configuration Profiles...[] |kbd:[Ctrl+Shift+A]| +This menu item brings up a dialog box for handling configuration profiles. More +detail is provided in <<ChCustConfigProfilesSection>>. + +|menu:Preferences...[] |kbd:[Ctrl+Shift+P] or kbd:[Cmd+,] (macOS)| +This menu item brings up a dialog box that allows you to set preferences for +many parameters that control Wireshark. You can also save your preferences so +Wireshark will use them the next time you start it. More detail is provided in +<<ChCustPreferencesSection>>. + +|=== + +[#ChUseViewMenuSection] + +=== The “View” Menu + +The Wireshark View menu contains the fields shown in <<ChUseTabView>>. + +[#ChUseWiresharkViewMenu] +.The “View” Menu +image::images/ws-view-menu.png[{screenshot-attrs}] + +[#ChUseTabView] +.View menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator|Description +|menu:Main Toolbar[] ||This menu item hides or shows the main toolbar, see <<ChUseMainToolbarSection>>. +|menu:Filter Toolbar[] ||This menu item hides or shows the filter toolbar, see <<ChUseFilterToolbarSection>>. +|menu:Wireless Toolbar[]||This menu item hides or shows the wireless toolbar. May not be present on some platforms. +|menu:Statusbar[] ||This menu item hides or shows the statusbar, see <<ChUseStatusbarSection>>. +|menu:Packet List[] ||This menu item hides or shows the packet list pane, see <<ChUsePacketListPaneSection>>. +|menu:Packet Details[] ||This menu item hides or shows the packet details pane, see <<ChUsePacketDetailsPaneSection>>. +|menu:Packet Bytes[] ||This menu item hides or shows the packet bytes pane, see <<ChUsePacketBytesPaneSection>>. +|menu:Packet Diagram[] ||This menu item hides or shows the packet diagram pane. See <<ChUsePacketDiagramPaneSection>>. +|menu:Time Display Format[Date and Time of Day: 1970-01-01 01:02:03.123456]|| Selecting this tells Wireshark to display the time stamps in date and time of day format, see <<ChWorkTimeFormatsSection>>. + +The fields “Time of Day”, “Date and Time of Day”, “Seconds Since First +Captured Packet”, “Seconds Since Previous Captured Packet” and “Seconds +Since Previous Displayed Packet” are mutually exclusive. + +|menu:Time Display Format[Time of Day: 01:02:03.123456]||Selecting this tells Wireshark to display time stamps in time of day format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Epoch (1970-01-01): 1234567890.123456]||Selecting this tells Wireshark to display time stamps in seconds since 1970-01-01 00:00:00, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since First Captured Packet: 123.123456]||Selecting this tells Wireshark to display time stamps in seconds since first captured packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Previous Captured Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous captured packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Seconds Since Previous Displayed Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Automatic (File Format Precision)]||Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see <<ChWorkTimeFormatsSection>>. + +The fields “Automatic”, “Seconds” and “...seconds” are mutually exclusive. + +|menu:Time Display Format[Seconds: 0]||Selecting this tells Wireshark to display time stamps with a precision of one second, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[...seconds: 0....]||Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see <<ChWorkTimeFormatsSection>>. +|menu:Time Display Format[Display Seconds with hours and minutes]||Selecting this tells Wireshark to display time stamps in seconds, with hours and minutes. +|menu:Name Resolution[Edit Resolved Name]||This item allows you to manually enter names to resolve IP addresses in the current packet, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for MAC Layer]||This item allows you to control whether or not Wireshark translates MAC addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for Network Layer]||This item allows you to control whether or not Wireshark translates network addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Name Resolution[Enable for Transport Layer]||This item allows you to control whether or not Wireshark translates transport addresses into names, see <<ChAdvNameResolutionSection>>. +|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list. + +Enabling colorization will slow down the display of new packets while +capturing or loading capture files. + +|menu:Auto Scroll in Live Capture[] | |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane. +|menu:Zoom In[] |kbd:[Ctrl++] | Zoom into the packet data (increase the font size). +|menu:Zoom Out[] |kbd:[Ctrl+-] | Zoom out of the packet data (decrease the font size). +|menu:Normal Size[] |kbd:[Ctrl+=] | Set zoom level back to 100% (set font size back to normal). +|menu:Resize All Columns[] |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it. + +Resizing may take a significant amount of time, especially if a large capture file is loaded. + +|menu:Displayed Columns[] | |This menu items folds out with a list of all configured columns. These columns can now be shown or hidden in the packet list. +|menu:Expand Subtrees[] |kbd:[Shift+→]|This menu item expands the currently selected subtree in the packet details tree. +|menu:Collapse Subtrees[] |kbd:[Shift+←]|This menu item collapses the currently selected subtree in the packet details tree. +|menu:Expand All[] |kbd:[Ctrl+→] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture. +|menu:Collapse All[] |kbd:[Ctrl+←] |This menu item collapses the tree view of all packets in the capture list. +|menu:Colorize Conversation[] | |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. <<ChCustColorizationSection>>. +|menu:Colorize Conversation[Color 1-10] | |These menu items enable one of the ten temporary color filters based on the currently selected conversation. +|menu:Colorize Conversation[Reset coloring] | |This menu item clears all temporary coloring rules. +|menu:Colorize Conversation[New Coloring Rule...] | |This menu item opens a dialog window in which a new permanent coloring rule can be created based on the currently selected conversation. +|menu:Coloring Rules...[] | |This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see <<ChCustColorizationSection>>. +|menu:Internals[] | |Information about various internal data structures. See <<ChUseInternals>> below for more information. + +|menu:Show Packet in New Window[] || +Shows the selected packet in a separate window. The separate window +shows only the packet details and bytes. See <<ChWorkPacketSepView>> for +details. + +|menu:Reload[] |kbd:[Ctrl+R] |This menu item allows you to reload the current capture file. +|=== + +[#ChUseInternals] +.Internals menu items +[options="header",cols="3,5"] +|=== +|Menu Item|Description +|menu:Conversation Hash Tables[]| Shows the tuples (address and port combinations) used to identify each conversation. +|menu:Dissector Tables[]| Shows tables of subdissector relationships. +|menu:Supported Protocols[]| Displays supported protocols and protocol fields. +|=== + + +[#ChUseGoMenuSection] + +=== The “Go” Menu + +The Wireshark Go menu contains the fields shown in <<ChUseTabGo>>. + +[#ChUseWiresharkGoMenu] +.The “Go” Menu +image::images/ws-go-menu.png[{screenshot-attrs}] + +[#ChUseTabGo] +.Go menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description +|menu:Back[] |kbd:[Alt+←] |Jump to the recently visited packet in the packet history, much like the page history in a web browser. +|menu:Forward[] |kbd:[Alt+→] |Jump to the next visited packet in the packet history, much like the page history in a web browser. +|menu:Go to Packet...[] |kbd:[Ctrl+G] |Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details. +|menu:Go to Corresponding Packet[] | |Go to the corresponding packet of the currently selected protocol field. If the selected field doesn’t correspond to a packet, this item is greyed out. +|menu:Previous Packet[] |kbd:[Ctrl+↑]|Move to the previous packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:Next Packet[] |kbd:[Ctrl+↓]|Move to the next packet in the list. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:First Packet[] |kbd:[Ctrl+Home] |Jump to the first packet of the capture file. +|menu:Last Packet[] |kbd:[Ctrl+End] |Jump to the last packet of the capture file. +|menu:Previous Packet In Conversation[] |kbd:[Ctrl+,] |Move to the previous packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|menu:Next Packet In Conversation[] |kbd:[Ctrl+.] |Move to the next packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus. +|=== + +[#ChUseCaptureMenuSection] + +=== The “Capture” Menu + +The Wireshark Capture menu contains the fields shown in <<ChUseTabCap>>. + +[#ChUseWiresharkCaptureMenu] +.The “Capture” Menu +image::images/ws-capture-menu.png[{screenshot-attrs}] + +[#ChUseTabCap] +.Capture menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item |Accelerator |Description + +|menu:Options...[] |kbd:[Ctrl+K] | +Shows the Capture Options dialog box, which allows you to configure +interfaces and capture options. +See <<ChCapCaptureOptions>>. + +|menu:Start[] |kbd:[Ctrl+E] | +Immediately starts capturing packets with the same settings as the last +time. + +|menu:Stop[] |kbd:[Ctrl+E] | +Stops the currently running capture. See <<ChCapStopSection>>. + +|menu:Restart[] |kbd:[Ctrl+R] | +Stops the currently running capture and starts it again with the same +options. + +|menu:Capture Filters...[] | | +Shows a dialog box that allows you to create and edit capture filters. +You can name filters and save them for future use. +See <<ChWorkDefineFilterSection>>. + +|menu:Refresh Interfaces[] |kbd:[F5] | +Clear and recreate the interface list. + +|=== + +[#ChUseAnalyzeMenuSection] + +=== The “Analyze” Menu + +The Wireshark Analyze menu contains the fields shown in <<ChUseAnalyze>>. + +[#ChUseWiresharkAnalyzeMenu] +.The “Analyze” Menu +image::images/ws-analyze-menu.png[{screenshot-attrs}] + +[#ChUseAnalyze] +.Analyze menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Display Filters...[] || +Displays a dialog box that allows you to create and edit display +filters. You can name filters, and you can save them for future use. +See <<ChWorkDefineFilterSection>>. + +|menu:Display Filter Macros...[] || +Shows a dialog box that allows you to create and edit display filter +macros. You can name filter macros, and you can save them for future +use. +See <<ChWorkDefineFilterMacrosSection>>. + +|menu:Apply as Column[] |kbd:[Shift+Ctrl+I]| +Adds the selected protocol item in the packet details pane as a column +to the packet list. + +|menu:Apply as Filter[] || +Change the current display filter and apply it immediately. Depending on +the chosen menu item, the current display filter string will be replaced +or appended to by the selected protocol field in the packet details +pane. + +|menu:Prepare as Filter[] || +Change the current display filter but won’t apply it. Depending on the +chosen menu item, the current display filter string will be replaced or +appended to by the selected protocol field in the packet details pane. + +|menu:Conversation Filter[] || +Apply a conversation filter for various protocols. + +|menu:Enabled Protocols...[] |kbd:[Shift+Ctrl+E]| +Enable or disable various protocol dissectors. See <<ChAdvEnabledProtocols>>. + +|menu:Decode As...