Wireshark Wireshark 1 4 Manual
Here you can find all about Wireshark Wireshark 1 4 like manual and other informations. For example: review.
Wireshark Wireshark 1 4 manual (user guide) is ready to download for free.
On the bottom of page users can write a review. If you own a Wireshark Wireshark 1 4 please write about it to help other people. [ Report abuse or wrong photo | Share your Wireshark Wireshark 1 4 photo ]
CVE 2010 0304 : Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
User reviews and opinions
|atristao||6:55pm on Wednesday, October 6th, 2010|
|Bought the 16G WiFi for my wife. She enjoys playing games, surfing the web, reading books, reading email and catching up on her Soaps at ABC.com. Awesome game player, and has replaced my laptop but I do not have to need for business and so I do not know about how those work. Great for traveling,...|
|indolering||2:35pm on Monday, June 21st, 2010|
|Does this device have any real flaws? Lets address some real shortcomingsÂ of the iPad. you will love the 9 inches screen. You will enjoy the touchscreen experience with iPad Fast, Lightweight, Compact|
|!! ambarad !!||11:00pm on Thursday, June 3rd, 2010|
|I came into Vanns on a whim on the iPads launch day not really expecting to see any there still available. I replaced my first-gen iPod Touch, which I had since they first came out a few years ago, with this new beast of a device. First of all.|
|anisha raj||8:27am on Thursday, May 20th, 2010|
|This product is EXACTLY what I wanted. It fits perfectly and it got here very fast. The item was all that the description said it would be! I am very pleased with this product and would recommend it to friends.|
|gcremella||2:18am on Friday, May 14th, 2010|
|The iPad is exactly what I expected, easy to use, very well executed so long as you understand that it is mainly a device to consume media.|
|Stu_yak||5:16am on Sunday, April 25th, 2010|
|Overpriced content consumption table. Very responsive touch screen, high res screen Content Consumption only. Not great value for money. No camera.|
Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.
7.6.2. How Wireshark handles it.. 7.7. Name Resolution.... 7.7.1. Name Resolution drawbacks... 7.7.2. Ethernet name resolution (MAC layer).. 7.7.3. IP name resolution (network layer).. 7.7.4. IPX name resolution (network layer)... 7.7.5. TCP/UDP port name resolution (transport layer).. 7.8. Checksums.... 7.8.1. Wireshark checksum validation.. 7.8.2. Checksum offloading... 8. Statistics.... 8.1. Introduction... 8.2. The "Summary" window... 8.3. The "Protocol Hierarchy" window... 8.4. Conversations... 8.4.1. What is a Conversation?... 8.4.2. The "Conversations" window.. 8.4.3. The protocol specific "Conversation List" windows.. 8.5. Endpoints.... 8.5.1. What is an Endpoint?... 8.5.2. The "Endpoints" window... 8.5.3. The protocol specific "Endpoint List" windows.. 8.6. The "IO Graphs" window... 8.7. Service Response Time... 8.7.1. The "Service Response Time DCE-RPC" window.. 8.8. Compare two capture files.... 8.9. WLAN Traffic Statistics... 8.10. The protocol specific statistics windows.. 9. Telephony.... 9.1. Introduction... 9.2. RTP Analysis.... 9.3. VoIP Calls.... 9.4. LTE MAC Traffic Statistics... 9.5. LTE RLC Traffic Statistics... 9.6. The protocol specific statistics windows... 10. Customizing Wireshark.... 10.1. Introduction.... 10.2. Start Wireshark from the command line.. 10.3. Packet colorization... 10.4. Control Protocol dissection... 10.4.1. The "Enabled Protocols" dialog box.. 10.4.2. User Specified Decodes... 10.4.3. Show User Specified Decodes... 10.5. Preferences.... 10.5.1. Interface Options.... 10.6. Configuration Profiles... 10.7. User Table... 10.8. Display Filter Macros... 10.9. ESS Category Attributes.... 10.10. GeoIP Database Paths... 10.11. IKEv2 decryption table.... 10.12. Object Identifiers... 10.13. PRES Users Context List... 10.14. SCCP users Table... 10.15. SMI (MIB and PIB) Modules... 10.16. SMI (MIB and PIB) Paths... 10.17. SNMP Enterprise Specific Trap Types.. 10.18. SNMP users Table...
10.19. Tektronix K12xx/15 RF5 protocols Table... 10.20. User DLTs protocol table... 11. Lua Support in Wireshark... 11.1. Introduction.... 11.2. Example of Dissector written in Lua... 11.3. Example of Listener written in Lua... 11.4. Wireshark's Lua API Reference Manual.. 11.5. Saving capture files... 11.5.1. Dumper.... 11.5.2. PseudoHeader... 11.6. Obtaining dissection data... 11.6.1. Field... 11.6.2. FieldInfo... 11.6.3. Non Method Functions... 11.7. GUI support... 11.7.1. ProgDlg.... 11.7.2. TextWindow... 11.7.3. Non Method Functions... 11.8. Post-dissection packet analysis... 11.8.1. Listener.... 11.9. Obtaining packet information... 11.9.1. Address.... 11.9.2. Column... 11.9.3. Columns... 11.9.4. Pinfo... 11.10. Functions for writing dissectors... 11.10.1. Dissector... 11.10.2. DissectorTable... 11.10.3. Pref... 11.10.4. Prefs.... 11.10.5. Proto... 11.10.6. ProtoField... 11.10.7. Non Method Functions.. 11.11. Adding information to the dissection tree... 11.11.1. TreeItem... 11.12. Functions for handling packet data... 11.12.1. ByteArray... 11.12.2. Int.... 11.12.3. Tvb... 11.12.4. TvbRange... 11.12.5. UInt.... 11.13. Utility Functions... 11.13.1. Dir.... 11.13.2. Non Method Functions.. A. Files and Folders.... A.1. Capture Files.... A.1.1. Libpcap File Contents... A.1.2. Not Saved in the Capture File... A.2. Configuration Files and Folders... A.2.1. Protocol help configuration... A.3. Windows folders.... A.3.1. Windows profiles.... A.3.2. Windows 7, Vista, XP, 2000, and NT roaming profiles.. A.3.3. Windows temporary folder... B. Protocols and Protocol Fields.... C. Wireshark Messages.... C.1. Packet List Messages... C.1.1. [Malformed Packet]...
