Wireshark User's Guide for Wireshark 1.
Wireshark User's Guide: for Wireshark 1.9 by Ulf Lamping, Richard Sharpe, and Ed Warnicke. Copyright © 2004-2012 Ulf Lamping, Richard Sharpe, Ed Warnicke. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. All logos and trademarks in this document are property of their respective owner.
Preface
1. Foreword
Wireshark is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Wireshark because of the lack of documentation. This document is part of an effort by the Wireshark team to improve the usability of Wireshark. We hope that you find it useful, and look forward to your comments.
2. Who should read this document?
The intended audience of this book is anyone using Wireshark.
• Ashok Narayanan, from whose text2pcap man page Section D.9, “text2pcap: Converting ASCII hexdumps to network captures” is derived.
• Frank Singleton, from whose README.idl2wrs Section D.10, “idl2wrs: Creating dissectors from CORBA IDL files” is derived.
4. About this document
This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It is written in DocBook/XML.
Chapter 1. Introduction
1.1. What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
Figure 1.1, “Wireshark captures packets and allows you to examine their content.” shows Wireshark having captured some packets and waiting for you to examine them.
Figure 1.1. Wireshark captures packets and allows you to examine their content.
1.1.3. Live capture from many different network media
Wireshark can capture traffic from many different network media types, including (despite its name) wireless LAN.
1.1.7. Open Source Software
Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!
1.1.8.
• A supported network card for capturing:
• Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.
• 802.11: See the Wireshark wiki page. Capturing raw 802.11 information may be difficult without special equipment.
• Other media: See http://wiki.wireshark.
• NetBSD
• OpenPKG
• Red Hat Enterprise/Fedora Linux
• rPath Linux
• Sun Solaris/i386
• Sun Solaris/Sparc
• Canonical Ubuntu
If a binary package is not available for your platform, you should download the source and try to build it. Please report your experiences to wireshark-dev[AT]wireshark.org.
1.3. Where to get Wireshark?
You can get the latest copy of the program from the Wireshark website: http://www.wireshark.org/download.html.
1.5. Development and maintenance of Wireshark
Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark team, a loose group of individuals who fix bugs and provide new functionality. There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue.
1.6.3. Q&A Forum
The Wireshark Q and A forum at http://ask.wireshark.org offers a resource where questions and answers come together. You can search for questions that were asked before and the answers given by people who knew about the issue. Answers are graded, so you can pick out the best ones easily. If your issue hasn't been discussed before, you can post a question yourself.
1.6.4. FAQ
The "Frequently Asked Questions" list often asked questions and the corresponding answers.
1. The version number of Wireshark and the dependent libraries linked with it, e.g. GTK+, etc. You can obtain this from the about dialog box of Wireshark, or with the command wireshark -v.
2. Information about the platform you run Wireshark on.
3. A detailed description of your problem.
4. If you get an error/warning message, copy the text of that message (and also a few lines before and after it, if there are some), so others may find the place where things go wrong.
1.6.8. Reporting Crashes on Windows platforms
The Windows distributions don't contain the symbol files (.pdb), because they are very large. For this reason it's not possible to create a meaningful backtrace file from them. You should report your crash just like other problems, using the mechanism described above.
Chapter 2. Building and Installing Wireshark
2.1. Introduction
As with all things, there must be a beginning, and so it is with Wireshark. To use Wireshark, you must:
• Obtain a binary package for your operating system, or
• Obtain the source and build Wireshark for your operating system.
Currently, several Linux distributions ship Wireshark, but they commonly ship an out-of-date version. No other versions of UNIX ship Wireshark so far, and Microsoft does not ship it with any version of Windows.
current released version, as they are contributed by people who have the platforms they are built for. For this reason, you might want to pull down the source distribution and build it, as the process is relatively simple.
2.3. Before you build Wireshark under UNIX
Before you build Wireshark from sources, or install a binary package, you must ensure that you have the following other packages installed:
• GTK+, The GIMP Tool Kit. You will also need Glib.
You should consult the GTK+ web site if any errors occur in carrying out the instructions in Example 2.1, “Building GTK+ from source”. If you have downloaded the source to libpcap, the general instructions shown in Example 2.2, “Building and installing libpcap” will assist in building it. Also, if your operating system does not support tcpdump, you might also want to download it from the tcpdump web site and install it.
Example 2.2.
2.4. Building Wireshark from source under UNIX
Use the following general steps if you are building Wireshark from source under a UNIX operating system:
1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:
tar zxvf wireshark-1.9-tar.gz
For other versions of UNIX, you will want to use the following commands:
gzip -d wireshark-1.9-tar.gz
tar xvf wireshark-1.
2.5. Installing the binaries under UNIX
In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.
2.5.1.
pkg_add -r wireshark
pkg_add should take care of all of the dependency issues for you.
2.6. Troubleshooting during the install on Unix
A number of errors can occur during the installation process. Some hints on solving these are provided here. If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problem.
2.8.1.1. "Choose Components" page
Wireshark
• Wireshark GTK - Wireshark is a GUI network protocol analyzer.
• TShark - TShark is a command-line based network protocol analyzer.
Plugins / Extensions (for the Wireshark and TShark dissection engines):
• Dissector Plugins - Plugins with some extended dissections.
• Tree Statistics Plugins - Plugins with some extended statistics.
• Start WinPcap service "NPF" at startup - so users without administrative privileges can capture.
More WinPcap info:
• Wireshark related: http://wiki.wireshark.org/WinPcap
• General WinPcap info: http://www.winpcap.org
2.8.1.4. Command line options
You can simply start the Wireshark installer without any command line parameters; it will then show you the usual interactive installer.
2.8.3. Update Wireshark
From time to time you may want to update your installed Wireshark to a more recent version. If you join Wireshark's announce mailing list, you will be informed about new Wireshark versions; see Section 1.6.5, “Mailing Lists” for details on how to subscribe to this list. New versions of Wireshark usually become available every 4 to 8 months. Updating Wireshark is done the same way as installing it: you simply download and start the installer exe.
Chapter 3. User Interface
3.1. Introduction
By now you have installed Wireshark and are most likely keen to get started capturing your first packets. In the next chapters we will explore:
• How the Wireshark user interface works
• How to capture packets in Wireshark
• How to view packets in Wireshark
• How to filter packets in Wireshark
• ... and many other things!
3.2. Start Wireshark
You can start Wireshark from your shell or window manager.
Figure 3.1. The Main window
Wireshark's main window consists of parts that are commonly known from many other GUI programs.
1. The menu (see Section 3.4, “The Menu”) is used to start actions.
2. The main toolbar (see Section 3.16, “The "Main" toolbar”) provides quick access to frequently used items from the menu.
3. The filter toolbar (see Section 3.17, “The "Filter" toolbar”) provides a way to directly manipulate the currently used display filter (see Section 6.
3.3.1. Main Window Navigation
Packet list and detail navigation can be done entirely from the keyboard. Table 3.1, “Keyboard Navigation” shows a list of keystrokes that will let you quickly move around a capture file. See Table 3.5, “Go menu items” for additional navigation keystrokes.
Table 3.1. Keyboard Navigation
Tab, Shift+Tab: Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.
Edit: This menu contains items to find a packet, time reference or mark one or more packets, handle configuration profiles, and set your preferences (cut, copy, and paste are not presently implemented). See Section 3.6, “The "Edit" menu”.
View: This menu controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in packet details, .... See Section 3.7, “The "View" menu”.
Figure 3.3. The "File" Menu
Table 3.2. File menu items
Open... (Ctrl+O): This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.
Open Recent: This menu item shows a submenu containing the recently opened capture files. Clicking on one of the submenu items will open the corresponding capture file directly.
Merge...
is discussed further in Section 5.3.1, “The "Save Capture File As" dialog box”).
Note! If you have already saved the current capture, this menu item will be greyed out.
Note! You cannot save a live capture while the capture is in progress. You must stop the capture in order to save.
Save As... (Shift+Ctrl+S): This menu item allows you to save the current capture file to whatever file you would like.
Print... (Ctrl+P): This menu item allows you to print all (or some) of the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in Section 5.8, “Printing packets”).
Quit (Ctrl+Q): This menu item allows you to quit from Wireshark. Wireshark will ask to save your capture file if you haven't previously saved it (this can be disabled by a preference setting).
3.6.
Copy > As Filter (Shift+Ctrl+C): This menu item will use the selected item in the detail view to create a display filter. This display filter is then copied to the clipboard.
Find Packet... (Ctrl+F): This menu item brings up a dialog box that allows you to find a packet by many criteria. There is further information on finding packets in Section 6.8, “Finding packets”.
Find Previous Time Reference (Ctrl+Alt+B): This menu item tries to find the previous time referenced packet.
Configuration Profiles... (Shift+Ctrl+A): This menu item brings up a dialog box for handling configuration profiles. More detail is provided in Section 10.6, “Configuration Profiles”.
Preferences... (Shift+Ctrl+P): This menu item brings up a dialog box that allows you to set preferences for many parameters that control Wireshark.
Wireless Toolbar (Windows only): This menu item hides or shows the wireless toolbar. See the AirPcap documentation for more information.
Statusbar: This menu item hides or shows the statusbar, see Section 3.21, “The Statusbar”.
Packet List: This menu item hides or shows the packet list pane, see Section 3.18, “The "Packet List" pane”.
Packet Details: This menu item hides or shows the packet details pane, see Section 3.
Time Display Format > Seconds Since Previous Displayed Packet: 1.123456: Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see Section 6.12, “Time display formats and time references”.
Time Display Format > Automatic (File Format Precision): Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see Section 6.
Note! Enabling colorization will slow down the display of new packets while capturing / loading capture files.
Auto Scroll in Live Capture: This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
Coloring Rules...: This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see Section 10.3, “Packet colorization”.
Show Packet in New Window: This menu item brings up the selected packet in a separate window. The separate window shows only the tree view and byte view panes.
Reload
Go to Packet... (Ctrl+G): Bring up a dialog box that allows you to specify a packet number, and then goes to that packet. See Section 6.9, “Go to a specific packet” for details.
Go to Corresponding Packet: Go to the corresponding packet of the currently selected protocol field. If the selected field doesn't correspond to a packet, this item is greyed out.
Previous Packet (Ctrl+Up): Move to the previous packet in the list.
Figure 3.7. The "Capture" Menu
Table 3.6. Capture menu items
Interfaces... (Ctrl+I): This menu item brings up a dialog box that shows what's going on at the network interfaces Wireshark knows of, see Section 4.4, “The "Capture Interfaces" dialog box”.
Options... (Ctrl+K): This menu item brings up the Capture Options dialog box (discussed further in Section 4.5, “The "Capture Options" dialog box”) and allows you to start capturing packets.
Figure 3.8. The "Analyze" Menu
Table 3.7. Analyze menu items
Display Filters...: This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Display Filter Macros...: This menu item brings up a dialog box that allows you to create and edit display filter macros.
Enabled Protocols... (Shift+Ctrl+E): This menu item allows the user to enable/disable protocol dissectors, see Section 10.4.1, “The "Enabled Protocols" dialog box”.
Decode As...: This menu item allows the user to force Wireshark to decode certain packets as a particular protocol, see Section 10.4.2, “User Specified Decodes”.
User Specified Decodes...
Figure 3.9. The "Statistics" Menu
All menu items will bring up a new window showing specific statistical information.
Table 3.8. Statistics menu items
Summary: Show information about the data captured, see Section 8.2, “The "Summary" window”.
Protocol Hierarchy: Display a hierarchical tree of protocol statistics, see Section 8.3, “The "Protocol Hierarchy" window”.
Endpoint List: Display a list of endpoints, obsoleted by the combined Endpoints window above, see Section 8.5.3, “The protocol specific "Endpoint List" windows”.
Service Response Time: Display the time between a request and the corresponding response, see Section 8.7, “Service Response Time”.
ANCP...: See Section 8.10, “The protocol specific statistics windows”.
BOOTP-DHCP...: See Section 8.
Figure 3.10. The "Telephony" Menu
All menu items will bring up a new window showing specific telephony related statistical information.
Table 3.9. Telephony menu items
IAX2: See Section 9.6, “The protocol specific statistics windows”.
SMPP Operations...: See Section 9.6, “The protocol specific statistics windows”.
SCTP: See Section 9.6, “The protocol specific statistics windows”.
ANSI: See Section 9.
WAP-WSP...: See Section 9.6, “The protocol specific statistics windows”.
3.13. The "Tools" menu
The Wireshark Tools menu contains the fields shown in Table 3.10, “Tools menu items”.
Figure 3.11. The "Tools" Menu
Table 3.10.
Figure 3.12. The "Internals" Menu
Table 3.11. Help menu items
Dissector tables: This menu item brings up a dialog box showing the tables with subdissector relationships.
Supported Protocols (slow!): This menu item brings up a dialog box showing the supported protocols and protocol fields.
3.15. The "Help" menu
The Wireshark Help menu contains the fields shown in Table 3.12, “Help menu items”.
Figure 3.13. The "Help" Menu
Table 3.12. Help menu items
Contents (F1): This menu item brings up a basic help system.
Manual Pages > ...: This menu item starts a Web browser showing one of the locally installed html manual pages.
Website: This menu item starts a Web browser showing the webpage from: http://www.wireshark.org.
FAQ's: This menu item starts a Web browser showing various FAQ's.
Note! Calling a Web browser might be unsupported in your version of Wireshark. If this is the case, the corresponding menu items will be hidden.
Note! If calling a Web browser fails on your machine, maybe because just nothing happens or the browser is started but no page is shown, have a look at the web browser setting in the preferences dialog.
3.16. The "Main" toolbar
The main toolbar provides quick access to frequently used items from the menu.
Note! If you currently have a temporary capture file, the Save icon will be shown instead.
Close (File/Close): This item closes the current capture. If you have not saved the capture, you will be asked to save it first.
Reload (View/Reload): This item allows you to reload the current capture file.
Print... (File/Print...): This item allows you to print all (or some of) the packets in the capture file.
Display Filters... (Analyze/Display Filters...): This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Coloring Rules... (View/Coloring Rules...)
Note! This field is also where the current filter in effect is displayed.
Expression...: The middle button labeled "Add Expression..." opens a dialog box that lets you edit a display filter from a list of protocol fields, described in Section 6.5, “The "Filter Expression" dialog box”.
Clear: Resets the current display filter and clears the edit area.
Apply: Applies the current value in the edit area as the new display filter.
• Time: The timestamp of the packet. The presentation format of this timestamp can be changed, see Section 6.12, “Time display formats and time references”.
• Source: The address where this packet is coming from.
• Destination: The address where this packet is going to.
• Protocol: The protocol name in a short (perhaps abbreviated) version.
• Info: Additional information about the packet content.
There is a context menu (right mouse click) available, see details in Figure 6.
As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or . if not appropriate) are displayed. Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data, see Section 7.6, “Packet Reassembling”.
• Marked: the number of marked packets
• Dropped: the number of dropped packets (only displayed if Wireshark was unable to capture all packets)
• Ignored: the number of ignored packets (only displayed if packets are ignored)
• The right side shows the selected configuration profile. Clicking in this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile.
Figure 3.22.
Chapter 4. Capturing Live Network Data
4.1. Introduction
Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features:
• Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...).
• Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets.
• Simultaneously show decoded packets while Wireshark keeps on capturing.
4.3. Start Capturing
One of the following methods can be used to start capturing packets with Wireshark:
• You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box, see Figure 4.1, “The "Capture Interfaces" dialog box on Microsoft Windows” or Figure 4.2, “The "Capture Interfaces" dialog box on Unix/Linux”. You can start a capture from this dialog box, using (one of) the "Capture" button(s).
Figure 4.1. The "Capture Interfaces" dialog box on Microsoft Windows
Figure 4.2. The "Capture Interfaces" dialog box on Unix/Linux
Device (Unix/Linux only): The interface device name.
Description: The interface description provided by the operating system, or the user defined comment added in Section 10.5.1, “Interface Options”.
IP: The first IP address Wireshark could find for this interface.
Packets/s: Number of packets captured in the last second. Will be greyed out if no packet was captured in the last second.
Stop: Stop a currently running capture.
Start: Start a capture on all selected interfaces immediately, using the settings from the last capture or the default settings, if no options have been set.
Options: Open the Capture Options dialog with the marked interfaces selected, see Section 4.5, “The "Capture Options" dialog box”.
Figure 4.3.
Tip! If you are unsure which options to choose in this dialog box, just try keeping the defaults as this should work well in many cases.
4.5.1. Capture frame
The table shows the settings for all available interfaces:
• The name of the interface and its IP addresses. If no address could be resolved from the system, "none" will be shown. Note loopback interfaces are not available on Windows platforms.
• The link-layer header type.
Use multiple files: Instead of using a single file, Wireshark will automatically switch to a new one if a specific trigger condition is reached.
Use pcap-ng format: This checkbox allows you to specify that Wireshark saves the captured packets in pcap-ng format. This next generation capture file format is currently in development. If more than one interface is chosen for capturing, this checkbox is set by default. See http://wiki.wireshark.
4.5.5. Name Resolution frame
Enable MAC name resolution: This option allows you to control whether or not Wireshark translates MAC addresses into names, see Section 7.7, “Name Resolution”.
Enable network name resolution: This option allows you to control whether or not Wireshark translates network addresses into names, see Section 7.7, “Name Resolution”.
Figure 4.4. The "Edit Interface Settings" dialog box
You can set the following fields in this dialog box:
IP address: The IP address(es) of the selected interface. If no address could be resolved from the system, "none" will be shown.
Link-layer header type: Unless you are in the rare situation that you need this, just keep the default. For a detailed description, see Section 4.
Note: Even in promiscuous mode you still won't necessarily see all packets on your LAN segment, see http://www.wireshark.org/faq.html#promiscsniff for some more explanations.
Limit each packet to n bytes: This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen. If disabled, the value is set to the maximum 65535, which will be sufficient for most protocols.
can help in understanding the working of the capture filter you created.
4.7. The "Add New Interfaces" dialog box
As a central point to manage interfaces, this dialog box consists of three tabs to add or remove interfaces.
Figure 4.5.
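The snaplen and link-layer header type chosen in the interface settings above are written into the header of every pcap file Wireshark saves. The following Python snippet, added here as an example and not taken from the guide or the Wireshark sources, parses that libpcap file header, reads back both values and flags packets whose captured length is shorter than their original length (i.e. packets cut short by the snaplen). The two-packet capture it parses is constructed inline; the DLT name table only covers a handful of values.

```python
"""Read snaplen and link-layer type from a libpcap file and find truncated packets."""
import struct

# libpcap magic numbers; the second marks nanosecond-resolution timestamps.
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D

# A few libpcap link-layer header types (DLT values), for readable output only.
LINKTYPES = {0: "NULL/loopback", 1: "Ethernet", 105: "IEEE 802.11",
             113: "Linux cooked (SLL)", 127: "IEEE 802.11 + radiotap"}


def _byte_order(magic_bytes):
    """Return the struct byte-order prefix and timestamp unit from the magic."""
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", magic_bytes)
        if magic == PCAP_MAGIC_US:
            return order, "us"
        if magic == PCAP_MAGIC_NS:
            return order, "ns"
    raise ValueError("not a libpcap file (unknown magic)")


def parse_pcap(data):
    """Parse the 24-byte global header and all packet records of a pcap blob."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    order, ts_unit = _byte_order(data[:4])
    # version major/minor, thiszone (signed), sigfigs, snaplen, network (DLT)
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen:
            raise ValueError("record claims more bytes than the snaplen allows")
        if off + incl_len > len(data):
            raise ValueError("packet data runs past end of file")
        packets.append({"ts_sec": ts_sec, "ts_frac": ts_frac,
                        "incl_len": incl_len, "orig_len": orig_len,
                        "data": data[off:off + incl_len]})
        off += incl_len
    return {"version": (major, minor), "ts_unit": ts_unit, "snaplen": snaplen,
            "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "DLT %d" % linktype),
            "packets": packets}


def truncated_packets(capture):
    """Indices of packets whose captured bytes are fewer than were on the wire."""
    return [i for i, p in enumerate(capture["packets"])
            if p["incl_len"] < p["orig_len"]]


def build_sample_pcap(snaplen=96, linktype=1):
    """Constructed sample: an Ethernet capture taken with a 96-byte snaplen."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)
    frame0 = bytes(60)  # a minimum-size frame, captured in full
    rec0 = struct.pack("<IIII", 1700000000, 0, len(frame0), len(frame0)) + frame0
    # a full-size 1514-byte frame, of which only the snaplen was kept
    rec1 = struct.pack("<IIII", 1700000000, 500, snaplen, 1514) + bytes(snaplen)
    return hdr + rec0 + rec1


if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    print("snaplen=%d link-layer=%s packets=%d" % (
        cap["snaplen"], cap["linktype_name"], len(cap["packets"])))
    for i in truncated_packets(cap):
        p = cap["packets"][i]
        print("packet %d truncated: %d of %d bytes" % (i, p["incl_len"], p["orig_len"]))
```

A capture whose packets show incl_len smaller than orig_len was taken with a snaplen too small for the protocol, which is why the guide recommends leaving the 65535 default unless there is a reason not to.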
4.7.1. Add or remove pipes
Figure 4.6. The "Add New Interfaces - Pipes" dialog box
To successfully add a pipe, this pipe must have already been created. Click the "New" button and type the name of the pipe including its path. Alternatively, the "Browse" button can be used to locate the pipe. With the "Save" button the pipe is added to the list of available interfaces. Afterwards, other pipes can be added. To remove a pipe from the list of interfaces it first has to be selected.
4.7.2. Add or hide local interfaces
Figure 4.7. The "Add New Interfaces - Local Interfaces" dialog box
The tab "Local Interfaces" contains a list of available local interfaces, including the hidden ones, which are not shown in the other lists. If a new local interface appears (for example, because a wireless interface has been activated), it is not automatically added to the list; this avoids constantly rescanning the system for changes in the set of available interfaces.
4.7.3. Add or hide remote interfaces
Figure 4.8. The "Add New Interfaces - Remote Interfaces" dialog box
In this tab interfaces on remote hosts can be added. One or more of these interfaces can be hidden. In contrast to the local interfaces they are not saved in the "Preferences" file. To remove a host including all its interfaces from the list, it has to be selected. Then click the "Delete" button. For a detailed description, see Section 4.
on the target. Once installation is completed go to the Services control panel, find the Remote Packet Capture Protocol service and start it.

Note
Make sure you have outside access to port 2002 on the target platform. This is the port where the Remote Packet Capture Protocol service can be reached by default.

To access the Remote Capture Interfaces dialog use the "Add New Interfaces - Remote" dialog, see Figure 4.
Null authentication
Select this if you don't need authentication to take place for a remote capture to be started. This depends on the target platform. Configuring the target platform like this makes it insecure: no credentials are needed to start a capture.

Password authentication
This is the normal way of connecting to a target platform. Set the credentials needed to connect to the Remote Packet Capture Protocol service.

4.8.2.
Sampling option None
This option instructs the Remote Packet Capture Protocol service to send back all captured packets which have passed the capture filter. This is usually not a problem on a remote capture session with sufficient bandwidth.

Sampling option 1 of x packets
This option limits the Remote Packet Capture Protocol service to sending only a subsample of the captured data, in terms of number of packets.
Different modes of operation are available when saving this packet data to the capture file(s).

Tip!
Working with large files (several hundred MB) can be quite slow. If you plan to do a long-term capture or capture from a high-traffic network, think about using one of the "Multiple files" options. This will spread the captured packets over several smaller files, which can be much more pleasant to work with.

Note!
Using multiple files may cut context-related information.
This mode will limit the maximum disk usage, even for an unlimited amount of capture input data, keeping the latest captured data.

4.11. Link-layer header type

In the usual case, you won't have to choose this link-layer header type. The following paragraphs describe the exceptional cases, where selecting this type is possible, so you will have a guide of what to do:

If you are capturing on an 802.
This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the "and" conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.

Example 4.2. Capturing all telnet traffic not from 10.0.0.5

tcp port 23 and not src host 10.0.0.5

XXX - add examples to the following list.
ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

relop
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man page at http://www.tcpdump.org/tcpdump_man.html for more details.

4.12.1. Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ..
Tip!
This Capture Info dialog box can be hidden, using the "Hide capture info dialog" option in the Capture Options dialog box.

4.13.1. Stop the running capture

A running capture session will be stopped in one of the following ways:

1. Using the "Stop" button from the Capture Info dialog box.
   Note! The Capture Info dialog box might be hidden, if the option "Hide capture info dialog" is used.
2. Using the menu item "Capture/Stop".
3. Using the toolbar item "Stop".
4.
Chapter 5. File Input / Output and Printing

5.1. Introduction

This chapter will describe input and output of capture data.

• Open/Import capture files in various capture file formats
• Save/Export capture files in various capture file formats
• Merge capture files together
• Print packets

5.2. Open capture files

Wireshark can read in previously saved capture files. To read them, simply select the menu or toolbar item: "File/Open".
Wireshark extensions to the standard behaviour of these dialogs:

• View file preview information (like the file size, the number of packets, ...), if you've selected a capture file.
• Specify a display filter with the "Filter:" button and filter field. This filter will be used when opening the new file. The text field background becomes green for a valid filter string and red for an invalid one.
items like: "Home", "Desktop", and "Filesystem" cannot be removed).
• If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Open" button.

Figure 5.3. "Open" - old GTK version

Unix/Linux: GTK version < 2.4
This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions. Specific for this dialog:

• If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Ok" button.

5.2.2.
• ISDN4BSD i4btrace utility
• traces from the EyeSDN USB S0
• IPLog format from the Cisco Secure Intrusion Detection System
• pppd logs (pppdump format)
• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
• the text output from the DBS Etherwatch VMS utility
• Visual Networks' Visual UpTime traffic capture
• the output from CoSine L2 debug
• the output from Accellent's 5Views LAN agents
• Endace Measurement Systems' ERF format captures
• Linux Bluez Bluetooth st
Saving may reduce the available information!
Saving the captured packets will slightly reduce the amount of information, e.g. the number of dropped packets will be lost; see Section A.1, “Capture Files” for details.

5.3.1. The "Save Capture File As" dialog box

The "Save Capture File As" dialog box allows you to save the current capture to a file. Table 5.2, “The system specific "Save Capture File As" dialog box” shows some examples of this dialog box.
Figure 5.6. "Save" - old GTK version

Unix/Linux: GTK version < 2.4
This is the file save dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

With this dialog box, you can perform the following actions:

1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.
2. Select the directory to save the file into.
3. Select the range of the packets to be saved, see Section 5.
File formats have different time stamp accuracies!
Saving from the currently used file format to a different format may reduce the time stamp accuracy; see Section 7.4, “Time Stamps” for details.

The following file formats can be saved by Wireshark (with the known file extensions):

• libpcap, tcpdump and various other tools using tcpdump's capture format (*.pcap, *.cap, *.dmp)
• Accellent 5Views (*.5vw)
• HP-UX's nettl (*.TRC0, *.
• Use the mergecap tool, which is a command line tool to merge capture files. This tool provides the most options to merge capture files, see Section D.8, “mergecap: Merging multiple capture files into one”.

5.4.1. The "Merge with Capture File" dialog box

This dialog box lets you select a file to be merged into the currently loaded file.
Figure 5.9. "Merge" - old GTK version

Unix/Linux: GTK version < 2.4
This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

5.5. Import text file

Wireshark can read in an ASCII hex dump and write the data described into a temporary libpcap capture file. It can read hex dumps with multiple packets in them, and build a capture file of multiple packets.
elect to insert Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each packet. This allows Wireshark or any other full-packet decoder to handle these dumps.

5.5.1. The "File import" dialog box

This dialog box lets you select a file to be imported and set import parameters.

Figure 5.10.
Encapsulation type
Here you can select which type of frames you are importing. This depends on the type of medium the dump was taken from. It lists all types that Wireshark understands, so as to pass the capture file contents to the right dissector.

Dummy header
When Ethernet encapsulation is selected you have the option to prepend dummy headers to the frames to import.
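To make concrete what the import described in this section and the "Dummy header" option have to produce, here is an added example in Python. It is not Wireshark's own code (Wireshark uses its text2pcap tool for this job): it parses an offset-prefixed ASCII hex dump into packets, prepends dummy Ethernet, IPv4 and UDP headers with a correct IP header checksum, and writes a libpcap file that any full-packet decoder can open. The dump text, the MAC and IP addresses and the ports are constructed for the example.

```python
"""Added example: a minimal hex-dump importer in the spirit of the "File
import" dialog.  Not Wireshark's code; the dump, addresses and ports below
are constructed for this example."""
import socket
import struct

# Constructed hex dump in the "offset  byte byte ..." layout.  A line whose
# offset is 0 starts a new packet.  The payloads are two DNS-like messages.
HEXDUMP = """\
000000 12 34 01 00 00 01 00 00 00 00 00 00 07 65 78 61
000010 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01
000000 12 34 81 80 00 01 00 01 00 00 00 00 07 65 78 61
000010 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00
000020 01 00 01 00 00 0e 10 00 04 5d b8 d8 22
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Return the packets (bytes) described by an offset-prefixed hex dump.
    Byte tokens stop at the first token that is not two hex digits, which
    skips a trailing ASCII column if the dump has one."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset == 0 and current:      # offset reset: previous packet is complete
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):       # the dump must be contiguous
            raise ValueError(f"offset {offset:#x} does not continue a {len(current)}-byte packet")
        for tok in tokens[1:]:
            if len(tok) != 2 or not set(tok) <= HEX_DIGITS:
                break
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def ip_checksum(header):
    """RFC 1071 one's-complement checksum of an IPv4 header (computed with the
    checksum field zeroed; recomputed over a correct header it yields 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def add_dummy_headers(payload, src="10.0.0.1", dst="10.0.0.2", sport=53, dport=5353):
    """Prepend dummy Ethernet, IPv4 and UDP headers so a full-packet decoder can
    dissect the payload.  The UDP checksum is left at 0 (allowed over IPv4),
    so only the IP header checksum has to be right."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")   # dst MAC, src MAC, IPv4
    return eth + ip + udp + payload


PCAP_MAGIC = 0xA1B2C3D4   # libpcap, microsecond time stamps
LINKTYPE_ETHERNET = 1


def write_pcap(frames, first_epoch=0):
    """Serialise Ethernet frames as a little-endian libpcap file, one second apart."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_epoch + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(blob):
    """Minimal reader used to check the writer: returns (linktype, [frames])."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    frames, pos = [], 24
    while pos < len(blob):
        _ts, _us, incl, _orig = struct.unpack("<IIII", blob[pos:pos + 16])
        frames.append(blob[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return linktype, frames


def import_hexdump(text):
    """The whole import: hex dump -> payloads -> framed packets -> pcap bytes."""
    return write_pcap([add_dummy_headers(p) for p in parse_hexdump(text)])
```

Writing the result of import_hexdump(HEXDUMP) to a file and opening it in Wireshark shows two Ethernet/IPv4/UDP packets whose payload is the dumped bytes; the contiguity check in parse_hexdump catches the usual failure mode of hand-edited dumps, a line whose offset does not follow the previous one.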
5.6.1. The "List Files" dialog box

Figure 5.11. The "List Files" dialog box

Each line contains information about a file of the file set:

• Filename: the name of the file. If you click on the filename (or the radio button left to it), the current file will be closed and the corresponding capture file will be opened.
5.7.1. The "Export as Plain Text File" dialog box

Export packet data into a plain ASCII text file, much like the format used to print packets.
Figure 5.12. The "Export as Plain Text File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”.
• The Packet Details frame is described in Section 5.10, “The Packet Format frame”.

5.7.2. The "Export as PostScript File" dialog box

Export packet data into PostScript, much like the format used to print packets.

Tip!
You can easily convert PostScript files to PDF files using ghostscript. For example: export to a file named foo.ps and then call: ps2pdf foo.
Figure 5.13. The "Export as PostScript File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”.
• The Packet Details frame is described in Section 5.10, “The Packet Format frame”.

5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box

XXX - add screenshot

Export packet summary into CSV, used e.g. by spreadsheet programs to im-/export data.

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.
Figure 5.14. The "Export as PSML File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”.

There's no such thing as a packet details frame for PSML export, as the packet format is defined by the PSML specification.

5.7.6. The "Export as PDML File" dialog box

Export packet data into PDML. This is an XML based format including the packet details. The PDML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:pdml_specification.
Figure 5.15. The "Export as PDML File" dialog box

• Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”.

There's no such thing as a packet details frame for PDML export, as the packet format is defined by the PDML specification.

5.7.7. The "Export selected packet bytes" dialog box

Export the bytes selected in the "Packet Bytes" pane into a raw binary file.
Figure 5.16. The "Export Selected Packet Bytes" dialog box

• Name: the filename to export the packet data to.
• The Save in folder: field lets you select the folder to save to (from some predefined folders).
• Browse for other folders provides a flexible way to choose a folder.

5.7.8. The "Export Objects" dialog box

This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP and lets you save them to disk.
• Help: Opens this section in the user's guide.
• Close: Closes this dialog.
• Save As: Saves the currently selected object as a filename you specify. The default filename to save as is taken from the filename column of the objects list.
• Save All: Saves all objects in the list using the filename from the filename column. You will be asked what directory / folder to save them in.
Note!
These Print command fields are not available on Windows platforms.

This field specifies the command to use for printing. It is typically lpr. You would change it to specify a particular queue if you need to print to a queue other than the default. An example might be:

lpr -Pmypostscript

This field is greyed out if Output to file: is checked above.

Packet Range
Select the packets to be printed, see Section 5.
Figure 5.20. The "Packet Format" frame

• Packet summary line: enable the output of the summary line, just as in the "Packet List" pane.
• Packet details: enable the output of the packet details tree.
  • All collapsed: the info from the "Packet Details" pane in "all collapsed" state.
  • As displayed: the info from the "Packet Details" pane in the current state.
  • All expanded: the info from the "Packet Details" pane in "all expanded" state.
Chapter 6. Working with captured packets

6.1. Viewing packets you have captured

Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.
Figure 6.2. Viewing a packet in a separate window

6.2. Pop-up menus

You can bring up a pop-up menu over either the "Packet List", its column header, or "Packet Details" pane by clicking your right mouse button at the corresponding pane.

6.2.1. Pop-up menu of the "Packet List" column header

Figure 6.3.
Table 6.1. The menu items of the "Packet List" column header pop-up menu

Item             | Identical to main menu's item | Description
Sort Ascending   |                               | Sort the packet list in ascending order based on this column.
Sort Descending  |                               | Sort the packet list in descending order based on this column.
No Sort          |                               | Remove sorting order based on this column.
----
Align Left       |                               | Set left alignment of the values in this column.
Align Center     |                               | Set center alignment of the values in this column.
6.2.2. Pop-up menu of the "Packet List" pane

Figure 6.4. Pop-up menu of the "Packet List" pane

The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item.

Table 6.2. The menu items of the "Packet List" pop-up menu

Item                  | Identical to main menu's item | Description
Mark Packet (toggle)  | Edit                          | Mark/unmark a packet.
Item                   | Identical to main menu's item | Description
Conversation Filter    | -                             | This menu item applies a display filter with the address information from the selected packet. E.g. the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. XXX - add a new section describing this better.
Colorize Conversation  | -                             | This menu item uses a display filter with the address information from the selected packet to build a new colorizing rule.
6.2.3. Pop-up menu of the "Packet Details" pane

Figure 6.5. Pop-up menu of the "Packet Details" pane

The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item.

Table 6.3. The menu items of the "Packet Details" pop-up menu

Item             | Identical to main menu's item | Description
Expand Subtrees  | View                          | Expand the currently selected subtree.
Item                  | Identical to main menu's item | Description
Colorize with Filter  | -                             | This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule.
Follow TCP Stream     | Analyze                       | Allows you to view all the data on a TCP stream between a pair of nodes.
Follow UDP Stream     | Analyze                       | Allows you to view all the data on a UDP datagram stream between a pair of nodes.
Follow SSL Stream     | Analyze                       | Same as "Follow TCP Stream" but for SSL.
Item                     | Identical to main menu's item | Description
Protocol Preferences...  | -                             | The menu item takes you to the properties dialog and selects the page corresponding to the protocol if there are properties associated with the highlighted field. More information on preferences can be found in Figure 10.8, “The preferences dialog box”.
----
Decode As...             | Analyze                       | Change or apply a new relation between two dissectors.
Figure 6.6. Filtering on the TCP protocol

As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so the first packet shown is now packet number 11.

Note!
When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content!

You can filter on any protocol that Wireshark understands.
Tip!
You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter page at http://wiki.wireshark.org/DisplayFilters.

6.4.1. Display filter fields

Every field in the packet details pane can be used as a filter string; this will result in showing only the packets where this field exists. For example, the filter string tcp will show all packets containing the tcp protocol.
Table 6.5. Display Filter Field Types

Type                                             | Example
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) | You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
                                                 |   ip.len le 1500
                                                 |   ip.len le 02734
                                                 |   ip.len le 0x436
Signed integer (8-bit, 16-bit, 24-bit, 32-bit)   |
Boolean                                          | A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.
English | C-like | Description and example
or      | ||     | Logical OR: ip.src==10.0.0.5 or ip.src==192.1.1.1
xor     | ^^     | Logical XOR: tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not     | !      | Logical NOT: not llc
[...]   |        | Substring Operator

Substring Operator
Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [] containing a comma separated list of range specifiers.

eth.
Often people use a filter string to display something like ip.addr == 1.2.3.4, which will display all packets containing the IP address 1.2.3.4. Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4. Unfortunately, this does not do what is expected. Instead, that expression will even be true for packets where either the source or the destination IP address equals 1.2.3.4. The reason for this is that the expression ip.addr != 1.2.3.
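The pitfall just described, and the capture filter of Example 4.2 in Section 4.12 ("tcp port 23 and not src host 10.0.0.5"), both come down to how a comparison is applied to a field that occurs more than once in a packet. The following added example (not code from the Wireshark project; the packet records, field names and helper functions are constructed for it) evaluates both kinds of filter over a small constructed packet list, so the difference between "ip.addr != X", which is true whenever any of the two addresses differs, and "!(ip.addr == X)", which is what people usually mean, can be seen in the counts.

```python
"""Added example: a tiny evaluator mimicking how Wireshark display filters
treat multi-valued fields such as ip.addr, and how tcpdump-style capture
filter primitives combine.  Packets and helper names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary with just enough header fields for filtering."""
    proto: str     # transport protocol, "tcp" or "udp"
    src: str       # IPv4 source address
    dst: str       # IPv4 destination address
    sport: int
    dport: int


# Constructed sample traffic: a telnet session to 10.0.0.5 and its reply,
# a telnet session from 10.0.0.5 to another host, and an unrelated DNS query.
SAMPLE = [
    Packet("tcp", "192.168.1.10", "10.0.0.5", 40001, 23),
    Packet("tcp", "10.0.0.5", "192.168.1.10", 23, 40001),
    Packet("tcp", "10.0.0.5", "10.0.0.9", 40002, 23),
    Packet("udp", "192.168.1.10", "8.8.8.8", 51000, 53),
]


def fields(pkt):
    """Wireshark-style field name -> list of values present in the packet.
    ip.addr deliberately carries BOTH addresses; that is what makes
    'ip.addr != x' behave the way the text describes."""
    return {
        "ip.src": [pkt.src],
        "ip.dst": [pkt.dst],
        "ip.addr": [pkt.src, pkt.dst],
        "tcp.port": [pkt.sport, pkt.dport] if pkt.proto == "tcp" else [],
    }


def field_eq(pkt, name, value):
    """'name == value': true if ANY occurrence of the field equals value."""
    return any(v == value for v in fields(pkt)[name])


def field_ne(pkt, name, value):
    """'name != value': true if ANY occurrence of the field differs from value.
    This is NOT the negation of field_eq, which is the trap the text warns about."""
    return any(v != value for v in fields(pkt)[name])


def display_filter_counts(packets, addr):
    """How many packets each of the three display filters would show."""
    return {
        "ip.addr == X": sum(field_eq(p, "ip.addr", addr) for p in packets),
        "ip.addr != X": sum(field_ne(p, "ip.addr", addr) for p in packets),
        "!(ip.addr == X)": sum(not field_eq(p, "ip.addr", addr) for p in packets),
    }


# Capture filter primitives in the tcpdump style, composed as predicates.
def cf_tcp(pkt):
    return pkt.proto == "tcp"


def cf_port(n):
    """'port N' matches either the source or the destination port."""
    return lambda pkt: n in (pkt.sport, pkt.dport)


def cf_src_host(addr):
    """'src host A' looks at the source address only."""
    return lambda pkt: pkt.src == addr


def cf_and(*preds):
    return lambda pkt: all(p(pkt) for p in preds)


def cf_not(pred):
    return lambda pkt: not pred(pkt)


# Example 4.2 of the guide, "tcp port 23 and not src host 10.0.0.5":
TELNET_NOT_FROM_10_0_0_5 = cf_and(cf_tcp, cf_port(23), cf_not(cf_src_host("10.0.0.5")))


def capture_filter_matches(packets, pred=TELNET_NOT_FROM_10_0_0_5):
    """Indexes of the packets the capture filter would let through."""
    return [i for i, p in enumerate(packets) if pred(p)]
```

On the constructed traffic, "ip.addr == 10.0.0.5" shows three packets, "!(ip.addr == 10.0.0.5)" shows the one DNS packet, but "ip.addr != 10.0.0.5" shows all four, including the three that do involve 10.0.0.5, because each of them also has one address that is not 10.0.0.5. The capture filter keeps only the first packet: the reply and the third packet are sent by 10.0.0.5, and the DNS packet is not TCP.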
first few letters of the protocol name). By clicking on the "+" next to a protocol name you can get a list of the field names available for filtering for that protocol.

Relation
Select a relation from the list of available relations. The "is present" relation is a unary relation which is true if the selected field is present in a packet. All other listed relations are binary relations which require additional data (e.g. a Value to match) to complete.
Figure 6.8. The "Capture Filters" and "Display Filters" dialog boxes

New
This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If any of these fields are empty, it will be set to "new".

Delete
This button deletes the selected filter. It will be greyed out, if no filter is selected.
Close
Close this dialog. This will discard unsaved settings.

6.7. Defining and saving filter macros

You can define filter macros with Wireshark and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use. XXX - add an explanation of this.

6.8. Finding packets

You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet...
You can choose the search direction:

• Up: Search upwards in the packet list (decreasing packet numbers).
• Down: Search downwards in the packet list (increasing packet numbers).

6.8.2. The "Find Next" command

"Find Next" will continue searching with the same options used in the last "Find Packet".

6.8.3. The "Find Previous" command

"Find Previous" will do the same thing as "Find Next", but with reverse search direction.

6.9.
6.9.5. The "Go to First Packet" command

This command will simply jump to the first packet displayed.

6.9.6. The "Go to Last Packet" command

This command will simply jump to the last packet displayed.

6.10. Marking packets

You can mark packets in the "Packet List" pane. A marked packet will be shown with black background, regardless of the coloring rules set. Marking a packet can be useful to find it later while analyzing in a large capture file.
These ignore functions are available from the "Edit" menu, and the "Ignore packet (toggle)" function is also available from the pop-up menu of the "Packet List" pane.

6.12. Time display formats and time references

While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis. A detailed description of timestamps, timezones and alike can be found at: Section 7.4, “Time Stamps”.
Note!
Time referencing will only be useful if the time display format is set to "Seconds Since Beginning of Capture". If one of the other time display formats is used, time referencing will have no effect (and will make no sense either).

To work with time references, choose one of the "Time Reference" items in the "Edit" menu, see Section 3.6, “The "Edit" menu”, or from the pop-up menu of the "Packet List" pane.
Chapter 7. Advanced Topics

7.1. Introduction

In this chapter some of the advanced features of Wireshark will be described.

7.2. Following TCP streams

If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream.
The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. If you like, you can change these colors in the Edit/Preferences "Colors" page.

Non-printable characters will be replaced by dots. XXX - What about line wrapping (maximum line length) and CRNL conversions?

The stream content won't be updated while doing a live capture.
The following will first describe the components of a single expert info, then the User Interface.

7.3.1. Expert Info Entries

Each expert info will contain the following things which will be described in detail below:

Table 7.1. Some example expert infos

Packet # | Severity | Group    | Protocol | Summary
1        | Note     | Sequence | TCP      | Duplicate ACK (#1)
2        | Chat     | Sequence | TCP      | Connection reset (RST)
8        | Note     | Sequence | TCP      | Keep-Alive
9        | Warn     | Sequence | TCP      | Fast retransmission (suspected)

7.3.1.
7.3.1.3. Protocol

The protocol in which the expert info was caused.

7.3.1.4. Summary

Each expert info will also have a short additional text with some further explanation.

7.3.2. "Expert Info" dialog

From the main menu you can open the expert info dialog, using: "Analyze/Expert Info"

XXX - add explanation of the dialogs context menu.

7.3.2.1.
The protocol field causing an expert info is colorized, e.g. uses a cyan background for a note severity level. This color is propagated to the toplevel protocol item in the tree, so it's easy to find the field that caused the expert info.

For the example screenshot above, the IP "Time to live" value is very low (only 1), so the corresponding protocol field is marked with a cyan background. To make that item easier to find in the packet tree, the IP protocol toplevel item is marked cyan as well.

7.
7.4.2. Capture file formats

Every capture file format that Wireshark knows supports time stamps. The time stamp precision supported by a specific capture file format differs widely and varies from one second "0" to one nanosecond "0.123456789". Most file formats store the time stamps with a fixed precision (e.g. microseconds), while some file formats are even capable of storing the time stamp precision itself (whatever the benefit may be).
What are time zones?

People expect that the time reflects the sunset. Dawn should be in the morning maybe around 06:00 and dusk in the evening maybe at 20:00. These times will obviously vary depending on the season. It would be very confusing if everyone on earth would use the same global time as this would correspond to the sunset only at a small part of the world.
This way you will tell your computer both the local time and also the time offset to UTC.

Tip!
If you travel around the world, it is a common mistake to adjust the hours of your computer clock to the local time.
                             Los Angeles | New York | Madrid | London | Berlin | Tokyo
Displayed Time (Local Time)  02:00       | 05:00    | 09:00  | 10:00  | 11:00  | 19:00

An example: Let's assume that someone in Los Angeles captured a packet with Wireshark at exactly 2 o'clock local time and sends you this capture file. The capture file's time stamp will be represented in UTC as 10 o'clock. You are located in Berlin and will see 11 o'clock on your Wireshark display.
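The Los Angeles to Berlin example above, worked through in Python as an added example (not from the guide). Capture files store the time stamp as seconds since the epoch, i.e. in UTC, and Wireshark converts it to the viewer's local zone on display. The offsets used here are assumed standard-time (winter) offsets for Los Angeles, New York, London, Berlin and Tokyo; the capture date is constructed. The last function shows the mistake from the tip above: a traveller who sets the clock to the visited city's wall time but leaves the zone set to home produces a file whose UTC time stamps are off by the difference of the two offsets.

```python
"""Added example: capture time stamps are UTC; local display is a view.
Offsets below are assumed standard-time offsets, the capture date is
constructed, and nothing here is Wireshark's own code."""
from datetime import datetime, timedelta, timezone

# Assumed standard-time offsets from UTC, in hours.
UTC_OFFSET_HOURS = {"Los Angeles": -8, "New York": -5, "London": 0, "Berlin": 1, "Tokyo": 9}


def capture_epoch(local_wall_time, offset_hours):
    """UTC epoch seconds for a capture taken at a local wall-clock time on a
    correctly configured system (local time and its UTC offset both known)."""
    tz = timezone(timedelta(hours=offset_hours))
    return int(local_wall_time.replace(tzinfo=tz).timestamp())


def displayed_time(epoch, offset_hours):
    """What Wireshark shows for that epoch time stamp in a given local zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%H:%M")


def display_everywhere(epoch):
    """The same file opened in each city of the table."""
    return {city: displayed_time(epoch, off) for city, off in UTC_OFFSET_HOURS.items()}


def misconfigured_clock_error(true_epoch, home_offset_hours, visited_offset_hours):
    """The tip's mistake: the clock is set to the visited city's wall time while
    the zone stays at home.  The system converts that wall time with the home
    offset, so the stored epoch is wrong.  Returns the error in hours."""
    visited_tz = timezone(timedelta(hours=visited_offset_hours))
    true_wall_time = datetime.fromtimestamp(true_epoch, visited_tz).replace(tzinfo=None)
    wrong_epoch = capture_epoch(true_wall_time, home_offset_hours)
    return (wrong_epoch - true_epoch) / 3600


def example_epoch():
    """Constructed capture: 02:00 local time in Los Angeles on 2012-01-15."""
    return capture_epoch(datetime(2012, 1, 15, 2, 0), UTC_OFFSET_HOURS["Los Angeles"])


if __name__ == "__main__":
    epoch = example_epoch()
    print("UTC", displayed_time(epoch, 0), display_everywhere(epoch))
    print("clock set to Tokyo time, zone left at Berlin: error in hours =",
          misconfigured_clock_error(epoch, UTC_OFFSET_HOURS["Berlin"], UTC_OFFSET_HOURS["Tokyo"]))
```

When correlating captures from several sites, compare the epoch values (or switch the time display to UTC) rather than the locally displayed clock times; a file produced with the misconfigured clock described in the tip cannot be corrected by Wireshark because the error is already baked into the stored time stamps.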
Note!
You will find the reassembled data in the last packet of the chunk.

An example: In an HTTP GET response, the requested data (e.g. an HTML page) is returned. Wireshark will show the hex dump of the data in a new tab "Uncompressed entity body" in the "Packet Bytes" pane.

Reassembling is enabled in the preferences by default. The defaults were changed from disabled to enabled in September 2005.
Tip!
The name resolution in the packet list is done while the list is filled. If a name could be resolved after a packet was added to the list, that former entry won't be changed. As the name resolution results are cached, you can use "View/Reload" to rebuild the packet list, this time with the correctly resolved names. However, this isn't possible while a capture is in progress.

7.7.2. Ethernet name resolution (MAC layer)

Try to resolve an Ethernet MAC address (e.g.
7.7.4. IPX name resolution (network layer)

ipxnet name resolution (ipxnets file): XXX - add ipxnets name resolution explanation.

7.7.5. TCP/UDP port name resolution (transport layer)

Try to resolve a TCP/UDP port (e.g. 80) to something more "human readable".

TCP/UDP port conversion (system service): Wireshark will ask the operating system to convert a TCP or UDP port to its well known name (e.g. 80 → http).
7.8.1. Wireshark checksum validation

Wireshark will validate the checksums of several protocols, e.g.: IP, TCP, UDP, ... It will do the same calculation as a "normal receiver" would do, and shows the checksum fields in the packet details with a comment, e.g.: [correct], [invalid, must be 0x12345678] or alike.

Checksum validation can be switched off for various protocols in the Wireshark protocol preferences, e.g. to (very slightly) increase performance.
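To show what the "same calculation as a normal receiver" amounts to, here is an added example in Python (not Wireshark's own code) that validates the IPv4 header checksum and the UDP checksum of a frame and annotates them in the style quoted above. It also handles the edge case that makes UDP different from TCP: over IPv4 a UDP checksum field of 0 means the sender did not compute one, which a validator must report as absent rather than as invalid. The frame builder, the addresses and ports, and the bit-flip helper are constructed for the example.

```python
"""Added example: receiver-style checksum validation for IPv4 and UDP with
Wireshark-like annotations.  Frames, addresses and ports are constructed."""
import struct


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(ip_header):
    """Expected IPv4 header checksum: computed with the field itself zeroed."""
    return ones_complement_sum(ip_header[:10] + b"\x00\x00" + ip_header[12:])


def udp_checksum(ip_header, udp_segment):
    """Expected UDP checksum over the pseudo-header (src, dst, 0, proto 17,
    length) plus the segment with its own checksum field zeroed.  A computed
    0 is sent as 0xFFFF, because 0 on the wire means 'no checksum'."""
    pseudo = ip_header[12:20] + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    return ones_complement_sum(pseudo + zeroed) or 0xFFFF


def annotate(actual, expected):
    """The comment Wireshark attaches to a checksum field."""
    return "[correct]" if actual == expected else f"[invalid, must be 0x{expected:04x}]"


def validate(frame):
    """Validate an Ethernet/IPv4/UDP frame; returns the per-layer annotations."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_header = ip[:ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    result = {"ip": annotate(struct.unpack("!H", ip_header[10:12])[0],
                             ipv4_header_checksum(ip_header))}
    if ip[9] == 17:                       # protocol field: UDP
        udp = ip[ihl:total_len]
        actual = struct.unpack("!H", udp[6:8])[0]
        if actual == 0:                   # legal over IPv4: sender skipped the checksum
            result["udp"] = "[none, sender disabled checksum]"
        else:
            result["udp"] = annotate(actual, udp_checksum(ip_header, udp))
    return result


def build_frame(payload, udp_with_checksum=True):
    """Constructed Ethernet/IPv4/UDP frame with correct checksums
    (10.0.0.1:1234 -> 10.0.0.2:53, zero MAC addresses)."""
    udp_len = 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_header_checksum(ip_header)) + ip_header[12:]
    udp = struct.pack("!HHHH", 1234, 53, udp_len, 0) + payload
    if udp_with_checksum:
        udp = udp[:6] + struct.pack("!H", udp_checksum(ip_header, udp)) + udp[8:]
    return bytes(12) + b"\x08\x00" + ip_header + udp


def flip_bit(frame, index):
    """Simulate on-the-wire corruption of one byte (constructed test helper)."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    good = build_frame(b"hello")
    print(validate(good))
    print(validate(flip_bit(good, len(good) - 1)))      # payload damaged: UDP invalid
    print(validate(flip_bit(good, 14 + 8)))             # TTL damaged: IP invalid
    print(validate(build_frame(b"hello", udp_with_checksum=False)))
```

A note on interpreting "[invalid]" in practice: captures taken on the sending host often show wrong TCP and UDP checksums for every outgoing packet because the NIC fills them in after the packet was handed to the capture library (checksum offloading); that is exactly the case the preference mentioned above exists for, and it is distinguishable from real corruption by the fact that only locally originated packets are affected.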
Chapter 8. Statistics

8.1. Introduction

Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu.

These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).

• General statistics:
  • Summary about the capture file.
  • Protocol Hierarchy of the captured packets.
  • Conversations e.g.
Figure 8.1. The "Summary" window

• File: general information about the capture file.
• Time: the timestamps when the first and the last packet were captured (and the time between them).
• Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
• Display: some display related information.
• Traffic: some statistics of the network traffic seen.
Figure 8.2. The "Protocol Hierarchy" window

This is a tree of all the protocols in the capture. You can collapse or expand subtrees by clicking on the plus / minus icons. By default, all trees are expanded.

Each row contains the statistical values of one protocol. The Display filter will show the current display filter.
Note!
Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not sum up to the protocol's packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less. This may be caused by TCP protocol overhead (e.g. TCP ACK packets won't be counted as packets of the higher layer).

Note!
A single packet can contain the same protocol more than once.
Each row in the list shows the statistical values for exactly one conversation.

Name resolution will be done if selected in the window and if it is active for the specific protocol layer (MAC layer for the selected Ethernet endpoints page). Limit to display filter will only show conversations matching the current display filter.

The copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format.
• TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP ports on the same IP address are different TCP endpoints.
• Token Ring: a Token Ring endpoint is identical to the Token Ring MAC address.
• UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints.
• USB: XXX - insert info here.
• WLAN: XXX - insert info here.
ARP) and the third was resolved to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff); the last two Ethernet addresses remain unresolved.

Limit to display filter will only show conversations matching the current display filter.

The copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format.

Tip!
This window will be updated frequently, so it will be useful, even if you open it before (or while) you are doing a live capture.

8.5.3.
• Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
• Style: the style of the graph (Line/Impulse/FBar/Dot)
• X Axis
  • Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.
Note!
The other Service Response Time windows will work the same way (or only slightly different) compared to the following description.

8.7.1. The "Service Response Time DCE-RPC" window

The service response time of DCE-RPC is the time between the request and the corresponding response.

First of all, you have to select the DCE-RPC interface:

Figure 8.6. The "Compute DCE-RPC statistics" window

You can optionally set a display filter, to reduce the amount of packets.

Figure 8.7.
The merged capture data is checked for missing packets. If a matching connection is found it is checked for:
• IP header checksums
• Excessive delay (defined by the "Time variance" setting)
• Packet order
Figure 8.8. The "Compare" window You can configure the following:
• Start compare: Start comparing when this many IP IDs are matched. A zero value starts comparing immediately.
• Stop compare: Stop comparing when we can no longer match this many IP IDs. Zero always compares.
Tip! If you click on an item in the error list its corresponding packet will be selected in the main window. 8.9. WLAN Traffic Statistics Statistics of the captured WLAN traffic. This window will summarize the wireless network traffic found in the capture. Probe requests will be merged into an existing network if the SSID matches. Figure 8.9. The "WLAN Traffic Statistics" window Each row in the list shows the statistical values for exactly one wireless network.
Chapter 9. Telephony 9.1. Introduction Wireshark provides a wide range of telephony related network statistics which can be accessed via the Telephony menu. These statistics range from specific signaling protocols, to analysis of signaling and media flows. If encoded in a compatible encoding the media flow can even be played. 9.2. RTP Analysis The RTP analysis function takes the selected RTP stream (and the reverse stream, if possible) and generates a list of statistics on it. Figure 9.1.
Telephony More details are described at the http://wiki.wireshark.org/VoIP_calls page. 9.4. LTE MAC Traffic Statistics Statistics of the captured LTE MAC traffic. This window will summarize the LTE MAC traffic found in the capture. Figure 9.2. The "LTE MAC Traffic Statistics" window The top pane shows statistics for common channels. Each row in the middle pane shows statistical highlights for exactly one UE/C-RNTI.
Figure 9.3. The "LTE RLC Traffic Statistics" window At the top, the check-box allows this window to include RLC PDUs found within MAC PDUs or not. This will affect both the PDUs counted as well as the display filters generated (see below). The upper list shows summaries of each active UE. Each row in the lower list shows statistical highlights for individual channels within the selected UE. The lower part of the window allows display filters to be generated and set for the selected channel.
Chapter 10. Customizing Wireshark 10.1. Introduction Wireshark's default behaviour will usually suit your needs pretty well. However, as you become more familiar with Wireshark, it can be customized in various ways to suit your needs even better. In this chapter we explore:
• How to start Wireshark with command line parameters
• How to colorize the packet list
• How to control protocol dissection
• How to use the various preference settings
10.2.
Customizing Wireshark Example 10.1. Help information available from Wireshark Wireshark 1.7.0 (SVN Rev 38783 from /trunk) Interactively dump and analyze network traffic. See http://www.wireshark.org for more information. Copyright 1998-2011 Gerald Combs and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Usage: wireshark [options] ...
We will examine each of the command line options in turn. The first thing to notice is that issuing the command wireshark by itself will bring up Wireshark. However, you can include as many of the command line parameters as you like.
-c This option specifies the maximum number of packets to capture when capturing live data. It would be used in conjunction with the -k option. -D Print a list of the interfaces on which Wireshark can capture, and exit. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.
-k The -k option specifies that Wireshark should start capturing packets immediately. This option requires the use of the -i parameter to specify the interface that packet capture will occur from. -l This option turns on automatic scrolling if the packet list pane is being updated automatically as packets arrive during a capture (as specified by the -S flag). -L List the data link types supported by the interface and exit.
-p Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Wireshark is running, broadcast traffic, and multicast traffic to addresses received by that machine. -P Special path settings usually detected automatically. This is used for special cases, e.g.
• e epoch, which specifies that timestamps are seconds since epoch (Jan 1, 1970 00:00:00)
-v The -v option requests Wireshark to print out its version information and exit. -w This option sets the name of the savefile to be used when saving a capture file. -y If a capture is started from the command line with -k, set the data link type to use while capturing packets. The values reported by -L are the values that can be used.
Figure 10.1. The "Coloring Rules" dialog box Once the Coloring Rules dialog box is up, there are a number of buttons you can use, depending on whether or not you have any color filters installed already. Note! You will need to carefully select the order the coloring rules are listed as they are applied in order from top to bottom. So, more specific rules need to be listed before more general rules.
Figure 10.3. The "Choose color" dialog box Select the color you desire for the selected packets and click on OK. Note! You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to select the color you want. Figure 10.4, “Using color filters with Wireshark” shows an example of several color filters being used in Wireshark. You may not like the color choices; however, feel free to choose your own.
10.4. Control Protocol dissection The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g.
Figure 10.5. The "Enabled Protocols" dialog box To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted. Note that typing the first few letters of the protocol name when the Enabled Protocols dialog box is active will temporarily open a search text box and automatically select the first matching protocol name (if it exists). Warning! You have to use the Save button to save your settings.
Decode As is accessed by selecting the Decode As... item from the Analyze menu; Wireshark will pop up the "Decode As" dialog box as shown in Figure 10.6, “The "Decode As" dialog box”. Figure 10.6. The "Decode As" dialog box The content of this dialog box depends on the selected packet when it was opened. Warning! These settings will be lost if you quit Wireshark or change profile, unless you save the entries in the Show User Specified Decodes... window (Section 10.4.
Figure 10.7. The "Decode As: Show" dialog box
1. OK: Close this dialog box.
2. Save: Save the entries in the table into the current profile.
3. Clear: Removes all user specified decodes without updating the profile.
10.5. Preferences There are a number of preferences you can set. Simply select the Preferences... menu item from the Edit menu; and Wireshark will pop up the Preferences dialog box as shown in Figure 10.
• The Cancel button will restore all preferences settings to the last saved state.
Figure 10.8. The preferences dialog box 10.5.1. Interface Options In the Capture preferences it is possible to configure several options for the interfaces available on your computer. Select the Capture pane and press the Interfaces: Edit button.
• Description: provided by the operating system.
• Default link-layer: each interface may provide several link-layer header types. The default link-layer chosen here is the one used when you first start Wireshark. It is also possible to change this value in Section 4.5, “The "Capture Options" dialog box” when you start a capture. For a detailed description, see Section 4.11, “Link-layer header type”.
• Comment: a user provided description of the interface.
• SNMP Users (snmp_users) (Section 10.18, “SNMP users Table”)
• User DLTs Table (user_dlts) (Section 10.20, “User DLTs protocol table”)
• IKEv2 decryption table (ikev2_decryption_table) (Section 10.11, “IKEv2 decryption table”)
• Changed dissector assignments (decode_as_entries), which can be set in the Decode As... dialog box (Section 10.4.2, “User Specified Decodes”), and further saved in the User Specified Decodes... window (Section 10.4.3, “Show User Specified Decodes”).
Profile name: You can change the name of the currently selected profile here. Used as a folder name The profile name will be used as a folder name in the configured "Personal configurations" folder. If adding multiple profiles with the same name, only one profile will be created. Illegal characters On Windows the profile name cannot start or end with a period (.
This table is handled by a Section 10.7, “User Table” with the following fields. Tag Set An Object Identifier representing the Category Tag Set. Value The value (Label And Cert Value) representing the Category. Name The textual representation for the value. 10.10. GeoIP Database Paths If your copy of Wireshark supports MaxMind's GeoIP library, you can use their databases to match IP addresses to countries, cities, autonomous system numbers, ISPs, and other bits of information.
SK_ar Key used to calculate Integrity Checksum Data for IKEv2 packets from initiator to responder. This field takes a hexadecimal string without "0x" prefix, and its length must meet the requirement of the integrity algorithm selected. Integrity Algorithm Integrity algorithm of the IKE_SA. 10.12. Object Identifiers Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify certain pieces of information.
Called SSNs A range of integers representing the SSNs for which this association is valid. User protocol The protocol that is carried over this association. 10.15. SMI (MIB and PIB) Modules If your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB modules here. The COPS and SNMP dissectors can use them to resolve OIDs. Module name The name of the module, e.g. IF-MIB. 10.16.
Privacy password The privacy password. Use '\xDD' for unprintable characters. A hexadecimal password must be entered as a sequence of '\xDD' characters. For example the hex password 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'. 10.19. Tektronix K12xx/15 RF5 protocols Table The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are used by a certain interface.
Chapter 11. Lua Support in Wireshark 11.1. Introduction Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.
Lua Support in Wireshark
    [9] = Dissector.get("rrc"),
    [10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua
    [11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp
}

function p_multi.dissector(buf,pkt,root)
    local t = root:add(p_multi,buf(0,2))
    t:add(f_proto,buf(0,1))
    t:add(f_dir,buf(1,1))
    local proto_id = buf(0,1):uint()
    local dissector = protos[proto_id]
    if dissector ~= nil then
        dissector:call(buf(2):tvb(),pkt,root)
    elseif proto_id < 2 then
        t:add(f_text,buf(2))
        -- pkt.cols.
        ips[tostring(pinfo.dst)] = dst + 1
    end

    -- this function will be called once every few seconds to update our window
    function tap.draw(t)
        tw:clear()
        for ip,num in pairs(ips) do
            tw:append(ip .. "\t" .. num .. "\n");
        end
    end

    -- this function will be called whenever a reset is needed
    -- e.g. when reloading the capture file
    function tap.
11.5.1.2.1. Errors • Cannot operate on a closed dumper 11.5.1.3. dumper:flush() Writes all unsaved data of a dumper to the disk. 11.5.1.4. dumper:dump(timestamp, pseudoheader, bytearray) Dumps an arbitrary packet. Note: Dumper:dump_current() will fit best in most cases. 11.5.1.4.1. Arguments timestamp The absolute timestamp the packet will have pseudoheader The Pseudoheader to use. bytearray the data to be saved 11.5.1.5.
11.5.2.2. PseudoHeader.eth([fcslen]) Creates an ethernet pseudoheader 11.5.2.2.1. Arguments fcslen (optional) The fcs length 11.5.2.2.2. Returns The ethernet pseudoheader 11.5.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len]) Creates an ATM pseudoheader 11.5.2.3.1.
11.6.1.1.1. Arguments fieldname The filter name of the field (e.g. ip.addr) 11.6.1.1.2. Returns The field extractor 11.6.1.1.3. Errors • A Field extractor must be defined before Taps or Dissectors get called 11.6.1.2. field:__call() Obtain all values (see FieldInfo) for this field. 11.6.1.2.1. Returns All the values of this field 11.6.1.2.2. Errors • Fields cannot be used outside dissectors or taps 11.6.2. FieldInfo An extracted Field 11.6.2.1.
11.6.2.7. fieldinfo:__lt() Checks whether the end byte of rhs is before the beginning of rhs 11.6.2.7.1. Errors • Data source must be the same for both fields 11.6.2.8. fieldinfo.name The name of this field 11.6.2.9. fieldinfo.label The string representing this field 11.6.2.10. fieldinfo.value The value of this field 11.6.2.11. fieldinfo.len The length of this field 11.6.2.12. fieldinfo.offset The offset of this field 11.6.3. Non Method Functions 11.6.3.1.
11.7.1.1.2. Returns The newly created TextWindow object. 11.7.1.2. progdlg:update(progress, [task]) Appends text 11.7.1.2.1. Arguments progress Part done (e.g. 0.75). task (optional) Current task, defaults to "". 11.7.1.2.2. Errors
• GUI not available
• Cannot be called for something not a ProgDlg
• Progress value out of range (must be between 0.0 and 1.0)
11.7.1.3. progdlg:stopped() Checks whether the user has pressed the stop button. 11.7.1.3.1.
11.7.2.1.2. Returns The newly created TextWindow object. 11.7.2.1.3. Errors • GUI not available 11.7.2.2. textwindow:set_atclose(action) Set the function that will be called when the window closes 11.7.2.2.1. Arguments action A function to be executed when the user closes the window 11.7.2.2.2. Returns The TextWindow object. 11.7.2.2.3. Errors
• GUI not available
• Cannot be called for something not a TextWindow
11.7.2.3. textwindow:set(text) Sets the text. 11.7.2.3.1.
11.7.2.4.3. Errors
• GUI not available
• Cannot be called for something not a TextWindow
• Expired TextWindow
11.7.2.5. textwindow:prepend(text) Prepends text 11.7.2.5.1. Arguments text The text to be prepended 11.7.2.5.2. Returns The TextWindow object. 11.7.2.5.3. Errors
• GUI not available
• Cannot be called for something not a TextWindow
• Expired TextWindow
11.7.2.6. textwindow:clear() Erases all text in the window. 11.7.2.6.1. Returns The TextWindow object. 11.7.2.6.2.
• Cannot be called for something not a TextWindow
• Expired TextWindow
11.7.2.8. textwindow:set_editable([editable]) Make this window editable 11.7.2.8.1. Arguments editable (optional) A boolean flag, defaults to true 11.7.2.8.2. Returns The TextWindow object. 11.7.2.8.3. Errors
• GUI not available
• Cannot be called for something not a TextWindow
• Expired TextWindow
11.7.2.9. textwindow:add_button(label, function) 11.7.2.9.1.
11.7.3.2. register_menu(name, action, [group]) Register a menu item in one of the main menus. 11.7.3.2.1. Arguments name The name of the menu item. The submenus are to be separated by '/'s. (string) action The function to be called when the menu item is invoked. (function taking no arguments and returning nothing) group (optional) The menu group into which the menu item is to be inserted. If omitted, defaults to MENU_STAT_GENERIC.
11.7.3.6.1. Arguments filename The name of the file to be opened. filter A filter to be applied as the file gets opened. 11.7.3.7. set_filter(text) Set the main filter text 11.7.3.7.1. Arguments text The filter's text. 11.7.3.8. set_color_filter_slot(row, text) Set packet-coloring rule for the current session 11.7.3.8.1. Arguments row The index of the desired color in the temporary coloring rules list text Display filter for selecting packets to be colorized 11.7.3.9.
11.8.1.1. Listener.new([tap], [filter]) Creates a new Listener 11.8.1.1.1. Arguments tap (optional) The name of this tap filter (optional) A filter; when it matches, the tap.packet function gets called (use nil to be called for every packet) 11.8.1.1.2. Returns The newly created Listener object 11.8.1.1.3. Errors • tap registration error 11.8.1.2. listener:remove() Removes a tap listener 11.8.1.3. listener.
11.9.1.2. address:__tostring() 11.9.1.2.1. Returns The string representing the address. 11.9.1.3. address:__eq() Compares two Addresses 11.9.1.4. address:__le() Compares two Addresses 11.9.1.5. address:__lt() Compares two Addresses 11.9.2. Column A Column in the packet list 11.9.2.1. column:__tostring() 11.9.2.1.1. Returns A string representing the column 11.9.2.2. column:clear() Clears a Column 11.9.2.3. column:set(text) Sets the text of a Column 11.9.2.3.1.
11.9.2.5.1. Arguments text The text to prepend to the Column 11.9.3. Columns The Columns of the packet list. 11.9.3.1. columns:__tostring() 11.9.3.1.1. Returns The string "Columns", no real use, just for debugging purposes. 11.9.3.2. columns:__newindex(column, text) Sets the text of a specific column 11.9.3.2.1. Arguments column The name of the column to set text The text for the column 11.9.4. NSTime NSTime represents a nstime_t.
11.9.4.5. nstime:__unm() Calculates the negative NSTime 11.9.4.6. nstime:__eq() Compares two NSTimes 11.9.4.6.1. Errors • Data source must be the same for both fields 11.9.4.7. nstime:__le() Compares two NSTimes 11.9.4.7.1. Errors • Data source must be the same for both fields 11.9.4.8. nstime:__lt() Compares two NSTimes 11.9.4.8.1. Errors • Data source must be the same for both fields 11.9.4.9. nstime.secs The NSTime seconds 11.9.4.10. nstime.
11.9.5.4. pinfo.abs_ts When the packet was captured 11.9.5.5. pinfo.rel_ts Number of seconds passed since beginning of capture 11.9.5.6. pinfo.delta_ts Number of seconds passed since the last captured packet 11.9.5.7. pinfo.delta_dis_ts Number of seconds passed since the last displayed packet 11.9.5.8. pinfo.visited Whether this packet has been already visited 11.9.5.9. pinfo.src Source Address of this Packet 11.9.5.10. pinfo.dst Destination Address of this Packet 11.9.5.
11.9.5.17. pinfo.ptype Type of Port of .src_port and .dst_port 11.9.5.18. pinfo.src_port Source Port of this Packet 11.9.5.19. pinfo.dst_port Destination Port of this Packet 11.9.5.20. pinfo.ipproto IP Protocol id 11.9.5.21. pinfo.circuit_id For circuit based protocols 11.9.5.22. pinfo.match Port/Data we are matching 11.9.5.23. pinfo.curr_proto Which Protocol are we dissecting 11.9.5.24. pinfo.columns Access to the packet list columns 11.9.5.25. pinfo.
11.9.5.30. pinfo.ethertype Ethernet Type Code, if this is an Ethernet packet 11.9.5.31. pinfo.fragmented If the protocol is only a fragment 11.9.5.32. pinfo.in_error_pkt If we're inside an error packet 11.9.5.33. pinfo.match_uint Matched uint for calling subdissector from table 11.9.5.34. pinfo.match_string Matched string for calling subdissector from table 11.9.6. PrivateTable PrivateTable represents the pinfo->private_table. 11.9.6.1. privatetable:__tostring() 11.9.6.1.1.
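The Field, Listener, TextWindow, register_menu and pinfo APIs described in the sections above, put together in an added example that is not part of the User's Guide: a tap that records TCP SYN packets (SYN set, ACK clear) per source address and lists how many distinct destination ports each source touched, which is a simple indicator for a defender reviewing a capture. The script file name, the menu label and the tap's internal table names are chosen here; tcp.flags.syn and tcp.flags.ack are real Wireshark field names.

```lua
-- Added example (not from the Wireshark User's Guide): a Listener tap
-- that counts TCP SYN packets (SYN set, ACK clear) per source address
-- and shows a per-source summary in a TextWindow.
-- Load with: wireshark -X lua_script:syn_sources.lua   (file name chosen here)

-- Field extractors must be created at load time, before any tap runs
local f_syn = Field.new("tcp.flags.syn")
local f_ack = Field.new("tcp.flags.ack")

-- per-source state: { count = <SYNs seen>, ports = { [dst_port] = true } }
local sources = {}

local function record_syn(src, dst_port)
    local entry = sources[src]
    if entry == nil then
        entry = { count = 0, ports = {} }
        sources[src] = entry
    end
    entry.count = entry.count + 1
    entry.ports[dst_port] = true
end

local function port_count(entry)
    local n = 0
    for _ in pairs(entry.ports) do n = n + 1 end
    return n
end

local function open_window()
    local tw = TextWindow.new("TCP SYN sources (example)")
    -- the filter narrows the tap to SYN packets; the Field values confirm
    -- SYN-without-ACK per packet (a packet with a truncated header may lack them)
    local tap = Listener.new("tcp", "tcp.flags.syn == 1")

    function tap.packet(pinfo, tvb)
        local syn, ack = f_syn(), f_ack()
        if syn == nil or ack == nil then return end
        if syn.value and not ack.value then
            record_syn(tostring(pinfo.src), pinfo.dst_port)
        end
    end

    -- called periodically by Wireshark to refresh the window
    function tap.draw()
        tw:clear()
        tw:append("source\tSYNs\tdistinct dst ports\n")
        for src, entry in pairs(sources) do
            tw:append(src .. "\t" .. entry.count .. "\t" .. port_count(entry) .. "\n")
        end
    end

    -- called when the capture is reloaded
    function tap.reset()
        sources = {}
    end

    -- stop tapping once the window is closed, so the Listener does not outlive it
    tw:set_atclose(function() tap:remove() end)
    tw:add_button("Refresh", function() retap_packets() end)
    -- re-run the tap over the packets already loaded so the window fills immediately
    retap_packets()
end

-- TextWindow needs the GUI, so only register the menu item in Wireshark, not tshark
if gui_enabled() then
    register_menu("Lua/TCP SYN sources", open_window)
end
```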
11.10.1.2.1. Arguments tvb The buffer to dissect pinfo The packet info tree The tree on which to add the protocol items 11.10.2. DissectorTable A table of subdissectors of a particular protocol (e.g. TCP subdissectors like http, smtp, sip are added to table "tcp.port"). Useful to add more dissectors to a table so that they appear in the Decode As... dialog. 11.10.2.1. DissectorTable.
11.10.2.4. dissectortable:remove(pattern, dissector) Remove a dissector from a table 11.10.2.4.1. Arguments pattern The pattern to match (either an integer or a string depending on the table's type). dissector The dissector to remove (either a Proto or a Dissector). 11.10.2.5. dissectortable:try(pattern, tvb, pinfo, tree) Try to call a dissector from a table 11.10.2.5.1. Arguments pattern The pattern to be matched (either an integer or a string depending on the table's type).
11.10.3.2. Pref.uint(label, default, descr) Creates an (unsigned) integer preference to be added to a Protocol's prefs table. 11.10.3.2.1. Arguments label The Label (text on the right side of the preference input) for this preference default The default value for this preference descr A description of what this preference is 11.10.3.3. Pref.string(label, default, descr) Creates a string preference to be added to a Protocol's prefs table. 11.10.3.3.1.
11.10.3.6.1. Arguments label The static text descr The static text description 11.10.4. Prefs The table of preferences of a protocol 11.10.4.1. prefs:__newindex(name, pref) Creates a new preference 11.10.4.1.1. Arguments name The abbreviation of this preference pref A valid but still unassigned Pref object 11.10.4.1.2. Errors • Unknown Pref type 11.10.4.2. prefs:__index(name) Get the value of a preference setting 11.10.4.2.1.
11.10.5.2. proto.dissector The protocol's dissector, a function you define 11.10.5.3. proto.fields The Fields Table of this dissector 11.10.5.4. proto.prefs The preferences of this dissector 11.10.5.5. proto.init The init routine of this dissector, a function you define 11.10.5.6. proto.name The name given to this dissector 11.10.5.7. proto.description The description given to this dissector 11.10.6.
mask (optional) The bitmask to be used. descr (optional) The description of the field. 11.10.6.1.2. Returns The newly created ProtoField object 11.10.6.2. ProtoField.uint8(abbr, [name], [base], [valuestring], [mask], [desc]) 11.10.6.2.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) base (optional) One of base.DEC, base.HEX or base.
name (optional) Actual name of the field (the string that appears in the tree) base (optional) One of base.DEC, base.HEX or base.OCT valuestring (optional) A table containing the text that corresponds to the values mask (optional) Integer mask of this field desc (optional) Description of the field 11.10.6.4.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.5. ProtoField.uint32(abbr, [name], [base], [valuestring], [mask], [desc]) 11.10.6.5.1.
11.10.6.7. ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc]) 11.10.6.7.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) base (optional) One of base.DEC, base.HEX or base.OCT valuestring (optional) A table containing the text that corresponds to the values mask (optional) Integer mask of this field desc (optional) Description of the field 11.10.6.
mask (optional) Integer mask of this field desc (optional) Description of the field 11.10.6.9.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.10. ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc]) 11.10.6.10.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) base (optional) One of base.DEC, base.HEX or base.
11.10.6.12.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) base (optional) One of base.DEC, base.HEX or base.OCT valuestring (optional) A table containing the text that corresponds to the values mask (optional) Integer mask of this field desc (optional) Description of the field 11.10.6.12.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.13.
11.10.6.15. ProtoField.relative_time(abbr, [name], [desc]) 11.10.6.15.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) desc (optional) Description of the field 11.10.6.15.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.16. ProtoField.ipv4(abbr, [name], [desc]) 11.10.6.16.1.
11.10.6.19. ProtoField.float(abbr, [name], [desc]) 11.10.6.19.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) desc (optional) Description of the field 11.10.6.19.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.20. ProtoField.double(abbr, [name], [desc]) 11.10.6.20.1.
11.10.6.23. ProtoField.bytes(abbr, [name], [desc]) 11.10.6.23.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) desc (optional) Description of the field 11.10.6.23.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.24. ProtoField.ubytes(abbr, [name], [desc]) 11.10.6.24.1.
11.10.6.27. ProtoField.bool(abbr, [name], [desc]) 11.10.6.27.1. Arguments abbr Abbreviated name of the field (the string used in filters) name (optional) Actual name of the field (the string that appears in the tree) desc (optional) Description of the field 11.10.6.27.2. Returns A protofield item to be added to a ProtoFieldArray 11.10.6.28. protofield:__tostring() Returns a string with info about a protofield (for debugging purposes) 11.10.7. Non Method Functions 11.10.7.1.
11.11.1.3. treeitem:add_le() Adds (and returns) a child item to a given item, returning the child. Same as tree_item:add([proto_field | proto], [tvbrange], [label], ...), except that if the proto_field represents a numeric value (int, uint or float) it is treated as a Little Endian value. 11.11.1.3.1. Returns The child item 11.11.1.4. treeitem:set_text(text) Sets the text of the label 11.11.1.4.1. Arguments text The text to be used. 11.11.1.5.
11.11.1.9. treeitem:set_hidden() Should not be used 11.11.1.10. treeitem:set_len(len) Set TreeItem's length inside tvb, after it has already been created. 11.11.1.10.1. Arguments len The length to be used. 11.12. Functions for handling packet data 11.12.1. ByteArray 11.12.1.1. ByteArray.new([hexbytes]) Creates a ByteArray Object 11.12.1.1.1. Arguments hexbytes (optional) A string consisting of hexadecimal bytes like "00 B1 A2" or "1a2b3c4d" 11.12.1.1.2.
11.12.1.3.2. Errors • Both arguments must be ByteArrays 11.12.1.4. bytearray:append(appended) Append a ByteArray to this ByteArray 11.12.1.4.1. Arguments appended Array to be appended 11.12.1.4.2. Errors • Both arguments must be ByteArrays 11.12.1.5. bytearray:set_size(size) Sets the size of a ByteArray, either truncating it or filling it with zeros. 11.12.1.5.1. Arguments size New size of the array 11.12.1.5.2. Errors • ByteArray size must be non-negative 11.12.1.6.
11.12.1.8.1. Returns The length of the ByteArray. 11.12.1.9. bytearray:subset(offset, length) Obtain a segment of a ByteArray 11.12.1.9.1. Arguments offset The position of the first byte length The length of the segment 11.12.1.9.2. Returns A ByteArray containing the requested segment. A string containing a representation of the ByteArray. 11.12.2. Int Int64 represents a 64 bit integer.
11.12.3.3. tvb:__tostring() Convert the bytes of a Tvb into a string, to be used for debugging purposes as '...' will be appended in case the string is too long. 11.12.3.3.1. Returns The string. 11.12.3.4. tvb:reported_len() Obtain the reported length of a TVB 11.12.3.4.1. Returns The length of the Tvb. 11.12.3.5. tvb:len() Obtain the length of a TVB 11.12.3.5.1. Returns The length of the Tvb. 11.12.3.6.
11.12.4.1. tvb:range([offset], [length]) Creates a tvbr from this Tvb. This is used also as the Tvb:__call() metamethod. 11.12.4.1.1. Arguments offset (optional) The offset (in octets) from the beginning of the Tvb. Defaults to 0. length (optional) The length (in octets) of the range. Defaults to until the end of the Tvb. 11.12.4.1.2. Returns The TvbRange 11.12.4.2. tvbrange:uint() Get a Big Endian (network order) unsigned integer from a TvbRange.
11.12.4.8. tvbrange:int64() Get a Big Endian (network order) signed 64 bit integer from a TvbRange. The range must be 1-8 octets long. 11.12.4.9. tvbrange:le_int64() Get a Little Endian signed 64 bit integer from a TvbRange. The range must be 1-8 octets long. 11.12.4.10. tvbrange:float() Get a Big Endian (network order) floating point number from a TvbRange. The range must be 4 or 8 octets long. 11.12.4.10.1. Returns The floating point value 11.12.4.11.
11.12.4.15. tvbrange:nstime() Obtain a nstime from a TvbRange 11.12.4.15.1. Returns The NSTime 11.12.4.15.2. Errors • The range must be 4 or 8 bytes long 11.12.4.16. tvbrange:le_nstime() Obtain a nstime from a TvbRange 11.12.4.16.1. Returns The NSTime 11.12.4.16.2. Errors • The range must be 4 or 8 bytes long 11.12.4.17. tvbrange:string() Obtain a string from a TvbRange 11.12.4.17.1. Returns The string 11.12.4.18.
11.12.4.21. tvbrange:ustringz() Obtain a Big Endian (network order) UTF-16 encoded zero terminated string from a TvbRange 11.12.4.21.1. Returns The zero terminated string, the length found in tvbr 11.12.4.22. tvbrange:le_ustringz() Obtain a Little Endian UTF-16 encoded zero terminated string from a TvbRange 11.12.4.22.1. Returns The zero terminated string, the length found in tvbr 11.12.4.23. tvbrange:bytes() Obtain a ByteArray 11.12.4.23.1. Returns The ByteArray 11.12.4.24.
11.12.4.27. tvbrange:offset() Obtain the offset in a TvbRange 11.12.4.28. tvbrange:__tostring() Converts the TvbRange into a string. As the string gets truncated you should use this only for debugging purposes or if what you want is to have a truncated string in the format 67:89:AB:... 11.12.5. UInt UInt64 represents a 64 bit unsigned integer. 11.13. Utility Functions 11.13.1. Dir A Directory 11.13.1.1. Dir.open(pathname, [extension]) Usage: for filename in Dir.open(path) do ..
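The Proto, ProtoField, Pref, DissectorTable, TreeItem and Tvb/TvbRange sections above, combined in an added example that is not part of the User's Guide: a dissector for a hypothetical "tlvbeacon" UDP protocol whose wire format is constructed for this example, registered on a user-configurable port and written so that a short or malformed packet cannot make the script index past the captured bytes. The protocol name, field abbreviations, port and magic value are all chosen here.

```lua
-- Added example (not from the Wireshark User's Guide): a dissector for a
-- hypothetical "tlvbeacon" UDP protocol, built from Proto, ProtoField, Pref,
-- DissectorTable, TreeItem and TvbRange. The wire format is constructed for
-- this example: 2-byte little-endian magic 0xBEEF, 1-byte version,
-- 1-byte flags (bit 0 = encrypted), 2-byte big-endian payload length,
-- then the payload.
-- Load with: tshark -X lua_script:tlvbeacon.lua -r capture.pcap  (names chosen here)

local p_beacon = Proto("tlvbeacon", "TLV Beacon (example protocol)")

-- The abbreviation is the display-filter name, e.g. "tlvbeacon.flags.enc == 1"
local f_magic   = ProtoField.uint16("tlvbeacon.magic",     "Magic",          base.HEX)
local f_version = ProtoField.uint8 ("tlvbeacon.version",   "Version",        base.DEC)
local f_flags   = ProtoField.uint8 ("tlvbeacon.flags",     "Flags",          base.HEX)
local f_enc     = ProtoField.uint8 ("tlvbeacon.flags.enc", "Encrypted",      base.DEC,
                                    { [0] = "no", [1] = "yes" }, 0x01)  -- masked sub-field
local f_len     = ProtoField.uint16("tlvbeacon.len",       "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("tlvbeacon.payload",   "Payload")
local f_text    = ProtoField.string("tlvbeacon.text",      "Payload text")

p_beacon.fields = { f_magic, f_version, f_flags, f_enc, f_len, f_payload, f_text }

-- Pref.uint shows up under Edit > Preferences > Protocols > TLVBEACON
p_beacon.prefs.port = Pref.uint("UDP port", 4242, "UDP port carrying beacon packets")

local MAGIC      = 0xBEEF
local HEADER_LEN = 6

function p_beacon.dissector(buf, pinfo, tree)
    local pktlen = buf:len()
    -- Bounds check first: never read past the captured bytes, and give up on
    -- anything without our magic so the packet falls through to "data"
    if pktlen < HEADER_LEN or buf(0, 2):le_uint() ~= MAGIC then
        return
    end

    pinfo.cols.protocol = "TLVB"
    local t = tree:add(p_beacon, buf(0, pktlen))
    t:add_le(f_magic, buf(0, 2))                   -- little-endian field via add_le
    t:add(f_version, buf(2, 1))
    local flags_item = t:add(f_flags, buf(3, 1))
    flags_item:add(f_enc, buf(3, 1))               -- the mask selects bit 0 for display
    local encrypted = (buf(3, 1):uint() % 2) == 1  -- bit 0 of the flags byte
    local declared  = buf(4, 2):uint()             -- big-endian length via uint()
    t:add(f_len, buf(4, 2))

    -- The declared length is untrusted input from the wire: clamp it to what
    -- is actually in the buffer rather than indexing with it directly
    local avail = pktlen - HEADER_LEN
    local plen  = declared
    local info  = "v" .. buf(2, 1):uint() .. " len=" .. declared
    if declared > avail then
        plen = avail
        info = info .. " [truncated]"
    end
    if plen > 0 then
        local range = buf(HEADER_LEN, plen)
        if encrypted then
            t:add(f_payload, range)                -- opaque bytes
        else
            t:add(f_text, range)                   -- shown as text when not encrypted
        end
    end
    pinfo.cols.info = info
end

-- Register on the configured UDP port. init() runs whenever a capture is
-- (re)loaded, so a changed port preference takes effect after a reload.
local udp_table  = DissectorTable.get("udp.port")
local bound_port = nil

function p_beacon.init()
    if bound_port ~= nil and bound_port ~= p_beacon.prefs.port then
        udp_table:remove(bound_port, p_beacon)
        bound_port = nil
    end
    if bound_port == nil then
        bound_port = p_beacon.prefs.port
        udp_table:add(bound_port, p_beacon)
    end
end
```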
11.13.2.2. format_date(timestamp)
Formats an absolute timestamp into a human readable date
11.13.2.2.1. Arguments
timestamp: A timestamp value to convert.
11.13.2.2.2. Returns
A string with the formatted date
11.13.2.3. format_time(timestamp)
Formats a relative timestamp in a human readable form
11.13.2.3.1. Arguments
timestamp: A timestamp value to convert
11.13.2.3.2. Returns
A string with the formatted time
11.13.2.4. report_failure(text)
Reports a failure to the user
11.13.2.8. info(...)
Will add a log entry with info severity
11.13.2.8.1. Arguments
...: objects to be printed
11.13.2.9. debug(...)
Will add a log entry with debug severity
11.13.2.9.1. Arguments
...: objects to be printed
11.13.2.10. loadfile(filename)
Lua's loadfile() has been modified so that if a file does not exist in the current directory it will look for it in Wireshark's user and system directories
11.13.2.10.1. Arguments
filename: Name of the file to be loaded
11.13.2.14. register_stat_cmd_arg(argument, [action])
Register a function to handle a -z option
11.13.2.14.1.
Appendix A. Files and Folders

A.1. Capture Files
To understand which information will remain available after the captured packets are saved to a capture file, it's helpful to know a bit about the capture file contents. Wireshark uses the libpcap file format as the default format to save captured packets; this format has existed for a long time and it's pretty simple. However, it has some drawbacks: it's not extensible and lacks some information that would be really helpful (e.g.
• time references set with "Edit/Time Reference"
• the current display filter
• ...

A.2. Configuration Files and Folders
Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.
File/Folder | Description | Unix/Linux folders | Windows folders
subnets | IPv4 subnet name resolution. | /etc/subnets, $HOME/.wireshark/subnets | %WIRESHARK%\subnets, %APPDATA%\Wireshark\subnets
ipxnets | IPX name resolution. | /etc/ipxnets, $HOME/. | %WIRESHARK%\ipxnets,
plugins | Plugin directories. | /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins | %WIRESHARK%\plugins\, %APPDATA%\Wireshark\plugins
temp | Temporary files. | |
cfilters
This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format: "" The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box.
dfilters
This file contains all the display filters that you have defined and saved.
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
The settings from this file are read in at program start and never written by Wireshark.
manuf
Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except addresses are three bytes long.
An example is:
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
A partially matched name will be printed as "subnetname.remaining-address". For example, "192.168.0.1" under the subnet above would be printed as "ws_test_network.1"; if the mask length above had been 16 rather than 24, the printed address would be "ws_test_network.0.1". The settings from this file are read in at program start and never written by Wireshark.
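The resolution rules above, worked through as an added example (illustrative code, not Wireshark's own resolver): it reads a subnets file in the format shown and renders an address as "subnetname.remaining-address", longest mask first. The sample entries beyond the guide's /24 line and the handling of masks that are not a multiple of 8 are this example's assumptions.

```python
import ipaddress

# Constructed sample of a personal 'subnets' file in the guide's format. The
# /24 line is the guide's own example; the other two are added here.
SAMPLE_SUBNETS_FILE = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
192.168.0.0/16 ws_site
10.0.0.0/16    corp_lan
"""


def parse_subnets(text):
    """Return (network, name) pairs, longest mask first.

    Blank lines and '#' comments are ignored; malformed lines are skipped
    rather than aborting, the lenient behaviour wanted from a config reader.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        if net.version == 4:
            entries.append((net, parts[1]))
    # Longest prefix wins when several listed subnets contain the address.
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def resolve(addr, entries):
    """Render an IPv4 address as 'subnetname.remaining-address'.

    The remaining part is the dotted host portion below the mask, as in the
    guide: 192.168.0.1 under a /24 -> ws_test_network.1, under a /16 ->
    ws_test_network.0.1. Unmatched addresses are returned unchanged.
    """
    ip = ipaddress.ip_address(addr)
    for net, name in entries:
        if ip in net:
            host_part = int(ip) & int(net.hostmask)
            octets = str(ipaddress.ip_address(host_part)).split(".")
            # Drop every octet the mask covers, even partially (assumption for
            # masks that are not a multiple of 8; the guide only shows /24, /16).
            remaining = octets[(net.prefixlen + 7) // 8:]
            return name + "." + ".".join(remaining) if remaining else name
    return str(ip)
```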
[location data]
Optional. Contains keys that will be used for variable substitution in the "location" value. For example, if the database section contains location = http://www.example.com/proto?cookie=${cookie}&path=${PATH} then setting cookie = anonymous-user-1138 will result in the URL "http://www.example.com/proto?cookie=anonymous-user-1138&path=${PATH}". PATH is used for help path substitution, and shouldn't be defined in this section.
Right-clicking on a TCP protocol detail item will display a help menu item that displays the Wikipedia page for TCP. Right-clicking on the TCP destination or source ports will display additional help menu items that take you to the "TCP ports" section of the page. The [location data] and ${PATH} can be omitted if they are not needed. For example, the following configuration is functionally equivalent to the previous configuration:
[database]
source=Wikipedia
version=1
location=http://en.
Windows ME, Windows 98 without user profiles (no longer supported, for historical reference only)
Without user profiles enabled the default location for all users is C:\windows\Application Data\Wireshark
A.3.2. Windows 7, Vista, XP, 2000, and NT roaming profiles
The following will only be applicable if you are using roaming profiles. This might be the case if you work in a Windows domain environment (used in company networks).
Appendix B. Protocols and Protocol Fields
Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.
Appendix C. Wireshark Messages
Wireshark provides you with additional information generated out of the plain packet data, or it may need to indicate dissection problems. Messages generated by Wireshark are usually placed in square brackets [].
C.1. Packet List Messages
These messages might appear in the packet list.
C.1.1. [Malformed Packet]
Malformed packet means that the protocol dissector can't dissect the contents of the packet any further.
C.2.3. [Time from request: 0.123 seconds]
The time between the request and the response packets.
C.2.4. [Stream setup by PROTOCOL (frame 123)]
The session control protocol (SDP, H225, etc.) message which signaled the creation of this session. You can jump directly to the corresponding packet by double clicking on this message.
Appendix D. Related command line tools

D.1. Introduction
Besides the Wireshark GUI application, there are some command line tools which can be helpful for doing some more specialized things. These tools will be described in this chapter.
D.2. tshark: Terminal-based Wireshark
TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as wireshark.
Copyright 1998-2011 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:
  -i  name or idx of interface (def: first non-loopback)
Example D.1.
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
There are occasions when you want to capture packets using tcpdump rather than wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture).
Example D.2. Help information available from dumpcap
Dumpcap 1.7.0 (SVN Rev 39165 from /trunk)
Capture network packets and dump them into a libpcap file.
See http://www.wireshark.org for more information.
Usage: dumpcap [options] ...
Capture interface:
  -i -f -s -p -B -y -D -L -d -S -M
RPCAP options:
  -r -u -A : -m
Stop conditions:
  -c -a ...
Example D.3. Help information available from capinfos
Capinfos 1.7.0 (SVN Rev 39165 from /trunk)
Prints various information (infos) about capture files.
See http://www.wireshark.org for more information.
Usage: capinfos [options] ...
D.6. rawshark: Dump and analyze network traffic.
Rawshark reads a stream of packets from a file or pipe, and prints a line describing its output, followed by a set of matching fields for each packet on stdout.
Example D.4. Help information available from rawshark
Rawshark 1.7.0 (SVN Rev 39165 from /trunk)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2011 Gerald Combs and contributors.
Example D.5. Help information available from editcap
Editcap 1.7.0 (SVN Rev 39165 from /trunk)
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
Usage: editcap [options] ... [ [-] ... ]
and must both be present. A single packet or a range of packets can be selected.
Packet selection:
  -r  keep the selected packets; default is to delete them.
  -A
  -B
Example D.6. Capture file types available from editcap
$ editcap -F
editcap: option requires an argument -- F
editcap: The available capture file types for the "-F" flag are:
    5views - Accellent 5Views capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    libpcap - Wireshark/tcpdump/...
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c - I2C
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
    ieee-802-11-netmon - IEEE 802.
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    sccp - SS7 SCCP
    sdlc - SDLC
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb - Raw USB packets
    usb-linux - USB packets with Linux header
    usb-linux-mmap
uncompressed Sniffer format, Microsoft Network Monitor 1.x format, and the format used by Windows-based versions of the Sniffer software. Packets from the input files are merged in chronological order based on each frame's timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order.
D.9. text2pcap: Converting ASCII hexdumps to network captures
There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file. Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets.
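What such a conversion involves, as an added example written for this page rather than taken from the text2pcap source: it splits an offset-prefixed hexdump of the kind text2pcap reads into packets and writes them in the classic libpcap format that Appendix A names as Wireshark's default. The sample dump, the fixed base timestamp and the strict offset check are this example's own choices; text2pcap itself starts from the current time when the input carries no timestamps.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1               # link-layer type 1 = Ethernet, text2pcap's default
BASE_TS_SEC = 1_000_000_000  # fixed base time so the output is reproducible

# Constructed sample in the style text2pcap accepts: every line starts with a
# hex offset, offset 000000 begins a new packet, trailing text is ignored.
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01  ......."3DU....
000010 08 00 06 04 00 01                                ......
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00        ."3DUfw....
"""

OFFSET = re.compile(r"^[0-9a-fA-F]{3,}$")  # text2pcap: hex number > 2 chars
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_packets(text):
    """Split an offset-prefixed hexdump into a list of packet byte strings.
    Bytes are the two-digit hex tokens after the offset, up to the first
    non-hex token; offset 0 starts a new packet; lines without a leading
    offset are skipped. A wrong offset raises (text2pcap itself only warns).
    """
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET.match(tokens[0]):
            continue
        offset = int(tokens[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} but {len(current)} bytes read")
        for tok in tokens[1:]:
            if not HEX_BYTE.match(tok):
                break
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def packets_to_pcap(packets, linktype=DLT_EN10MB):
    """Serialise packets as a classic little-endian libpcap file (bytes)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, network.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # Record header: ts_sec, ts_usec, incl_len, orig_len; packets are
        # stamped one microsecond apart, as text2pcap does from its base time.
        out += struct.pack("<IIII", BASE_TS_SEC, i, len(pkt), len(pkt))
        out += pkt
    return bytes(out)
```

Writing the returned bytes to a file gives a capture Wireshark or tshark can open; a capture file with packets that are not in the format the link-layer type promises will show up as [Malformed Packet] entries rather than being rejected.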
Text2pcap 1.7.0 (SVN Rev 39165 from /trunk)
Generate a capture file from an ASCII hexdump of packets.
See http://www.wireshark.org for more information.
Example D.10.
D.10. idl2wrs: Creating dissectors from CORBA IDL files
In an ideal world idl2wrs would be mentioned in the user's guide in passing and documented in the developer's guide. As the developer's guide has not yet been completed, it will be documented here.
D.10.1. What is it?
As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP.
Procedure for converting a CORBA idl file into a Wireshark dissector
1. To write the C code to stdout.
   idl2wrs
   e.g.: idl2wrs echo.idl
2. To write to a file, just redirect the output.
   idl2wrs echo.idl > packet-test-idl.c
   You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.
   If you don't want to use the shell script wrapper, then try steps 3 or 4 instead.
3. To write the C code to stdout.
   make
8. Good Luck !!
D.10.4. TODO
1. Exception code not generated (yet), but can be added manually.
2. Enums not converted to symbolic values (yet), but can be added manually.
3. Add command line options etc
4. More I am sure :-)
D.10.5. Limitations
See the TODO list inside packet-giop.c
D.10.6. Notes
1. The "-p ./" option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory.
Appendix E. This Document's License (GPL)
As with the original license and documentation distributed with Wireshark, this document is covered by the GNU General Public License (GNU GPL). If you haven't read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation.
program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0.
distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
Yoyodyne, Inc.