[] || +Decode certain packets as a particular protocol. See <<ChAdvDecodeAs>>. + +|menu:Follow[TCP Stream] || +Open a window that displays all the TCP segments captured that are on +the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] || +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[TLS Stream] || +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] || +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Expert Info[] || +Open a window showing expert information found in the capture. +Some protocol dissectors add packet detail items for notable or unusual +behavior, such as invalid checksums or retransmissions. +Those items are shown here. +See <<ChAdvExpert>> for more information. + +The amount of information will vary depend on the protocol +|=== + +[#ChUseStatisticsMenuSection] + +=== The “Statistics” Menu + +The Wireshark Statistics menu contains the fields shown in <<ChUseStatistics>>. + +[#ChUseWiresharkStatisticsMenu] +.The “Statistics” Menu +image::images/ws-statistics-menu.png[{screenshot-attrs}] + +Each menu item brings up a new window showing specific statistics. + +[#ChUseStatistics] +.Statistics menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Capture File Properties[]|| Show information about the capture file, see <<ChStatSummary>>. +|menu:Resolved Addresses[]||See <<ChStatResolvedAddresses>> +|menu:Protocol Hierarchy[]|| Display a hierarchical tree of protocol statistics, see <<ChStatHierarchy>>. +|menu:Conversations[]|| Display a list of conversations (traffic between two endpoints), see <<ChStatConversationsWindow>>. +|menu:Endpoints[]|| Display a list of endpoints (traffic to/from an address), see <<ChStatEndpointsWindow>>. +|menu:Packet Lengths[]||See <<ChStatPacketLengths>> +|menu:I/O Graphs[]|| Display user specified graphs (e.g., the number of packets in the course of time), see <<ChStatIOGraphs>>. +|menu:Service Response Time[]|| Display the time between a request and the corresponding response, see <<ChStatSRT>>. +|menu:DHCP (BOOTP)[]||See <<ChStatDHCPBOOTP>> +|menu:NetPerfMeter[]||See <<ChStatNetPerfMeter>> +|menu:ONC-RPC Programs[]||See <<ChStatONCRPC>> +|menu:29West[]||See <<ChStat29West>> +|menu:ANCP[]||See <<ChStatANCP>> +|menu:BACnet[]||See <<ChStatBACnet>> +|menu:Collectd[]||See <<ChStatCollectd>> +|menu:DNS[]||See <<ChStatDNS>> +//|menu:Compare...[]||See <<ChStatOtherProtocols>> +|menu:Flow Graph[]||See <<ChStatFlowGraph>> +|menu:HART-IP[]||See <<ChStatHARTIP>> +|menu:HPFEEDS[]||See <<ChStatHPFEEDS>> +|menu:HTTP[]||HTTP request/response statistics, see <<ChStatHTTP>> +|menu:HTTP2[]||See <<ChStatHTTP2>> +|menu:Sametime[]||See <<ChStatSametime>> +|menu:TCP Stream Graphs[]||See <<ChStatTCPStreamGraphs>> +|menu:UDP Multicast Streams[]||See <<ChStatUDPMulticastStreams>> +|menu:Reliable Server Pooling (RSerPool)[]||See <<ChStatRSerPool>> +|menu:F5[]||See <<ChStatF5>> +|menu:IPv4 Statistics[]||See <<ChStatIPv4>> +|menu:IPv6 Statistics[]||See <<ChStatIPv6>> + + +|=== + +[#ChUseTelephonyMenuSection] + +=== The “Telephony” Menu + +The Wireshark Telephony menu contains the fields shown in <<ChUseTelephony>>. + +[#ChUseWiresharkTelephonyMenu] +.The “Telephony” Menu +image::images/ws-telephony-menu.png[{screenshot-attrs}] + +Each menu item shows specific telephony related statistics. + +[#ChUseTelephony] +.Telephony menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:VoIP Calls...[]||See <<ChTelVoipCalls>> +|menu:ANSI[]||See <<ChTelANSI>> +|menu:GSM[]||See <<ChTelGSM>> +|menu:IAX2 Stream Analysis[]||See <<ChTelIAX2Analysis>> +|menu:ISUP Messages[]||See <<ChTelISUPMessages>> +|menu:LTE[]||See <<ChTelLTE>> +|menu:MTP3[]||See <<ChTelMTP3>> +|menu:Osmux[]||See <<ChTelOsmux>> +|menu:RTP[]||See <<ChTelRTPStreams>> and <<ChTelRTPAnalysis>> +|menu:RTSP[]||See <<ChTelRTSP>> +|menu:SCTP[]||See <<ChTelSCTP>> +|menu:SMPP Operations[]||See <<ChTelSMPPOperations>> +|menu:UCP Messages[]||See <<ChTelUCPMessages>> +|menu:H.225[]||See <<ChTelH225>> +|menu:SIP Flows[]||See <<ChTelSIPFlows>> +|menu:SIP Statistics[]||See <<ChTelSIPStatistics>> +|menu:WAP-WSP Packet Counter[]||See <<ChTelWAPWSPPacketCounter>> + +|=== + +[#ChUseWirelessMenuSection] + +=== The “Wireless” Menu + +The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in <<ChUseWiresharkWirelessMenu>>. + +[#ChUseWiresharkWirelessMenu] +.The “Wireless” Menu +image::images/ws-wireless-menu.png[{screenshot-attrs}] + +Each menu item shows specific Bluetooth and IEEE 802.11 statistics. + +[#ChUseWireless] +.Wireless menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description + +|menu:Bluetooth ATT Server Attributes[]||See <<ChWirelessBluetoothATTServerAttributes>> +|menu:Bluetooth Devices[]||See <<ChWirelessBluetoothDevices>> +|menu:Bluetooth HCI Summary[]||See <<ChWirelessBluetoothHCISummary>> +|menu:WLAN Traffic[]||See <<ChWirelessWLANTraffic>> + +|=== + +[#ChUseToolsMenuSection] + +=== The “Tools” Menu + +The Wireshark Tools menu contains the fields shown in <<ChUseTools>>. + +[#ChUseWiresharkToolsMenu] +.The “Tools” Menu +image::images/ws-tools-menu.png[{screenshot-attrs}] + +[#ChUseTools] +.Tools menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Firewall ACL Rules[]|| This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. + +It is assumed that the rules will be applied to an outside interface. + +Menu item is greyed out unless one (and only one) frame is selected in the packet list. +|menu:Credentials[]|| This allows you to extract credentials from the current capture file. Some of the dissectors (ftp, http, imap, pop, smtp) have been instrumented to provide the module with usernames and passwords and more will be instrumented in the future. The window dialog provides you the packet number where the credentials have been found, the protocol that provided them, the username and protocol specific information. +|menu:MAC Address Blocks[]|| This allows viewing the IEEE MAC address registry data that Wireshark uses to resolve MAC address blocks to vendor names. The table can be searched by address prefix or vendor name. +|menu:TLS Keylog Launcher[]|| This can launch an application such as a web browser or a terminal window with the SSLKEYLOGFILE environment variable set to the same value as the TLS secret log file. Note that you will probably have to quit your existing web browser session in order to have it run under a fresh environment. +|menu:Lua Console[]|| This option allows you to work with the Lua interpreter optionally built into Wireshark, to inspect Lua internals and evaluate code. +See “Lua Support in Wireshark” in the Wireshark Developer’s Guide. +|=== + +[#ChUseHelpMenuSection] + +=== The “Help” Menu + +The Wireshark Help menu contains the fields shown in <<ChUseHelp>>. + +[#ChUseWiresharkHelpMenu] +.The “Help” Menu +image::images/ws-help-menu.png[{screenshot-attrs}] + +[#ChUseHelp] +.Help menu items +[options="header",cols="3,2,5"] +|=== +|Menu Item|Accelerator|Description +|menu:Contents[]|F1| This menu item brings up a basic help system. +|menu:Manual Pages[...]|| This menu item starts a Web browser showing one of the locally installed html manual pages. +|menu:Website[]|| This menu item starts a Web browser showing the webpage from: link:{wireshark-main-url}[]. +|menu:FAQs[]|| This menu item starts a Web browser showing various FAQs. +|menu:Downloads[]|| This menu item starts a Web browser showing the downloads from: link:{wireshark-download-url}[]. +|menu:Wiki[]|| This menu item starts a Web browser showing the front page from: link:{wireshark-wiki-url}[]. +|menu:Sample Captures[]|| This menu item starts a Web browser showing the sample captures from: link:{wireshark-wiki-url}SampleCaptures[]. +|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it’s built, the plugins loaded, the used folders, ... + +|=== + +[NOTE] +==== +Opening a Web browser might be unsupported in your version of Wireshark. If this +is the case the corresponding menu items will be hidden. + +If calling a Web browser fails on your machine, nothing happens, or the browser +starts but no page is shown, have a look at the web browser setting in the +preferences dialog. +==== + +[#ChUseMainToolbarSection] + +=== The “Main” Toolbar + +The main toolbar provides quick access to frequently used items +from the menu. This toolbar cannot be customized by the user, but it can +be hidden using the View menu if the space on the screen is needed to +show more packet data. + +Items in the toolbar will be enabled or disabled (greyed out) similar to +their corresponding menu items. For example, in the image below shows +the main window toolbar after a file has been opened. Various +file-related buttons are enabled, but the stop capture button is +disabled because a capture is not in progress. + +[#ChUseWiresharkMainToolbar] + +.The “Main” toolbar +image::images/ws-main-toolbar.png[{screenshot-attrs}] + +:toolbar-icon-attrs: height=24,width=24 + +[#ChUseMainToolbar] +.Main toolbar items +[options="header",cols="1,2,2,4"] +|=== +|Toolbar Icon|Toolbar Item|Menu Item|Description +|image:images/toolbar/x-capture-start.png[{toolbar-icon-attrs}] |btn:[Start]|menu:Capture[Start]| Starts capturing packets with the same options as the last capture or the default options if none were set (<<ChCapCapturingSection>>). +|image:images/toolbar/x-capture-stop.png[{toolbar-icon-attrs}] |btn:[Stop]|menu:Capture[Stop]| Stops the currently running capture (<<ChCapCapturingSection>>). +|image:images/toolbar/x-capture-restart.png[{toolbar-icon-attrs}] |btn:[Restart]|menu:Capture[Restart]| Restarts the current capture session. +|image:images/toolbar/x-capture-options.png[{toolbar-icon-attrs}] |btn:[Options...]|menu:Capture[Options...]| Opens the “Capture Options” dialog box. See <<ChCapCapturingSection>> for details. +// -- +|image:images/toolbar/document-open.png[{toolbar-icon-attrs}] |btn:[Open...]|menu:File[Open...]| Opens the file open dialog box, which allows you to load a capture file for viewing. It is discussed in more detail in <<ChIOOpen>>. +|image:images/toolbar/x-capture-file-save.png[{toolbar-icon-attrs}] |btn:[Save As...]|menu:File[Save As...]| Save the current capture file to whatever file you would like. See <<ChIOSaveAs>> for details. If you currently have a temporary capture file open the “Save” icon will be shown instead. +|image:images/toolbar/x-capture-file-close.png[{toolbar-icon-attrs}] |btn:[Close]|menu:File[Close]|Closes the current capture. If you have not saved the capture, you will be asked to save it first. +|image:images/toolbar/x-capture-file-reload.png[{toolbar-icon-attrs}] |btn:[Reload]|menu:View[Reload]| Reloads the current capture file. +// -- +|image:images/toolbar/edit-find.png[{toolbar-icon-attrs}] |btn:[Find Packet...]|menu:Edit[Find Packet...]|Find a packet based on different criteria. See <<ChWorkFindPacketSection>> for details. +|image:images/toolbar/go-previous.png[{toolbar-icon-attrs}] |btn:[Go Back]|menu:Go[Go Back]|Jump back in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go back in the selection history. +|image:images/toolbar/go-next.png[{toolbar-icon-attrs}] |btn:[Go Forward]|menu:Go[Go Forward]|Jump forward in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go forward in the selection history. +|image:images/toolbar/go-jump.png[{toolbar-icon-attrs}] |btn:[Go to Packet...]|menu:Go[Go to Packet...]| Go to a specific packet. +|image:images/toolbar/go-first.png[{toolbar-icon-attrs}] |btn:[Go To First Packet]|menu:Go[First Packet]| Jump to the first packet of the capture file. +|image:images/toolbar/go-last.png[{toolbar-icon-attrs}] |btn:[Go To Last Packet]|menu:Go[Last Packet]| Jump to the last packet of the capture file. +|image:images/toolbar/x-stay-last.png[{toolbar-icon-attrs}] |btn:[Auto Scroll in Live Capture]|menu:View[Auto Scroll in Live Capture]| Auto scroll packet list while doing a live capture (or not). +// -- +|image:images/toolbar/x-colorize-packets.png[{toolbar-icon-attrs}] |btn:[Colorize]|menu:View[Colorize]| Colorize the packet list (or not). +// -- +|image:images/toolbar/zoom-in.png[{toolbar-icon-attrs}] |btn:[Zoom In]|menu:View[Zoom In]| Zoom into the packet data (increase the font size). +|image:images/toolbar/zoom-out.png[{toolbar-icon-attrs}] |btn:[Zoom Out]|menu:View[Zoom Out]| Zoom out of the packet data (decrease the font size). +|image:images/toolbar/zoom-original.png[{toolbar-icon-attrs}] |btn:[Normal Size]|menu:View[Normal Size]| Set zoom level back to 100%. +|image:images/toolbar/x-resize-columns.png[{toolbar-icon-attrs}] |btn:[Resize Columns]|menu:View[Resize Columns]| Resize columns, so the content fits into them. +// -- +//|image:images/toolbar/stock_colorselector_24.png[{toolbar-icon-attrs}]|btn:[Coloring Rules...]