1.2.1. General Remarks
The values below are the minimum requirements and only "rules of thumb" for use on a moderately used network Working with a busy network can easily produce huge memory and disk space usage! For example: Capturing on a fully saturated 100MBit/s Ethernet will produce ~ 750MBytes/min! Having a fast processor, lots of memory and disk space is a good idea in that case. If Wireshark is running out of memory it crashes, see: http://wiki.wireshark.org/KnownBugs/ OutOfMemory for details and workarounds Wireshark won't benefit much from Multiprocessor/Hyperthread systems as time consuming tasks like filtering packets are single threaded. No rule is without exception: during an "Update list of packets in real time" capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process - which should benefit from two processors.
1.2.2. Microsoft Windows
Windows XP Home, XP Pro, XP Tablet PC, XP Media Center, Server 2003, Vista, 2008, 7, or 2008 R2 Any modern 32-bit x86 or 64-bit AMD64/x86-64 processor. 128MB available RAM. Larger capture files require more RAM. 75MB available disk space. Capture files require additional disk space. 800*600 (1280*1024 or higher recommended) resolution with at least 65536 (16bit) colors (256 colors should work if Wireshark is installed with the "legacy GTK1" selection of the Wireshark 1.0.x releases) A supported network card for capturing: Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment. 802.11: See the Wireshark wiki page. Capturing raw 802.11 information may be difficult without special equipment.
Other media: See http://wiki.wireshark.org/CaptureSetup/NetworkMedia Remarks: Many older Windows versions are no longer supported for three reasons: None of the developers use those systems which makes support difficult. The libraries Wireshark depends on (GTK, WinPcap, ) have dropped support for older releases. Microsoft has also dropped support for these systems. Windows 95, 98 and ME are no longer supported. The "old technology" releases of Windows lack memory protection (specifically VirutalProtect) which we use to improve program safety and security. The last known version to work was Ethereal 0.10.14 (which includes WinPcap 3.1). You can get it from http://ethereal.com/download.html. According to this bug report, you may need to install Ethereal 0.10.0 on some systems. Microsoft retired support for Windows 98 and ME in 2006. Windows NT 4.0 no longer works with Wireshark. The last known version to work was Wireshark 0.99.4 (which includes WinPcap 3.1). You still can get it from http://www.wireshark.org/download/ win32/all-versions/wireshark-setup-0.99.4.exe. Microsoft retired support for Windows NT 4.0 in 2004. Windows 2000 no longer works with Wireshark. The last known version to work was Wireshark 1.2.x (which includes WinPcap 4.1.2). You still can get it from http://www.wireshark.org/ download/win32/all-versions/. Microsoft retired support for Windows 2000 in 2010. Windows CE and the embedded versions of Windows are not currently supported. Multiple monitor setups are supported but may behave a bit strangely.
2.5.2. Installing from deb's under Debian, Ubuntu and other Debian derivatives
If you can just install from the repository then use:
aptitude install wireshark
aptitude should take care of all of the dependency issues for you. Use the following command to install downloaded Wireshark deb's under Debian:
dpkg -i wireshark-common_1.7.0-1_i386.deb wireshark_1.7.0-1_i386.deb
dpkg doesn't take care of all dependencies, but reports what's missing.
By installing Wireshark packages non-root users won't gain rights automatically to capture packets. To allow non-root users to capture packets follow the procedure described in /usr/share/doc/wireshark-common/README.Debian
2.5.3. Installing from portage under Gentoo Linux
Use the following command to install Wireshark under Gentoo Linux with all of the extra features:
USE="adns gtk ipv6 portaudio snmp ssl kerberos threads selinux" emerge wireshark
2.5.4. Installing from packages under FreeBSD
Use the following command to install Wireshark under FreeBSD:
pkg_add -r wireshark
pkg_add should take care of all of the dependency issues for you.
2.6. Troubleshooting during the install on Unix
A number of errors can occur during the installation process. Some hints on solving these are provided here. If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problem. The standard problems are that you do not have GTK+ on your system, or you do not have a recent enough version of GTK+. The configure will also fail if you do not have libpcap (at least the required include files) on your system. Another common problem is for the final compile and link stage to terminate with a complaint of: Output too long. This is likely to be caused by an antiquated sed (such as the one shipped with Solaris). Since sed is used by the libtool script to construct the final link command, this leads to mysterious
Start Stop Restart -----Open.
If you currently have a temporary capture file, the Save icon shown instead. will be
Toolbar Toolbar Item Icon Close
Corresponding Menu Item File/Close
Description This item closes the current capture. If you have not saved the capture, you will be asked to save it first. This item allows you to reload the current capture file. This item allows you to print all (or some of) the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in Section 5.8, Printing packets).
-----Find Packet. Edit/Find Packet. This item brings up a dialog box that allows you to find a packet. There is further information on finding packets in Section 6.8, Finding packets. Go/Go Back Go/Go Forward This item jumps back in the packet history. This item jumps forward in the packet history.
Go Back Go Forward Go to Packet. Go To Packet Go To Packet -----Colorize Auto Scroll Live Capture -----Zoom In Zoom Out Normal Size Resize Columns ------
Go/Go to Packet. This item brings up a dialog box that allows you to specify a packet number to go to that packet. This item jumps to the first packet of the capture file. This item jumps to the last packet of the capture file. Colorize the packet list (or not).
First Go/First Packet Last Go/Last Packet
in View/Auto Scroll Auto scroll packet list while doing a live capture in Live Capture (or not). View/Zoom In View/Zoom Out Zoom into the packet data (increase the font size). Zoom out of the packet data (decrease the font size).
View/Normal Size Set zoom level back to 100%. View/Resize Columns Resize columns, so the content fits into them.
Capture Filters. Capture/Capture Filters.
This item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, Defining and saving filters. This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, Defining and saving filters. This item brings up a dialog box that allows you color packets in the packet list pane according to
Coloring Rules. View/Coloring Rules.
Toolbar Toolbar Item Icon
Corresponding Menu Item
Description filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in Section 10.3, Packet colorization.
This item brings up a dialog box that allows you to set preferences for many parameters that control Wireshark. You can also save your preferences so Wireshark will use them the next time you start it. More detail is provided in Section 10.5, Preferences This item brings up help dialog box.
5.10. The Packet Format frame
The packet format frame is a part of various output related dialog boxes. It provides options to select which parts of a packet should be used for the output function.
Figure 5.20. The "Packet Format" frame
Packet summary line enable the output of the summary line, just as in the "Packet List" pane. Packet details enable the output of the packet details tree.
