Wireshark User's Guide 21443 for Wireshark 0.99.
Wireshark User's Guide: 21443 for Wireshark 0.99.5
by Ulf Lamping, Richard Sharpe, and Ed Warnicke
Copyright © 2004-2007 Ulf Lamping, Richard Sharpe, Ed Warnicke
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
All logos and trademarks in this document are property of their respective owner.
Table of Contents
Preface (viii)
  1. Foreword (viii)
  2. Who should read this document? (ix)
  3. Acknowledgements (x)
  4. About this document
3.5. The "File" menu (31)
3.6. The "Edit" menu (34)
3.7. The "View" menu (36)
3.8. The "Go" menu (40)
3.9. The "Capture" menu
6.4. Building display filter expressions (110)
  6.4.1. Display filter fields (110)
  6.4.2. Comparing values (110)
  6.4.3. Combining expressions (111)
  6.4.4. A common mistake
9.3. Packet colorization (160)
9.4. Control Protocol dissection (163)
  9.4.1. The "Enabled Protocols" dialog box (163)
  9.4.2. User Specified Decodes (165)
  9.4.3. Show User Specified Decodes
Preface 1. Foreword Wireshark is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Wireshark because of the lack of documentation. This document is part of an effort by the Wireshark team to improve the usability of Wireshark. We hope that you find it useful, and look forward to your comments.
Preface 2. Who should read this document? The intended audience of this book is anyone using Wireshark. This book will explain all the basics and also some of the advanced features that Wireshark provides. As Wireshark has become a very complex program since the early days, not every feature of Wireshark may be explained in this book. This book is not intended to explain network sniffing in general and it will not provide details about specific network protocols.
Preface 3. Acknowledgements The authors would like to thank the whole Wireshark team for their assistance. In particular, the authors would like to thank: • Gerald Combs, for initiating the Wireshark project and funding to do this documentation. • Guy Harris, for many helpful hints and a great deal of patience in reviewing this document. • Gilbert Ramirez, for general encouragement and helpful hints along the way.
Preface 4. About this document This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It is written in DocBook/XML. You will find some specially marked parts in this book: This is a warning! You should pay attention to a warning, as otherwise data loss might occur. This is a note! A note will point you to common mistakes and things that might not be obvious.
5. Where to get the latest copy of this document? The latest copy of this documentation can always be found at: http://www.wireshark.org/docs/#usersguide.
6. Providing feedback about this document Should you have any feedback about this document, please send it to the authors through wireshark-dev[AT]wireshark.org.
Chapter 1. Introduction 1.1. What is Wireshark? Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
Figure 1.1. Wireshark captures packets and allows you to examine their content. 1.1.3. Live capture from many different network media Wireshark can capture traffic from many different network media types, and despite its name this includes wireless LAN as well. Which media types are supported depends on many things, like the operating system you are using. An overview of the supported media types can be found at: http://wiki.wireshark.org/CaptureSetup/NetworkMedia. 1.1.4.
Introduction Wireshark is an open source software project, and is released under the GNU General Public Licence (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do! 1.1.8.
Introduction 1.2. System Requirements What you'll need to get Wireshark up and running ... 1.2.1. General Remarks • The values below are the minimum requirements and only "rules of thumb" for use on a moderately used network • Working with a busy network can easily produce huge memory and disk space usage! For example: Capturing on a fully saturated 100MBit/s Ethernet will produce ~ 750MBytes/min! Having a fast processor, lots of memory and disk space is a good idea in that case.
• Windows NT 4.0 will no longer work with Wireshark. The last known version to work was Wireshark 0.99.4 (which includes WinPcap 3.1); you can still get it from: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.4.exe. BTW: Microsoft has not supported NT 4.0 since December 31, 2005! • Windows CE and the embedded (NT/XP) versions are not supported! • 64-bit processors run Wireshark in 32 bit emulation (called WoW64), at least WinPcap 4.
Introduction 1.3. Where to get Wireshark? You can get the latest copy of the program from the Wireshark website: http://www.wireshark.org/download.html. The website allows you to choose from among several mirrors for downloading. A new Wireshark version will typically become available every 4-8 weeks. If you want to be notified about new Wireshark releases, you should subscribe to the wireshark-announce mailing list. You will find more details in Section 1.6.4, “Mailing Lists”.
Introduction 1.4. A brief history of Wireshark In late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted to learn more about networking, so he started writing Ethereal (the former name of the Wireshark project) as a way to solve both problems. Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days, patches, bug reports, and words of encouragement started arriving, so Ethereal was on its way to success.
Introduction 1.5. Development and maintenance of Wireshark Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark team, a loose group of individuals who fix bugs and provide new functionality. There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue.
Introduction 1.6. Reporting problems and getting help If you have problems, or need help with Wireshark, there are several places that may be of interest to you (well, besides this guide of course). 1.6.1. Website You will find lots of useful information on the Wireshark homepage at http://www.wireshark.org. 1.6.2. Wiki The Wireshark Wiki at http://wiki.wireshark.org provides a wide range of information related to Wireshark and packet capturing in general.
1.6.5. Reporting Problems Note! Before reporting any problems, please make sure you have installed the latest version of Wireshark. When reporting problems with Wireshark, it is helpful if you supply the following information: 1. The version number of Wireshark and the dependent libraries linked with it, e.g. GTK+, etc. You can obtain this with the command wireshark -v. 2. Information about the platform you run Wireshark on. 3. A detailed description of your problem. 4.
Introduction the D key together) will cause gdb to exit. This will leave you with a file called bt.txt in the current directory. Include the file with your bug report. Note If you do not have gdb available, you will have to check out your operating system's debugger. You should mail the traceback to the wireshark-dev[AT]wireshark.org mailing list. 1.6.7. Reporting Crashes on Windows platforms The Windows distributions don't contain the symbol files (.pdb), because they are very large.
Chapter 2. Building and Installing Wireshark 2.1. Introduction As with all things, there must be a beginning, and so it is with Wireshark. To use Wireshark, you must: • Obtain a binary package for your operating system, or • Obtain the source and build Wireshark for your operating system. Currently, only two or three Linux distributions ship Wireshark, and they are commonly shipping an out-of-date version.
Building and Installing Wireshark 2.2. Obtaining the source and binary distributions You can obtain both source and binary distributions from the Wireshark web site: http://www.wireshark.org. Simply select the download link, and then select either the source package or binary package of your choice from the mirror site closest to you.
Building and Installing Wireshark 2.3. Before you build Wireshark under UNIX Before you build Wireshark from sources, or install a binary package, you must ensure that you have the following other packages installed: • GTK+, The GIMP Tool Kit. You will also need Glib. Both can be obtained from www.gtk.org • libpcap, the packet capture software that Wireshark uses. You can obtain libpcap from www.tcpdump.org Depending on your system, you may be able to install these from binaries, e.g.
Example 2.2. Building and installing libpcap
    gzip -dc libpcap-0.9.4.tar.Z | tar xvf -
    cd libpcap-0.9.4
    ./configure
    make
    make install
Note! The directory you should change to will depend on the version of libpcap you have downloaded. In all cases, tar xvf - will show you the name of the directory that has been unpacked. Under RedHat 6.
2.4. Building Wireshark from source under UNIX Use the following general steps if you are building Wireshark from source under a UNIX operating system: 1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:
    tar zxvf wireshark-0.99.5-tar.gz
For other versions of UNIX, you will want to use the following commands:
    gzip -d wireshark-0.99.5-tar.gz
    tar xvf wireshark-0.99.
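The unpacking step above has two variants, GNU tar's z flag and the gzip pipeline for other UNIX tars, and the note under Example 2.2 relies on tar's verbose listing to learn the unpacked directory name. The following POSIX sh function is an added example written for this guide excerpt (not code from the Wireshark project) that makes that choice automatically and returns the directory name; the archive name used in its comments is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Wireshark guide: unpack a gzip'd source
# tarball the two ways Section 2.4 describes, picking "tar zxvf" on GNU tar
# and the portable "gzip -dc ... | tar xvf -" pipeline on other UNIX tars,
# and report the top-level directory the archive created (the note under
# Example 2.2 points out that tar's verbose listing reveals this name).

# unpack_source ARCHIVE
# Unpacks ARCHIVE (e.g. the assumed wireshark-0.99.5.tar.gz) into the current
# directory and prints the name of the top-level directory it contained.
# Returns 1 if the archive is missing, tar fails, or no name was found.
unpack_source() {
    archive=$1
    if [ ! -f "$archive" ]; then
        echo "unpack_source: no such file: $archive" >&2
        return 1
    fi

    # tar's verbose listing goes to stdout on GNU tar but to stderr on some
    # BSD tars, so capture both streams.
    if tar --version 2>/dev/null | grep -q GNU; then
        # GNU tar (Linux) decompresses itself via the z flag.
        listing=$(tar zxvf "$archive" 2>&1) || return 1
    else
        # Other UNIX tars: gzip decompresses to a pipe, tar reads stdin.
        # Unlike "gzip -d ARCHIVE", this leaves the archive in place.
        listing=$(gzip -dc "$archive" | tar xvf - 2>&1) || return 1
    fi

    # The first entry of the listing, minus BSD tar's "x " prefix and
    # anything after the first path separator, is the unpacked directory.
    dir=$(printf '%s\n' "$listing" | head -n 1 | sed 's/^x //; s#/.*##')
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}
```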
Building and Installing Wireshark 2.5. Installing the binaries under UNIX In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld. 2.5.1.
Building and Installing Wireshark 2.6. Troubleshooting during the install on Unix A number of errors can occur during the installation process. Some hints on solving these are provided here. If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problem.
2.7. Building from source under Windows It is recommended to use the binary installer for Windows, unless you want to start developing Wireshark on the Windows platform. For further information on how to build Wireshark for Windows from the sources, have a look at the Development Wiki: http://wiki.wireshark.org/Development for the latest available development documentation.
2.8. Installing Wireshark under Windows In this section we explore installing Wireshark under Windows from the binary packages. 2.8.1. Install Wireshark You may acquire a binary installer of Wireshark named something like: wireshark-setup-x.y.z.exe. The Wireshark installer includes WinPcap, so you don't need to download and install two separate packages. Simply download the Wireshark installer from: http://www.wireshark.org/download.html#releases and execute it.
• Capinfos - Capinfos is a program that provides information on capture files. • User's Guide - Local installation of the User's Guide. The Help buttons on most dialogs will require an internet connection to show help pages if the User's Guide is not installed locally. 2.8.1.2. "Additional Tasks" page • Start Menu Shortcuts - add some start menu shortcuts. • Desktop Icon - add a Wireshark icon to the desktop.
stall, otherwise use defaults / user settings. • /D sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDirRegKey. It must be the last parameter used in the command line and must not contain any quotes, even if the path contains spaces. Example:
    wireshark-setup-0.99.5.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo
2.8.2.
You can uninstall Wireshark the usual way, using the "Add or Remove Programs" option inside the Control Panel. Select the "Wireshark" entry to start the uninstallation procedure. The Wireshark uninstaller will provide several options for which things are to be uninstalled; the default is to remove the core components but keep the personal settings, WinPcap and the like. WinPcap won't be uninstalled by default, as programs other than Wireshark may use it as well. 2.8.6.
Chapter 3. User Interface 3.1. Introduction By now you have installed Wireshark and are most likely keen to get started capturing your first packets. In the next chapters we will explore: • How the Wireshark user interface works • How to capture packets in Wireshark • How to view packets in Wireshark • How to filter packets in Wireshark • ...
User Interface 3.2. Start Wireshark You can start Wireshark from your shell or window manager. Tip! When starting Wireshark it's possible to specify optional settings using the command line. See Section 9.2, “Start Wireshark from the command line” for details. Note! In the following chapters, a lot of screenshots from Wireshark will be shown. As Wireshark runs on many different platforms and there are different versions of the underlying GUI toolkit (GTK 1.x / 2.
3.3. The Main window Let's look at Wireshark's user interface. Figure 3.1, “The Main window” shows Wireshark as you would usually see it after some packets have been captured or loaded (how to do this will be described later). Figure 3.1. The Main window Wireshark's main window consists of parts that are commonly known from many other GUI programs. 1. The menu (see Section 3.4, “The Menu”) is used to start actions. 2. The main toolbar (see Section 3.
User Interface 7. The statusbar (see Section 3.18, “The Statusbar”) shows some detailed information about the current program state and the captured data. Tip! The layout of the main window can be customized by changing preference settings. See Section 9.5, “Preferences” for details! 3.3.1. Main Window Navigation Packet list and detail navigation can be done entirely from the keyboard. Table 3.1, “Keyboard Navigation” shows a list of keystrokes that will let you quickly move around a capture file.
User Interface 3.4. The Menu The Wireshark menu sits on top of the Wireshark window. An example is shown in Figure 3.2, “The Menu”. Note! Menu items will be greyed out if the corresponding feature isn't available. For example, you cannot save a capture file if you didn't capture or load any data before. Figure 3.2. The Menu It contains the following items: File This menu contains items to open and merge capture files, save / print / export capture files in whole or in part, and to quit from Wireshark.
3.5. The "File" menu The Wireshark file menu contains the fields shown in Table 3.2, “File menu items”. Figure 3.3. The "File" Menu Table 3.2. File menu items
Open... (Ctrl+O): This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.
Open Recent: This menu item shows a submenu containing the recently opened capture files.
Save (Ctrl+S): This menu item saves the current capture. If you have not set a default capture file name (perhaps with the -w option), Wireshark pops up the Save Capture File As dialog box (which is discussed further in Section 5.3.1, “The "Save Capture File As" dialog box”). Note! If you have already saved the current capture, this menu item will be greyed out. Note! You cannot save a live capture while it is in progress.
Export > as "PSML" file...: This menu item allows you to export all (or some) of the packets in the capture file to a PSML (packet summary markup language) XML file. It pops up the Wireshark Export dialog box (which is discussed further in Section 5.6.4, “The "Export as PSML File" dialog box”).
Export > as "PDML" file...
3.6. The "Edit" menu The Wireshark Edit menu contains the fields shown in Table 3.3, “Edit menu items”. Figure 3.4. The "Edit" Menu Table 3.3. Edit menu items
Copy > As Filter (Shift+Ctrl+C): This menu item will use the selected item in the detail view to create a display filter. This display filter is then copied to the clipboard.
Find Packet... (Ctrl+F): This menu item brings up a dialog box that allows you to find a packet by many criteria.
... Section 6.9, “Marking packets” for details.
Find Next Mark (Shift+Ctrl+N): Find the next marked packet.
Find Previous Mark (Shift+Ctrl+B): Find the previous marked packet.
Mark All Packets: This menu item "marks" all packets.
Unmark All Packets: This menu item "unmarks" all marked packets.
Set Time Reference (toggle) (Ctrl+T): This menu item sets a time reference on the currently selected packet. See Section 6.10.
Find Next Reference
3.7. The "View" menu The Wireshark View menu contains the fields shown in Table 3.4, “View menu items”. Figure 3.5. The "View" Menu Table 3.4. View menu items
Main Toolbar: This menu item hides or shows the main toolbar, see Section 3.13, “The "Main" toolbar”.
Filter Toolbar: This menu item hides or shows the filter toolbar, see Section 3.14, “The "Filter" toolbar”.
Statusbar: This menu item hides or shows the statusbar, see Section 3.18, “The Statusbar”.
Packet Bytes: This menu item hides or shows the packet bytes pane, see Section 3.17, “The "Packet Bytes" pane”.
Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456: Selecting this tells Wireshark to display the time stamps in date and time of day format, see Section 6.10, “Time display formats and time references”.
...seconds: 0....: precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see Section 6.10, “Time display formats and time references”.
Name Resolution > Resolve Name: This item allows you to trigger a name resolve of the current packet only, see Section 7.6, “Name Resolution”.
...panded when you display a packet. This menu item expands all subtrees in all packets in the capture.
Collapse All: This menu item collapses the tree view of all packets in the capture list.
Coloring Rules...: This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see Section 9.3, “Packet colorization”.
3.8. The "Go" menu The Wireshark Go menu contains the fields shown in Table 3.5, “Go menu items”. Figure 3.6. The "Go" Menu Table 3.5. Go menu items
Back (Alt+Left): Jump to the recently visited packet in the packet history, much like the page history in a web browser.
Forward (Alt+Right): Jump to the next visited packet in the packet history, much like the page history in a web browser.
Go to Packet...
... move to the previous packet even if the packet list doesn't have keyboard focus.
Next Packet (Ctrl+Down): Move to the next packet in the list. This can be used to move to the next packet even if the packet list doesn't have keyboard focus.
First Packet: Jump to the first packet of the capture file.
Last Packet: Jump to the last packet of the capture file.
3.9. The "Capture" menu The Wireshark Capture menu contains the fields shown in Table 3.6, “Capture menu items”. Figure 3.7. The "Capture" Menu Table 3.6. Capture menu items
Interfaces...: This menu item brings up a dialog box that shows what's going on at the network interfaces Wireshark knows of, see Section 4.4, “The "Capture Interfaces" dialog box”.
Options...
Capture Filters...: This menu item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.
3.10. The "Analyze" menu The Wireshark Analyze menu contains the fields shown in Table 3.7, “Analyze menu items”. Figure 3.8. The "Analyze" Menu Table 3.7. Analyze menu items
Display Filters...: This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.
Apply as Filter > ...
Prepare a Filter > ...
Firewall ACL Rules: This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. It is assumed that the rules will be applied to an outside interface.
Enabled Protocols... (Shift+Ctrl+R)
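As an added illustration of the kind of output the Firewall ACL Rules feature produces (example code written here, not Wireshark's own generator: the rule texts are standard syntax for each product and may differ in detail from what Wireshark emits, the netsh variant is left out, and the IOS list number 101 is an assumption), the following POSIX sh function validates an IPv4 address and TCP port and renders an inbound deny rule for iptables, pf and Cisco IOS:

```shell
#!/bin/sh
# Added example, not Wireshark's code: render a rule that blocks inbound TCP
# traffic from one IPv4 address to one local port in the syntax of three of
# the firewall products named in the Analyze menu. As the guide says of the
# dialog, the rule is assumed to be applied on an outside (inbound) interface.

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# acl_rule PRODUCT ADDR PORT
# PRODUCT is one of: iptables, pf, ios. Prints the deny rule on stdout and
# returns 1 (printing nothing) on an unknown product or invalid input, so a
# typo never turns into a rule that blocks the wrong host.
acl_rule() {
    product=$1 addr=$2 port=$3
    valid_ipv4 "$addr" || { echo "acl_rule: bad IPv4 address: $addr" >&2; return 1; }
    valid_port "$port" || { echo "acl_rule: bad port: $port" >&2; return 1; }
    case $product in
        iptables)
            # Linux Netfilter: drop inbound TCP from ADDR to local PORT.
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j DROP\n' "$addr" "$port" ;;
        pf)
            # OpenBSD pf: block inbound TCP from ADDR to any local address on PORT.
            printf 'block in quick proto tcp from %s to any port %s\n' "$addr" "$port" ;;
        ios)
            # Cisco IOS extended ACL (list number 101 is an assumption).
            printf 'access-list 101 deny tcp host %s any eq %s\n' "$addr" "$port" ;;
        *)
            echo "acl_rule: unknown product: $product" >&2; return 1 ;;
    esac
}
```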
3.11. The "Statistics" menu The Wireshark Statistics menu contains the fields shown in Table 3.8, “Statistics menu items”. Figure 3.9. The "Statistics" Menu All menu items will bring up a new window showing specific statistical information. Table 3.8. Statistics menu items
Summary: Show information about the data captured, see Section 8.2, “The "Summary" window”.
Protocol Hierarchy: Display a hierarchical tree of protocol statistics, see Section 8.
Conversation List: Display a list of conversations, obsoleted by the combined window of Conversations above, see Section 8.5.3, “The protocol specific "Conversation List" windows”.
Endpoint List: Display a list of endpoints, obsoleted by the combined window of Endpoints above, see Section 8.4.3, “The protocol specific "Endpoint List" windows”.
Service Response Time: Display the time between a request and the corresponding response, see Section 8.
3.12. The "Help" menu The Wireshark Help menu contains the fields shown in Table 3.9, “Help menu items”. Figure 3.10. The "Help" Menu Table 3.9. Help menu items
Contents (F1): This menu item brings up a basic help system.
Supported Protocols: This menu item brings up a dialog box showing the supported protocols and protocol fields.
Manual Pages > ...
Wireshark Online > ...
User Interface Note! Calling a Web browser might be unsupported in your version of Wireshark. If this is the case, the corresponding menu items will be hidden. Note! If calling a Web browser fails on your machine, maybe because just nothing happens or the browser is started but no page is shown, have a look at the web browser setting in the preferences dialog.
User Interface 3.13. The "Main" toolbar The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu, if the space on the screen is needed to show even more packet data. As in the menu, only the items useful in the current program state will be available. The others will be greyed out (e.g. you cannot save a capture file if you haven't loaded one). Figure 3.11. The "Main" toolbar Table 3.10.
Close (File/Close): This item closes the current capture. If you have not saved the capture, you will be asked to save it first.
Reload (View/Reload): This item allows you to reload the current capture file.
Print... (File/Print...): This item allows you to print all (or some of) the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in Section 5.7, “Printing packets”).
... More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Display Filters... (Analyze/Display Filters...): This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.
Coloring Rules... (View/Coloring Rules...)
Preferences...
3.14. The "Filter" toolbar The filter toolbar lets you quickly edit and apply display filters. More information on display filters is available in Section 6.3, “Filtering packets while viewing”. Figure 3.12. The "Filter" toolbar Table 3.11. Filter toolbar items
Filter: Brings up the filter construction dialog, described in Figure 6.7, “The "Capture Filters" and "Display Filters" dialog boxes”.
User Interface 3.15. The "Packet List" pane The packet list pane displays all the packets in the current capture file. Figure 3.13. The "Packet List" pane Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns.
User Interface 3.16. The "Packet Details" pane The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. Figure 3.14. The "Packet Details" pane This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed. There is a context menu (right mouse click) available, see details in Figure 6.
User Interface 3.17. The "Packet Bytes" pane The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style. Figure 3.15. The "Packet Bytes" pane As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or . if not appropriate) are displayed.
User Interface 3.18. The Statusbar The statusbar displays informational messages. In general, the left side will show context related information, while the right side will show the current number of packets. Figure 3.17. The initial Statusbar This statusbar is shown while no capture file is loaded, e.g. when Wireshark is started. Figure 3.18.
Chapter 4. Capturing Live Network Data 4.1. Introduction Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features: • Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...). • Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets. • Simultaneously show decoded packets while continuing to capture.
Capturing Live Network Data 4.2. Prerequisites Setting up Wireshark to capture packets for the first time can be tricky. Tip! A comprehensive guide "How To setup a Capture" is available at: http://wiki.wireshark.org/CaptureSetup. Here are some common pitfalls: • You need to have root / Administrator privileges to start a live capture. • You need to choose the right network interface to capture packet data from.
4.3. Start Capturing One of the following methods can be used to start capturing packets with Wireshark: • You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box, see Figure 4.1, “The "Capture Interfaces" dialog box”. You can start a capture from this dialog box, using (one of) the "Capture" button(s). • You can start capturing using the "Capture Options" dialog box, see Figure 4.2, “The "Capture Options" dialog box”.
Capturing Live Network Data 4.4. The "Capture Interfaces" dialog box When you select "Interfaces..." from the Capture menu, Wireshark pops up the "Capture Interfaces" dialog box as shown in Figure 4.1, “The "Capture Interfaces" dialog box”. Warning! As the "Capture Interfaces" dialog is showing live captured data, it is consuming a lot of system resources. Close this dialog as soon as possible to prevent excessive system load. Note! This dialog box will only show the local interfaces Wireshark knows of.
Capturing Live Network Data 4.5. The "Capture Options" dialog box When you select Start... from the Capture menu (or use the corresponding item in the "Main" toolbar), Wireshark pops up the "Capture Options" dialog box as shown in Figure 4.2, “The "Capture Options" dialog box”. Figure 4.2. The "Capture Options" dialog box Tip! If you are unsure which options to choose in this dialog box, just try keeping the defaults as this should work well in many cases.
Capturing Live Network Data drop-down list, so simply click on the button on the right hand side and select the interface you want. It defaults to the first non-loopback interface that supports capturing, and if there are none, the first loopback interface. On some systems, loopback interfaces cannot be used for capturing (loopback interfaces are not available on Windows platforms). This field performs the same function as the -i command line option.
CPU time is required for copying packets, less buffer space is required for packets, and thus perhaps fewer packets will be dropped if traffic is very heavy. • Capture Filter If you don't capture all of the data in a packet, you might find that the packet data you want is in the part that's dropped, or that reassembly isn't possible as the data required for reassembly is missing. This field allows you to specify a capture filter.
... after n minute(s) Stop capturing after the given number of second(s)/minute(s)/hour(s)/day(s) have elapsed. 4.5.4. Display Options frame Update list of packets in real time This option allows you to specify that Wireshark should update the packet list pane in real time. If you do not specify this, Wireshark does not display any packets until you stop the capture.
4.6. Capture files and file modes While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into the capture file(s) the user specified. Different modes of operation are available when saving this packet data to the capture file(s). Tip! Working with large files (several hundred MB) can be quite slow.
Single named file A single capture file will be used. If you want to place the new capture file in a specific folder, choose this mode. Multiple files, continuous Like the "Single named file" mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the "Next file every ..." values).
4.7. Link-layer header type In the usual case, you won't have to choose this link-layer header type. The following paragraphs describe the exceptional cases, where selecting this type is possible, so you will have a guide of what to do: If you are capturing on an 802.11 device on some versions of BSD, this might offer a choice of "Ethernet" or "802.11". "Ethernet" will cause the captured packets to have fake Ethernet headers; "802.11" will cause them to have IEEE 802.11 headers.
4.8. Filtering while capturing Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent. Tip! You will find a lot of Capture Filter examples at http://wiki.wireshark.org/CaptureFilters. You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown in Figure 4.2, “The "Capture Options" dialog box”.
present, packets where the specified address appears in either the source or destination address will be selected. gateway <host> This primitive allows you to filter on packets that used <host> as a gateway. That is, where the Ethernet source or destination was <host> but neither the source nor destination IP address was <host>. [src|dst] net <net> [{mask <mask>}|{len <len>}] This primitive allows you to filter on network numbers.
DISPLAY (x11) [remote name]: SESSIONNAME (terminal server)
4.9. While a Capture is running ... While a capture is running, the following dialog box is shown: Figure 4.3. The "Capture Info" dialog box This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed. Tip! This Capture Info dialog box can be hidden, using the "Hide capture info dialog" option in the Capture Options dialog box. 4.9.1.
Note! The Capture Info dialog box might be hidden, if the option "Hide capture info dialog" is used. 2. Using the menu item "Capture/ Stop". 3. Using the toolbar item "Stop". 4. Pressing the accelerator keys: Ctrl+E. 5. The capture will be automatically stopped, if one of the Stop Conditions is exceeded, e.g. the maximum amount of data was captured. 4.9.2.
Chapter 5. File Input / Output and Printing 5.1. Introduction This chapter will describe input and output of capture data.
5.2. Open capture files Wireshark can read in previously saved capture files. To read them, simply select the menu or toolbar item: "File/ Open". Wireshark will then pop up the File Open dialog box, which is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”. It's convenient to use drag-and-drop! ... to open a file, by simply dragging the desired file from your file manager and dropping it onto Wireshark's main window.
Save a lot of time on huge capture files! You can change the display filter and name resolution settings later while viewing the packets. However, for huge capture files it can take a significant amount of extra time changing these settings later, so in such situations it can be a good idea to set at least the filter in advance here. Table 5.1. The system specific "Open Capture File" dialog box Microsoft Windows (GTK2 installed) Figure 5.1.
Windows (GTK1 installed) Figure 5.3. "Open" - old GTK version This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions. Specific for this dialog: • If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Ok" button. 5.2.2.
• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities • the text output from the DBS Etherwatch VMS utility • Visual Networks' Visual UpTime traffic capture • the output from CoSine L2 debug • the output from Accellent's 5Views LAN agents • Endace Measurement Systems' ERF format captures • Linux Bluez Bluetooth stack hcidump -w traces • Catapult DCT2000 .
5.3. Saving captured packets You can save captured packets simply by using the Save As... menu item from the File menu under Wireshark. You can choose which packets to save and which file format to be used. Saving may reduce the available information! Saving the captured packets will slightly reduce the amount of information, e.g. the number of dropped packets will be lost, see Section A.1, “Capture Files” for details. 5.3.1.
Unix/Linux: GTK version < 2.4 / Microsoft Windows (GTK1 installed) Figure 5.6. "Save" - old GTK version This is the file save dialog of former Gimp/GNOME versions - plus some Wireshark extensions. With this dialog box, you can perform the following actions: 1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system. 2. Select the directory to save the file into.
3. Select the range of the packets to be saved, see Section 5.8, “The Packet Range frame” 4. Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from the types described in Section 5.3.2, “Output File Formats”. The selection of capture formats may be reduced! Some capture formats may not be available, depending on the packet types captured.
Third party protocol analyzers may require specific file extensions! Other protocol analyzers than Wireshark may require that the file has a certain file extension in order to read the files you generate with Wireshark, e.g.: ".
5.4. Merging capture files Sometimes you need to merge several capture files into one. For example, this can be useful if you have captured from multiple interfaces simultaneously (e.g. using multiple instances of Wireshark). Merging capture files can be done in three ways: • Use the menu item "Merge" from the "File" menu, to open the merge dialog, see Section 5.4.1, “The "Merge with Capture File" dialog box”.
Unix/Linux: GTK version >= 2.4 Figure 5.8. "Merge" - new GTK version This is the common Gimp/GNOME file open dialog - plus some Wireshark extensions. Unix/Linux: GTK version < 2.4 / Microsoft Windows (GTK1 installed) Figure 5.9. "Merge" - old GTK version This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions.
5.5. File Sets When using the "Multiple Files" option while doing a capture (see: Section 4.6, “Capture files and file modes”), the capture data is spread over several capture files, called a file set. As it can become tedious to work with a file set by hand, Wireshark provides some features to handle these file sets in a convenient way.
Each line contains information about a file of the file set: • Filename the name of the file. If you click on the filename (or the radio button to the left of it), the current file will be closed and the corresponding capture file will be opened.
5.6. Exporting data Wireshark provides several ways and formats to export packet data. This section describes general ways to export data from Wireshark. Note! There are more specialized functions to export specific data, which will be described at the appropriate places. XXX - add detailed descriptions of the output formats and some sample output, too. 5.6.1.
Tip! You can easily convert PostScript files to PDF files using ghostscript. For example: export to a file named foo.ps and then call: ps2pdf foo.ps Figure 5.12. The "Export as PostScript File" dialog box • Export to file: frame chooses the file to export the packet data to. • The Packet Range frame is described in Section 5.8, “The Packet Range frame”. • The Packet Details frame is described in Section 5.9, “The Packet Format frame”. 5.6.3.
Export packet data into PSML. This is an XML based format including only the packet summary. The PSML file specification is available at: http://www.nbee.org/Docs/NetPDL/PSML.htm. Figure 5.13. The "Export as PSML File" dialog box • Export to file: frame chooses the file to export the packet data to. • The Packet Range frame is described in Section 5.8, “The Packet Range frame”.
• Export to file: frame chooses the file to export the packet data to. • The Packet Range frame is described in Section 5.8, “The Packet Range frame”. There's no such thing as a packet details frame for PDML export, as the packet format is defined by the PDML specification. 5.6.6. The "Export selected packet bytes" dialog box Export the bytes selected in the "Packet Bytes" pane into a raw binary file. Figure 5.15.
• Name: the filename to export the packet data to. • The Save in folder: field lets you select the folder to save to (from some predefined folders). • Browse for other folders provides a flexible way to choose a folder. 5.6.7.
Columns: • Packet num: The packet number in which this object was found. In some cases, there can be multiple objects in the same packet. • Hostname: The hostname of the server that sent the object as a response to an HTTP request. • Content Type: The HTTP content type of this object. • Bytes: The size of this object in bytes. • Filename: The final part of the URI (after the last slash).
5.7. Printing packets To print packets, select the "Print..." menu item from the File menu. When you do this, Wireshark pops up the Print dialog box as shown in Figure 5.17, “The "Print" dialog box”. 5.7.1. The "Print" dialog box Figure 5.17. The "Print" dialog box The following fields are available in the Print dialog box: Printer This field contains a pair of mutually exclusive radio buttons: • Plain Text specifies that the packet print should be in plain text.
Note! These Print command fields are not available on Windows platforms. This field specifies the command to use for printing. It is typically lpr. You would change it to specify a particular queue if you need to print to a queue other than the default. An example might be: lpr -Pmypostscript This field is greyed out if Output to file: is checked above. Packet Range Select the packets to be printed, see Section 5.
5.8. The Packet Range frame The packet range frame is a part of various output related dialog boxes. It provides options to select which packets should be processed by the output function. Figure 5.18. The "Packet Range" frame If the Captured button is set (default), all packets from the selected rule will be processed. If the Displayed button is set, only the currently displayed packets are taken into account for the selected rule.
5.9. The Packet Format frame The packet format frame is a part of various output related dialog boxes. It provides options to select which parts of a packet should be used for the output function. Figure 5.19. The "Packet Format" frame • Packet summary line enable the output of the summary line, just as in the "Packet List" pane. • Packet details enable the output of the packet details tree.
Chapter 6. Working with captured packets 6.1. Viewing packets you have captured Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.
Figure 6.2.
6.2. Pop-up menus You can bring up a pop-up menu over either the "Packet List", "Packet Details" or "Packet Bytes" pane by clicking your right mouse button in the corresponding pane. 6.2.1. Pop-up menu of the "Packet List" pane Figure 6.3. Pop-up menu of the "Packet List" pane The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item. Table 6.1.
Item | Identical to main menu's item | Description
...ter formation from the selected packet. E.g. the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. XXX - add a new section describing this better.
SCTP | - | XXX - add an explanation of this.
Follow TCP Stream | Analyze | Allows you to view all the data on a TCP stream between a pair of nodes.
Follow SSL Stream | Analyze | Same as "Follow TCP Stream" but for SSL.
6.2.2. Pop-up menu of the "Packet Details" pane Figure 6.4. Pop-up menu of the "Packet Details" pane The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item. Table 6.2. The menu items of the "Packet Details" pop-up menu
Item | Identical to main menu's item | Description
Expand Subtrees | View | Expand the currently selected subtree.
Item | Identical to main menu's item | Description
Copy/Bytes (Offset Hex Text), Copy/Bytes (Offset Hex), Copy/Bytes (Printable Text Only), Copy/Bytes (Hex Stream), Copy/Bytes (Binary Stream): Copy the packet bytes to the clipboard in hexdump-like format; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
Item | Identical to main menu's item | Description
...ences... The menu item takes you to the properties dialog and selects the page corresponding to the protocol if there are properties associated with the highlighted field. More information on preferences can be found in Figure 9.8, “The preferences dialog box”.
Decode As... | Analyze | Change or apply a new relation between two dissectors.
6.3. Filtering packets while viewing Wireshark has two filtering languages: One used when capturing packets, and one used when displaying packets. In this section we explore that second type of filter: Display filters. The first one has already been dealt with in Section 4.8, “Filtering while capturing”. Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones.
As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so the first packet shown is now packet number 11. Note! When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content! You can filter on any protocol that Wireshark understands.
6.4. Building display filter expressions Wireshark provides a simple but powerful display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this. Tip! You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter page at http://wiki.wireshark.org/DisplayFilters. 6.4.1.
English | C-like | Description and example
ge | >= | Greater than or equal to: frame.pkt_len ge 0x100
le | <= | Less than or equal to: frame.pkt_len <= 0x20
In addition, all protocol fields are typed. Table 6.4, “Display Filter Field Types” provides a list of the types and examples of how to express them. Table 6.4. Display Filter Field Types
Type | Example
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) | You can express integers in decimal, octal, or hexadecimal.
You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5, “Display Filter Logical Operations”. Table 6.5. Display Filter Logical Operations
English | C-like | Description and example
and | && | Logical AND: ip.addr==10.0.0.5 and tcp.flags.fin
or | || | Logical OR: ip.addr==10.0.0.5 or ip.addr==192.1.1.1
xor | ^^ | Logical XOR: tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not | ! | Logical NOT: not llc [...
English | C-like | Description and example
eth.src[2] == 83 The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1.
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83 Wireshark allows you to string together single ranges in a comma separated list to form compound ranges as shown above. 6.4.4.
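As an added example that is not part of the guide (Wireshark's own implementation of this syntax is in C, inside its filter engine), the following Python script interprets the single and compound range forms described above and checks the guide's eth.src compound-range example against the source address 00:00:83:00:20:20 used elsewhere in the guide. Function and variable names are my own.

```python
"""Added example, not code from the Wireshark User's Guide or from Wireshark:
an interpreter for the byte-slice ("range") syntax of display filters, so the
compound-range example above can be checked by hand.

Single ranges (offsets are zero-based):
  n      one byte at offset n (equivalent to n:1)
  n:m    m bytes starting at offset n
  n-m    bytes from offset n through offset m, inclusive
  :m     the first m bytes (equivalent to 0:m)
  n:     everything from offset n to the end of the field
A comma separated list of single ranges is a compound range; the selected
pieces are concatenated in the order written.
"""
import re

# start, optional separator (":" or "-"), optional second number
_SINGLE = re.compile(r"^(\d*)(?:([:-])(\d*))?$")


def parse_hex(text):
    """Convert Wireshark's colon-separated byte notation (00:00:83:00:20:20) to bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def format_hex(data):
    """Render bytes back in colon-separated hex notation."""
    return ":".join(f"{b:02x}" for b in data)


def slice_one(data, spec):
    """Apply one single-range expression to data and return the selected bytes."""
    m = _SINGLE.match(spec.strip())
    if not m or (m.group(1) == "" and m.group(2) is None):
        raise ValueError(f"bad range syntax: {spec!r}")
    start, sep, second = m.groups()
    if sep is None:
        # "n" selects the single byte at offset n, the same as n:1.
        offset = int(start)
        return data[offset:offset + 1]
    if sep == ":":
        # "n:m" is offset plus length; ":m" starts at 0; "n:" runs to the end.
        offset = int(start) if start else 0
        return data[offset:] if second == "" else data[offset:offset + int(second)]
    # "n-m" is an inclusive offset range; both ends are required.
    if start == "" or second == "":
        raise ValueError(f"incomplete range: {spec!r}")
    lo, hi = int(start), int(second)
    if hi < lo:
        raise ValueError(f"inverted range: {spec!r}")
    return data[lo:hi + 1]


def slice_field(data, compound):
    """Apply a compound range and concatenate the pieces in order."""
    return b"".join(slice_one(data, part) for part in compound.split(","))


def matches(field_value, compound, expected):
    """Evaluate 'field[compound] == expected' as the display filter would,
    with both sides given in colon-separated hex."""
    return slice_field(parse_hex(field_value), compound) == parse_hex(expected)


if __name__ == "__main__":
    # Constructed sample value: the source MAC used in the guide's own examples.
    src = "00:00:83:00:20:20"
    print(format_hex(slice_field(parse_hex(src), "0:3,1-2,:4,4:,2")))
```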
6.5. The "Filter Expression" dialog box When you are accustomed to Wireshark's filtering system and know what labels you wish to use in your filters, it can be very quick to simply type a filter string. However, if you are new to Wireshark or are working with a slightly unfamiliar protocol, it can be very confusing to try to figure out what to type. The Filter Expression dialog box helps with this.
Value You may enter an appropriate value in the Value text box. The Value will also indicate the type of value for the field name you have selected (like character string). Predefined values Some of the protocol fields have predefined values available, much like enums in C. If the selected protocol field has such values defined, you can choose one of them here.
6.6. Defining and saving filters You can define filters with Wireshark and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use. To define a new filter or edit an existing one, select the Capture Filters... menu item from the Capture menu or the Display Filters... menu item from the Analyze menu. Wireshark will then pop up the Filters dialog as shown in Figure 6.
New This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If any of these fields are empty, it will be set to "new". Delete This button deletes the selected filter. It will be greyed out, if no filter is selected. Filter You can select a filter from this list (which will fill in the filter name and filter string in the fields down the bottom of the dialog box).
6.7. Finding packets You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet... menu item from the Edit menu. Wireshark will pop up the dialog box shown in Figure 6.8, “The "Find Packet" dialog box”. 6.7.1. The "Find Packet" dialog box Figure 6.8.
You can choose the direction to be searched for: • Up Search upwards in the packet list (decreasing packet numbers). • Down Search downwards in the packet list (increasing packet numbers). 6.7.2. The "Find Next" command "Find Next" will continue searching with the same options as in the last "Find Packet" run. 6.7.3. The "Find Previous" command "Find Previous" will do the same thing as "Find Next", but with reverse search direction.
6.8. Go to a specific packet You can easily jump to specific packets with one of the menu items in the Go menu. 6.8.1. The "Go Back" command Go back in the packet history, works much like the page history in current web browsers. 6.8.2. The "Go Forward" command Go forward in the packet history, works much like the page history in current web browsers. 6.8.3. The "Go to Packet" dialog box Figure 6.9.
6.9. Marking packets You can mark packets in the "Packet List" pane. A marked packet will be shown with a black background, regardless of the coloring rules set. Marking a packet can be useful to find it later while analyzing a large capture file. Warning! The packet marks are not stored in the capture file or anywhere else, so all packet marks will be lost if you close the capture file.
6.10. Time display formats and time references While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis. A detailed description of timestamps, timezones and the like can be found at: Section 7.3, “Time Stamps”. The timestamp presentation format and the precision in the packet list can be chosen using the View menu, see Figure 3.5, “The "View" Menu”.
Note! Time referencing will only be useful if the time display format is set to "Seconds Since Beginning of Capture". If one of the other time display formats is used, time referencing will have no effect (and will make no sense either). To work with time references, choose one of the "Time Reference" items in the "Edit" menu, see Section 3.6, “The "Edit" menu”, or from the pop-up menu of the "Packet List" pane.
Chapter 7. Advanced Topics 7.1. Introduction In this chapter some of the advanced features of Wireshark will be described.
7.2. Following TCP streams If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream. If so, Wireshark's ability to follow a TCP stream will be useful to you.
length) and CRNL conversions? The stream content won't be updated while doing a live capture. To get the latest content you'll have to reopen the dialog. You can choose from the following actions: 1. Save As Save the stream data in the currently selected format. 2. Print Print the stream data in the currently selected format. 3. Direction Choose the stream direction to be displayed ("Entire conversation", "data from A to B only" or "data from B to A only"). 4.
7.3. Time Stamps Time stamps, their precisions and all that can be quite confusing. This section will provide you with information about what's going on while Wireshark processes time stamps. While packets are captured, each packet is time stamped as it comes in. These time stamps will be saved to the capture file, so they also will be available for (later) analysis.
inaccurate.
7.4. Time Zones If you travel across the planet, time zones can be confusing. If you get a capture file from somewhere around the world time zones can even be a lot more confusing ;-) First of all, there are two reasons why you may not need to think about time zones at all: • You are only interested in the time differences between the packet time stamps and don't need to know the exact date and time of the captured packets (which is often the case).
7.4.1. Set your computer's time correctly! If you work with people around the world, it's very helpful to set your computer's time and time zone right. You should set your computer's time and time zone in the correct sequence: 1. Set your time zone to your current location 2. Set your computer's clock to the local time This way you will tell your computer both the local time and also the time offset to UTC.
Table 7.1. Time zone examples for UTC arrival times (without DST)
                             Los Angeles  New York  Madrid  London  Berlin  Tokyo
Capture File (UTC)           10:00        10:00     10:00   10:00   10:00   10:00
Local Offset to UTC          -8           -5        -1      0       +1      +9
Displayed Time (Local Time)  02:00        05:00     09:00   10:00   11:00   19:00
An example: Let's assume that someone in Los Angeles captured a packet with Wireshark at exactly 2 o'clock local time and sends you this capture file.
7.5. Packet Reassembling 7.5.1. What is it? Network protocols often need to transport large chunks of data, which are complete in themselves, e.g. when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation of the network packet size), or is stream-based like TCP, which doesn't know data chunks at all. In that case the network protocol has to handle the chunk boundaries itself and (if required) spread the data over multiple packets.
2. the higher level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble fragmented protocol data. This too can often be enabled or disabled via the protocol preferences. The tooltip of the higher level protocol setting will notify you if and which lower level protocol setting has to be considered too.
7.6. Name Resolution Name resolution tries to resolve some of the numerical address values into a human readable format. There are two possible ways to do these conversions, depending on the resolution to be done: calling system/network services (like the gethostname function) and/or evaluating Wireshark specific configuration files. For details about the configuration files Wireshark uses for name resolution and the like, see Appendix A, Files and Folders.
7.6.3. IP name resolution (network layer) Try to resolve an IP address (e.g. 216.239.37.99) to something more "human readable". DNS/ADNS name resolution (system/library service) Wireshark will ask the operating system (or the ADNS library) to convert an IP address to the hostname associated with it (e.g. 216.239.37.99 > www.1.google.com). The DNS service uses synchronous calls to the DNS server, so Wireshark will stop responding until a response to a DNS request is returned.
7.7. Checksums Several network protocols use checksums to ensure data integrity. Tip! Applying checksums as described here is also known as redundancy check. What are checksums for? Checksums are used to ensure the integrity of data portions for data transmission or storage. A checksum is basically a calculated summary of such a data portion. Network data transmissions often produce errors, such as toggled, missing or duplicated bits.
7.7.2. Checksum offloading The checksum calculation might be done by the network driver, protocol driver or even in hardware. For example: The Ethernet transmitting hardware calculates the Ethernet CRC32 checksum and the receiving hardware validates this checksum. If the received checksum is wrong Wireshark won't even see the packet, as the Ethernet hardware internally throws away the packet.
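As an added example that is not part of the guide: the one's complement checksum (RFC 1071) carried by IPv4, TCP and UDP headers, computed and verified in Python over a constructed IPv4 header. It shows what Wireshark's checksum validation is actually checking, that a toggled bit is detected, and why a packet captured on the sending host with checksum offloading (the field still zero when libpcap sees it) is reported as bad. The addresses are taken from the filter examples in this guide; the function names are my own.

```python
"""Added example, not code from the Wireshark User's Guide or from Wireshark:
the RFC 1071 one's complement checksum over a constructed IPv4 header, to
illustrate Section 7.7 (checksum validation and checksum offloading).
"""
import struct


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry; an odd trailing byte
    is padded with a zero byte, as RFC 1071 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header):
    """Checksum of an IPv4 header, computed with its checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify_ipv4_header(header):
    """True when the stored checksum matches the header contents: summing the
    whole header including the checksum field yields 0xFFFF when it is valid."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=6, ident=0x1C46,
                      fill_checksum=True):
    """Construct a minimal 20-byte IPv4 header (no options) for a TCP packet.
    src/dst are dotted-quad strings.  With fill_checksum=False the field is
    left at zero, which is what a capture taken on the sender shows when the
    network hardware fills the checksum in later (checksum offloading)."""
    total_len = 20 + payload_len
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    if fill_checksum:
        header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header


def flip_bit(data, bit_index):
    """Toggle one bit (MSB-first numbering), simulating the transmission error
    the guide mentions."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample packet: TCP between the two addresses used in Table 6.5.
    hdr = build_ipv4_header("10.0.0.5", "192.1.1.1", payload_len=20)
    print("checksum 0x%04x valid=%s" % (ipv4_checksum(hdr), verify_ipv4_header(hdr)))
    # A single toggled bit (here in the TTL byte) is caught by the receiver.
    print("after a toggled bit valid=%s" % verify_ipv4_header(flip_bit(hdr, 70)))
    # Sender-side capture with offloading: the field is still zero, so it looks bad.
    offloaded = build_ipv4_header("10.0.0.5", "192.1.1.1", 20, fill_checksum=False)
    print("sender-side capture with offloading valid=%s" % verify_ipv4_header(offloaded))
```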
Chapter 8. Statistics 8.1. Introduction Wireshark provides a wide range of network statistics. These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured). • General statistics: • Summary about the capture file. • Protocol Hierarchy of the captured packets. • Endpoints e.g. traffic to and from an IP address. • Conversations e.
8.2. The "Summary" window General statistics about the current capture file. Figure 8.1.
• File general information about the capture file. • Time the timestamps when the first and the last packet were captured (and the time between them). • Capture information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file). • Display some display related information. • Traffic some statistics of the network traffic seen. If a display filter is set, you will see values in both columns.
8.3. The "Protocol Hierarchy" window The protocol hierarchy of the captured packets. Figure 8.2. The "Protocol Hierarchy" window This is a tree of all the protocols in the capture. You can collapse or expand subtrees, by clicking on the plus / minus icons. By default, all trees are expanded. Each row contains the statistical values of one protocol.
Note! Packets will usually contain multiple protocols, so more than one protocol will be counted for each packet. Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together much more than 100%). Note! Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not sum up to the protocol's packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less.
8.4. Endpoints Statistics of the endpoints captured. Tip! If you are looking for a feature other network tools call a hostlist, here is the right place to look. The list of Ethernet or IP endpoints is usually what you're looking for. 8.4.1. What is an Endpoint? A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer.
For each supported protocol, a tab is shown in this window. The tab labels show the number of endpoints captured (e.g. the tab label "Ethernet: 5" tells you that five Ethernet endpoints have been captured). If no endpoints of a specific protocol were captured, the tab label will be grayed out (although the related page can still be selected). Each row in the list shows the statistical values for exactly one endpoint.
8.5. Conversations Statistics of the captured conversations. 8.5.1. What is a Conversation? A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses. The description of the known endpoint types can be found in Section 8.4.1, “What is an Endpoint?”. 8.5.2. The "Conversations" window Beside the list content, the conversations window works the same way as the endpoint ones, see Section 8.4.
8.6. The "IO Graphs" window User configurable graph of the captured network packets. You can define up to five differently colored graphs. Figure 8.5.
• Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
• Scale: the scale for the y unit (10, 20, 50, 100, 200, 500, ...)
XXX - describe the Advanced feature.
8.7. Service Response Time The service response time is the time between a request and the corresponding response. This information is available for many protocols. Service response time statistics are currently available for the following protocols:
• DCE-RPC
• Fibre Channel
• H.225 RAS
• LDAP
• MGCP
• ONC-RPC
• SMB
As an example, the DCE-RPC service response time is described in more detail.
Figure 8.7. The "DCE-RPC Statistic for ..." window Each row corresponds to a method of the selected interface (so the EPM interface in version 3 has 7 methods). For each method the number of calls and the statistics of the service response time (minimum, maximum and average) are calculated.
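As an added example (not Wireshark's own code), the script below does what a service response time window does for DCE-RPC: it pairs each response with the pending request that has the same call_id on the same conversation, then reports calls, minimum, maximum and average SRT per method (opnum). The PDUs are constructed for the example; they include a call_id reused on a second conversation, an unanswered request and an orphan response, all of which occur in real captures and which a matcher has to cope with.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pdu:
    """One DCE-RPC request or response, as a dissector would hand it over."""
    frame: int            # frame number in the capture
    time: float           # capture timestamp in seconds
    conv: str             # transport conversation (e.g. a TCP 4-tuple) it travelled in
    call_id: int          # DCE-RPC call_id shared by a request and its response
    is_request: bool
    opnum: Optional[int] = None   # method number; only requests carry it


# Constructed sample, not a real trace: call_id 2 is reused on two different
# conversations, request 7 is never answered and frame 8 has no request.
SAMPLE = [
    Pdu(1, 0.000, "A", 1, True, 3),
    Pdu(2, 0.004, "A", 1, False),
    Pdu(3, 0.010, "A", 2, True, 3),
    Pdu(4, 0.010, "B", 2, True, 0),
    Pdu(5, 0.022, "A", 2, False),
    Pdu(6, 0.050, "B", 2, False),
    Pdu(7, 0.060, "A", 3, True, 3),
    Pdu(8, 0.070, "A", 9, False),
]


def pair_requests(pdus):
    """Match each response to the pending request with the same call_id on the
    same conversation (call_ids are only unique per conversation). Returns
    (pairs, unanswered requests, orphan responses)."""
    pending, pairs, orphans = {}, [], []
    for pdu in sorted(pdus, key=lambda p: p.frame):
        key = (pdu.conv, pdu.call_id)
        if pdu.is_request:
            pending[key] = pdu            # a retransmitted request replaces the old one
        elif key in pending:
            pairs.append((pending.pop(key), pdu))
        else:
            orphans.append(pdu)
    return pairs, list(pending.values()), orphans


def service_response_time(pdus):
    """Per-method table like the "DCE-RPC Statistic" window: number of calls
    and minimum, maximum and average response time in seconds. Only matched
    request/response pairs contribute; unanswered calls are not counted."""
    pairs, _, _ = pair_requests(pdus)
    times = defaultdict(list)
    for req, resp in pairs:
        times[req.opnum].append(resp.time - req.time)
    return {op: {"calls": len(t), "min": min(t), "max": max(t), "avg": sum(t) / len(t)}
            for op, t in sorted(times.items())}


if __name__ == "__main__":
    pairs, unanswered, orphans = pair_requests(SAMPLE)
    print("matched:", [(r.frame, s.frame) for r, s in pairs])
    print("unanswered:", [p.frame for p in unanswered], "orphans:", [p.frame for p in orphans])
    for opnum, row in service_response_time(SAMPLE).items():
        print(f"opnum {opnum}: {row['calls']} calls  min {row['min']:.3f}s  "
              f"max {row['max']:.3f}s  avg {row['avg']:.3f}s")
```

Keying the pending table on the conversation as well as the call_id is the important design point: without it, frame 5 would be credited to whichever request happened to be stored last under call_id 2, and the SRT of both methods would be wrong.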
8.8. The protocol specific statistics windows The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document. Some of these statistics are described at the http://wiki.wireshark.org/Statistics pages.
Chapter 9. Customizing Wireshark 9.1. Introduction Wireshark's default behaviour will usually suit your needs pretty well. However, as you become more familiar with Wireshark, it can be customized in various ways to suit your needs even better.
Customizing Wireshark 9.2. Start Wireshark from the command line You can start Wireshark from the command line, and it can also be started from most window managers. In this section we will look at starting it from the command line. Wireshark supports a large number of command line parameters. To see what they are, simply enter the command wireshark -h and the help information shown in Example 9.1, “Help information available from Wireshark” (or something similar) should be printed. Example 9.1.
writing to the next file, until it fills up the last file, at which point it will discard the data in the first file (unless 0 is specified, in which case the number of files is unlimited) and start writing to that file, and so on. If the optional duration is specified, Wireshark will also switch to the next file when the specified number of seconds has elapsed, even if the current file is not completely full.
Network interface names should match one of the names listed in wireshark -D (described above); a number, as reported by wireshark -D, can also be used. If you're using UNIX, netstat -i or ifconfig -a might also work to list interface names, although not all versions of UNIX support the -a flag to ifconfig.
Tip! You can get a list of all available preference strings from the preferences file, see Appendix A, Files and Folders. -p Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason (another process may have enabled it); hence, -p cannot be used to ensure that the only traffic captured is traffic sent to or from the machine on which Wireshark is running, broadcast traffic, and multicast traffic to addresses received by that machine.
-y If a capture is started from the command line with -k, set the data link type to use while capturing packets. The values reported by -L are the values that can be used. -X Specify an option to be passed to a Wireshark module. The eXtension option is in the form extension_key:value, where extension_key can be: lua_script:lua_script_filename Tell Wireshark to load the given script in addition to the default Lua scripts.
9.3. Packet colorization A very useful mechanism available in Wireshark is packet colorization. You can set up Wireshark so that it colorizes packets according to a filter. This allows you to emphasize the packets you are usually interested in. Tip! You will find a lot of Coloring Rule examples at the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules. To colorize packets, select the Coloring Rules...
In the Edit Color dialog box, simply enter a name for the color filter, and enter a filter string in the Filter text field. Figure 9.2, “The "Edit Color Filter" dialog box” shows the value arp in both fields, which means that the name of the color filter is arp and the filter will select all ARP packets. Once you have entered these values, you can choose a foreground and background color for packets that match the filter expression. Click on Foreground color... or Background color...
Figure 9.4, “Using color filters with Wireshark” shows an example of several color filters being used in Wireshark. You may not like the color choices; feel free to choose your own. If you are uncertain which coloring rule actually matched a specific packet, have a look at the [Coloring Rule Name: ...] and [Coloring Rule String: ...] fields in the frame details. Figure 9.4.
9.4. Control Protocol dissection The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g.
To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted. Warning! You have to use the Save button to save your settings. The OK or Apply buttons will not save your changes permanently, so they will be lost when Wireshark is closed. You can choose from the following actions:
1. Enable All Enable all protocols in the list.
2. Disable All Disable all protocols in the list.
3.
5. Apply Apply the changes and keep the dialog box open.
6. Save Save the settings to the disabled_protos file, see Appendix A, Files and Folders for details.
7. Cancel Cancel the changes and close the dialog box.
9.4.2. User Specified Decodes The "Decode As" functionality lets you temporarily divert specific protocol dissections. This might be useful, for example, if you do some uncommon experiments on your network. Figure 9.6.
5. OK Apply the currently selected decode and close the dialog box.
6. Apply Apply the currently selected decode and keep the dialog box open.
7. Cancel Cancel the changes and close the dialog box.
9.4.3. Show User Specified Decodes This dialog box shows the currently active user specified decodes. Figure 9.7. The "Decode As: Show" dialog box
1. OK Close this dialog box.
2. Clear Removes all user specified decodes.
9.5. Preferences There are a number of preferences you can set. Simply select the Preferences... menu item from the Edit menu, and Wireshark will pop up the Preferences dialog box as shown in Figure 9.8, “The preferences dialog box”, with the "User Interface" page as default. On the left side is a tree where you can select the page to be shown. Note! Preference settings are added frequently.
9.6. User Table The User Table editor is used for managing various tables in Wireshark. Its main dialog works very similarly to that of Section 9.3, “Packet colorization”.
9.7. Display Filter Macros Display Filter Macros are a mechanism to create shortcuts for complex filters. For example, defining a display filter macro named tcp_conv whose text is ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) ) would allow you to use a display filter like ${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} instead of typing the whole filter. The arguments are separated by semicolons and are substituted for $1, $2, ... in the order given.
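The following Python function is an added example, not Wireshark's implementation of macros, that performs the substitution described above: it finds each ${name:arg1;arg2;...} invocation, replaces $1, $2, ... in the macro body with the arguments, and rejects unknown macros and wrong argument counts instead of silently producing a filter that matches the wrong traffic. The tcp_conv macro follows the guide's example (with the field names tcp.srcport and tcp.dstport); the to_port macro and the parenthesising of each expansion are this example's own choices.

```python
import re

# ${name:arg1;arg2;...}   macro invocation inside a display filter
MACRO_RE = re.compile(r"\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<args>[^}]*))?\}")
# $1, $2, ...             positional parameters inside a macro body
PARAM_RE = re.compile(r"\$(\d+)")

# Macro table as a user would define it in the Display Filter Macros dialog.
# tcp_conv is the guide's example, to_port is an added one.
MACROS = {
    "tcp_conv": "(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or "
                "(ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)",
    "to_port": "tcp.dstport == $1 or udp.dstport == $1",
}


def expand_macros(filter_text, macros=MACROS):
    """Replace every ${name:args} in filter_text by the macro body with $N
    substituted. Each expansion is wrapped in parentheses (this example's
    choice, so that 'not ${to_port:53}' keeps the intended precedence), and
    an argument count that does not match the body is an error."""
    def substitute(m):
        name = m.group("name")
        if name not in macros:
            raise ValueError(f"unknown display filter macro {name!r}")
        body = macros[name]
        args = m.group("args").split(";") if m.group("args") else []
        expected = max((int(n) for n in PARAM_RE.findall(body)), default=0)
        if len(args) != expected:
            raise ValueError(f"macro {name!r} takes {expected} argument(s), got {len(args)}")
        return "(" + PARAM_RE.sub(lambda p: args[int(p.group(1)) - 1], body) + ")"
    return MACRO_RE.sub(substitute, filter_text)


if __name__ == "__main__":
    print(expand_macros("${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}"))
    print(expand_macros("${to_port:53} and not ${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}"))
```

The expanded text is what Wireshark's filter engine would actually evaluate, which is worth printing when a macro-based filter matches something unexpected: a missing argument or a swapped $3/$4 is much easier to spot in the expansion than in the macro body.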
9.8. Tektronix K12xx/15 RF5 protocols Table The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are used by a certain interface. Wireshark doesn't read these stk files; it uses a table that helps it identify which lowest layer protocol to use. Stk file to protocol matching is handled by a user table (Section 9.6, “User Table”) with the following fields.
9.9. User DLTs protocol table When a pcap file uses one of the user DLTs (147 to 162), Wireshark uses this table to know which protocol(s) to use for each user DLT. This table is handled by a user table (Section 9.6, “User Table”) with the following fields.
encap: one of the user DLTs.
payload_proto: the name of the payload protocol (the lowest layer in the packet data).
header_size: if there is a header protocol (before the payload protocol), the size of this header.
9.10. SNMP users Table Wireshark uses this table to verify authentication and to decrypt encrypted SNMPv3 packets. This table is handled by a user table (Section 9.6, “User Table”) with the following fields. Because the table stores the SNMPv3 authentication and privacy passwords in cleartext in your personal configuration folder, protect that folder as you would any other credential store.
engine_id: if given, this entry will be used only for packets whose engine id is this. This field takes a hexadecimal string in the form 0102030405.
userName: the userName.
Appendix A. Files and Folders A.1. Capture Files To understand which information will remain available after the captured packets are saved to a capture file, it's helpful to know a bit about the capture file contents. Wireshark uses the libpcap file format as the default format to save captured packets. This format has existed for a long time and is pretty simple. However, it has some drawbacks: it's not extensible and lacks some information that would be really helpful (e.g.
Files and Folders
• time references set with "Edit/Time Reference"
• the current display filter
• ...
A.2. Configuration Files and Folders Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas. Tip A list of the folders Wireshark actually uses can be found under the Folders tab in the dialog box that appears when you select About Wireshark from the Help menu.
File/Folder   Description        Unix/Linux folders          Windows folders
plugins                          $HOME/.wireshark/plugins
temp          Temporary files.   Environment: TMPDIR         Environment: TMPDIR or TEMP
Windows folders: %APPDATA% points to the personal configuration folder, e.g.: C:\Documents and Settings\\Application Data (details can be found at: Section A.3.1, “Windows profiles”), %WIRESHARK% points to the Wireshark program folder, e.g.
The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box. colorfilters This file contains all the color filters that you have defined and saved.
hosts Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPv4 and IPv6 addresses into names. This file has the same format as the usual /etc/hosts file on Unix systems. An example is:
# Comments must be prepended by the # sign!
192.168.0.1 homeserver
The settings from this file are read in at program start and never written by Wireshark. ipxnets Wireshark uses the files listed in Table A.
A.3. Windows folders Here you will find some details about the folders used by Wireshark on different Windows versions. As already mentioned, you can find the currently used folders in the About Wireshark dialog. A.3.1. Windows profiles Windows uses some special directories to store user configuration files in, named the user profile.
able will be set by the Windows installer.
Appendix B. Protocols and Protocol Fields Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.
Appendix C. Wireshark Messages Wireshark provides you with additional information generated out of the plain packet data, or it may need to indicate dissection problems. Messages generated by Wireshark are usually placed in square brackets []. C.1. Packet List Messages These messages might appear in the packet list. C.1.1. [Malformed Packet] Malformed packet means that the protocol dissector can't work out the contents of the packet any further. This can have several causes: the packet really is corrupt or truncated, the wrong dissector was chosen for it (see Section 9.4), the packet is a fragment that has not been reassembled, or the dissector has a bug.
Wireshark Messages C.2. Packet Details Messages These messages might appear in the packet details. C.2.1. [Response in frame: 123] The current packet is the request of a detected request/response pair. You can jump directly to the corresponding response packet by double-clicking on this message. C.2.2. [Request in frame: 123] Same as "Response in frame: 123" above, but the other way round. C.2.3. [Time from request: 0.123 seconds] The time between the request and the response packets.
Appendix D. Related command line tools D.1. Introduction Besides the Wireshark GUI application, there are some command line tools which can be helpful for more specialized tasks. These tools will be described in this chapter.
Related command line tools D.2. tshark: Terminal-based Wireshark TShark is a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as Wireshark. For more information on tshark, see the manual pages (man tshark).
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark There are occasions when you want to capture packets using tcpdump rather than Wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture).
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark Dumpcap is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file. Dumpcap's native capture file format is libpcap format, which is also the format used by Wireshark, tcpdump and various other tools.
D.5. capinfos: Print information about capture files Included with Wireshark is a small utility called capinfos, which is a command-line utility to print information about binary capture files. Example D.2.
D.6. editcap: Edit capture files Included with Wireshark is a small utility called editcap, which is a command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as print information about capture files. Example D.3. Help information available from editcap $ editcap.exe -h Editcap 0.99.3 Edit and/or translate the format of capture files.
rawip - Raw IP
arcnet - ARCNET
arcnet_linux - Linux ARCNET
atm-rfc1483 - RFC 1483 ATM
linux-atm-clip - Linux ATM CLIP
lapb - LAPB
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
null - NULL
ascend - Lucent/Ascend access equipment
isdn - ISDN
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ppp-with-direction - PPP with Directional Info
ieee-802-11 - IEEE 802.11 Wireless LAN
prism - IEEE 802.11 plus Prism II monitor mode header
ieee-802-11-radio - IEEE 802.
Where each option has the following meaning:
-r This option specifies that the frames listed should be kept, not deleted. The default is to delete the listed frames.
-h This option provides help.
-v This option specifies verbose operation. The default is silent operation.
-T {encap type} This option specifies the frame encapsulation type to use. It is mainly for converting unusual captures to something that Wireshark can deal with.
D.7. mergecap: Merging multiple capture files into one Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read libpcap capture files, including those of tcpdump.
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
null - NULL
ascend - Lucent/Ascend access equipment
isdn - ISDN
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ppp-with-direction - PPP with Directional Info
ieee-802-11 - IEEE 802.11 Wireless LAN
prism - IEEE 802.11 plus Prism II monitor mode header
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
ieee-802-11-bsd - IEEE 802.11 plus BSD WLAN header
ieee-802-11-avs - IEEE 802.
-s Sets the snapshot length to use when writing the data.
-w Sets the output filename.
-T Sets the packet encapsulation type of the output capture file.
-F Sets the file format of the output capture file.
A simple example merging dhcp-capture.libpcap and imap-1.libpcap into outfile.libpcap is shown below. Example D.5. Simple example of using mergecap $ mergecap -w outfile.libpcap dhcp-capture.libpcap imap-1.
D.8. text2pcap: Converting ASCII hexdumps to network captures There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file. Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets.
-h              : Display this help message
-d              : Generate detailed debug of parser states
-o hex|oct      : Parse offsets as (h)ex or (o)ctal. Default is hex
-l typenum      : Specify link-layer type number. Default is 1 (Ethernet). See net/bpf.h for list of numbers.
-q
-e l3pid
-i proto
-m max-packet
-u srcp,destp
-T srcp,destp
-s srcp,dstp,tag
-S srcp,dstp,ppi
-t timefmt
and destination UDP ports for the packet in decimal. Use this option if your dump is the UDP payload of a packet but does not include any UDP, IP or Ethernet headers. Note that this automatically includes appropriate Ethernet and IP headers with each packet. Example: -u 1000,69 to make the packets look like TFTP/UDP packets.
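The command line tools in this appendix all read or write the libpcap format described in Appendix A.1, which is simple enough to handle directly. The Python script below is an added example, not code from Wireshark, text2pcap, capinfos or mergecap: it writes and parses libpcap files, turns a text2pcap-style hex dump into a capture while prepending the dummy Ethernet, IPv4 and UDP headers that -u srcp,destp adds (with a correct IPv4 header checksum, so that checksum validation in Wireshark passes), computes the capinfos-style summary for the result, and merges two captures in timestamp order as mergecap does. The TFTP hex dump, the timestamps and the MAC/IP addresses are constructed for the example; text2pcap uses its own dummy addresses.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # 24-byte global header, then 16-byte record headers
LINKTYPE_ETHERNET = 1

def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """records: iterable of (timestamp in seconds, frame bytes) -> file contents."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, data in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a libpcap file of either byte order -> (linktype, snaplen, records)."""
    magic = struct.unpack("<I", blob[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a libpcap file (bad magic number)")
    snaplen, linktype = struct.unpack(endian + "II", blob[16:24])
    records, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header")
        sec, usec, caplen, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + caplen]
        if len(data) != caplen:
            raise ValueError("truncated packet data")   # capture cut off mid-packet
        records.append((sec + usec / 1e6, data))
        off += 16 + caplen
    return linktype, snaplen, records

def parse_hexdump(text):
    """text2pcap input: '<hex offset> <hex bytes ...>' lines; offset 0 starts a new packet."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if int(fields[0], 16) == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for tok in fields[1:]:
            if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break                     # trailing ASCII column: stop at first non-hex token
            cur.append(int(tok, 16))
    if cur:
        packets.append(bytes(cur))
    return packets

def ip_checksum(header):
    """RFC 1071 one's-complement sum; over a header with a valid checksum it is 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def wrap_udp(payload, sport, dport, src="10.1.1.1", dst="10.2.2.2"):
    """Prepend dummy Ethernet II/IPv4/UDP headers as 'text2pcap -u sport,dport' does.
    The MAC and IP addresses are placeholders chosen for this example."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]    # fill in the checksum
    return bytes.fromhex("001122334402" "001122334401" "0800") + ip + udp

def text2pcap_udp(hexdump, sport, dport, start=1.0, gap=0.01):
    """Build a capture from a hex dump like 'text2pcap -u sport,dport' (timestamps invented)."""
    return write_pcap((start + i * gap, wrap_udp(p, sport, dport))
                      for i, p in enumerate(parse_hexdump(hexdump)))

def capinfos(blob):
    """The figures capinfos prints: packet and byte counts, link type, snaplen, duration."""
    linktype, snaplen, records = read_pcap(blob)
    ts = [t for t, _ in records]
    return {"packets": len(records), "bytes": sum(len(d) for _, d in records), "linktype": linktype,
            "snaplen": snaplen, "duration": max(ts) - min(ts) if ts else 0.0}

def mergecap(*blobs):
    """Merge in timestamp order like mergecap; inputs must share one link type
    (a libpcap file carries a single link type for the whole file)."""
    linktypes, records = set(), []
    for blob in blobs:
        lt, _, recs = read_pcap(blob)
        linktypes.add(lt)
        records.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types")
    return write_pcap(sorted(records, key=lambda r: r[0]), linktypes.pop())

# Constructed hex dump of two TFTP PDUs: an RRQ for "boot.cfg", then DATA block 1.
TFTP_DUMP = """\
0000 00 01 62 6f 6f 74 2e 63 66 67 00 6f 63 74 65 74
0010 00
0000 00 03 00 01 41 42 43
"""
```

text2pcap_udp(TFTP_DUMP, 1000, 69) corresponds to running text2pcap -u 1000,69 on the dump; capinfos() on the result re-parses the bytes rather than trusting what was written, and read_pcap() deliberately rejects a file that ends in the middle of a record, which is how a capture interrupted by a crash or a full disk usually looks.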
D.9. idl2wrs: Creating dissectors from CORBA IDL files In an ideal world idl2wrs would be mentioned in the user's guide in passing and documented in the developer's guide. As the developer's guide has not yet been completed it will be documented here. D.9.1. What is it? As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP.
Procedure for converting a CORBA idl file into a Wireshark dissector
1. To write the C code to stdout: idl2wrs followed by the IDL file name, e.g. idl2wrs echo.idl
2. To write to a file, just redirect the output: idl2wrs echo.idl > packet-test-idl.c
You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection. If you don't want to use the shell script wrapper, then try steps 3 or 4 instead.
3. To write the C code to stdout.
4. More I am sure :-)
D.9.5. Limitations See the TODO list inside packet-giop.c
D.9.6. Notes
1. The "-p ./" option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory. This may need tweaking if you place these files somewhere else.
2. If it complains about being unable to find some modules (eg tempfile.py), you may want to check if PYTHONPATH is set correctly. On my Linux box, it is PYTHONPATH=/usr/lib/python1.
Appendix E. This Document's License (GPL) As with the original licence and documentation distributed with Wireshark, this document is covered by the GNU General Public Licence (GNU GPL). If you haven't read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
This Document's License (GPL) either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10.
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library.