WebSVN – nexmon – Blame – Rev 1 – /utilities/wireshark/doc/wireshark.pod.template

1

office

1

=begin man

=encoding utf8

=end man

=head1 NAME

wireshark - Interactively dump and analyze network traffic

=head1 SYNOPSIS

B<wireshark>

S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>

15

S<[ B<-b> E<lt>capture ring buffer optionE<gt> ] ...>

16

S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >

17

S<[ B<-c> E<lt>capture packet countE<gt> ]>

18

S<[ B<-C> E<lt>configuration profileE<gt> ]>

19

S<[ B<-d> E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt> ]>

20

S<[ B<-D> ]>

21

S<[ B<--display=>E<lt>X display to useE<gt> ] >

22

S<[ B<-f> E<lt>capture filterE<gt> ]>

23

S<[ B<-g> E<lt>packet numberE<gt> ]>

24

S<[ B<-h> ]>

25

S<[ B<-H> ]>

26

S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>

27

S<[ B<-I> ]>

28

S<[ B<-j> ]>

29

S<[ B<-J> E<lt>jump filterE<gt> ]>

30

S<[ B<-k> ]>

31

S<[ B<-K> E<lt>keytabE<gt> ]>

32

S<[ B<-l> ]>

33

S<[ B<-L> ]>

34

S<[ B<-m> E<lt>fontE<gt> ]>

35

S<[ B<-n> ]>

36

S<[ B<-N> E<lt>name resolving flagsE<gt> ] >

37

S<[ B<-o> E<lt>preference/recent settingE<gt> ] ...>

38

S<[ B<-p> ]>

39

S<[ B<-P> E<lt>path settingE<gt>]>

40

S<[ B<-r> E<lt>infileE<gt> ]>

41

S<[ B<-R> E<lt>read (display) filterE<gt> ]>

42

S<[ B<-s> E<lt>capture snaplenE<gt> ]>

43

S<[ B<-S> ]>

44

S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>

45

S<[ B<-v> ]>

46

S<[ B<-w> E<lt>outfileE<gt> ]>

47

S<[ B<-X> E<lt>eXtension optionE<gt> ]>

48

S<[ B<-y> E<lt>capture link typeE<gt> ]>

49

S<[ B<-Y> E<lt>displaY filterE<gt> ]>

50

S<[ B<-z> E<lt>statisticsE<gt> ]>

51

S<[ E<lt>infileE<gt> ]>

=head1 DESCRIPTION

B<Wireshark> is a GUI network protocol analyzer. It lets you

56

interactively browse packet data from a live network or from a

57

previously saved capture file. B<Wireshark>'s native capture file format

58

is B<pcap> format, which is also the format used by B<tcpdump> and

59

various other tools.

60

61

B<Wireshark> can read / import the following file formats:

=over 4

=item *

pcap - captures from B<Wireshark>/B<TShark>/B<dumpcap>, B<tcpdump>,

67

and various other tools using libpcap's/WinPcap's/tcpdump's/WinDump's

capture format

=item *

pcap-ng - "next-generation" successor to pcap format

72

73

=item *

74

B<snoop> and B<atmsnoop> captures

75

76

=item *

77

Shomiti/Finisar B<Surveyor> captures

78

79

=item *

80

Novell B<LANalyzer> captures

81

82

=item *

83

Microsoft B<Network Monitor> captures

84

85

=item *

86

AIX's B<iptrace> captures

87

88

=item *

89

Cinco Networks B<NetXRay> captures

90

91

=item *

92

Network Associates Windows-based B<Sniffer> captures

93

94

=item *

95

Network General/Network Associates DOS-based B<Sniffer> (compressed or uncompressed) captures

96

97

=item *

98

AG Group/WildPackets/Savvius B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>/B<PacketGrabber> captures

99

100

=item *

101

B<RADCOM>'s WAN/LAN analyzer captures

102

103

=item *

104

Network Instruments B<Observer> version 9 captures

105

106

=item *

107

B<Lucent/Ascend> router debug output

108

109

=item *

110

files from HP-UX's B<nettl>

111

112

=item *

113

B<Toshiba's> ISDN routers dump output

114

115

=item *

116

the output from B<i4btrace> from the ISDN4BSD project

117

118

=item *

119

traces from the B<EyeSDN> USB S0.

120

121

=item *

122

the output in B<IPLog> format from the Cisco Secure Intrusion Detection System

123

124

=item *

125

B<pppd logs> (pppdump format)

126

127

=item *

128

the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities

129

130

=item *

131

the text output from the B<DBS Etherwatch> VMS utility

132

133

=item *

134

Visual Networks' B<Visual UpTime> traffic capture

135

136

=item *

137

the output from B<CoSine> L2 debug

138

139

=item *

140

the output from InfoVista's B<5View> LAN agents

141

142

=item *

143

Endace Measurement Systems' ERF format captures

144

145

=item *

146

Linux Bluez Bluetooth stack B<hcidump -w> traces

147

148

=item *

149

Catapult DCT2000 .out files

150

151

=item *

152

Gammu generated text output from Nokia DCT3 phones in Netmonitor mode

153

154

=item *

155

IBM Series (OS/400) Comm traces (ASCII & UNICODE)

156

157

=item *

158

Juniper Netscreen snoop files

159

160

=item *

161

Symbian OS btsnoop files

162

163

=item *

164

TamoSoft CommView files

165

166

=item *

167

Textronix K12xx 32bit .rf5 format files

168

169

=item *

170

Textronix K12 text file format captures

171

172

=item *

173

Apple PacketLogger files

174

175

=item *

176

Files from Aethra Telecommunications' PC108 software for their test

instruments

=item *

MPEG-2 Transport Streams as defined in ISO/IEC 13818-1

181

182

=item *

183

Rabbit Labs CAM Inspector files

184

185

=item *

186

Colasoft Capsa files

=back

There is no need to tell B<Wireshark> what type of

191

file you are reading; it will determine the file type by itself.

192

B<Wireshark> is also capable of reading any of these file formats if they

193

are compressed using gzip. B<Wireshark> recognizes this directly from

194

the file; the '.gz' extension is not required for this purpose.

195

196

Like other protocol analyzers, B<Wireshark>'s main window shows 3 views

197

of a packet. It shows a summary line, briefly describing what the

198

packet is. A packet details display is shown, allowing you to drill

199

down to exact protocol or field that you interested in. Finally, a hex

200

dump shows you exactly what the packet looks like when it goes over the

201

wire.

202

203

In addition, B<Wireshark> has some features that make it unique. It can

204

assemble all the packets in a TCP conversation and show you the ASCII

205

(or EBCDIC, or hex) data in that conversation. Display filters in

206

B<Wireshark> are very powerful; more fields are filterable in B<Wireshark>

207

than in other protocol analyzers, and the syntax you can use to create

208

your filters is richer. As B<Wireshark> progresses, expect more and more

209

protocol fields to be allowed in display filters.

210

211

Packet capturing is performed with the pcap library. The capture filter

212

syntax follows the rules of the pcap library. This syntax is different

213

from the display filter syntax.

214

215

Compressed file support uses (and therefore requires) the zlib library.

216

If the zlib library is not present, B<Wireshark> will compile, but will

217

be unable to read compressed files.

218

219

The pathname of a capture file to be read can be specified with the

220

B<-r> option or can be specified as a command-line argument.

=head1 OPTIONS

Most users will want to start B<Wireshark> without options and configure

225

it from the menus instead. Those users may just skip this section.

=over 4

=item -a E<lt>capture autostop conditionE<gt>

230

231

Specify a criterion that specifies when B<Wireshark> is to stop writing

232

to a capture file. The criterion is of the form I<test>B<:>I<value>,

233

where I<test> is one of:

234

235

B<duration>:I<value> Stop writing to a capture file after I<value> seconds have

236

elapsed.

237

238

B<filesize>:I<value> Stop writing to a capture file after it reaches a size of

239

I<value> kB. If this option is used together with the -b option, Wireshark

240

will stop writing to the current capture file and switch to the next one if

241

filesize is reached. Note that the filesize is limited to a maximum value of

242

2 GiB.

243

244

B<files>:I<value> Stop writing to capture files after I<value> number of files

245

were written.

246

247

=item -b E<lt>capture ring buffer optionE<gt>

248

249

Cause B<Wireshark> to run in "multiple files" mode. In "multiple files" mode,

250

B<Wireshark> will write to several capture files. When the first capture file

251

fills up, B<Wireshark> will switch writing to the next file and so on.

252

253

The created filenames are based on the filename given with the B<-w> flag,

254

the number of the file and on the creation date and time,

255

e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...

256

257

With the I<files> option it's also possible to form a "ring buffer".

258

This will fill up new files until the number of files specified,

259

at which point B<Wireshark> will discard the data in the first file and start

260

writing to that file and so on. If the I<files> option is not set,

261

new files filled up until one of the capture stop conditions match (or

262

until the disk is full).

263

264

The criterion is of the form I<key>B<:>I<value>,

265

where I<key> is one of:

266

267

B<duration>:I<value> switch to the next file after I<value> seconds have

268

elapsed, even if the current file is not completely filled up.

269

270

B<filesize>:I<value> switch to the next file after it reaches a size of

271

I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.

272

273

B<files>:I<value> begin again with the first file after I<value> number of

274

files were written (form a ring buffer). This value must be less than 100000.

275

Caution should be used when using large numbers of files: some filesystems do

276

not handle many files in a single directory well. The B<files> criterion

277

requires either B<duration> or B<filesize> to be specified to control when to

278

go to the next file. It should be noted that each B<-b> parameter takes exactly

279

one criterion; to specify two criterion, each must be preceded by the B<-b>

280

option.

281

282

Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files

283

of size one megabyte each.

284

285

=item -B E<lt>capture buffer sizeE<gt>

286

287

Set capture buffer size (in MiB, default is 2 MiB). This is used by

288

the capture driver to buffer packet data until that data can be written

289

to disk. If you encounter packet drops while capturing, try to increase

290

this size. Note that, while B<Wireshark> attempts to set the buffer size

291

to 2 MiB by default, and can be told to set it to a larger value, the

292

system or interface on which you're capturing might silently limit the

293

capture buffer size to a lower value or raise it to a higher value.

294

295

This is available on UNIX systems with libpcap 1.0.0 or later and on

296

Windows. It is not available on UNIX systems with earlier versions of

297

libpcap.

298

299

This option can occur multiple times. If used before the first

300

occurrence of the B<-i> option, it sets the default capture buffer size.

301

If used after an B<-i> option, it sets the capture buffer size for

302

the interface specified by the last B<-i> option occurring before

303

this option. If the capture buffer size is not set specifically,

304

the default capture buffer size is used instead.

305

306

=item -c E<lt>capture packet countE<gt>

307

308

Set the maximum number of packets to read when capturing live

309

data.

310

311

=item -C E<lt>configuration profileE<gt>

312

313

Start with the given configuration profile.

314

315

=item -d E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt>

316

317

Like Wireshark's B<Decode As...> feature, this lets you specify how a

318

layer type should be dissected. If the layer type in question (for example,

319

B<tcp.port> or B<udp.port> for a TCP or UDP port number) has the specified

320

selector value, packets should be dissected as the specified protocol.

321

322

Example: B<-d tcp.port==8888,http> will decode any traffic running over

323

TCP port 8888 as HTTP.

324

325

See the tshark(1) manual page for more examples.

=item -D

Print a list of the interfaces on which B<Wireshark> can capture, and

330

exit. For each network interface, a number and an

331

interface name, possibly followed by a text description of the

332

interface, is printed. The interface name or the number can be supplied

333

to the B<-i> flag to specify an interface on which to capture.

334

335

This can be useful on systems that don't have a command to list them

336

(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);

337

the number can be useful on Windows 2000 and later systems, where the

338

interface name is a somewhat complex string.

339

340

Note that "can capture" means that B<Wireshark> was able to open

341

that device to do a live capture; if, on your system, a program doing a

342

network capture must be run from an account with special privileges (for

343

example, as root), then, if B<Wireshark> is run with the B<-D> flag and

344

is not run from such an account, it will not list any interfaces.

345

346

=item --display=E<lt>X display to useE<gt>

347

348

Specifies the X display to use. A hostname and screen (otherhost:0.0)

349

or just a screen (:0.0) can be specified. This option is not available

350

under Windows.