All collapsed the info from the "Packet Details" pane in "all collapsed" state. As displayed the info from the "Packet Details" pane in the current state. All expanded the info from the "Packet Details" pane in "all expanded" state. Packet bytes enable the output of the packet bytes, just as in the "Packet Bytes" pane. Each packet on a new page put each packet on a separate page (e.g. when saving/printing to a text file, this will put a form feed character between the packets).
Chapter 6. Working with captured packets
6.1. Viewing packets you have captured
Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes. You can then expand any part of the tree view by clicking on the plus sign (the symbol itself may vary) to the left of that part of the payload, and you can select individual fields by clicking on them in the tree view pane. An example with a TCP packet selected is shown in Figure 6.1, Wireshark with a TCP packet selected for viewing. It also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as the selected bytes.
Figure 6.1. Wireshark with a TCP packet selected for viewing
You can also select and view packets the same way, while Wireshark is capturing, if you selected "Update list of packets in real time" in the Wireshark Capture Preferences dialog box. In addition, you can view individual packets in a separate window as shown in Figure 6.2, Viewing a packet in a separate window. Do this by selecting the packet in which you are interested in the packet list pane, and then select "Show Packet in New Windows" from the Display menu. This allows you to easily compare two or even more packets.
6.4.2. Comparing values
You can build display filters that compare values using a number of different comparison operators. They are shown in Table 6.4, Display Filter comparison operators.
You can use English and C-like terms in the same way, they can even be mixed in a filter string!
Table 6.4. Display Filter comparison operators
English eq C-like
Description and example Equal
frame.len > 10
frame.len < 128
Greater than or equal to
frame.len ge 0x100
Less than or equal to
frame.len <= 0x20
In addition, all protocol fields are typed. Table 6.5, Display Filter Field Types provides a list of the types and example of how to express them.
Table 6.5. Display Filter Field Types
Type Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) Example You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
ip.len le 1500 ip.len le 02734 ip.len le 0x436
Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
Example A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find sourcerouted token ring packets, use a filter expression of tr.sr.
Ethernet address (6 bytes)
Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators:
eth.dst == ff:ff:ff:ff:ff:ff eth.dst == ff-ff-ff-ff-ff-ff eth.dst == ffff.ffff.ffff
ip.addr == 192.168.0.1 Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network: ip.addr == 220.127.116.11/16
IPv6 address IPX address String (text)
ipv6.addr == ::1 ipx.addr == 00000000.ffffffffffff http.request.uri == "http://www.wireshark.org/"
6.4.3. Combining expressions
You can combine filter expressions in Wireshark using the logical operators shown in Table 6.6, Display Filter Logical Operations
Table 6.6. Display Filter Logical Operations
English and C-like && Description and example Logical AND
ip.src==10.0.0.5 and tcp.flags.fin
ip.scr==10.0.0.5 or ip.src==18.104.22.168
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
Substring Operator Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets  containing a comma separated list of range specifiers.
Statistics of the endpoints captured.
If you are looking for a feature other network tools call a hostlist, here is the right place to look. The list of Ethernet or IP endpoints is usually what you're looking for.
8.5.1. What is an Endpoint?
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer. The endpoint statistics of Wireshark will take the following endpoints into account: Ethernet: an Ethernet endpoint is identical to the Ethernet's MAC address. Fibre Channel: XXX - insert info here. FDDI: a FDDI endpoint is identical to the FDDI MAC address. IPv4: an IP endpoint is identical to its IP address. IPX: an IPX endpoint is concatenation of a 32 bit network number and 48 bit node address, be default the Ethernets' MAC address. JXTA: a JXTA endpoint is a 160 bit SHA-1 URN. NCP: XXX - insert info here. RSVP: XXX - insert info here. SCTP: a SCTP endpoint is a combination of the host IP addresses (plural) and the SCTP port used. So different SCTP ports on the same IP address are different SCTP endpoints, but the same SCTP port on different IP addresses of the same host are still the same endpoint. TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP ports on the same IP address are different TCP endpoints. Token Ring: a Token Ring endpoint is identical to the Token Ring MAC address. UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints. USB: XXX - insert info here. WLAN: XXX - insert info here.
Broadcast / multicast endpoints
Broadcast / multicast traffic will be shown separately as additional endpoints. Of course, as these endpoints are virtual endpoints, the real traffic will be received by all (multicast: some) of the listed unicast endpoints.
8.5.2. The "Endpoints" window
This window shows statistics about the endpoints captured.
Figure 8.4. The "Endpoints" window
For each supported protocol, a tab is shown in this window. Each tab label shows the number of endpoints captured (e.g. the tab label "Ethernet: 5" tells you that five ethernet endpoints have been captured). If no endpoints of a specific protocol were captured, the tab label will be greyed out (although the related page can still be selected). Each row in the list shows the statistical values for exactly one endpoint. Name resolution will be done if selected in the window and if it is active for the specific protocol layer (MAC layer for the selected Ethernet endpoints page). As you might have noticed, the first row has a name resolution of the first three bytes "Netgear", the second row's address was resolved to an IP address (using ARP) and the third was resolved to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff); the last two Ethernet addresses remain unresolved. Limit to display filter will only show conversations matching the current display filter. The copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format.
A frame number (for hyperlinks between frames)
22.214.171.124. ProtoField.bool(abbr, [name], [display], [string], [mask], [desc])
abbr name (optional) display (optional) string (optional) mask (optional) desc (optional) Abbreviated name of the field (the string used in filters) Actual name of the field (the string that appears in the tree) how wide the parent bitfield is (BASE_NONE is used for NULL-value) A table containing the text that corresponds to the values Integer mask of this field Description of the field
126.96.36.199. ProtoField.ipv4(abbr, [name], [desc])
abbr name (optional) Abbreviated name of the field (the string used in filters) Actual name of the field (the string that appears in the tree)
188.8.131.52. ProtoField.ipv6(abbr, [name], [desc])
abbr name (optional) desc (optional) Abbreviated name of the field (the string used in filters) Actual name of the field (the string that appears in the tree) Description of the field
184.108.40.206. ProtoField.ether(abbr, [name], [desc])
220.127.116.11. ProtoField.float(abbr, [name], [desc])
18.104.22.168. ProtoField.double(abbr, [name], [desc])
22.214.171.124. ProtoField.string(abbr, [name], [desc])
126.96.36.199. ProtoField.stringz(abbr, [name], [desc])
188.8.131.52. ProtoField.bytes(abbr, [name], [desc])
184.108.40.206. ProtoField.ubytes(abbr, [name], [desc])
220.127.116.11. ProtoField.guid(abbr, [name], [desc])
Description IPX resolution.
