Wireshark User's Guide: 36153 for Wireshark 1.5

by Ulf Lamping, Richard Sharpe, and Ed Warnicke

Copyright © 2004-2011 Ulf Lamping, Richard Sharpe, Ed Warnicke

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. All logos and trademarks in this document are property of their respective owner.
Preface

1. Foreword

Wireshark is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Wireshark because of the lack of documentation. This document is part of an effort by the Wireshark team to improve the usability of Wireshark. We hope that you find it useful, and look forward to your comments.

2. Who should read this document?

The intended audience of this book is anyone using Wireshark.

• Ashok Narayanan, from whose text2pcap man page Section D.9, “text2pcap: Converting ASCII hexdumps to network captures” is derived.
• Frank Singleton, from whose README.idl2wrs Section D.10, “idl2wrs: Creating dissectors from CORBA IDL files” is derived.

4. About this document

This book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping. It is written in DocBook/XML.
Chapter 1. Introduction

1.1. What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

Figure 1.1, “Wireshark captures packets and allows you to examine their content.” shows Wireshark having captured some packets and waiting for you to examine them.

Figure 1.1. Wireshark captures packets and allows you to examine their content.

1.1.3. Live capture from many different network media

Wireshark can capture traffic from many different network media types, including (despite its name) wireless LAN.

1.1.7. Open Source Software

Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!

1.1.8.

• Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.
• 802.11: See the Wireshark wiki page. Capturing raw 802.11 information may be difficult without special equipment.
• Other media: See http://wiki.wireshark.org/CaptureSetup/NetworkMedia

Remarks:

• Many older Windows versions are no longer supported for three reasons: None of the developers use those systems, which makes support difficult.

• Sun Solaris/i386
• Sun Solaris/Sparc
• Canonical Ubuntu

If a binary package is not available for your platform, you should download the source and try to build it. Please report your experiences to wireshark-dev[AT]wireshark.org.

1.3. Where to get Wireshark?

You can get the latest copy of the program from the Wireshark website: http://www.wireshark.org/download.html. The website allows you to choose from among several mirrors for downloading.

There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue. You can find a list of the people who have contributed code to Wireshark by checking the about dialog box of Wireshark, or at the authors page on the Wireshark web site. Wireshark is an open source software project, and is released under the GNU General Public License (GPL). All source code is freely available under the GPL.

Read the FAQ!

Before sending any mail to the mailing lists below, be sure to read the FAQ, as it will often answer the question(s) you might have. This will save yourself and others a lot of time (keep in mind that a lot of people are subscribed to the mailing lists). You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the FAQ page in the dialog shown. An online version is available at the Wireshark website: http://www.wireshark.org/faq.html.

Don't send large files!

Do not send large files (>100KB) to the mailing lists; just place a note that further data is available on request. Large files will only annoy a lot of people on the list who are not interested in your specific problem. If required, you will be asked for further data by the persons who really can help you.
Chapter 2. Building and Installing Wireshark

2.1. Introduction

As with all things, there must be a beginning, and so it is with Wireshark. To use Wireshark, you must:

• Obtain a binary package for your operating system, or
• Obtain the source and build Wireshark for your operating system.

Currently, several Linux distributions ship Wireshark, but they are commonly shipping an out-of-date version. No other versions of UNIX ship Wireshark so far, and Microsoft does not ship it with any version of Windows. For this reason, you might want to pull down the source distribution and build it, as the process is relatively simple.

2.3. Before you build Wireshark under UNIX

Before you build Wireshark from sources, or install a binary package, you must ensure that you have the following other packages installed:

• GTK+, The GIMP Tool Kit. You will also need Glib. Both can be obtained from www.gtk.org
• libpcap, the packet capture software that Wireshark uses.
If you have downloaded the source to libpcap, the general instructions shown in Example 2.2, “Building and installing libpcap” will assist in building it. Also, if your operating system does not support tcpdump, you might also want to download it from the tcpdump web site and install it.