351

352

=item -f E<lt>capture filterE<gt>

353

354

Set the capture filter expression.

355

356

This option can occur multiple times. If used before the first

357

occurrence of the B<-i> option, it sets the default capture filter expression.

358

If used after an B<-i> option, it sets the capture filter expression for

359

the interface specified by the last B<-i> option occurring before

360

this option. If the capture filter expression is not set specifically,

361

the default capture filter expression is used if provided.

362

363

Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,

364

can be used by prefixing the argument with "predef:".

365

Example: B<-f "predef:MyPredefinedHostOnlyFilter">

366

367

=item -g E<lt>packet numberE<gt>

368

369

After reading in a capture file using the B<-r> flag, go to the given I<packet number>.

=item -h

Print the version and options and exit.

=item -H

Hide the capture info dialog during live packet capture.

378

379

=item -i E<lt>capture interfaceE<gt>|-

380

381

Set the name of the network interface or pipe to use for live packet

382

capture.

383

384

Network interface names should match one of the names listed in

385

"B<wireshark -D>" (described above); a number, as reported by

386

"B<wireshark -D>", can also be used. If you're using UNIX, "B<netstat

387

-i>" or "B<ifconfig -a>" might also work to list interface names,

388

although not all versions of UNIX support the B<-a> flag to B<ifconfig>.

389

390

If no interface is specified, B<Wireshark> searches the list of

391

interfaces, choosing the first non-loopback interface if there are any

392

non-loopback interfaces, and choosing the first loopback interface if

393

there are no non-loopback interfaces. If there are no interfaces at all,

394

B<Wireshark> reports an error and doesn't start the capture.

395

396

Pipe names should be either the name of a FIFO (named pipe) or ``-'' to

397

read data from the standard input. On Windows systems, pipe names must be

398

of the form ``\\pipe\.\B<pipename>''. Data read from pipes must be in

399

standard pcap format.

400

401

This option can occur multiple times. When capturing from multiple

402

interfaces, the capture file will be saved in pcap-ng format.

=item -I

Put the interface in "monitor mode"; this is supported only on IEEE

407

802.11 Wi-Fi interfaces, and supported only on some operating systems.

408

409

Note that in monitor mode the adapter might disassociate from the

410

network with which it's associated, so that you will not be able to use

411

any wireless networks with that adapter. This could prevent accessing

412

files on a network server, or resolving host names or network addresses,

413

if you are capturing in monitor mode and are not connected to another

414

network with another adapter.

415

416

This option can occur multiple times. If used before the first

417

occurrence of the B<-i> option, it enables the monitor mode for all interfaces.

418

If used after an B<-i> option, it enables the monitor mode for

419

the interface specified by the last B<-i> option occurring before

this option.

=item -j

Use after B<-J> to change the behavior when no exact match is found for

425

the filter. With this option select the first packet before.

426

427

=item -J E<lt>jump filterE<gt>

428

429

After reading in a capture file using the B<-r> flag, jump to the packet

430

matching the filter (display filter syntax). If no exact match is found

431

the first packet after that is selected.

=item -k

Start the capture session immediately. If the B<-i> flag was

436

specified, the capture uses the specified interface. Otherwise,

437

B<Wireshark> searches the list of interfaces, choosing the first

438

non-loopback interface if there are any non-loopback interfaces, and

439

choosing the first loopback interface if there are no non-loopback

440

interfaces; if there are no interfaces, B<Wireshark> reports an error and

441

doesn't start the capture.

442

443

=item -K E<lt>keytabE<gt>

444

445

Load kerberos crypto keys from the specified keytab file.

446

This option can be used multiple times to load keys from several files.

447

448

Example: B<-K krb5.keytab>

=item -l

Turn on automatic scrolling if the packet display is being updated

453

automatically as packets arrive during a capture (as specified by the

B<-S> flag).

=item -L

List the data link types supported by the interface and exit.

459

460

=item -m E<lt>fontE<gt>

461

462

GTK+ only. Deprecated.

463

464

Set the name of the monospace font used in the packet list, packet detail,

465

packet bytes, and other views. This option is deprecated and will be removed

466

in a future version of Wireshark. Use B<-o gui.qt.font_name> or

467

B<-o gui.gtk2.font_name> instead.

=item -n

Disable network object name resolution (such as hostname, TCP and UDP port

472

names), the B<-N> flag might override this one.

473

474

=item -N E<lt>name resolving flagsE<gt>

475

476

Turn on name resolving only for particular types of addresses and port

477

numbers, with name resolving for other types of addresses and port

478

numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are

479

present. If both B<-N> and B<-n> flags are not present, all name resolutions

480

are turned on.

481

482

The argument is a string that may contain the letters:

483

484

B<m> to enable MAC address resolution

485

486

B<n> to enable network address resolution

487

488

B<N> to enable using external resolvers (e.g., DNS) for network address

489

resolution

490

491

B<t> to enable transport-layer port number resolution

492

493

B<d> to enable resolution from captured DNS packets

494

495

=item -o E<lt>preference/recent settingE<gt>

496

497

Set a preference or recent value, overriding the default value and any value

498

read from a preference/recent file. The argument to the flag is a string of

499

the form I<prefname>B<:>I<value>, where I<prefname> is the name of the

500

preference/recent value (which is the same name that would appear in the

501

preference/recent file), and I<value> is the value to which it should be set.

502

Since B<Ethereal> 0.10.12, the recent settings replaces the formerly used

503

-B, -P and -T flags to manipulate the GUI dimensions.

504

505

If I<prefname> is "uat", you can override settings in various user access

506

tables using the form uatB<:>I<uat filename>:I<uat record>. I<uat filename>

507

must be the name of a UAT file, e.g. I<user_dlts>. I<uat_record> must be in

508

the form of a valid record for that file, including quotes. For instance, to

509

specify a user DLT from the command line, you would use

510

511

-o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""

=item -p

I<Don't> put the interface into promiscuous mode. Note that the

516

interface might be in promiscuous mode for some other reason; hence,

517

B<-p> cannot be used to ensure that the only traffic that is captured is

518

traffic sent to or from the machine on which B<Wireshark> is running,

519

broadcast traffic, and multicast traffic to addresses received by that

520

machine.

521

522

This option can occur multiple times. If used before the first

523

occurrence of the B<-i> option, no interface will be put into the

524

promiscuous mode.

525

If used after an B<-i> option, the interface specified by the last B<-i>

526

option occurring before this option will not be put into the

527

promiscuous mode.

528

529

=item -P E<lt>path settingE<gt>

530

531

Special path settings usually detected automatically. This is used for

532

special cases, e.g. starting Wireshark from a known location on an USB stick.

533

534

The criterion is of the form I<key>B<:>I<path>, where I<key> is one of:

535

536

B<persconf>:I<path> path of personal configuration files, like the

537

preferences files.

538

539

B<persdata>:I<path> path of personal data files, it's the folder initially

540

opened. After the very first initialization, the recent file will keep the

541

folder last used.

542

543

=item -r E<lt>infileE<gt>

544

545

Read packet data from I<infile>, can be any supported capture file format

546

(including gzipped files). It's not possible to use named pipes or stdin

547

here! To capture from a pipe or from stdin use B<-i ->

548

549

=item -R E<lt>read (display) filterE<gt>

550

551

When reading a capture file specified with the B<-r> flag, causes the

552

specified filter (which uses the syntax of display filters, rather than

553

that of capture filters) to be applied to all packets read from the

554

capture file; packets not matching the filter are discarded.

555

556

=item -s E<lt>capture snaplenE<gt>

557

558

Set the default snapshot length to use when capturing live data.

559

No more than I<snaplen> bytes of each network packet will be read into

560

memory, or saved to disk. A value of 0 specifies a snapshot length of

561

65535, so that the full packet is captured; this is the default.

562

563

This option can occur multiple times. If used before the first

564

occurrence of the B<-i> option, it sets the default snapshot length.

565

If used after an B<-i> option, it sets the snapshot length for

566

the interface specified by the last B<-i> option occurring before

567

this option. If the snapshot length is not set specifically,

568

the default snapshot length is used if provided.

=item -S

Automatically update the packet display as packets are coming in.

573

574

=item -t a|ad|adoy|d|dd|e|r|u|ud|udoy

575

576

Set the format of the packet timestamp displayed in the packet list

577

window. The format can be one of:

578

579

B<a> absolute: The absolute time, as local time in your time zone,

580

is the actual time the packet was captured, with no date displayed

581

582

B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,

583

and time, as local time in your time zone, is the actual time and date

584

the packet was captured

585

586

B<adoy> absolute with date using day of year: The absolute date,

587

displayed as YYYY/DOY, and time, as local time in your time zone,

588

is the actual time and date the packet was captured

589

590

B<d> delta: The delta time is the time since the previous packet was

591

captured

592

593

B<dd> delta_displayed: The delta_displayed time is the time since the

594

previous displayed packet was captured

595

596

B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

597

598

B<r> relative: The relative time is the time elapsed between the first packet

599

and the current packet

600

601

B<u> UTC: The absolute time, as UTC, is the actual time the packet was

602

captured, with no date displayed

603

604

B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,

605

and time, as UTC, is the actual time and date the packet was captured

606

607

B<udoy> UTC with date using day of year: The absolute date, displayed

608

as YYYY/DOY, and time, as UTC, is the actual time and date the packet

609

was captured

610

611

The default format is relative.

=item -v

Print the version and exit.

616

617

=item -w E<lt>outfileE<gt>

618

619

Set the default capture file name.

620

621

=item -X E<lt>eXtension optionsE<gt>

622

623

Specify an option to be passed to an B<Wireshark> module. The eXtension option

624

is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:

625

626

B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the

627

default Lua scripts.

628

629

B<lua_script>I<num>:I<argument> tells B<Wireshark> to pass the given argument

630

to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command.

631

For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'

632

will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'

633

and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua

634

script, namely 'other.lua'.

635

636

B<read_format>:I<file_format> tells B<Wireshark> to use the given file format to read in the

637

file (the file given in the B<-r> command option).

638

639

B<stdin_descr>:I<description> tells B<Wireshark> to use the given description when

640

capturing from standard input (B<-i ->).

641

642

=item -y E<lt>capture link typeE<gt>

643

644

If a capture is started from the command line with B<-k>, set the data

645

link type to use while capturing packets. The values reported by B<-L>

646

are the values that can be used.

647

648

This option can occur multiple times. If used before the first

649

occurrence of the B<-i> option, it sets the default capture link type.

650

If used after an B<-i> option, it sets the capture link type for

651

the interface specified by the last B<-i> option occurring before

652

this option. If the capture link type is not set specifically,

653

the default capture link type is used if provided.

654

655

=item -Y E<lt>displaY filterE<gt>

656

657

Start with the given display filter.

658

659

=item -z E<lt>statisticsE<gt>

660

661

Get B<Wireshark> to collect various types of statistics and display the result

662

in a window that updates in semi-real time.

663

664

Currently implemented statistics are:

=over 4

=item B<-z help>

Display all possible values for B<-z>.

671

672

=item B<-z> afp,srt[,I<filter>]

673

674

Show Apple Filing Protocol service response time statistics.

675

676

=item B<-z> conv,I<type>[,I<filter>]

677

678

Create a table that lists all conversations that could be seen in the

679

capture. I<type> specifies the conversation endpoint types for which we

680

want to generate the statistics; currently the supported ones are:

681

682

"eth" Ethernet addresses

683

"fc" Fibre Channel addresses

684

"fddi" FDDI addresses

685

"ip" IPv4 addresses

686

"ipv6" IPv6 addresses

687

"ipx" IPX addresses

688

"tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported

689

"tr" Token Ring addresses

690

"udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported

691

692

If the optional I<filter> is specified, only those packets that match the

693

filter will be used in the calculations.

694

695

The table is presented with one line for each conversation and displays

696

the number of packets/bytes in each direction as well as the total

697

number of packets/bytes. By default, the table is sorted according to

698

the total number of packets.

699

700

These tables can also be generated at runtime by selecting the appropriate

701

conversation type from the menu "Tools/Statistics/Conversation List/".

702

703

=item B<-z> dcerpc,srt,I<name-or-uuid>,I<major>.I<minor>[,I<filter>]

704

705

Collect call/reply SRT (Service Response Time) data for DCERPC interface

706

I<name> or I<uuid>, version I<major>.I<minor>.