name /etc/ipxnets, %WIRESHARK%\ipxnets, %APPDATA $HOME/.wireshark/%\Wireshark\ipxnets ipxnets
Plugin directories. /usr/share/ %WIRESHARK%\plugins\<version>, wireshark/ %APPDATA%\Wireshark\plugins plugins, /usr/local/ share/wireshark/ plugins, $HOME/.wireshark/ plugins Temporary files. Environment: TMPDIR Environment: TMPDIR or TEMP
%APPDATA% points to the personal configuration folder, e.g.: C:\Documents and Settings\<username>\Application Data (details can be found at: Section A.3.1, Windows profiles), %WIRESHARK% points to the Wireshark program folder, e.g.: C:\Program Files \Wireshark
The /etc folder is the global Wireshark configuration folder. The folder actually used on your system may vary, maybe something like: /usr/local/etc. $HOME is usually something like: /home/<username> preferences/wireshark.conf This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:
The settings from this file are read in at program start and written to disk when you press the Save button in the "Preferences" dialog box. recent This file contains various GUI related settings like the main window position and size, the recent files list and such. It is a simple text file containing statements of the form:
It is read at program start and written at program exit. cfilters This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<filter name>" <filter string>
The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box. dfilters This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box. colorfilters This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
Capture output: -b <ringbuffer opt.>. duration:NUM - switch to next file after NUM secs filesize:NUM - switch to next file after NUM KB files:NUM - ringbuffer: replace after NUM files Input file: -r <infile> set the filename to read from (no pipes or stdin!) Processing: -R <read filter> packet filter in Wireshark display filter syntax -n disable all name resolutions (def: all enabled) -N <name resolve flags> enable specific name resolution(s): "mntC" -d <layer_type>==<selector>,<decode_as_protocol>. "Decode As", see the man page for details Example: tcp.port==8888,http Output: -w <outfile|-> write packets to a pcap-format file named "outfile" (or to the standard output for "-") -C <config profile> start with specified configuration profile -F <output file type> set the output file type, default is libpcap an empty "-F" option will list the file types -V add output of packet tree (Packet Details) -O <protocols> Only show packet details of these protocols, comma separated -S display packets even when writing to a file -x add output of hex and ASCII dump (Packet Bytes) -T pdml|ps|psml|text|fields format of text output (def: text) -e <field> field to print if -Tfields selected (e.g. tcp.port); this option can be repeated to print multiple fields -E<fieldsoption>=<value> set options for output when -Tfields selected: header=y|n switch headers on and off separator=/t|/s|<char> select tab, space, printable character as separator occurrence=f|l|a print first, last or all occurrences of each field aggregator=,|/s|<char> select comma, space, printable character as aggregator quote=d|s|n select double, single, no quotes for values -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first) -u s|hms output format of seconds (def: s: seconds) -l flush standard output after each packet -q be more quiet on stdout (e.g. when using statistics) -X <key>:<value> eXtension options, see the man page for details -z <statistics> various statistics, see the man page for details Miscellaneous: -h -v -o <name>:<value>. -K <keytab> -G [report]
display this help and exit display version info and exit override preference setting keytab file to use for kerberos decryption dump one of several available reports and exit default report="fields" use "-G ?" for more help
Related command line tools
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
There are occasions when you want to capture packets using tcpdump rather than wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture). However, the default tcpdump parameters result in a capture file where each packet is truncated, because most versions of tcpdump, will, by default, only capture the first 68 or 96 bytes of each packet. To ensure that you capture complete packets, use the following command:
D.6. rawshark: Dump and analyze network traffic.
Rawshark reads a stream of packets from a file or pipe, and prints a line describing its output, followed by a set of matching fields for each packet on stdout.
Example D.4. Help information available from rawshark
Rawshark 1.6.0 (SVN Rev 37205 from /trunk-1.6) Dump and analyze network traffic. See http://www.wireshark.org for more information. Copyright 1998-2011 Gerald Combs <firstname.lastname@example.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Usage: rawshark [options]. Input file: -r <infile>
set the pipe or file name to read from
Processing: -d <encap:dlt>|<proto:protoname> packet encapsulation or protocol -F <field> field to display -n disable all name resolution (def: all enabled) -N <name resolve flags> enable specific name resolution(s): "mntC" -p use the system's packet header format (which may have 64-bit timestamps) -R <read filter> packet filter in Wireshark display filter syntax -s skip PCAP header on input Output: -l flush output after each packet -S format string for fields (%D - name, %S - stringval, %N numval) -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first) Miscellaneous: -h -o <name>:<value>. -v
display this help and exit override preference setting display version info and exit
D.7. editcap: Edit capture files
Included with Wireshark is a small utility called editcap, which is a command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as to print information about capture files.
Example D.5. Help information available from editcap
Editcap 1.6.0 (SVN Rev 37205 from /trunk-1.6) Edit and/or translate the format of capture files. See http://www.wireshark.org for more information. Usage: editcap [options]. <infile> <outfile> [ <packet#>[-<packet#>]. ] <infile> and <outfile> must both be present. A single packet or a range of packets can be selected. Packet selection: -r -A <start time> -B <stop time>
keep the selected packets; default is to delete them. only output packets whose timestamp is after (or equal to) the given time (format as YYYY-MM-DD hh:mm:ss). only output packets whose timestamp is before the given time (format as YYYY-MM-DD hh:mm:ss).
Appendix E. This Document's License (GPL)
As with the original license and documentation distributed with Wireshark, this document is covered by the GNU General Public License (GNU GPL). If you haven't read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation.
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and
Wireshark User's Guide
for Wireshark 1.7
Ulf Lamping, Richard Sharpe, NS Computer Software and Services P/L Ed Warnicke,
Wireshark User's Guide: for Wireshark 1.7
by Ulf Lamping, Richard Sharpe, and Ed Warnicke Copyright 2004-2011 Ulf Lamping , Richard Sharpe , Ed Warnicke
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. All logos and trademarks in this document are property of their respective owner.