Example 2.2. Building and installing libpcap

    gzip -dc libpcap-1.0.0.tar.Z | tar xvf -
    cd libpcap-1.0.0
1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:

    tar zxvf wireshark-1.5-tar.gz

For other versions of UNIX, you will want to use the following commands:

    gzip -d wireshark-1.5-tar.gz
    tar xvf wireshark-1.5-tar

Note! The pipeline gzip -dc wireshark-1.5-tar.gz | tar xvf - will work here as well.

    rpm -ivh wireshark-1.5.i386.rpm

If the above step fails because of missing dependencies, install the dependencies first, and then retry the step above. See Example 2.3, “Installing required RPMs under Red Hat Linux 6.2 and beyond” for information on what RPMs you will need to have installed.

2.5.2.

is used by the libtool script to construct the final link command, this leads to mysterious problems. This can be resolved by downloading a recent version of sed from http://directory.fsf.org/project/sed/. If you cannot determine what the problems are, send an email to the wireshark-dev mailing list explaining your problem, and including the output from config.log and anything else you think is relevant, like a trace of the make stage.

2.7.

Tools (additional command line tools to work with capture files):

• Editcap - Editcap is a program that reads a capture file and writes some or all of the packets into another capture file.
• Text2Pcap - Text2pcap is a program that reads in an ASCII hex dump and writes the data into a libpcap-style capture file.
• Mergecap - Mergecap is a program that combines multiple saved capture files into a single output file.

• /S runs the installer or uninstaller silently with default values. Please note: The silent installer won't install WinPcap!
• /desktopicon installation of the desktop icon, =yes - force installation, =no - don't install, otherwise use defaults / user settings. This option can be useful for a silent installer.
• /quicklaunchicon installation of the quick launch icon, =yes - force installation, =no - don't install, otherwise use defaults / user settings.

Warning! If you have an older version of WinPcap installed, you must uninstall it before installing the current version. Recent versions of the WinPcap installer will take care of this.

2.8.5. Uninstall Wireshark

You can uninstall Wireshark the usual way, using the "Add or Remove Programs" option inside the Control Panel. Select the "Wireshark" entry to start the uninstallation procedure.
Chapter 3. User Interface

3.1. Introduction

By now you have installed Wireshark and are most likely keen to get started capturing your first packets. In the next chapters we will explore:

• How the Wireshark user interface works
• How to capture packets in Wireshark
• How to view packets in Wireshark
• How to filter packets in Wireshark
• ... and many other things!

3.2. Start Wireshark

You can start Wireshark from your shell or window manager.

Figure 3.1. The Main window

Wireshark's main window consists of parts that are commonly known from many other GUI programs.

1. The menu (see Section 3.4, “The Menu”) is used to start actions.
2. The main toolbar (see Section 3.16, “The "Main" toolbar”) provides quick access to frequently used items from the menu.
3. The filter toolbar (see Section 3.17, “The "Filter" toolbar”) provides a way to directly manipulate the currently used display filter (see Section 6.

3.3.1. Main Window Navigation

Packet list and detail navigation can be done entirely from the keyboard. Table 3.1, “Keyboard Navigation” shows a list of keystrokes that will let you quickly move around a capture file. See Table 3.5, “Go menu items” for additional navigation keystrokes.

Table 3.1. Keyboard Navigation

Accelerator: Description
Tab, Shift+Tab: Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.

Edit: This menu contains items to find a packet, time reference or mark one or more packets, handle configuration profiles, and set your preferences (cut, copy, and paste are not presently implemented). See Section 3.6, “The "Edit" menu”.

View: This menu controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in packet details, .... See Section 3.7, “The "View" menu”.
Figure 3.3. The "File" Menu

Table 3.2. File menu items

Menu Item (Accelerator): Description

Open... (Ctrl+O): This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.

Open Recent: This menu item shows a submenu containing the recently opened capture files. Clicking on one of the submenu items will open the corresponding capture file directly.

Merge...

is discussed further in Section 5.3.1, “The "Save Capture File As" dialog box”).

Note! If you have already saved the current capture, this menu item will be greyed out.

Note! You cannot save a live capture while the capture is in progress. You must stop the capture in order to save.

Save As... (Shift+Ctrl+S): This menu item allows you to save the current capture file to whatever file you would like.