|menu:View[Coloring Rules...]| This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in <<ChCustColorizationSection>>. +|=== + +[#ChUseFilterToolbarSection] + +=== The “Filter” Toolbar + +The filter toolbar lets you quickly edit and apply display filters. More +information on display filters is available in <<ChWorkDisplayFilterSection>>. + +[#ChUseWiresharkFilterToolbar] + +.The “Filter” toolbar +image::images/ws-filter-toolbar.png[{screenshot-attrs}] + +// Icons themselves are 32px high. +:filter-icon-attrs: height=24 + +[#ChUseFilterToolbar] +.Filter toolbar items +[options="header",cols="1,3,5"] +|=== +|Toolbar Icon|Name|Description +|image:images/toolbar/filter-toolbar-bookmark.png[{filter-icon-attrs}]|Bookmarks|Manage or select <<ChWorkDefineFilterSection,saved filters>>. +|image:images/toolbar/filter-toolbar-input.png[{filter-icon-attrs}]|Filter Input|The area to enter or edit a display filter string, see <<ChWorkBuildDisplayFilterSection>>. A syntax check of your filter string is done while you are typing. The background will turn red if you enter an incomplete or invalid string, and will become green when you enter a valid string. + +After you’ve changed something in this field, don’t forget to press the Apply +button (or the Enter/Return key), to apply this filter string to the display. + +This field is also where the current applied filter is displayed. + +|image:images/toolbar/filter-toolbar-clear.png[{filter-icon-attrs}]|Clear|Reset the current display filter and clear the edit area. +|image:images/toolbar/filter-toolbar-apply.png[{filter-icon-attrs}]|Apply|Apply the current value in the edit area as the new display filter. + +Applying a display filter on large capture files might take quite a long time. + +|image:images/toolbar/filter-toolbar-recent.png[{filter-icon-attrs}]|Recent|Select from a list of recently applied filters. +|image:images/toolbar/filter-toolbar-add.png[{filter-icon-attrs}]|Add Button|Add a new filter button. +|btn:[Squirrels]|Filter Button| +Filter buttons are handy shortcuts that apply a display filter as soon as you press them. +You can create filter buttons by pressing the btn:[{plus}] button, right-clicking in the filter button area, or opening the <<ChCustFilterButtons,Filter Button>> section of the <<ChCustPreferencesSection,Preferences Dialog>>. +The example shows a filter button with the label “Squirrels”. +If you have lots of buttons you can arrange them into groups by using “//” as a label separator. +For example, if you create buttons named “Not Squirrels // Rabbits” and “Not Squirrels // Capybaras” they will show up in the toolbar under a single button named “Not Squirrels”. + +|=== + + +[#ChUsePacketListPaneSection] + +=== The “Packet List” Pane + +The packet list pane displays all the packets in the current capture file. + +[#ChUseWiresharkListPane] +.The “Packet List” pane +image::images/ws-list-pane.png[{screenshot-attrs}] + +Each line in the packet list corresponds to one packet in the capture file. If +you select a line in this pane, more details will be displayed in the “Packet +Details” and “Packet Bytes” panes. + +While dissecting a packet, Wireshark will place information from the protocol +dissectors into the columns. As higher-level protocols might overwrite +information from lower levels, you will typically see the information from the +highest possible level only. + +For example, let’s look at a packet containing TCP inside IP inside an Ethernet +packet. The Ethernet dissector will write its data (such as the Ethernet +addresses), the IP dissector will overwrite this by its own (such as the IP +addresses), the TCP dissector will overwrite the IP information, and so on. + +There are many different columns available. You can choose which columns are +displayed in the preferences. See <<ChCustPreferencesSection>>. + +The default columns will show: + +* btn:[No.] The number of the packet in the capture file. This number won’t + change, even if a display filter is used. + +* btn:[Time] The timestamp of the packet. The presentation format of this + timestamp can be changed, see <<ChWorkTimeFormatsSection>>. + +* btn:[Source] The address where this packet is coming from. + +* btn:[Destination] The address where this packet is going to. + +* btn:[Protocol] The protocol name in a short (perhaps abbreviated) version. + +* btn:[Length] The length of each packet. + +* btn:[Info] Additional information about the packet content. + +The first column shows how each packet is related to the selected packet. For +example, in the image above the first packet is selected, which is a DNS +request. Wireshark shows a rightward arrow for the request itself, followed by a +leftward arrow for the response in packet 2. Why is there a dashed line? There +are more DNS packets further down that use the same port numbers. Wireshark +treats them as belonging to the same conversation and draws a line connecting +them. + +// Images were created on macOS 10.11 using a retina display. Lines were +// 36 physical pixels high. + +[horizontal] +.Related packet symbols + +image:images/related-first.png[{related-attrs}]:: + First packet in a conversation. + +image:images/related-current.png[{related-attrs}]:: + Part of the selected conversation. + +image:images/related-other.png[{related-attrs}]:: + _Not_ part of the selected conversation. + +image:images/related-last.png[{related-attrs}]:: + Last packet in a conversation. + +image:images/related-request.png[{related-attrs}]:: + Request. + +image:images/related-response.png[{related-attrs}]:: + Response. + +image:images/related-ack.png[{related-attrs}]:: + The selected packet acknowledges this packet. + +image:images/related-dup-ack.png[{related-attrs}]:: + The selected packet is a duplicate acknowledgement of this packet. + +image:images/related-segment.png[{related-attrs}]:: + The selected packet is related to this packet in some other way, e.g., as part + of reassembly. + +The packet list has an _Intelligent Scrollbar_ which shows a miniature map of +nearby packets. Each https://en.wikipedia.org/wiki/Raster_graphics[raster line] +of the scrollbar corresponds to a single packet, so the number of packets shown +in the map depends on your physical display and the height of the packet list. A +tall packet list on a high-resolution (“Retina”) display will show you quite a +few packets. In the image above the scrollbar shows the status of more than 500 +packets along with the 15 shown in the packet list itself. + +Right clicking will show a context menu, described in +<<ChWorkPacketListPanePopUpMenu>>. + +[#ChUsePacketDetailsPaneSection] + +=== The “Packet Details” Pane + +The packet details pane shows the current packet (selected in the “Packet List” +pane) in a more detailed form. + +[#ChUseWiresharkDetailsPane] + +.The “Packet Details” pane +image::images/ws-details-pane.png[{screenshot-attrs}] + +This pane shows the protocols and protocol fields of the packet selected in the +“Packet List” pane. The protocol summary lines (subtree labels) and fields of the +packet are shown in a tree which can be expanded and collapsed. + +There is a context menu (right mouse click) available. See details in +<<ChWorkPacketDetailsPanePopUpMenu>>. + +Some protocol fields have special meanings. + +* *Generated fields.* Wireshark itself will generate additional protocol + information which isn’t present in the captured data. This information + is enclosed in square brackets (“[” and “]”). Generated information + includes response times, TCP analysis, IP geolocation information, and + checksum validation. + +* *Links.* If Wireshark detects a relationship to another packet in the capture + file it will generate a link to that packet. Links are underlined and + displayed in blue. If you double-clicked on a link Wireshark will jump to the + corresponding packet. + +[#ChUsePacketBytesPaneSection] + +=== The “Packet Bytes” Pane + +The packet bytes pane shows the data of the current packet (selected in the +“Packet List” pane) in a hexdump style. + +[#ChUseWiresharkBytesPane] + +.The “Packet Bytes” pane +image::images/ws-bytes-pane.png[{screenshot-attrs}] + +The “Packet Bytes” pane shows a canonical +https://en.wikipedia.org/wiki/Hex_dump[hex dump] of the packet data. Each line +contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. +Non-printable bytes are replaced with a period (“.”). + +Depending on the packet data, sometimes more than one page is available, e.g. +when Wireshark has reassembled some packets into a single chunk of data. (See +<<ChAdvReassemblySection>> for details). In this case you can see each data +source by clicking its corresponding tab at the bottom of the pane. + +The default mode for viewing will highlight the bytes for a field where the +mouse pointer is hovering above. The highlight will follow the mouse cursor +as it moves. If this highlighting is not required or wanted, there are two +methods for deactivating the functionality: + +* *Temporary* By holding down the Ctrl button while moving the mouse, the + highlighted field will not change + +* *Permanently* Using the context menu (right mouse click) the hover highlighting + may be activated/deactivated. This setting is stored in the selected profile + __recent__ file. + +[#ChUseWiresharkBytesPaneTabs] +.The “Packet Bytes” pane with tabs +image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}] + +Additional tabs typically contain data reassembled from multiple packets or +decrypted data. + +[#ChUsePacketDiagramPaneSection] + +=== The “Packet Diagram” Pane + +The packet diagram pane shows the current packet (selected in the “Packet List” +pane) as a diagram, similar to ones used in textbooks and IETF RFCs. + +[#ChUseWiresharkDiagramPane] + +.The “Packet Diagram” pane +image::images/ws-diagram-pane.png[{screenshot-attrs}] + +This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams. + +There is a context menu (right mouse click) available. +For details see <<ChWorkPacketDiagramPanePopUpMenu>>. + +[#ChUseStatusbarSection] + +=== The Statusbar + +The statusbar displays informational messages. + +In general, the left side will show context related information, the middle part +will show information about the current capture file, and the right side will +show the selected configuration profile. Drag the handles between the text areas +to change the size. + +[#ChUseWiresharkStatusbarEmpty] +.The initial Statusbar +image::images/ws-statusbar-empty.png[{statusbar-attrs}] + +This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started. + +[#ChUseWiresharkStatusbarLoaded] +.The Statusbar with a loaded capture file +image::images/ws-statusbar-loaded.png[{statusbar-attrs}] + +The colorized bullet...:: on the left shows the highest expert information level found in the currently loaded capture file. +Hovering the mouse over this icon will show a description of the expert info level, and clicking the icon will bring up the Expert Information dialog box. +For a detailed description of this dialog and each expert level, see <<ChAdvExpert>>. + +The edit icon...:: on the left side lets you add a comment to the capture file using the <<ChStatSummary,Capture File Properties>> dialog. + +The left side...:: shows the capture file name by default. +It also shows field information when hovering over and selecting items in the packet detail and packet bytes panes, as well as general notifications. + +The middle...:: shows the current number of packets in the capture file. +The following values are displayed: + +Packets::: The number of captured packets. + +Displayed::: The number of packets currently being