707

Data collected is the number of calls for each procedure, MinSRT, MaxSRT

708

and AvgSRT.

709

Interface I<name> and I<uuid> are case-insensitive.

710

711

Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.

712

713

This option can be used multiple times on the command line.

714

715

If the optional I<filter> is provided, the stats will only be calculated

716

on those calls that match that filter.

717

718

Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR

719

SRT statistics for a specific host.

720

721

=item B<-z> bootp,stat[,I<filter>]

722

723

Show DHCP (BOOTP) statistics.

=item B<-z> expert

Show expert information.

728

729

=item B<-z> fc,srt[,I<filter>]

730

731

Collect call/reply SRT (Service Response Time) data for FC. Data collected

732

is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT.

733

734

Example: B<-z fc,srt>

735

will calculate the Service Response Time as the time delta between the

736

First packet of the exchange and the Last packet of the exchange.

737

738

The data will be presented as separate tables for all normal FC commands,

739

Only those commands that are seen in the capture will have its stats

740

displayed.

741

742

This option can be used multiple times on the command line.

743

744

If the optional I<filter> is provided, the stats will only be calculated

745

on those calls that match that filter.

746

747

Example: B<-z "fc,srt,fc.id==01.02.03"> will collect stats only for

748

FC packets exchanged by the host at FC address 01.02.03 .

749

750

=item B<-z> h225,counter[I<,filter>]

751

752

Count ITU-T H.225 messages and their reasons. In the first column you get a

753

list of H.225 messages and H.225 message reasons which occur in the current

754

capture file. The number of occurrences of each message or reason is displayed

755

in the second column.

756

757

Example: B<-z h225,counter>

758

759

This option can be used multiple times on the command line.

760

761

If the optional I<filter> is provided, the stats will only be calculated

762

on those calls that match that filter.

763

764

Example: B<-z "h225,counter,ip.addr==1.2.3.4"> will collect stats only for

765

H.225 packets exchanged by the host at IP address 1.2.3.4 .

766

767

=item B<-z> h225,srt[I<,filter>]

768

769

Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS.

770

Data collected is the number of calls of each ITU-T H.225 RAS Message Type,

771

Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet.

772

You will also get the number of Open Requests (Unresponded Requests),

773

Discarded Responses (Responses without matching request) and Duplicate Messages.

774

775

Example: B<-z h225,srt>

776

777

This option can be used multiple times on the command line.

778

779

If the optional I<filter> is provided, the stats will only be calculated

780

on those calls that match that filter.

781

782

Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will collect stats only for

783

ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .

784

785

=item B<-z> io,stat

786

787

Collect packet/bytes statistics for the capture in intervals of 1 second.

788

This option will open a window with up to 5 color-coded graphs where

789

number-of-packets-per-second or number-of-bytes-per-second statistics

790

can be calculated and displayed.

791

792

This option can be used multiple times on the command line.

793

794

This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat

795

menu item.

796

797

=item B<-z> ldap,srt[,I<filter>]

798

799

Collect call/reply SRT (Service Response Time) data for LDAP. Data collected

800

is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT.

801

802

Example: B<-z ldap,srt>

803

will calculate the Service Response Time as the time delta between the

804

Request and the Response.

805

806

The data will be presented as separate tables for all implemented LDAP commands,

807

Only those commands that are seen in the capture will have its stats

808

displayed.

809

810

This option can be used multiple times on the command line.

811

812

If the optional I<filter> is provided, the stats will only be calculated

813

on those calls that match that filter.

814

815

Example: use B<-z "ldap,srt,ip.addr==10.1.1.1"> will collect stats only for

816

LDAP packets exchanged by the host at IP address 10.1.1.1 .

817

818

The only LDAP commands that are currently implemented and for which the stats will be available are:

BIND

SEARCH

MODIFY

ADD

DELETE

MODRDN

COMPARE

EXTENDED

=item B<-z> megaco,srt[I<,filter>]

829

830

Collect request/response SRT (Service Response Time) data for MEGACO.

831

(This is similar to B<-z smb,srt>). Data collected is the number of calls

832

for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT.

833

834

Example: B<-z megaco,srt>

835

836

This option can be used multiple times on the command line.

837

838

If the optional I<filter> is provided, the stats will only be calculated

839

on those calls that match that filter.

840

841

Example: B<-z "megaco,srt,ip.addr==1.2.3.4"> will collect stats only for

842

MEGACO packets exchanged by the host at IP address 1.2.3.4 .

843

844

=item B<-z> mgcp,srt[I<,filter>]

845

846

Collect request/response SRT (Service Response Time) data for MGCP.

847

(This is similar to B<-z smb,srt>). Data collected is the number of calls

848

for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT.

849

850

Example: B<-z mgcp,srt>

851

852

This option can be used multiple times on the command line.

853

854

If the optional I<filter> is provided, the stats will only be calculated

855

on those calls that match that filter.

856

857

Example: B<-z "mgcp,srt,ip.addr==1.2.3.4"> will collect stats only for

858

MGCP packets exchanged by the host at IP address 1.2.3.4 .

859

860

=item B<-z> mtp3,msus[,<filter>]

861

862

Show MTP3 MSU statistics.

863

864

=item B<-z> multicast,stat[,<filter>]

865

866

Show UDP multicast stream statistics.

867

868

=item B<-z> rpc,programs

869

870

Collect call/reply SRT data for all known ONC-RPC programs/versions.

871

Data collected is the number of calls for each protocol/version, MinSRT,

872

MaxSRT and AvgSRT.

873

874

=item B<-z> rpc,srt,I<name-or-number>,I<version>[,<filter>]

875

876

Collect call/reply SRT (Service Response Time) data for program

877

I<name>/I<version> or I<number>/I<version>.

878

Data collected is the number of calls for each procedure, MinSRT, MaxSRT and

879

AvgSRT.

880

Program I<name> is case-insensitive.

881

882

Example: B<-z rpc,srt,100003,3> will collect data for NFS v3.

883

884

This option can be used multiple times on the command line.

885

886

If the optional I<filter> is provided, the stats will only be calculated

887

on those calls that match that filter.

888

889

Example: S<B<-z rpc,srt,nfs,3,nfs.fh.hash==0x12345678>> will collect NFS v3

890

SRT statistics for a specific file.

891

892

=item B<-z> scsi,srt,I<cmdset>[,<filter>]

893

894

Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>.

895

896

Commandsets are 0:SBC 1:SSC 5:MMC

897

898

Data collected

899

is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.

900

901

Example: B<-z scsi,srt,0> will collect data for SCSI BLOCK COMMANDS (SBC).

902

903

This option can be used multiple times on the command line.

904

905

If the optional I<filter> is provided, the stats will only be calculated

906

on those calls that match that filter.

907

908

Example: B<-z scsi,srt,0,ip.addr==1.2.3.4> will collect SCSI SBC

909

SRT statistics for a specific iscsi/ifcp/fcip host.

910

911

=item B<-z> sip,stat[I<,filter>]

912

913

This option will activate a counter for SIP messages. You will get the number

914

of occurrences of each SIP Method and of each SIP Status-Code. Additionally you

915

also get the number of resent SIP Messages (only for SIP over UDP).

916

917

Example: B<-z sip,stat>

918

919

This option can be used multiple times on the command line.

920

921

If the optional I<filter> is provided, the stats will only be calculated

922

on those calls that match that filter.

923

924

Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will collect stats only for

925

SIP packets exchanged by the host at IP address 1.2.3.4 .

926

927

=item B<-z> smb,srt[,I<filter>]

928

929

Collect call/reply SRT (Service Response Time) data for SMB. Data collected

930

is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.

931

932

Example: B<-z smb,srt>

933

934

The data will be presented as separate tables for all normal SMB commands,

935

all Transaction2 commands and all NT Transaction commands.

936

Only those commands that are seen in the capture will have their stats

937

displayed.

938

Only the first command in a xAndX command chain will be used in the

939

calculation. So for common SessionSetupAndX + TreeConnectAndX chains,

940

only the SessionSetupAndX call will be used in the statistics.

941

This is a flaw that might be fixed in the future.

942

943

This option can be used multiple times on the command line.

944

945

If the optional I<filter> is provided, the stats will only be calculated

946

on those calls that match that filter.

947

948

Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will collect stats only for

949

SMB packets exchanged by the host at IP address 1.2.3.4 .

950

951

=item B<-z> voip,calls

952

953

This option will show a window that shows VoIP calls found in the capture file.

954

This is the same window shown as when you go to the Statistics Menu and choose

955

VoIP Calls.

956

957

Example: B<-z voip,calls>

958

959

=item B<-z> wlan,stat[,<filter>]

960

961

Show IEEE 802.11 network and station statistics.

962

963

=item B<-z> wsp,stat[,<filter>]

964

965

Show WSP packet counters.

966

967

=item --disable-protocol E<lt>proto_nameE<gt>

968

969

Disable dissection of proto_name.

970

971

=item --enable-heuristic E<lt>short_nameE<gt>

972

973

Enable dissection of heuristic protocol.

974

975

=item --disable-heuristic E<lt>short_nameE<gt>

976

977

Disable dissection of heuristic protocol.

=back

=back

=head1 INTERFACE

=head2 MENU ITEMS

=over 4

=item File:Open

=item File:Open Recent

=item File:Merge

Merge another capture file to the currently loaded one. The I<File:Merge>

996

dialog box allows the merge "Prepended", "Chronologically" or "Appended",

997

relative to the already loaded one.

=item File:Close

Open or close a capture file. The I<File:Open> dialog box

1002

allows a filter to be specified; when the capture file is read, the

1003

filter is applied to all packets read from the file, and packets not

1004

matching the filter are discarded. The I<File:Open Recent> is a submenu

1005

and will show a list of previously opened files.

=item File:Save

=item File:Save As

Save the current capture, or the packets currently displayed from that

1012

capture, to a file. Check boxes let you select whether to save all

1013

packets, or just those that have passed the current display filter and/or

1014

those that are currently marked, and an option menu lets you select (from

1015

a list of file formats in which at particular capture, or the packets

1016

currently displayed from that capture, can be saved), a file format in

1017

which to save it.

1018

1019

=item File:File Set:List Files

1020

1021

Show a dialog box that lists all files of the file set matching the currently

1022

loaded file. A file set is a compound of files resulting from a capture using

1023

the "multiple files" / "ringbuffer" mode, recognizable by the filename pattern,

1024

e.g.: Filename_00001_20050604101530.pcap.

1025

1026

=item File:File Set:Next File

1027

1028

=item File:File Set:Previous File

1029

1030

If the currently loaded file is part of a file set (see above), open the

1031

next / previous file in that set.

=item File:Export

Export captured data into an external format. Note: the data cannot be

1036

imported back into Wireshark, so be sure to keep the capture file.

=item File:Print

Print packet data from the current capture. You can select the range of

1041

packets to be printed (which packets are printed), and the output format of

1042

each packet (how each packet is printed). The output format will be similar

1043

to the displayed values, so a summary line, the packet details view, and/or

1044

the hex dump of the packet can be printed.

1045

1046

Printing options can be set with the I<Edit:Preferences> menu item, or in the

1047

dialog box popped up by this menu item.

=item File:Quit

Exit the application.

1052

1053

=item Edit:Copy:Description

1054

1055

Copies the description of the selected field in the protocol tree to

1056

the clipboard.

1057

1058

=item Edit:Copy:Fieldname

1059

1060

Copies the fieldname of the selected field in the protocol tree to

1061

the clipboard.

1062

1063

=item Edit:Copy:Value

1064

1065

Copies the value of the selected field in the protocol tree to

1066

the clipboard.

1067

1068

=item Edit:Copy:As Filter

1069

1070

Create a display filter based on the data currently highlighted in the

1071

packet details and copy that filter to the clipboard.

1072

1073

If that data is a field that can be tested in a display filter

1074

expression, the display filter will test that field; otherwise, the

1075

display filter will be based on the absolute offset within the packet.

1076

Therefore it could be unreliable if the packet contains protocols with

1077

variable-length headers, such as a source-routed token-ring packet.

1078

1079

=item Edit:Find Packet

1080

1081

Search forward or backward, starting with the currently selected packet

1082

(or the most recently selected packet, if no packet is selected). Search

1083

criteria can be a display filter expression, a string of hexadecimal

1084

digits, or a text string.

1085

1086

When searching for a text string, you can search the packet data, or you

1087

can search the text in the Info column in the packet list pane or in the

1088

packet details pane.