Print... (Ctrl+P): This menu item allows you to print all (or some) of the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in Section 5.8, “Printing packets”).

Quit (Ctrl+Q): This menu item allows you to quit from Wireshark. Wireshark will ask to save your capture file if you haven't previously saved it (this can be disabled by a preference setting).

3.6.

Copy > As Filter (Shift+Ctrl+C): This menu item will use the selected item in the detail view to create a display filter. This display filter is then copied to the clipboard.

Find Packet... (Ctrl+F): This menu item brings up a dialog box that allows you to find a packet by many criteria. There is further information on finding packets in Section 6.8, “Finding packets”.

Find Previous Time Reference (Ctrl+Alt+B): This menu item tries to find the previous time referenced packet.

Configuration Profiles... (Shift+Ctrl+A): This menu item brings up a dialog box for handling configuration profiles. More detail is provided in Section 10.6, “Configuration Profiles”.

Preferences... (Shift+Ctrl+P): This menu item brings up a dialog box that allows you to set preferences for many parameters that control Wireshark.
Wireless Toolbar (Windows only): This menu item hides or shows the wireless toolbar. See the AirPcap documentation for more information.

Statusbar: This menu item hides or shows the statusbar, see Section 3.21, “The Statusbar”.

Packet List: This menu item hides or shows the packet list pane, see Section 3.18, “The "Packet List" pane”.

Packet Details: This menu item hides or shows the packet details pane, see Section 3.

Time Display Format > Seconds Since Previous Displayed Packet: 1.123456: Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see Section 6.12, “Time display formats and time references”.

Time Display Format > Automatic (File Format Precision): Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see Section 6.

Note! Enabling colorization will slow down the display of new packets while capturing / loading capture files.

Auto Scroll in Live Capture: This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.

Coloring Rules...: This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see Section 10.3, “Packet colorization”.

Show Packet in New Window: This menu item brings up the selected packet in a separate window. The separate window shows only the tree view and byte view panes.

Reload

Go to Packet... (Ctrl+G): Bring up a dialog box that allows you to specify a packet number, and then goes to that packet. See Section 6.9, “Go to a specific packet” for details.

Go to Corresponding Packet: Go to the corresponding packet of the currently selected protocol field. If the selected field doesn't correspond to a packet, this item is greyed out.

Previous Packet (Ctrl+Up): Move to the previous packet in the list.
Figure 3.7. The "Capture" Menu

Table 3.6. Capture menu items

Menu Item (Accelerator): Description

Interfaces... (Ctrl+I): This menu item brings up a dialog box that shows what's going on at the network interfaces Wireshark knows of, see Section 4.4, “The "Capture Interfaces" dialog box”.

Options... (Ctrl+K): This menu item brings up the Capture Options dialog box (discussed further in Section 4.5, “The "Capture Options" dialog box”) and allows you to start capturing packets.

Figure 3.8. The "Analyze" Menu

Table 3.7. Analyze menu items

Menu Item (Accelerator): Description

Display Filters...: This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.

Display Filter Macros...: This menu item brings up a dialog box that allows you to create and edit display filter macros.

Enabled Protocols... (Shift+Ctrl+E): This menu item allows the user to enable/disable protocol dissectors, see Section 10.4.1, “The "Enabled Protocols" dialog box”.

Decode As...: This menu item allows the user to force Wireshark to decode certain packets as a particular protocol, see Section 10.4.2, “User Specified Decodes”.

User Specified Decodes...

Figure 3.9. The "Statistics" Menu

All menu items will bring up a new window showing specific statistical information.

Table 3.8. Statistics menu items

Menu Item (Accelerator): Description

Summary: Show information about the data captured, see Section 8.2, “The "Summary" window”.

Protocol Hierarchy: Display a hierarchical tree of protocol statistics, see Section 8.3, “The "Protocol Hierarchy" window”.

Endpoint List: Display a list of endpoints, obsoleted by the combined window of Endpoints above, see Section 8.5.3, “The protocol specific "Endpoint List" windows”.

Service Response Time: Display the time between a request and the corresponding response, see Section 8.7, “Service Response Time”.