displayed. + +Marked::: The number of marked packets. Only displayed if you marked any packets. + +Dropped::: The number of dropped packets Only displayed if Wireshark was unable to capture all packets. + +Ignored::: The number of ignored packets Only displayed if you ignored any packets. + +//Load time::: The time it took to load the capture (wall clock time). + +The right side...:: shows the selected configuration profile. +Clicking on this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile. + +[#ChUseWiresharkStatusbarProfile] +.The Statusbar with a configuration profile menu +image::images/ws-statusbar-profile.png[{pdf-scaledwidth},height=192] + +For a detailed description of configuration profiles, see <<ChCustConfigProfilesSection>>. + +[#ChUseWiresharkStatusbarSelected] +.The Statusbar with a selected protocol field +image::images/ws-statusbar-selected.png[{statusbar-attrs}] + +This is displayed if you have selected a protocol field in the “Packet Details” pane. + +[TIP] +==== +The value between the parentheses (in this example “ipv6.src”) is the display filter field for the selected item. +You can become more familiar with display filter fields by selecting different packet detail items. +==== + +[#ChUseWiresharkStatusbarFilter] + +//FIXME: Remove or choose a better example of a display filter message. +.The Statusbar with a display filter message +image::images/ws-statusbar-filter.png[{statusbar-attrs}] + +This is displayed if you are trying to use a display filter which may have unexpected results. + +// End of WSUG Chapter 3 diff --git a/docbook/wsug_src/wsug_wireless.adoc b/docbook/wsug_src/wsug_wireless.adoc new file mode 100644 index 0000000..2431707 --- /dev/null +++ b/docbook/wsug_src/wsug_wireless.adoc @@ -0,0 +1,74 @@ +// WSUG Chapter Wireless + +[#ChWireless] + +== Wireless + +[#ChWirelessIntroduction] + +=== Introduction + +The Wireless menu provides access to statistics related to wireless traffic. + +[#ChWirelessBluetoothATTServerAttributes] + +=== Bluetooth ATT Server Attributes + +Bluetooth ATT Server Attributes window displays a list of captured Attribute Protocol (ATT) packets. The user can filter the list by the interfaces or devices, and also exclude repetitions by checking the `Remove duplicates` check box. + +`Handle` is a unique attribute which is specific to the device. + +`UUID` is a value which defines a type of an attribute. + +`UUID Name` is a specified name for the captured packet. + +[#ChWirelessBluetoothDevices] + +=== Bluetooth Devices + +The Bluetooth Devices window displays the list of the captured information about devices, such as MAC address, Organizationally Unique Identifier (OUI), Name and other. Users can filter it by interface. + +.Bluetooth Devices window +image::images/ws-bluetooth-devices.png[{screenshot-attrs}] + +[#ChWirelessBluetoothHCISummary] + +=== Bluetooth HCI Summary + +The Bluetooth HCI Summary window displays the summary for the captured Host Controller Interface (HCI) layer packets. This window allows users to apply filters and choose to display information about specific interfaces or devices. + +.Bluetooth HCI Summary window +image::images/ws-bt-hci-summary.png[{screenshot-attrs}] + +[#ChWirelessWLANTraffic] + +=== WLAN Traffic + +Statistics about captured WLAN traffic. This can be found under the +menu:Wireless[] menu and summarizes the wireless network traffic found +in the capture. Probe requests will be merged into an existing network +if the SSID matches. + +.The “WLAN Traffic Statistics” window +image::images/ws-stats-wlan-traffic.png[{screenshot-attrs}] + +Each row in the list shows the statistical values for exactly one wireless +network. + +_Name resolution_ will be done if selected in the window and if it is active for +the MAC layer. + +_Only show existing networks_ will exclude probe requests with a SSID not +matching any network from the list. + +The btn:[Copy] button will copy the list values to the clipboard in CSV (Comma +Separated Values) format. + + +[TIP] +==== +This window will be updated frequently, so it will be useful, even if you open +it before (or while) you are doing a live capture. +==== + +// End of WSUG Chapter Wireless diff --git a/docbook/wsug_src/wsug_work.adoc b/docbook/wsug_src/wsug_work.adoc new file mode 100644 index 0000000..7c28ec3 --- /dev/null +++ b/docbook/wsug_src/wsug_work.adoc @@ -0,0 +1,1506 @@ +// WSUG Chapter Work + +[#ChapterWork] + +== Working With Captured Packets + +[#ChWorkViewPacketsSection] + +=== Viewing Packets You Have Captured + +Once you have captured some packets or you have opened a previously saved +capture file, you can view the packets that are displayed in the packet list +pane by simply clicking on a packet in the packet list pane, which will bring up +the selected packet in the tree view and byte view panes. + +You can then expand any part of the tree to view detailed information about each +protocol in each packet. Clicking on an item in the tree will highlight the +corresponding bytes in the byte view. An example with a TCP packet selected is +shown in <<ChWorkSelPack1>>. It also has the Acknowledgment number in the TCP +header selected, which shows up in the byte view as the selected bytes. + +[#ChWorkSelPack1] + +.Wireshark with a TCP packet selected for viewing +image::images/ws-packet-selected.png[{screenshot-attrs}] + +You can also select and view packets the same way while Wireshark is capturing +if you selected “Update list of packets in real time” in the “Capture +Preferences” dialog box. + +In addition you can view individual packets in a separate window as shown in +<<ChWorkPacketSepView>>. You can do this by double-clicking on an item in the +packet list or by selecting the packet in which you are interested in the packet +list pane and selecting menu:View[Show Packet in New Window]. This allows you to +easily compare two or more packets, even across multiple files. + +[#ChWorkPacketSepView] + +.Viewing a packet in a separate window +image::images/ws-packet-sep-win.png[{screenshot-attrs}] + +Along with double-clicking the packet list and using the main menu there are a +number of other ways to open a new packet window: + +- Hold down the shift key and double-click on a frame link in the packet + details. +- From <<PacketListPopupMenuTable>>. +- From <<PacketDetailsPopupMenuTable>>. + +[#ChWorkDisplayPopUpSection] + +=== Pop-up Menus + +You can open a pop-up menu over the “Packet List”, its column heading, +“Packet Details”, or “Packet Bytes” by clicking your right mouse button +on the corresponding item. + +[#ChWorkColumnHeaderPopUpMenuSection] + +==== Pop-up Menu Of The “Packet List” Column Header + +[#ChWorkColumnHeaderPopUpMenu] +.Pop-up menu of the “Packet List” column header +image::images/ws-column-header-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this header, where to find the corresponding function in the main +menu, and a description of each item. + +[#ColumnHeaderPopupMenuTable] +.The menu items of the “Packet List” column header pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Align Left[] | +Left-align values in this column. + +|menu:Align Center[] | +Center-align values in this column. + +|menu:Align Right[] | +Right-align values in this column. + +|menu:Column Preferences...[] | +Open the “Preferences” dialog for this column. + +|menu:Edit Column[] | +Open the column editor toolbar for this column. + +|menu:Resize To Contents[] | +Resize the column to fit its values. + +|menu:Resolve Names[] | +If this column contains addresses, resolve them. + +| _No., Time, Source, et al._ | +Show or hide a column by selecting its item. + +|menu:Remove Column[] | +Remove this column, similar to deleting it in the “Preferences” dialog. + +|=== + +[#ChWorkPacketListPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet List” Pane + +[#ChWorkPacketListPanePopUpMenu] + +.Pop-up menu of the “Packet List” pane +image::images/ws-packet-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane, where to find the corresponding function in the main menu, +and a short description of each item. + +[#PacketListPopupMenuTable] +.The menu items of the “Packet List” pop-up menu +[options="header",cols="3,1,6"] +|=== +|Item |Corresponding main menu item |Description +|menu:Mark Packet (toggle)[]|menu:Edit[]| Mark or unmark a packet. +|menu:Ignore Packet (toggle)[]|menu:Edit[]| Ignore or inspect this packet while dissecting the capture file. +|menu:Set Time Reference (toggle)[]|menu:Edit[]| Set or reset a time reference. + +|menu:Time Shift[] |menu:Edit[] | +Opens the “Time Shift” dialog, which allows you to adjust the timestamps +of some or all packets. + +|menu:Packet Comment...[] |menu:Edit[] | +Opens the “Packet Comment” dialog, which lets you add a comment to a +single packet. Note that the ability to save packet comments depends on +your file format. E.g., pcapng supports comments, pcap does not. + +|menu:Edit Resolved Name[]|| +Allows you to enter a name to resolve for the selected address. + +|menu:Apply as Filter[]|menu:Analyze[]| +Immediately replace or append the current display filter based on the most recent packet list or packet details item selected. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be applied. + +|menu:Prepare as Filter[]|menu:Analyze[]| +Change the current display filter based on the most recent packet list or packet details item selected, but don't apply it. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be changed. + +// XXX - add a new section describing this better. +|menu:Conversation Filter[] || +Apply a display filter with the address information from the selected packet. +For example, the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. + +|menu:Colorize Conversation[] || +Create a new colorizing rule based on address information from the selected packet. + +|menu:SCTP[] || +Allows you to analyze and prepare a filter for this SCTP association. + +|menu:Follow[TCP Stream] |menu:Analyze[] | +Open a window that displays all the TCP segments captured that are on the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[DCCP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for DCCP streams. + +|menu:Follow[TLS Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Copy[Summary as Text] || +Copy the summary fields as displayed to the clipboard as tab-separated +text. + +|menu:Copy[...as CSV] || +Copy the summary fields as displayed to the clipboard as comma-separated +text. + +|menu:Copy[...as YAML] || +Copy the summary fields as displayed to the clipboard as YAML data. + +|menu:Copy[As Filter] || +Prepare a display filter based on the currently selected item and copy +that filter to the clipboard. + +|menu:Copy[Bytes as Hex + ASCII Dump] || +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:Copy[...as Hex Dump] || +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:Copy[...as Printable Text] || +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:Copy[...as a Hex Stream] || +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:Copy[...as Raw Binary] || +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:Protocol Preferences[] || +Adjust the preferences for the selected protocol. + +|menu:Decode As...