1089

1090

Hexadecimal digits can be separated by colons, periods, or dashes.

1091

Text string searches can be ASCII or Unicode (or both), and may be

1092

case insensitive.

1093

1094

=item Edit:Find Next

1095

1096

=item Edit:Find Previous

1097

1098

Search forward / backward for a packet matching the filter from the previous

1099

search, starting with the currently selected packet (or the most recently

1100

selected packet, if no packet is selected).

1101

1102

=item Edit:Mark Packet (toggle)

1103

1104

Mark (or unmark if currently marked) the selected packet. The field

1105

"frame.marked" is set for packets that are marked, so that, for example,

1106

a display filters can be used to display only marked packets, and so that

1107

the L</"Edit:Find Packet"> dialog can be used to find the next or previous

1108

marked packet.

1109

1110

=item Edit:Find Next Mark

1111

1112

=item Edit:Find Previous Mark

1113

1114

Find next/previous marked packet.

1115

1116

=item Edit:Mark All Packets

1117

1118

=item Edit:Unmark All Packets

1119

1120

Mark / Unmark all packets that are currently displayed.

1121

1122

=item Edit:Time Reference:Set Time Reference (toggle)

1123

1124

Set (or unset if currently set) the selected packet as a Time Reference packet.

1125

When a packet is set as a Time Reference packet, the timestamps in the packet

1126

list pane will be replaced with the string "*REF*".

1127

The relative time timestamp in later packets will then be calculated relative

1128

to the timestamp of this Time Reference packet and not the first packet in

1129

the capture.

1130

1131

Packets that have been selected as Time Reference packets will always be

1132

displayed in the packet list pane. Display filters will not affect or

1133

hide these packets.

1134

1135

If there is a column displayed for "Cumulative Bytes" this counter will

1136

be reset at every Time Reference packet.

1137

1138

=item Edit:Time Reference:Find Next

1139

1140

=item Edit:Time Reference:Find Previous

1141

1142

Search forward / backward for a time referenced packet.

1143

1144

=item Edit:Configuration Profiles

1145

1146

Manage configuration profiles to be able to use more than one set of

1147

preferences and configurations.

1148

1149

=item Edit:Preferences

1150

1151

Set the GUI, capture, printing and protocol options

1152

(see L</Preferences> dialog below).

1153

1154

=item View:Main Toolbar

1155

1156

=item View:Filter Toolbar

1157

1158

=item View:Statusbar

1159

1160

Show or hide the main window controls.

1161

1162

=item View:Packet List

1163

1164

=item View:Packet Details

1165

1166

=item View:Packet Bytes

1167

1168

Show or hide the main window panes.

1169

1170

=item View:Time Display Format

1171

1172

Set the format of the packet timestamp displayed in the packet list window.

1173

1174

=item View:Name Resolution:Resolve Name

1175

1176

Try to resolve a name for the currently selected item.

1177

1178

=item View:Name Resolution:Enable for ... Layer

1179

1180

Enable or disable translation of addresses to names in the display.

1181

1182

=item View:Colorize Packet List

1183

1184

Enable or disable the coloring rules. Disabling will improve performance.

1185

1186

=item View:Auto Scroll in Live Capture

1187

1188

Enable or disable the automatic scrolling of the

1189

packet list while a live capture is in progress.

=item View:Zoom In

=item View:Zoom Out

1194

1195

Zoom into / out of the main window data (by changing the font size).

1196

1197

=item View:Normal Size

1198

1199

Reset the zoom factor of zoom in / zoom out back to normal font size.

1200

1201

=item View:Resize All Columns

1202

1203

Resize all columns to best fit the current packet display.

1204

1205

=item View:Expand / Collapse Subtrees

1206

1207

Expands / Collapses the currently selected item and it's subtrees in the packet details.

1208

1209

=item View:Expand All

1210

1211

=item View:Collapse All

1212

1213

Expand / Collapse all branches of the packet details.

1214

1215

=item View:Colorize Conversation

1216

1217

Select color for a conversation.

1218

1219

=item View:Reset Coloring 1-10

1220

1221

Reset Color for a conversation.

1222

1223

=item View:Coloring Rules

1224

1225

Change the foreground and background colors of the packet information in

1226

the list of packets, based upon display filters. The list of display

1227

filters is applied to each packet sequentially. After the first display

1228

filter matches a packet, any additional display filters in the list are

1229

ignored. Therefore, if you are filtering on the existence of protocols,

1230

you should list the higher-level protocols first, and the lower-level

protocols last.

=over

=item How Colorization Works

1236

1237

Packets are colored according to a list of color filters. Each filter

1238

consists of a name, a filter expression and a coloration. A packet is

1239

colored according to the first filter that it matches. Color filter

1240

expressions use exactly the same syntax as display filter expressions.

1241

1242

When Wireshark starts, the color filters are loaded from:

=over

=item 1.

The user's personal color filters file or, if that does not exist,

=item 2.

The global color filters file.

=back

If neither of these exist then the packets will not be colored.

=back

=item View:Show Packet In New Window

1261

1262

Create a new window containing a packet details view and a hex dump

1263

window of the currently selected packet; this window will continue to

1264

display that packet's details and data even if another packet is

selected.

=item View:Reload

Reload a capture file. Same as I<File:Close> and I<File:Open> the same

file again.

=item Go:Back

Go back in previously visited packets history.

=item Go:Forward

Go forward in previously visited packets history.

1279

1280

=item Go:Go To Packet

1281

1282

Go to a particular numbered packet.

1283

1284

=item Go:Go To Corresponding Packet

1285

1286

If a field in the packet details pane containing a packet number is

1287

selected, go to the packet number specified by that field. (This works

1288

only if the dissector that put that entry into the packet details put it

1289

into the details as a filterable field rather than just as text.) This

1290

can be used, for example, to go to the packet for the request

1291

corresponding to a reply, or the reply corresponding to a request, if

1292

that packet number has been put into the packet details.

1293

1294

=item Go:Previous Packet

1295

1296

=item Go:Next Packet

1297

1298

=item Go:First Packet

1299

1300

=item Go:Last Packet

1301

1302

Go to the previous / next / first / last packet in the capture.

1303

1304

=item Go:Previous Packet In Conversation

1305

1306

=item Go:Next Packet In Conversation

1307

1308

Go to the previous / next packet of the conversation (TCP, UDP or IP)

1309

1310

=item Capture:Interfaces

1311

1312

Shows a dialog box with all currently known interfaces and displaying the

1313

current network traffic amount. Capture sessions can be started from here.

1314

Beware: keeping this box open results in high system load!

1315

1316

=item Capture:Options

1317

1318

Initiate a live packet capture (see L</"Capture Options Dialog">

1319

below). If no filename is specified, a temporary file will be created

1320

to hold the capture. The location of the file can be chosen by setting your

1321

TMPDIR environment variable before starting B<Wireshark>. Otherwise, the

1322

default TMPDIR location is system-dependent, but is likely either F</var/tmp>

1323

or F</tmp>.

1324

1325

=item Capture:Start

1326

1327

Start a live packet capture with the previously selected options. This won't

1328

open the options dialog box, and can be convenient for repeatedly capturing

1329

with the same options.

=item Capture:Stop

Stop a running live capture.

1334

1335

=item Capture:Restart

1336

1337

While a live capture is running, stop it and restart with the same options

1338

again. This can be convenient to remove irrelevant packets, if no valuable

1339

packets were captured so far.

1340

1341

=item Capture:Capture Filters

1342

1343

Edit the saved list of capture filters, allowing filters to be added,

1344

changed, or deleted.

1345

1346

=item Analyze:Display Filters

1347

1348

Edit the saved list of display filters, allowing filters to be added,

1349

changed, or deleted.

1350

1351

=item Analyze:Display Filter Macros

1352

1353

Create shortcuts for complex macros

1354

1355

=item Analyze:Apply as Filter

1356

1357

Create a display filter based on the data currently highlighted in the

1358

packet details and apply the filter.

1359

1360

If that data is a field that can be tested in a display filter

1361

expression, the display filter will test that field; otherwise, the

1362

display filter will be based on the absolute offset within the packet.

1363

Therefore it could be unreliable if the packet contains protocols with

1364

variable-length headers, such as a source-routed token-ring packet.

1365

1366

The B<Selected> option creates a display filter that tests for a match

1367

of the data; the B<Not Selected> option creates a display filter that

1368

tests for a non-match of the data. The B<And Selected>, B<Or Selected>,

1369

B<And Not Selected>, and B<Or Not Selected> options add to the end of

1370

the display filter in the strip at the top (or bottom) an AND or OR

1371

operator followed by the new display filter expression.

1372

1373

=item Analyze:Prepare a Filter

1374

1375

Create a display filter based on the data currently highlighted in the

1376

packet details. The filter strip at the top (or bottom) is updated but

1377

it is not yet applied.

1378

1379

=item Analyze:Enabled Protocols

1380

1381

Allow protocol dissection to be enabled or disabled for a specific

1382

protocol. Individual protocols can be enabled or disabled by clicking

1383

on them in the list or by highlighting them and pressing the space bar.

1384

The entire list can be enabled, disabled, or inverted using the buttons

1385

below the list.

1386

1387

When a protocol is disabled, dissection in a particular packet stops

1388

when that protocol is reached, and Wireshark moves on to the next packet.

1389

Any higher-layer protocols that would otherwise have been processed will

1390

not be displayed. For example, disabling TCP will prevent the dissection

1391

and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively

1392

dependent on TCP.

1393

1394

The list of protocols can be saved, so that Wireshark will start up with

1395

the protocols in that list disabled.

1396

1397

=item Analyze:Decode As

1398

1399

If you have a packet selected, present a dialog allowing you to change

1400

which dissectors are used to decode this packet. The dialog has one

1401

panel each for the link layer, network layer and transport layer

1402

protocol/port numbers, and will allow each of these to be changed

1403

independently. For example, if the selected packet is a TCP packet to

1404

port 12345, using this dialog you can instruct Wireshark to decode all

1405

packets to or from that TCP port as HTTP packets.

1406

1407

=item Analyze:User Specified Decodes

1408

1409

Create a new window showing whether any protocol ID to dissector

1410

mappings have been changed by the user. This window also allows the

1411

user to reset all decodes to their default values.

1412

1413

=item Analyze:Follow TCP Stream

1414

1415

If you have a TCP packet selected, display the contents of the data

1416

stream for the TCP connection to which that packet belongs, as text, in

1417

a separate window, and leave the list of packets in a filtered state,

1418

with only those packets that are part of that TCP connection being

1419

displayed. You can revert to your old view by pressing ENTER in the

1420

display filter text box, thereby invoking your old display filter (or

1421

resetting it back to no display filter).

1422

1423

The window in which the data stream is displayed lets you select:

=over 8

=item *

whether to display the entire conversation, or one or the other side of

it;

=item *

whether the data being displayed is to be treated as ASCII or EBCDIC

1435

text or as raw hex data;

=back

and lets you print what's currently being displayed, using the same

1440

print options that are used for the I<File:Print Packet> menu item, or

1441

save it as text to a file.

1442

1443

=item Analyze:Follow UDP Stream

1444

1445

=item Analyze:Follow SSL Stream

1446

1447

(Similar to Analyze:Follow TCP Stream)

1448

1449

=item Analyze:Expert Info

1450

1451

=item Analyze:Expert Info Composite

1452

1453

(Kind of) a log of anomalies found by Wireshark in a capture file.

1454

1455

=item Analyze:Conversation Filter

1456

1457

=item Statistics:Summary

1458

1459

Show summary information about the capture, including elapsed time,

1460

packet counts, byte counts, and the like. If a display filter is in

1461

effect, summary information will be shown about the capture and about

1462

the packets currently being displayed.

1463

1464

=item Statistics:Protocol Hierarchy

1465

1466

Show the number of packets, and the number of bytes in those packets,

1467

for each protocol in the trace. It organizes the protocols in the same

1468

hierarchy in which they were found in the trace. Besides counting the

1469

packets in which the protocol exists, a count is also made for packets

1470

in which the protocol is the last protocol in the stack. These

1471

last-protocol counts show you how many packets (and the byte count

1472

associated with those packets) B<ended> in a particular protocol. In

1473

the table, they are listed under "End Packets" and "End Bytes".

1474

1475

=item Statistics:Conversations

1476

1477

Lists of conversations; selectable by protocol. See Statistics:Conversation List below.

