Wireshark User's Guide 27488 for Wireshark 1.0.0
by Ulf Lamping, Richard Sharpe, and Ed Warnicke
Copyright © 2004-2008 Ulf Lamping, Richard Sharpe, Ed Warnicke
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. All logos and trademarks in this document are property of their respective owner.
Table of Contents (excerpt)
Preface (p. ix)
  1. Foreword (p. ix)
  2. Who should read this document? (p. x)
  3. Acknowledgements (p. xi)
  4. About this document
3.5. The "File" menu (p. 31)
3.6. The "Edit" menu (p. 34)
3.7. The "View" menu (p. 36)
3.8. The "Go" menu (p. 40)
3.9. The "Capture" menu
6.2.1. Pop-up menu of the "Packet List" pane (p. 107)
6.2.2. Pop-up menu of the "Packet Details" pane (p. 109)
6.3. Filtering packets while viewing (p. 112)
6.4. Building display filter expressions (p. 114)
6.4.1. Display filter fields
8.5.2. The "Endpoints" window (p. 155)
8.5.3. The protocol specific "Endpoint List" windows (p. 156)
8.6. The "IO Graphs" window (p. 157)
8.7. WLAN Traffic Statistics (p. 159)
8.8. Service Response Time
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark (p. 249)
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark (p. 250)
D.5. capinfos: Print information about capture files (p. 251)
D.6. editcap: Edit capture files (p. 252)
D.7. mergecap: Merging multiple capture files into one (p. 255)
D.8.
Preface 1. Foreword Wireshark is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Wireshark because of the lack of documentation. This document is part of an effort by the Wireshark team to improve the usability of Wireshark. We hope that you find it useful, and look forward to your comments.
Preface 2. Who should read this document? The intended audience of this book is anyone using Wireshark. This book will explain all the basics and also some of the advanced features that Wireshark provides. As Wireshark has become a very complex program since the early days, not every feature of Wireshark may be explained in this book. This book is not intended to explain network sniffing in general and it will not provide details about specific network protocols.
Preface 3. Acknowledgements The authors would like to thank the whole Wireshark team for their assistance. In particular, the authors would like to thank: • Gerald Combs, for initiating the Wireshark project and funding to do this documentation. • Guy Harris, for many helpful hints and a great deal of patience in reviewing this document. • Gilbert Ramirez, for general encouragement and helpful hints along the way.
Preface 4. About this document This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It is written in DocBook/XML. You will find some specially marked parts in this book: This is a warning! You should pay attention to a warning, as otherwise data loss might occur. This is a note! A note will point you to common mistakes and things that might not be obvious.
Preface 5. Where to get the latest copy of this document? The latest copy of this documentation can always be found at: http://www.wireshark.org/docs/.
Preface 6. Providing feedback about this document Should you have any feedback about this document, please send it to the authors through wireshark-dev[AT]wireshark.org.
Chapter 1. Introduction
1.1. What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
Figure 1.1. Wireshark captures packets and allows you to examine their content.
1.1.3. Live capture from many different network media
Wireshark can capture traffic from many different network media types, including (despite its name) wireless LAN. Which media types are supported depends on many things, such as the operating system you are using. An overview of the supported media types can be found at: http://wiki.wireshark.org/CaptureSetup/NetworkMedia.
1.1.4.
Introduction Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do! 1.1.8.
Introduction 1.2. System Requirements What you'll need to get Wireshark up and running ... 1.2.1. General Remarks • The values below are the minimum requirements and only "rules of thumb" for use on a moderately used network • Working with a busy network can easily produce huge memory and disk space usage! For example: Capturing on a fully saturated 100MBit/s Ethernet will produce ~ 750MBytes/min! Having a fast processor, lots of memory and disk space is a good idea in that case.
systems. Note that Microsoft has not supported Windows 98/ME since July 11, 2006.
• Windows NT 4.0 will no longer work with Wireshark. The last known version to work was Wireshark 0.99.4 (which includes WinPcap 3.1); you can still get it from: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.4.exe. Note that Microsoft no longer supports NT 4.
Introduction 1.3. Where to get Wireshark? You can get the latest copy of the program from the Wireshark website: http://www.wireshark.org/download.html. The website allows you to choose from among several mirrors for downloading. A new Wireshark version will typically become available every 4-8 months. If you want to be notified about new Wireshark releases, you should subscribe to the wireshark-announce mailing list. You will find more details in Section 1.6.4, “Mailing Lists”.
Introduction 1.4. A brief history of Wireshark In late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted to learn more about networking, so he started writing Ethereal (the former name of the Wireshark project) as a way to solve both problems. Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days, patches, bug reports, and words of encouragement started arriving, so Ethereal was on its way to success.
Introduction 1.5. Development and maintenance of Wireshark Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark team, a loose group of individuals who fix bugs and provide new functionality. There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue.
Introduction 1.6. Reporting problems and getting help If you have problems, or need help with Wireshark, there are several places that may be of interest to you (well, besides this guide of course). 1.6.1. Website You will find lots of useful information on the Wireshark homepage at http://www.wireshark.org. 1.6.2. Wiki The Wireshark Wiki at http://wiki.wireshark.org provides a wide range of information related to Wireshark and packet capturing in general.
Introduction 1.6.5. Reporting Problems Note! Before reporting any problems, please make sure you have installed the latest version of Wireshark. When reporting problems with Wireshark, it is helpful if you supply the following information: 1. The version number of Wireshark and the dependent libraries linked with it, e.g. GTK+, etc. You can obtain this with the command wireshark -v. 2. Information about the platform you run Wireshark on. 3. A detailed description of your problem. 4.
Introduction the D key together) will cause gdb to exit. This will leave you with a file called bt.txt in the current directory. Include the file with your bug report. Note If you do not have gdb available, you will have to check out your operating system's debugger. You should mail the traceback to the wireshark-dev[AT]wireshark.org mailing list. 1.6.7. Reporting Crashes on Windows platforms The Windows distributions don't contain the symbol files (.pdb), because they are very large.
Chapter 2. Building and Installing Wireshark 2.1. Introduction As with all things, there must be a beginning, and so it is with Wireshark. To use Wireshark, you must: • Obtain a binary package for your operating system, or • Obtain the source and build Wireshark for your operating system. Currently, only two or three Linux distributions ship Wireshark, and they are commonly shipping an out-of-date version.
Building and Installing Wireshark 2.2. Obtaining the source and binary distributions You can obtain both source and binary distributions from the Wireshark web site: http://www.wireshark.org. Simply select the download link, and then select either the source package or binary package of your choice from the mirror site closest to you.
Building and Installing Wireshark 2.3. Before you build Wireshark under UNIX Before you build Wireshark from sources, or install a binary package, you must ensure that you have the following other packages installed: • GTK+, The GIMP Tool Kit. You will also need Glib. Both can be obtained from www.gtk.org • libpcap, the packet capture software that Wireshark uses. You can obtain libpcap from www.tcpdump.org Depending on your system, you may be able to install these from binaries, e.g.
Example 2.2. Building and installing libpcap
    gzip -dc libpcap-0.9.4.tar.Z | tar xvf -
    cd libpcap-0.9.4
    ./configure
    make
    make install
Note! The directory you should change to will depend on the version of libpcap you have downloaded. In all cases, tar xvf - will show you the name of the directory that has been unpacked. Under Red Hat 6.
2.4. Building Wireshark from source under UNIX
Use the following general steps if you are building Wireshark from source under a UNIX operating system:
1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:
    tar zxvf wireshark-1.0.0.tar.gz
For other versions of UNIX, you will want to use the following commands:
    gzip -d wireshark-1.0.0.tar.gz
    tar xvf wireshark-1.0.
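The notes on unpacking libpcap and Wireshark above point out that the directory you must cd into depends on the version you downloaded and that the tar listing shows it. The script below is an added example, not part of the Wireshark User's Guide: it recovers that directory from the archive listing before anything is extracted, and refuses an archive whose members would write outside it (absolute paths or ".." components), which is the check worth making before building any downloaded source tarball. The sample archive it builds is constructed here and is not a real libpcap release.

```shell
#!/bin/sh
# Added example, not part of the Wireshark User's Guide: inspect a source
# tarball before "tar xvf" so that the directory to cd into is known in
# advance and the archive is rejected if it would write outside it.
# Works with GNU tar and BSD tar.

# topdir_of_listing: reads member names on stdin, one per line as "tar tzf"
#   prints them, and prints the single top-level directory they all share.
#   Exit status: 2 unsafe member (absolute path or ".."), 3 more than one
#   top-level entry, 4 empty or unreadable listing.
topdir_of_listing() {
    topdir=
    while IFS= read -r m; do
        case "$m" in
            /*|../*|*/../*|*/..|..)
                echo "refusing archive: unsafe member '$m'" >&2
                return 2 ;;
        esac
        first=${m%%/*}
        if [ -z "$topdir" ]; then
            topdir=$first
        elif [ "$first" != "$topdir" ]; then
            echo "refusing archive: more than one top-level entry ($topdir, $first)" >&2
            return 3
        fi
    done
    [ -n "$topdir" ] || return 4
    printf '%s\n' "$topdir"
}

# tarball_topdir <archive.tar.gz>: the same check on a real archive
tarball_topdir() {
    tar tzf "$1" | topdir_of_listing
}

# unpack_source <archive.tar.gz>: validate, unpack into the current directory,
#   and print the directory in which ./configure, make and make install follow
unpack_source() {
    dir=$(tarball_topdir "$1") || return 1
    tar xzf "$1" || return 1
    printf '%s\n' "$dir"
}

# Constructed demonstration archive with the layout of Example 2.2 (not a real
# libpcap release): a top-level directory libpcap-0.9.4 holding one file.
work=$(mktemp -d)
mkdir -p "$work/libpcap-0.9.4"
echo '#!/bin/sh' > "$work/libpcap-0.9.4/configure"
tar czf "$work/libpcap-0.9.4.tar.gz" -C "$work" libpcap-0.9.4
GOOD_TARBALL=$work/libpcap-0.9.4.tar.gz

# Stand-alone usage: prints "libpcap-0.9.4"
tarball_topdir "$GOOD_TARBALL"
```

In a build script the sequence becomes `dir=$(unpack_source wireshark-1.0.0.tar.gz) && cd "$dir" && ./configure && make`, so a malformed or hostile archive stops the build instead of scattering files over the current directory or above it.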
Building and Installing Wireshark 2.5. Installing the binaries under UNIX In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld. 2.5.1.
Building and Installing Wireshark 2.6. Troubleshooting during the install on Unix A number of errors can occur during the installation process. Some hints on solving these are provided here. If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problem.
2.7. Building from source under Windows
It is recommended to use the binary installer for Windows unless you want to start developing Wireshark on the Windows platform. For further information on how to build Wireshark for Windows from the sources, have a look at the Development Wiki: http://wiki.wireshark.org/Development for the latest available development documentation.
2.8. Installing Wireshark under Windows
In this section we explore installing Wireshark under Windows from the binary packages.
2.8.1. Install Wireshark
You may acquire a binary installer of Wireshark named something like: wireshark-setup-x.y.z.exe. The Wireshark installer includes WinPcap, so you don't need to download and install two separate packages. Simply download the Wireshark installer from: http://www.wireshark.org/download.html and execute it.
Building and Installing Wireshark 2.8.1.2. "Additional Tasks" page • Start Menu Shortcuts - add some start menu shortcuts. • Desktop Icon - add a Wireshark icon to the desktop. • Quick Launch Icon - add a Wireshark icon to the Explorer quick launch toolbar. • Associate file extensions to Wireshark - Associate standard network trace files to Wireshark. 2.8.1.3. "Install WinPcap?" page The Wireshark installer contains the latest released WinPcap installer.
Example:
    wireshark-setup-1.0.0.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo
(/S runs the installer silently and /NCRC skips the installer's CRC self-check; /D= must be the last parameter and takes no quotes, even when the path contains spaces.)
2.8.2. Manual WinPcap Installation
Note! As mentioned above, the Wireshark installer takes care of the installation of WinPcap, so usually you don't have to worry about WinPcap at all! The following is only necessary if you want to try a different version than the one included in the Wireshark installer, e.g. because a new WinPcap (beta) version was released.
Building and Installing Wireshark WinPcap won't be uninstalled by default, as other programs than Wireshark may use it as well. 2.8.6. Uninstall WinPcap You can uninstall WinPcap independently of Wireshark, using the "WinPcap" entry in the "Add or Remove Programs" of the Control Panel. Note! After uninstallation of WinPcap you can't capture anything with Wireshark. It might be a good idea to reboot Windows afterwards.
Chapter 3. User Interface 3.1. Introduction By now you have installed Wireshark and are most likely keen to get started capturing your first packets. In the next chapters we will explore: • How the Wireshark user interface works • How to capture packets in Wireshark • How to view packets in Wireshark • How to filter packets in Wireshark • ...
User Interface 3.2. Start Wireshark You can start Wireshark from your shell or window manager. Tip! When starting Wireshark it's possible to specify optional settings using the command line. See Section 9.2, “Start Wireshark from the command line” for details. Note! In the following chapters, a lot of screenshots from Wireshark will be shown. As Wireshark runs on many different platforms and there are different versions of the underlying GUI toolkit (GTK 1.x / 2.
User Interface 3.3. The Main window Let's look at Wireshark's user interface. Figure 3.1, “The Main window” shows Wireshark as you would usually see it after some packets are captured or loaded (how to do this will be described later). Figure 3.1. The Main window Wireshark's main window consists of parts that are commonly known from many other GUI programs. 1. The menu (see Section 3.4, “The Menu”) is used to start actions. 2. The main toolbar (see Section 3.
User Interface 7. The statusbar (see Section 3.19, “The Statusbar”) shows some detailed information about the current program state and the captured data. Tip! The layout of the main window can be customized by changing preference settings. See Section 9.5, “Preferences” for details! 3.3.1. Main Window Navigation Packet list and detail navigation can be done entirely from the keyboard. Table 3.1, “Keyboard Navigation” shows a list of keystrokes that will let you quickly move around a capture file.
User Interface 3.4. The Menu The Wireshark menu sits on top of the Wireshark window. An example is shown in Figure 3.2, “The Menu”. Note! Menu items will be greyed out if the corresponding feature isn't available. For example, you cannot save a capture file if you didn't capture or load any data before. Figure 3.2. The Menu It contains the following items: File This menu contains items to open and merge capture files, save / print / export capture files in whole or in part, and to quit from Wireshark.
3.5. The "File" menu
The Wireshark File menu contains the items shown in Table 3.2, “File menu items”.
Figure 3.3. The "File" Menu
Table 3.2. File menu items
Open... (Ctrl+O): This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.
Open Recent: This menu item shows a submenu containing the recently opened capture files.
Save (Ctrl+S): This menu item saves the current capture. If you have not set a default capture file name (perhaps with the -w option), Wireshark pops up the Save Capture File As dialog box (which is discussed further in Section 5.3.1, “The "Save Capture File As" dialog box”). Note! If you have already saved the current capture, this menu item will be greyed out. Note! You cannot save a live capture while the capture is in progress.
Export > as "C Arrays" (packet bytes) file...: This menu item allows you to export all (or some) of the packet bytes in the capture file to a .c file so you can import the stream data into your own C program. It pops up the Wireshark Export dialog box (which is discussed further in Section 5.6.4, “The "Export as C Arrays (packet bytes) file" dialog box”).
Export > as "PSML" file...
3.6. The "Edit" menu
The Wireshark Edit menu contains the items shown in Table 3.3, “Edit menu items”.
Figure 3.4. The "Edit" Menu
Table 3.3. Edit menu items
Copy > As Filter (Shift+Ctrl+C): This menu item will use the selected item in the detail view to create a display filter. This display filter is then copied to the clipboard.
Find Packet... (Ctrl+F): This menu item brings up a dialog box that allows you to find a packet by many criteria.
... see Section 6.10, “Marking packets” for details.
Find Next Mark (Shift+Ctrl+N): Find the next marked packet.
Find Previous Mark (Shift+Ctrl+B): Find the previous marked packet.
Mark All Packets: This menu item marks all packets.
Unmark All Packets: This menu item unmarks all marked packets.
Set Time Reference (toggle) (Ctrl+T): This menu item sets a time reference on the currently selected packet. See Section 6.11.
Find Next Reference
3.7. The "View" menu
The Wireshark View menu contains the items shown in Table 3.4, “View menu items”.
Figure 3.5. The "View" Menu
Table 3.4. View menu items
Main Toolbar: This menu item hides or shows the main toolbar, see Section 3.14, “The "Main" toolbar”.
Filter Toolbar: This menu item hides or shows the filter toolbar, see Section 3.15, “The "Filter" toolbar”.
Statusbar: This menu item hides or shows the statusbar, see Section 3.19, “The Statusbar”.
Packet Bytes: This menu item hides or shows the packet bytes pane, see Section 3.18, “The "Packet Bytes" pane”.
Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456: Selecting this tells Wireshark to display the time stamps in date and time of day format, see Section 6.11, “Time display formats and time references”.
Time Display Format > Seconds: 0: Selecting this tells Wireshark to display time stamps with a precision of one second, see Section 6.11, “Time display formats and time references”.
Time Display Format > ...seconds: 0....: Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see Section 6.11, “Time display formats and time references”.
Expand Subtrees: This menu item expands the currently selected subtree in the packet details tree.
Expand All: Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
Collapse All: This menu item collapses the tree view of all packets in the capture list.
3.8. The "Go" menu
The Wireshark Go menu contains the items shown in Table 3.5, “Go menu items”.
Figure 3.6. The "Go" Menu
Table 3.5. Go menu items
Back (Alt+Left): Jump to the recently visited packet in the packet history, much like the page history in a web browser.
Forward (Alt+Right): Jump to the next visited packet in the packet history, much like the page history in a web browser.
Go to Packet...
... move to the previous packet even if the packet list doesn't have keyboard focus.
Next Packet (Ctrl+Down): Move to the next packet in the list. This can be used to move to the next packet even if the packet list doesn't have keyboard focus.
First Packet: Jump to the first packet of the capture file.
Last Packet: Jump to the last packet of the capture file.
3.9. The "Capture" menu
The Wireshark Capture menu contains the items shown in Table 3.6, “Capture menu items”.
Figure 3.7. The "Capture" Menu
Table 3.6. Capture menu items
Interfaces...: This menu item brings up a dialog box that shows what's going on at the network interfaces Wireshark knows of, see Section 4.4, “The "Capture Interfaces" dialog box”.
Options...
Capture Filters...: This menu item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.
3.10. The "Analyze" menu
The Wireshark Analyze menu contains the items shown in Table 3.7, “Analyze menu items”.
Figure 3.8. The "Analyze" Menu
Table 3.7. Analyze menu items
Display Filters...: This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.
Display Filter Macros...
Apply as Filter > ...
Prepare a Filter > ...: These menu items will change the current display filter but won't apply the changed filter. Depending on the chosen menu item, the current display filter string will be replaced or appended to by the selected protocol field in the packet details pane.
Enabled Protocols... (Shift+Ctrl+R): This menu item allows the user to enable/disable protocol dissectors, see Section 9.4.1, “The "Enabled Protocols" dialog box”.
Decode As...
3.11. The "Statistics" menu
The Wireshark Statistics menu contains the items shown in Table 3.8, “Statistics menu items”.
Figure 3.9. The "Statistics" Menu
All menu items will bring up a new window showing specific statistical information.
Table 3.8. Statistics menu items
Summary: Show information about the data captured, see Section 8.2, “The "Summary" window”.
Protocol Hierarchy: Display a hierarchical tree of protocol statistics, see Section 8.
Conversation List: Display a list of conversations, obsoleted by the combined window of Conversations above, see Section 8.4.3, “The protocol specific "Conversation List" windows”.
Endpoint List: Display a list of endpoints, obsoleted by the combined window of Endpoints above, see Section 8.5.3, “The protocol specific "Endpoint List" windows”.
Service Response Time: Display the time between a request and the corresponding response, see Section 8.
SMPP Operations...: See Section 8.9, “The protocol specific statistics windows”
TCP Stream Graph: See Section 8.9, “The protocol specific statistics windows”
UCP Messages...: See Section 8.9, “The protocol specific statistics windows”
UDP Multicast Streams: See Section 8.9, “The protocol specific statistics windows”
WLAN Traffic: See Section 8.
3.12. The "Tools" menu
The Wireshark Tools menu contains the items shown in Table 3.9, “Tools menu items”.
Table 3.9. Tools menu items
Firewall ACL Rules: This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported.
3.13. The "Help" menu
The Wireshark Help menu contains the items shown in Table 3.10, “Help menu items”.
Figure 3.10. The "Help" Menu
Table 3.10. Help menu items
Contents (F1): This menu item brings up a basic help system.
FAQs: This menu item starts a Web browser showing various FAQs.
Manual Pages > ...: This menu item starts a Web browser showing one of the locally installed html manual pages.
Wireshark Online > ...
About Wireshark: This menu item brings up an information window that provides some information on Wireshark, such as the plugins, the used folders, ...
Note! Calling a Web browser might be unsupported in your version of Wireshark. If this is the case, the corresponding menu items will be hidden.
User Interface 3.14. The "Main" toolbar The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu, if the space on the screen is needed to show even more packet data. As in the menu, only the items useful in the current program state will be available. The others will be greyed out (e.g. you cannot save a capture file if you haven't loaded one). Figure 3.11. The "Main" toolbar Table 3.11.
Close (File/Close): This item closes the current capture. If you have not saved the capture, you will be asked to save it first.
Reload (View/Reload): This item allows you to reload the current capture file.
Print... (File/Print...): This item allows you to print all (or some of) the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in Section 5.7, “Printing packets”).
... More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Display Filters... (Analyze/Display Filters...): This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Coloring Rules... (View/Coloring Rules...)
Preferences...
3.15. The "Filter" toolbar
The filter toolbar lets you quickly edit and apply display filters. More information on display filters is available in Section 6.3, “Filtering packets while viewing”.
Figure 3.12. The "Filter" toolbar
Table 3.12. Filter toolbar items
Filter: (button): Brings up the filter construction dialog, described in Figure 6.7, “The "Capture Filters" and "Display Filters" dialog boxes”.
User Interface 3.16. The "Packet List" pane The packet list pane displays all the packets in the current capture file. Figure 3.13. The "Packet List" pane Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns.
User Interface 3.17. The "Packet Details" pane The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. Figure 3.14. The "Packet Details" pane This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed. There is a context menu (right mouse click) available, see details in Figure 6.
User Interface 3.18. The "Packet Bytes" pane The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style. Figure 3.15. The "Packet Bytes" pane As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or . if not appropriate) are displayed.
User Interface 3.19. The Statusbar The statusbar displays informational messages. In general, the left side will show context related information, the middle part will show the current number of packets, and the right side will show the selected configuration profile. Drag the handles between the text areas to change the size. Figure 3.17. The initial Statusbar This statusbar is shown while no capture file is loaded, e.g. when Wireshark is started. Figure 3.18.
User Interface Figure 3.20. The Statusbar with a selected protocol field This is displayed if you have selected a protocol field from the "Packet Details" pane. Tip! The value between the brackets (in this example arp.opcode) can be used as a display filter string, representing the selected protocol field. Figure 3.21. The Statusbar with a display filter message This is displayed if you are trying to use a display filter which may have unexpected results. For a detailed description, see Section 6.4.
Chapter 4. Capturing Live Network Data 4.1. Introduction Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features: • Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...). • Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets. • Simultaneously show decoded packets while Wireshark keeps on capturing.
Capturing Live Network Data 4.2. Prerequisites Setting up Wireshark to capture packets for the first time can be tricky. Tip! A comprehensive guide "How To setup a Capture" is available at: http://wiki.wireshark.org/CaptureSetup. Here are some common pitfalls: • You need to have root / Administrator privileges to start a live capture. • You need to choose the right network interface to capture packet data from.
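The first pitfall above, needing root or Administrator privileges to start a live capture, does not mean the whole analyzer has to run with those privileges. On Linux, Wireshark runs the actual capture in the separate dumpcap program, so it is enough to give dumpcap the two capabilities raw capture needs and to restrict who may execute it; the GUI, with all its dissectors, then runs as an ordinary user. The script below is an added example, not part of the Wireshark User's Guide: it checks an installation for that setup and prints the commands that establish it. The dumpcap path and the group name "wireshark" are assumptions made for this example; the getcap lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Wireshark User's Guide. Checks whether the
# dumpcap capture helper carries CAP_NET_RAW and CAP_NET_ADMIN so that
# Wireshark itself can run without root, and prints the commands that set
# this up if it does not. Path and group name below are assumptions.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
CAPTURE_GROUP=${CAPTURE_GROUP:-wireshark}

# caps_line_ok <one line of getcap output>
#   returns 0 if the line grants both cap_net_raw and cap_net_admin as
#   effective and permitted. Accepts both formats getcap has used:
#     /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#     /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_line_ok() {
    line=$1
    caps=${line##* }          # last word: the capability set
    case "$caps" in
        *[+=]*) ;;            # must have a flag part, otherwise no set at all
        *) return 1 ;;
    esac
    flags=${caps##*[+=]}      # e.g. "eip"
    names=${caps%[+=]*}       # e.g. "cap_net_admin,cap_net_raw"
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# print_fix <user>: the commands an administrator runs once to set this up.
#   Only members of $CAPTURE_GROUP may execute dumpcap afterwards (mode 750),
#   and dumpcap alone holds the capabilities, not the Wireshark GUI.
print_fix() {
    cat <<EOF
groupadd $CAPTURE_GROUP
usermod -a -G $CAPTURE_GROUP $1
chgrp $CAPTURE_GROUP $DUMPCAP
chmod 750 $DUMPCAP
setcap cap_net_raw,cap_net_admin=eip $DUMPCAP
EOF
}

# check_dumpcap [user]: 0 if dumpcap already carries the capabilities,
#   1 if not (the fix is printed to stderr), 2 if getcap is not installed
check_dumpcap() {
    command -v getcap >/dev/null 2>&1 || return 2
    line=$(getcap "$DUMPCAP" 2>/dev/null) || line=
    caps_line_ok "$line" && return 0
    print_fix "${1:-${USER:-$(id -un)}}" >&2
    return 1
}

# Stand-alone usage: report on this machine.
status=0
check_dumpcap || status=$?
case $status in
    0) echo "$DUMPCAP has capture capabilities; run Wireshark as an ordinary user" ;;
    1) echo "$DUMPCAP lacks capture capabilities; see the commands above" ;;
    2) echo "getcap not found; cannot check $DUMPCAP" ;;
esac
```

File capabilities need a kernel and filesystem that support them (2.6.24 or later with extended attributes); where they are unavailable, the fallback is the same group restriction with dumpcap set-user-ID root, which still keeps root out of the GUI process. A new group membership only takes effect at the next login.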
Capturing Live Network Data 4.3. Start Capturing One of the following methods can be used to start capturing packets with Wireshark: • You can get an overview of the available local interfaces using the " Capture Interfaces" dialog box, see Figure 4.1, “The "Capture Interfaces" dialog box on Microsoft Windows” or Figure 4.2, “The "Capture Interfaces" dialog box on Unix/Linux”. You can start a capture from this dialog box, using (one of) the "Capture" button(s).
Capturing Live Network Data 4.4. The "Capture Interfaces" dialog box When you select "Interfaces..." from the Capture menu, Wireshark pops up the "Capture Interfaces" dialog box as shown in Figure 4.1, “The "Capture Interfaces" dialog box on Microsoft Windows” or Figure 4.2, “The "Capture Interfaces" dialog box on Unix/Linux”. This dialog consumes lot's of system resources! As the "Capture Interfaces" dialog is showing live captured data, it is consuming a lot of system resources.
address could be resolved, only the first is shown (unpredictable which one in that case).

Packets: The number of packets captured from this interface, since this dialog was opened. Will be greyed out if no packet was captured in the last second.

Packets/s: Number of packets captured in the last second. Will be greyed out if no packet was captured in the last second.

Stop: Stop a currently running capture.

4.5. The "Capture Options" dialog box

When you select Start... from the Capture menu (or use the corresponding item in the "Main" toolbar), Wireshark pops up the "Capture Options" dialog box as shown in Figure 4.3, “The "Capture Options" dialog box”.

Figure 4.3. The "Capture Options" dialog box

Tip! If you are unsure which options to choose in this dialog box, just try keeping the defaults as this should work well in many cases.

drop-down list, so simply click on the button on the right hand side and select the interface you want. It defaults to the first non-loopback interface that supports capturing, and if there are none, the first loopback interface. On some systems, loopback interfaces cannot be used for capturing (loopback interfaces are not available on Windows platforms). This field performs the same function as the -i command line option.

CPU time is required for copying packets, less buffer space is required for packets, and thus perhaps fewer packets will be dropped if traffic is very heavy. If you don't capture all of the data in a packet, you might find that the packet data you want is in the part that's dropped, or that reassembly isn't possible as the data required for reassembly is missing.

• Capture Filter: This field allows you to specify a capture filter.

... after n minute(s): Stop capturing after the given number of second(s)/minute(s)/hour(s)/day(s) have elapsed.

4.5.4. Display Options frame

Update list of packets in real time: This option allows you to specify that Wireshark should update the packet list pane in real time. If you do not specify this, Wireshark does not display any packets until you stop the capture.

4.6. The "Interface Details" dialog box

When you select Details from the Capture Interface menu, Wireshark pops up the "Interface Details" dialog box as shown in Figure 4.4, “The "Interface Details" dialog box”. This dialog shows various characteristics and statistics for the selected interface.

Microsoft Windows only: This dialog is only available on Microsoft Windows.

Figure 4.4.

4.7. Capture files and file modes

While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into the capture file(s) the user specified. Different modes of operation are available when saving this packet data to the capture file(s).

Tip! Working with large files (several 100 MB's) can be quite slow.

Single named file: A single capture file will be used. If you want to place the new capture file in a specific folder, choose this mode.

Multiple files, continuous: Like the "Single named file" mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the "Next file every ..." values).

4.8. Link-layer header type

In the usual case, you won't have to choose this link-layer header type. The following paragraphs describe the exceptional cases, where selecting this type is possible, so you will have a guide of what to do:

If you are capturing on an 802.11 device on some versions of BSD, this might offer a choice of "Ethernet" or "802.11". "Ethernet" will cause the captured packets to have fake Ethernet headers; "802.11" will cause them to have IEEE 802.11 headers.

4.9. Filtering while capturing

Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent.

Tip! You will find a lot of Capture Filter examples at http://wiki.wireshark.org/CaptureFilters.

You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown in Figure 4.3, “The "Capture Options" dialog box”.

present, packets where the specified address appears in either the source or destination address will be selected.

gateway host: This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

[src|dst] net [{mask }|{len }]: This primitive allows you to filter on network numbers.
DISPLAY (x11): [remote name]:
SESSIONNAME (terminal server):

4.10. While a Capture is running ...

While a capture is running, the following dialog box is shown:

Figure 4.5. The "Capture Info" dialog box

This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed.

Tip! This Capture Info dialog box can be hidden, using the "Hide capture info dialog" option in the Capture Options dialog box.

4.10.1.

Note! The Capture Info dialog box might be hidden, if the option "Hide capture info dialog" is used.

2. Using the menu item "Capture/Stop".
3. Using the toolbar item "Stop".
4. Pressing the accelerator keys: Ctrl+E.
5. The capture will be automatically stopped, if one of the Stop Conditions is exceeded, e.g. the maximum amount of data was captured.

4.10.2.
Chapter 5. File Input / Output and Printing

5.1. Introduction

This chapter will describe input and output of capture data.
5.2. Open capture files

Wireshark can read in previously saved capture files. To read them, simply select the menu or toolbar item: "File/Open". Wireshark will then pop up the File Open dialog box, which is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.

It's convenient to use drag-and-drop! ... to open a file, by simply dragging the desired file from your file manager and dropping it onto Wireshark's main window.

Save a lot of time loading huge capture files! You can change the display filter and name resolution settings later while viewing the packets. However, loading huge capture files can take a significant amount of extra time if these settings are changed later, so in such situations it can be a good idea to set at least the filter in advance here.

Table 5.1. The system specific "Open Capture File" dialog box

Microsoft Windows

Figure 5.1.

Figure 5.3. "Open" - old GTK version

This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

Specific for this dialog:

• If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Ok" button.

5.2.2.

• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
• the text output from the DBS Etherwatch VMS utility
• Visual Networks' Visual UpTime traffic capture
• the output from CoSine L2 debug
• the output from Accellent's 5Views LAN agents
• Endace Measurement Systems' ERF format captures
• Linux Bluez Bluetooth stack hcidump -w traces
• Catapult DCT2000 .

5.3. Saving captured packets

You can save captured packets simply by using the Save As... menu item from the File menu under Wireshark. You can choose which packets to save and which file format to be used.

Saving may reduce the available information! Saving the captured packets will slightly reduce the amount of information, e.g. the number of dropped packets will be lost; see Section A.1, “Capture Files” for details.

5.3.1.

Unix/Linux: GTK version < 2.4

Figure 5.6. "Save" - old GTK version

This is the file save dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

With this dialog box, you can perform the following actions:

1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.
2. Select the directory to save the file into.
3. Select the range of the packets to be saved, see Section 5.8, “The Packet Range frame”.
4. Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from the types described in Section 5.3.2, “Output File Formats”.

The selection of capture formats may be reduced! Some capture formats may not be available, depending on the packet types captured.

Third party protocol analyzers may require specific file extensions! Other protocol analyzers than Wireshark may require that the file has a certain file extension in order to read the files you generate with Wireshark, e.g.: ".

5.4. Merging capture files

Sometimes you need to merge several capture files into one. For example, this can be useful if you have captured simultaneously from multiple interfaces at once (e.g. using multiple instances of Wireshark).

Merging capture files can be done in three ways:

• Use the menu item "Merge" from the "File" menu, to open the merge dialog, see Section 5.4.1, “The "Merge with Capture File" dialog box”.

Unix/Linux: GTK version >= 2.4

Figure 5.8. "Merge" - new GTK version

This is the common Gimp/GNOME file open dialog - plus some Wireshark extensions.

Unix/Linux: GTK version < 2.4

Figure 5.9. "Merge" - old GTK version

This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

5.5. File Sets

When using the "Multiple Files" option while doing a capture (see: Section 4.7, “Capture files and file modes”), the capture data is spread over several capture files, called a file set. As it can become tedious to work with a file set by hand, Wireshark provides some features to handle these file sets in a convenient way.

Each line contains information about a file of the file set:

• Filename: the name of the file. If you click on the filename (or the radio button left to it), the current file will be closed and the corresponding capture file will be opened.

5.6. Exporting data

Wireshark provides several ways and formats to export packet data. This section describes general ways to export data from Wireshark.

Note! There are more specialized functions to export specific data, which will be described at the appropriate places.

XXX - add detailed descriptions of the output formats and some sample output, too.

5.6.1.

Tip! You can easily convert PostScript files to PDF files using ghostscript. For example: export to a file named foo.ps and then call: ps2pdf foo.ps

Figure 5.12. The "Export as PostScript File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.8, “The Packet Range frame”.
• The Packet Details frame is described in Section 5.9, “The Packet Format frame”.

5.6.3.

dialog box

XXX - add screenshot

Export packet bytes into C arrays so you can import the stream data into your own C program.

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.8, “The Packet Range frame”.

5.6.5. The "Export as PSML File" dialog box

Export packet data into PSML. This is an XML based format including only the packet summary. The PSML file specification is available at: http://www.

Export packet data into PDML. This is an XML based format including the packet details. The PDML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:pdml_specification. The PDML specification is not officially released and Wireshark's implementation of it is still in an early beta state, so please expect changes in future Wireshark versions.

Figure 5.14.
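To show what a consumer of the PDML export described above has to deal with, here is an added Python example (not from the guide and not Wireshark's own code) that flattens a PDML document into per-packet field tables and cross-checks the raw hex value of each IP address field against its decoded text. The two-packet document is constructed for the example in the element layout the export uses (packet, proto, field with name/showname/show/value/size/pos attributes); it is not a real export.

```python
import xml.etree.ElementTree as ET

# Constructed PDML excerpt (not real traffic): two packets of a TCP exchange.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="frame" showname="Frame 1: 74 bytes on wire" size="74" pos="0"/>
    <proto name="eth" showname="Ethernet II" size="14" pos="0">
      <field name="eth.src" showname="Source: 00:00:5e:00:53:05" size="6" pos="6" show="00:00:5e:00:53:05" value="00005e005305"/>
    </proto>
    <proto name="ip" showname="Internet Protocol" size="20" pos="14">
      <field name="ip.src" showname="Source: 10.0.0.5" size="4" pos="26" show="10.0.0.5" value="0a000005"/>
      <field name="ip.dst" showname="Destination: 192.168.1.20" size="4" pos="30" show="192.168.1.20" value="c0a80114"/>
    </proto>
    <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
      <field name="tcp.dstport" showname="Destination port: 80" size="2" pos="36" show="80" value="0050"/>
    </proto>
  </packet>
  <packet>
    <proto name="ip" showname="Internet Protocol" size="20" pos="14">
      <field name="ip.src" showname="Source: 192.168.1.20" size="4" pos="26" show="192.168.1.20" value="c0a80114"/>
      <field name="ip.dst" showname="Destination: 10.0.0.5" size="4" pos="30" show="10.0.0.5" value="0a000005"/>
    </proto>
    <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
      <field name="tcp.dstport" showname="Destination port: 40000" size="2" pos="36" show="40000" value="9c40"/>
    </proto>
  </packet>
</pdml>
"""


def parse_pdml(text: str) -> list[dict]:
    """Flatten every <packet> into {field name: (show text, raw bytes)}.
    Nested <field> elements are included because iter() walks the subtree."""
    root = ET.fromstring(text)
    packets = []
    for packet in root.iter("packet"):
        fields = {}
        for field in packet.iter("field"):
            name = field.get("name")
            if not name:              # unnamed text-only fields carry no value
                continue
            raw = bytes.fromhex(field.get("value", ""))
            fields[name] = (field.get("show", ""), raw)
        packets.append(fields)
    return packets


def field_values(packets, name):
    """The decoded text of one field across all packets that carry it."""
    return [p[name][0] for p in packets if name in p]


def select(packets, name, value):
    """Packet indices (0-based) whose field decodes to the given text."""
    return [i for i, p in enumerate(packets) if name in p and p[name][0] == value]


def raw_consistent(packets) -> bool:
    """The hex value of each ip.src/ip.dst must decode to its own show text;
    a mismatch would mean the export or the parser mangled the packet."""
    for p in packets:
        for name in ("ip.src", "ip.dst"):
            if name in p:
                show, raw = p[name]
                if ".".join(str(b) for b in raw) != show:
                    return False
    return True
```

The show attribute is the decoded text the "Packet Details" pane displays, while value holds the raw bytes; tooling that has to be exact (hashing, re-encoding) should work from value. Parse PDML from sources you do not control with a hardened parser such as defusedxml rather than xml.etree, which the Python documentation itself describes as not secure against malicious input.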
• Name: the filename to export the packet data to.
• The Save in folder: field lets you select the folder to save to (from some predefined folders).
• Browse for other folders provides a flexible way to choose a folder.

5.6.8.

Columns:

• Packet num: The packet number in which this object was found. In some cases, there can be multiple objects in the same packet.
• Hostname: The hostname of the server that sent the object as a response to an HTTP request.
• Content Type: The HTTP content type of this object.
• Bytes: The size of this object in bytes.
• Filename: The final part of the URI (after the last slash).

5.7. Printing packets

To print packets, select the "Print..." menu item from the File menu. When you do this, Wireshark pops up the Print dialog box as shown in Figure 5.17, “The "Print" dialog box”.

5.7.1. The "Print" dialog box

Figure 5.17. The "Print" dialog box

The following fields are available in the Print dialog box:

Printer: This field contains a pair of mutually exclusive radio buttons:

• Plain Text specifies that the packet print should be in plain text.

Note! These Print command fields are not available on Windows platforms.

This field specifies the command to use for printing. It is typically lpr. You would change it to specify a particular queue if you need to print to a queue other than the default. An example might be: lpr -Pmypostscript

This field is greyed out if Output to file: is checked above.

Packet Range: Select the packets to be printed, see Section 5.

5.8. The Packet Range frame

The packet range frame is a part of various output related dialog boxes. It provides options to select which packets should be processed by the output function.

Figure 5.18. The "Packet Range" frame

If the Captured button is set (default), all packets from the selected rule will be processed. If the Displayed button is set, only the currently displayed packets are taken into account for the selected rule.

5.9. The Packet Format frame

The packet format frame is a part of various output related dialog boxes. It provides options to select which parts of a packet should be used for the output function.

Figure 5.19. The "Packet Format" frame

• Packet summary line: enable the output of the summary line, just as in the "Packet List" pane.
• Packet details: enable the output of the packet details tree.
Chapter 6. Working with captured packets

6.1. Viewing packets you have captured

Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.

Figure 6.2.

6.2. Pop-up menus

You can bring up a pop-up menu over either the "Packet List" or "Packet Details" pane by clicking your right mouse button at the corresponding pane.

6.2.1. Pop-up menu of the "Packet List" pane

Figure 6.3. Pop-up menu of the "Packet List" pane

The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item.

Table 6.1.

Item | Identical to main menu's item | Description
(row continued from the previous page) | | ...ter formation from the selected packet. E.g. the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. XXX - add a new section describing this better.
Colorize Conversation | | This menu item uses a display filter with the address information from the selected packet to build a new colorizing rule. XXX - add an explanation of this.
SCTP | |

Item | Identical to main menu's item | Description
Show Packet in New Window | View | Display the selected packet in a new window.

6.2.2. Pop-up menu of the "Packet Details" pane

Figure 6.4. Pop-up menu of the "Packet Details" pane

The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item.

Table 6.2.

Item | Identical to main menu's item | Description
----- | |
Copy/Description | | Copy the displayed text of the selected field to the system clipboard.
Copy/As Filter | Edit | Prepare a display filter based on the currently selected item and copy it to the clipboard.

Item | Identical to main menu's item | Description
Follow SSL Stream | | Same as "Follow TCP Stream" but for SSL. XXX - add a new section describing this better.
----- | |
Wiki Protocol Page | | Show the wiki page corresponding to the currently selected protocol in your web browser.
Filter Field Reference | | Show the filter field reference web page corresponding to the currently selected protocol in your web browser.
Protocol Preferences... | |

6.3. Filtering packets while viewing

Wireshark has two filtering languages: one used when capturing packets, and one used when displaying packets. In this section we explore that second type of filter: display filters. The first one has already been dealt with in Section 4.9, “Filtering while capturing”.

Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones.

As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so the first packet shown is now packet number 11.

Note! When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content!

You can filter on any protocol that Wireshark understands.

6.4. Building display filter expressions

Wireshark provides a simple but powerful display filter language that allows you to build quite complex filter expressions. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.

Tip! You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter page at http://wiki.wireshark.org/DisplayFilters.

6.4.1.

English | C-like | Description and example
ge | >= | Greater than or equal to: frame.len ge 0x100
le | <= | Less than or equal to: frame.len <= 0x20

In addition, all protocol fields are typed. Table 6.4, “Display Filter Field Types” provides a list of the types and examples of how to express them.

Table 6.4. Display Filter Field Types

Type | Example
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) | You can express integers in decimal, octal, or hexadecimal.

Type | Example
IPX address | ipx.addr == 00000000.ffffffffffff
String (text) | http.request.uri == "http://www.wireshark.org/"

6.4.3. Combining expressions

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5, “Display Filter Logical Operations”.

Table 6.5. Display Filter Logical Operations

English | C-like | Description and example
and | && | Logical AND: ip.src==10.0.0.5 and tcp.flags.fin
or | || | Logical OR: ip.src==10.0.0.5 or ip.

English | C-like | Description and example

beginning of a sequence to offset m. It is equivalent to 0:m

eth.src[4:] == 20:20

The example above uses the n: format, which takes everything from offset n to the end of the sequence.

eth.src[2] == 83

The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1.

eth.
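The pieces of the display filter language covered in this section, the comparison operators in both their English and C-like spellings, the typed literals (decimal, octal and hexadecimal integers, colon-separated byte sequences, quoted strings), the slice forms n:m, n-m, :m, n: and n, and the and/or combination, as an added Python evaluator. It is not from the guide and not Wireshark's filter engine: it works on a packet represented as a plain dict of field values (a constructed packet, below), supports no parentheses, and assumes quoted strings do not contain the words "and" or "or" surrounded by spaces. A bare field name tests for presence, as in Wireshark.

```python
import re

# Comparison operators, English and C-like spellings (Table 6.3)
OPERATORS = {
    "eq": "==", "==": "==", "ne": "!=", "!=": "!=",
    "gt": ">",  ">": ">",   "lt": "<",  "<": "<",
    "ge": ">=", ">=": ">=", "le": "<=", "<=": "<=",
}

# one comparison: [not] field[slice] op literal, or just a field name
ATOM = re.compile(
    r"^\s*(?P<neg>not\s+|!\s*)?(?P<field>[A-Za-z_][\w.]*)"
    r"(?:\[(?P<slice>[^\]]+)\])?"
    r"(?:\s*(?P<op>==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s*(?P<lit>.+?))?\s*$"
)


def slice_range(spec: str, length: int) -> tuple[int, int]:
    """Wireshark slice forms: n:m (m bytes from offset n), n-m (offsets n..m
    inclusive), :m (same as 0:m), n: (offset n to the end), n (same as n:1)."""
    if ":" in spec:
        n, m = spec.split(":", 1)
        start = int(n) if n else 0
        stop = start + int(m) if m else length
    elif "-" in spec:
        n, m = spec.split("-", 1)
        start, stop = int(n), int(m) + 1
    else:
        start = int(spec)
        stop = start + 1
    return start, stop


def parse_number(text: str) -> int:
    """Integers may be written in decimal, octal (leading 0) or hexadecimal (0x)."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def literal_like(value, text: str):
    """Parse the literal in the type of the field it is compared with:
    byte sequences as aa:bb or dotted hex, integers as above, else a string."""
    if isinstance(value, bytes):
        return bytes.fromhex(text.replace(":", "").replace(".", ""))
    if isinstance(value, int):
        return parse_number(text)
    return text.strip('"')


def eval_atom(expr: str, packet: dict) -> bool:
    m = ATOM.match(expr)
    if not m:
        raise ValueError(f"cannot parse: {expr!r}")
    field, op, lit = m.group("field"), m.group("op"), m.group("lit")
    result = False                       # a field that is absent never matches
    if field in packet:
        value = packet[field]
        if m.group("slice"):
            start, stop = slice_range(m.group("slice"), len(value))
            value = value[start:stop]
        if op is None:
            result = True                # bare field name: "field is present"
        else:
            other = literal_like(value, lit)
            result = {
                "==": value == other, "!=": value != other,
                ">": value > other, "<": value < other,
                ">=": value >= other, "<=": value <= other,
            }[OPERATORS[op]]
    return (not result) if m.group("neg") else result


def evaluate(expr: str, packet: dict) -> bool:
    """Logical combination (Table 6.5): and/&& binds tighter than or/||."""
    or_terms = re.split(r"\s+(?:or|\|\|)\s+", expr)
    return any(
        all(eval_atom(atom, packet) for atom in re.split(r"\s+(?:and|&&)\s+", term))
        for term in or_terms
    )


# Constructed packet (not a real capture) with the field types used above.
PACKET = {
    "frame.len": 0x120,
    "eth.src": bytes.fromhex("001183332020"),   # 00:11:83:33:20:20
    "ip.src": "10.0.0.5",
    "ip.dst": "192.168.1.20",
    "tcp.flags.fin": 1,
    "tcp.dstport": 80,
    "http.request.uri": "http://www.wireshark.org/",
}
```

The slice forms matter in practice because they let a filter look at a fixed position in an opaque field (an OUI in the first three bytes of eth.src, a marker byte inside data) without a dissector for it.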
6.5. The "Filter Expression" dialog box

When you are accustomed to Wireshark's filtering system and know what labels you wish to use in your filters, it can be very quick to simply type a filter string. However, if you are new to Wireshark or are working with a slightly unfamiliar protocol, it can be very confusing to try to figure out what to type. The Filter Expression dialog box helps with this.

Value: You may enter an appropriate value in the Value text box. The Value will also indicate the type of value for the field name you have selected (like character string).

Predefined values: Some of the protocol fields have predefined values available, much like enums in C. If the selected protocol field has such values defined, you can choose one of them here.

6.6. Defining and saving filters

You can define filters with Wireshark and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use.

To define a new filter or edit an existing one, select the Capture Filters... menu item from the Capture menu or the Display Filters... menu item from the Analyze menu. Wireshark will then pop up the Filters dialog as shown in Figure 6.

New: This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If any of these fields are empty, it will be set to "new".

Delete: This button deletes the selected filter. It will be greyed out if no filter is selected.

Filter: You can select a filter from this list (which will fill in the filter name and filter string in the fields down at the bottom of the dialog box).

6.7. Defining and saving filter macros

You can define filter macros with Wireshark and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use.

XXX - add an explanation of this.

6.8. Finding packets

You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet... menu item from the Edit menu. Wireshark will pop up the dialog box shown in Figure 6.8, “The "Find Packet" dialog box”.

6.8.1. The "Find Packet" dialog box

Figure 6.8.

You can choose the search direction:

• Up: Search upwards in the packet list (decreasing packet numbers).
• Down: Search downwards in the packet list (increasing packet numbers).

6.8.2. The "Find Next" command

"Find Next" will continue searching with the same options used in the last "Find Packet".

6.8.3. The "Find Previous" command

"Find Previous" will do the same thing as "Find Next", but with reverse search direction.

6.9. Go to a specific packet

You can easily jump to specific packets with one of the menu items in the Go menu.

6.9.1. The "Go Back" command

Go back in the packet history; works much like the page history in current web browsers.

6.9.2. The "Go Forward" command

Go forward in the packet history; works much like the page history in current web browsers.

6.9.3. The "Go to Packet" dialog box

Figure 6.9.

6.10. Marking packets

You can mark packets in the "Packet List" pane. A marked packet will be shown with a black background, regardless of the coloring rules set. Marking a packet can be useful to find it later while analyzing a large capture file.

Warning! The packet marks are not stored in the capture file or anywhere else, so all packet marks will be lost if you close the capture file.

6.11. Time display formats and time references

While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis. A detailed description of timestamps, timezones and alike can be found at: Section 7.4, “Time Stamps”.

The timestamp presentation format and the precision in the packet list can be chosen using the View menu, see Figure 3.5, “The "View" Menu”.

Note! Time referencing will only be useful if the time display format is set to "Seconds Since Beginning of Capture". If one of the other time display formats is used, time referencing will have no effect (and will make no sense either).

To work with time references, choose one of the "Time Reference" items in the "Edit" menu, see Section 3.6, “The "Edit" menu”, or from the pop-up menu of the "Packet List" pane.
Chapter 7. Advanced Topics

7.1. Introduction

In this chapter some of the advanced features of Wireshark will be described.

7.2. Following TCP streams

If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream. If so, Wireshark's ability to follow a TCP stream will be useful to you.

length) and CRNL conversions?

The stream content won't be updated while doing a live capture. To get the latest content you'll have to reopen the dialog.

You can choose from the following actions:

1. Save As: Save the stream data in the currently selected format.
2. Print: Print the stream data in the currently selected format.
3. Direction: Choose the stream direction to be displayed ("Entire conversation", "data from A to B only" or "data from B to A only").
4.

7.3. Expert Infos

The expert infos is a kind of log of the anomalies found by Wireshark in a capture file. The general idea behind the following "Expert Info" is to have a better display of "uncommon" or just notable network behaviour. This way, both novice and expert users will hopefully find probable network problems a lot faster, compared to scanning the packet list "manually".

Expert infos are only a hint! Take expert infos as a hint of what's worth looking at, but not more.

There are some common groups of expert infos. The following are currently implemented:

• Checksum: a checksum was invalid
• Sequence: protocol sequence suspicious, e.g. sequence wasn't continuous or a retransmission was detected or ...
• Response Code: problem with application response code, e.g. HTTP 404 page not found
• Request Code: an application request (e.g.

infos will be combined into a single line - with a count column showing how often they appeared in the capture file. Clicking on the plus sign shows the individual packet numbers in a tree view.

7.3.2.2. Details tab

The Details tab provides the expert infos in a "log like" view, each entry on its own line (much like the packet list). As the amount of expert infos for a capture file can easily become very large, getting an idea of the interesting infos with this view can take quite a while.

7.4. Time Stamps

Time stamps, their precisions and all that can be quite confusing. This section will provide you with information about what's going on while Wireshark processes time stamps.

While packets are captured, each packet is time stamped as it comes in. These time stamps will be saved to the capture file, so they also will be available for (later) analysis.

inaccurate.

7.5. Time Zones

If you travel across the planet, time zones can be confusing. If you get a capture file from somewhere around the world, time zones can even be a lot more confusing ;-)

First of all, there are two reasons why you may not need to think about time zones at all:

• You are only interested in the time differences between the packet time stamps and don't need to know the exact date and time of the captured packets (which is often the case).

7.5.1. Set your computer's time correctly!

If you work with people around the world, it's very helpful to set your computer's time and time zone right. You should set your computer's time and time zone in the correct sequence:

1. Set your time zone to your current location
2. Set your computer's clock to the local time

This way you will tell your computer both the local time and also the time offset to UTC.

Table 7.2. Time zone examples for UTC arrival times (without DST)

                            | Los Angeles | New York | Madrid | London | Berlin | Tokyo
Capture File (UTC)          | 10:00       | 10:00    | 10:00  | 10:00  | 10:00  | 10:00
Local Offset to UTC         | -8          | -5       | -1     | 0      | +1     | +9
Displayed Time (Local Time) | 02:00       | 05:00    | 09:00  | 10:00  | 11:00  | 19:00

An example: Let's assume that someone in Los Angeles captured a packet with Wireshark at exactly 2 o'clock local time and sends you this capture file.
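The two conversions that Table 7.2 and the example after it describe, from a local wall-clock time at the capturing machine to the UTC instant stored in the file, and from that stored instant to the time each viewer sees, as an added Python example (not from the guide and not Wireshark's code). The offsets are the ones the table lists for Los Angeles, New York, London, Berlin and Tokyo; the capture date and times are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Local offsets to UTC in hours, without DST, as listed in Table 7.2.
OFFSETS = {"Los Angeles": -8, "New York": -5, "London": 0, "Berlin": 1, "Tokyo": 9}


def stored_utc(local_hhmm: str, offset_hours: int, day=(2008, 1, 15)) -> datetime:
    """What goes into the capture file: the packet is seen at a local wall-clock
    time, but libpcap records seconds since the epoch, i.e. a UTC instant."""
    hh, mm = map(int, local_hhmm.split(":"))
    local_tz = timezone(timedelta(hours=offset_hours))
    return datetime(*day, hh, mm, tzinfo=local_tz).astimezone(timezone.utc)


def displayed_time(capture_utc: datetime, offset_hours: int) -> str:
    """What Wireshark shows for that stored instant on a machine whose clock is
    set to the given offset; the file itself is not changed by the viewer."""
    local = capture_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%H:%M")


def table_row(capture_utc: datetime) -> dict:
    """The 'Displayed Time' row of Table 7.2 for one stored instant."""
    return {city: displayed_time(capture_utc, off) for city, off in OFFSETS.items()}


# The example from the text: a packet seen at 02:00 local time in Los Angeles.
CAPTURE_UTC = stored_utc("02:00", OFFSETS["Los Angeles"])

if __name__ == "__main__":
    print("stored in file:", CAPTURE_UTC.isoformat())
    for city, shown in table_row(CAPTURE_UTC).items():
        print(f"{city:12s} shows {shown}")
```

The practical consequence for correlating a capture with logs from another site is that only the stored UTC instant is comparable; the displayed wall-clock time depends on the viewer's machine, which is why the two time zone settings in Section 7.5.1 must both be right.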
7.6. Packet Reassembling

7.6.1. What is it?

Network protocols often need to transport large chunks of data, which are complete in themselves, e.g. when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation of the network packet size), or is stream-based like TCP, which doesn't know data chunks at all. In that case the network protocol has to handle the chunk boundaries itself and (if required) spread the data over multiple packets.

2. the higher level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble fragmented protocol data. This too can often be enabled or disabled via the protocol preferences. The tooltip of the higher level protocol setting will notify you if and which lower level protocol setting also has to be considered.
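What "Follow TCP Stream" (Section 7.2) and TCP-level reassembly (this section) have to do before a higher level protocol such as HTTP can be dissected: put the payload bytes of one direction back in sequence-number order, drop retransmitted and overlapping data, and notice a hole where a segment never made it into the capture. This is an added, deliberately simplified Python example, not the guide's text and not Wireshark's reassembly code (which continues past holes and handles many more cases); the segments, addresses and HTTP text are constructed, with one segment captured out of order and one retransmitted.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str        # "ip:port" of the sender
    dst: str
    seq: int        # sequence number of the first payload byte
    payload: bytes


def reassemble_direction(segments, src, dst):
    """Rebuild one direction of a TCP stream as the application saw it.
    Returns (bytes, missing): segments are ordered by sequence number,
    retransmitted or overlapping data is discarded, and the first hole
    (e.g. a packet dropped by the capture) stops reassembly and is reported
    as the number of bytes that are missing before the next segment."""
    stream = bytearray()
    expected = None
    own = (s for s in segments if s.src == src and s.dst == dst)
    for seg in sorted(own, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                   # pure retransmission
        if seg.seq > expected:
            return bytes(stream), seg.seq - expected   # hole before this segment
        stream += seg.payload[expected - seg.seq:]     # drop an overlapping prefix
        expected = end
    return bytes(stream), 0


def follow_tcp_stream(segments, a, b):
    """Both directions, the way the "Follow TCP Stream" dialog offers them."""
    ab, gap_ab = reassemble_direction(segments, a, b)
    ba, gap_ba = reassemble_direction(segments, b, a)
    return {"a_to_b": ab, "b_to_a": ba, "missing": gap_ab + gap_ba}


CLIENT, SERVER = "10.0.0.5:40000", "192.168.1.20:80"

# Constructed segments (not a real capture): the client's request arrives in
# the capture out of order, and its first segment is retransmitted once.
SEGMENTS = [
    Segment(CLIENT, SERVER, 1026, b"Host: example.test\r\n"),
    Segment(CLIENT, SERVER, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment(CLIENT, SERVER, 1000, b"GET /index.html HTTP/1.1\r\n"),   # retransmission
    Segment(CLIENT, SERVER, 1046, b"\r\n"),
    Segment(SERVER, CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(SERVER, CLIENT, 5017, b"Content-Length: 2\r\n\r\nOK"),
]

if __name__ == "__main__":
    for direction, data in follow_tcp_stream(SEGMENTS, CLIENT, SERVER).items():
        print(direction, data)
```

The "missing" count is the piece of information to look at when a followed stream looks truncated: with a snaplen that cuts packets short (Section 4.5) or a capture that dropped packets, the bytes the application layer needs are simply not in the file, and no setting in the dissector can recover them.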
Advanced Topics 7.7. Name Resolution Name resolution tries to resolve some of the numerical address values into a human readable format. There are two possible ways to do these conversations, depending on the resolution to be done: calling system/network services (like the gethostname function) and/or evaluate from Wireshark specific configuration files. For details about the configuration files Wireshark uses for name resolution and alike, see Appendix A, Files and Folders.
Advanced Topics 7.7.3. IP name resolution (network layer) Try to resolve an IP address (e.g. 216.239.37.99) to something more "human readable". DNS/ADNS name resolution (system/library service): Wireshark will ask the operating system (or the ADNS library), to convert an IP address to the hostname associated with it (e.g. 216.239.37.99 -> www.1.google.com). The DNS service is using synchronous calls to the DNS server. So Wireshark will stop responding until a response to a DNS request is returned.
7.8. Checksums
Several network protocols use checksums to ensure data integrity.
Tip! Applying checksums as described here is also known as redundancy checking.
What are checksums for?
Checksums are used to ensure the integrity of data portions for data transmission or storage. A checksum is basically a calculated summary of such a data portion. Network data transmissions often produce errors, such as toggled, missing or duplicated bits.
7.8.2. Checksum offloading
The checksum calculation might be done by the network driver, protocol driver or even in hardware. For example: The Ethernet transmitting hardware calculates the Ethernet CRC32 checksum and the receiving hardware validates this checksum. If the received checksum is wrong Wireshark won't even see the packet, as the Ethernet hardware internally throws away the packet.
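The checksum behaviour described in this section, as an added example in Python (written for this text, not Wireshark's own code): the RFC 1071 ones-complement checksum used by IPv4, TCP and UDP, computed over a constructed IPv4 header, showing that a toggled bit is caught, that two swapped 16-bit words are not, and what a capture on a host with checksum offloading sees before the hardware fills the field in (assumed here to be a zero placeholder).

```python
import struct


def internet_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit big-endian words (RFC 1071), as used by
    the IPv4 header, TCP, UDP and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (sample data, not taken from a capture)
    with the checksum field filled in."""
    def ip2b(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version/IHL, DSCP/ECN, total length
                      0x1234, 0x4000,              # identification, flags + fragment offset
                      64, proto, 0,                # TTL, protocol, checksum placeholder
                      ip2b(src), ip2b(dst))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ipv4_checksum_ok(hdr: bytes) -> bool:
    """Verify the way a receiver (or Wireshark) does: summing the whole header,
    checksum field included, must give zero."""
    return internet_checksum(hdr) == 0


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single toggled bit in transit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def swap_words(data: bytes, word_a: int, word_b: int) -> bytes:
    """Simulate two 16-bit words being exchanged in transit. The sum is
    order-independent, so this error class is invisible to the checksum."""
    buf = bytearray(data)
    a, b = 2 * word_a, 2 * word_b
    buf[a:a + 2], buf[b:b + 2] = data[b:b + 2], data[a:a + 2]
    return bytes(buf)


def as_captured_with_offload(hdr: bytes) -> bytes:
    """With checksum offloading the capture on the sending host sees the header
    before the NIC computes the checksum; assumption: the stack left zero there."""
    return hdr[:10] + b"\x00\x00" + hdr[12:]


if __name__ == "__main__":
    good = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=40)
    print("intact header        :", ipv4_checksum_ok(good))                          # True
    print("one bit toggled      :", ipv4_checksum_ok(flip_bit(good, 8, 0)))          # False (TTL changed)
    print("two words swapped    :", ipv4_checksum_ok(swap_words(good, 6, 7)))        # True: not detected
    print("as captured, offload :", ipv4_checksum_ok(as_captured_with_offload(good)))  # False
```

The last case is why a capture taken on the sending host can show "bad" IP/TCP checksums for packets that were perfectly valid on the wire.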
Chapter 8. Statistics
8.1. Introduction
Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu. These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).
• General statistics:
  • Summary about the capture file.
  • Protocol Hierarchy of the captured packets.
  • Conversations e.g.
Statistics 8.2. The "Summary" window General statistics about the current capture file. Figure 8.1. The "Summary" window • File: general information about the capture file.
• Time: the timestamps when the first and the last packet were captured (and the time between them).
• Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
• Display: some display related information.
• Traffic: some statistics of the network traffic seen.
8.3. The "Protocol Hierarchy" window
The protocol hierarchy of the captured packets.
Figure 8.2. The "Protocol Hierarchy" window
This is a tree of all the protocols in the capture. You can collapse or expand subtrees by clicking on the plus / minus icons. By default, all trees are expanded. Each row contains the statistical values of one protocol. The Display filter will show the current display filter.
Note! Packets will usually contain multiple protocols, so more than one protocol will be counted for each packet. Example: In the screenshot IP has 99,17% and TCP 85,83% (which together is much more than 100%).
Note! Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not add up to the protocol's packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less.
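How the two notes above come about, as an added Python example (not Wireshark's code): the counting rule of the Protocol Hierarchy window applied to a constructed list of per-packet protocol stacks in the form of the frame.protocols field, showing layer percentages that add up to more than 100% and a TCP row whose sub-protocols do not add up to it.

```python
# Constructed sample: one protocol stack per captured packet, written the way
# Wireshark's frame.protocols field shows it (not taken from a real capture).
SAMPLE_STACKS = [
    "eth:ip:tcp:http", "eth:ip:tcp:http", "eth:ip:tcp", "eth:ip:tcp",
    "eth:ip:udp:dns", "eth:ip:udp:dns", "eth:ip:udp:dns", "eth:ip:tcp",
    "eth:arp", "eth:ip:tcp:http", "eth:ip:tcp", "eth:ip:icmp",
]


def protocol_hierarchy(stacks):
    """Count packets per protocol path, as the Protocol Hierarchy window does:
    a packet is counted once at every layer it contains."""
    counts = {}
    for stack in stacks:
        layers = stack.split(":")
        for depth in range(1, len(layers) + 1):
            path = tuple(layers[:depth])
            counts[path] = counts.get(path, 0) + 1
    return counts


def percent(counts, path, total_packets):
    """Share of all packets that contain this protocol path."""
    return round(100.0 * counts.get(path, 0) / total_packets, 2)


def children_total(counts, path):
    """Packets counted by the direct sub-protocols of `path`. This is below
    counts[path] whenever some packets stop at this layer (e.g. bare TCP ACKs)."""
    return sum(n for p, n in counts.items()
               if len(p) == len(path) + 1 and p[:-1] == path)


def render(counts, total_packets):
    """Indented text rendering of the tree, one row per protocol path."""
    lines = []
    for path in sorted(counts):
        indent = "  " * (len(path) - 1)
        lines.append(f"{indent}{path[-1]:<8}{counts[path]:>4} "
                     f"{percent(counts, path, total_packets):7.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    counts = protocol_hierarchy(SAMPLE_STACKS)
    total = len(SAMPLE_STACKS)
    print(render(counts, total))
    ip, tcp = ("eth", "ip"), ("eth", "ip", "tcp")
    print("IP + TCP percentages:", percent(counts, ip, total) + percent(counts, tcp, total))
    print("TCP packets:", counts[tcp], " counted by TCP sub-protocols:", children_total(counts, tcp))
```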
8.4. Conversations
Statistics of the captured conversations.
8.4.1. What is a Conversation?
A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses. The description of the known endpoint types can be found in Section 8.5.1, “What is an Endpoint?”.
8.4.2. The "Conversations" window
The conversations window is similar to the endpoints window; see Section 8.5.
8.4.3. The protocol specific "Conversation List" windows
Before the combined window described above was available, each of its pages was shown as a separate window. Even though the combined window is much more convenient to use, these separate windows are still available. The main reason is that they might process faster for very large capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
8.5. Endpoints
Statistics of the endpoints captured.
Tip! If you are looking for a feature other network tools call a hostlist, here is the right place to look. The list of Ethernet or IP endpoints is usually what you're looking for.
8.5.1. What is an Endpoint?
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer.
For each supported protocol, a tab is shown in this window. Each tab label shows the number of endpoints captured (e.g. the tab label "Ethernet: 5" tells you that five Ethernet endpoints have been captured). If no endpoints of a specific protocol were captured, the tab label will be greyed out (although the related page can still be selected). Each row in the list shows the statistical values for exactly one endpoint.
8.6. The "IO Graphs" window
User configurable graph of the captured network packets.
You can define up to five differently colored graphs.
Figure 8.5.
describe the Advanced feature.]
• Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, 500, ...)
The save button will save the currently displayed portion of the graph as one of various file formats. The save feature is only available when using GTK version 2.6 or higher (the latest Windows versions comply with this requirement) and Wireshark version 0.99.7 or higher.
The copy button will copy values from selected graphs to the clipboard in CSV (Comma Separated Values) format.
8.7. WLAN Traffic Statistics
Statistics of the captured WLAN traffic. This window will summarize the wireless network traffic found in the capture. Probe requests will be merged into an existing network if the SSID matches.
Figure 8.6. The "WLAN Traffic Statistics" window
Each row in the list shows the statistical values for exactly one wireless network. Name resolution will be done if selected in the window and if it is active for the MAC layer.
8.8. Service Response Time
The service response time is the time between a request and the corresponding response. This information is available for many protocols.
Service response time statistics are currently available for the following protocols:
• DCE-RPC
• Fibre Channel
• H.225 RAS
• LDAP
• MGCP
• ONC-RPC
• SMB
As an example, the DCE-RPC service response time is described in more detail.
Figure 8.8. The "DCE-RPC Statistic for ..." window
Each row corresponds to a method of the selected interface (so the EPM interface in version 3 has 7 methods). For each method, the number of calls and the SRT statistics are calculated.
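What the SRT window computes per method, as an added Python example (not Wireshark's code): responses are paired with their requests by call id, and calls, minimum, maximum and average response time are aggregated per opnum. The input is a constructed list of DCE-RPC-like PDUs; pairing only by call id is a simplification, since a real dissector also keys on the connection.

```python
from dataclasses import dataclass


@dataclass
class Srt:
    """Per-method service response time statistics, like one row of the DCE-RPC SRT window."""
    calls: int = 0
    min_ms: float = float("inf")
    max_ms: float = float("-inf")
    total_ms: float = 0.0

    @property
    def avg_ms(self) -> float:
        return self.total_ms / self.calls if self.calls else 0.0


# Constructed sample PDUs (not from a capture):
# (frame number, timestamp in ms, "req"/"rsp", call id, opnum of the interface method).
SAMPLE_PDUS = [
    (1, 0.0, "req", 1, 3), (2, 4.0, "rsp", 1, 3),
    (3, 10.0, "req", 2, 5), (4, 11.0, "req", 3, 3),
    (5, 30.0, "rsp", 3, 3), (6, 60.0, "rsp", 2, 5),
    (7, 70.0, "req", 4, 5),          # request that is never answered
    (8, 80.0, "rsp", 9, 3),          # response whose request was not captured
]


def service_response_times(pdus):
    """Match responses to requests by call id and aggregate SRT per opnum.
    Returns (stats by opnum, unanswered request frames, orphan response frames)."""
    pending = {}            # call id -> (frame, ts_ms, opnum) of outstanding requests
    stats = {}
    orphan_responses = []
    for frame, ts_ms, kind, call_id, opnum in pdus:
        if kind == "req":
            pending[call_id] = (frame, ts_ms, opnum)
            continue
        if call_id not in pending:
            orphan_responses.append(frame)      # nothing to measure against
            continue
        _, req_ts, req_opnum = pending.pop(call_id)
        srt = stats.setdefault(req_opnum, Srt())
        delta = ts_ms - req_ts
        srt.calls += 1
        srt.min_ms = min(srt.min_ms, delta)
        srt.max_ms = max(srt.max_ms, delta)
        srt.total_ms += delta
    unanswered = sorted(frame for frame, _, _ in pending.values())
    return stats, unanswered, orphan_responses


def render(stats) -> str:
    """Text table in the spirit of the SRT window: one row per method."""
    lines = [f"{'opnum':>5} {'calls':>5} {'min ms':>8} {'max ms':>8} {'avg ms':>8}"]
    for opnum in sorted(stats):
        s = stats[opnum]
        lines.append(f"{opnum:>5} {s.calls:>5} {s.min_ms:>8.3f} {s.max_ms:>8.3f} {s.avg_ms:>8.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats, unanswered, orphans = service_response_times(SAMPLE_PDUS)
    print(render(stats))
    print("unanswered requests:", unanswered, " orphan responses:", orphans)
```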
8.9. The protocol specific statistics windows
The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document. Some of these statistics are described at the http://wiki.wireshark.org/Statistics pages.
Chapter 9. Customizing Wireshark
9.1. Introduction
Wireshark's default behaviour will usually suit your needs pretty well. However, as you become more familiar with Wireshark, it can be customized in various ways to suit your needs even better.
Customizing Wireshark
9.2. Start Wireshark from the command line
You can start Wireshark from the command line, but it can also be started from most window managers as well. In this section we will look at starting it from the command line.
Wireshark supports a large number of command line parameters. To see what they are, simply enter the command wireshark -h and the help information shown in Example 9.1, “Help information available from Wireshark” (or something similar) should be printed.
Example 9.1.
task based?
-a -b  Specify a criterion that specifies when Wireshark is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:
       duration:value  Stop writing to a capture file after value seconds have elapsed.
       filesize:value  Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
supplied to the -i flag to specify an interface on which to capture. This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.
-N  Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present. The letter C enables concurrent (asynchronous) DNS lookups.
-Q  This option forces Wireshark to exit when capturing is complete. It can be used with the -c option. It must be used in conjunction with the -i and -w options.
-r  This option provides the name of a capture file for Wireshark to read and display. This capture file can be in one of the formats Wireshark understands.
-R  This option specifies a display filter to be applied when reading packets from a capture file.
9.3. Packet colorization
A very useful mechanism available in Wireshark is packet colorization. You can set up Wireshark so that it will colorize packets according to a filter. This allows you to emphasize the packets you are (usually) interested in.
Tip! You will find a lot of Coloring Rule examples at the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules.
There are two types of coloring rules in Wireshark.
If this is the first time you have used Coloring Rules, click on the New button which will bring up the Edit color filter dialog box as shown in Figure 9.2, “The "Edit Color Filter" dialog box”.
Figure 9.2. The "Edit Color Filter" dialog box
In the Edit Color dialog box, simply enter a name for the color filter, and enter a filter string in the Filter text field.
Figure 9.
Select the color you desire for the selected packets and click on OK.
Note! You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to select the color you want.
Figure 9.4, “Using color filters with Wireshark” shows an example of several color filters being used in Wireshark. You may not like the color choices; however, feel free to choose your own.
9.4. Control Protocol dissection
The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g.
To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted. Note that typing the first few letters of the protocol name when the Enabled Protocols dialog box is active will temporarily open a search text box and automatically select the first matching protocol name (if it exists).
Warning! You have to use the Save button to save your settings.
4. OK: Apply the changes and close the dialog box.
5. Apply: Apply the changes and keep the dialog box open.
6. Save: Save the settings to the disabled_protos file; see Appendix A, Files and Folders for details.
7. Cancel: Cancel the changes and close the dialog box.
9.4.2. User Specified Decodes
The "Decode As" functionality lets you temporarily divert specific protocol dissections. This might be useful, for example, if you do some uncommon experiments on your network.
3. Link/Network/Transport: Specify the network layer at which "Decode As" should take place. Which of these pages are available depends on the content of the selected packet when this dialog box is opened.
4. Show Current: Open a dialog box showing the current list of user specified decodes.
5. OK: Apply the currently selected decode and close the dialog box.
6. Apply: Apply the currently selected decode and keep the dialog box open.
7.
9.5. Preferences
There are a number of preferences you can set. Simply select the Preferences... menu item from the Edit menu, and Wireshark will pop up the Preferences dialog box as shown in Figure 9.8, “The preferences dialog box”, with the "User Interface" page as default. On the left side is a tree where you can select the page to be shown.
Note! Preference settings are added frequently.
9.5.1. Interface Options
In the Capture preferences it is possible to configure several options for the interfaces available on your computer. Select the Capture pane and press the Interfaces: Edit button. In this window it is possible to change the default link-layer header type for the interface, add a comment or choose to hide an interface from other parts of the program.
Figure 9.9.
9.6. Configuration Profiles
Configuration Profiles can be used to configure and use more than one set of preferences and configurations. Select the Configuration Profiles... menu item from the Edit menu, or simply press Shift-Ctrl-A, and Wireshark will pop up the Configuration Profiles dialog box as shown in Figure 9.10, “The configuration profiles dialog box”.
New
This button adds a new profile to the profiles list. The name of the created profile is "New profile" and can be changed in the Properties field.
Delete
This button deletes the selected profile, including all configuration files used in this profile. It is not possible to delete the "Default" profile.
Configuration Profiles
You can select a configuration profile from this list (which will fill in the profile name in the fields down at the bottom of the dialog box).
with a period (.), and cannot contain any of the following characters: \ / : * ? " < > |
On Unix the profile name cannot contain the '/' character.
OK
This button saves all changes, applies the selected profile and closes the dialog.
Apply
This button saves all changes, applies the selected profile and keeps the dialog open.
Cancel
Close this dialog. This will discard unsaved settings, new profiles will not be added and deleted profiles will not be deleted.
9.7. User Table
The User Table editor is used for managing various tables in Wireshark. Its main dialog works very similarly to that of Section 9.3, “Packet colorization”.
9.8. Display Filter Macros
Display Filter Macros are a mechanism to create shortcuts for complex filters. For example, defining a display filter macro named tcp_conv whose text is ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) ) would allow you to use a display filter like ${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} instead of typing the whole filter.
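The substitution a macro reference goes through, as an added Python example (not Wireshark's code): the tcp_conv macro from the text is expanded from its ${name:arg;arg;...} reference, with $N replaced by the Nth argument and a wrong argument count rejected. The MACROS dict is this example's own stand-in for the profile's macro table, not the on-disk file format.

```python
import re

# Constructed macro table keyed by name (the example's own format, not Wireshark's
# dfilter_macros file). The body is the tcp_conv macro quoted in the text above.
MACROS = {
    "tcp_conv": "( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)"
                " or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )",
}

MACRO_REF = re.compile(r"\$\{(\w+):([^}]*)\}")   # ${name:arg1;arg2;...} in a display filter
PARAM_REF = re.compile(r"\$(\d+)")                # $1, $2, ... inside a macro body


def macro_arity(body: str) -> int:
    """Highest $N referenced in the body, i.e. how many arguments a reference must pass."""
    return max((int(n) for n in PARAM_REF.findall(body)), default=0)


def expand_macros(filter_text: str, macros=MACROS) -> str:
    """Replace every ${name:args} in a display filter with the macro body,
    each $N substituted by the Nth semicolon-separated argument."""
    def substitute(match: re.Match) -> str:
        name, args = match.group(1), match.group(2).split(";")
        if name not in macros:
            raise ValueError(f"unknown display filter macro: {name}")
        body = macros[name]
        needed = macro_arity(body)
        if len(args) != needed:
            raise ValueError(f"macro {name} expects {needed} arguments, got {len(args)}")
        return PARAM_REF.sub(lambda m: args[int(m.group(1)) - 1], body)
    return MACRO_REF.sub(substitute, filter_text)


if __name__ == "__main__":
    print(expand_macros("${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}"))
    print(expand_macros("frame.len > 100 and ${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}"))
```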
9.9. GeoIP Database Paths
If your copy of Wireshark supports MaxMind's GeoIP library, you can use their databases to match IP addresses to countries, cities, autonomous system numbers, ISPs, and other bits of information. Some databases are available at no cost, while others require a licensing fee. See the MaxMind web site for more information.
This table is handled by a Section 9.7, “User Table” with the following fields.
path
This specifies a directory containing GeoIP data files.
9.10. Tektronix K12xx/15 RF5 protocols Table
The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are used by a certain interface. Wireshark doesn't read these stk files; it uses a table that helps it identify which lowest layer protocol to use.
Stk file to protocol matching is handled by a Section 9.7, “User Table” with the following fields.
9.11. SCCP users Table
Wireshark uses this table to map specific protocols to a certain DPC/SSN combination for SCCP.
This table is handled by a Section 9.7, “User Table” with the following fields.
ni
An integer representing the network indicator for which this association is valid.
called_pc
A range of integers representing the dpcs for which this association is valid.
called_ssn
A range of integers representing the ssns for which this association is valid.
9.12. SMI (MIB and PIB) Modules
If your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB modules here. The COPS and SNMP dissectors can use them to resolve OIDs.
name
The name of the module, e.g. IF-MIB.
9.13. SMI (MIB and PIB) Paths
If your copy of Wireshark supports libSMI, you can specify one or more paths to MIB and PIB modules here.
name
A module directory, e.g. /usr/local/snmp/mibs.
Wireshark automatically uses the standard SMI path for your system, so you usually don't have to add anything here.
9.14. SNMP users Table
Wireshark uses this table to verify authentication and to decrypt encrypted SNMPv3 packets.
This table is handled by a Section 9.7, “User Table” with the following fields.
engine_id
If given, this entry will be used only for packets whose engine id is this. This field takes a hexadecimal string in the form 0102030405.
userName
This is the userName.
9.15. User DLTs protocol table
When a pcap file uses one of the user DLTs (147 to 162), Wireshark uses this table to know which protocol(s) to use for each user DLT.
This table is handled by a Section 9.7, “User Table” with the following fields.
encap
One of the user dlts.
payload_proto
This is the name of the payload protocol (the lowest layer in the packet data). (e.g.
Chapter 10. Lua Support in Wireshark
10.1. Introduction
Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.
Lua Support in Wireshark 10.2. Example of Dissector written in Lua do local p_multi = Proto("multi","MultiProto"); local vs_protos = { [2] = "mtp2", [3] = "mtp3", [4] = "alcap", [5] = "h248", [6] = "ranap", [7] = "rnsap", [8] = "nbap" } local f_proto = ProtoField.uint8("multi.protocol","Protocol",base.DEC,vs_protos) local f_dir = ProtoField.uint8("multi.direction","Direction",base.DEC,{ [1] = "incoming", [ local f_text = ProtoField.string("multi.text","Text") p_multi.
10.3. Example of Listener written in Lua
-- This program will register a menu that will open a window with a count of occurrences
-- of every address in the capture
do
local function menuable_tap()
-- Declare the window we will use
local tw = TextWindow.new("Address Counter")
-- This will contain a hash of counters of appearances of a certain address
local ips = {}
-- this is our tap
local tap = Listener.
10.4. Wireshark's Lua API Reference Manual
This part of the User's Guide describes the Wireshark specific functions in the embedded Lua.
10.4.1. Saving capture files
10.4.1.1. Dumper
10.4.1.1.1. Dumper.new(filename, [filetype], [encap])
Creates a file to write packets. Dumper:new_for_current() will probably be a better choice.
10.4.1.1.1.1.
Creates a capture file using the same encapsulation as that of the current packet.
10.4.1.1.5.1. Arguments
filetype (optional)  The file type. Defaults to pcap.
10.4.1.1.5.2. Returns
The newly created Dumper object
10.4.1.1.5.3. Errors
• cannot be used outside a tap or a dissector
10.4.1.1.6. dumper:dump_current()
Dumps the current packet as it is.
10.4.1.1.6.1. Errors
• cannot be used outside a tap or a dissector
10.4.1.2.
vpi (optional)  VPI
vci (optional)  VCI
channel (optional)  Channel
cells (optional)  Number of cells in the PDU
aal5u2u (optional)  AAL5 User to User indicator
aal5len (optional)  AAL5 Len
10.4.1.2.3.2. Returns
The ATM pseudoheader
10.4.1.2.4. PseudoHeader.mtp2()
Creates an MTP2 PseudoHeader
10.4.1.2.4.1. Returns
The MTP2 pseudoheader
10.4.2. Obtaining dissection data
10.4.2.1. Field
A Field extractor to obtain field values.
10.4.2.1.1. Field.
10.4.2.2. FieldInfo
An extracted Field
10.4.2.2.1. fieldinfo:__len()
Obtain the Length of the field
10.4.2.2.2. fieldinfo:__unm()
Obtain the Offset of the field
10.4.2.2.3. fieldinfo:__call()
Obtain the Value of the field
10.4.2.2.4. fieldinfo:__tostring()
the string representation of the field
10.4.2.2.5. fieldinfo:__eq()
checks whether lhs is within rhs
10.4.2.2.5.1. Errors
• data source must be the same for both fields
10.4.2.2.6.
The offset of this field
10.4.2.3. Non Method Functions
10.4.2.3.1. all_field_infos()
obtain all fields from the current tree
10.4.2.3.1.1. Errors
• Cannot be called outside a listener or dissector
10.4.3. GUI support
10.4.3.1. ProgDlg
Manages a progress bar dialog.
10.4.3.1.1. ProgDlg.new([title], [task])
Creates a new TextWindow.
10.4.3.1.1.1. Arguments
title (optional)  Title of the new window, defaults to "Progress".
task (optional)  Current task, defaults to "".
10.4.3.
true if the user has asked to stop the progress.
10.4.3.1.3.2. Errors
• cannot be called for something not a ProgDlg
10.4.3.1.4. progdlg:close()
Appends text
10.4.3.1.4.1. Errors
• cannot be called for something not a ProgDlg
10.4.3.2. TextWindow
Manages a text window.
10.4.3.2.1. TextWindow.new([title])
Creates a new TextWindow.
10.4.3.2.1.1. Arguments
title (optional)  Title of the new window.
10.4.3.2.1.2. Returns
The newly created TextWindow object.
10.4.3.2.2.
10.4.3.2.3.2. Returns
The TextWindow object.
10.4.3.2.3.3. Errors
• cannot be called for something not a TextWindow
10.4.3.2.4. textwindow:append(text)
Appends text
10.4.3.2.4.1. Arguments
text  The text to be appended
10.4.3.2.4.2. Returns
The TextWindow object.
10.4.3.2.4.3. Errors
• cannot be called for something not a TextWindow
10.4.3.2.5. textwindow:prepend(text)
Prepends text
10.4.3.2.5.1. Arguments
text  The text to be prepended
10.4.3.2.5.2.
10.4.3.2.7. textwindow:get_text()
Get the text of the window
10.4.3.2.7.1. Returns
The TextWindow's text.
10.4.3.2.7.2. Errors
• cannot be called for something not a TextWindow
10.4.3.2.8. textwindow:set_editable([editable])
Make this window editable
10.4.3.2.8.1. Arguments
editable (optional)  A boolean flag, defaults to true
10.4.3.2.8.2. Returns
The TextWindow object.
10.4.3.2.8.3. Errors
• cannot be called for something not a TextWindow
10.4.3.2.9.
10.4.3.3.2. register_menu(name, action, [group])
Register a menu item in one of the main menus.
10.4.3.3.2.1. Arguments
name  The name of the menu item. The submenus are to be separated by '/'s. (string)
action  The function to be called when the menu item is invoked. (function taking no arguments and returning nothing)
group (optional)  The menu group into which the menu item is to be inserted. If omitted, defaults to MENU_STAT_GENERIC.
10.4.3.3.6.1. Arguments
filename  The name of the file to be opened.
filter  A filter to be applied as the file gets opened.
10.4.3.3.7. set_filter(text)
set the main filter text
10.4.3.3.7.1. Arguments
text  The filter's text.
10.4.3.3.8. apply_filter()
apply the filter in the main filter box
10.4.3.3.9. reload()
reload the current capture file
10.4.3.3.10. browser_open_url(url)
open a URL in a browser
10.4.3.3.10.1. Arguments
url  The URL.
10.4.3.3.11.
filter (optional)  a filter that, when it matches, causes the tap.packet function to be called (use nil to be called for every packet)
10.4.4.1.1.2. Returns
The newly created Listener listener object
10.4.4.1.1.3. Errors
• tap registration error
10.4.4.1.2. listener:remove()
Removes a tap listener
10.4.4.1.3. listener.packet
A function that will be called once every packet matches the Listener listener filter.
function tap.packet(pinfo,tvb,userdata) ... end
10.4.4.1.4. listener.
10.4.5.1.4. address:__le()
compares two Addresses
10.4.5.1.5. address:__lt()
compares two Addresses
10.4.5.2. Column
A Column in the packet list
10.4.5.2.1. column:__tostring()
10.4.5.2.1.1. Returns
A string representing the column
10.4.5.2.2. column:clear()
Clears a Column
10.4.5.2.3. column:set(text)
Sets the text of a Column
10.4.5.2.3.1. Arguments
text  The text to which to set the Column
10.4.5.2.4. column:append(text)
Appends text to a Column
10.4.5.2.4.1.
10.4.5.3.2. columns:__newindex(column, text)
Sets the text of a specific column
10.4.5.3.2.1. Arguments
column  the name of the column to set
text  the text for the column
10.4.5.4. Pinfo
Packet information
10.4.5.4.1. pinfo.number
The number of this packet in the current file
10.4.5.4.2. pinfo.len
The length of the frame
10.4.5.4.3. pinfo.caplen
The captured length of the frame
10.4.5.4.4. pinfo.abs_ts
When the packet was captured
10.4.5.4.5. pinfo.
higher Address of this Packet
10.4.5.4.13. pinfo.dl_src
Data Link Source Address of this Packet
10.4.5.4.14. pinfo.dl_dst
Data Link Destination Address of this Packet
10.4.5.4.15. pinfo.net_src
Network Layer Source Address of this Packet
10.4.5.4.16. pinfo.net_dst
Network Layer Destination Address of this Packet
10.4.5.4.17. pinfo.ptype
Type of Port of .src_port and .dst_port
10.4.5.4.18. pinfo.src_port
Source Port of this Packet
10.4.5.4.19. pinfo.
10.4.5.4.28. pinfo.private_data
Access to private data
10.4.6. Functions for writing dissectors
10.4.6.1. Dissector
A reference to a dissector, used to call a dissector against a packet or a part of it.
10.4.6.1.1. Dissector.get(name) *
Obtains a dissector reference by name
10.4.6.1.1.1. Arguments
name  The name of the dissector
10.4.6.1.1.2. Returns
The Dissector reference
10.4.6.1.2.
The newly created DissectorTable
10.4.6.2.2. DissectorTable.get(tablename)
Obtain a reference to an existing dissector table.
10.4.6.2.2.1. Arguments
tablename  The short name of the table.
10.4.6.2.2.2. Returns
The DissectorTable
10.4.6.2.3. dissectortable:add(pattern, dissector)
Add a dissector to a table.
10.4.6.2.3.1. Arguments
pattern  The pattern to match (either an integer or a string depending on the table's type).
10.4.6.2.6.2. Returns
The dissector handle if found, nil if not found
10.4.6.3. Pref
A preference of a Protocol.
10.4.6.3.1. Pref.bool(label, default, descr) *
Creates a boolean preference to be added to a Protocol's prefs table.
10.4.6.3.1.1. Arguments
label  The Label (text in the right side of the preference input) for this preference
default  The default value for this preference
descr  A description of what this preference is
10.4.6.3.2. Pref.
enum  enum
radio  radio_button or combobox
10.4.6.3.5. Pref.range(label, default, descr, range, max) *
Creates a range preference to be added to a Protocol's prefs table.
10.4.6.3.5.1. Arguments
label  The Label (text in the right side of the preference input) for this preference
default  The default value for this preference
descr  A description of what this preference is
range  The range
max  The maximum value
10.4.6.3.6. Pref.
name  The abbreviation of this preference
10.4.6.4.2.2. Returns
the current value of the preference
10.4.6.4.2.3. Errors
• unknown Pref type
10.4.6.5. Proto
A new protocol in Wireshark. Protocols have more uses; the main one is to dissect a protocol, but they can also be just dummies used to register preferences for other purposes.
10.4.6.5.1. Proto.new(name, desc)
10.4.6.5.1.1.
name  Actual name of the field (the string that appears in the tree).
abbr  Filter name of the field (the string that is used in filters).
type  Field Type (FT_*).
valuestring (optional)  a ValueString object.
base (optional)  The representation BASE_*.
mask (optional)  the bitmask to be used.
descr (optional)  The description of the field.
10.4.6.6.1.2. Returns
The newly created ProtoField object
10.4.6.6.2. ProtoField.
10.4.6.6.4.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
base (optional)  one of base.DEC, base.HEX or base.OCT
valuestring (optional)  a table containing the text that corresponds to the values
mask (optional)  integer mask of this field
desc (optional)  description of the field
10.4.6.6.4.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.5.
10.4.6.6.7. ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc])
10.4.6.6.7.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
base (optional)  one of base.DEC, base.HEX or base.OCT
valuestring (optional)  a table containing the text that corresponds to the values
mask (optional)  integer mask of this field
desc (optional)  description of the field
10.4.
a protofield item to be added to a ProtoFieldArray
10.4.6.6.10. ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc])
10.4.6.6.10.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
base (optional)  one of base.DEC, base.HEX or base.
desc (optional)  description of the field
10.4.6.6.12.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.13. ProtoField.ipv4(abbr, [name], [desc])
10.4.6.6.13.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
desc (optional)  description of the field
10.4.6.6.13.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.14. ProtoField.
desc (optional)  description of the field
10.4.6.6.16.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.17. ProtoField.double(abbr, [name], [desc])
10.4.6.6.17.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
desc (optional)  description of the field
10.4.6.6.17.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.18. ProtoField.
desc (optional)  description of the field
10.4.6.6.20.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.21. ProtoField.ubytes(abbr, [name], [desc])
10.4.6.6.21.1. Arguments
abbr  abbreviated name of the field (the string used in filters)
name (optional)  Actual name of the field (the string that appears in the tree)
desc (optional)  description of the field
10.4.6.6.21.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.6.22. ProtoField.
desc (optional)  description of the field
10.4.6.6.24.2. Returns
a protofield item to be added to a ProtoFieldArray
10.4.6.7. Non Method Functions
10.4.6.7.1. register_postdissector(proto)
make a protocol (with a dissector) a postdissector. It will be called for every frame after dissection
10.4.6.7.1.1. Arguments
proto  the protocol to be used as postdissector
10.4.7. Adding information to the dissection tree
10.4.7.1.
text  The text to be appended.
10.4.7.1.5. treeitem:set_expert_flags([group], [severity])
Sets the expert flags of the item.
10.4.7.1.5.1. Arguments
group (optional)  One of PI_CHECKSUM, PI_SEQUENCE, PI_RESPONSE_CODE, PI_REQUEST_CODE, PI_UNDECODED, PI_REASSEMBLE, PI_MALFORMED or PI_DEBUG
severity (optional)  One of PI_CHAT, PI_NOTE, PI_WARN, PI_ERROR
10.4.7.1.6.
concatenate two ByteArrays
10.4.8.1.2.1. Arguments
first first array
second second array
10.4.8.1.2.2. Returns The new composite ByteArray.
10.4.8.1.2.3. Errors
• both arguments must be ByteArrays
10.4.8.1.3. bytearray:prepend(prepended)
prepend a ByteArray to this ByteArray
10.4.8.1.3.1. Arguments
prepended array to be prepended
10.4.8.1.3.2. Errors
• both arguments must be ByteArrays
10.4.8.1.4. bytearray:append(appended)
append a ByteArray to this ByteArray
10.4.8.1.4.
• ByteArray size must be non-negative
10.4.8.1.6. bytearray:set_index(index, value)
sets the value of an index of a ByteArray.
10.4.8.1.6.1. Arguments
index the position of the byte to be set
value the char value to set [0-255]
10.4.8.1.7. bytearray:get_index(index)
get the value of a byte in a ByteArray
10.4.8.1.7.1. Arguments
index the position of the byte to be read
10.4.8.1.7.2. Returns The value [0-255] of the byte.
10.4.8.1.8.
A Tvb represents the packet's buffer. It is passed as an argument to listeners and dissectors, and can be used to extract information (via TvbRange) from the packet's data. Beware that Tvbs are usable only by the current listener or dissector call and are destroyed as soon as the listener/dissector returns, so references to them are unusable once the function has returned.
* a TvbRange represents a usable range of a Tvb and is used to extract data from the Tvb that generated it
* TvbRanges are created by calling a tvb (e.g. tvb(offset,length)). If the TvbRange span is outside the Tvb's range the creation will cause a runtime error.
10.4.8.4.1. tvb:range([offset], [length])
creates a tvbr from this Tvb. This is used also as the Tvb:__call() metamethod.
10.4.8.4.1.1. Arguments
offset (optional) The offset (in octets) from the beginning of the Tvb.
10.4.8.4.8. tvbrange:ipv4()
get an IPv4 Address from a TvbRange.
10.4.8.4.8.1. Returns the IPv4 Address
10.4.8.4.9. tvbrange:le_ipv4()
get a little-endian IPv4 Address from a TvbRange.
10.4.8.4.9.1. Returns the IPv4 Address
10.4.8.4.10. tvbrange:ether()
get an Ethernet Address from a TvbRange.
10.4.8.4.10.1. Returns the Ethernet Address
10.4.8.4.10.2. Errors
• The range must be 6 bytes long
10.4.8.4.11. tvbrange:string()
obtain a string from a TvbRange
10.4.8.4.11.1.
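The following is an added example; it is not code from the Wireshark User's Guide or from the Wireshark project. It ties together the ProtoField constructors, tvb:range()/TvbRange accessors (ipv4(), ether(), uint(), bytes()), ByteArray get_index() and treeitem:set_expert_flags() described in the sections above in one small dissector. The "demo" protocol, its wire layout, UDP port 9999 and the 8-bit additive checksum rule are all assumptions made up for the example. It also shows the check the TvbRange caveat calls for: slicing outside the Tvb raises a runtime error, so the dissector tests buf:len() before slicing and marks short packets with PI_MALFORMED instead of letting a truncated or hostile packet abort dissection with a Lua error.

```lua
-- Added example (not from the Wireshark User's Guide or the Wireshark
-- project).  The "demo" protocol, its layout, the port and the checksum
-- rule are assumptions made for this example, not a real protocol.
--
-- Assumed layout (offsets in octets):
--   0      version (uint8)
--   1      flags   (uint8)
--   2..5   client IPv4 address
--   6..11  client Ethernet address
--   12..N  payload; the last byte is an 8-bit additive checksum of the
--          preceding payload bytes
local HEADER_LEN = 12
local DEMO_PORT  = 9999            -- assumed UDP port

local p_demo = Proto("demo", "Demo Protocol (example)")

-- ProtoField.uint8(abbr, name, base), ProtoField.ipv4/ether/bytes(abbr, name)
local f_ver   = ProtoField.uint8("demo.version",    "Version",  base.DEC)
local f_flags = ProtoField.uint8("demo.flags",      "Flags",    base.HEX)
local f_ip    = ProtoField.ipv4 ("demo.client_ip",  "Client IPv4 address")
local f_mac   = ProtoField.ether("demo.client_mac", "Client Ethernet address")
local f_data  = ProtoField.bytes("demo.payload",    "Payload")
local f_sum   = ProtoField.uint8("demo.checksum",   "Checksum", base.HEX)

p_demo.fields = { f_ver, f_flags, f_ip, f_mac, f_data, f_sum }

-- 8-bit additive checksum over a ByteArray, read byte by byte with
-- get_index() (0-based).
local function additive_sum(ba)
  local sum = 0
  for i = 0, ba:len() - 1 do
    sum = (sum + ba:get_index(i)) % 256
  end
  return sum
end

function p_demo.dissector(buf, pkt, root)
  pkt.cols.protocol:set("DEMO")
  local tree = root:add(p_demo, buf())

  -- A TvbRange outside the Tvb raises a runtime error, so check the
  -- length first and report the problem as an expert item instead.
  if buf:len() < HEADER_LEN then
    tree:append_text(" [truncated header]")
    tree:set_expert_flags(PI_MALFORMED, PI_ERROR)
    return
  end

  tree:add(f_ver,   buf(0, 1))
  tree:add(f_flags, buf(1, 1))
  tree:add(f_ip,    buf(2, 4))   -- rendered via tvbrange:ipv4()
  tree:add(f_mac,   buf(6, 6))   -- tvbrange:ether() needs exactly 6 bytes

  local rest = buf:len() - HEADER_LEN
  if rest < 2 then
    -- room for at least one payload byte plus the checksum is required
    tree:append_text(" [payload too short]")
    tree:set_expert_flags(PI_MALFORMED, PI_WARN)
    return
  end

  local payload = buf(HEADER_LEN, rest - 1)      -- everything but the last byte
  local sum_rng = buf(HEADER_LEN + rest - 1, 1)  -- the last byte
  tree:add(f_data, payload)
  local sum_item = tree:add(f_sum, sum_rng)

  -- Verify the checksum: tvbrange:bytes() gives a ByteArray to index.
  local expected = additive_sum(payload:bytes())
  local actual   = sum_rng:uint()
  if expected ~= actual then
    sum_item:append_text(string.format(" [incorrect, should be 0x%02x]", expected))
    sum_item:set_expert_flags(PI_CHECKSUM, PI_ERROR)
  end
end

-- Hook the dissector into the UDP port table so it is actually invoked.
DissectorTable.get("udp.port"):add(DEMO_PORT, p_demo)
```

Save the file in the personal plugins folder (or load it with dofile() from init.lua) and send UDP traffic to the assumed port; packets shorter than the header show the [truncated header] marker with a PI_MALFORMED/PI_ERROR expert item, and a bad trailing byte is flagged as a PI_CHECKSUM error without disturbing the rest of the tree.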
10.4.9. Utility Functions
10.4.9.1. Dir
A Directory
10.4.9.1.1. Dir.open(pathname, [extension])
usage: for filename in Dir.open(path) do ... end
10.4.9.1.1.1. Arguments
pathname the pathname of the directory
extension (optional) if given, only files with this extension will be returned
10.4.9.1.1.2. Returns the Dir object
10.4.9.1.2. dir:__call()
at every invocation will return one file (nil when done)
10.4.9.1.3. dir:close()
closes the directory
10.4.9.2.
10.4.9.2.3.1. Arguments
text message
10.4.9.2.4. critical(...)
Will add a log entry with critical severity
10.4.9.2.4.1. Arguments
... objects to be printed
10.4.9.2.5. warn(...)
Will add a log entry with warn severity
10.4.9.2.5.1. Arguments
... objects to be printed
10.4.9.2.6. message(...)
Will add a log entry with message severity
10.4.9.2.6.1. Arguments
... objects to be printed
10.4.9.2.7. info(...)
Will add a log entry with info severity
10.4.9.2.7.1. Arguments
...
filename name of the file to be loaded
10.4.9.2.10. dofile(filename)
Lua's dofile() has been modified so that if a file does not exist in the current directory it will look for it in Wireshark's user and system directories. Because of this fallback, a relative filename that is missing from the current directory resolves to whatever file of that name exists in the personal or system directory, so prefer an explicit path (for example one built with persconffile_path()) when loading code.
10.4.9.2.10.1. Arguments
filename name of the file to be run
10.4.9.2.11. persconffile_path([filename])
10.4.9.2.11.1. Arguments
filename (optional) a filename
10.4.9.2.11.2. Returns the full pathname for a file in the personal configuration directory
10.
Appendix A. Files and Folders A.1. Capture Files To understand which information will remain available after the captured packets are saved to a capture file, it's helpful to know a bit about the capture file contents. Wireshark uses the libpcap file format as the default format to save captured packets; this format has existed for a long time and it's pretty simple. However, it has some drawbacks: it's not extensible and lacks some information that would be really helpful (e.g.
• time references set with "Edit/Time Reference"
• the current display filter
• ...
A.2. Configuration Files and Folders
Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.
Tip
A list of the folders Wireshark actually uses can be found under the Folders tab in the dialog box shown when you select About Wireshark from the Help menu.
File/Folder   Description        Unix/Linux folders                                                                             Windows folders
plugins                          /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins   %APPDATA%\Wireshark\plugins
temp          Temporary files.   Environment: TMPDIR                                                                            Environment: TMPDIR or TEMP
Windows folders
%APPDATA% points to the personal configuration folder, e.g.: C:\Documents and Settings\<username>\Application Data (details can be found at: Section A.3.
written to disk when you press the Save button in the "Capture Filters" dialog box.
dfilters This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<filter name>" <filter string>
The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box.
00:00:01 Xerox # XEROX CORPORATION
The settings from this file are read in at program start and never written by Wireshark.
hosts Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPv4 and IPv6 addresses into names. This file has the same format as the usual /etc/hosts file on Unix systems. An example is:
# Comments must be prepended by the # sign!
192.168.0.
ipxnets Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPX network numbers into names. An example is:
C0.A8.2C.00    HR
c0-a8-1c-00    CEO
00:00:BE:EF    IT_Server1
110f           FileServer3
The settings from this file are read in at program start and never written by Wireshark.
plugins folder Wireshark searches for plugins in the directories listed in Table A.1, “Configuration files and folders overview”. They are searched in the order listed.
A.3. Windows folders
Here you will find some details about the folders used in Wireshark on different Windows versions. As already mentioned, you can find the currently used folders in the About Wireshark dialog.
A.3.1. Windows profiles
Windows uses some special directories to store user configuration files which define the "user profile".
able will be set by the Windows installer.
Appendix B. Protocols and Protocol Fields Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.
Appendix C. Wireshark Messages
Wireshark provides you with additional information generated out of the plain packet data, or it may need to indicate dissection problems. Messages generated by Wireshark are usually placed in square brackets [].
C.1. Packet List Messages
These messages might appear in the packet list.
C.1.1. [Malformed Packet]
Malformed packet means that the protocol dissector can't dissect the contents of the packet any further.
C.2. Packet Details Messages
These messages might appear in the packet details.
C.2.1. [Response in frame: 123]
The current packet is the request of a detected request/response pair. You can directly jump to the corresponding response packet just by double clicking on this message.
C.2.2. [Request in frame: 123]
Same as "Response in frame: 123" above, but the other way round.
C.2.3. [Time from request: 0.123 seconds]
The time between the request and the response packets.
C.2.4.
Appendix D. Related command line tools D.1. Introduction Besides the Wireshark GUI application, there are some command line tools which can be helpful for doing some more specialized things. These tools will be described in this chapter.
D.2. tshark: Terminal-based Wireshark
TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as wireshark. For more information on tshark, see the manual pages (man tshark).
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
There are occasions when you want to capture packets using tcpdump rather than wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture).
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap's native capture file format is libpcap format, which is also the format used by Wireshark, tcpdump and various other tools.
D.5. capinfos: Print information about capture files
Included with Wireshark is a small utility called capinfos, which is a command-line utility to print information about binary capture files.
Example D.2. Help information available from capinfos
$ capinfos -h
Capinfos 0.99.6
Prints information about capture files.
See http://www.wireshark.org for more information.
D.6. editcap: Edit capture files
Included with Wireshark is a small utility called editcap, which is a command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as to print information about capture files.
Example D.3. Help information available from editcap
$ editcap -h
Editcap 0.99.6
Edit and/or translate the format of capture files.
rawip - Raw IP
arcnet - ARCNET
arcnet_linux - Linux ARCNET
atm-rfc1483 - RFC 1483 ATM
linux-atm-clip - Linux ATM CLIP
lapb - LAPB
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
null - NULL
ascend - Lucent/Ascend access equipment
isdn - ISDN
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ppp-with-direction - PPP with Directional Info
ieee-802-11 - IEEE 802.11 Wireless LAN
prism - IEEE 802.11 plus Prism II monitor mode header
ieee-802-11-radio - IEEE 802.
Where each option has the following meaning:
-r This option specifies that the frames listed should be kept, not deleted. The default is to delete the listed frames.
-h This option provides help.
-v This option specifies verbose operation. The default is silent operation.
-T {encap type} This option specifies the frame encapsulation type to use. It is mainly for converting funny captures to something that Wireshark can deal with.
D.7. mergecap: Merging multiple capture files into one
Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read libpcap capture files, including those of tcpdump.
atm-rfc1483 - RFC 1483 ATM
linux-atm-clip - Linux ATM CLIP
lapb - LAPB
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
null - NULL
ascend - Lucent/Ascend access equipment
isdn - ISDN
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ppp-with-direction - PPP with Directional Info
ieee-802-11 - IEEE 802.11 Wireless LAN
prism - IEEE 802.11 plus Prism II monitor mode header
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
ieee-802-11-bsd - IEEE 802.
Note: when merging, mergecap assumes that packets within a capture file are already in chronological order.
-s Sets the snapshot length to use when writing the data.
-w Sets the output filename.
-T Sets the packet encapsulation type of the output capture file.
-F Sets the file format of the output capture file.
A simple example merging dhcp-capture.libpcap and imap-1.libpcap into outfile.libpcap is shown below.
Example D.5.
D.8. text2pcap: Converting ASCII hexdumps to network captures
There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file. Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets.
specifies output filename (use - for standard output)
[options] are one or more of the following
-h              : Display this help message
-d              : Generate detailed debug of parser states
-o hex|oct      : Parse offsets as (h)ex or (o)ctal. Default is hex
-l typenum      : Specify link-layer type number. Default is 1 (Ethernet). See net/bpf.
-q
-e l3pid
-i proto
-m max-packet
-u srcp,destp
-T srcp,destp
-s srcp,dstp,tag
-S srcp,dstp,ppi
-t timefmt
packet.
-u srcport,destport Include dummy UDP headers before each packet. Specify the source and destination UDP ports for the packet in decimal. Use this option if your dump is the UDP payload of a packet but does not include any UDP, IP or Ethernet headers. Note that this automatically includes appropriate Ethernet and IP headers with each packet. Example: -u 1000,69 to make the packets look like TFTP/UDP packets.
D.9. idl2wrs: Creating dissectors from CORBA IDL files
In an ideal world idl2wrs would be mentioned in the users guide in passing and documented in the developers guide. As the developers guide has not yet been completed it will be documented here.
D.9.1. What is it?
As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP.
Procedure for converting a CORBA idl file into a Wireshark dissector
1. To write the C code to stdout. idl2wrs e.g.: idl2wrs echo.idl
2. To write to a file, just redirect the output. idl2wrs echo.idl > packet-test-idl.c
You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection. If you don't want to use the shell script wrapper, then try steps 3 or 4 instead.
3. To write the C code to stdout.
make
8. Good Luck !!
D.9.4. TODO
1. Exception code not generated (yet), but can be added manually.
2. Enums not converted to symbolic values (yet), but can be added manually.
3. Add command line options etc
4. More I am sure :-)
D.9.5. Limitations
See the TODO list inside packet-giop.c
D.9.6. Notes
1. The "-p ./" option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory.
Appendix E. This Document's License (GPL) As with the original licence and documentation distributed with Wireshark, this document is covered by the GNU General Public Licence (GNU GPL). If you haven't read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10.
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library.