[] |menu:Analyze[] | +Change or apply a new relation between two dissectors. + +|menu:Show Packet in New Window[] |menu:View[] | +Shows the selected packet in a separate window. The separate window +shows only the packet details and bytes. See <<ChWorkPacketSepView>> for +details. + +|=== + + +[#ChWorkPacketDetailsPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Details” Pane + +[#ChWorkPacketDetailsPanePopUpMenu] + +.Pop-up menu of the “Packet Details” pane +image::images/ws-details-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available in this +pane, where to find the corresponding function in the main menu, and a short +description of each item. + +[#PacketDetailsPopupMenuTable] + +.The menu items of the “Packet Details” pop-up menu +[options="header",cols="3,1,6"] +|=== +|Item |Corresponding main menu item |Description +|menu:Expand Subtrees[]|menu:View[]| Expand the currently selected subtree. +|menu:Collapse Subtrees[]|menu:View[]| Collapse the currently selected subtree. +|menu:Expand All[]|menu:View[]| Expand all subtrees in all packets in the capture. +|menu:Collapse All[]|menu:View[]| Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list. +|menu:Edit Resolved Name[]|menu:View[]| Allows you to enter a name to resolve for the selected address. +|menu:Apply as Column[]|| Use the selected protocol item to create a new column in the packet list. + +|menu:Apply as Filter[]|menu:Analyze[]| +Immediately replace or append the current display filter based on the most recent packet list or packet details item selected. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be applied. + +|menu:Prepare as Filter[]|menu:Analyze[]| +Change the current display filter based on the most recent packet list or packet details item selected, but don't apply it. +The first submenu item shows the filter and subsequent items show the different ways that the filter can be changed. + +|menu:Colorize with Filter[]|| This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule. + +|menu:Follow[TCP Stream] |menu:Analyze[] | +Open a window that displays all the TCP segments captured that are on the same TCP connection as a selected packet. +See <<ChAdvFollowStreamSection>>. + +|menu:Follow[UDP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for UDP “streams”. + +|menu:Follow[TLS Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for TLS or SSL streams. +See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions +on providing TLS keys. + +|menu:Follow[HTTP Stream] |menu:Analyze[] | +Same functionality as “Follow TCP Stream” but for HTTP streams. + +|menu:Copy[All Visible Items] |menu:Edit[] | +Copy the packet details as displayed. + +|menu:Copy[All Visible Selected Tree Items] |menu:Edit[] | +Copy the selected packet detail and its children as displayed. + +|menu:Copy[Description] |menu:Edit[] | +Copy the displayed text of the selected field to the system clipboard. + +|menu:Copy[Fieldname] |menu:Edit[] | +Copy the name of the selected field to the system clipboard. + +|menu:Copy[Value] |menu:Edit[] | +Copy the value of the selected field to the system clipboard. + +|menu:Copy[As Filter]| menu:Edit[] | +Prepare a display filter based on the currently selected item and copy +it to the clipboard. + +|menu:Copy[Bytes as Hex + ASCII Dump] || +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:Copy[...as Hex Dump] || +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:Copy[...as Printable Text] || +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:Copy[...as a Hex Stream] || +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:Copy[...as Raw Binary] || +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:Copy[...as Escaped String] || +Copy the packet bytes to the clipboard as C-style escape sequences. + +|menu:Export Packet Bytes...[] |menu:File[] | +This menu item is the same as the File menu item of the same name. It +allows you to export raw packet bytes to a binary file. + +|menu:Wiki Protocol Page[]|| Open the wiki page for the selected protocol in your web browser. +|menu:Filter Field Reference[]|| Open the filter field reference web page for the selected protocol in your web browser. + +|menu:Protocol Preferences[] || +Adjust the preferences for the selected protocol. + +|menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors. + +|menu:Go to Linked Packet[] |menu:Go[] | +If the selected field has a corresponding packet such as the matching +request for a DNS response, go to it. + +|menu:Show Linked Packet in New Window[] |menu:Go[] | +If the selected field has a corresponding packet such as the matching +request for a DNS response, show the selected packet in a separate +window. See <<ChWorkPacketSepView>> for details. + +|=== + +[#ChWorkPacketBytesPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Bytes” Pane + +[#ChWorkPacketBytesPanePopUpMenu] + +.Pop-up menu of the “Packet Bytes” pane +image::images/ws-bytes-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane along with a short description of each item. + +[#PacketBytesPopupMenuTable] + +.The menu items of the “Packet Bytes” pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Copy Bytes as Hex + ASCII Dump[] | +Copy the packet bytes to the clipboard in full “hexdump” format. + +|menu:...as Hex Dump[] | +Copy the packet bytes to the clipboard in “hexdump” format without the +ASCII portion. + +|menu:...as Printable Text[] | +Copy the packet bytes to the clipboard as ASCII text, excluding +non-printable characters. + +|menu:...as a Hex Stream[] | +Copy the packet bytes to the clipboard as an unpunctuated list of hex +digits. + +|menu:...as Raw Binary[] | +Copy the packet bytes to the clipboard as raw binary. The data is stored +in the clipboard using the MIME type “application/octet-stream”. + +|menu:...as Escaped String[] | +Copy the packet bytes to the clipboard as C-style escape sequences. + +|menu:Show bytes as hexadecimal[] | +Display the byte data as hexadecimal digits. + +|menu:Show bytes as bits[] | +Display the byte data as binary digits. + +|menu:Show text based on packet[] | +Show the “hexdump” data with text. + +|menu:...as ASCII[] | +Use ASCII encoding when displaying “hexdump” text. + +|menu:...as EBCDIC[] | +Use EBCDIC encoding when displaying “hexdump” text. + +|=== + +[#ChWorkPacketDiagramPanePopUpMenuSection] + +==== Pop-up Menu Of The “Packet Diagram” Pane + +[#ChWorkPacketDiagramPanePopUpMenu] + +.Pop-up menu of the “Packet Diagram” pane +image::images/ws-diagram-pane-popup-menu.png[{screenshot-attrs}] + +The following table gives an overview of which functions are available +in this pane along with a short description of each item. + +[#PacketDiagramPopupMenuTable] + +.The menu items of the “Packet Diagram” pop-up menu +[options="header",cols="3,7"] +|=== +|Item |Description + +|menu:Show Field Values[] | +Display current value for each field on the packet diagram. + +|menu:Save Diagram As...[] | +Save the packet diagram to an image file (PNG, BMP, JPEG). + +|menu:Copy as Raster Image[] | +Copy the packet diagram to the clipboard in raster (ARGB32) format. + +// |menu:…as SVG[] | +// (macOS) Copy the packet diagram to the clipboard in SVG format. + +|=== + +[#ChWorkDisplayFilterSection] + +=== Filtering Packets While Viewing + +Wireshark has two filtering languages: _capture filters_ and _display filters_. +_Capture filters_ are used for filtering +when capturing packets and are discussed in <<ChCapCaptureFilterSection>>. +_Display filters_ are used for filtering +which packets are displayed and are discussed below. +For more information about _display filter_ syntax, see the +link:{wireshark-man-page-url}wireshark-filter.html[wireshark-filter(4)] man page. + +Display filters allow you to concentrate on the packets you are interested in +while hiding the currently uninteresting ones. They allow you to only display packets +based on: + +* Protocol + +* The presence of a field + +* The values of fields + +* A comparison between fields + +* ... and a lot more! + +To only display packets containing a particular protocol, type the protocol name +in the display filter toolbar of the Wireshark +window and press enter to apply the filter. <<ChWorkTCPFilter>> shows an +example of what happens when you type _tcp_ in the display filter toolbar. + +[NOTE] +==== +Protocol and field names are usually in lowercase. +==== + +[NOTE] +==== +Don’t forget to press enter or click on the apply display filter button after entering the filter +expression. +==== + + +[#ChWorkTCPFilter] + +.Filtering on the TCP protocol +image::images/ws-display-filter-tcp.png[{screenshot-attrs}] + +As you may have noticed, only packets containing the TCP protocol are now displayed, +so packets 1-10 are hidden and packet number 11 +is the first packet displayed. + +[NOTE] +==== +When using a display filter, all packets remain in the capture file. The display +filter only changes the display of the capture file but not its content! +==== + +To remove the filter, click on the btn:[Clear] button to the right of the +display filter field. All packets will become visible again. + +Display filters can be very powerful and are discussed in further detail in +<<ChWorkBuildDisplayFilterSection>> + +It's also possible to create display filters with the +_Display Filter Expression_ dialog box. More information about +the _Display Filter Expression_ dialog box is available in +<<ChWorkFilterAddExpressionSection>>. + + +[#ChWorkBuildDisplayFilterSection] + +=== Building Display Filter Expressions + +Wireshark provides a display filter language that enables you +to precisely control which packets are displayed. They can be used +to check for the presence of a protocol or field, the value of a field, or +even compare two fields to each other. These comparisons can be combined +with logical operators, like "and" and "or", and parentheses +into complex expressions. + +The following sections will go into the display filter functionality in +more detail. + +[TIP] +==== +There are many display filter examples on the _Wireshark Wiki Display +Filter page_ at: link:{wireshark-wiki-url}DisplayFilters[]. +==== + +==== Display Filter Fields + +The simplest display filter is one that displays a single protocol. +To only display packets containing a particular protocol, type the protocol +into Wireshark's display filter toolbar. For example, to only +display TCP packets, type _tcp_ into Wireshark's display filter toolbar. +Similarly, to only display +packets containing a particular field, type the field +into Wireshark's display filter toolbar. For example, to only display +HTTP requests, type _http.request_ into Wireshark's display filter toolbar. + +You can filter on any protocol that Wireshark supports. You can +also filter on any field that a dissector adds to the tree view, if the dissector +has added an abbreviation for that field. A full list of the available protocols +and fields is available through the menu item +menu:View[Internals,Supported Protocols]. + +// XXX - add some more info here and a link to the statusbar info. + +==== Comparing Values + +You can build display filters that compare values using a number of different +comparison operators. For example, to only display packets to or +from the IP address 192.168.0.1, use `ip.addr==192.168.0.1`. + +A complete list of available comparison operators is shown in <<DispCompOps>>. + +[TIP] +==== +English and C-like operators are interchangeable and can be mixed within a filter string. +==== + +[#DispCompOps] + +.Display Filter comparison operators +[options="header",cols="1,1,1,3,3"] +|=== +| English | Alias | C-like | Description | Example +| eq | any_eq | == | Equal (any if more than one) | `ip.src == 10.0.0.5` +| ne | all_ne | != | Not equal (all if more than one) | `ip.src != 10.0.0.5` +| | all_eq | === | Equal (all if more than one) | `ip.src === 10.0.0.5` +| | any_ne | !== | Not equal (any if more than one) | `ip.src !== 10.0.0.5` +| gt | | > | Greater than | `frame.len > 10` +| lt | | < | Less than | `frame.len < 128` +| ge | | >= | Greater than or equal to | `frame.len ge 0x100` +| le | | \<= | Less than or equal to | `frame.len \<= 0x20` +| contains | | | Protocol, field or slice contains a value | `sip.To contains "a1762"` +| matches | | ~ | Protocol or text field matches a Perl-compatible regular expression| `http.host matches "acme\\.