1478

1479

=item Statistics:End Points

1480

1481

List of End Point Addresses by protocol with packets/bytes/.... counts.

1482

1483

=item Statistics:Packet Lengths

1484

1485

Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)

1486

1487

=item Statistics:IO Graphs

1488

1489

Open a window where up to 5 graphs in different colors can be displayed

1490

to indicate number of packets or number of bytes per second for all packets

1491

matching the specified filter.

1492

By default only one graph will be displayed showing number of packets per second.

1493

1494

The top part of the window contains the graphs and scales for the X and

1495

Y axis. If the graph is too long to fit inside the window there is a

1496

horizontal scrollbar below the drawing area that can scroll the graphs

1497

to the left or the right. The horizontal axis displays the time into

1498

the capture and the vertical axis will display the measured quantity at

1499

that time.

1500

1501

Below the drawing area and the scrollbar are the controls. On the

1502

bottom left there will be five similar sets of controls to control each

1503

individual graph such as "Display:<button>" which button will toggle

1504

that individual graph on/off. If <button> is ticked, the graph will be

1505

displayed. "Color:<color>" which is just a button to show which color

1506

will be used to draw that graph (color is only available in Gtk2

1507

version) and finally "Filter:<filter-text>" which can be used to specify

1508

a display filter for that particular graph.

1509

1510

If filter-text is empty then all packets will be used to calculate the

1511

quantity for that graph. If filter-text is specified only those packets

1512

that match that display filter will be considered in the calculation of

1513

quantity.

1514

1515

To the right of the 5 graph controls there are four menus to control

1516

global aspects of the draw area and graphs. The "Unit:" menu is used to

1517

control what to measure; "packets/tick", "bytes/tick" or "advanced..."

1518

1519

packets/tick will measure the number of packets matching the (if

1520

specified) display filter for the graph in each measurement interval.

1521

1522

bytes/tick will measure the total number of bytes in all packets matching

1523

the (if specified) display filter for the graph in each measurement

1524

interval.

1525

1526

advanced... see below

1527

1528

"Tick interval:" specifies what measurement intervals to use. The

1529

default is 1 second and means that the data will be counted over 1

1530

second intervals.

1531

1532

"Pixels per tick:" specifies how many pixels wide each measurement

1533

interval will be in the drawing area. The default is 5 pixels per tick.

1534

1535

"Y-scale:" controls the max value for the y-axis. Default value is

1536

"auto" which means that B<Wireshark> will try to adjust the maxvalue

1537

automatically.

1538

1539

"advanced..." If Unit:advanced... is selected the window will display

1540

two more controls for each of the five graphs. One control will be a

1541

menu where the type of calculation can be selected from

1542

SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a

1543

single display filter field can be specified.

1544

1545

The following restrictions apply to type and field combinations:

1546

1547

SUM: available for all types of integers and will calculate the SUM of

1548

all occurrences of this field in the measurement interval. Note that

1549

some field can occur multiple times in the same packet and then all

1550

instances will be summed up. Example: 'tcp.len' which will count the

1551

amount of payload data transferred across TCP in each interval.

1552

1553

COUNT: available for all field types. This will COUNT the number of times

1554

certain field occurs in each interval. Note that some fields

1555

may occur multiple times in each packet and if that is the case

1556

then each instance will be counted independently and COUNT

1557

will be greater than the number of packets.

1558

1559

MAX: available for all integer and relative time fields. This will calculate

1560

the max seen integer/time value seen for the field during the interval.

1561

Example: 'smb.time' which will plot the maximum SMB response time.

1562

1563

MIN: available for all integer and relative time fields. This will calculate

1564

the min seen integer/time value seen for the field during the interval.

1565

Example: 'smb.time' which will plot the minimum SMB response time.

1566

1567

AVG: available for all integer and relative time fields.This will

1568

calculate the average seen integer/time value seen for the field during

1569

the interval. Example: 'smb.time' which will plot the average SMB

1570

response time.

1571

1572

LOAD: available only for relative time fields (response times).

1573

1574

Example of advanced:

1575

Display how NFS response time MAX/MIN/AVG changes over time:

1576

1577

Set first graph to:

1578

1579

filter:nfs&&rpc.time

1580

Calc:MAX rpc.time

1581

1582

Set second graph to

1583

1584

filter:nfs&&rpc.time

Calc:AVG rpc.time

Set third graph to

filter:nfs&&rpc.time

1590

Calc:MIN rpc.time

1591

1592

Example of advanced:

1593

Display how the average packet size from host a.b.c.d changes over time.

Set first graph to

filter:ip.addr==a.b.c.d&&frame.pkt_len

1598

Calc:AVG frame.pkt_len

1599

1600

LOAD:

1601

The LOAD io-stat type is very different from anything you have ever seen

1602

before! While the response times themselves as plotted by MIN,MAX,AVG are

1603

indications on the Server load (which affects the Server response time),

1604

the LOAD measurement measures the Client LOAD.

1605

What this measures is how much workload the client generates,

1606

i.e. how fast will the client issue new commands when the previous ones

1607

completed.

1608

i.e. the level of concurrency the client can maintain.

1609

The higher the number, the more and faster is the client issuing new

1610

commands. When the LOAD goes down, it may be due to client load making

1611

the client slower in issuing new commands (there may be other reasons as

1612

well, maybe the client just doesn't have any commands it wants to issue

1613

right then).

1614

1615

Load is measured in concurrency/number of overlapping i/o and the value

1616

1000 means there is a constant load of one i/o.

1617

1618

In each tick interval the amount of overlap is measured.

1619

See the graph below containing three commands:

1620

Below the graph are the LOAD values for each interval that would be calculated.

| | | | | | | | |

| | | | | | | | |

| | o=====* | | | | | |

1625

| | | | | | | | |

1626

| o========* | o============* | | |

1627

| | | | | | | | |

1628

--------------------------------------------------> Time

1629

500 1500 500 750 1000 500 0 0

1630

1631

=item Statistics:Conversation List

1632

1633

This option will open a new window that displays a list of all

1634

conversations between two endpoints. The list has one row for each

1635

unique conversation and displays total number of packets/bytes seen as

1636

well as number of packets/bytes in each direction.

1637

1638

By default the list is sorted according to the number of packets but by

1639

clicking on the column header; it is possible to re-sort the list in

1640

ascending or descending order by any column.

1641

1642

By first selecting a conversation by clicking on it and then using the

1643

right mouse button (on those platforms that have a right

1644

mouse button) wireshark will display a popup menu offering several different

1645

filter operations to apply to the capture.

1646

1647

These statistics windows can also be invoked from the Wireshark command

1648

line using the B<-z conv> argument.

1649

1650

=item Statistics:Service Response Time

=over 4

=item *

AFP

=item *

CAMEL

=item *

DCE-RPC

Open a window to display Service Response Time statistics for an

1667

arbitrary DCE-RPC program

1668

interface and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>,

1669

B<Maximum SRT> and B<Average SRT> for all procedures for that

1670

program/version. These windows opened will update in semi-real time to

1671

reflect changes when doing live captures or when reading new capture

1672

files into B<Wireshark>.

1673

1674

This dialog will also allow an optional filter string to be used.

1675

If an optional filter string is used only such DCE-RPC request/response pairs

1676

that match that filter will be used to calculate the statistics. If no filter

1677

string is specified all request/response pairs will be used.

=item *

Diameter

=item *

Fibre Channel

Open a window to display Service Response Time statistics for Fibre Channel

1688

and display B<FC Type>, B<Number of Calls>, B<Minimum SRT>,

1689

B<Maximum SRT> and B<Average SRT> for all FC types.

1690

These windows opened will update in semi-real time to

1691

reflect changes when doing live captures or when reading new capture

1692

files into B<Wireshark>.

1693

The Service Response Time is calculated as the time delta between the

1694

First packet of the exchange and the Last packet of the exchange.

1695

1696

This dialog will also allow an optional filter string to be used.

1697

If an optional filter string is used only such FC first/last exchange pairs

1698

that match that filter will be used to calculate the statistics. If no filter

1699

string is specified all request/response pairs will be used.

=item *

GTP

=item *

H.225 RAS

Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.

1710

Data collected is B<number of calls> for each known ITU-T H.225 RAS Message Type,

1711

B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.

1712

You will also get the number of B<Open Requests> (Unresponded Requests),

1713

B<Discarded Responses> (Responses without matching request) and Duplicate Messages.

1714

These windows opened will update in semi-real time to reflect changes when

1715

doing live captures or when reading new capture files into B<Wireshark>.

1716

1717

You can apply an optional filter string in a dialog box, before starting

1718

the calculation. The statistics will only be calculated

1719

on those calls matching that filter.

=item *

LDAP

=item *

MEGACO

=item *

MGCP

Collect requests/response SRT (Service Response Time) data for MGCP.

1734

Data collected is B<number of calls> for each known MGCP Type,

1735

B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.

1736

These windows opened will update in semi-real time to reflect changes when

1737

doing live captures or when reading new capture files into B<Wireshark>.

1738

1739

You can apply an optional filter string in a dialog box, before starting

1740

the calculation. The statistics will only be calculated

1741

on those calls matching that filter.

=item *

NCP

=item *

ONC-RPC

Open a window to display statistics for an arbitrary ONC-RPC program interface

1752

and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT> for all procedures for that program/version.

1753

These windows opened will update in semi-real time to reflect changes when

1754

doing live captures or when reading new capture files into B<Wireshark>.

1755

1756

This dialog will also allow an optional filter string to be used.

1757

If an optional filter string is used only such ONC-RPC request/response pairs

1758

that match that filter will be used to calculate the statistics. If no filter

1759

string is specified all request/response pairs will be used.

1760

1761

By first selecting a conversation by clicking on it and then using the

1762

right mouse button (on those platforms that have a right

1763

mouse button) wireshark will display a popup menu offering several different

1764

filter operations to apply to the capture.

=item *

RADIUS

=item *

SCSI

=item *

SMB

Collect call/reply SRT (Service Response Time) data for SMB. Data collected

1779

is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.

1780

1781

The data will be presented as separate tables for all normal SMB commands,

1782

all Transaction2 commands and all NT Transaction commands.

1783

Only those commands that are seen in the capture will have its stats

1784

displayed.

1785

Only the first command in a xAndX command chain will be used in the

1786

calculation. So for common SessionSetupAndX + TreeConnectAndX chains,

1787

only the SessionSetupAndX call will be used in the statistics.

1788

This is a flaw that might be fixed in the future.

1789

1790

You can apply an optional filter string in a dialog box, before starting

1791

the calculation. The stats will only be calculated

1792

on those calls matching that filter.

1793

1794

By first selecting a conversation by clicking on it and then using the

1795

right mouse button (on those platforms that have a right

1796

mouse button) wireshark will display a popup menu offering several different

1797

filter operations to apply to the capture.

=item *

SMB2

=back

=item Statistics:BOOTP-DHCP

=item Statistics:Compare

1810

1811

Compare two Capture Files

1812

1813

=item Statistics:Flow Graph

1814

1815

Flow Graph: General/TCP

1816

1817

=item Statistics:HTTP

1818

1819

HTTP Load Distribution, Packet Counter & Requests

1820

1821

=item Statistics:IP Addresses

1822

1823

Count/Rate/Percent by IP Address

1824

1825

=item Statistics:IP Destinations

1826

1827

Count/Rate/Percent by IP Address/protocol/port

1828

1829

=item Statistics:IP Protocol Types

1830

1831

Count/Rate/Percent by IP Protocol Types

1832

1833

=item Statistics:ONC-RPC Programs

1834

1835

This dialog will open a window showing aggregated SRT statistics for all

1836

ONC-RPC Programs/versions that exist in the capture file.

1837

1838

=item Statistics:TCP Stream Graph

1839

1840

Graphs: Round Trip; Throughput; Time-Sequence (Stevens); Time-Sequence (tcptrace)

1841

1842

=item Statistics:UDP Multicast streams

1843

1844

Multicast Streams Counts/Rates/... by Source/Destination Address/Port pairs

1845

1846

=item Statistics:WLAN Traffic

1847

1848

WLAN Traffic Statistics

1849

1850

=item Telephony:ITU-T H.225

1851

1852

Count ITU-T H.225 messages and their reasons. In the first column you get a

1853

list of H.225 messages and H.225 message reasons, which occur in the current

1854

capture file. The number of occurrences of each message or reason will be displayed

1855

in the second column.