Preface.... ix 1. Foreword.... ix 2. Who should read this document?... ix 3. Acknowledgements... ix 4. About this document.... x 5. Where to get the latest copy of this document?... x 6. Providing feedback about this document... x 1. Introduction.... 1 1.1. What is Wireshark?.... 1 1.1.1. Some intended purposes... 1 1.1.2. Features.... 1 1.1.3. Live capture from many different network media.. 2 1.1.4. Import files from many other capture programs.. 2 1.1.5. Export files for many other capture programs.. 2 1.1.6. Many protocol decoders... 2 1.1.7. Open Source Software... 3 1.1.8. What Wireshark is not... 3 1.2. System Requirements.... 3 1.2.1. General Remarks.... 3 1.2.2. Microsoft Windows... 3 1.2.3. Unix / Linux... 4 1.3. Where to get Wireshark?.... 5 1.4. A brief history of Wireshark.... 5 1.5. Development and maintenance of Wireshark.. 6 1.6. Reporting problems and getting help.. 6 1.6.1. Website.... 6 1.6.2. Wiki.... 6 1.6.3. Q&A Forum... 7 1.6.4. FAQ.... 7 1.6.5. Mailing Lists... 7 1.6.6. Reporting Problems... 7 1.6.7. Reporting Crashes on UNIX/Linux platforms.. 8 1.6.8. Reporting Crashes on Windows platforms.. 9 2. Building and Installing Wireshark... 10 2.1. Introduction... 10 2.2. Obtaining the source and binary distributions... 10 2.3. Before you build Wireshark under UNIX... 11 2.4. Building Wireshark from source under UNIX... 13 2.5. Installing the binaries under UNIX... 14 2.5.1. Installing from rpm's under Red Hat and alike.. 14 2.5.2. Installing from deb's under Debian, Ubuntu and other Debian derivatives. 14 2.5.3. Installing from portage under Gentoo Linux.. 14 2.5.4. Installing from packages under FreeBSD.. 14 2.6. Troubleshooting during the install on Unix.. 15 2.7. Building from source under Windows... 15 2.8. Installing Wireshark under Windows... 15 2.8.1. Install Wireshark... 15 2.8.2. Manual WinPcap Installation... 17 2.8.3. Update Wireshark... 18 2.8.4. Update WinPcap... 18 2.8.5. Uninstall Wireshark.... 18 2.8.6. Uninstall WinPcap... 18 3. User Interface.... 19 3.1. Introduction... 19
3.2. Start Wireshark... 3.3. The Main window.... 3.3.1. Main Window Navigation... 3.4. The Menu.... 3.5. The "File" menu.... 3.6. The "Edit" menu.... 3.7. The "View" menu.... 3.8. The "Go" menu... 3.9. The "Capture" menu.... 3.10. The "Analyze" menu.... 3.11. The "Statistics" menu.... 3.12. The "Telephony" menu... 3.13. The "Tools" menu... 3.14. The "Internals" menu.... 3.15. The "Help" menu.... 3.16. The "Main" toolbar... 3.17. The "Filter" toolbar... 3.18. The "Packet List" pane.... 3.19. The "Packet Details" pane.... 3.20. The "Packet Bytes" pane... 3.21. The Statusbar.... 4. Capturing Live Network Data... 4.1. Introduction... 4.2. Prerequisites.... 4.3. Start Capturing.... 4.4. The "Capture Interfaces" dialog box... 4.5. The "Capture Options" dialog box... 4.5.1. Capture frame... 4.5.2. Capture File(s) frame... 4.5.3. Stop Capture. frame... 4.5.4. Display Options frame... 4.5.5. Name Resolution frame.... 4.5.6. Buttons.... 4.6. The "Remote Capture Interfaces" dialog box.. 4.6.1. Remote Capture Interfaces... 4.6.2. Remote Capture.... 4.6.3. Remote Capture Settings... 4.7. The "Interface Details" dialog box... 4.8. Capture files and file modes... 4.9. Link-layer header type.... 4.10. Filtering while capturing... 4.10.1. Automatic Remote Traffic Filtering.. 4.11. While a Capture is running... 4.11.1. Stop the running capture... 4.11.2. Restart a running capture... 5. File Input / Output and Printing.... 5.1. Introduction... 5.2. Open capture files.... 5.2.1. The "Open Capture File" dialog box.. 5.2.2. Input File Formats... 5.3. Saving captured packets.... 5.3.1. The "Save Capture File As" dialog box... 5.3.2. Output File Formats.... 5.4. Merging capture files...
The authors would like to thank the whole Wireshark team for their assistance. In particular, the authors would like to thank: Gerald Combs, for initiating the Wireshark project and funding to do this documentation. Guy Harris, for many helpful hints and a great deal of patience in reviewing this document. Gilbert Ramirez, for general encouragement and helpful hints along the way. The authors would also like to thank the following people for their helpful feedback on this document: Pat Eyler, for his suggestions on improving the example on generating a backtrace. Martin Regner, for his various suggestions and corrections. Graeme Hewson, for a lot of grammatical corrections. The authors would like to acknowledge those man page and README authors for the Wireshark project from who sections of this document borrow heavily: Scott Renfro from whose mergecap man page Section D.8, mergecap: Merging multiple capture files into one is derived.
Ashok Narayanan from whose text2pcap man page Section D.9, text2pcap: Converting ASCII hexdumps to network captures is derived. Frank Singleton from whose README.idl2wrs Section D.10, idl2wrs: Creating dissectors from CORBA IDL files is derived.
4. About this document
This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It is written in DocBook/XML. You will find some specially marked parts in this book:
This is a warning!
You should pay attention to a warning, as otherwise data loss might occur.
This is a note!
A note will point you to common mistakes and things that might not be obvious.
This is a tip!
Tips will be helpful for your everyday work using Wireshark.
5. Where to get the latest copy of this document?
The latest copy of this documentation can always be found at: http://www.wireshark.org/docs/.
6. Providing feedback about this document
Should you have any feedback about this document, please send it to the authors through wiresharkdev[AT]wireshark.org.
Chapter 1. Introduction
1.1. What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.
1.1.1. Some intended purposes
Here are some examples people use Wireshark for: network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals Beside these examples, Wireshark can be helpful in many other situations too.
The following are some of the many features Wireshark provides: Available for UNIX and Windows. Capture live packet data from a network interface. Display packets with very detailed protocol information. Open and Save packet data captured. Import and Export packet data from and to a lot of other capture programs. Filter packets on many criteria. Search for packets on many criteria. Colorize packet display based on filters. Create various statistics. . and a lot more! However, to really appreciate its power, you have to start using it.
Figure 1.1, Wireshark captures packets and allows you to examine their content. shows Wireshark having captured some packets and waiting for you to examine them.
Figure 1.1. Wireshark captures packets and allows you to examine their content.