(org\|com\|net)"` +|=== + + +[NOTE] +==== +The meaning of != (all not equal) was changed in Wireshark 3.6. +Before it used to mean "any not equal". +==== + +All protocol fields have a type. <<ChWorkFieldTypes>> provides a list +of the types with examples of how to use them in display filters. + +[#ChWorkFieldTypes] + +===== Display Filter Field Types + +Unsigned integer:: + Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, octal, + hexadecimal or binary. The following display filters are equivalent: ++ +`ip.len le 1500` ++ +`ip.len le 02734` ++ +`ip.len le 0x5dc` ++ +`ip.len le 0b10111011100` + +Signed integer:: + Can be 8, 16, 24, 32, or 64 bits. As with unsigned integers you can use + decimal, octal, hexadecimal or binary. + +Boolean:: + Can be 1 or "True", 0 or "False" (without quotes). ++ +A Boolean field is present regardless if its value is true or false. For example, +`tcp.flags.syn` is present in all TCP packets containing the flag, whether +the SYN flag is 0 or 1. To only match TCP packets with the SYN flag set, you need +to use `tcp.flags.syn == 1` or `tcp.flags.syn == True`. + +Ethernet address:: + 6 bytes separated by a colon (:), dot (.), or dash (-) with one or two bytes between separators: ++ +`eth.dst == ff:ff:ff:ff:ff:ff` ++ +`eth.dst == ff-ff-ff-ff-ff-ff` ++ +`eth.dst == ffff.ffff.ffff` + +IPv4 address:: + `ip.addr == 192.168.0.1` ++ +Classless InterDomain Routing (CIDR) notation can be used to test if +an IPv4 address is in a certain subnet. For example, this display +filter will find all packets in the 129.111 Class-B network: ++ +`ip.addr == 129.111.0.0/16` + +IPv6 address:: + `ipv6.addr == ::1` ++ +As with IPv4 addresses, IPv6 addresses can match a subnet. + +Text string:: + `http.request.uri == "https://www.wireshark.org/"` ++ +Strings are a sequence of bytes. Functions like `lower()` use ASCII, otherwise +no particular encoding is assumed. String literals are specified with double +quotes. Characters can also be specified using a byte escape sequence using +hex \x__hh__ or octal {backslash}__ddd__, where _h_ and _d_ are hex and octal +numerical digits respectively: ++ +`dns.qry.name contains "www.\x77\x69\x72\x65\x73\x68\x61\x72\x6b.org"` ++ +Alternatively, a raw string syntax can be used. Such strings are prefixed with `r` or `R` and treat +backslash as a literal character. ++ +`http.user_agent matches r"\(X11;"` + +Date and time:: +`frame.time == "Sep 26, 2004 23:18:04.954975"` ++ +`ntp.xmt ge "2020-07-04 12:34:56"` ++ +The value of an absolute time field is expressed as a string, using one of the +two formats above. Fractional seconds can be omitted or specified up to +nanosecond precision; extra trailing zeros are allowed but not other digits. +The string cannot take a time zone suffix, and is always parsed as in the local +time zone, even for fields that are displayed in UTC. ++ +In the first format, the abbreviated month names must be in English regardless +of locale. In the second format, any number of time fields may be omitted, in +the order from least significant (seconds) to most, but at least the entire +date must be specified: ++ +`frame.time < "2022-01-01"` ++ +In the second format, a `T` may appear between the date and time as in +ISO 8601, but not when less significant times are dropped. + +[#ChWorkFilterExamples] + +===== Some Examples + +---- +udp contains 81:60:03 +---- +The display filter above matches packets that contains the 3-byte sequence 0x81, 0x60, +0x03 anywhere in the UDP header or payload. +---- +sip.To contains "a1762" +---- +The display filter above matches packets where the SIP To-header contains the string "a1762" +anywhere in the header. +---- +http.host matches "acme\\.(org|com|net)" +---- +The display filter above matches HTTP packets where the HOST header contains +acme.org, acme.com, or acme.net. +Comparisons are case-insensitive. +---- +tcp.flags & 0x02 +---- +That display filter will match all packets that contain the “tcp.flags” field with the 0x02 bit, +i.e., the SYN bit, set. + +===== Possible Pitfalls Using Regular Expressions + +String literals containing regular expressions are parsed twice. Once by Wireshark's display +filter engine and again by the PCRE2 library. It's important to keep this in mind when using +the "matches" operator with regex escape sequences and special characters. + +For example, the filter expression `+frame matches "AB\x43"+` uses the string `+"ABC"+` as input +pattern to PCRE. However, the expression `+frame matches "AB\\x43"+` uses the string `+"AB\x43"+` +as the pattern. In this case both expressions give the same result because Wireshark and PCRE +both support the same byte escape sequence (0x43 is the ASCII hex code for `C`). + +An example where this fails badly is `+foo matches "bar\x28"+`. Because 0x28 is the ASCII +code for `(` the pattern input to PCRE is `+"bar("+`. This regular expression is syntactically +invalid (missing closing parenthesis). To match a literal parenthesis in a display filter regular +expression it must be escaped (twice) with backslashes. + +TIP: Using raw strings avoids most problem with the "matches" operator and double escape requirements. + +==== Combining Expressions + +You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>> + +[#FiltLogOps] + +.Display Filter Logical Operations +[options="header",cols="1,1,1,4"] +|=== +|English |C-like |Description | Example +|and |&&| Logical AND | `ip.src==10.0.0.5 and tcp.flags.fin` +|or |\|\| | Logical OR | `ip.src==10.0.0.5 or ip.src==192.1.1.1` +|xor |^^ | Logical XOR | `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29` +|not |! | Logical NOT | `not llc` +|[...] | | Subsequence | See “Slice Operator” below. +|in | | Set Membership| http.request.method in {"HEAD", "GET"}. See “Membership Operator” below. +|=== + +==== Slice Operator +Wireshark allows you to select a subsequence of byte arrays (including +protocols) or text strings in rather elaborate ways. After a label you can +place a pair of brackets [] containing a comma separated list of range +specifiers. +---- +eth.src[0:3] == 00:00:83 +---- +The example above uses the n:m format to specify a single range. In this case n +is the beginning offset and m is the length of the range being specified. +---- +eth.src[1-2] == 00:83 +---- +The example above uses the n-m format to specify a single range. In this case n +is the beginning offset and m is the ending offset. +---- +eth.src[:4] == 00:00:83:00 +---- +The example above uses the :m format, which takes everything from the beginning +of a sequence to offset m. It is equivalent to 0:m +---- +eth.src[4:] == 20:20 +---- +The example above uses the n: format, which takes everything from offset n to +the end of the sequence. +---- +eth.src[2] == 83 +---- +The example above uses the n format to specify a single range. In this case the +element in the sequence at offset n is selected. This is equivalent to n:1. +---- +eth.src[0:3,1-2,:4,4:,2] == +00:00:83:00:83:00:00:83:00:20:20:83 +---- +Wireshark allows you to string together single ranges in a comma separated list +to form compound ranges as shown above. + +You can use the slice operator on a protocol name, too, to slice the +bytes associated with that protocol. The `+frame+` protocol can be useful, +encompassing all the captured data (not including secondary data sources +like decrypted data.) + +Offsets can be negative, indicating an offset from the end of a field. +---- +frame[-4:4] == 0.1.2.3 +frame[-4] == 0.1.2.3 +---- +The two examples above both check the last four bytes of a frame. + +Slices of string fields yield strings, and are indexed on codepoint +boundaries after conversation of the string to UTF-8, not bytes. +---- +http.content_type[0:4] == "text" +smpp.message_text[:10] == "Абвгдеёжзи" +---- +The second example above will match regardless of whether the original +string was in Windows-1251, UTF-8, or UTF-16, so long as the converted +string starts with those ten characters. + +Byte slices can be directly compared to strings; this converts the +string to the corresponding UTF-8 byte sequence. To compare string +slices with byte sequences, use the @ operator, below. + +==== The Layer Operator + +A field can be restricted to a certain layer in the protocol stack using the +layer operator (#), followed by a decimal number: + + ip.addr#2 == 192.168.30.40 + +matches only the inner (second) layer in the packet. +Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1. +For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2". + +For more complicated ranges the same syntax used with slices is valid: + + tcp.port#[2-4] + +means layers number 2, 3 or 4 inclusive. The hash symbol is required to +distinguish a layer range from a slice. + +==== The At Operator +By prefixing the field name with an at sign (@) the comparison is done against +the raw packet data for the field. + +A character string must be decoded from a source encoding during dissection. +If there are decoding errors the resulting string will usually contain +replacement characters: + +[subs="replacements"] +---- +browser.comment == "string is ����" +---- + +The at operator allows testing the raw undecoded data: +---- +@browser.comment == 73:74:72:69:6e:67:20:69:73:20:aa:aa:aa:aa +---- + +The syntactical rules for a bytes field type apply to the second example. + +[NOTE] +==== +When a bytes field is compared with a literal string, it is compared +with the UTF-8 representation of that string. The at operator compares +a string field with the actual byte representation in the original encoding, +which may not be UTF-8. + +As an example, SMPP has a bytes field, `+smpp.message+`, and a string +field, `+smpp.message_text+`, that refer to the same data. If the +first four characters of the message is the string "Text" in the UTF-16 +encoding, the following filters all match. + +---- +smpp.message[:8] == 00:54:00:65:00:73:00:74 +smpp.message[:8] == "\x00T\x00e\x00s\x00t" +smpp.message_text[:4] == "Test" +smpp.message_text[:4] == "\x54\x65\x73\x74" +@smpp.message_text[:8] == 00:54:00:65:00:73:00:74 +@smpp.message_text[:8] == "\x00T\x00e\x00s\x00t" +---- + +The following filters do *NOT* match. + +---- +@smpp.message_text[:4] == "\x00T\x00e\x00s\x00t" +smpp.message[:4] == "Test" +smpp.message[:8] == "Test" +@smpp.message_text[:4] == "Test" +@smpp.message_text[:8] == "Test" +---- + +The first filter above does not match because of operator precedence +left-to-right; `+@smpp.message_text` is converted to bytes before the +slice operator is applied, so the length of the necessary slice is 8. +The other filters do not match because the literal string "Test" is +always converted to its 4 octet UTF-8 representation when comparing +against bytes, and it does not match the UTF-16 representation of +the field bytes. + +==== + +==== Membership Operator +Wireshark allows you to test a field for membership in a set of values or +fields. After the field name, use the `in` operator followed by the set items +surrounded by braces {}. For example, to display packets with a TCP source or +destination port of 80, 443, or 8080, you can use `tcp.port in {80, 443, 8080}`. +Set elements must be separated by commas. +The set of values can also contain ranges: `tcp.port in {443,4430..4434}`. + +[NOTE] +==== +The display filter +---- +tcp.port in {80, 443, 8080} +---- +is equivalent to +---- +tcp.port == 80 || tcp.port == 443 || tcp.port == 8080 +---- +However, the display filter +---- +tcp.port in {443, 4430..4434} +---- +is not equivalent to +---- +tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434) +---- +This is because comparison operators are satisfied when _any_ field +matches the filter, so a packet with a source port of 56789 and +destination port of port 80 would also match the second filter +since `56789 >= 4430 && 80 \<= 4434` is true. In contrast, the +membership operator tests a single field against the range condition. +==== + + + +Sets are not just limited to numbers, other types can be used as well: +---- +http.request.method in {"HEAD", "GET"} +ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9} +frame.time_delta in {10 .. 