1856

This window opened will update in semi-real time to reflect changes when

1857

doing live captures or when reading new capture files into B<Wireshark>.

1858

1859

You can apply an optional filter string in a dialog box, before starting

1860

the counter. The statistics will only be calculated

1861

on those calls matching that filter.

1862

1863

=item Telephony:SIP

1864

1865

Activate a counter for SIP messages. You will get the number of occurrences of each

1866

SIP Method and of each SIP Status-Code. Additionally you also get the number of

1867

resent SIP Messages (only for SIP over UDP).

1868

1869

This window opened will update in semi-real time to reflect changes when

1870

doing live captures or when reading new capture files into B<Wireshark>.

1871

1872

You can apply an optional filter string in a dialog box, before starting

1873

the counter. The statistics will only be calculated

1874

on those calls matching that filter.

1875

1876

=item Tools:Firewall ACL Rules

=item Help:Contents

Some help texts.

=item Help:Supported Protocols

1885

1886

List of supported protocols and display filter protocol fields.

1887

1888

=item Help:Manual Pages

1889

1890

Display locally installed HTML versions of these manual pages in a web browser.

1891

1892

=item Help:Wireshark Online

1893

1894

Various links to online resources to be open in a web browser, like

1895

L<https://www.wireshark.org>.

1896

1897

=item Help:About Wireshark

1898

1899

See various information about Wireshark (see L</About> dialog below), like the

1900

version, the folders used, the available plugins, ...

=back

=head2 WINDOWS

=over 4

=item Main Window

The main window contains the usual things like the menu, some toolbars, the

1911

main area and a statusbar. The main area is split into three panes, you can

1912

resize each pane using a "thumb" at the right end of each divider line.

1913

1914

The main window is much more flexible than before. The layout of the main

1915

window can be customized by the I<Layout> page in the dialog box popped

1916

up by I<Edit:Preferences>, the following will describe the layout with the

default settings.

=over 6

=item Main Toolbar

Some menu items are available for quick access here. There is no way to

1924

customize the items in the toolbar, however the toolbar can be hidden by

1925

I<View:Main Toolbar>.

1926

1927

=item Filter Toolbar

1928

1929

A display filter can be entered into the filter toolbar.

1930

A filter for HTTP, HTTPS, and DNS traffic might look like this:

1931

1932

tcp.port in {80 443 53}

1933

1934

Selecting the I<Filter:> button lets you choose from a list of named

1935

filters that you can optionally save. Pressing the Return or Enter

1936

keys, or selecting the I<Apply> button, will cause the filter to be

1937

applied to the current list of packets. Selecting the I<Reset> button

1938

clears the display filter so that all packets are displayed (again).

1939

1940

There is no way to customize the items in the toolbar, however the toolbar

1941

can be hidden by I<View:Filter Toolbar>.

1942

1943

=item Packet List Pane

1944

1945

The top pane contains the list of network packets that you can scroll

1946

through and select. By default, the packet number, packet timestamp,

1947

source and destination addresses, protocol, and description are

1948

displayed for each packet; the I<Columns> page in the dialog box popped

1949

up by I<Edit:Preferences> lets you change this (although, unfortunately,

1950

you currently have to save the preferences, and exit and restart

1951

Wireshark, for those changes to take effect).

1952

1953

If you click on the heading for a column, the display will be sorted by

1954

that column; clicking on the heading again will reverse the sort order

1955

for that column.

1956

1957

An effort is made to display information as high up the protocol stack

1958

as possible, e.g. IP addresses are displayed for IP packets, but the

1959

MAC layer address is displayed for unknown packet types.

1960

1961

The right mouse button can be used to pop up a menu of operations.

1962

1963

The middle mouse button can be used to mark a packet.

1964

1965

=item Packet Details Pane

1966

1967

The middle pane contains a display of the details of the

1968

currently-selected packet. The display shows each field and its value

1969

in each protocol header in the stack. The right mouse button can be

1970

used to pop up a menu of operations.

1971

1972

=item Packet Bytes Pane

1973

1974

The lowest pane contains a hex and ASCII dump of the actual packet data.

1975

Selecting a field in the packet details highlights the corresponding

1976

bytes in this section.

1977

1978

The right mouse button can be used to pop up a menu of operations.

=item Statusbar

The statusbar is divided into three parts, on the left some context dependent

1983

things are shown, like information about the loaded file, in the center the

1984

number of packets are displayed, and on the right the current configuration

1985

profile.

1986

1987

The statusbar can be hidden by I<View:Statusbar>.

=back

=item Preferences

The I<Preferences> dialog lets you control various personal preferences

1994

for the behavior of B<Wireshark>.

=over 6

=item User Interface Preferences

1999

2000

The I<User Interface> page is used to modify small aspects of the GUI to

2001

your own personal taste:

=over 6

=item Selection Bars

2006

2007

The selection bar in the packet list and packet details can have either

2008

a "browse" or "select" behavior. If the selection bar has a "browse"

2009

behavior, the arrow keys will move an outline of the selection bar,

2010

allowing you to browse the rest of the list or details without changing

2011

the selection until you press the space bar. If the selection bar has a

2012

"select" behavior, the arrow keys will move the selection bar and change

2013

the selection to the new item in the packet list or packet details.

2014

2015

=item Save Window Position

2016

2017

If this item is selected, the position of the main Wireshark window will

2018

be saved when Wireshark exits, and used when Wireshark is started again.

2019

2020

=item Save Window Size

2021

2022

If this item is selected, the size of the main Wireshark window will

2023

be saved when Wireshark exits, and used when Wireshark is started again.

2024

2025

=item Save Window Maximized state

2026

2027

If this item is selected the maximize state of the main Wireshark window

2028

will be saved when Wireshark exists, and used when Wireshark is started again.

2029

2030

=item File Open Dialog Behavior

2031

2032

This item allows the user to select how Wireshark handles the listing

2033

of the "File Open" Dialog when opening trace files. "Remember Last

2034

Directory" causes Wireshark to automatically position the dialog in the

2035

directory of the most recently opened file, even between launches of Wireshark.

2036

"Always Open in Directory" allows the user to define a persistent directory

2037

that the dialog will always default to.

=item Directory

Allows the user to specify a persistent File Open directory. Trailing

2042

slashes or backslashes will automatically be added.

2043

2044

=item File Open Preview timeout

2045

2046

This items allows the user to define how much time is spend reading the

2047

capture file to present preview data in the File Open dialog.

2048

2049

=item Open Recent maximum list entries

2050

2051

The File menu supports a recent file list. This items allows the user to

2052

specify how many files are kept track of in this list.

2053

2054

=item Ask for unsaved capture files

2055

2056

When closing a capture file or Wireshark itself if the file isn't saved yet

2057

the user is presented the option to save the file when this item is set.

2058

2059

=item Wrap during find

2060

2061

This items determines the behavior when reaching the beginning or the end

2062

of a capture file. When set the search wraps around and continues, otherwise

2063

it stops.

2064

2065

=item Settings dialogs show a save button

2066

2067

This item determines if the various dialogs sport an explicit Save button

2068

or that save is implicit in OK / Apply.

2069

2070

=item Web browser command

2071

2072

This entry specifies the command line to launch a web browser. It is used

2073

to access online content, like the Wiki and user guide. Use '%s' to place

2074

the request URL in the command line.

2075

2076

=item Display LEDs in the Expert Infos dialog tab labels

2077

2078

This item determines if LED-like colored images are displayed in the

2079

Expert Infos dialog tab labels.

=back

=item Layout Preferences

2084

2085

The I<Layout> page lets you specify the general layout of the main window.

2086

You can choose from six different layouts and fill the three panes with the

contents you like.

=over 6

=item Scrollbars

The vertical scrollbars in the three panes can be set to be either on

2094

the left or the right.

2095

2096

=item Alternating row colors

=item Hex Display

The highlight method in the hex dump display for the selected protocol

2101

item can be set to use either inverse video, or bold characters.

2102

2103

=item Toolbar style

2104

2105

=item Filter toolbar placement

2106

2107

=item Custom window title

=back

=item Column Preferences

2112

2113

The I<Columns> page lets you specify the number, title, and format

2114

of each column in the packet list.

2115

2116

The I<Column title> entry is used to specify the title of the column

2117

displayed at the top of the packet list. The type of data that the column

2118

displays can be specified using the I<Column format> option menu.

2119

The row of buttons on the left perform the following actions:

=over 6

=item New

Adds a new column to the list.

=item Delete

Deletes the currently selected list item.

=item Up / Down

Moves the selected list item up or down one position.

=back

=item Font Preferences

2138

2139

The I<Font> page lets you select the font to be used for most text.

2140

2141

=item Color Preferences

2142

2143

The I<Colors> page can be used to change the color of the text

2144

displayed in the TCP stream window and for marked packets. To change a color,

2145

simply select an attribute from the "Set:" menu and use the color selector to

2146

get the desired color. The new text colors are displayed as a sample text.

2147

2148

=item Capture Preferences

2149

2150

The I<Capture> page lets you specify various parameters for capturing

2151

live packet data; these are used the first time a capture is started.

2152

2153

The I<Interface:> combo box lets you specify the interface from which to

2154

capture packet data, or the name of a FIFO from which to get the packet

2155

data.

2156

2157

The I<Data link type:> option menu lets you, for some interfaces, select

2158

the data link header you want to see on the packets you capture. For

2159

example, in some OSes and with some versions of libpcap, you can choose,

2160

on an 802.11 interface, whether the packets should appear as Ethernet

2161

packets (with a fake Ethernet header) or as 802.11 packets.

2162

2163

The I<Limit each packet to ... bytes> check box lets you set the

2164

snapshot length to use when capturing live data; turn on the check box,

2165

and then set the number of bytes to use as the snapshot length.

2166

2167

The I<Filter:> text entry lets you set a capture filter expression to be

2168

used when capturing.

2169

2170

If any of the environment variables SSH_CONNECTION, SSH_CLIENT,

2171

REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create a

2172

default capture filter that excludes traffic from the hosts and ports

2173

defined in those variables.

2174

2175

The I<Capture packets in promiscuous mode> check box lets you specify

2176

whether to put the interface in promiscuous mode when capturing.

2177

2178

The I<Update list of packets in real time> check box lets you specify

2179

that the display should be updated as packets are seen.

2180

2181

The I<Automatic scrolling in live capture> check box lets you specify

2182

whether, in an "Update list of packets in real time" capture, the packet

2183

list pane should automatically scroll to show the most recently captured

2184

packets.

2185

2186

=item Printing Preferences

2187

2188

The radio buttons at the top of the I<Printing> page allow you choose

2189

between printing packets with the I<File:Print Packet> menu item as text

2190

or PostScript, and sending the output directly to a command or saving it

2191

to a file. The I<Command:> text entry box, on UNIX-compatible systems,

2192

is the command to send files to (usually B<lpr>), and the I<File:> entry

2193

box lets you enter the name of the file you wish to save to.

2194

Additionally, you can select the I<File:> button to browse the file

2195

system for a particular save file.

2196

2197

=item Name Resolution Preferences

2198

2199

The I<Enable MAC name resolution>, I<Enable network name resolution> and

2200

I<Enable transport name resolution> check boxes let you specify whether

2201

MAC addresses, network addresses, and transport-layer port numbers

2202

should be translated to names.

2203

2204

The I<Enable concurrent DNS name resolution> allows Wireshark to send out

2205

multiple name resolution requests and not wait for the result before

2206

continuing dissection. This speeds up dissection with network name

2207

resolution but initially may miss resolutions. The number of concurrent

2208

requests can be set here as well.

I<SMI paths>

I<SMI modules>

=item RTP Player Preferences

2215

2216

This page allows you to select the number of channels visible in the

2217

RTP player window. It determines the height of the window, more channels

2218

are possible and visible by means of a scroll bar.

2219

2220

=item Protocol Preferences

2221

2222

There are also pages for various protocols that Wireshark dissects,

2223

controlling the way Wireshark handles those protocols.

=back

=item Edit Capture Filter List

2228

2229

=item Edit Display Filter List

2230

2231

=item Capture Filter

2232

2233

=item Display Filter

=item Read Filter

=item Search Filter

2238

2239

The I<Edit Capture Filter List> dialog lets you create, modify, and

2240

delete capture filters, and the I<Edit Display Filter List> dialog lets

2241

you create, modify, and delete display filters.

