Wireshark User’s Guide: For Wireshark 1.99
Ulf Lamping, Richard Sharpe (NS Computer Software and Services P/L), Ed Warnicke
Copyright © 2004-2014 Ulf Lamping, Richard Sharpe, Ed Warnicke. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. All logos and trademarks in this document are property of their respective owners.
Preface (viii)
1. Foreword (viii)
2. Who should read this document? (viii)
3. Acknowledgements (viii)
4. About this document
3.3. The Main window
3.3.1. Main Window Navigation
3.4. The Menu
3.5. The “File” menu
3.6. The “Edit” menu
5.4.1. The “Merge with Capture File” dialog box (90)
5.5. Import hex dump (91)
5.5.1. The “Import from Hex Dump” dialog box (92)
5.6. File Sets (94)
5.6.1. The “List Files” dialog box
7.4.1. Wireshark internals (140)
7.4.2. Capture file formats (141)
7.4.3. Accuracy (141)
7.5. Time Zones (141)
10.16. SMI (MIB and PIB) Paths (188)
10.17. SNMP Enterprise Specific Trap Types (189)
10.18. SNMP users Table (189)
10.19. Tektronix K12xx/15 RF5 protocols Table (189)
10.20. User DLTs protocol table
Preface
1. Foreword
Wireshark is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Wireshark because of the lack of documentation. This document is part of an effort by the Wireshark team to improve the usability of Wireshark. We hope that you find it useful and look forward to your comments.
2. Who should read this document?
The intended audience of this book is anyone using Wireshark.
4. About this document
This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It was originally written in DocBook/XML and converted to AsciiDoc by Gerald Combs. You will find some specially marked parts in this book:
This is a warning: You should pay attention to a warning, otherwise data loss might occur.
Chapter 1. Introduction
1.1. What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what’s going on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an electric cable (but at a higher level, of course).
Figure 1.1, “Wireshark captures packets and lets you examine their contents.” shows Wireshark having captured some packets and waiting for you to examine them.
Figure 1.1. Wireshark captures packets and lets you examine their contents.
1.1.3. Live capture from many different network media
Wireshark can capture traffic from many different network media types, including (despite its name) wireless LAN. Which media types are supported depends on many things, such as the operating system you are using. An overview of the supported media types can be found at https://wiki.wireshark.org/CaptureSetup/NetworkMedia.
1.1.4.
Although Wireshark captures packets using a separate process, the main interface is single-threaded and won’t benefit much from multi-core systems.
1.2.1. Microsoft Windows
• The current version of Wireshark should support any version of Windows that is still within its extended support lifetime. At the time of writing this includes Windows 8, 7, Vista, Server 2012, Server 2008 R2, Server 2008, and Server 2003.
• Any modern 32-bit x86 or 64-bit AMD64/x86-64 processor.
• 200 MB available RAM.
• Red Hat Enterprise/Fedora Linux
• Sun Solaris/i386
• Sun Solaris/SPARC
• Canonical Ubuntu
If a binary package is not available for your platform you can download the source and try to build it. Please report your experiences to wireshark-dev[AT]wireshark.org.
1.3. Where to get Wireshark
You can get the latest copy of the program from the Wireshark website at https://www.wireshark.org/download.html.
There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue. You can find a list of the people who have contributed code to Wireshark by checking the about dialog box of Wireshark, or at the authors page on the Wireshark web site. Wireshark is an open source software project, and is released under the GNU General Public License (GPL) version 2. All source code is freely available under the GPL.
Read the FAQ
Before sending any mail to the mailing lists below, be sure to read the FAQ. It will often answer any questions you might have. This will save you and others a lot of time. Keep in mind that a lot of people are subscribed to the mailing lists. You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the FAQ page in the dialog shown. An online version is available at the Wireshark website: https://www.wireshark.org/faq.html.
not interested in your specific problem. If required, you will be asked for further data by the people who really can help you.
Don’t send confidential information!
If you send capture files to the mailing lists, be sure they don’t contain any sensitive or confidential information like passwords or personally identifiable information (PII).
1.6.7.
Chapter 2. Building and Installing Wireshark
2.1. Introduction
As with all things there must be a beginning and so it is with Wireshark. To use Wireshark you must first install it. If you are running Windows or Mac OS X you can download an official release at https://www.wireshark.org/download.html, install it, and skip the rest of this chapter. If you are running another operating system such as Linux or FreeBSD you might want to install from source.
• Wireshark - The network protocol analyzer that we all know and mostly love.
• TShark - A command-line network protocol analyzer. If you haven’t tried it you should.
• Wireshark 1 Legacy - The old (GTK+) user interface in case you need it.
• Plugins & Extensions - Extras for the Wireshark and TShark dissection engines
• Dissector Plugins - Plugins with some extended dissections.
• Tree Statistics Plugins - Extended statistics.
2.3.5. Windows installer command line options
For special cases, there are some command line parameters available:
• /S runs the installer or uninstaller silently with default values. The silent installer will not install WinPcap.
• /desktopicon controls installation of the desktop icon: =yes forces installation, =no skips it, otherwise the default settings are used. This option can be useful for a silent installer.
2.3.10. Uninstall WinPcap
You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs and Features control panel. Remember that if you uninstall WinPcap you won’t be able to capture anything with Wireshark.
2.4. Installing Wireshark under Mac OS X
The official Mac OS X packages are distributed as disk images (.dmg) containing the application installer. To install Wireshark simply open the disk image and run the enclosed installer.
2.6.1. Installing from RPMs under Red Hat and alike
Use the following command to install the Wireshark RPM that you have downloaded from the Wireshark web site:
rpm -ivh wireshark-2.0.5.i386.rpm
If the above step fails because of missing dependencies, install the dependencies first, and then retry the step above.
2.6.2.
You need to install its development package as well. configure will also fail if you do not have libpcap (at least the required include files) on your system. If you cannot determine what the problems are, send an email to the wireshark-dev mailing list explaining your problem. Include the output from config.log and anything else you think is relevant, such as a trace of the make stage.
2.8.
Chapter 3. User Interface
3.1. Introduction
By now you have installed Wireshark and are most likely keen to get started capturing your first packets. In the next chapters we will explore:
• How the Wireshark user interface works
• How to capture packets in Wireshark
• How to view packets in Wireshark
• How to filter packets in Wireshark
• … and many other things!
3.2. Start Wireshark
You can start Wireshark from your shell or window manager.
Figure 3.1. The Main window
Wireshark’s main window consists of parts that are commonly known from many other GUI programs.
1. The menu (see Section 3.4, “The Menu”) is used to start actions.
2. The main toolbar (see Section 3.16, “The “Main” toolbar”) provides quick access to frequently used items from the menu.
3. The filter toolbar (see Section 3.17, “The “Filter” toolbar”) provides a way to directly manipulate the currently used display filter (see Section 6.3, “Filtering packets while viewing”).
4. The packet list pane (see Section 3.18, “The “Packet List” pane”) displays a summary of each packet captured.
Return, Enter: In the packet detail, toggles the selected tree item.
Additionally, typing anywhere in the main window will start filling in a display filter.
3.4. The Menu
Wireshark’s main menu is located either at the top of the main window (Windows, Linux) or at the top of your main screen (OS X). An example is shown in Figure 3.2, “The Menu”.
Note: Some menu items will be disabled (greyed out) if the corresponding feature isn’t available.
Internals: This menu contains items that show information about the internals of Wireshark. See Section 3.14, “The “Internals” menu”.
Help: This menu contains items to help the user, e.g. access to some basic help, manual pages of the various command line tools, online access to some of the web pages, and the usual about dialog. See Section 3.15, “The “Help” menu”.
Each of these menu items is described in more detail in the sections that follow.
Figure 3.3.
Table 3.2. File menu items
Open… (Ctrl+O): This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, “The “Open Capture File” dialog box”.
Open Recent: This menu item shows a submenu containing the recently opened capture files. Clicking on one of the submenu items will open the corresponding capture file directly.
Save As… (Shift+Ctrl+S): This menu item allows you to save the current capture file to whatever file you would like. It pops up the Save Capture File As dialog box (which is discussed further in Section 5.3.1, “The “Save Capture File As” dialog box”).
File Set → List Files: This menu item allows you to show a list of files in a file set. It pops up the Wireshark List File Set dialog box (which is discussed further in Section 5.6, “File Sets”).
Wireshark DICOM object list (which is discussed further in Section 5.7.8, “The "Export Objects" dialog box”).
Export → Objects → SMB: This menu item allows you to export all or some of the captured SMB objects into local files. It pops up the Wireshark SMB object list (which is discussed further in Section 5.7.8, “The "Export Objects" dialog box”).
Print… (Ctrl+P): This menu item allows you to print all (or some) of the packets in the capture file.
Figure 3.4.
Table 3.3. Edit menu items
Copy → Description (Shift+Ctrl+D): This menu item will copy the description of the selected item in the detail view to the clipboard.
Copy → Fieldname (Shift+Ctrl+F): This menu item will copy the fieldname of the selected item in the detail view to the clipboard.
Copy → Value (Shift+Ctrl+V): This menu item will copy the value of the selected item in the detail view to the clipboard.
selected packet. See Section 6.12.1, “Packet time referencing” for more information about the time referenced packets.
Unset All Time References (Ctrl+Alt+T): This menu item removes all time references on the packets.
Next Time Reference (Ctrl+Alt+N): This menu item tries to find the next time referenced packet.
Previous Time Reference (Ctrl+Alt+B): This menu item tries to find the previous time referenced packet.
Figure 3.5.
Table 3.4. View menu items
Main Toolbar: This menu item hides or shows the main toolbar, see Section 3.16, “The “Main” toolbar”.
Filter Toolbar: This menu item hides or shows the filter toolbar, see Section 3.17, “The “Filter” toolbar”.
Wireless Toolbar: This menu item hides or shows the wireless toolbar. May not be present on some platforms.
Statusbar: This menu item hides or shows the statusbar, see Section 3.21, “The Statusbar”.
Time Display Format → Seconds Since Beginning of Capture: 123.123456: Selecting this tells Wireshark to display time stamps in seconds since beginning of capture format, see Section 6.12, “Time display formats and time references”.
Time Display Format → Seconds Since Previous Captured Packet: 1.123456: Selecting this tells Wireshark to display time stamps in seconds since previous captured packet format, see Section 6.
Name Resolution → Enable for Network Layer: This item allows you to control whether or not Wireshark translates network addresses into names, see Section 7.7, “Name Resolution”.
Name Resolution → Enable for Transport Layer: This item allows you to control whether or not Wireshark translates transport addresses into names, see Section 7.7, “Name Resolution”.
expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
Collapse All (Ctrl+←): This menu item collapses the tree view of all packets in the capture list.
Colorize Conversation: This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet.
Figure 3.6.
Table 3.5. Go menu items
Back (Alt+←): Jump to the recently visited packet in the packet history, much like the page history in a web browser.
Forward (Alt+→): Jump to the next visited packet in the packet history, much like the page history in a web browser.
Go to Packet… (Ctrl+G): Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See Section 6.9, “Go to a specific packet” for details.
Figure 3.7.
Table 3.6. Capture menu items
Interfaces… (Ctrl+I): This menu item brings up a dialog box that shows what’s going on at the network interfaces Wireshark knows of, see Section 4.4, “The “Capture Interfaces” dialog box”.
Options… (Ctrl+K): This menu item brings up the Capture Options dialog box (discussed further in Section 4.5, “The “Capture Options” dialog box”) and allows you to start capturing packets.
Figure 3.8.
Table 3.7. Analyze menu items
Display Filters…: This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Display Filter Macros…: This menu item brings up a dialog box that allows you to create and edit display filter macros.
a particular protocol, see Section 10.4.3, “Show User Specified Decodes”.
Follow TCP Stream: This menu item brings up a separate window and displays all the TCP segments captured that are on the same TCP connection as a selected packet, see Section 7.2, “Following TCP streams”.
Follow UDP Stream: Same functionality as “Follow TCP Stream” but for UDP streams.
Follow SSL Stream: Same functionality as “Follow TCP Stream” but for SSL streams.
Figure 3.9. The “Statistics” Menu
All menu items will bring up a new window showing specific statistical information.
Table 3.8. Statistics menu items
Summary: Show information about the data captured, see Section 8.2, “The Summary window”.
Protocol Hierarchy: Display a hierarchical tree of protocol statistics, see Section 8.3, “The "Protocol Hierarchy" window”.
Conversations: Display a list of conversations (traffic between two endpoints), see Section 8.4.1, “The “Conversations” window”.
TCP Stream Graph: See Section 8.10, “The protocol specific statistics windows”.
UDP Multicast Streams: See Section 8.10, “The protocol specific statistics windows”.
WLAN Traffic: See Section 8.9, “WLAN Traffic Statistics”.
BOOTP-DHCP: See Section 8.10, “The protocol specific statistics windows”.
3.12. The “Telephony” menu
The Wireshark Telephony menu contains the fields shown in Table 3.9, “Telephony menu items”.
Figure 3.10. The “Telephony” Menu
All menu items will bring up a new window showing specific telephony related statistical information.
Table 3.9. Telephony menu items
IAX2: See Section 9.6, “The protocol specific statistics windows”.
SMPP Operations…: See Section 9.6, “The protocol specific statistics windows”.
SCTP: See Section 9.6, “The protocol specific statistics windows”.
ANSI: See Section 9.6, “The protocol specific statistics windows”.
GSM: See Section 9.6, “The protocol specific statistics windows”.
H.225…: See Section 9.
Figure 3.11.
Table 3.10. Tools menu items
Firewall ACL Rules: This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. It is assumed that the rules will be applied to an outside interface.
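The Firewall ACL Rules dialog described above turns an address or port seen in a capture into a rule in a chosen product's syntax. The following is an added example, not the generator behind Wireshark's dialog and not guaranteed to match its output character for character: it builds a block rule for an IPv4 address, or an IPv4+port pair, in the documented syntax of three of the products the dialog lists (iptables, OpenBSD pf, and Windows Firewall via netsh). The RuleSpec type, the function names and the sample address are this example's own; the rule syntaxes are the products' real ones.

```python
"""Added example: generate deny/allow rules for an IPv4 address or an
IPv4+port pair in iptables, OpenBSD pf and netsh advfirewall syntax.
This is not Wireshark's own generator; RuleSpec and the helpers are
constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RuleSpec:
    ip: str                       # IPv4 address the rule is about
    port: Optional[int] = None    # TCP/UDP port; None for an address-only rule
    proto: str = "tcp"            # "tcp" or "udp"; only used when port is set
    inbound: bool = True          # True: traffic arriving from ip, False: traffic leaving to ip
    deny: bool = True             # True: block, False: allow

    def __post_init__(self):
        # Validate before emitting anything a firewall will parse.
        ipaddress.IPv4Address(self.ip)
        if self.proto not in ("tcp", "udp"):
            raise ValueError("proto must be tcp or udp")
        if self.port is not None and not 0 < self.port < 65536:
            raise ValueError("port out of range")


def iptables_rule(spec):
    """Linux Netfilter: INPUT chain matches on source, OUTPUT chain on destination."""
    parts = ["iptables", "-A", "INPUT" if spec.inbound else "OUTPUT"]
    if spec.port is not None:
        parts += ["-p", spec.proto, "--dport", str(spec.port)]
    parts += ["-s" if spec.inbound else "-d", spec.ip, "-j", "DROP" if spec.deny else "ACCEPT"]
    return " ".join(parts)


def pf_rule(spec):
    """OpenBSD pf: 'quick' stops evaluation at the first match."""
    action = "block" if spec.deny else "pass"
    direction = "in" if spec.inbound else "out"
    src, dst = (spec.ip, "any") if spec.inbound else ("any", spec.ip)
    rule = f"{action} {direction} quick"
    if spec.port is not None:
        rule += f" proto {spec.proto}"
    rule += f" from {src} to {dst}"
    if spec.port is not None:
        rule += f" port {spec.port}"
    return rule


def netsh_rule(spec):
    """Windows Firewall via netsh advfirewall; localport applies to inbound rules."""
    parts = ["netsh", "advfirewall", "firewall", "add", "rule",
             f'name="{"deny" if spec.deny else "allow"}-{spec.ip}"',
             "dir=" + ("in" if spec.inbound else "out"),
             "action=" + ("block" if spec.deny else "allow"),
             f"remoteip={spec.ip}"]
    if spec.port is not None:
        parts.append(f"protocol={spec.proto.upper()}")
        parts.append(("localport=" if spec.inbound else "remoteport=") + str(spec.port))
    return " ".join(parts)


def generate(spec):
    """All three products' rules for one spec, keyed by product name."""
    return {"iptables": iptables_rule(spec), "pf": pf_rule(spec), "netsh": netsh_rule(spec)}


if __name__ == "__main__":
    # Constructed sample: block inbound SSH from one address (TEST-NET-1 documentation range).
    for product, rule in generate(RuleSpec("192.0.2.10", port=22)).items():
        print(f"{product:9s} {rule}")
```

As in the dialog, the rule is written for an outside interface: an inbound rule matches the remote address as source, an outbound rule matches it as destination.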
Figure 3.12.
Table 3.11. Internals menu items
Dissector tables: This menu item brings up a dialog box showing the tables with subdissector relationships.
Supported Protocols (slow!): This menu item brings up a dialog box showing the supported protocols and protocol fields.
3.15. The “Help” menu
The Wireshark Help menu contains the fields shown in Table 3.12, “Help menu items”.
Figure 3.13.
Table 3.12. Help menu items
Contents (F1): This menu item brings up a basic help system.
Manual Pages → …: This menu item starts a Web browser showing one of the locally installed HTML manual pages.
Website: This menu item starts a Web browser showing the webpage from: https://www.wireshark.org/.
FAQ’s: This menu item starts a Web browser showing various FAQ’s.
Downloads: This menu item starts a Web browser showing the downloads from: https://www.
Figure 3.14. The “Main” toolbar
Table 3.13. Main toolbar items
Interfaces… (Capture → Interfaces…): This item brings up the Capture Interfaces List dialog box (discussed further in Section 4.3, “Start Capturing”).
Options… (Capture → Options…): This item brings up the Capture Options dialog box (discussed further in Section 4.3, “Start Capturing”) and allows you to start capturing packets.
If you currently have a temporary capture file, the Save icon will be shown instead.
Close (File → Close): This item closes the current capture. If you have not saved the capture, you will be asked to save it first.
Reload (View → Reload): This item allows you to reload the current capture file.
Print… (File → Print…): This item allows you to print all (or some of) the packets in the capture file.
Zoom In (View → Zoom In): Zoom into the packet data (increase the font size).
Zoom Out (View → Zoom Out): Zoom out of the packet data (decrease the font size).
Normal Size (View → Normal Size): Set zoom level back to 100%.
Resize Columns (View → Resize Columns): Resize columns, so the content fits into them.
your preferences so Wireshark will use them the next time you start it. More detail is provided in Section 10.5, “Preferences”.
Help (Help → Contents): This item brings up the help dialog box.
3.17. The “Filter” toolbar
The filter toolbar lets you quickly edit and apply display filters. More information on display filters is available in Section 6.3, “Filtering packets while viewing”.
Figure 3.15. The “Filter” toolbar
Table 3.14.
This field is also where the current filter in effect is displayed.
Expression…: The middle button labeled "Add Expression…" opens a dialog box that lets you edit a display filter from a list of protocol fields, described in Section 6.5, “The “Filter Expression” dialog box”.
Clear: Resets the current display filter and clears the edit area.
Apply: Applies the current value in the edit area as the new display filter.
While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only. For example, let’s look at a packet containing TCP inside IP inside an Ethernet packet.
• Links: If Wireshark detected a relationship to another packet in the capture file, it will generate a link to that packet. Links are underlined and displayed in blue. If double-clicked, Wireshark jumps to the corresponding packet.
3.20. The “Packet Bytes” pane
The packet bytes pane shows the data of the current packet (selected in the “Packet List” pane) in a hexdump style.
Figure 3.18.
This statusbar is shown while no capture file is loaded, e.g. when Wireshark is started.
Figure 3.21. The Statusbar with a loaded capture file
• The colorized bullet on the left shows the highest expert info level found in the currently loaded capture file. Hovering the mouse over this icon will show a textual description of the expert info level, and clicking the icon will bring up the Expert Infos dialog box. For a detailed description of expert info, see Section 7.
Figure 3.24. The Statusbar with a display filter message
This is displayed if you are trying to use a display filter which may have unexpected results. For a detailed description, see Section 6.4.4, “A common mistake”.
Chapter 4. Capturing Live Network Data
4.1. Introduction
Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features:
• Capture from different kinds of network hardware such as Ethernet or 802.11.
• Stop the capture on different triggers such as the amount of captured data, elapsed time, or the number of packets.
• Simultaneously show decoded packets while Wireshark is capturing.
Windows” or Figure 4.2, “The “Capture Interfaces” dialog box on Unix/Linux” for more information. You can start a capture from this dialog box using the Start button.
• You can immediately start a capture using your current settings by selecting Capture → Start or by clicking the first toolbar button.
• If you already know the name of the capture interface you can start Wireshark from the command line:
$ wireshark -i eth0 -k
This will start Wireshark capturing on interface eth0.
Figure 4.2. The “Capture Interfaces” dialog box on Unix/Linux
Device (Unix/Linux only): The interface device name.
Description: The interface description provided by the operating system, or the user-defined comment added in Section 10.5.1, “Interface Options”.
IP: The first IP address Wireshark could find for this interface. You can click on the address to cycle through other addresses assigned to it, if available. If no address could be found, “none” will be displayed.
4.5. The “Capture Options” dialog box
When you select Capture → Options… (or use the corresponding item in the main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in Figure 4.3, “The “Capture Options” dialog box”.
Figure 4.3.
Tip: If you are unsure which options to choose in this dialog box, just try keeping the defaults, as this should work well in many cases.
4.5.1. Capture frame
The table shows the settings for all available interfaces:
• The name of the interface and its IP addresses. If no address could be resolved from the system, “none” will be shown.
Note: Loopback interfaces are not available on Windows platforms.
• The link-layer header type.
The execution of BPFs can be sped up on Linux by turning on the BPF JIT by executing
$ echo 1 >/proc/sys/net/core/bpf_jit_enable
if it is not enabled already. To make the change persistent you can use sysfsutils.
Manage Interfaces: The Manage Interfaces button opens Figure 4.6, “The “Add New Interfaces” dialog box”, where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added (Windows only).
4.5.2.
Wireshark does not display any packets until you stop the capture. When you check this, Wireshark captures in a separate process and feeds the captures to the display process.
Automatic scrolling in live capture: This option allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet.
Figure 4.4. The “Edit Interface Settings” dialog box
You can set the following fields in this dialog box:
IP address: The IP address(es) of the selected interface. If no address could be resolved from the system, “none” will be shown.
Link-layer header type: Unless you are in the rare situation that requires this, keep the default setting. For a detailed description, see Section 4.
Limit each packet to n bytes: This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen. If disabled, the value is set to the maximum of 65535, which will be sufficient for most protocols. Some rules of thumb:
• If you are unsure, just keep the default value.
Figure 4.5. The “Compile Results” dialog box
In the left window the interface names are listed. The results for an individual interface are shown in the right window when it is selected.
4.8. The “Add New Interfaces” dialog box
As a central point to manage interfaces, this dialog box consists of three tabs to add or remove interfaces.
Figure 4.6.
4.8.1. Add or remove pipes
Figure 4.7. The “Add New Interfaces - Pipes” dialog box
To successfully add a pipe, this pipe must have already been created. Click the New button and type the name of the pipe including its path. Alternatively, the Browse button can be used to locate the pipe. With the Save button the pipe is added to the list of available interfaces. Afterwards, other pipes can be added. To remove a pipe from the list of interfaces it first has to be selected.
4.8.2. Add or hide local interfaces
Figure 4.8. The “Add New Interfaces - Local Interfaces” dialog box
The tab “Local Interfaces” contains a list of available local interfaces, including the hidden ones, which are not shown in the other lists. If a new local interface is added, for example when a wireless interface has been activated, it is not automatically added to the list, to avoid constantly scanning for changes in the list of available interfaces.
4.8.3. Add or hide remote interfaces
Figure 4.9. The “Add New Interfaces - Remote Interfaces” dialog box
In this tab interfaces on remote hosts can be added. One or more of these interfaces can be hidden. In contrast to the local interfaces, they are not saved in the preferences file. To remove a host including all its interfaces from the list, it has to be selected. Then click the Delete button. For a detailed description see Section 4.
Note: Make sure you have outside access to port 2002 on the target platform. This is the port where the Remote Packet Capture Protocol service can be reached by default.
To access the Remote Capture Interfaces dialog use the “Add New Interfaces - Remote” dialog. See Figure 4.9, “The “Add New Interfaces - Remote Interfaces” dialog box” and select Add.
4.9.1. Remote Capture Interfaces
Figure 4.10.
Password authentication: This is the normal way of connecting to a target platform. Set the credentials needed to connect to the Remote Packet Capture Protocol service.
4.9.2. Remote Capture Settings
The remote capture can be further fine-tuned to match your situation. The Remote Settings button in Figure 4.4, “The “Edit Interface Settings” dialog box” gives you this option. It pops up the dialog shown in Figure 4.11, “The “Remote Capture Settings” dialog box”.
Figure 4.11.
number of packets. This allows capture over a narrow-band remote capture session of a higher bandwidth interface.
Sampling option 1 every x milliseconds: This option limits the Remote Packet Capture Protocol service to send only a subsample of the captured data in terms of time. This allows capture over a narrow-band capture session of a higher bandwidth interface.
4.10.
Figure 4.12. The “Interface Details” dialog box

4.11. Capture files and file modes

While capturing, the underlying libpcap capturing engine grabs the packets from the network card and keeps the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into the capture file(s) the user specified. Different modes of operation are available when saving this packet data to the capture file(s).
Using multiple files may cut context-related information. Wireshark keeps context information about the loaded packet data, so it can report context-related problems (like a stream error) and keeps information about context-related protocols (e.g. where data is exchanged during the establishing phase and only referred to in later packets). As it keeps this information only for the loaded file, using one of the multiple file modes may cut these contexts.
headers. “802.11” will cause them to have full IEEE 802.11 headers. Unless the capture needs to be read by an application that doesn’t support 802.11 headers, you should select “802.11”.

If you are capturing on an Endace DAG card connected to a synchronous serial line, you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If the protocol on the serial line is PPP, select “PPP over serial”; if the protocol on the serial line is Cisco HDLC, select “Cisco HDLC”.
gateway host
    This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

[src|dst] net [{mask }|{len }]
    This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network.
4.14. While a Capture is running …

While a capture is running, the following dialog box is shown:

Figure 4.13. The “Capture Info” dialog box

This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed.

Tip
This “Capture Info” dialog box can be hidden using the “Hide capture info dialog” option in the Capture Options dialog box.

4.14.1.
1. Using the Capture → Stop menu item.
2. Using the Stop toolbar button.
3. Pressing Ctrl+E.
4. The capture will be stopped automatically if one of the Stop Conditions is met, e.g. the maximum amount of data was captured.

4.14.2. Restart a running capture

A running capture session can be restarted with the same capture options as the last time; this will remove all packets previously captured.
Chapter 5. File Input, Output, and Printing

5.1. Introduction

This chapter will describe input and output of capture data.

• Open capture files in various capture file formats
• Save/Export capture files in various capture file formats
• Merge capture files together
• Import text files containing hex dumps of packets
• Print packets

5.2. Open capture files

Wireshark can read in previously saved capture files. To read them, simply select the File → Open menu or toolbar item.
• View file preview information such as the file size and the number of packets in the selected capture file.
• Specify a display filter with the Filter button and filter field. This filter will be used when opening the new file. The text field background becomes green for a valid filter string and red for an invalid one. Clicking on the Filter button causes Wireshark to pop up the “Filters” dialog box (which is discussed further in Section 6.
Figure 5.2. “Open” - Linux and UNIX

This is the common Gimp/GNOME file open dialog plus some Wireshark extensions. Specific to this dialog:

• The + button allows you to add a directory selected in the right-hand pane to the favorites list on the left. These changes are persistent.
• The - button allows you to remove a selected directory from the list. Some items (such as “Desktop”) cannot be removed from the favorites list.
• Network Associates Windows-based Sniffer and Sniffer Pro captures
• Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
• AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
• RADCOM’s WAN/LAN Analyzer captures
• Network Instruments Observer version 9 captures
• Lucent/Ascend router debug output
• HP-UX’s nettl
• Toshiba’s ISDN routers dump output
• ISDN4BSD i4btrace utility
• traces from the EyeSDN USB
It may not be possible to read some formats, depending on the packet types captured. Ethernet captures are usually supported for most file formats, but it may not be possible to read other packet types such as PPP or IEEE 802.11 from all file formats.

5.3. Saving captured packets

You can save captured packets simply by using the File → Save As… menu item. You can choose which packets to save and which file format to use.
Figure 5.4. “Save” on Linux and UNIX

This is the common Gimp/GNOME file save dialog with additional Wireshark extensions. Specific to this dialog:

• Clicking on the + at "Browse for other folders" will allow you to browse files and folders in your file system.

With this dialog box, you can perform the following actions:

1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.
2.
1. Click the Save or OK button to accept your selected file and save to it. If Wireshark has a problem saving the captured packets to the file you specified, it will display an error dialog box. After clicking OK on that error dialog box you can try again.
2. Click on the Cancel button to go back to Wireshark without saving any packets.

5.3.2.
• Use the File → Merge menu to open the “Merge” dialog. See Section 5.4.1, “The “Merge with Capture File” dialog box”. This menu item will be disabled unless you have loaded a capture file.
• Use drag-and-drop to drop multiple files on the main window. Wireshark will try to merge the packets in chronological order from the dropped files into a newly created temporary file. If you drop only a single file, it will simply replace the existing capture.
Figure 5.6. “Merge” on Linux and UNIX

This is the common Gimp/GNOME file open dialog with additional Wireshark extensions.

5.5. Import hex dump

Wireshark can read in an ASCII hex dump and write the data described into a temporary libpcap capture file. It can read hex dumps with multiple packets in them and build a capture file of multiple packets.
There are a couple of other special features to note. Any line where the first non-whitespace character is # will be ignored as a comment. Any line beginning with #TEXT2PCAP is a directive, and options can be inserted after this command to be processed by Wireshark. Currently there are no directives implemented. In the future these may be used to give more fine-grained control over the dump and the way it should be processed, e.g. timestamps, encapsulation type etc.
Figure 5.7. The “Import from Hex Dump” dialog

Specific controls of this import dialog are split into two sections:

Input
    Determine which input file has to be imported and how it is to be interpreted.
Import
    Determine how the data is to be imported.

The input parameters are as follows:

Filename / Browse
    Enter the name of the text file to import. You can use Browse to browse for a file.
Offsets
    Select the radix of the offsets given in the text file to import.
Date/Time
    Tick this checkbox if there are timestamps associated with the frames in the text file to import that you would like to use. Otherwise the current time is used for timestamping the frames.
Format
    This is the format specifier used to parse the timestamps in the text file to import. It uses a simple syntax to describe the format of the timestamps, using %H for hours, %M for minutes, %S for seconds, etc. The straightforward HH:MM:SS format is covered by %T.
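The import described above (offset-prefixed hex lines, # comments, the no-op #TEXT2PCAP directive, and a %T-style timestamp format), as an added Python example that is not part of the guide or of Wireshark's own text2pcap code. It assumes a simplified layout in which a timestamp, when present, sits on a preamble line of its own before each frame, and the sample dump is constructed.

```python
import re
import struct
import time
from datetime import date, datetime

# Constructed input in the layout the "Import from Hex Dump" dialog accepts: hex
# offsets, a comment, a (no-op) #TEXT2PCAP directive and a trailing ASCII column.
# Assumption of this example: a timestamp, when present, is a preamble line of
# its own directly before the first offset line of each frame.
SAMPLE_DUMP = """\
# constructed sample, not a real capture
#TEXT2PCAP
12:34:56
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01  ......."3DU.....
000010 08 00 06 04 00 01                                ......
12:34:57
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
OFFSET_LINE = re.compile(r"^([0-9a-fA-F]+)(?:\s+(.*))?$")
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _parse_timestamp(text, fmt):
    """strptime with %T expanded to the HH:MM:SS it stands for (Python lacks %T)."""
    ts = datetime.strptime(text.strip(), fmt.replace("%T", "%H:%M:%S"))
    if ts.year == 1900:  # the format carried no date: fall back to today
        today = date.today()
        ts = ts.replace(year=today.year, month=today.month, day=today.day)
    return ts


def parse_hex_dump(text, offsets="hex", time_format=None):
    """Return a list of (timestamp or None, frame bytes); offsets is "hex" or "dec"."""
    radix = 16 if offsets == "hex" else 10
    frames, current, pending_ts = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            # Comments and #TEXT2PCAP directive lines (none implemented) are skipped.
            continue
        m = OFFSET_LINE.match(line)
        tokens = (m.group(2) or "").split() if m else []
        if m and (not tokens or HEX_PAIR.match(tokens[0])):
            offset = int(m.group(1), radix)
            data = bytearray()
            for tok in tokens:  # stop at the first non-hex token (the ASCII column)
                if not HEX_PAIR.match(tok):
                    break
                data.append(int(tok, 16))
            if offset == 0:  # offset 0 starts a new frame
                if current is not None:
                    frames.append(current)
                current = (pending_ts, bytearray())
                pending_ts = None
            elif current is None or offset != len(current[1]):
                raise ValueError("offset %s does not continue the current frame" % m.group(1))
            current[1].extend(data)
        elif time_format:
            try:
                pending_ts = _parse_timestamp(line, time_format)  # preamble line
            except ValueError:
                pass  # preamble text that is not a timestamp is ignored
    if current is not None:
        frames.append(current)
    return [(ts, bytes(data)) for ts, data in frames]


def write_pcap(frames, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialize frames into a classic little-endian, microsecond-resolution pcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, data in frames:
        seconds = ts.timestamp() if ts is not None else time.time()  # "current time" fallback
        sec = int(seconds)
        usec = int((seconds - sec) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(data), len(data))
        out += data
    return bytes(out)


if __name__ == "__main__":
    frames = parse_hex_dump(SAMPLE_DUMP, offsets="hex", time_format="%T")
    with open("imported.pcap", "wb") as fh:
        fh.write(write_pcap(frames))
    print("wrote %d frame(s)" % len(frames))
```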
• The “List Files” dialog box will list the files Wireshark has recognized as being part of the current file set.
• Next File closes the current file and opens the next file in the file set.
• Previous File closes the current file and opens the previous file in the file set.

5.6.1. The “List Files” dialog box

Figure 5.8. The "List Files" dialog box

Each line contains information about a file of the file set:

• Filename: the name of the file.
• Created: the creation time of the file
• Last Modified: the last time the file was modified
• Size: the size of the file

The last line will contain information about the currently used directory where all of the files in the file set can be found.

The content of this dialog box is updated each time a capture file is opened/closed.

The Close button will, well, close the dialog box.

5.7. Exporting data

Wireshark provides several ways and formats to export packet data.
Figure 5.9. The “Export as Plain Text File” dialog box

• The “Export to file:” frame chooses the file to export the packet data to.
• The “Packet Range” frame is described in Section 5.9, “The “Packet Range” frame”.
• The “Packet Details” frame is described in Section 5.10, “The Packet Format frame”.
5.7.2. The “Export as PostScript File” dialog box

Figure 5.10. The "Export as PostScript File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The “Packet Range” frame”.
• The Packet Details frame is described in Section 5.10, “The Packet Format frame”.

5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box

Export packet summary into CSV, used e.g. by spreadsheet programs to im-/export data.

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The “Packet Range” frame”.

5.7.4.
Figure 5.11. The "Export as PSML File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The “Packet Range” frame”.

There’s no such thing as a packet details frame for PSML export, as the packet format is defined by the PSML specification.
5.7.6. The "Export as PDML File" dialog box

Export packet data into PDML. This is an XML based format including the packet details. The PDML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:pdml_specification.

Note
The PDML specification is not officially released and Wireshark’s implementation of it is still in an early beta state, so please expect changes in future Wireshark versions.
Figure 5.12. The "Export as PDML File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The “Packet Range” frame”.

There’s no such thing as a packet details frame for PDML export, as the packet format is defined by the PDML specification.
5.7.7. The "Export selected packet bytes" dialog box

Export the bytes selected in the "Packet Bytes" pane into a raw binary file.

Figure 5.13. The "Export Selected Packet Bytes" dialog box

• Name: the filename to export the packet data to.
• The Save in folder: field lets you select the folder to save to (from some predefined folders).
• Browse for other folders provides a flexible way to choose a folder.

5.7.8. The "Export Objects" dialog box

This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP, and lets you save them to disk.
• Save All: Saves all objects in the list using the filename from the filename column. You will be asked what directory / folder to save them in. If the filename is invalid for the operating system / file system you are running Wireshark on, then an error will appear and that object will not be saved (but all of the others will be).

5.8. Printing packets

To print packets, select the File → Print… menu item.
• Output to file: specifies that printing be done to a file, using the filename entered in the field or selected with the browse button. This field is where you enter the file to print to if you have selected Print to a file, or you can click the button to browse the filesystem. It is greyed out if Print to a file is not selected.
• Print command: specifies that a command be used for printing.

Note!
These Print command fields are not available on Windows platforms.
• Selected packet only: process only the selected packet.
• Marked packets only: process only the marked packets.
• From first to last marked packet: process the packets from the first to the last marked one.
• Specify a packet range: process a user-specified range of packets, e.g. specifying 5,10-15,20- will process packet number five, the packets from packet number ten to fifteen (inclusive) and every packet from number twenty to the end of the capture.

5.10.
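The packet range syntax above (single numbers, inclusive n-m ranges and an open-ended n- that runs to the end of the capture), as an added Python example that is not the guide's or Wireshark's own code; the capture summaries it runs over are constructed and numbered consecutively from 1.

```python
def parse_packet_range(spec, last_packet):
    """Expand a "Specify a packet range" string such as "5,10-15,20-" into the
    sorted list of packet numbers it selects, given the number of the last packet."""
    selected = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, _, hi = part.partition("-")
            if not lo:
                raise ValueError("range %r has no starting packet number" % part)
            start = int(lo)
            end = int(hi) if hi else last_packet  # open-ended "20-" runs to the end
        else:
            start = end = int(part)
        if start < 1 or end < start:
            raise ValueError("invalid packet range %r" % part)
        # numbers beyond the last packet select nothing rather than failing
        selected.update(range(start, min(end, last_packet) + 1))
    return sorted(selected)


def select_packets(packets, spec):
    """Keep only the (number, summary) tuples whose number falls in the range spec.
    Assumes the list is numbered 1..N consecutively, as the packet list pane is."""
    wanted = set(parse_packet_range(spec, len(packets)))
    return [pkt for pkt in packets if pkt[0] in wanted]


if __name__ == "__main__":
    capture = [(n, "constructed packet %d" % n) for n in range(1, 26)]
    print([n for n, _ in select_packets(capture, "5,10-15,20-")])
```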
Chapter 6. Working with captured packets

6.1. Viewing packets you have captured

Once you have captured some packets or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes. You can then expand any part of the tree to view detailed information about each protocol in each packet.
Figure 6.1. Wireshark with a TCP packet selected for viewing

You can also select and view packets the same way while Wireshark is capturing if you selected “Update list of packets in real time” in the “Capture Preferences” dialog box.

In addition, you can view individual packets in a separate window, as shown in Figure 6.2, “Viewing a packet in a separate window”.
selecting the packet in which you are interested in the packet list pane and selecting View → Show Packet in New Window. This allows you to easily compare two or more packets, even across multiple files.

Figure 6.2. Viewing a packet in a separate window

Along with double-clicking the packet list and using the main menu, there are a number of other ways to open a new packet window:

• Hold down the shift key and double-click on a frame link in the packet details.
6.2. Pop-up menus

You can bring up a pop-up menu over either the “Packet List” pane, its column header, or the “Packet Details” pane by clicking your right mouse button on the corresponding pane.
6.2.1. Pop-up menu of the “Packet List” column header

Figure 6.3.
The following table gives an overview of which functions are available in this header, where to find the corresponding function in the main menu (given in brackets where one exists), and a short description of each item.

Table 6.1. The menu items of the “Packet List” column header pop-up menu

Sort Ascending: Sort the packet list in ascending order based on this column.
Sort Descending: Sort the packet list in descending order based on this column.
6.2.2. Pop-up menu of the “Packet List” pane

Figure 6.4.
The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu (given in brackets where one exists), and a short description of each item.

Table 6.2. The menu items of the “Packet List” pop-up menu

Mark Packet (toggle) [Edit]: Mark/unmark a packet.
Ignore Packet (toggle) [Edit]: Ignore or inspect this packet while dissecting the capture file.
Copy/As Filter: Prepare a display filter based on the currently selected item and copy that filter to the clipboard.
Copy/Bytes (Offset Hex Text): Copy the packet bytes to the clipboard in hexdump-like format.
Copy/Bytes (Offset Hex): Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion.
6.2.3. Pop-up menu of the “Packet Details” pane

Figure 6.5.
The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu (given in brackets where one exists), and a short description of each item.

Table 6.3. The menu items of the “Packet Details” pop-up menu

Expand Subtrees [View]: Expand the currently selected subtree.
Collapse Subtrees [View]: Collapse the currently selected subtree.
Copy/Bytes (Offset Hex Text): Copy the packet bytes to the clipboard in hexdump-like format; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
Filter Field Reference: Show the filter field reference web page corresponding to the currently selected protocol in your web browser.
Protocol Preferences…: The menu item takes you to the properties dialog and selects the page corresponding to the protocol if there are properties associated with the highlighted field. More information on preferences can be found in Figure 10.7, “The preferences dialog box”.
Note
All protocol and field names are entered in lowercase. Also, don’t forget to press enter after entering the filter expression.

Figure 6.6.
As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so the first packet shown is now packet number 11.

Note
When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content!

You can filter on any protocol that Wireshark understands.
English   C-like   Description and example
ne        !=       Not equal.                  ip.src != 10.0.0.5
gt        >        Greater than.               frame.len > 10
lt        <        Less than.                  frame.len < 128
ge        >=       Greater than or equal to.   frame.len ge 0x100
le        <=       Less than or equal to.      frame.len <= 0x20

In addition, all protocol fields have a type. Table 6.5, “Display Filter Field Types” provides a list of the types and examples of how to express them.

Table 6.5.
6.4.3. Combining expressions

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.6, “Display Filter Logical Operations”.

Table 6.6. Display Filter Logical Operations

English   C-like   Description and example
and       &&       Logical AND.   ip.src==10.0.0.5 and tcp.flag
or        ||       Logical OR.    ip.src==10.0.0.5 or ip.src==19
xor       ^^       Logical XOR.   tr.dst[0:3] == 0.6.29 xor tr.
not       !        Logical NOT.   not llc

Substring Operator.
sequence at offset n is selected. This is equivalent to n:1.

eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83

Wireshark allows you to string together single ranges in a comma-separated list to form compound ranges, as shown above.

6.4.4. A common mistake

Using the != operator on combined expressions like eth.addr, ip.addr, tcp.port, and udp.port will probably not work as expected. Often people use a filter string to display something like ip.addr == 1.2.3.
Figure 6.7. The “Filter Expression” dialog box

When you first bring up the Filter Expression dialog box you are shown a tree list of field names, organized by protocol, and a box for selecting a relation.

Field Name
    Select a protocol field from the protocol field tree. Every protocol with filterable fields is listed at the top level. (You can search for a particular protocol entry by entering the first few letters of the protocol name.)
Predefined values
    Some of the protocol fields have predefined values available, much like enums in C. If the selected protocol field has such values defined, you can choose one of them here.
Range
    A range of integers or a group of ranges, such as 1-12 or 39-42,98-2000.
OK
    When you have built a satisfactory expression, click OK and a filter string will be built for you.
Figure 6.8. The “Capture Filters” and “Display Filters” dialog boxes

New
    This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If any of these fields are empty, it will be set to “new”.
Delete
    This button deletes the selected filter. It will be greyed out if no filter is selected.
about the Add Expression dialog in Section 6.5, “The “Filter Expression” dialog box”.
OK
    Display Filter only: This button applies the selected filter to the current display and closes the dialog.
Apply
    Display Filter only: This button applies the selected filter to the current display and keeps the dialog open.
Save
    Save the current settings in this dialog. The file location and format are explained in Appendix B, Files and Folders.
Close
    Close this dialog.
ip.src==192.168.0.1 and tcp.flags.syn==1

For more details on display filters, see Section 6.3, “Filtering packets while viewing”.

• Hex Value: Search for a specific byte sequence in the packet data. For example, use “00:00” to find the next packet including two null bytes in the packet data.
• String: Find a string in the packet data, with various options.

The value to be found will be syntax checked while you type it in.
This dialog box will let you enter a packet number. When you press OK, Wireshark will jump to that packet.

6.9.4. The “Go to Corresponding Packet” command

If a protocol field is selected which points to another packet in the capture file, this command will jump to that packet. As these protocol fields now work like links (just as in your Web browser), it’s easier to simply double-click on the field to jump to the corresponding field.

6.9.5.
6.12. Time display formats and time references

While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis. A detailed description of timestamps, time zones and the like can be found in Section 7.4, “Time Stamps”.

The timestamp presentation format and the precision in the packet list can be chosen using the View menu; see Figure 3.5, “The “View” Menu”.
• Find Previous: Find the previous time referenced packet in the “Packet List” pane.

Figure 6.11. Wireshark showing a time referenced packet

A time referenced packet will be marked with the string *REF* in the Time column (see packet number 10). All subsequent packets will show the time since the last time reference.
Chapter 7. Advanced Topics

7.1. Introduction

This chapter describes some of Wireshark’s advanced features.

7.2. Following TCP streams

If you are working with TCP-based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream.
7.2.1. The “Follow TCP Stream” dialog box

Figure 7.1. The “Follow TCP Stream” dialog box

The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. If you like, you can change these colors in the “Colors” page of the “Preferences” dialog.
Non-printable characters will be replaced by dots.

The stream content won’t be updated while doing a live capture. To get the latest content you’ll have to reopen the dialog.

You can choose from the following actions:

1. Save As: Save the stream data in the currently selected format.
2. Print: Print the stream data in the currently selected format.
3. Direction: Choose the stream direction to be displayed (“Entire conversation”, “data from A to B only” or “data from B to A only”).
4.
Packet #   Severity   Group      Protocol   Summary
2          Chat       Sequence   TCP        Connection reset (RST)
8          Note       Sequence   TCP        Keep-Alive
9          Warn       Sequence   TCP        Fast retransmission (suspected)

7.3.1.1. Severity

Every expert info has a specific severity level. The following severity levels are used; in parentheses are the colors in which the items will be marked in the GUI:

• Chat (grey): information about usual workflow, e.g. a TCP packet with the SYN flag set
• Note (cyan): notable things, e.g.
7.3.2. “Expert Info” dialog

You can open the expert info dialog by selecting Analyze → Expert Info.

Figure 7.2. The “Expert Info” dialog box

7.3.2.1. Errors / Warnings / Notes / Chats tabs

An easy and quick way to find the most interesting info (rather than using the Details tab) is to have a look at the separate tabs for each severity level. As the tab label also contains the number of existing entries, it’s easy to find the tab with the most important entries.
7.3.3. “Colorized” Protocol Details Tree

Figure 7.3. The “Colorized” protocol details tree

The protocol field causing an expert info is colorized, e.g. it uses a cyan background for a note severity level. This color is propagated to the top-level protocol item in the tree, so it’s easy to find the field that caused the expert info.

For the example screenshot above, the IP “Time to live” value is very low (only 1), so the corresponding protocol field is marked with a cyan background.
7.3.4. “Expert” Packet List Column (optional)

Figure 7.4. The “Expert” packet list column

An optional “Expert Info Severity” packet list column is available that displays the most significant severity of a packet, or stays empty if everything seems OK. This column is not displayed by default but can be easily added using the Preferences Columns page described in Section 10.5, “Preferences”.

7.4. Time Stamps

Time stamps, their precisions and all that can be quite confusing.
While capturing, Wireshark uses the libpcap (WinPcap) capture library, which supports microsecond resolution. Unless you are working with specialized capturing hardware, this resolution should be adequate.

7.4.2. Capture file formats

Every capture file format that Wireshark knows supports time stamps. The time stamp precision supported by a specific capture file format differs widely and varies from one second “0” to one nanosecond “0.123456789”.
What are time zones?

People expect the time of day to follow the sun. Dawn should be in the morning, maybe around 06:00, and dusk in the evening, maybe at 20:00. These times will obviously vary depending on the season. It would be very confusing if everyone on earth used the same global time, as this would match the sun only in a small part of the world.
Tip
If you travel around the world, it’s a common mistake to adjust the hours of your computer clock to the local time. Don’t adjust the hours; adjust your time zone setting instead! For your computer, the time is essentially the same as before; you are simply in a different time zone with a different local time.

You can use the Network Time Protocol (NTP) to automatically adjust your computer to the correct time by synchronizing it to Internet NTP clock servers.
Conclusion: You need not bother about the date/time of the time stamp you are currently looking at unless you must make sure that the date/time is as expected. So, if you get a capture file from a different time zone and/or DST, you’ll have to find out the time zone/DST difference between the two local times and “mentally adjust” the time stamps accordingly. In any case, make sure that every computer in question has the correct time and time zone setting.

7.6. Packet Reassembly

7.6.1.
The tooltip of the higher level protocol setting will notify you if, and which, lower level protocol setting also has to be considered.

7.7. Name Resolution

Name resolution tries to convert some of the numerical address values into a human readable format. There are two possible ways to do these conversions, depending on the resolution to be done: calling system/network services (like the gethostname() function) and/or resolving from Wireshark specific configuration files.
7.7.3. IP name resolution (network layer)

Try to resolve an IP address (e.g. 216.239.37.99) to something more “human readable”.

DNS/concurrent DNS name resolution (system/library service): Wireshark will ask the operating system (or the concurrent DNS library) to convert an IP address to the hostname associated with it (e.g. 216.239.37.99 → www.1.google.com). The DNS service uses synchronous calls to the DNS server.
What are checksums for?

Checksums are used to ensure the integrity of data portions for data transmission or storage. A checksum is basically a calculated summary of such a data portion.

Network data transmissions often produce errors, such as toggled, missing or duplicated bits. As a result, the data received might not be identical to the data transmitted, which is obviously a bad thing. Because of these transmission errors, network protocols very often use checksums to detect such errors.
Recent network hardware can perform advanced features such as IP checksum calculation, also known as checksum offloading. The network driver won’t calculate the checksum itself but will simply hand over an empty (zero or garbage filled) checksum field to the hardware.

Note
Checksum offloading often causes confusion, as the network packets to be transmitted are handed over to Wireshark before the checksums are actually calculated.
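The checksum check and the offloading confusion described above, as an added Python example that is not the guide's or Wireshark's own code: it computes the RFC 1071 one's-complement checksum used by the IPv4 header, verifies it, and separates a zero-filled checksum field (what a capture on the sending host shows when the NIC fills the field in later) from real corruption. The IPv4 header fields and addresses are constructed.

```python
import socket
import struct


def internet_checksum(data):
    """RFC 1071 one's-complement checksum as used by IPv4, ICMP, UDP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the final byte on the right
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, checksum=None):
    """Constructed minimal 20-byte IPv4 header (TCP payload, TTL 64, DF set).
    checksum=None fills in the correct value; an int stores exactly that value."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if checksum is None:
        checksum = internet_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


def verify_ipv4_checksum(header):
    """A header whose bytes, checksum field included, sum to all ones verifies to 0."""
    return internet_checksum(header) == 0


def classify_ipv4_checksum(header):
    """Return "good", "offloaded?" or "bad".
    A zero checksum field on a frame captured on the sending host is the typical
    signature of checksum offloading (the hardware fills it in after Wireshark saw
    the frame); a garbage-filled field cannot be told apart from real corruption."""
    stored = struct.unpack("!H", header[10:12])[0]
    if verify_ipv4_checksum(header):
        return "good"
    if stored == 0:
        return "offloaded?"
    return "bad"


if __name__ == "__main__":
    good = ipv4_header("10.0.0.1", "10.0.0.2", 40)
    zeroed = ipv4_header("10.0.0.1", "10.0.0.2", 40, checksum=0)
    damaged = bytearray(good)
    damaged[8] ^= 0x01  # flip one bit of the TTL, as a transmission error would
    for name, hdr in (("good", good), ("zeroed", zeroed), ("damaged", bytes(damaged))):
        print(name, hex(struct.unpack("!H", hdr[10:12])[0]), classify_ipv4_checksum(hdr))
```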
Chapter 8. Statistics

8.1. Introduction

Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu. These statistics range from general information about the loaded capture file (like the number of captured packets) to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).

• General statistics:
  • Summary about the capture file.
  • Protocol Hierarchy of the captured packets.
  • Conversations e.g.
Figure 8.1.
• File: general information about the capture file.
• Time: the timestamps when the first and the last packet were captured (and the time between them).
• Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
• Display: some display related information.
• Traffic: some statistics of the network traffic seen.
Figure 8.2. The "Protocol Hierarchy" window

This is a tree of all the protocols in the capture. Each row contains the statistical values of one protocol. Two of the columns (Percent Packets and Percent Bytes) serve double duty as bar graphs. If a display filter is set, it will be shown at the bottom.

The Copy button will let you copy the window contents as CSV or YAML.
Percent Bytes: The percentage of protocol bytes relative to the total bytes in the capture
Bytes: The total number of bytes of this protocol
Bits/s: The bandwidth of this protocol, i.e. its bytes times eight divided by the capture duration
End Packets: The absolute number of packets of this protocol where it was the highest protocol in the stack (last dissected)
End Bytes: The absolute number of bytes of this protocol where it was the highest protocol in the stack (last dissected)
End Bits/s: The bandwidth of this protoc
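To make the column definitions concrete, here is an added Python example (written for this page, not Wireshark code) that computes the same rows from a constructed list of dissected packets, each given as its frame length and its protocol stack. The sample includes a TCP segment on a port no dissector claims, so its stack ends in the catch-all data protocol; the helper at the end lists such paths, which is the first thing to check when triaging a capture for traffic on non-standard ports. Counting the whole frame length for every protocol in the stack is the convention this example follows (and the reason the byte percentages of the rows do not add up to 100%); the sample lengths and the two-second capture duration are made up.

```python
# Constructed sample: (frame length in bytes, protocol stack lowest layer first)
# as a dissector would report it. The last entry is a TCP segment on an
# unknown port, which ends in the undissected "data" protocol.
SAMPLE_PACKETS = [
    (74, ["eth", "ip", "tcp"]),            # SYN
    (74, ["eth", "ip", "tcp"]),            # SYN/ACK
    (66, ["eth", "ip", "tcp"]),            # ACK
    (300, ["eth", "ip", "tcp", "http"]),   # GET
    (1514, ["eth", "ip", "tcp", "http"]),  # response segment
    (86, ["eth", "ip", "udp", "dns"]),
    (102, ["eth", "ip", "udp", "dns"]),
    (98, ["eth", "ip", "icmp"]),
    (1200, ["eth", "ip", "tcp", "data"]),  # opaque payload on an unknown port
]
CAPTURE_DURATION_S = 2.0                   # assumed span of the capture


def protocol_hierarchy(packets, duration_s):
    """Return a mapping path -> row, where path is the tuple of protocols
    from the lowest layer up to this one. Packets and Bytes count every
    frame that carries the protocol at that position in the stack;
    End Packets / End Bytes count only frames where it was the last
    dissected protocol. Bits/s divides by the capture duration."""
    total_pkts = len(packets)
    total_bytes = sum(length for length, _ in packets)
    rows = {}
    for length, stack in packets:
        for depth, _proto in enumerate(stack):
            path = tuple(stack[:depth + 1])
            row = rows.setdefault(path, {"packets": 0, "bytes": 0,
                                         "end_packets": 0, "end_bytes": 0})
            row["packets"] += 1
            row["bytes"] += length
            if depth == len(stack) - 1:
                row["end_packets"] += 1
                row["end_bytes"] += length
    for row in rows.values():
        row["pct_packets"] = 100.0 * row["packets"] / total_pkts if total_pkts else 0.0
        row["pct_bytes"] = 100.0 * row["bytes"] / total_bytes if total_bytes else 0.0
        row["bits_s"] = 8.0 * row["bytes"] / duration_s if duration_s > 0 else 0.0
        row["end_bits_s"] = 8.0 * row["end_bytes"] / duration_s if duration_s > 0 else 0.0
    return rows


def undissected_paths(rows):
    """Paths whose last protocol is the catch-all "data": traffic no dissector
    claimed, typically a non-standard port. A candidate for "Decode As" or
    for a closer look at what is really being carried."""
    return [path for path in sorted(rows) if path[-1] == "data"]


def format_hierarchy(rows):
    """Render the tree the way the window does: sorted paths put parents
    before their children, indentation shows the depth."""
    lines = ["%-28s %8s %8s %10s %8s %8s"
             % ("Protocol", "Packets", "%Pkts", "Bytes", "EndPkts", "Bits/s")]
    for path in sorted(rows):
        r = rows[path]
        name = "  " * (len(path) - 1) + path[-1]
        lines.append("%-28s %8d %7.1f%% %10d %8d %8.0f"
                     % (name, r["packets"], r["pct_packets"], r["bytes"],
                        r["end_packets"], r["bits_s"]))
    return lines


if __name__ == "__main__":
    hierarchy = protocol_hierarchy(SAMPLE_PACKETS, CAPTURE_DURATION_S)
    print("\n".join(format_hierarchy(hierarchy)))
    print("undissected:", undissected_paths(hierarchy))
```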
Name resolution will be done if selected in the window and if it is active for the specific protocol layer (MAC layer for the selected Ethernet endpoints page). Limit to display filter will only show conversations matching the current display filter. The Copy button will copy the list values to the clipboard in CSV (Comma Separated Values) or YAML format. The Follow Stream… button will show the stream contents as described in Figure 7.1, “The Follow TCP Stream dialog box”.
Token Ring: Identical to the Token Ring MAC-48 address.
UDP: A combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints.
USB: Identical to the 7-bit USB address.
Broadcast and multicast endpoints: Broadcast and multicast traffic will be shown separately as additional endpoints. Of course, as these aren’t physical endpoints the real traffic will be received by some or all of the listed unicast endpoints.
8.5.1.
8.6. The "IO Graphs" window User configurable graph of the captured network packets. You can define up to five differently colored graphs. Figure 8.5.
• Style: the style of the graph (Line/Impulse/FBar/Dot)
• X Axis
• Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
• Pixels per tick: use 10/5/2/1 pixels per tick interval
• View as time of day: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
• Y Axis
• Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced…) [XXX describe the Advanced feature.
First of all, you have to select the DCE-RPC interface: Figure 8.6. The "Compute DCE-RPC statistics" window You can optionally set a display filter to reduce the number of packets considered.
Figure 8.7. The "DCE-RPC Statistic for …" window Each row corresponds to a method of the selected interface (so the EPM interface in version 3 has 7 methods). For each method the number of calls and the Service Response Time (SRT) statistics are calculated.
8.8. Compare two capture files
This feature works best when you have merged two capture files chronologically, one from each side of a client/server connection. The merged capture data is checked for missing packets.
Figure 8.8.
• Start compare: Start comparing when this many IP IDs are matched. A zero value starts comparing immediately.
• Stop compare: Stop comparing when we can no longer match this many IP IDs. Zero always compares.
• Endpoint distinction: Use MAC addresses or IP time-to-live values to determine connection endpoints.
• Check order: Check for the same IP ID in the previous packet at each end.
• Time variance: Trigger an error if the packet arrives this many milliseconds after the average delay.
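Added example (Python written for this page, not part of Wireshark): a model of these checks over a constructed chronological merge of two single-side captures of one direction of a flow. Entries are (timestamp, IP ID, TTL); the assumption is that the sender's tap sees TTL 64 and the receiver's tap sees TTL 61, which is the TTL-based endpoint distinction listed above. The function pairs IP IDs across the two taps, reports IDs seen on one side only, applies the time-variance rule against the average delay, and checks that both sides saw the matched IDs in the same order. One caveat the comparison inherits from its key: RFC 6864 allows a sender to reuse the IPv4 ID for datagrams with DF set, so matching on IP ID alone is not guaranteed to be unique; IDs seen more than once at the same TTL are reported as ambiguous rather than paired.

```python
from collections import defaultdict
from statistics import mean

# Constructed example: one direction of a flow captured at both ends and
# merged in time order (as mergecap would do). Each entry is
# (timestamp_s, ip_id, ip_ttl). Assumption: the sender's capture sees
# TTL 64 and the receiver's capture sees TTL 61, so the TTL identifies
# the observation point. ID 4 is lost in transit, ID 6 arrives late, and
# IDs 2 and 3 are reordered before they reach the receiver.
SENDER_SIDE = [(0.000, 1, 64), (0.010, 2, 64), (0.020, 3, 64),
               (0.030, 4, 64), (0.040, 5, 64), (0.050, 6, 64)]
RECEIVER_SIDE = [(0.002, 1, 61), (0.022, 3, 61), (0.023, 2, 61),
                 (0.042, 5, 61), (0.100, 6, 61)]
MERGED = sorted(SENDER_SIDE + RECEIVER_SIDE)


def compare_captures(merged, time_variance_ms=0.0, check_order=True):
    """Pair each IP ID across the two observation points. Returns the IDs
    seen on one side only ("missing"), IDs whose observations cannot be
    told apart by TTL ("ambiguous"), IDs whose delay exceeds the average by
    more than time_variance_ms ("late"), and whether the matched IDs were
    seen in a different order at the two taps ("reordered")."""
    seen = defaultdict(list)                       # ip_id -> [(ts, ttl), ...]
    for ts, ip_id, ttl in merged:
        seen[ip_id].append((ts, ttl))
    result = {"missing": [], "ambiguous": [], "late": [],
              "reordered": False, "delay_ms": {}, "avg_delay_ms": 0.0}
    for ip_id, obs in seen.items():
        if len(obs) == 1:
            result["missing"].append(ip_id)        # lost between the two taps
            continue
        if len({ttl for _, ttl in obs}) < 2:
            result["ambiguous"].append(ip_id)      # same TTL twice: ID reuse or a duplicate
            continue
        times = [ts for ts, _ in obs]
        result["delay_ms"][ip_id] = (max(times) - min(times)) * 1000.0
    if result["delay_ms"]:
        avg = mean(result["delay_ms"].values())
        result["avg_delay_ms"] = avg
        if time_variance_ms > 0:
            result["late"] = [i for i, d in result["delay_ms"].items()
                              if d - avg > time_variance_ms]
    if check_order:
        order_per_tap = defaultdict(list)          # ttl -> IDs in arrival order
        for _ts, ip_id, ttl in merged:
            if ip_id in result["delay_ms"]:
                order_per_tap[ttl].append(ip_id)
        sequences = list(order_per_tap.values())
        result["reordered"] = len(sequences) == 2 and sequences[0] != sequences[1]
    return result


if __name__ == "__main__":
    report = compare_captures(MERGED, time_variance_ms=20.0)
    print("missing:", report["missing"], "late:", report["late"],
          "reordered:", report["reordered"],
          "avg delay %.1f ms" % report["avg_delay_ms"])
```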
Figure 8.9. The "WLAN Traffic Statistics" window Each row in the list shows the statistical values for exactly one wireless network. Name resolution will be done if selected in the window and if it is active for the MAC layer. Only show existing networks will exclude probe requests with an SSID not matching any network from the list. The Copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format.
Chapter 9. Telephony
9.1. Introduction
Wireshark provides a wide range of telephony related network statistics which can be accessed via the Telephony menu. These statistics range from specific signaling protocols, to analysis of signaling and media flows. If the media is encoded in a supported codec, the flow can even be played back.
9.2. RTP Analysis
The RTP analysis function takes the selected RTP stream (and the reverse stream, if possible) and generates a list of statistics on it.
Figure 9.1. The “RTP Stream Analysis” window Starting with basic data such as packet number and sequence number, further statistics are created based on arrival time, delay, jitter, packet size, etc. Besides the per packet statistics, the lower pane shows the overall statistics, with minimums and maximums for delta, jitter and clock skew. An indication of lost packets is also included.
9.3. VoIP Calls
The VoIP Calls window shows a list of all detected VoIP calls in the captured traffic. It finds calls by their signaling. More details are described at the https://wiki.wireshark.org/VoIP_calls page.
9.4. LTE MAC Traffic Statistics
Statistics of the captured LTE MAC traffic. This window will summarize the LTE MAC traffic found in the capture. Figure 9.2. The “LTE MAC Traffic Statistics” window The top pane shows statistics for common channels.
Figure 9.3. The “LTE RLC Traffic Statistics” window At the top, the check-box allows this window to include RLC PDUs found within MAC PDUs or not. This will affect both the PDUs counted as well as the display filters generated (see below). The upper list shows summaries of each active UE. Each row in the lower list shows statistical highlights for individual channels within the selected UE. The lower part of the window allows display filters to be generated and set for the selected channel.
9.6. The protocol specific statistics windows The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document. Some of these statistics are described at the https://wiki.wireshark.org/Statistics pages.
Chapter 10. Customizing Wireshark
10.1. Introduction
Wireshark’s default behaviour will usually suit your needs pretty well. However, as you become more familiar with Wireshark, it can be customized in various ways to suit your needs even better. In this chapter we explore:
• How to start Wireshark with command line parameters
• How to colorize the packet list
• How to control protocol dissection
• How to use the various preference settings
10.2.
Processing: -R -n -N User -C -Y -g -J -j -m -t -u -X -z interface: a|ad|d|dd|e|r|u|ud s|hms : Output: -w Miscellaneous: -h -v -P : -o : ...
at which point the data in the first file will be discarded so a new file can be written. If the optional duration is specified, Wireshark will also switch to the next file when the specified number of seconds has elapsed, even if the current file is not completely filled up.
duration:value Switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.
-i Set the name of the network interface or pipe to use for live packet capture. Network interface names should match one of the names listed in wireshark -D (described above). A number, as reported by wireshark -D, can also be used. If you’re using UNIX, netstat -i or ifconfig -a might also work to list interface names, although not all versions of UNIX support the -a flag to ifconfig.
the same name that would appear in the preferences or recent file), and value is the value to which it should be set. Multiple instances of -o can be given on a single command line.
An example of setting a single preference would be:
wireshark -o mgcp.display_dissect_tree:TRUE
An example of setting multiple preferences would be:
wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.
-S This option specifies that Wireshark will display packets as it captures them. This is done by capturing in one process and displaying them in a separate process. This is the same as “Update list of packets in real time” in the “Capture Options” dialog box.
-t
to the my.lua script. If two scripts were loaded, such as -X lua_script:my.lua and -X lua_script:other.lua in that order, then a -X lua_script2:bar would pass the string bar to the second lua script, namely other.lua.
-z Get Wireshark to collect various types of statistics and display the result in a window that updates in semi-real time.
10.3. Packet colorization
A very useful mechanism available in Wireshark is packet colorization.
Figure 10.1. The “Coloring Rules” dialog box If this is the first time using the Coloring Rules dialog and you’re using the default configuration profile you should see the default rules, shown above.
The first match wins
More specific rules should usually be listed before more general rules. For example, if you have a coloring rule for UDP before the one for DNS, the rule for DNS may not be applied (DNS is typically carried over UDP and the UDP rule will match first).
You can create a new rule by clicking on the + button. You can delete one or more rules by clicking the - button. The “copy” button will duplicate a rule. You can edit a rule by double-clicking on its name or filter.
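The following added Python example (written for this page, not Wireshark code) models the first-match rule and turns the ordering advice into a check you can run: each packet is a dict of dissected fields, each rule's filter is a predicate standing in for a display filter string, and shadowed_rules reports rules that match some sample packet but can never win because an earlier rule always fires first. The constructed rule list reproduces the UDP-before-DNS mistake from the text; promote_shadowed moves a shadowed rule in front of the first rule that beats it, which is one reasonable fix but an assumption about what you intended.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A packet is modelled as a dict of dissected fields; a rule's filter is a
# predicate over it, standing in for the display filter string.
Packet = Dict[str, object]


@dataclass
class ColoringRule:
    name: str
    filter: Callable[[Packet], bool]
    fg: str = "#000000"
    bg: str = "#ffffff"


def first_match(rules: List[ColoringRule], pkt: Packet) -> Optional[ColoringRule]:
    """The first rule whose filter matches decides the colour; later rules
    are never consulted for that packet."""
    for rule in rules:
        if rule.filter(pkt):
            return rule
    return None


def shadowed_rules(rules: List[ColoringRule], sample: List[Packet]) -> List[str]:
    """Names of rules that match at least one sample packet but never win,
    because an earlier rule matched first. Run this against a representative
    capture to catch ordering mistakes such as UDP listed before DNS."""
    wins = {r.name for r in (first_match(rules, p) for p in sample) if r}
    matches = {r.name for r in rules if any(r.filter(p) for p in sample)}
    return [r.name for r in rules if r.name in matches and r.name not in wins]


def promote_shadowed(rules: List[ColoringRule], sample: List[Packet]) -> List[ColoringRule]:
    """Move each shadowed rule directly in front of the earliest rule that
    wins a packet it matches (assumption: the narrower rule should win)."""
    rules = list(rules)
    for name in shadowed_rules(rules, sample):
        rule = next(r for r in rules if r.name == name)
        blockers = [first_match(rules, p) for p in sample if rule.filter(p)]
        target = min(rules.index(b) for b in blockers)
        rules.remove(rule)
        rules.insert(target, rule)
    return rules


def has(proto: str) -> Callable[[Packet], bool]:
    return lambda p: proto in p["protocols"]


# Constructed rule list reproducing the mistake described in the text.
RULES = [
    ColoringRule("TCP SYN/FIN", lambda p: "tcp" in p["protocols"]
                 and bool(p.get("tcp.flags", 0) & 0x03), bg="#a0a0a0"),
    ColoringRule("UDP", has("udp"), bg="#daeeff"),
    ColoringRule("DNS", has("dns"), bg="#fff3b3"),     # never wins: UDP is above it
    ColoringRule("TCP", has("tcp"), bg="#e7e6ff"),
]

# Constructed sample packets standing in for a small capture.
SAMPLE = [
    {"protocols": ["eth", "ip", "tcp"], "tcp.flags": 0x02},
    {"protocols": ["eth", "ip", "tcp"], "tcp.flags": 0x10},
    {"protocols": ["eth", "ip", "udp", "dns"]},
    {"protocols": ["eth", "ip", "udp", "ntp"]},
]


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES, SAMPLE))
    fixed = promote_shadowed(RULES, SAMPLE)
    print("order:", [r.name for r in fixed])
    print("DNS packet now coloured by:", first_match(fixed, SAMPLE[2]).name)
```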
Figure 10.3.
10.4. Control Protocol dissection
The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static “routes” and heuristic “guessing”), it might choose the wrong dissector in your specific case. For example, Wireshark won’t know if you use a common protocol on an uncommon TCP port, e.g.
Figure 10.4. The “Enabled Protocols” dialog box To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted. Note that typing the first few letters of the protocol name when the Enabled Protocols dialog box is active will temporarily open a search text box and automatically select the first matching protocol name (if it exists). You must use the Save button to save your settings.
You can choose from the following actions:
1. Enable All: Enable all protocols in the list.
2. Disable All: Disable all protocols in the list.
3. Invert: Toggle the state of all protocols in the list.
4. OK: Apply the changes and close the dialog box.
5. Apply: Apply the changes and keep the dialog box open.
6. Save: Save the settings to the disabled_protos file; see Appendix B, Files and Folders for details.
7. Cancel: Cancel the changes and close the dialog box.
10.4.2.
2. Do not decode: Do not decode packets the selected way.
3. Link/Network/Transport: Specify the network layer at which “Decode As” should take place. Which of these pages are available depends on the content of the selected packet when this dialog box is opened.
4. Show Current: Open a dialog box showing the current list of user specified decodes.
5. OK: Apply the currently selected decode and close the dialog box.
6.
Figure 10.7, “The preferences dialog box”, with the “User Interface” page as default. On the left side is a tree where you can select the page to be shown.
• The OK button will apply the preferences settings and close the dialog.
• The Apply button will apply the preferences settings and keep the dialog open.
• The Cancel button will restore all preferences settings to the last saved state.
Figure 10.7.
10.5.1. Interface Options
In the “Capture” preferences it is possible to configure several options for the interfaces available on your computer. Select the “Capture” pane and press the Edit button. In this window it is possible to change the default link-layer header type for the interface, add a comment or choose to hide an interface from other parts of the program. Figure 10.8.
10.6. Configuration Profiles
Configuration Profiles can be used to configure and use more than one set of preferences and configurations. Select the Configuration Profiles… menu item from the Edit menu, or simply press Shift-Ctrl-A, and Wireshark will pop up the Configuration Profiles dialog box as shown in Figure 10.9, “The configuration profiles dialog box”.
All other configurations are stored in the personal configuration folder, and are common to all profiles. Figure 10.9. The configuration profiles dialog box
New: This button adds a new profile to the profiles list. The name of the created profile is “New profile” and can be changed in the Properties field.
Copy: This button adds a new profile to the profiles list, copying all configuration from the profile currently selected in the list.
The profile name will be used as a folder name in the configured “Personal configurations” folder. If adding multiple profiles with the same name, only one profile will be created. On Windows the profile name cannot start or end with a period (.), and cannot contain any of the following characters: ‘\’, ‘/’, ‘:’, ‘*’, ‘?’, ‘"’, ‘<’, ‘>’, ‘|’, or ‘+’. On Unix the profile name cannot contain the ‘/’ character.
databases are available at no cost, while others require a licensing fee. See the MaxMind web site for more information. This table is handled by a user table (see Section 10.7, “User Table”) with the following fields.
Database pathname: This specifies a directory containing GeoIP data files. Any files beginning with Geo and ending with .dat will be automatically loaded. A total of 8 files can be loaded.
Whilst Wireshark has knowledge about many of the OIDs and the syntax of their associated values, the extensibility means that other values may be encountered. Wireshark uses this table to allow the user to define the name and syntax of Object Identifiers that Wireshark does not know about (for example, a privately defined X.400 extension). It also allows the user to override the name and syntax of Object Identifiers that Wireshark does know about (e.g.
Directory name: A module directory, e.g. /usr/local/snmp/mibs. Wireshark automatically uses the standard SMI path for your system, so you usually don’t have to add anything here.
10.17. SNMP Enterprise Specific Trap Types
Wireshark uses this table to map specific-trap values to user defined descriptions in a Trap PDU. The description is shown in the packet details specific-trap element. This table is handled by a user table (see Section 10.7, “User Table”) with the following fields.
Stk file to protocol matching is handled by a user table (see Section 10.7, “User Table”) with the following fields.
Match string: A partial match for an stk filename. The first match wins, so if you have a specific case and a general one the specific one must appear first in the list.
Protocol: This is the name of the encapsulating protocol (the lowest layer in the packet data); it can be either just the name of the protocol (e.g.
Appendix A. Wireshark Messages
Wireshark provides you with additional information generated out of the plain packet data or it may need to indicate dissection problems. Messages generated by Wireshark are usually placed in square brackets (“[]”).
A.1. Packet List Messages
These messages might appear in the packet list.
A.1.1. [Malformed Packet]
Malformed packet means that the protocol dissector can’t dissect the contents of the packet any further. This may be because the packet really is malformed (truncated, corrupted or deliberately crafted), or because the wrong dissector was chosen for it (see Section 10.4), so the message is worth a closer look rather than being dismissed.
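The following added Python example (written for this page, not Wireshark code) ties Section 10.4 and this message together: a minimal dissector registry with static port "routes", a user "Decode As" override that takes precedence over them, heuristic "guessing" on the payload when no port matches, and a catch-all data dissector. Each dissector bounds-checks its input and raises when bytes are missing, which the dispatcher reports as [Malformed Packet]. The sample payloads are constructed; checking the destination port before the source port, and the specific heuristic used, are simplifications of this example rather than Wireshark's actual rules. The last test case shows the other cause of the message: an SSH banner forced through the HTTP dissector via Decode As.

```python
import struct


class MalformedPacket(Exception):
    """Raised when a dissector needs bytes the packet does not have."""


def dissect_http(payload: bytes) -> dict:
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        raise MalformedPacket("request line is not 'METHOD URI VERSION'")
    return {"proto": "http", "method": parts[0].decode("ascii", "replace"),
            "uri": parts[1].decode("ascii", "replace")}


def dissect_dns(payload: bytes) -> dict:
    if len(payload) < 12:
        raise MalformedPacket("DNS header needs 12 bytes, got %d" % len(payload))
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", payload[:12])
    return {"proto": "dns", "id": txid, "response": bool(flags & 0x8000),
            "questions": qdcount, "answers": ancount}


def dissect_data(payload: bytes) -> dict:
    return {"proto": "data", "len": len(payload)}


DISSECTORS = {"http": dissect_http, "dns": dissect_dns, "data": dissect_data}
# Static "routes": well-known ports registered by each dissector (sample set).
PORT_TABLES = {"tcp.port": {80: "http"}, "udp.port": {53: "dns"}}
# Heuristic "guessing": content checks tried when no port matches (sample set).
HEURISTICS = {"tcp": [("http", lambda p: p[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"))]}


def choose_dissector(transport, sport, dport, payload, decode_as=None):
    """decode_as maps (table, port) -> dissector name, i.e. the user's
    "Decode As" entries; they override the built-in port table. Order in this
    example: destination port, then source port (assumption), then
    heuristics, then the data fallback."""
    table = transport + ".port"
    for port in (dport, sport):
        if decode_as and (table, port) in decode_as:
            return decode_as[(table, port)], "decode-as"
    for port in (dport, sport):
        if port in PORT_TABLES.get(table, {}):
            return PORT_TABLES[table][port], "port-table"
    for name, looks_like in HEURISTICS.get(transport, []):
        if looks_like(payload):
            return name, "heuristic"
    return "data", "fallback"


def dissect(transport, sport, dport, payload, decode_as=None):
    name, how = choose_dissector(transport, sport, dport, payload, decode_as)
    try:
        tree = DISSECTORS[name](payload)
    except MalformedPacket as err:
        # Wireshark stops here and shows [Malformed Packet]; the cause may be a
        # truncated or crafted packet, or simply the wrong dissector.
        tree = {"proto": name, "message": "[Malformed Packet: %s]" % err}
    tree["chosen_via"] = how
    return tree


if __name__ == "__main__":
    print(dissect("tcp", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n"))
    print(dissect("tcp", 51000, 8080, b"POST /api HTTP/1.1\r\n"))
    print(dissect("tcp", 51000, 8443, b"\x16\x03\x01\x00\xc8"))
    print(dissect("udp", 5353, 53, b"\x12\x34\x01"))
    print(dissect("tcp", 51000, 22, b"SSH-2.0-OpenSSH\r\n",
                  decode_as={("tcp.port", 22): "http"}))
```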
A.2.3. [Time from request: 0.123 seconds] The time between the request and the response packets. A.2.4. [Stream setup by PROTOCOL (frame 123)] The session control protocol (SDP, H225, etc) message which signaled the creation of this session. You can directly jump to the corresponding packet just by double clicking on this message.
Appendix B. Files and Folders B.1. Capture Files To understand which information will remain available after the captured packets are saved to a capture file, it’s helpful to know a bit about the capture file contents. Wireshark uses the pcapng file format as the default format to save captured packets. It is very flexible but other tools may not support it. Wireshark also supports the libpcap file format. This is a much simpler format and is well established.
B.2. Configuration Files and Folders Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas. Tip A list of the folders Wireshark actually uses can be found under the Folders tab in the dialog box shown when you select About Wireshark from the Help menu.
File/Folder | Description | Unix/Linux folders | Windows folders
ipxnets | IPX name resolution. | /etc/ipxnets, $HOME/.wireshark/ipxnets | %WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets
plugins | Plugin directories. | /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins | %WIRESHARK%\plugins\, %APPDATA%\Wireshark\plugins
temp | Temporary files. | |
The settings from this file are read in at program start and written to disk when you press the Save button in the “Display Filters” dialog box.
colorfilters: This file contains all the color filters that you have defined and saved.
An example is:
# Comments must be prepended by the # sign!
192.168.0.1 homeserver
The settings from this file are read in at program start and never written by Wireshark.
services: Wireshark uses the files listed in Table B.1, “Configuration files and folders overview” to translate port numbers into names.
temp folder If you start a new capture and don’t specify a filename for it, Wireshark uses this directory to store that file; see Section 4.11, “Capture files and file modes”. B.2.1. Protocol help configuration Wireshark can use configuration files to create context-sensitive menu items for protocol detail items which will load help URLs in your web browser. To create a protocol help file, create a folder named “protocol_help” in either the personal or global configuration folders.
# Maps Wireshark protocol names to section names below. Each key MUST match
# a valid protocol name. Each value MUST have a matching section below.
[map]
tcp=TCP

# Mapped protocol sections.
# Keys must match protocol detail items descriptions.
Windows NT 4: C:\WINNT\Profiles\\Application Data\Wireshark
Windows ME, Windows 98 with user profiles: In Windows ME and 98 you could enable separate user profiles. In that case, something like C:\windows\Profiles\\Application Data\Wireshark is used.
Windows ME, Windows 98 without user profiles: Without user profiles enabled the default location for all users was C:\windows\Application Data\Wireshark
B.3.2.
Appendix C. Protocols and Protocol Fields Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found in the “Display Filter Reference” at https://www.wireshark.
Appendix D. Related command line tools D.1. Introduction Along with the main application, Wireshark comes with an array of command line tools which can be helpful for specialized tasks. These tools will be described in this chapter. You can find more information about each command in the Manual Pages. D.2. tshark: Terminal-based Wireshark TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn’t necessary or available.
-w write packets to a pcap-format file named "outfile" (or to the standard output for "-")
-C start with specified configuration profile
-F
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark. Without any options set it will use the pcap library to capture traffic from the first available network interface and write the received raw packet data, along with the packets' time stamps into a pcapng file.
"Capture packets from interface eth0 until 60s passed into output.pcapng"
Use Ctrl-C to stop capturing at any time.
D.5. capinfos: Print information about capture files
capinfos can print information about binary capture files.
Help information available from capinfos.
Capinfos 1.12.1 (Git Rev Unknown from unknown)
Prints various information (infos) about capture files.
See http://www.wireshark.org for more information.
Usage: capinfos [options] ...
D.6. rawshark: Dump and analyze network traffic.
Rawshark reads a stream of packets from a file or pipe, and prints a line describing its output, followed by a set of matching fields for each packet on stdout.
Help information available from rawshark.
Rawshark 1.12.1 (Git Rev Unknown from unknown)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2014 Gerald Combs and contributors.
Duplicate packet removal:
-d remove packet if duplicate (window == 5).
-D remove packet if duplicate; configurable Valid values are 0 to 1000000. NOTE: A of 0 with -v (verbose option) is useful to print MD5 hashes.
-w remove packet if duplicate packet is found EQUAL TO OR LESS THAN prior to current packet. A is specified in relative seconds (e.g. 0.000001).
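Added Python example (written for this page, not editcap's code) modelling the two duplicate-removal strategies above on a constructed list of frames: a count window, where a frame is dropped if it is identical to one of the previous N input frames, and a time window, where it is dropped if an identical frame arrived within the given number of seconds. Treating the window as sliding over all input frames, dropped ones included, is an assumption of this model. Two points for forensic use: the comparison here confirms equality on the bytes and not only on the MD5 digest, so a crafted digest collision cannot make a distinct frame disappear; and byte-identical frames can be legitimate (retransmitted UDP probes, keep-alives, replayed traffic), so keep the dropped set rather than discarding it.

```python
import hashlib
from collections import deque

# Constructed frames: an ARP-like broadcast and three other fillers.
FRAME_A = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"A" * 46
FRAME_B = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"B" * 46
FRAME_C = b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + b"C" * 46
FRAME_D = b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + b"D" * 46
# (timestamp_s, frame): FRAME_A appears three times, the last one much later.
SAMPLE = [(0.0000, FRAME_A), (0.0001, FRAME_B), (0.0002, FRAME_A),
          (0.0003, FRAME_C), (0.0004, FRAME_D), (0.0010, FRAME_A)]


def frame_md5(frame: bytes) -> str:
    """The per-packet hash editcap prints with -v when the window is 0."""
    return hashlib.md5(frame).hexdigest()


def dedup_by_count(packets, window=5):
    """Model of editcap -d / -D: drop a frame identical to one of the
    previous `window` input frames. Returns (kept, dropped), each a list of
    (ts, frame). Equality is confirmed on the bytes, not just the digest."""
    recent = deque(maxlen=window)                 # (digest, frame) of the last N frames
    kept, dropped = [], []
    for ts, frame in packets:
        digest = frame_md5(frame)
        duplicate = any(d == digest and f == frame for d, f in recent)
        (dropped if duplicate else kept).append((ts, frame))
        recent.append((digest, frame))            # assumption: window covers every input frame
    return kept, dropped


def dedup_by_time(packets, window_s):
    """Model of editcap -w: drop a frame identical to an earlier frame that
    arrived no more than window_s seconds before it (equal counts)."""
    earlier = []                                  # (ts, digest, frame) still inside the window
    kept, dropped = [], []
    for ts, frame in packets:
        earlier = [e for e in earlier if ts - e[0] <= window_s]
        digest = frame_md5(frame)
        duplicate = any(d == digest and f == frame for _, d, f in earlier)
        (dropped if duplicate else kept).append((ts, frame))
        earlier.append((ts, digest, frame))
    return kept, dropped


if __name__ == "__main__":
    for window in (2, 5):
        kept, dropped = dedup_by_count(SAMPLE, window)
        print("count window %d: kept %d, dropped at %s" % (window, len(kept), [t for t, _ in dropped]))
    kept, dropped = dedup_by_time(SAMPLE, 0.0005)
    print("time window 0.5 ms: dropped at", [t for t, _ in dropped])
    print("hashes:", [frame_md5(f)[:8] for _, f in SAMPLE])
```

With a window of 2 the third FRAME_A is dropped but the late one survives; with the default window of 5 both repeats are dropped, which is the difference between -d and -D in practice.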
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
logcat - Android Logcat Binary format
logcat-brief - Android Logcat Brief text format
logcat-long - Android Logcat Long text format
logcat-process - Android Logcat Process text format
logcat-tag - Android Logcat Tag text format
logcat-thread - Android Logcat Thread text format
logcat-threadtime - Android Logcat Threadtime text format
logcat-time - Android Logcat Time text format
modli
fddi - FDDI
fddi-nettl - FDDI with nettl headers
fddi-swapped - FDDI with bit-swapped MAC addresses
flexray - FlexRay
frelay - Frame Relay
frelay-with-direction - Frame Relay with Directional Info
gcom-serial - GCOM Serial
gcom-tie1 - GCOM TIE1
gprs-llc - GPRS LLC
gsm_um - GSM Um Interface
hhdlc - HiPath HDLC
i2c - I2C
ieee-802-11 - IEEE 802.11 Wireless LAN
ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
ieee-802-11-avs - IEEE 802.
nfc-llcp - NFC LLCP
nflog - NFLOG
nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
null - NULL
packetlogger - PacketLogger
pflog - OpenBSD PF Firewall logs
pflog-old - OpenBSD PF Firewall logs, pre-3.
D.8. mergecap: Merging multiple capture files into one Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read libpcap capture files, including those of tcpdump.
A simple example merging dhcp-capture.pcapng and imap-1.pcapng into outfile.pcapng is shown below.
Simple example of using mergecap.
$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng
D.9. text2pcap: Converting ASCII hexdumps to network captures
There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file.
where specifies input filename (use - for standard input)
specifies output filename (use - for standard output)
Input:
-o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal; default is hex.
-t treat the text before the packet as a date/time code; the specified argument is a format string of the sort supported by strptime. Example: The time "10:15:14.5476" has the format code "%H:%M:%S.
-D
-a
Output:
-l
-m
-n use PCAP-NG instead of PCAP as output format.
D.10. reordercap: Reorder a capture file
reordercap lets you reorder a capture file according to the packets timestamp.
Help information available from reordercap.
Reordercap 1.12.1
Reorder timestamps of input file frames into output file.
See http://www.wireshark.org for more information.
Usage: reordercap [options]
Options:
-n don't write to output file if the input file is ordered.
-h
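The four tools above and the libpcap format described in Appendix B.1 share one data model, so a single added Python example (written for this page, not code from any of these tools) covers them: a text2pcap-style hexdump parser, a libpcap writer and a defensive reader, mergecap's chronological n-way merge of already ordered inputs, and reordercap's stable sort plus the "already ordered" check behind its -n option. The hexdumps and timestamps are constructed; the parser accepts only lines consisting of an offset and hex bytes (text2pcap is more tolerant, e.g. of a trailing ASCII column). The reader rejects a pcapng file instead of misparsing it, and checks every record length against the remaining bytes and the snaplen before slicing, which is the kind of check a capture-file parser needs since those lengths come from untrusted input.

```python
import heapq
import io
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap, native byte order
PCAPNG_MAGIC = 0x0A0D0D0A        # first word of a pcapng Section Header Block
LINKTYPE_ETHERNET = 1

# Constructed hexdumps in text2pcap's default input form: offset, then bytes.
# An offset of zero starts a new packet.
HEXDUMP_A = """
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
000010 08 00 06 04 00 01
"""
HEXDUMP_B = """
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
000010 00 1c
000000 aa bb cc dd ee ff 00 11 22 33 44 55 08 00
"""
HEXDUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*$")


def parse_hexdump(text, offset_base=16):
    """Lines that do not look like 'offset bytes...' are ignored (assumption:
    no trailing ASCII column). Returns a list of frames as bytes."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), offset_base) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current += bytes.fromhex("".join(m.group(2).split()))
    if current:
        packets.append(bytes(current))
    return packets


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535, big_endian=False):
    """libpcap: 24-byte global header, then per packet a 16-byte record header
    (ts_sec, ts_usec, incl_len, orig_len) followed by the captured bytes."""
    end = ">" if big_endian else "<"
    out = io.BytesIO()
    out.write(struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data = frame[:snaplen]
        out.write(struct.pack(end + "IIII", sec, usec, len(data), len(frame)))
        out.write(data)
    return out.getvalue()


def read_pcap(blob):
    """Returns (linktype, [(ts, frame), ...]). Byte order is taken from the
    magic; every record length is validated before it is used to slice."""
    if len(blob) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    elif magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file; this reader handles libpcap only")
    else:
        raise ValueError("unknown magic 0x%08x" % magic)
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", blob[4:24])
    packets, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or len(blob) - off < incl:
            raise ValueError("bad record length %d at offset %d" % (incl, off - 16))
        packets.append((sec + usec / 1_000_000, blob[off:off + incl]))
        off += incl
    return linktype, packets


def merge_chronological(*captures):
    """mergecap's default: inputs that are each in time order are merged into
    one time-ordered output (an n-way merge, not a sort; ties keep input order)."""
    return list(heapq.merge(*captures, key=lambda p: p[0]))


def is_ordered(packets):
    return all(a[0] <= b[0] for a, b in zip(packets, packets[1:]))


def reorder(packets):
    """reordercap: stable sort by timestamp, so equal stamps keep file order."""
    return sorted(packets, key=lambda p: p[0])


if __name__ == "__main__":
    cap_b = [(1.5, f) for f in parse_hexdump(HEXDUMP_B)]
    cap_b[1] = (3.0, cap_b[1][1])
    cap_a = [(2.25, parse_hexdump(HEXDUMP_A)[0])]
    merged = merge_chronological(cap_b, cap_a)
    print([t for t, _ in merged], is_ordered(merged))
    print(read_pcap(write_pcap(merged))[1] == merged)
```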
Chapter 11. This Document’s License (GPL) As with the original license and documentation distributed with Wireshark, this document is covered by the GNU General Public License (GNU GPL). If you haven’t read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
the scope of this License. 3.
may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.