image Wireshark User's Guide

exported for Wireshark 1.4

Ulf Lamping

Richard Sharpe

NS Computer Software and Services P/L

Ed Warnicke

Copyright © 2004-2010 Ulf Lamping , Richard Sharpe , Ed Warnicke

Legal Notice

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.

All logos and trademarks in this document are property of their respective owner.

Preface
1. Foreword
2. Who should read this document?
3. Acknowledgements
4. About this document
5. Where to get the latest copy of this document?
6. Providing feedback about this document
1. Introduction
1.1. What is Wireshark?
1.1.1. Some intended purposes
1.1.2. Features
1.1.3. Live capture from many different network media
1.1.4. Import files from many other capture programs
1.1.5. Export files for many other capture programs
1.1.6. Many protocol decoders
1.1.7. Open Source Software
1.1.8. What Wireshark is not
1.2. System Requirements
1.2.1. General Remarks
1.2.2. Microsoft Windows
1.2.3. Unix / Linux
1.3. Where to get Wireshark?
1.4. A brief history of Wireshark
1.5. Development and maintenance of Wireshark
1.6. Reporting problems and getting help
1.6.1. Website
1.6.2. Wiki
1.6.3. FAQ
1.6.4. Mailing Lists
1.6.5. Reporting Problems
1.6.6. Reporting Crashes on UNIX/Linux platforms
1.6.7. Reporting Crashes on Windows platforms
2. Building and Installing Wireshark
2.1. Introduction
2.2. Obtaining the source and binary distributions
2.3. Before you build Wireshark under UNIX
2.4. Building Wireshark from source under UNIX
2.5. Installing the binaries under UNIX
2.5.1. Installing from rpm's under Red Hat and alike
2.5.2. Installing from deb's under Debian
2.5.3. Installing from portage under Gentoo Linux
2.5.4. Installing from packages under FreeBSD
2.6. Troubleshooting during the install on Unix
2.7. Building from source under Windows
2.8. Installing Wireshark under Windows
2.8.1. Install Wireshark
2.8.2. Manual WinPcap Installation
2.8.3. Update Wireshark
2.8.4. Update WinPcap
2.8.5. Uninstall Wireshark
2.8.6. Uninstall WinPcap
3. User Interface
3.1. Introduction
3.2. Start Wireshark
3.3. The Main window
3.3.1. Main Window Navigation
3.4. The Menu
3.5. The "File" menu
3.6. The "Edit" menu
3.7. The "View" menu
3.8. The "Go" menu
3.9. The "Capture" menu
3.10. The "Analyze" menu
3.11. The "Statistics" menu
3.12. The "Telephony" menu
3.13. The "Tools" menu
3.14. The "Help" menu
3.15. The "Main" toolbar
3.16. The "Filter" toolbar
3.17. The "Packet List" pane
3.18. The "Packet Details" pane
3.19. The "Packet Bytes" pane
3.20. The Statusbar
4. Capturing Live Network Data
4.1. Introduction
4.2. Prerequisites
4.3. Start Capturing
4.4. The "Capture Interfaces" dialog box
4.5. The "Capture Options" dialog box
4.5.1. Capture frame
4.5.2. Capture File(s) frame
4.5.3. Stop Capture... frame
4.5.4. Display Options frame
4.5.5. Name Resolution frame
4.5.6. Buttons
4.6. The "Remote Capture Interfaces" dialog box
4.6.1. Remote Capture Interfaces
4.6.2. Remote Capture
4.6.3. Remote Capture Settings
4.7. The "Interface Details" dialog box
4.8. Capture files and file modes
4.9. Link-layer header type
4.10. Filtering while capturing
4.10.1. Automatic Remote Traffic Filtering
4.11. While a Capture is running ...
4.11.1. Stop the running capture
4.11.2. Restart a running capture
5. File Input / Output and Printing
5.1. Introduction
5.2. Open capture files
5.2.1. The "Open Capture File" dialog box
5.2.2. Input File Formats
5.3. Saving captured packets
5.3.1. The "Save Capture File As" dialog box
5.3.2. Output File Formats
5.4. Merging capture files
5.4.1. The "Merge with Capture File" dialog box
5.5. File Sets
5.5.1. The "List Files" dialog box
5.6. Exporting data
5.6.1. The "Export as Plain Text File" dialog box
5.6.2. The "Export as PostScript File" dialog box
5.6.3. The "Export as CSV (Comma Separated Values) File" dialog box
5.6.4. The "Export as C Arrays (packet bytes) file" dialog box
5.6.5. The "Export as PSML File" dialog box
5.6.6. The "Export as PDML File" dialog box
5.6.7. The "Export selected packet bytes" dialog box
5.6.8. The "Export Objects" dialog box
5.7. Printing packets
5.7.1. The "Print" dialog box
5.8. The Packet Range frame
5.9. The Packet Format frame
6. Working with captured packets
6.1. Viewing packets you have captured
6.2. Pop-up menus
6.2.1. Pop-up menu of the "Packet List" pane
6.2.2. Pop-up menu of the "Packet Details" pane
6.3. Filtering packets while viewing
6.4. Building display filter expressions
6.4.1. Display filter fields
6.4.2. Comparing values
6.4.3. Combining expressions
6.4.4. A common mistake
6.5. The "Filter Expression" dialog box
6.6. Defining and saving filters
6.7. Defining and saving filter macros
6.8. Finding packets