2242

2243

The I<Capture Filter> dialog lets you do all of the editing operations

2244

listed, and also lets you choose or construct a filter to be used when

2245

capturing packets.

2246

2247

The I<Display Filter> dialog lets you do all of the editing operations

2248

listed, and also lets you choose or construct a filter to be used to

2249

filter the current capture being viewed.

2250

2251

The I<Read Filter> dialog lets you do all of the editing operations

2252

listed, and also lets you choose or construct a filter to be used to

2253

as a read filter for a capture file you open.

2254

2255

The I<Search Filter> dialog lets you do all of the editing operations

2256

listed, and also lets you choose or construct a filter expression to be

2257

used in a find operation.

2258

2259

In all of those dialogs, the I<Filter name> entry specifies a

2260

descriptive name for a filter, e.g. B<Web and DNS traffic>. The

2261

I<Filter string> entry is the text that actually describes the filtering

2262

action to take, as described above.The dialog buttons perform the

following actions:

=over 6

=item New

If there is text in the two entry boxes, creates a new associated list

item.

=item Edit

Modifies the currently selected list item to match what's in the entry

boxes.

=item Delete

Deletes the currently selected list item.

2280

2281

=item Add Expression...

2282

2283

For display filter expressions, pops up a dialog box to allow you to

2284

construct a filter expression to test a particular field; it offers

2285

lists of field names, and, when appropriate, lists from which to select

2286

tests to perform on the field and values with which to compare it. In

2287

that dialog box, the OK button will cause the filter expression you

2288

constructed to be entered into the I<Filter string> entry at the current

cursor position.

=item OK

In the I<Capture Filter> dialog, closes the dialog box and makes the

2294

filter in the I<Filter string> entry the filter in the I<Capture

2295

Preferences> dialog. In the I<Display Filter> dialog, closes the dialog

2296

box and makes the filter in the I<Filter string> entry the current

2297

display filter, and applies it to the current capture. In the I<Read

2298

Filter> dialog, closes the dialog box and makes the filter in the

2299

I<Filter string> entry the filter in the I<Open Capture File> dialog.

2300

In the I<Search Filter> dialog, closes the dialog box and makes the

2301

filter in the I<Filter string> entry the filter in the I<Find Packet>

dialog.

=item Apply

Makes the filter in the I<Filter string> entry the current display

2307

filter, and applies it to the current capture.

=item Save

If the list of filters being edited is the list of

2312

capture filters, saves the current filter list to the personal capture

2313

filters file, and if the list of filters being edited is the list of

2314

display filters, saves the current filter list to the personal display

filters file.

=item Close

Closes the dialog without doing anything with the filter in the I<Filter

string> entry.

=back

=item The Color Filters Dialog

2325

2326

This dialog displays a list of color filters and allows it to be

modified.

=over

=item THE FILTER LIST

2332

2333

Single rows may be selected by clicking. Multiple rows may be selected

2334

by using the ctrl and shift keys in combination with the mouse button.

=item NEW

Adds a new filter at the bottom of the list and opens the Edit Color

2339

Filter dialog box. You will have to alter the filter expression at

2340

least before the filter will be accepted. The format of color filter

2341

expressions is identical to that of display filters. The new filter is

2342

selected, so it may immediately be moved up and down, deleted or edited.

2343

To avoid confusion all filters are unselected before the new filter is

created.

=item EDIT

Opens the Edit Color Filter dialog box for the selected filter. (If this

2349

button is disabled you may have more than one filter selected, making it

2350

ambiguous which is to be edited.)

=item ENABLE

Enables the selected color filter(s).

=item DISABLE

Disables the selected color filter(s).

=item DELETE

Deletes the selected color filter(s).

=item EXPORT

Allows you to choose a file in which to save the current list of color

2367

filters. You may also choose to save only the selected filters. A

2368

button is provided to save the filters in the global color filters file

2369

(you must have sufficient permissions to write this file, of course).

=item IMPORT

Allows you to choose a file containing color filters which are then

2374

added to the bottom of the current list. All the added filters are

2375

selected, so they may be moved to the correct position in the list as a

2376

group. To avoid confusion, all filters are unselected before the new

2377

filters are imported. A button is provided to load the filters from the

2378

global color filters file.

=item CLEAR

Deletes your personal color filters file, reloads the global

2383

color filters file, if any, and closes the dialog.

=item UP

Moves the selected filter(s) up the list, making it more likely that

2388

they will be used to color packets.

=item DOWN

Moves the selected filter(s) down the list, making it less likely that

2393

they will be used to color packets.

=item OK

Closes the dialog and uses the color filters as they stand.

=item APPLY

Colors the packets according to the current list of color filters, but

2402

does not close the dialog.

=item SAVE

Saves the current list of color filters in your personal color filters

2407

file. Unless you do this they will not be used the next time you start

Wireshark.

=item CLOSE

Closes the dialog without changing the coloration of the packets. Note

2413

that changes you have made to the current list of color filters are not

undone.

=back

=item Capture Options Dialog

2419

2420

The I<Capture Options Dialog> lets you specify various parameters for

2421

capturing live packet data.

2422

2423

The I<Interface:> field lets you specify the interface from which to

2424

capture packet data or a command from which to get the packet data via a

2425

pipe.

2426

2427

The I<Link layer header type:> field lets you specify the interfaces link

2428

layer header type. This field is usually disabled, as most interface have

2429

only one header type.

2430

2431

The I<Capture packets in promiscuous mode> check box lets you specify

2432

whether the interface should be put into promiscuous mode when

2433

capturing.

2434

2435

The I<Limit each packet to ... bytes> check box and field lets you

2436

specify a maximum number of bytes per packet to capture and save; if the

2437

check box is not checked, the limit will be 65535 bytes.

2438

2439

The I<Capture Filter:> entry lets you specify the capture filter using a

2440

tcpdump-style filter string as described above.

2441

2442

The I<File:> entry lets you specify the file into which captured packets

2443

should be saved, as in the I<Printer Options> dialog above. If not

2444

specified, the captured packets will be saved in a temporary file; you

2445

can save those packets to a file with the I<File:Save As> menu item.

2446

2447

The I<Use multiple files> check box lets you specify that the capture

2448

should be done in "multiple files" mode. This option is disabled, if the

2449

I<Update list of packets in real time> option is checked.

2450

2451

The I<Next file every ... megabyte(s)> check box and fields lets

2452

you specify that a switch to a next file should be done

2453

if the specified filesize is reached. You can also select the appropriate

2454

unit, but beware that the filesize has a maximum of 2 GiB.

2455

The check box is forced to be checked, as "multiple files" mode requires a

2456

file size to be specified.

2457

2458

The I<Next file every ... minute(s)> check box and fields lets

2459

you specify that the switch to a next file should be done after the specified

2460

time has elapsed, even if the specified capture size is not reached.

2461

2462

The I<Ring buffer with ... files> field lets you specify the number

2463

of files of a ring buffer. This feature will capture into the first file

2464

again, after the specified number of files have been used.

2465

2466

The I<Stop capture after ... files> field lets you specify the number

2467

of capture files used, until the capture is stopped.

2468

2469

The I<Stop capture after ... packet(s)> check box and field let

2470

you specify that Wireshark should stop capturing after having captured

2471

some number of packets; if the check box is not checked, Wireshark will

2472

not stop capturing at some fixed number of captured packets.

2473

2474

The I<Stop capture after ... megabyte(s)> check box and field lets

2475

you specify that Wireshark should stop capturing after the file to which

2476

captured packets are being saved grows as large as or larger than some

2477

specified number of megabytes. If the check box is not checked, Wireshark

2478

will not stop capturing at some capture file size (although the operating

2479

system on which Wireshark is running, or the available disk space, may still

2480

limit the maximum size of a capture file). This option is disabled, if

2481

"multiple files" mode is used,

2482

2483

The I<Stop capture after ... second(s)> check box and field let you

2484

specify that Wireshark should stop capturing after it has been capturing

2485

for some number of seconds; if the check box is not checked, Wireshark

2486

will not stop capturing after some fixed time has elapsed.

2487

2488

The I<Update list of packets in real time> check box lets you specify

2489

whether the display should be updated as packets are captured and, if

2490

you specify that, the I<Automatic scrolling in live capture> check box

2491

lets you specify the packet list pane should automatically scroll to

2492

show the most recently captured packets as new packets arrive.

2493

2494

The I<Enable MAC name resolution>, I<Enable network name resolution> and

2495

I<Enable transport name resolution> check boxes let you specify whether

2496

MAC addresses, network addresses, and transport-layer port numbers

2497

should be translated to names.

=item About

The I<About> dialog lets you view various information about Wireshark.

2502

2503

=item About:Wireshark

2504

2505

The I<Wireshark> page lets you view general information about Wireshark,

2506

like the installed version, licensing information and such.

2507

2508

=item About:Authors

2509

2510

The I<Authors> page shows the author and all contributors.

2511

2512

=item About:Folders

2513

2514

The I<Folders> page lets you view the directory names where Wireshark is

2515

searching it's various configuration and other files.

2516

2517

=item About:Plugins

2518

2519

The I<Plugins> page lets you view the dissector plugin modules

2520

available on your system.

2521

2522

The I<Plugins List> shows the name and version of each dissector plugin

2523

module found on your system.

2524

2525

On Unix-compatible systems, the plugins are looked for in the following

2526

directories: the F<lib/wireshark/plugins/$VERSION> directory under the

2527

main installation directory (for example,

2528

F</usr/local/lib/wireshark/plugins/$VERSION>), and then

2529

F<$HOME/.wireshark/plugins>.

2530

2531

On Windows systems, the plugins are looked for in the following

2532

directories: F<plugins\$VERSION> directory under the main installation

2533

directory (for example, F<C:\Program Files\Wireshark\plugins\$VERSION>),

2534

and then F<%APPDATA%\Wireshark\plugins\$VERSION> (or, if %APPDATA% isn't

2535

defined, F<%USERPROFILE%\Application Data\Wireshark\plugins\$VERSION>).

2536

2537

$VERSION is the version number of the plugin interface, which

2538

is typically the version number of Wireshark. Note that a dissector

2539

plugin module may support more than one protocol; there is not

2540

necessarily a one-to-one correspondence between dissector plugin modules

2541

and protocols. Protocols supported by a dissector plugin module are

2542

enabled and disabled using the I<Edit:Protocols> dialog box, just as

2543

protocols built into Wireshark are.

=back

=head1 CAPTURE FILTER SYNTAX

2548

2549

See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),

2550

or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.

2551

2552

=head1 DISPLAY FILTER SYNTAX

2553

2554

For a complete table of protocol and protocol fields that are filterable

2555

in B<Wireshark> see the wireshark-filter(4) manual page.

=head1 FILES

These files contains various B<Wireshark> configuration settings.

=over 4

=item Preferences

The F<preferences> files contain global (system-wide) and personal

2566

preference settings. If the system-wide preference file exists, it is

2567

read first, overriding the default settings. If the personal preferences

2568

file exists, it is read next, overriding any previous values. Note: If

2569

the command line flag B<-o> is used (possibly more than once), it will

2570

in turn override values from the preferences files.

2571

2572

The preferences settings are in the form I<prefname>B<:>I<value>,

2573

one per line,

2574

where I<prefname> is the name of the preference

2575

and I<value> is the value to

2576

which it should be set; white space is allowed between B<:> and

2577

I<value>. A preference setting can be continued on subsequent lines by

2578

indenting the continuation lines with white space. A B<#> character

2579

starts a comment that runs to the end of the line:

2580

2581

# Vertical scrollbars should be on right side?

2582

# TRUE or FALSE (case-insensitive).

2583

gui.scrollbar_on_right: TRUE

2584

2585

The global preferences file is looked for in the F<wireshark> directory

2586

under the F<share> subdirectory of the main installation directory (for

2587

example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible

2588

systems, and in the main installation directory (for example,

2589

F<C:\Program Files\Wireshark\preferences>) on Windows systems.

2590

2591

The personal preferences file is looked for in F<$HOME/.wireshark/preferences> on

2592

UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if

2593

%APPDATA% isn't defined, F<%USERPROFILE%\Application

2594

Data\Wireshark\preferences>) on Windows systems.