10.5} +---- + +==== Arithmetic operators + +You can perform the arithmetic operations on numeric fields shown in <<ArithmeticOps>> + +[#ArithmeticOps] + +.Display Filter Arithmetic Operations +[options="header",cols="1,1,4"] +|=== +|Name |Syntax | Description +|Unary minus |-A | Negation of A +|Addition |A + B | Add B to A +|Subtraction |A - B | Subtract B from A +|Multiplication |A * B | Multiply A times B +|Division |A / B | Divide A by B +|Modulo |A % B | Remainder of A divided by B +|Bitwise AND |A & B | Bitwise AND of A and B +|=== + +An unfortunate quirk in the filter syntax is that the subtraction +operator must be preceded by a space character, so "A-B" must be +written as "A -B" or "A - B". + +Arithmetic expressions can be grouped using curly braces. + +For example, frames where capture length resulted in truncated TCP options: +---- +frame.cap_len < { 14 + ip.hdr_len + tcp.hdr_len } +---- + +==== Functions + +The display filter language has a number of functions to convert fields, see +<<DispFunctions>>. + +[#DispFunctions] +.Display Filter Functions +[options="header",cols="1,4"] +|=== +|Function|Description +|upper |Converts a string field to uppercase. +|lower |Converts a string field to lowercase. +|len |Returns the byte length of a string or bytes field. +|count |Returns the number of field occurrences in a frame. +|string |Converts a non-string field to a string. +|max |Return the maximum value for the arguments. +|min |Return the minimum value for the arguments. +|abs |Return the absolute value for the argument. +|=== + +The `upper` and `lower` functions can used to force case-insensitive matches: +`lower(http.server) contains "apache"`. + +To find HTTP requests with long request URIs: `len(http.request.uri) > 100`. +Note that the `len` function yields the string length in bytes rather than +(multi-byte) characters. + +Usually an IP frame has only two addresses (source and destination), but in case +of ICMP errors or tunneling, a single packet might contain even more addresses. +These packets can be found with `count(ip.addr) > 2`. + +The `string` function converts a field value to a string, suitable for use with operators +like "matches" or "contains". Integer fields are converted to their decimal representation. +It can be used with IP/Ethernet addresses (as well as others), but not with string or +byte fields. + +For example, to match odd frame numbers: +---- +string(frame.number) matches "[13579]$" +---- + +To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31): +---- +string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255" +---- + +The functions max() and min() take any number of arguments of the same type +and returns the largest/smallest respectively of the set. + +---- +max(tcp.srcport, tcp.dstport) <= 1024 +---- + +==== Field References + +An expression of the form ${some.proto.field} is called a field reference. +Its value is read from the corresponding field in the currently selected +field in the GUI. This is a powerful way to build dynamic filters, such +as frames since the last five minutes to the selected frame: + +---- +frame.time_relative >= ${frame.time_relative} - 300 +---- + +or all HTTP packets whose `+ip.dst` value equals the "A" record of +the DNS response in the current frame: + +---- +http && ip.dst eq ${dns.a} +---- + +The notation of field references is similar to that of +<<ChDisplayFilterMacrosSection,macros>> but they are syntactically +distinct. Field references, like other complex filters, make excellent +use cases for <<ChWorkDefineFilterMacrosSection,macros>>, +<<ChWorkDefineFilterSection,saved filters>>, and +<<ChCustFilterButtons,filter buttons>> + +[#ChWorkBuildDisplayFilterTransitional] + +==== Sometimes Fields Change Names + +As protocols evolve they sometimes change names or are superseded by +newer standards. For example, DHCP extends and has largely replaced +BOOTP and TLS has replaced SSL. If a protocol dissector originally used +the older names and fields for a protocol the Wireshark development team +might update it to use the newer names and fields. In such cases they +will add an alias from the old protocol name to the new one in order to +make the transition easier. + +For example, the DHCP dissector was originally developed for the BOOTP +protocol but as of Wireshark 3.0 all of the “bootp” display filter +fields have been renamed to their “dhcp” equivalents. You can still use +the old filter names for the time being, e.g., “bootp.type” is equivalent +to “dhcp.type” but Wireshark will show the warning “"bootp" is deprecated” +when you use it. Support for the deprecated fields may be removed in the future. + +==== Some protocol names can be ambiguous +In some particular cases relational expressions (equal, less than, etc.) +can be ambiguous. The filter name of a protocol or protocol field can contain +any letter and digit in any order, possibly separated by dots. That can be +indistinguishable from a literal value (usually numerical values in hexadecimal). +For example the semantic value of `fc` can be the protocol Fibre Channel or the +number 0xFC in hexadecimal because the 0x prefix is optional for hexadecimal numbers. + +Any value that matches a registered protocol or protocol field filter name is +interpreted semantically as such. If it doesn't match a protocol name the normal +rules for parsing literal values apply. + +So in the case of 'fc' the lexical token is interpreted as "Fibre Channel" and +not 0xFC. In the case of 'fd' it would be interpreted as 0xFD because it is a +well-formed hexadecimal literal value (according to the rules of display filter +language syntax) and there is no protocol registered with the filter name 'fd'. + +How ambiguous values are interpreted may change in the future. To avoid this +problem and resolve the ambiguity there is additional syntax available. +Values prefixed with a dot are always treated as a protocol name. The +dot stands for the root of the protocol namespace and is optional). Values +prefixed with a colon are always interpreted as a byte array. +---- +frame[10:] contains .fc or frame[10] == :fc +---- +If you are writing a script, or you think your expression may not be giving the +expected results because of the syntactical ambiguity of some filter expression +it is advisable to use the explicit syntax to indicate the correct meaning for +that expression. + +[#ChWorkFilterAddExpressionSection] + +=== The “Display Filter Expression” Dialog Box + +When you are accustomed to Wireshark’s filtering system and know what labels you +wish to use in your filters it can be very quick to simply type a filter string. +However, if you are new to Wireshark or are working with a slightly unfamiliar +protocol it can be very confusing to try to figure out what to type. The +“Display Filter Expression” dialog box helps with this. + +[TIP] +==== +The “Display Filter Expression” dialog box is an excellent way to learn how to write +Wireshark display filter strings. +==== + + +[#ChWorkFilterAddExpression1] + +.The “Display Filter Expression” dialog box +image::images/ws-filter-add-expression.png[{screenshot-attrs}] +// Screenshot from Wireshark 3.1.1 + +When you first bring up the Display Filter Expression dialog box you are shown a tree +of field names, organized by protocol, and a box for selecting a relation. + +Field Name:: +Select a protocol field from the protocol field tree. Every protocol with +filterable fields is listed at the top level. You can search for a particular +protocol entry by entering the first few letters of the protocol name. By +expanding a protocol name you can get a list of the field names available for +filtering for that protocol. + +Relation:: +Select a relation from the list of available relation. The _is present_ is a +unary relation which is true if the selected field is present in a packet. All +other listed relations are binary relations which require additional data (e.g. +a _Value_ to match) to complete. ++ +When you select a field from the field name list and select a binary relation +(such as the equality relation ==) you will be given the opportunity to enter a +value, and possibly some range information. + +Value:: +You may enter an appropriate value in the _Value_ text box. The _Value_ will +also indicate the type of value for the _Field Name_ you have selected (like +character string). + +Predefined Values:: +Some of the protocol fields have predefined values available, much like enumerations +in C. If the selected protocol field has such values defined, you can choose one +of them here. + +Search:: +Lets you search for a full or partial field name or description. +Regular expressions are supported. +For example, searching for “tcp.*flag” shows the TCP flags fields supported by a wide variety of dissectors, while “^tcp.flag” shows only the TCP flags fields supported by the TCP dissector. + +Range:: +A range of integers or a group of ranges, such as `1-12` or `39-42,98-2000`. + +btn:[Help]:: +Opens this section of the User’s Guide. + +btn:[OK]:: +When you have built a satisfactory expression click btn:[OK] and a filter string +will be built for you. + +btn:[Cancel]:: +You can leave the “Add Expression...” dialog box without any effect by +clicking the btn:[Cancel] button. + +[#ChWorkDefineFilterSection] + +=== Defining And Saving Filters + +You create pre-defined filters that appear in the capture and display filter bookmark menus (image:images/toolbar/filter-toolbar-bookmark.png[height=16,width=12]). +This can save time in remembering and retyping some of the more complex filters you use. + +To create or edit capture filters, select menu:Manage Capture Filters[] from the capture filter bookmark menu or menu:Capture[Capture Filters...] from the main menu. +Display filters can be created or edited by selecting menu:Manage Display Filters[] from the display filter bookmark menu or menu:Analyze[Display Filters...] from the main menu. +Wireshark will open the corresponding dialog as shown in <<FiltersDialog>>. +The two dialogs look and work similar to one another. +Both are described here, and the differences are noted as needed. + +[#FiltersDialog] + +.The “Capture Filters” and “Display Filters” dialog boxes +image::images/ws-filters.png[{screenshot-attrs}] + +btn:[{plus}]:: +Adds a new filter to the list. +You can edit the filter name or expression by double-clicking on it. ++ +The filter name is used in this dialog to identify the filter for your convenience and is not used elsewhere. +You can create multiple filters with the same name, but this is not very useful. ++ +When typing in a filter string, the background color will change depending on the validity of the filter similar to the main capture and display filter toolbars. + +btn:[-]:: +Delete the selected filter. +This will be greyed out if no filter is selected. + +// XXX Asciidoctor doesn't seem to allow images in DL terms, otherwise we could use +// list-copy.template.png here. +btn:[Copy]:: +Copy the selected filter. +This will be greyed out if no filter is selected. + +btn:[OK]:: +Saves the filter settings and closes the dialog. + +btn:[Cancel]:: +Closes the dialog without saving any changes. + +[#ChWorkDefineFilterMacrosSection] + +=== Defining And Saving Filter Macros + +You can define a filter macro with Wireshark and label it for later use. +This can save time in remembering and retyping some of the more complex filters +you use. + +To define and save your own filter macros, follow the steps below: + +. In the main menu select menu:Analyze[Display Filter Macros...]