6.8.1. The "Find Packet" dialog box
6.8.2. The "Find Next" command
6.8.3. The "Find Previous" command
6.9. Go to a specific packet
6.9.1. The "Go Back" command
6.9.2. The "Go Forward" command
6.9.3. The "Go to Packet" dialog box
6.9.4. The "Go to Corresponding Packet" command
6.9.5. The "Go to First Packet" command
6.9.6. The "Go to Last Packet" command
6.10. Marking packets
6.11. Ignoring packets
6.12. Time display formats and time references
6.12.1. Packet time referencing
7. Advanced Topics
7.1. Introduction
7.2. Following TCP streams
7.2.1. The "Follow TCP Stream" dialog box
7.3. Expert Infos
7.3.1. Expert Info Entries
7.3.2. "Expert Info Composite" dialog
7.3.3. "Colorized" Protocol Details Tree
7.3.4. "Expert" Packet List Column (optional)
7.4. Time Stamps
7.4.1. Wireshark internals
7.4.2. Capture file formats
7.4.3. Accuracy
7.5. Time Zones
7.5.1. Set your computer's time correctly!
7.5.2. Wireshark and Time Zones
7.6. Packet Reassembling
7.6.1. What is it?
7.6.2. How Wireshark handles it
7.7. Name Resolution
7.7.1. Name Resolution drawbacks
7.7.2. Ethernet name resolution (MAC layer)
7.7.3. IP name resolution (network layer)
7.7.4. IPX name resolution (network layer)
7.7.5. TCP/UDP port name resolution (transport layer)
7.8. Checksums
7.8.1. Wireshark checksum validation
7.8.2. Checksum offloading
8. Statistics
8.1. Introduction
8.2. The "Summary" window
8.3. The "Protocol Hierarchy" window
8.4. Conversations
8.4.1. What is a Conversation?
8.4.2. The "Conversations" window
8.4.3. The protocol specific "Conversation List" windows
8.5. Endpoints
8.5.1. What is an Endpoint?
8.5.2. The "Endpoints" window
8.5.3. The protocol specific "Endpoint List" windows
8.6. The "IO Graphs" window
8.7. Service Response Time
8.7.1. The "Service Response Time DCE-RPC" window
8.8. Compare two capture files
8.9. WLAN Traffic Statistics
8.10. The protocol specific statistics windows
9. Telephony
9.1. Introduction
9.2. RTP Analysis
9.3. VoIP Calls
9.4. LTE MAC Traffic Statistics
9.5. LTE RLC Traffic Statistics
9.6. The protocol specific statistics windows
10. Customizing Wireshark
10.1. Introduction
10.2. Start Wireshark from the command line
10.3. Packet colorization
10.4. Control Protocol dissection
10.4.1. The "Enabled Protocols" dialog box
10.4.2. User Specified Decodes
10.4.3. Show User Specified Decodes
10.5. Preferences
10.5.1. Interface Options
10.6. Configuration Profiles
10.7. User Table
10.8. Display Filter Macros
10.9. ESS Category Attributes
10.10. GeoIP Database Paths
10.11. IKEv2 decryption table
10.12. Object Identifiers
10.13. PRES Users Context List
10.14. SCCP users Table
10.15. SMI (MIB and PIB) Modules
10.16. SMI (MIB and PIB) Paths
10.17. SNMP Enterprise Specific Trap Types
10.18. SNMP users Table
10.19. Tektronix K12xx/15 RF5 protocols Table
10.20. User DLTs protocol table
11. Lua Support in Wireshark
11.1. Introduction
11.2. Example of Dissector written in Lua
11.3. Example of Listener written in Lua
11.4. Wireshark's Lua API Reference Manual
11.4.1. Saving capture files
11.4.2. Obtaining dissection data
11.4.3. GUI support
11.4.4. Post-dissection packet analysis
11.4.5. Obtaining packet information
11.4.6. Functions for writing dissectors
11.4.7. Adding information to the dissection tree
11.4.8. Functions for handling packet data
11.4.9. Utility Functions
A. Files and Folders
A.1. Capture Files
A.1.1. Libpcap File Contents
A.1.2. Not Saved in the Capture File
A.2. Configuration Files and Folders
A.2.1. Protocol help configuration
A.3. Windows folders
A.3.1. Windows profiles
A.3.2. Windows Vista/XP/2000/NT roaming profiles
A.3.3. Windows temporary folder
B. Protocols and Protocol Fields
C. Wireshark Messages
C.1. Packet List Messages
C.1.1. [Malformed Packet]
C.1.2. [Packet size limited during capture]
C.2. Packet Details Messages
C.2.1. [Response in frame: 123]
C.2.2. [Request in frame: 123]
C.2.3. [Time from request: 0.123 seconds]
C.2.4. [Stream setup by PROTOCOL (frame 123)]
D. Related command line tools
D.1. Introduction
D.2. tshark: Terminal-based Wireshark
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark
D.5. capinfos: Print information about capture files
D.6. rawshark: Dump and analyze network traffic.
D.7. editcap: Edit capture files
D.8. mergecap: Merging multiple capture files into one
D.9. text2pcap: Converting ASCII hexdumps to network captures
D.10. idl2wrs: Creating dissectors from CORBA IDL files
D.10.1. What is it?
D.10.2. Why do this?
D.10.3. How to use idl2wrs
D.10.4. TODO
D.10.5. Limitations
D.10.6. Notes
E. This Document's License (GPL)
n
Next Page
p
Previos Page
h
Book Home
u
Go Up One Level
?
Press ? for Help
esc
Hide Help
Your Ad Here