2595

2596

Note: Whenever the preferences are saved by using the I<Save> button

2597

in the I<Edit:Preferences> dialog box, your personal preferences file

2598

will be overwritten with the new settings, destroying any comments and

2599

unknown/obsolete settings that were in the file.

=item Recent

The F<recent> file contains personal settings (mostly GUI related) such

2604

as the current B<Wireshark> window size. The file is saved at program exit and

2605

read in at program start automatically. Note: The command line flag B<-o>

2606

may be used to override settings from this file.

2607

2608

The settings in this file have the same format as in the F<preferences>

2609

files, and the same directory as for the personal preferences file is

2610

used.

2611

2612

Note: Whenever Wireshark is closed, your recent file

2613

will be overwritten with the new settings, destroying any comments and

2614

unknown/obsolete settings that were in the file.

2615

2616

=item Disabled (Enabled) Protocols

2617

2618

The F<disabled_protos> files contain system-wide and personal lists of

2619

protocols that have been disabled, so that their dissectors are never

2620

called. The files contain protocol names, one per line, where the

2621

protocol name is the same name that would be used in a display filter

for the protocol:

http

tcp # a comment

If a protocol is listed in the global F<disabled_protos> file, it is not

2628

displayed in the I<Analyze:Enabled Protocols> dialog box, and so cannot

2629

be enabled by the user.

2630

2631

The global F<disabled_protos> file uses the same directory as the global

2632

preferences file.

2633

2634

The personal F<disabled_protos> file uses the same directory as the

2635

personal preferences file.

2636

2637

Note: Whenever the disabled protocols list is saved by using the I<Save>

2638

button in the I<Analyze:Enabled Protocols> dialog box, your personal

2639

disabled protocols file will be overwritten with the new settings,

2640

destroying any comments that were in the file.

2641

2642

=item Name Resolution (hosts)

2643

2644

If the personal F<hosts> file exists, it is

2645

used to resolve IPv4 and IPv6 addresses before any other

2646

attempts are made to resolve them. The file has the standard F<hosts>

2647

file syntax; each line contains one IP address and name, separated by

2648

whitespace. The same directory as for the personal preferences file is used.

2649

2650

Capture filter name resolution is handled by libpcap on UNIX-compatible

2651

systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file

2652

will not be consulted for capture filter name resolution.

2653

2654

=item Name Resolution (subnets)

2655

2656

If an IPv4 address cannot be translated via name resolution (no exact

2657

match is found) then a partial match is attempted via the F<subnets> file.

2658

2659

Each line of this file consists of an IPv4 address, a subnet mask length

2660

separated only by a / and a name separated by whitespace. While the address

2661

must be a full IPv4 address, any values beyond the mask length are subsequently

ignored.

An example is:

# Comments must be prepended by the # sign!

2667

192.168.0.0/24 ws_test_network

2668

2669

A partially matched name will be printed as "subnet-name.remaining-address".

2670

For example, "192.168.0.1" under the subnet above would be printed as

2671

"ws_test_network.1"; if the mask length above had been 16 rather than 24, the

2672

printed address would be ``ws_test_network.0.1".

2673

2674

=item Name Resolution (ethers)

2675

2676

The F<ethers> files are consulted to correlate 6-byte hardware addresses to

2677

names. First the personal F<ethers> file is tried and if an address is not

2678

found there the global F<ethers> file is tried next.

2679

2680

Each line contains one hardware address and name, separated by

2681

whitespace. The digits of the hardware address are separated by colons

2682

(:), dashes (-) or periods (.). The same separator character must be

2683

used consistently in an address. The following three lines are valid

2684

lines of an F<ethers> file:

2685

2686

ff:ff:ff:ff:ff:ff Broadcast

2687

c0-00-ff-ff-ff-ff TR_broadcast

2688

00.00.00.00.00.00 Zero_broadcast

2689

2690

The global F<ethers> file is looked for in the F</etc> directory on

2691

UNIX-compatible systems, and in the main installation directory (for

2692

example, F<C:\Program Files\Wireshark>) on Windows systems.

2693

2694

The personal F<ethers> file is looked for in the same directory as the personal

2695

preferences file.

2696

2697

Capture filter name resolution is handled by libpcap on UNIX-compatible

2698

systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file

2699

will not be consulted for capture filter name resolution.

2700

2701

=item Name Resolution (manuf)

2702

2703

The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte

2704

hardware address with the manufacturer's name; it can also contain well-known

2705

MAC addresses and address ranges specified with a netmask. The format of the

2706

file is the same as the F<ethers> files, except that entries such as:

00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and

2711

entries such as:

2712

2713

00-00-0C-07-AC/40 All-HSRP-routers

2714

2715

can be specified, with a MAC address and a mask indicating how many bits

2716

of the address must match. The above entry, for example, has 40

2717

significant bits, or 5 bytes, and would match addresses from

2718

00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a

2719

multiple of 8.

2720

2721

The F<manuf> file is looked for in the same directory as the global

2722

preferences file.

2723

2724

=item Name Resolution (services)

2725

2726

The F<services> file is used to translate port numbers into names.

2727

2728

The file has the standard F<services> file syntax; each line contains one

2729

(service) name and one transport identifier separated by white space. The

2730

transport identifier includes one port number and one transport protocol name

2731

(typically tcp, udp, or sctp) separated by a /.

An example is:

mydns 5045/udp # My own Domain Name Server

2736

mydns 5045/tcp # My own Domain Name Server

2737

2738

=item Name Resolution (ipxnets)

2739

2740

The F<ipxnets> files are used to correlate 4-byte IPX network numbers to

2741

names. First the global F<ipxnets> file is tried and if that address is not

2742

found there the personal one is tried next.

2743

2744

The format is the same as the F<ethers>

2745

file, except that each address is four bytes instead of six.

2746

Additionally, the address can be represented as a single hexadecimal

2747

number, as is more common in the IPX world, rather than four hex octets.

2748

For example, these four lines are valid lines of an F<ipxnets> file:

C0.A8.2C.00 HR

c0-a8-1c-00 CEO

00:00:BE:EF IT_Server1

2753

110f FileServer3

2754

2755

The global F<ipxnets> file is looked for in the F</etc> directory on

2756

UNIX-compatible systems, and in the main installation directory (for

2757

example, F<C:\Program Files\Wireshark>) on Windows systems.

2758

2759

The personal F<ipxnets> file is looked for in the same directory as the

2760

personal preferences file.

2761

2762

=item Capture Filters

2763

2764

The F<cfilters> files contain system-wide and personal capture filters.

2765

Each line contains one filter, starting with the string displayed in the

2766

dialog box in quotation marks, followed by the filter string itself:

"HTTP" port 80

"DCERPC" port 135

The global F<cfilters> file uses the same directory as the

2772

global preferences file.

2773

2774

The personal F<cfilters> file uses the same directory as the personal

2775

preferences file. It is written through the Capture:Capture Filters

2776

dialog.

2777

2778

If the global F<cfilters> file exists, it is used only if the personal

2779

F<cfilters> file does not exist; global and personal capture filters are

2780

not merged.

2781

2782

=item Display Filters

2783

2784

The F<dfilters> files contain system-wide and personal display filters.

2785

Each line contains one filter, starting with the string displayed in the

2786

dialog box in quotation marks, followed by the filter string itself:

"HTTP" http

"DCERPC" dcerpc

The global F<dfilters> file uses the same directory as the

2792

global preferences file.

2793

2794

The personal F<dfilters> file uses the same directory as the

2795

personal preferences file. It is written through the Analyze:Display

2796

Filters dialog.

2797

2798

If the global F<dfilters> file exists, it is used only if the personal

2799

F<dfilters> file does not exist; global and personal display filters are

2800

not merged.

2801

2802

=item Color Filters (Coloring Rules)

2803

2804

The F<colorfilters> files contain system-wide and personal color filters.

2805

Each line contains one filter, starting with the string displayed in the

2806

dialog box, followed by the corresponding display filter. Then the

2807

background and foreground colors are appended:

2808

2809

# a comment

2810

@tcp@tcp@[59345,58980,65534][0,0,0]

2811

@udp@udp@[28834,57427,65533][0,0,0]

2812

2813

The global F<colorfilters> file uses the same directory as the

2814

global preferences file.

2815

2816

The personal F<colorfilters> file uses the same directory as the

2817

personal preferences file. It is written through the View:Coloring Rules

2818

dialog.

2819

2820

If the global F<colorfilters> file exists, it is used only if the personal

2821

F<colorfilters> file does not exist; global and personal color filters are

not merged.

=item GTK rc files

The F<gtkrc> files contain system-wide and personal GTK theme settings.

2827

2828

The global F<gtkrc> file uses the same directory as the

2829

global preferences file.

2830

2831

The personal F<gtkrc> file uses the same directory as the personal

preferences file.

=item Plugins

See above in the description of the About:Plugins page.

=back

=head1 ENVIRONMENT VARIABLES

=over 4

=item WIRESHARK_APPDATA

2845

2846

On Windows, Wireshark normally stores all application data in %APPDATA% or

2847

%USERPROFILE%. You can override the default location by exporting this

2848

environment variable to specify an alternate location.

2849

2850

=item WIRESHARK_DEBUG_WMEM_OVERRIDE

2851

2852

Setting this environment variable forces the wmem framework to use the

2853

specified allocator backend for *all* allocations, regardless of which

2854

backend is normally specified by the code. This is mainly useful to developers

2855

when testing or debugging. See I<README.wmem> in the source distribution for

2856

details.

2857

2858

=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY

2859

2860

This environment variable causes the plugins and other data files to be loaded

2861

from the build directory (where the program was compiled) rather than from the

2862

standard locations. It has no effect when the program in question is running

2863

with root (or setuid) permissions on *NIX.

2864

2865

=item WIRESHARK_DATA_DIR

2866

2867

This environment variable causes the various data files to be loaded from

2868

a directory other than the standard locations. It has no effect when the

2869

program in question is running with root (or setuid) permissions on *NIX.

2870

2871

=item ERF_RECORDS_TO_CHECK

2872

2873

This environment variable controls the number of ERF records checked when

2874

deciding if a file really is in the ERF format. Setting this environment

2875

variable a number higher than the default (20) would make false positives

2876

less likely.

2877

2878

=item IPFIX_RECORDS_TO_CHECK

2879

2880

This environment variable controls the number of IPFIX records checked when

2881

deciding if a file really is in the IPFIX format. Setting this environment

2882

variable a number higher than the default (20) would make false positives

2883

less likely.

2884

2885

=item WIRESHARK_ABORT_ON_DISSECTOR_BUG

2886

2887

If this environment variable is set, B<Wireshark> will call abort(3)

2888

when a dissector bug is encountered. abort(3) will cause the program to

2889

exit abnormally; if you are running B<Wireshark> in a debugger, it

2890

should halt in the debugger and allow inspection of the process, and, if

2891

you are not running it in a debugger, it will, on some OSes, assuming

2892

your environment is configured correctly, generate a core dump file.

2893

This can be useful to developers attempting to troubleshoot a problem

2894

with a protocol dissector.

2895

2896

=item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

2897

2898

If this environment variable is set, B<Wireshark> will call abort(3)

2899

if a dissector tries to add too many items to a tree (generally this

2900

is an indication of the dissector not breaking out of a loop soon enough).

2901

abort(3) will cause the program to exit abnormally; if you are running

2902

B<Wireshark> in a debugger, it should halt in the debugger and allow

2903

inspection of the process, and, if you are not running it in a debugger,

2904

it will, on some OSes, assuming your environment is configured correctly,

2905

generate a core dump file. This can be useful to developers attempting to

2906

troubleshoot a problem with a protocol dissector.

2907

2908

=item WIRESHARK_QUIT_AFTER_CAPTURE

2909

2910

Cause B<Wireshark> to exit after the end of the capture session. This

2911

doesn't automatically start a capture; you must still use B<-k> to do

2912

that. You must also specify an autostop condition, e.g. B<-c> or B<-a

2913

duration:...>. This means that you will not be able to see the results

2914

of the capture after it stops; it's primarily useful for testing.

=back

=head1 SEE ALSO

wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1), mergecap(1),

2921

text2pcap(1), pcap-filter(7) or tcpdump(8)

=head1 NOTES

The latest version of B<Wireshark> can be found at

2926

L<https://www.wireshark.org>.

2927

2928

HTML versions of the Wireshark project man pages are available at:

2929

L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

nexmon – Blame information for rev 1