. Wireshark will open a corresponding dialog <<FilterMacrosDialog>>. ++ +[#FilterMacrosDialog] ++ +.Display Filter Macros window +image::images/ws-filter-macros.png[{screenshot-attrs}] + +. To add a new filter macro, click the btn:[{plus}] button in the bottom-left corner. A new row will appear in the Display Filter Macros table above. + +. Enter the name of your macro in the `Name` column. Enter your filter macro in the `Text` column. + +. To save your modifications, click the btn:[OK] button in the bottom-right corner of the <<FilterMacrosDialog>>. + +To learn more about display filter macro syntax, see <<ChDisplayFilterMacrosSection>>. + +[#ChWorkFindPacketSection] + +=== Finding Packets + +You can easily find packets once you have captured some packets or have +read in a previously saved capture file. Simply select menu:Edit[Find +Packet...] in the main menu. Wireshark will open a toolbar between the +main toolbar and the packet list shown in <<ChWorkFindPacketToolbar>>. + +==== The “Find Packet” Toolbar + +[#ChWorkFindPacketToolbar] + +.The “Find Packet” toolbar +image::images/ws-find-packet.png[{screenshot-attrs}] + +You can search using the following criteria: + +Display filter:: + Enter a display filter string into the text entry field and click the btn:[Find] button. + + + For example, to find the three-way handshake for a connection from host 192.168.0.1, use the following filter string: ++ +---- +ip.src==192.168.0.1 and tcp.flags.syn==1 +---- ++ +The value to be found will be syntax checked while you type it in. If +the syntax check of your value succeeds, the background of the entry +field will turn green, if it fails, it will turn red. For more details +see <<ChWorkDisplayFilterSection>> + +Hexadecimal Value:: + Search for a specific byte sequence in the packet data. ++ +For example, use “ef:bb:bf” to find the next packet that contains the +link:{wikipedia-main-url}Byte_order_mark[UTF-8 byte order mark]. + +String:: + Find a string in the packet data, with various options. + +Regular Expression:: + Search the packet data using link:{pcre2pattern-url}[Perl-compatible + regular expressions]. PCRE patterns are beyond the scope of this + document, but typing “pcre test” into your favorite search engine + should return a number of sites that will help you test and explore + your expressions. + +[#ChWorkGoToPacketSection] + +=== Go To A Specific Packet + +You can easily jump to specific packets with one of the menu items in +the menu:Go[] menu. + +==== The “Go Back” Command + +Go back in the packet history, works much like the page history in most +web browsers. + +==== The “Go Forward” Command + +Go forward in the packet history, works much like the page history in +most web browsers. + +==== The “Go to Packet” Toolbar + +[#ChWorkGoToPacketToolbar] + +.The “Go To Packet” toolbar +image::images/ws-goto-packet.png[{screenshot-attrs}] + +This toolbar can be opened by selecting menu:Go[Go to packet...] from +the main menu. It appears between the main toolbar and the packet list, +similar to the <<ChWorkFindPacketToolbar,”Find Packet” toolbar>>. + +When you enter a packet number and press btn:[Go to packet] +Wireshark will jump to that packet. + +==== The “Go to Corresponding Packet” Command + +If a protocol field is selected which points to another packet in the capture +file, this command will jump to that packet. + +As these protocol fields now work like links (just as in your Web browser), it’s +easier to simply double-click on the field to jump to the corresponding field. + +==== The “Go to First Packet” Command + +This command will jump to the first packet displayed. + +==== The “Go to Last Packet” Command + +This command will jump to the last packet displayed. + +[#ChWorkMarkPacketSection] + +=== Marking Packets + +You can mark packets in the “Packet List” pane. A marked packet will be shown +with black background, regardless of the coloring rules set. Marking a packet +can be useful to find it later while analyzing in a large capture file. + +Marked packet information is not stored in the capture file or anywhere +else. It will be lost when the capture file is closed. + +You can use packet marking to control the output of packets when saving, +exporting, or printing. To do so, an option in the packet range is available, +see <<ChIOPacketRangeSection>>. + +There are several ways to mark and unmark packets. From the menu:Edit[] menu +you can select from the following: + +* menu:Mark/Unmark Packet[] toggles the marked state of a single packet. + This option is also available in the packet list context menu. + +* menu:Mark All Displayed[] set the mark state of all displayed packets. + +* menu:Unmark All Displayed[] reset the mark state of all packets. + +You can also mark and unmark a packet by clicking on it in the packet list +with the middle mouse button. + +[#ChWorkIgnorePacketSection] + +=== Ignoring Packets + +You can ignore packets in the “Packet List” pane. Wireshark will then +pretend that they not exist in the capture file. An ignored packet will +be shown with white background and grey foreground, regardless of the +coloring rules set. + +Ignored packet information is not stored in the capture file or anywhere +else. It will be lost when the capture file is closed. + +There are several ways to ignore and unignore packets. From the +menu:Edit[] menu you can select from the following: + +* menu:Ignore/Unignore Packet[] toggles the ignored state of a single + packet. This option is also available in the packet list context menu. + +* menu:Ignore All Displayed[] set the ignored state of all displayed packets. + +* menu:Unignore All Displayed[] reset the ignored state of all packets. + +[#ChWorkTimeFormatsSection] + +=== Time Display Formats And Time References + +While packets are captured, each packet is timestamped. These timestamps will be +saved to the capture file, so they will be available for later analysis. + +A detailed description of timestamps, timezones and alike can be found at: +<<ChAdvTimestamps>>. + +The timestamp presentation format and the precision in the packet list can be +chosen using the View menu, see <<ChUseWiresharkViewMenu>>. + +The available presentation formats are: + +* menu:Date and Time of Day: 1970-01-01 01:02:03.123456[] The absolute date and time + of the day when the packet was captured. + +* menu:Time of Day: 01:02:03.123456[] The absolute time of the day when the packet + was captured. + +* menu:Seconds Since First Captured Packet: 123.123456[] The time relative to the + start of the capture file or the first “Time Reference” before this packet + (see <<ChWorkTimeReferencePacketSection>>). + +* menu:Seconds Since Previous Captured Packet: 1.123456[] The time relative to the + previous captured packet. + +* menu:Seconds Since Previous Displayed Packet: 1.123456[] The time relative to the + previous displayed packet. + +* menu:Seconds Since Epoch (1970-01-01): 1234567890.123456[] The time relative to + epoch (midnight UTC of January 1, 1970). + +The available precisions (aka. the number of displayed decimal places) are: + +* menu:Automatic (from capture file)[] The timestamp precision of the loaded capture file format will be + used (the default). + +* menu:Seconds[], menu:Tenths of a second[], menu:Hundredths of a second[], + menu:Milliseconds[], menu:Microseconds[] or menu:Nanoseconds[] The + timestamp precision will be forced to the given setting. If the + actually available precision is smaller, zeros will be appended. If + the precision is larger, the remaining decimal places will be cut off. + +Precision example: If you have a timestamp and it’s displayed using, “Seconds +Since Previous Packet” the value might be 1.123456. This will be displayed +using the “Automatic” setting for libpcap files (which is microseconds). If +you use Seconds it would show simply 1 and if you use Nanoseconds it shows +1.123456000. + +[#ChWorkTimeReferencePacketSection] + +==== Packet Time Referencing + +The user can set time references to packets. A time reference is the starting +point for all subsequent packet time calculations. It will be useful, if you +want to see the time values relative to a special packet, e.g., the start of a +new request. It’s possible to set multiple time references in the capture file. + +The time references will not be saved permanently and will be lost when you +close the capture file. + +Time referencing will only be useful if the time display format is set to +“Seconds Since First Captured Packet”. If one of the other time display formats +are used, time referencing will have no effect (and will make no sense either). + +To work with time references, choose one of the menu:Time Reference[] items in +the menu:[Edit] menu or from the pop-up menu of the “Packet List” pane. See +<<ChUseEditMenuSection>>. + +* menu:Set Time Reference (toggle)[] Toggles the time reference state of the + currently selected packet to on or off. + +* menu:Find Next[] Find the next time referenced packet in the “Packet List” pane. + +* menu:Find Previous[] Find the previous time referenced packet in the “Packet + List” pane. + +[#ChWorkTimeReference] + +.Wireshark showing a time referenced packet +image::images/ws-time-reference.png[{screenshot-attrs}] + +A time referenced packet will be marked with the string $$*REF*$$ in the Time +column (see packet number 10). All subsequent packets will show the time since +the last time reference. + +[#ChWorkShiftTimePacketSection] + +=== Time Shifting Packets + +Sometimes you will want to adjust the timestamps in a capture file. +This may be because a machine performing the capture had an inaccurate +clock, or because the capture was originally saved with timestamps in +<<ChAdvTabTimezones,local time>> (perhaps even to a capture file format +that only writes times in local time, or only writes the time of day +but not the date). One common use is to synchronize timestamps between +captures made on different machines with relative clock skew or clock +drift before <<ChIOMergeSection,merging>> them. Selecting +menu:Edit[Time Shift...] from the main menu opens the "Time Shift" dialog. + +.The “Time Shift” dialog +image::images/ws-time-shift.png[{medium-screenshot-attrs}] + +Shift all packets by...:: + +Apply a fixed offset, entered as a relative time in hours, minutes, +and seconds, to the timestamps for all packets. This is useful for +correcting small known errors or timezones. + +Set the time for packet...:: + +Apply offsets based on one or, if the box is checked, two given packets +to the timestamps for all packets. Enter the packet number and absolute +date and time for the packet(s). When one packet is used, a fixed offset +is applied that can be used to correct for clock skew. When two packets +are used, the correction for all other packets is computed linearly, +which can be used to correct for clock drift. This is useful when the +precise date and time for particular packets are known, e.g. packets +containing the NTP or PTP protocols. + +Undo all shifts:: + +This removes all unsaved time shifts from packets. + +[NOTE] +.Time shifts are applied to all packets +==== +Time shifts are applied to all packets in the capture, including +ignored packets and packets that are not displayed due to the current +filter. +Wireshark does not have a method to adjust the timestamps of individual +or selected packets. +==== + +The offset currently applied to time shifted packets is in the +`frame.offset_shift` field, which can be viewed in the packet details. + +.A Time Shifted Packet +image::images/ws-time-shift-details.png[{medium-screenshot-attrs}] + +After time shifts are applied, the file will have unsaved changes, +which are indicated with an {asterisk} beside its name in the title bar. +Beginning with Wireshark 4.2.0, <<ChIOSaveSection,saving>> the file +will write the corrected timestamps to the capture file. +If you attempt to close the capture file without saving it, a dialog +will prompt you to save in order to prevent losing your changes +(unless that warning has been disabled in the <<ChCustGUIPrefPage,preferences>>.) + +// End of WSUG Chapter Work |