1.1.3. Live capture from many different network media
Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported, depends on many things like the operating system you are using. An overview of the supported media types can be found at: http://wiki.wireshark.org/ CaptureSetup/NetworkMedia.
1.1.4. Import files from many other capture programs
Wireshark can open packets captured from a large number of other capture programs. For a list of input formats see Section 5.2.2, Input File Formats.
1.1.5. Export files for many other capture programs
Wireshark can save packets captured in a large number of formats of other capture programs. For a list of output formats see Section 5.3.2, Output File Formats.
1.1.6. Many protocol decoders
There are protocol decoders (or dissectors, as they are known in Wireshark) for a great many protocols: see Appendix B, Protocols and Protocol Fields.
1.1.7. Open Source Software
Service Response Time -----ANCP. BOOTPDHCP. Colledtd. Compare. Flow Graph. HTTP IP Addresses. IP Destinations. IP Protocol Types. ONC-RPC Programs Sametime TCP Stream Graph UDP Multicast Streams WLAN Traffic
3.12. The "Telephony" menu
The Wireshark Telephony menu contains the fields shown in Table 3.9, Telephony menu items.
Figure 3.10. The "Telephony" Menu
All menu items will bring up a new window showing specific telephony related statistical information.
Table 3.9. Telephony menu items
Menu Item IAX2 SMPP Operations. SCTP ANSI GSM H.225. ISUP Messages. LTE MTP3 RTP SIP. UCP Messages. VoIP Calls. Accelerator Description See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.4, LTE MAC Traffic Statistics See Section 9.6, The protocol specific statistics windows See Section 9.2, RTP Analysis See Section 9.6, The protocol specific statistics windows See Section 9.6, The protocol specific statistics windows See Section 9.3, VoIP Calls
Menu Item WAP-WSP.
Description See Section 9.6, The protocol specific statistics windows
3.13. The "Tools" menu
The Wireshark Tools menu contains the fields shown in Table 3.10, Tools menu items.
Figure 3.11. The "Tools" Menu
Table 3.10. Tools menu items
Menu Item Firewall Rules ACL Accelerator Description This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. It is assumed that the rules will be applied to an outside interface. Lua These options allow you to work with the Lua interpreter optionally build into Wireshark, see Section 11.1, Introduction.
3.14. The "Internals" menu
The Wireshark Internals menu contains the fields shown in Table 3.11, Help menu items.
Figure 3.12. The "Internals" Menu
Table 3.11. Help menu items
Menu Item Dissector tables Supported Protocols (slow!) Accelerator Description This menu item brings up a dialog box showing the tables with subdissector relationships. This menu item brings up a dialog box showing the supported protocols and protocol fields.
3.15. The "Help" menu
The Wireshark Help menu contains the fields shown in Table 3.12, Help menu items.
Figure 3.13. The "Help" Menu
Table 3.12. Help menu items
Menu Item Contents Manual Pages >. -----Website FAQ's Downloads -----Wiki Sample Captures -----About Wireshark This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it's build, the plugins loaded, the used folders,. This menu item starts a Web browser showing the front page from: http://wiki.wireshark.org. This menu item starts a Web browser showing the sample captures from: http://wiki.wireshark.org. This menu item starts a Web browser showing the webpage from: http://www.wireshark.org. This menu item starts a Web browser showing various FAQ's. This menu item starts a Web browser showing the downloads from: http://www.wireshark.org. Accelerator F1 Description This menu item brings up a basic help system. This menu item starts a Web browser showing one of the locally installed html manual pages.
Calling a Web browser might be unsupported in your version of Wireshark. If this is the case, the corresponding menu items will be hidden.
If calling a Web browser fails on your machine, maybe because just nothing happens or the browser is started but no page is shown, have a look at the web browser setting in the preferences dialog.
3.16. The "Main" toolbar
The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu, if the space on the screen is needed to show even more packet data. As in the menu, only the items useful in the current program state will be available. The others will be greyed out (e.g. you cannot save a capture file if you haven't loaded one).
Figure 3.14. The "Main" toolbar
Table 3.13. Main toolbar items
Toolbar Toolbar Item Icon Interfaces. Corresponding Menu Item Capture/ Interfaces. Description This item brings up the Capture Interfaces List dialog box (discussed further in Section 4.3, Start Capturing).
Capture/Options. This item brings up the Capture Options dialog box (discussed further in Section 4.3, Start Capturing) and allows you to start capturing packets. Capture/Start Capture/Stop Capture/Restart This item starts capturing packets with the options form the last time. This item stops the currently running live capture process Section 4.3, Start Capturing). This item stops the currently running live capture process and restarts it again, for convenience. This item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, The "Open Capture File" dialog box. This item allows you to save the current capture file to whatever file you would like. It pops up the Save Capture File As dialog box (which is discussed further in Section 5.3.1, The "Save Capture File As" dialog box).
Time The timestamp of the packet. The presentation format of this timestamp can be changed, see Section 6.12, Time display formats and time references. Source The address where this packet is coming from. Destination The address where this packet is going to. Protocol The protocol name in a short (perhaps abbreviated) version. Info Additional information about the packet content. There is a context menu (right mouse click) available, see details in Figure 6.4, Pop-up menu of the "Packet List" pane.
3.19. The "Packet Details" pane
The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form.
Figure 3.17. The "Packet Details" pane
This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed. There is a context menu (right mouse click) available, see details in Figure 6.5, Pop-up menu of the "Packet Details" pane. Some protocol fields are specially displayed. Generated fields Wireshark itself will generate additional protocol fields which are surrounded by brackets. The information in these fields is derived from the known context to other packets in the capture file. For example, Wireshark is doing a sequence/acknowledge analysis of each TCP stream, which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol. Links If Wireshark detected a relationship to another packet in the capture file, it will generate a link to that packet. Links are underlined and displayed in blue. If double-clicked, Wireshark jumps to the corresponding packet.
3.20. The "Packet Bytes" pane
The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style.
Figure 3.18. The "Packet Bytes" pane
As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or. if not appropriate) are displayed. Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data, see Section 7.6, Packet Reassembling. In this case there are some additional tabs shown at the bottom of the pane to let you select the page you want to see.
Figure 3.19. The "Packet Bytes" pane with tabs
The additional pages might contain data picked from multiple packets. The context menu (right mouse click) of the tab labels will show a list of all available pages. This can be helpful if the size in the pane is too small for all the tab labels.
3.21. The Statusbar
The statusbar displays informational messages. In general, the left side will show context related information, the middle part will show the current number of packets, and the right side will show the selected configuration profile. Drag the handles between the text areas to change the size.
