// WSUG User Interface Chapter

[#ChapterUsing]

== User Interface

[#ChUseIntroductionSection]

=== Introduction

By now you have installed Wireshark and are likely keen to get started
capturing your first packets. In the next chapters we will explore:

* How the Wireshark user interface works
* How to capture packets in Wireshark
* How to view packets in Wireshark
* How to filter packets in Wireshark
* ... and many other things!

[#ChUseStartSection]

=== Start Wireshark

You can start Wireshark from your shell or window manager.

[TIP]
.Power user tip
====
When starting Wireshark it’s possible to specify optional settings using the
command line. See <<ChCustCommandLine>> for details.
====

The following chapters contain many screenshots of Wireshark. Because
Wireshark runs on many different platforms with many different window managers,
styles, and versions of the underlying GUI toolkit, your screen might look
different from the provided screenshots. As there are no real differences in
functionality, the screenshots should still be easy to follow.

[#ChUseMainWindowSection]

=== The Main window

Let’s look at Wireshark’s user interface. <<ChUseFig01>> shows Wireshark as you
would usually see it after some packets are captured or loaded (how to do this
will be described later).

[#ChUseFig01]
.The Main window
image::images/ws-main.png[{screenshot-attrs}]

Wireshark’s main window consists of parts that are commonly known from many
other GUI programs.

. The _menu_ (see <<ChUseMenuSection>>) is used to start actions.
. The _main toolbar_ (see <<ChUseMainToolbarSection>>) provides quick access to
  frequently used items from the menu.
. The _filter toolbar_ (see <<ChUseFilterToolbarSection>>) allows users to
  set _display filters_ to filter which packets are displayed (see
  <<ChWorkDisplayFilterSection>>).
. The _packet list pane_ (see <<ChUsePacketListPaneSection>>) displays a summary
  of each packet captured. By clicking on packets in this pane you control what is
  displayed in the other two panes.
. The _packet details pane_ (see <<ChUsePacketDetailsPaneSection>>) displays the
  packet selected in the packet list pane in more detail.
. The _packet bytes pane_ (see <<ChUsePacketBytesPaneSection>>) displays the
  data from the packet selected in the packet list pane, and highlights the field
  selected in the packet details pane.
. The _packet diagram pane_ (see <<ChUsePacketDiagramPaneSection>>) displays the
  packet selected in the packet list as a textbook-style diagram.
. The _statusbar_ (see <<ChUseStatusbarSection>>) shows some detailed
  information about the current program state and the captured data.

[TIP]
====
The layout of the main window can be customized by changing preference settings.
See <<ChCustPreferencesSection>> for details.
====

[#ChUseMainWindowNavSection]

==== Main Window Navigation

Packet list and detail navigation can be done entirely from the keyboard.
<<ChUseTabNav>> shows a list of keystrokes that will let you quickly move around
a capture file. See <<ChUseTabGo>> for additional navigation keystrokes.

[#ChUseTabNav]
.Keyboard Navigation
[options="header",cols="1,3"]
|===
|Accelerator               |Description
|kbd:[Tab] or kbd:[Shift+Tab]|Move between screen elements, e.g., from the toolbars to the packet list to the packet detail.
|kbd:[↓]                   |Move to the next packet or detail item.
|kbd:[↑]                   |Move to the previous packet or detail item.
|kbd:[Ctrl+↓] or kbd:[F8]  |Move to the next packet, even if the packet list isn’t focused.
|kbd:[Ctrl+↑] or kbd:[F7]  |Move to the previous packet, even if the packet list isn’t focused.
|kbd:[Ctrl+.]              |Move to the next packet of the conversation (TCP, UDP or IP).
|kbd:[Ctrl+&#44;]          |Move to the previous packet of the conversation (TCP, UDP or IP).
|kbd:[Alt+→] or kbd:[Option+→] (macOS) |Move to the next packet in the selection history.
|kbd:[Alt+←] or kbd:[Option+←] (macOS)  |Move to the previous packet in the selection history.
|kbd:[←]                   |In the packet detail, closes the selected tree item. If it’s already closed, jumps to the parent node.
|kbd:[→]                   |In the packet detail, opens the selected tree item.
|kbd:[Shift+→]             |In the packet detail, opens the selected tree item and all of its subtrees.
|kbd:[Ctrl+→]              |In the packet detail, opens all tree items.
|kbd:[Ctrl+←]              |In the packet detail, closes all tree items.
|kbd:[Backspace]           |In the packet detail, jumps to the parent node.
|kbd:[Return] or kbd:[Enter] |In the packet detail, toggles the selected tree item.
|===

menu:Help[About Wireshark,Keyboard Shortcuts] will show a list of all shortcuts
in the main window. Additionally, typing anywhere in the main window will start
filling in a display filter.

[#ChUseMenuSection]

=== The Menu

Wireshark’s main menu is located either at the top of the main window (Windows,
Linux) or at the top of your main screen (macOS). An example is shown in
<<ChUseWiresharkMenu>>.

[NOTE]
====
Some menu items will be disabled (greyed out) if the corresponding feature isn’t
available. For example, you cannot save a capture file if you haven’t captured
or loaded any packets.
====

[#ChUseWiresharkMenu]
.The Menu
image::images/ws-menu.png[{screenshot-attrs}]

The main menu contains the following items:

menu:File[]::
This menu contains items to open and merge capture files, save, print, or export
capture files in whole or in part, and to quit the Wireshark application. See
<<ChUseFileMenuSection>>.

menu:Edit[]::
This menu contains items to find a packet, time reference or mark one or more
packets, handle configuration profiles, and set your preferences (cut, copy,
and paste are not presently implemented). See <<ChUseEditMenuSection>>.

menu:View[]::
This menu controls the display of the captured data, including colorization of
packets, zooming the font, showing a packet in a separate window, expanding and
collapsing trees in packet details, and more. See <<ChUseViewMenuSection>>.

menu:Go[]::
This menu contains items to go to a specific packet. See <<ChUseGoMenuSection>>.

menu:Capture[]::
This menu allows you to start and stop captures and to edit capture filters. See
<<ChUseCaptureMenuSection>>.

menu:Analyze[]::
This menu contains items to manipulate display filters, enable or disable the
dissection of protocols, configure user specified decodes and follow a TCP
stream. See <<ChUseAnalyzeMenuSection>>.

menu:Statistics[]::
This menu contains items to display various statistic windows, including a
summary of the packets that have been captured, display protocol hierarchy
statistics and much more. See <<ChUseStatisticsMenuSection>>.

menu:Telephony[]::
This menu contains items to display various telephony related statistic windows,
including a media analysis, flow diagrams, display protocol hierarchy statistics
and much more. See <<ChUseTelephonyMenuSection>>.

menu:Wireless[]::
This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics.

menu:Tools[]::
This menu contains various tools available in Wireshark, such as creating
Firewall ACL Rules. See <<ChUseToolsMenuSection>>.

menu:Help[]::
This menu contains items to help the user, e.g., access to some basic help,
manual pages of the various command line tools, online access to some of the
webpages, and the usual about dialog. See <<ChUseHelpMenuSection>>.

Each of these menu items is described in more detail in the sections that follow.

[TIP]
.Shortcuts make life easier
====
Most common menu items have keyboard shortcuts. For example, you can
press the Control and the K keys together to open the
“Capture Options” dialog.
====

[#ChUseFileMenuSection]

=== The “File” Menu

The Wireshark file menu contains the fields shown in <<ChUseTabFile>>.

[#ChUseWiresharkFileMenu]
.The “File” Menu
image::images/ws-file-menu.png[{screenshot-attrs}]

[#ChUseTabFile]
.File menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                            |Accelerator |Description

|menu:Open...[]                       |kbd:[Ctrl+O]|
This shows the file open dialog box that allows you to load a
capture file for viewing. It is discussed in more detail in <<ChIOOpen>>.

|menu:Open Recent[]                   |            |
This lets you open recently opened capture files.
Clicking on one of the submenu items will open the corresponding capture file
directly.

|menu:Merge...[]                      |            |
This menu item lets you merge a capture file into the currently loaded one. It
is discussed in more detail in <<ChIOMergeSection>>.

|menu:Import from Hex Dump...[]       |            |
This menu item brings up the import file dialog box that allows you to import a
text file containing a hex dump into a new temporary capture. It is discussed in
more detail in <<ChIOImportSection>>.

|menu:Close[]                         |kbd:[Ctrl+W]|
This menu item closes the current capture. If you haven’t saved the capture, you
will be asked to do so first (this can be disabled by a preference setting).

|menu:Save[]                          |kbd:[Ctrl+S]|
This menu item saves the current capture. If you have not set a default capture
file name (perhaps with the `-w <capfile>` option), Wireshark pops up the
Save Capture File As dialog box (which is discussed further in <<ChIOSaveAs>>).

If you have already saved the current capture, this menu item will be greyed
out.

You cannot save a live capture while the capture is in progress. You must
stop the capture in order to save.

|menu:Save As...[]                    |kbd:[Shift+Ctrl+S]|
This menu item allows you to save the current capture file to whatever file you
would like. It pops up the Save Capture File As dialog box (which is discussed
further in <<ChIOSaveAs>>).

|menu:File Set[List Files]            ||
This menu item allows you to show a list of files in a file set. It pops up the
Wireshark List File Set dialog box (which is discussed further in
<<ChIOFileSetSection>>).

|menu:File Set[Next File]             ||
If the currently loaded file is part of a file set, jump to the next file in the
set. If it isn’t part of a file set or is the last file in that set, this item
is greyed out.

|menu:File Set[Previous File]         ||
If the currently loaded file is part of a file set, jump to the previous file in
the set. If it isn’t part of a file set or is the first file in that set, this
item is greyed out.

|menu:Export Specified Packets...[]                 ||
This menu item allows you to export all (or some) of the packets in the capture
file to a file. It pops up the Wireshark Export dialog box (which is discussed
further in <<ChIOExportSection>>).

|menu:Export Packet Dissections...[]|kbd:[Ctrl+H]|
These menu items allow you to export the currently selected bytes in the packet
bytes pane to a text file in a number of formats including plain, CSV,
and XML. They are discussed further in <<ChIOExportSelectedDialog>>.

|menu:Export Objects[]           ||
These menu items allow you to export captured DICOM, FTP-DATA, HTTP, IMF, SMB,
or TFTP objects into local files. Each pops up a corresponding object list
(which is discussed further in <<ChIOExportObjectsDialog>>).

|menu:Print...[]                      |kbd:[Ctrl+P]|
This menu item allows you to print all (or some) of the packets in the capture
file. It pops up the Wireshark Print dialog box (which is discussed further in
<<ChIOPrintSection>>).

|menu:Quit[]                          |kbd:[Ctrl+Q]|
This menu item allows you to quit from Wireshark. Wireshark will ask to save
your capture file if you haven’t previously saved it (this can be disabled by a
preference setting).

|===

[#ChUseEditMenuSection]

=== The “Edit” Menu

The Wireshark Edit menu contains the fields shown in <<ChUseTabEdit>>.

[#ChUseWiresharkEditMenu]
.The “Edit” Menu
image::images/ws-edit-menu.png[{screenshot-attrs}]

[#ChUseTabEdit]
.Edit menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                                    |Accelerator       |Description
|menu:Copy[]                                  ||
These menu items will copy the packet list, packet detail, or properties of
the currently selected packet to the clipboard.

|menu:Find Packet...[]                        |kbd:[Ctrl+F]      |
This menu item brings up a toolbar that allows you to find a packet by many
criteria. There is further information on finding packets in
<<ChWorkFindPacketSection>>.

|menu:Find Next[]                             |kbd:[Ctrl+N]      |
This menu item tries to find the next packet matching the settings from “Find
Packet...”.

|menu:Find Previous[]                         |kbd:[Ctrl+B]      |
This menu item tries to find the previous packet matching the settings from
“Find Packet...”.

|menu:Mark/Unmark Selected[]                  |kbd:[Ctrl+M]      |
This menu item marks the currently selected packet. See
<<ChWorkMarkPacketSection>> for details.

|menu:Mark All Displayed Packets[]            |kbd:[Ctrl+Shift+M]|
This menu item marks all displayed packets.

|menu:Unmark All Displayed Packets[]          |kbd:[Ctrl+Alt+M]  |
This menu item unmarks all displayed packets.

|menu:Next Mark[]                             |kbd:[Ctrl+Shift+N] |
Find the next marked packet.

|menu:Previous Mark[]                         |kbd:[Ctrl+Shift+B] |
Find the previous marked packet.

|menu:Ignore/Unignore Selected[]              |kbd:[Ctrl+D]      |
This menu item marks the currently selected packet as ignored. See
<<ChWorkIgnorePacketSection>> for details.

|menu:Ignore All Displayed[]                  |kbd:[Ctrl+Shift+D]|
This menu item marks all displayed packets as ignored.

|menu:Unignore All Displayed[]                |kbd:[Ctrl+Alt+D]  |
This menu item unmarks all ignored packets.

|menu:Set/Unset Time Reference[]              |kbd:[Ctrl+T]      |
This menu item sets a time reference on the currently selected packet. See
<<ChWorkTimeReferencePacketSection>> for more information about
time-referenced packets.

|menu:Unset All Time References[]             |kbd:[Ctrl+Alt+T]  |
This menu item removes all time references on the packets.

|menu:Next Time Reference[]                   |kbd:[Ctrl+Alt+N]  |
This menu item tries to find the next time referenced packet.

|menu:Previous Time Reference[]               |kbd:[Ctrl+Alt+B]  |
This menu item tries to find the previous time referenced packet.

|menu:Time Shift...[]                         |kbd:[Ctrl+Shift+T]|
Opens the “Time Shift” dialog, which allows you to adjust the timestamps
of some or all packets.

|menu:Packet Comment...[]                      |kbd:[Ctrl+Alt+C] |
Opens the “Packet Comment” dialog, which lets you add a comment to a
single packet. Note that the ability to save packet comments depends on
your file format. E.g., pcapng supports comments, pcap does not.

|menu:Delete All Packet Comments[]             ||
This will delete all comments from all packets. Note that the ability to save
capture comments depends on your file format. E.g., pcapng supports
comments, pcap does not.

|menu:Inject TLS Secrets[]                        ||
Embeds the used TLS decryption secrets into the capture file, which lets
TLS be decrypted without having the separate keylog file.
Note that the ability to save decryption secrets depends on your file
format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.

|menu:Discard All Secrets[]                   ||
This will discard all embedded decryption secrets from the capture file.
Note that the ability to save decryption secrets depends on your file
format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.

|menu:Configuration Profiles...[]             |kbd:[Ctrl+Shift+A]|
This menu item brings up a dialog box for handling configuration profiles.  More
detail is provided in <<ChCustConfigProfilesSection>>.

|menu:Preferences...[]                        |kbd:[Ctrl+Shift+P] or kbd:[Cmd+,] (macOS)|
This menu item brings up a dialog box that allows you to set preferences for
many parameters that control Wireshark.  You can also save your preferences so
Wireshark will use them the next time you start it. More detail is provided in
<<ChCustPreferencesSection>>.

|===
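
The “Inject TLS Secrets” and “Discard All Secrets” items above act on pcapng Decryption Secrets Blocks, so a capture saved after injection carries its decryption secrets inside the file. The following Python is an added example, not part of Wireshark or of this guide: it walks the blocks of a pcapng byte string and reports any Decryption Secrets Blocks, a useful check before a capture is shared. The block type and secrets type constants come from the pcapng specification; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

SHB_TYPE = 0x0A0D0D0A          # Section Header Block (reads the same in either byte order)
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SECRETS_TYPES = {0x544C534B: "TLS key log", 0x57474B4C: "WireGuard key log"}
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}


def iter_blocks(data):
    """Yield (endian, block_type, body) for each pcapng block in data."""
    offset, endian = 0, None
    while offset < len(data):
        if len(data) - offset < 12:
            raise ValueError("truncated block header at offset %d" % offset)
        if data[offset:offset + 4] == b"\x0a\x0d\x0d\x0a":
            # A new section starts here; its magic fixes the byte order.
            magic = data[offset + 8:offset + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        if endian is None:
            raise ValueError("not a pcapng file (no Section Header Block)")
        block_type, total_len = struct.unpack_from(endian + "II", data, offset)
        if total_len < 12 or total_len % 4 or offset + total_len > len(data):
            raise ValueError("bad block length at offset %d" % offset)
        (trailer,) = struct.unpack_from(endian + "I", data, offset + total_len - 4)
        if trailer != total_len:
            raise ValueError("block length mismatch at offset %d" % offset)
        yield endian, block_type, data[offset + 8:offset + total_len - 4]
        offset += total_len


def find_secrets(data):
    """Return [(secrets_type_name, secrets_bytes), ...] for every DSB in data."""
    if data[:4] in PCAP_MAGICS:
        return []  # classic pcap has no block that can carry secrets
    found = []
    for endian, block_type, body in iter_blocks(data):
        if block_type != DSB_TYPE:
            continue
        if len(body) < 8:
            raise ValueError("Decryption Secrets Block too short")
        secrets_type, secrets_len = struct.unpack_from(endian + "II", body, 0)
        if 8 + secrets_len > len(body):
            raise ValueError("secrets length exceeds block body")
        name = SECRETS_TYPES.get(secrets_type, "unknown 0x%08x" % secrets_type)
        found.append((name, body[8:8 + secrets_len]))
    return found


def keylog_labels(secrets):
    """Count key log labels (first token per line) without printing key material."""
    labels = Counter()
    for line in secrets.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            labels[line.split()[0]] += 1
    return dict(labels)


def _block(block_type, body):
    """Build one little-endian pcapng block (helper for the constructed sample)."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_sample(with_secrets):
    """Constructed sample: a section header, optionally followed by one TLS DSB."""
    sample = _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    if with_secrets:
        # Constructed key log line with dummy values, not a real session secret.
        keylog = ("CLIENT_RANDOM " + "00" * 32 + " " + "11" * 48 + "\n").encode()
        sample += _block(DSB_TYPE, struct.pack("<II", 0x544C534B, len(keylog)) + keylog)
    return sample


if __name__ == "__main__":
    for name, secrets in find_secrets(build_sample(True)):
        print(name, len(secrets), "bytes", keylog_labels(secrets))
```

To check a real capture, pass the bytes of the file to `find_secrets`; an empty result means the file contains no Decryption Secrets Block.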

[#ChUseViewMenuSection]

=== The “View” Menu

The Wireshark View menu contains the fields shown in <<ChUseTabView>>.

[#ChUseWiresharkViewMenu]
.The “View” Menu
image::images/ws-view-menu.png[{screenshot-attrs}]

[#ChUseTabView]
.View menu items
[options="header",cols="3,2,5"]
|===
|Menu Item              |Accelerator|Description
|menu:Main Toolbar[]    ||This menu item hides or shows the main toolbar, see <<ChUseMainToolbarSection>>.
|menu:Filter Toolbar[]  ||This menu item hides or shows the filter toolbar, see <<ChUseFilterToolbarSection>>.
|menu:Wireless Toolbar[]||This menu item hides or shows the wireless toolbar. May not be present on some platforms.
|menu:Statusbar[]       ||This menu item hides or shows the statusbar, see <<ChUseStatusbarSection>>.
|menu:Packet List[]     ||This menu item hides or shows the packet list pane, see <<ChUsePacketListPaneSection>>.
|menu:Packet Details[]  ||This menu item hides or shows the packet details pane, see <<ChUsePacketDetailsPaneSection>>.
|menu:Packet Bytes[]    ||This menu item hides or shows the packet bytes pane, see <<ChUsePacketBytesPaneSection>>.
|menu:Packet Diagram[]  ||This menu item hides or shows the packet diagram pane. See <<ChUsePacketDiagramPaneSection>>.
|menu:Time Display Format[Date and Time of Day: 1970-01-01 01:02:03.123456]|| Selecting this tells Wireshark to display the time stamps in date and time of day format, see <<ChWorkTimeFormatsSection>>.

The fields “Time of Day”, “Date and Time of Day”, “Seconds Since First
Captured Packet”, “Seconds Since Previous Captured Packet” and “Seconds
Since Previous Displayed Packet” are mutually exclusive.

|menu:Time Display Format[Time of Day: 01:02:03.123456]||Selecting this tells Wireshark to display time stamps in time of day format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Epoch (1970-01-01): 1234567890.123456]||Selecting this tells Wireshark to display time stamps in seconds since 1970-01-01 00:00:00, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since First Captured Packet: 123.123456]||Selecting this tells Wireshark to display time stamps in seconds since first captured packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Previous Captured Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous captured packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Previous Displayed Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Automatic (File Format Precision)]||Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see <<ChWorkTimeFormatsSection>>.

The fields “Automatic”, “Seconds” and “...seconds” are mutually exclusive.

|menu:Time Display Format[Seconds: 0]||Selecting this tells Wireshark to display time stamps with a precision of one second, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[...seconds: 0....]||Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Display Seconds with hours and minutes]||Selecting this tells Wireshark to display time stamps in seconds, with hours and minutes.
|menu:Name Resolution[Edit Resolved Name]||This item allows you to manually enter names to resolve IP addresses in the current packet, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for MAC Layer]||This item allows you to control whether or not Wireshark translates MAC addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Network Layer]||This item allows you to control whether or not Wireshark translates network addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Transport Layer]||This item allows you to control whether or not Wireshark translates transport addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Zoom In[]                     |kbd:[Ctrl+&#43;]   | Zoom into the packet data (increase the font size).
|menu:Zoom Out[]                    |kbd:[Ctrl+-]       | Zoom out of the packet data (decrease the font size).
|menu:Normal Size[]                 |kbd:[Ctrl+=]       | Set zoom level back to 100% (set font size back to normal).
|menu:Expand Subtrees[]                             |kbd:[Shift+→]|This menu item expands the currently selected subtree in the packet details tree.
|menu:Collapse Subtrees[]                           |kbd:[Shift+←]|This menu item collapses the currently selected subtree in the packet details tree.
|menu:Expand All[]                                  |kbd:[Ctrl+→] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
|menu:Collapse All[]                                |kbd:[Ctrl+←] |This menu item collapses the tree view of all packets in the capture list.
|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list.

Enabling colorization will slow down the display of new packets while
capturing or loading capture files.

|menu:Colorize Conversation[]                       |                   |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. See <<ChCustColorizationSection>>.
|menu:Colorize Conversation[Color 1-10]             |                   |These menu items enable one of the ten temporary color filters based on the currently selected conversation.
|menu:Colorize Conversation[Reset coloring]         |                   |This menu item clears all temporary coloring rules.
|menu:Colorize Conversation[New Coloring Rule...]   |                   |This menu item opens a dialog window in which a new permanent coloring rule can be created based on the currently selected conversation.
|menu:Coloring Rules...[]                           |                   |This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see <<ChCustColorizationSection>>.
|menu:Resize All Columns[]          |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into them.

Resizing may take a significant amount of time, especially if a large capture file is loaded.

|menu:Internals[]                                   |                   |Information about various internal data structures. See <<ChUseInternals>> below for more information.

|menu:Show Packet in New Window[] ||
Shows the selected packet in a separate window. The separate window
shows only the packet details and bytes of that packet, and will
continue to do so even if another packet is selected in the main window.
See <<ChWorkPacketSepView>> for details.

|menu:Reload[]                                      |kbd:[Ctrl+R]       |This menu item allows you to reload the current capture file.
|===

[#ChUseInternals]
.Internals menu items
[options="header",cols="3,5"]
|===
|Menu Item|Description
|menu:Conversation Hash Tables[]| Shows the tuples (address and port combinations) used to identify each conversation.
|menu:Dissector Tables[]| Shows tables of subdissector relationships.
|menu:Supported Protocols[]| Displays supported protocols and protocol fields.
|===


[#ChUseGoMenuSection]

=== The “Go” Menu

The Wireshark Go menu contains the fields shown in <<ChUseTabGo>>.

[#ChUseWiresharkGoMenu]
.The “Go” Menu
image::images/ws-go-menu.png[{screenshot-attrs}]

[#ChUseTabGo]
.Go menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                              |Accelerator        |Description
|menu:Back[]                            |kbd:[Alt+←] |Jump to the recently visited packet in the packet history, much like the page history in a web browser.
|menu:Forward[]                         |kbd:[Alt+→] |Jump to the next visited packet in the packet history, much like the page history in a web browser.
|menu:Go to Packet...[]                 |kbd:[Ctrl+G]       |Brings up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details.
|menu:Go to Corresponding Packet[]      |                   |Go to the corresponding packet of the currently selected protocol field (e.g., the reply
corresponding to a request packet, or vice versa). If the selected field doesn’t correspond to a packet, this item is greyed out.
|menu:Previous Packet[]                 |kbd:[Ctrl+↑]|Move to the previous packet in the list.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet[]                     |kbd:[Ctrl+↓]|Move to the next packet in the list.  This can be used to move to the next packet even if the packet list doesn’t have keyboard focus.
|menu:First Packet[]                    |kbd:[Ctrl+Home]    |Jump to the first packet of the capture file.
|menu:Last Packet[]                     |kbd:[Ctrl+End]     |Jump to the last packet of the capture file.
|menu:Previous Packet In Conversation[] |kbd:[Ctrl+&#44;]  |Move to the previous packet in the current conversation.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet In Conversation[]     |kbd:[Ctrl+.]       |Move to the next packet in the current conversation.  This can be used to move to the next packet even if the packet list doesn’t have keyboard focus.
|menu:Auto Scroll in Live Capture[] |                   |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet.  If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
|===

[#ChUseCaptureMenuSection]

=== The “Capture” Menu

The Wireshark Capture menu contains the fields shown in <<ChUseTabCap>>.

[#ChUseWiresharkCaptureMenu]
.The “Capture” Menu
image::images/ws-capture-menu.png[{screenshot-attrs}]

[#ChUseTabCap]
.Capture menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                  |Accelerator    |Description

|menu:Options...[]          |kbd:[Ctrl+K]   |
Shows the Capture Options dialog box, which allows you to configure
interfaces and capture options.
See <<ChCapCaptureOptions>>.

|menu:Start[]               |kbd:[Ctrl+E]   |
Immediately starts capturing packets with the same settings as the last
time.

|menu:Stop[]                |kbd:[Ctrl+E]   |
Stops the currently running capture. See <<ChCapStopSection>>.

|menu:Restart[]             |kbd:[Ctrl+R]   |
Stops the currently running capture and starts it again with the same
options.

|menu:Capture Filters...[]  |               |
Shows a dialog box that allows you to create and edit capture filters.
You can name filters and save them for future use.
See <<ChWorkDefineFilterSection>>.

|menu:Refresh Interfaces[]  |kbd:[F5]       |
Clear and recreate the interface list.

|===

[#ChUseAnalyzeMenuSection]

=== The “Analyze” Menu

The Wireshark Analyze menu contains the fields shown in <<ChUseAnalyze>>.

[#ChUseWiresharkAnalyzeMenu]
.The “Analyze” Menu
image::images/ws-analyze-menu.png[{screenshot-attrs}]

[#ChUseAnalyze]
.Analyze menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Display Filters...[]          ||
Displays a dialog box that allows you to create and edit display
filters. You can name filters, and you can save them for future use.
See <<ChWorkDefineFilterSection>>.

|menu:Display Filter Macros...[]    ||
Shows a dialog box that allows you to create and edit display filter
macros. You can name filter macros, and you can save them for future
use.
See <<ChWorkDefineFilterMacrosSection>>.

|menu:Display Filter Expression...[]    ||
Shows a dialog box that allows you to build a display filter expression
to apply. This shows possible fields and their applicable relations and
values, and allows you to search by name and description.
See <<ChWorkFilterAddExpressionSection>>.

|menu:Apply as Column[]             |kbd:[Shift+Ctrl+I]|
Adds the selected protocol item in the packet details pane as a column
to the packet list.

|menu:Apply as Filter[]             ||
Change the current display filter and apply it immediately. Depending on
the chosen menu item, the current display filter string will be replaced
or appended to by the selected protocol field in the packet details
pane.

|menu:Prepare as Filter[]            ||
Change the current display filter without applying it. Depending on the
chosen menu item, the current display filter string will be replaced or
appended to by the selected protocol field in the packet details pane.

|menu:Conversation Filter[]         ||
Apply a conversation filter for various protocols.

|menu:Enabled Protocols...[]        |kbd:[Shift+Ctrl+E]|
Enable or disable various protocol dissectors. See <<ChAdvEnabledProtocols>>.

|menu:Decode As...[]                ||
Decode certain packets as a particular protocol. See <<ChAdvDecodeAs>>.

|menu:Follow[TCP Stream]            ||
Open a window that displays all the TCP segments captured that are on
the same TCP connection as a selected packet.
See <<ChAdvFollowStreamSection>>.

|menu:Follow[UDP Stream]            ||
Same functionality as “Follow TCP Stream” but for UDP “streams”.

|menu:Follow[TLS Stream]            ||
Same functionality as “Follow TCP Stream” but for TLS or SSL streams.
See the wiki page on link:{wireshark-wiki-url}TLS[TLS] for instructions
on providing TLS keys.

|menu:Follow[HTTP Stream]           ||
Same functionality as “Follow TCP Stream” but for HTTP streams.

|menu:Show Packet Bytes[]           ||
Open a window allowing for decoding and reformatting packet bytes.
You can do actions like Base64 decode, decompress, interpret as
a different character encoding, interpret bytes as an image format,
and save, print, or copy to the clipboard the results.
See <<ChAdvShowPacketBytes>> for more information.

|menu:Expert Info[]                 ||
Open a window showing expert information found in the capture.
Some protocol dissectors add packet detail items for notable or unusual
behavior, such as invalid checksums or retransmissions.
Those items are shown here.
See <<ChAdvExpert>> for more information.

The amount of information will vary depending on the protocol.
|===

[#ChUseStatisticsMenuSection]

=== The “Statistics” Menu

The Wireshark Statistics menu contains the fields shown in <<ChUseStatistics>>.

[#ChUseWiresharkStatisticsMenu]
.The “Statistics” Menu
image::images/ws-statistics-menu.png[{screenshot-attrs}]

Each menu item brings up a new window showing specific statistics.

[#ChUseStatistics]
.Statistics menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Capture File Properties[]|| Show information about the capture file, see <<ChStatSummary>>.
|menu:Resolved Addresses[]||See <<ChStatResolvedAddresses>>
|menu:Protocol Hierarchy[]|| Display a hierarchical tree of protocol statistics, see <<ChStatHierarchy>>.
|menu:Conversations[]|| Display a list of conversations (traffic between two endpoints), see <<ChStatConversationsWindow>>.
|menu:Endpoints[]|| Display a list of endpoints (traffic to/from an address), see <<ChStatEndpointsWindow>>.
|menu:Packet Lengths[]||See <<ChStatPacketLengths>>
|menu:I/O Graphs[]|| Display user specified graphs (e.g., the number of packets in the course of time), see <<ChStatIOGraphs>>.
|menu:Service Response Time[]|| Display the time between a request and the corresponding response, see <<ChStatSRT>>.
|menu:DHCP (BOOTP)[]||See <<ChStatDHCPBOOTP>>
|menu:NetPerfMeter[]||See <<ChStatNetPerfMeter>>
|menu:ONC-RPC Programs[]||See <<ChStatONCRPC>>
|menu:29West[]||See <<ChStat29West>>
|menu:ANCP[]||See <<ChStatANCP>>
|menu:BACnet[]||See <<ChStatBACnet>>
|menu:Collectd[]||See <<ChStatCollectd>>
|menu:DNS[]||See <<ChStatDNS>>
//|menu:Compare...[]||See <<ChStatOtherProtocols>>
|menu:Flow Graph[]||See <<ChStatFlowGraph>>
|menu:HART-IP[]||See <<ChStatHARTIP>>
|menu:HPFEEDS[]||See <<ChStatHPFEEDS>>
|menu:HTTP[]||HTTP request/response statistics, see <<ChStatHTTP>>
|menu:HTTP2[]||See <<ChStatHTTP2>>
|menu:Sametime[]||See <<ChStatSametime>>
|menu:TCP Stream Graphs[]||See <<ChStatTCPStreamGraphs>>
|menu:UDP Multicast Streams[]||See <<ChStatUDPMulticastStreams>>
|menu:Reliable Server Pooling (RSerPool)[]||See <<ChStatRSerPool>>
|menu:F5[]||See <<ChStatF5>>
|menu:IPv4 Statistics[]||See <<ChStatIPv4>>
|menu:IPv6 Statistics[]||See <<ChStatIPv6>>


|===

[#ChUseTelephonyMenuSection]

=== The “Telephony” Menu

The Wireshark Telephony menu contains the fields shown in <<ChUseTelephony>>.

[#ChUseWiresharkTelephonyMenu]
.The “Telephony” Menu
image::images/ws-telephony-menu.png[{screenshot-attrs}]

Each menu item shows specific telephony related statistics.

[#ChUseTelephony]
.Telephony menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:VoIP Calls...[]||See <<ChTelVoipCalls>>
|menu:ANSI[]||See <<ChTelANSI>>
|menu:GSM[]||See <<ChTelGSM>>
|menu:IAX2 Stream Analysis[]||See <<ChTelIAX2Analysis>>
|menu:ISUP Messages[]||See <<ChTelISUPMessages>>
|menu:LTE[]||See <<ChTelLTE>>
|menu:MTP3[]||See <<ChTelMTP3>>
|menu:Osmux[]||See <<ChTelOsmux>>
|menu:RTP[]||See <<ChTelRTPStreams>> and <<ChTelRTPAnalysis>>
|menu:RTSP[]||See <<ChTelRTSP>>
|menu:SCTP[]||See <<ChTelSCTP>>
|menu:SMPP Operations[]||See <<ChTelSMPPOperations>>
|menu:UCP Messages[]||See <<ChTelUCPMessages>>
|menu:H.225[]||See <<ChTelH225>>
|menu:SIP Flows[]||See <<ChTelSIPFlows>>
|menu:SIP Statistics[]||See <<ChTelSIPStatistics>>
|menu:WAP-WSP Packet Counter[]||See <<ChTelWAPWSPPacketCounter>>

|===

[#ChUseWirelessMenuSection]

=== The “Wireless” Menu

The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in <<ChUseWiresharkWirelessMenu>>.

[#ChUseWiresharkWirelessMenu]
.The “Wireless” Menu
image::images/ws-wireless-menu.png[{screenshot-attrs}]

Each menu item shows specific Bluetooth and IEEE 802.11 statistics.

[#ChUseWireless]
.Wireless menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description

|menu:Bluetooth ATT Server Attributes[]||See <<ChWirelessBluetoothATTServerAttributes>>
|menu:Bluetooth Devices[]||See <<ChWirelessBluetoothDevices>>
|menu:Bluetooth HCI Summary[]||See <<ChWirelessBluetoothHCISummary>>
|menu:WLAN Traffic[]||See <<ChWirelessWLANTraffic>>

|===

[#ChUseToolsMenuSection]

=== The “Tools” Menu

The Wireshark Tools menu contains the fields shown in <<ChUseTools>>.

[#ChUseWiresharkToolsMenu]
.The “Tools” Menu
image::images/ws-tools-menu.png[{screenshot-attrs}]

[#ChUseTools]
.Tools menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Firewall ACL Rules[]|| This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh).  Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported.

It is assumed that the rules will be applied to an outside interface.

This menu item is greyed out unless one (and only one) frame is selected in the packet list.
|menu:Credentials[]|| This allows you to extract credentials from the current capture file. Some of the dissectors (ftp, http, imap, pop, smtp) have been instrumented to provide the module with usernames and passwords and more will be instrumented in the future. The dialog shows the packet number where the credentials were found, the protocol that provided them, the username, and protocol-specific information.
|menu:MAC Address Blocks[]|| This allows viewing the IEEE MAC address registry data that Wireshark uses to resolve MAC address blocks to vendor names. The table can be searched by address prefix or vendor name.
|menu:TLS Keylog Launcher[]|| This can launch an application such as a web browser or a terminal window with the SSLKEYLOGFILE environment variable set to the same value as the TLS secret log file. Note that you will probably have to quit your existing web browser session in order to have it run under a fresh environment.
|menu:Lua Console[]|| This option allows you to work with the Lua interpreter optionally built into Wireshark, to inspect Lua internals and evaluate code.
See “Lua Support in Wireshark” in the Wireshark Developer’s Guide.
|===
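
The following is an added example, not part of Wireshark or of this guide. It shows what the “TLS Keylog Launcher” item does in principle: it starts a program in a fresh environment with SSLKEYLOGFILE set, after creating the log file with owner-only permissions because the file holds session secrets, and then checks the resulting lines against the NSS key log format. The function names and the sample lines are assumptions made for illustration.

```python
import os
import re
import stat
import subprocess
import sys

# NSS key log labels for TLS 1.2 (CLIENT_RANDOM) and TLS 1.3 secrets.
# The legacy "RSA" line type uses a different layout and is not handled here.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample input (repeating byte patterns, not real secrets).
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "ab" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ab" * 10,  # truncated secret
    "garbage line",
])


def create_private_keylog(path):
    """Create the key log file readable and writable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return os.path.abspath(path)


def keylog_is_private(path):
    """True when neither group nor others have any access to the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def launch_with_keylog(argv, keylog_path):
    """Run argv in a copy of the environment with SSLKEYLOGFILE set.

    A process reads its environment at start-up, which is why an already
    running browser has to be quit and started again to pick this up.
    Output is captured here only so that the caller can inspect it.
    """
    env = dict(os.environ)
    env["SSLKEYLOGFILE"] = os.path.abspath(keylog_path)
    return subprocess.run(argv, env=env, capture_output=True,
                          text=True, check=False)


def summarize_keylog(text):
    """Count valid lines per label, distinct sessions, and bad line numbers."""
    labels, sessions, malformed = {}, set(), []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match or match.group(1) not in KNOWN_LABELS:
            malformed.append(number)
            continue
        label, client_random, secret = match.groups()
        # TLS 1.2 master secrets are 48 bytes; TLS 1.3 secrets are 32 or 48.
        allowed = (96,) if label == "CLIENT_RANDOM" else (64, 96)
        if len(secret) not in allowed:
            malformed.append(number)
            continue
        labels[label] = labels.get(label, 0) + 1
        sessions.add(client_random.lower())
    return {"labels": labels, "sessions": len(sessions),
            "malformed": malformed}


if __name__ == "__main__":
    print(summarize_keylog(SAMPLE_KEYLOG))
```

Delete the key log file once the analysis is finished; anyone who holds both the file and the capture can decrypt the recorded sessions.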

[#ChUseHelpMenuSection]

=== The “Help” Menu

The Wireshark Help menu contains the fields shown in <<ChUseHelp>>.

[#ChUseWiresharkHelpMenu]
.The “Help” Menu
image::images/ws-help-menu.png[{screenshot-attrs}]

[#ChUseHelp]
.Help menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:User's Guide[]|kbd:[F1]| This menu item brings up the Wireshark User's Guide you're reading right now.
|menu:Manual Pages[...]|| This menu item starts a Web browser showing one of the locally installed HTML manual pages.
|menu:Website[]|| This menu item starts a Web browser showing the webpage from: link:{wireshark-main-url}[].
|menu:FAQs[]|| This menu item starts a Web browser showing various FAQs.
|menu:Downloads[]|| This menu item starts a Web browser showing the downloads from: link:{wireshark-download-url}[].
|menu:Wiki[]|| This menu item starts a Web browser showing the front page from: link:{wireshark-wiki-url}[].
|menu:Sample Captures[]|| This menu item starts a Web browser showing the sample captures from: link:{wireshark-wiki-url}SampleCaptures[].
|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it was built, the plugins loaded, and the folders used.

|===

[NOTE]
====
Opening a Web browser might be unsupported in your version of Wireshark. If this
is the case the corresponding menu items will be hidden.

If calling a Web browser fails on your machine, nothing happens, or the browser
starts but no page is shown, have a look at the web browser setting in the
preferences dialog.
====

[#ChUseMainToolbarSection]

=== The “Main” Toolbar

The main toolbar provides quick access to frequently used items
from the menu. This toolbar cannot be customized by the user, but it can
be hidden using the View menu if the space on the screen is needed to
show more packet data.

Items in the toolbar will be enabled or disabled (greyed out) similar to
their corresponding menu items. For example, the image below shows
the main window toolbar after a file has been opened. Various
file-related buttons are enabled, but the stop capture button is
disabled because a capture is not in progress.

[#ChUseWiresharkMainToolbar]

.The “Main” toolbar
image::images/ws-main-toolbar.png[{screenshot-attrs}]

:toolbar-icon-attrs: height=24,width=24

[#ChUseMainToolbar]
.Main toolbar items
[options="header",cols="1,2,2,4"]
|===
|Toolbar Icon|Toolbar Item|Menu Item|Description
|image:images/toolbar/x-capture-start.png[{toolbar-icon-attrs}] |btn:[Start]|menu:Capture[Start]| Starts capturing packets with the same options as the last capture or the default options if none were set (<<ChCapCapturingSection>>).
|image:images/toolbar/x-capture-stop.png[{toolbar-icon-attrs}]      |btn:[Stop]|menu:Capture[Stop]| Stops the currently running capture (<<ChCapCapturingSection>>).
|image:images/toolbar/x-capture-restart.png[{toolbar-icon-attrs}]   |btn:[Restart]|menu:Capture[Restart]| Restarts the current capture session.
|image:images/toolbar/x-capture-options.png[{toolbar-icon-attrs}]   |btn:[Options...]|menu:Capture[Options...]| Opens the “Capture Options” dialog box. See <<ChCapCapturingSection>> for details.
// --
|image:images/toolbar/document-open.png[{toolbar-icon-attrs}]         |btn:[Open...]|menu:File[Open...]| Opens the file open dialog box, which allows you to load a capture file for viewing. It is discussed in more detail in <<ChIOOpen>>.
|image:images/toolbar/x-capture-file-save.png[{toolbar-icon-attrs}]   |btn:[Save As...]|menu:File[Save As...]| Save the current capture file to whatever file you would like. See <<ChIOSaveAs>> for details. If you currently have a temporary capture file open the “Save” icon  will be shown instead.
|image:images/toolbar/x-capture-file-close.png[{toolbar-icon-attrs}]  |btn:[Close]|menu:File[Close]|Closes the current capture. If you have not saved the capture, you will be asked to save it first.
|image:images/toolbar/x-capture-file-reload.png[{toolbar-icon-attrs}] |btn:[Reload]|menu:View[Reload]| Reloads the current capture file.
// --
|image:images/toolbar/edit-find.png[{toolbar-icon-attrs}]   |btn:[Find Packet...]|menu:Edit[Find Packet...]|Find a packet based on different criteria. See <<ChWorkFindPacketSection>> for details.
|image:images/toolbar/go-previous.png[{toolbar-icon-attrs}] |btn:[Go Back]|menu:Go[Go Back]|Jump back in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go back in the selection history.
|image:images/toolbar/go-next.png[{toolbar-icon-attrs}]     |btn:[Go Forward]|menu:Go[Go Forward]|Jump forward in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go forward in the selection history.
|image:images/toolbar/go-jump.png[{toolbar-icon-attrs}]     |btn:[Go to Packet...]|menu:Go[Go to Packet...]| Go to a specific packet.
|image:images/toolbar/go-first.png[{toolbar-icon-attrs}]    |btn:[Go To First Packet]|menu:Go[First Packet]| Jump to the first packet of the capture file.
|image:images/toolbar/go-last.png[{toolbar-icon-attrs}]     |btn:[Go To Last Packet]|menu:Go[Last Packet]| Jump to the last packet of the capture file.
|image:images/toolbar/x-stay-last.png[{toolbar-icon-attrs}] |btn:[Auto Scroll in Live Capture]|menu:View[Auto Scroll in Live Capture]| Auto scroll packet list while doing a live capture (or not).
// --
|image:images/toolbar/x-colorize-packets.png[{toolbar-icon-attrs}] |btn:[Colorize]|menu:View[Colorize]| Colorize the packet list (or not).
// --
|image:images/toolbar/zoom-in.png[{toolbar-icon-attrs}]          |btn:[Zoom In]|menu:View[Zoom In]| Zoom into the packet data (increase the font size).
|image:images/toolbar/zoom-out.png[{toolbar-icon-attrs}]         |btn:[Zoom Out]|menu:View[Zoom Out]| Zoom out of the packet data (decrease the font size).
|image:images/toolbar/zoom-original.png[{toolbar-icon-attrs}]    |btn:[Normal Size]|menu:View[Normal Size]| Set zoom level back to 100%.
|image:images/toolbar/x-resize-columns.png[{toolbar-icon-attrs}] |btn:[Resize Columns]|menu:View[Resize Columns]| Resize columns, so the content fits into them.
|image:images/toolbar/x-reset-layout_2.png[{toolbar-icon-attrs}] |btn:[Reset Layout]|menu:View[Reset Layout]| Reset layout to default size.
// --
//|image:images/toolbar/stock_colorselector_24.png[{toolbar-icon-attrs}]|btn:[Coloring Rules...]|menu:View[Coloring Rules...]| This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in <<ChCustColorizationSection>>.
|===

[#ChUseFilterToolbarSection]

=== The “Filter” Toolbar

The filter toolbar lets you quickly edit and apply display filters. More
information on display filters is available in <<ChWorkDisplayFilterSection>>.

[#ChUseWiresharkFilterToolbar]

.The “Filter” toolbar
image::images/ws-filter-toolbar.png[{screenshot-attrs}]

// Icons themselves are 32px high.
:filter-icon-attrs: height=24

[#ChUseFilterToolbar]
.Filter toolbar items
[options="header",cols="1,3,5"]
|===
|Toolbar Icon|Name|Description
|image:images/toolbar/filter-toolbar-bookmark.png[{filter-icon-attrs}]|Bookmarks|Manage or select <<ChWorkDefineFilterSection,saved filters>>.
|image:images/toolbar/filter-toolbar-input.png[{filter-icon-attrs}]|Filter Input|The area to enter or edit a display filter string, see <<ChWorkBuildDisplayFilterSection>>. A syntax check of your filter string is done while you are typing. The background will turn red if you enter an incomplete or invalid string, and will become green when you enter a valid string.

After you’ve changed something in this field, don’t forget to press the Apply
button (or the Enter/Return key), to apply this filter string to the display.

This field is also where the current applied filter is displayed.

|image:images/toolbar/filter-toolbar-clear.png[{filter-icon-attrs}]|Clear|Reset the current display filter and clear the edit area.
|image:images/toolbar/filter-toolbar-apply.png[{filter-icon-attrs}]|Apply|Apply the current value in the edit area as the new display filter.

Applying a display filter on large capture files might take quite a long time.

|image:images/toolbar/filter-toolbar-recent.png[{filter-icon-attrs}]|Recent|Select from a list of recently applied filters.
|image:images/toolbar/filter-toolbar-add.png[{filter-icon-attrs}]|Add Button|Add a new filter button.
|btn:[Squirrels]|Filter Button|
Filter buttons are handy shortcuts that apply a display filter as soon as you press them.
You can create filter buttons by pressing the btn:[{plus}] button, right-clicking in the filter button area, or opening the <<ChCustFilterButtons,Filter Button>> section of the <<ChCustPreferencesSection,Preferences Dialog>>.
The example shows a filter button with the label “Squirrels”.
If you have lots of buttons you can arrange them into groups by using “//” as a label separator.
For example, if you create buttons named “Not Squirrels // Rabbits” and “Not Squirrels // Capybaras” they will show up in the toolbar under a single button named “Not Squirrels”.

|===


[#ChUsePacketListPaneSection]

=== The “Packet List” Pane

The packet list pane displays all the packets in the current capture file.

[#ChUseWiresharkListPane]
.The “Packet List” pane
image::images/ws-list-pane.png[{screenshot-attrs}]

Each line in the packet list corresponds to one packet in the capture file. If
you select a line in this pane, more details will be displayed in the “Packet
Details” and “Packet Bytes” panes.

While dissecting a packet, Wireshark will place information from the protocol
dissectors into the columns. As higher-level protocols might overwrite
information from lower levels, you will typically see the information from the
highest possible level only.

For example, let’s look at a packet containing TCP inside IP inside an Ethernet
packet. The Ethernet dissector will write its data (such as the Ethernet
addresses), the IP dissector will overwrite this by its own (such as the IP
addresses), the TCP dissector will overwrite the IP information, and so on.

There are many different columns available. You can choose which columns are
displayed in the preferences. See <<ChCustPreferencesSection>>.

The default columns will show:

* btn:[No.] The number of the packet in the capture file. This number won’t
  change, even if a display filter is used.

* btn:[Time] The timestamp of the packet. The presentation format of this
  timestamp can be changed, see <<ChWorkTimeFormatsSection>>.

* btn:[Source] The address where this packet is coming from.

* btn:[Destination] The address where this packet is going to.

* btn:[Protocol] The protocol name in a short (perhaps abbreviated) version.

* btn:[Length] The length of each packet.

* btn:[Info] Additional information about the packet content.

The first column shows how each packet is related to the selected packet. For
example, in the image above the first packet is selected, which is a DNS
request. Wireshark shows a rightward arrow for the request itself, followed by a
leftward arrow for the response in packet 2. Why is there a dashed line? There
are more DNS packets further down that use the same port numbers. Wireshark
treats them as belonging to the same conversation and draws a line connecting
them.

// Images were created on macOS 10.11 using a retina display. Lines were
// 36 physical pixels high.

[horizontal]
.Related packet symbols

image:images/related-first.png[{related-attrs}]::
  First packet in a conversation.

image:images/related-current.png[{related-attrs}]::
  Part of the selected conversation.

image:images/related-other.png[{related-attrs}]::
  _Not_ part of the selected conversation.

image:images/related-last.png[{related-attrs}]::
  Last packet in a conversation.

image:images/related-request.png[{related-attrs}]::
  Request.

image:images/related-response.png[{related-attrs}]::
  Response.

image:images/related-ack.png[{related-attrs}]::
  The selected packet acknowledges this packet.

image:images/related-dup-ack.png[{related-attrs}]::
  The selected packet is a duplicate acknowledgement of this packet.

image:images/related-segment.png[{related-attrs}]::
  The selected packet is related to this packet in some other way, e.g., as part
  of reassembly.

The packet list has an _Intelligent Scrollbar_ which shows a miniature map of
nearby packets. Each https://en.wikipedia.org/wiki/Raster_graphics[raster line]
of the scrollbar corresponds to a single packet, so the number of packets shown
in the map depends on your physical display and the height of the packet list. A
tall packet list on a high-resolution (“Retina”) display will show you quite a
few packets. In the image above the scrollbar shows the status of more than 500
packets along with the 15 shown in the packet list itself.

Right clicking will show a context menu, described in
<<ChWorkPacketListPanePopUpMenu>>.

[#ChUsePacketDetailsPaneSection]

=== The “Packet Details” Pane

The packet details pane shows the current packet (selected in the “Packet List”
pane) in a more detailed form.

[#ChUseWiresharkDetailsPane]

.The “Packet Details” pane
image::images/ws-details-pane.png[{screenshot-attrs}]

This pane shows the protocols and protocol fields of the packet selected in the
“Packet List” pane. The protocol summary lines (subtree labels) and fields of the
packet are shown in a tree which can be expanded and collapsed.

There is a context menu (right mouse click) available. See details in
<<ChWorkPacketDetailsPanePopUpMenu>>.

Some protocol fields have special meanings.

* *Generated fields.* Wireshark itself will generate additional protocol
  information which isn’t present in the captured data. This information
  is enclosed in square brackets (“[” and “]”). Generated information
  includes response times, TCP analysis, IP geolocation information, and
  checksum validation.

* *Links.* If Wireshark detects a relationship to another packet in the capture
  file it will generate a link to that packet. Links are underlined and
  displayed in blue. If you double-click on a link, Wireshark will jump to the
  corresponding packet.

[#ChUsePacketBytesPaneSection]

=== The “Packet Bytes” Pane

The packet bytes pane shows the data of the current packet (selected in the
“Packet List” pane) in a hexdump style.

[#ChUseWiresharkBytesPane]

.The “Packet Bytes” pane
image::images/ws-bytes-pane.png[{screenshot-attrs}]

The “Packet Bytes” pane shows a canonical
https://en.wikipedia.org/wiki/Hex_dump[hex dump] of the packet data. Each line
contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes.
Non-printable bytes are replaced with a period (“.”).

Depending on the packet data, sometimes more than one page is available, e.g.
when Wireshark has reassembled some packets into a single chunk of data. (See
<<ChAdvReassemblySection>> for details). In this case you can see each data
source by clicking its corresponding tab at the bottom of the pane.

By default, the pane highlights the bytes of the field that the mouse
pointer is hovering over. The highlight follows the mouse cursor
as it moves. If this highlighting is not required or wanted, there are two
methods for deactivating the functionality:

* *Temporarily.* While you hold down the kbd:[Ctrl] key and move the mouse, the
  highlighted field will not change.

* *Permanently.* Using the context menu (right mouse click), the hover highlighting
  may be activated or deactivated. This setting is stored in the selected profile’s
  __recent__ file.

[#ChUseWiresharkBytesPaneTabs]
.The “Packet Bytes” pane with tabs
image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}]

Additional tabs typically contain data reassembled from multiple packets or
decrypted data.

[#ChUsePacketDiagramPaneSection]

=== The “Packet Diagram” Pane

The packet diagram pane shows the current packet (selected in the “Packet List”
pane) as a diagram, similar to ones used in textbooks and IETF RFCs.

[#ChUseWiresharkDiagramPane]

.The “Packet Diagram” pane
image::images/ws-diagram-pane.png[{screenshot-attrs}]

This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams.

There is a context menu (right mouse click) available.
For details see <<ChWorkPacketDiagramPanePopUpMenu>>.

[#ChUseStatusbarSection]

=== The Statusbar

The statusbar displays informational messages.

In general, the left side will show context related information, the middle part
will show information about the current capture file, and the right side will
show the selected configuration profile. Drag the handles between the text areas
to change the size.

[#ChUseWiresharkStatusbarEmpty]
.The initial Statusbar
image::images/ws-statusbar-empty.png[{statusbar-attrs}]

This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started.

[#ChUseWiresharkStatusbarLoaded]
.The Statusbar with a loaded capture file
image::images/ws-statusbar-loaded.png[{statusbar-attrs}]

The colorized bullet...:: on the left shows the highest expert information level found in the currently loaded capture file.
Hovering the mouse over this icon will show a description of the expert info level, and clicking the icon will bring up the Expert Information dialog box.
For a detailed description of this dialog and each expert level, see <<ChAdvExpert>>.

The edit icon...:: on the left side lets you add a comment to the capture file using the <<ChStatSummary,Capture File Properties>> dialog.

The left side...:: shows the capture file name by default.
It also shows field information when hovering over and selecting items in the packet detail and packet bytes panes, as well as general notifications.

The middle...:: shows the current number of packets in the capture file.
The following values are displayed:

Packets::: The number of captured packets.

Displayed::: The number of packets currently being displayed.

Marked::: The number of marked packets. Only displayed if you marked any packets.

Dropped::: The number of dropped packets. Only displayed if Wireshark was unable to capture all packets.

Ignored::: The number of ignored packets. Only displayed if you ignored any packets.

//Load time::: The time it took to load the capture (wall clock time).

The right side...:: shows the selected configuration profile.
Clicking on this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile.

[#ChUseWiresharkStatusbarProfile]
.The Statusbar with a configuration profile menu
image::images/ws-statusbar-profile.png[{pdf-scaledwidth},height=192]

For a detailed description of configuration profiles, see <<ChCustConfigProfilesSection>>.

[#ChUseWiresharkStatusbarSelected]
.The Statusbar with a selected protocol field
image::images/ws-statusbar-selected.png[{statusbar-attrs}]

This is displayed if you have selected a protocol field in the “Packet Details” pane.

[TIP]
====
The value between the parentheses (in this example “ipv6.src”) is the display filter field for the selected item.
You can become more familiar with display filter fields by selecting different packet detail items.
====

[#ChUseWiresharkStatusbarFilter]

//FIXME: Remove or choose a better example of a display filter message.
.The Statusbar with a display filter message
image::images/ws-statusbar-filter.png[{statusbar-attrs}]

This is displayed if you are trying to use a display filter which may have unexpected results.

// End of WSUG Chapter 3