5.7.4. The "Export as C Arrays (packet bytes) file" dialog box
XXX - add screenshot Export packet bytes into C arrays so you can import the stream data into your own C program. Export to file: frame chooses the file to export the packet data to. The Packet Range frame is described in Section 5.9, The Packet Range frame.
5.7.5. The "Export as PSML File" dialog box
Export packet data into PSML. This is an XML based format including only the packet summary. The PSML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:psml_specification.
Figure 5.14. The "Export as PSML File" dialog box
The Packet Range frame is described in Section 5.9, The Packet Range frame. There's no such thing as a packet details frame for PSML export, as the packet format is defined by the PSML specification.
5.7.6. The "Export as PDML File" dialog box
Export packet data into PDML. This is an XML based format including the packet details. The PDML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:pdml_specification.
The PDML specification is not officially released and Wireshark's implementation of it is still in an early beta state, so please expect changes in future Wireshark versions.
Figure 5.15. The "Export as PDML File" dialog box
The Packet Range frame is described in Section 5.9, The Packet Range frame. There's no such thing as a packet details frame for PDML export, as the packet format is defined by the PDML specification.
5.7.7. The "Export selected packet bytes" dialog box
Export the bytes selected in the "Packet Bytes" pane into a raw binary file.
Figure 5.16. The "Export Selected Packet Bytes" dialog box
Name: the filename to export the packet data to.
The Save in folder: field lets you select the folder to save to (from some predefined folders). Browse for other folders provides a flexible way to choose a folder.
5.7.8. The "Export Objects" dialog box
This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP and lets you save them to disk. If you have a capture running, this list is automatically updated every few seconds with any new objects seen. The saved objects can then be opened with the proper viewer or executed in the case of executables (if it is for the same platform you are running Wireshark on) without any further work on your part. This feature is not available when using GTK2 versions below 2.4.
18.104.22.168. Errors / Warnings / Notes / Chats tabs
An easy and quick way to find the most interesting infos (rather than using the Details tab), is to have a look at the separate tabs for each severity level. As the tab label also contains the number of existing entries, it's easy to find the tab with the most important entries. There are usually a lot of identical expert infos only differing in the packet number. These identical infos will be combined into a single line - with a count column showing how often they appeared in the capture file. Clicking on the plus sign shows the individual packet numbers in a tree view.
22.214.171.124. Details tab
The Details tab provides the expert infos in a "log like" view, each entry on its own line (much like the packet list). As the amount of expert infos for a capture file can easily become very large, getting an idea of the interesting infos with this view can take quite a while. The advantage of this tab is to have all entries in the sequence as they appeared, this is sometimes a help to pinpoint problems.
7.3.3. "Colorized" Protocol Details Tree
The protocol field causing an expert info is colorized, e.g. uses a cyan background for a note severity level. This color is propagated to the toplevel protocol item in the tree, so it's easy to find the field that caused the expert info. For the example screenshot above, the IP "Time to live" value is very low (only 1), so the corresponding protocol field is marked with a cyan background. To easier find that item in the packet tree, the IP protocol toplevel item is marked cyan as well.
7.3.4. "Expert" Packet List Column (optional)
An optional "Expert Info Severity" packet list column is available (since SVN 22387 # 0.99.7), that displays the most significant severity of a packet, or stays empty if everything seems ok. This column is not displayed by default, but can be easily added using the Preferences Columns page described in Section 10.5, Preferences.
7.4. Time Stamps
Time stamps, their precisions and all that can be quite confusing. This section will provide you with information about what's going on while Wireshark processes time stamps. While packets are captured, each packet is time stamped as it comes in. These time stamps will be saved to the capture file, so they also will be available for (later) analysis. So where do these time stamps come from? While capturing, Wireshark gets the time stamps from the libpcap (WinPcap) library, which in turn gets them from the operating system kernel. If the capture data is loaded from a capture file, Wireshark obviously gets the data from that file.
You can use the Network Time Protocol (NTP) to automatically adjust your computer to the correct time, by synchronizing it to Internet NTP clock servers. NTP clients are available for all operating systems that Wireshark supports (and for a lot more), for examples see: http:// www.ntp.org/.
7.5.2. Wireshark and Time Zones
So what's the relationship between Wireshark and time zones anyway? Wireshark's native capture file format (libpcap format), and some other capture file formats, such as the Windows Sniffer, EtherPeek, AiroPeek, and Sun snoop formats, save the arrival time of packets as UTC values. UN*X systems, and "Windows NT based" systems (Windows NT 4.0, 2000, XP, Server 2003, Vista, Server 2008, 7) represent time internally as UTC. When Wireshark is capturing, no conversion is necessary. However, if the system time zone is not set correctly, the system's UTC time might not be correctly set even if the system clock appears to display correct local time. "Windows 9x based" systems (Windows 95, Windows 98, Windows Me) represent time internally as local time. When capturing, WinPcap has to convert the time to UTC before supplying it to Wireshark. If the system's time zone is not set correctly, that conversion will not be done correctly. Other capture file formats, such as the Microsoft Network Monitor, DOS-based Sniffer, and Network Instruments Observer formats, save the arrival time of packets as local time values. Internally to Wireshark, time stamps are represented in UTC; this means that, when reading capture files that save the arrival time of packets as local time values, Wireshark must convert those local time values to UTC values. Wireshark in turn will display the time stamps always in local time. The displaying computer will convert them from UTC to local time and displays this (local) time. For capture files saving the arrival time of packets as UTC values, this means that the arrival time will be displayed as the local time in your time zone, which might not be the same as the arrival time in the time zone in which the packet was captured. For capture files saving the arrival time of packets as local time values, the conversion to UTC will be done using your time zone's offset from UTC and DST rules, which means the conversion will not be done correctly; the conversion back to local time for display might undo this correctly, in which case the arrival time will be displayed as the arrival time in which the packet was captured.
The user can configure the following things: Graphs Graph 1-5: enable the specific graph 1-5 (only graph 1 is enabled by default) Color: the color of the graph (cannot be changed)
Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph) Style: the style of the graph (Line/Impulse/FBar/Dot) X Axis Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds) Pixels per tick: use 10/5/2/1 pixels per tick interval View as time of day: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture Y Axis Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced.) [XXX - describe the Advanced feature.] Scale: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,.) The save button will save the currently displayed portion of the graph as one of various file formats. The save feature is only available when using GTK version 2.6 or higher (the latest Windows versions comply with this requirement) and Wireshark version 0.99.7 or higher. The copy button will copy values from selected graphs to the clipboard in CSV (Comma Separated Values) format. The copy feature is only available in Wireshark version 0.99.8 or higher.
Click in the graph to select the first package in the selected interval.
8.7. Service Response Time
The service response time is the time between a request and the corresponding response. This information is available for many protocols. Service response time statistics are currently available for the following protocols: DCE-RPC Fibre Channel H.225 RAS LDAP LTE MAC MGCP ONC-RPC SMB As an example, the DCE-RPC service response time is described in more detail.
The other Service Response Time windows will work the same way (or only slightly different) compared to the following description.
8.7.1. The "Service Response Time DCE-RPC" window
The service response time of DCE-RPC is the time between the request and the corresponding response. First of all, you have to select the DCE-RPC interface:
packet filter in Wireshark display filter syntax disable all name resolutions (def: all enabled) enable specific name resolution(s): "mntC"
start with specified configuration profile go to specified packet number after "-r" jump to the first packet matching the (display) filter search backwards for a matching packet after "-J" set the font name used for most text output format of time stamps (def: r: rel. to first) eXtension options, see man page for details show various statistics, see man page for details
Output: -w <outfile|-> Miscellaneous: -h -v -P <key>:<path> -o <name>:<value>. -K <keytab>
set the output filename (or '-' for stdout)
display this help and exit display version info and exit persconf:path - personal configuration files persdata:path - personal data files override preference or recent setting keytab file to use for kerberos decryption
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command wireshark by itself will bring up Wireshark. However, you can include as many of the command line parameters as you like. Their meanings are as follows ( in alphabetical order ): XXX - is the alphabetical order a good choice? Maybe better task based? -a <capture autostop condition> Specify a criterion that specifies when Wireshark is to stop writing to a capture file. The criterion is of the form test:value, where test is one of: duration:value Stop writing to a capture file after value of seconds have elapsed. Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If this option is used together with the -b option, Wireshark will stop writing to the current capture file and switch to the next one if filesize is reached. Stop writing to capture files after value number of files were written.
-b <capture ring buffer option>
Example D.10. Help information available for text2pcap
Text2pcap 1.6.0 (SVN Rev 37205 from /trunk-1.6) Generate a capture file from an ASCII hexdump of packets. See http://www.wireshark.org for more information. Usage: text2pcap [options] <infile> <outfile> where <infile> specifies input filename (use - for standard input) <outfile> specifies output filename (use - for standard output)
Input: -o hex|oct|dec -t <timefmt>
parse offsets as (h)ex, (o)ctal or (d)ecimal; default is hex. treat the text before the packet as a date/time code; the specified argument is a format string of the sort supported by strptime. Example: The time "10:15:14.5476" has the format code "%H:%M:%S." NOTE: The subsecond component delimiter, '.', must be given, but no pattern is required; the remaining number is assumed to be fractions of a second. NOTE: Date/time fields from the current date/time are used as the default for unspecified fields.
Output: -l <typenum>
-m <max-packet> Prepend dummy header: -e <l3pid>
link-layer type number; default is 1 (Ethernet). See the file net/bpf.h for list of numbers. Use this option if your dump is a complete hex dump of an encapsulated packet and you wish to specify the exact type of encapsulation. Example: -l 7 for ARCNet packets. max packet length in output; default is 64000
prepend dummy Ethernet II header with specified L3PID (in HEX). Example: -e 0x806 to specify an ARP packet. -i <proto> prepend dummy IP header with specified IP protocol (in DECIMAL). Automatically prepends Ethernet header as well. Example: -i 46 -u <srcp>,<destp> prepend dummy UDP header with specified dest and source ports (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -u 1000,69 to make the packets look like TFTP/UDP packets. -T <srcp>,<destp> prepend dummy TCP header with specified dest and source ports (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -T 50,60 -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified dest/source ports and verification tag (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -s 30,40,34 -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified dest/source ports and verification tag 0. Automatically prepends a dummy SCTP DATA chunk header with payload protocol identifier ppi. Example: -S 30,40,34
Miscellaneous: -h -d -q
display this help and exit. show detailed debug of parser states. generate no output at all (automatically turns off -d).
D.10. idl2wrs: Creating dissectors from CORBA IDL files
In an ideal world idl2wrs would be mentioned in the users guide in passing and documented in the developers guide. As the developers guide has not yet been completed it will be documented here.
Urc-7200 R-5G50 OM-4TI Live 07 Ique 3200 SU-V300 EOB53102X Technology X210 Nokia PT-6 3040 AF DVD-P375 MDS-JB930 RM-V310 Firestrike Xmax-2005 HD-vision 32 DMC-LX2EG Optima RSH5zlbg FWD182 FS-C5016N Emachines E525 Trainer Conquer-generals Integral 2 ES 1816 MSI 2556 Rubino12 ZWF1020W HM120JI-I YP-S3JAB IC-02E RX-V592 FAX-phone 1600 GZ-MG57E A5-S416 Printer WR426F-2001 VPL-CX120 SH-S243D TEW-450APB Vega X7 Livephone TU73 WM-EX670 6281dwpe OFX 1000 Geonaute C400 GR-D73e-93E 28PT4457 HVR-1850 VIC100 Keytronic DX1000 MVC-CD1000 Discspeed 9 7100I PX-400R ZWG390 Aruqapn GR-151SSF Sport Review APA4320 ST-5000 VL800 Scenarist Gigashot A HP 48GX VR520 Epson C79 TDA-7556R 9900F KDL-40X1 Phones Lexington C32 Fairy Tale Konica 7165 MGB100 PRO 9 TX-14P1F Gloss Fantasy VII Booklet LH-D6230A DM6 KIT HD7812 Fostex 820 Morrowind Ivsc-5501 JBL PB10 Sensitive FZ1-S-2009 Dimage Z1 UF-S2 32LG10 Personal MZ-R909 6 5 Presto PVR INA-N333r-space-software Olympus X-A
manuel d'instructions, Guide de l'utilisateur | Manual de instrucciones, Instrucciones de uso | Bedienungsanleitung, Bedienungsanleitung | Manual de Instruções, guia do usuário | инструкция | návod na použitie, Užívateľská príručka, návod k použití | bruksanvisningen | instrukcja, podręcznik użytkownika | kullanım kılavuzu, Kullanım | kézikönyv, használati útmutató | manuale di istruzioni, istruzioni d'uso | handleiding, gebruikershandleiding
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101