ANCP...: See Section 8.10, “The protocol specific statistics windows”

BOOTPDHCP...: See Section 8.

Figure 3.10. The "Telephony" Menu

All menu items will bring up a new window showing specific telephony related statistical information.

Table 3.9. Telephony menu items

Menu Item (Accelerator): Description

IAX2: See Section 9.6, “The protocol specific statistics windows”

SMPP Operations...: See Section 9.6, “The protocol specific statistics windows”

SCTP: See Section 9.6, “The protocol specific statistics windows”

ANSI: See Section 9.

WAP-WSP...: See Section 9.6, “The protocol specific statistics windows”

3.13. The "Tools" menu

The Wireshark Tools menu contains the fields shown in Table 3.10, “Tools menu items”.

Figure 3.11. The "Tools" Menu

Table 3.10.
Figure 3.12. The "Internals" Menu

Table 3.11. Internals menu items

Menu Item (Accelerator): Description

Dissector tables: This menu item brings up a dialog box showing the tables with subdissector relationships.

Supported Protocols (slow!): This menu item brings up a dialog box showing the supported protocols and protocol fields.

3.15. The "Help" menu

The Wireshark Help menu contains the fields shown in Table 3.12, “Help menu items”.

Figure 3.13. The "Help" Menu

Table 3.12. Help menu items

Menu Item (Accelerator): Description

Contents (F1): This menu item brings up a basic help system.

Manual Pages > ...: This menu item starts a Web browser showing one of the locally installed html manual pages.

Website: This menu item starts a Web browser showing the webpage from: http://www.wireshark.org.

FAQ's: This menu item starts a Web browser showing various FAQ's.

Note! Calling a Web browser might be unsupported in your version of Wireshark. If this is the case, the corresponding menu items will be hidden.

Note! If calling a Web browser fails on your machine, maybe because just nothing happens or the browser is started but no page is shown, have a look at the web browser setting in the preferences dialog.

3.16. The "Main" toolbar

The main toolbar provides quick access to frequently used items from the menu.

Toolbar Item (Corresponding Menu Item): Description

Note! If you currently have a temporary capture file, the Save icon will be shown instead.

Close (File/Close): This item closes the current capture. If you have not saved the capture, you will be asked to save it first.

Reload (View/Reload): This item allows you to reload the current capture file.

Print... (File/Print...): This item allows you to print all (or some of) the packets in the capture file.

Display Filters... (Analyze/Display Filters...): This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in Section 6.6, “Defining and saving filters”.

Coloring Rules... (View/Coloring Rules...)

Toolbar Item: Description

Note! This field is also where the current filter in effect is displayed.

Expression...: The middle button labeled "Add Expression..." opens a dialog box that lets you edit a display filter from a list of protocol fields, described in Section 6.5, “The "Filter Expression" dialog box”.

Clear: Reset the current display filter and clear the edit area.

Apply: Apply the current value in the edit area as the new display filter.
• Time: The timestamp of the packet. The presentation format of this timestamp can be changed, see Section 6.12, “Time display formats and time references”.
• Source: The address where this packet is coming from.
• Destination: The address where this packet is going to.
• Protocol: The protocol name in a short (perhaps abbreviated) version.
• Info: Additional information about the packet content.

There is a context menu (right mouse click) available, see details in Figure 6.

As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters (or . if not appropriate) are displayed. Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data, see Section 7.6, “Packet Reassembling”.

• Marked: the number of marked packets
• Dropped: the number of dropped packets (only displayed if Wireshark was unable to capture all packets)
• Ignored: the number of ignored packets (only displayed if packets are ignored)
• The right side shows the selected configuration profile. Clicking in this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile.

Figure 3.22.
Chapter 4. Capturing Live Network Data

4.1. Introduction

Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features:

• Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...).
• Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets.
• Simultaneously show decoded packets while Wireshark keeps on capturing.

4.3. Start Capturing

One of the following methods can be used to start capturing packets with Wireshark:

• You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box, see Figure 4.1, “The "Capture Interfaces" dialog box on Microsoft Windows” or Figure 4.2, “The "Capture Interfaces" dialog box on Unix/Linux”. You can start a capture from this dialog box, using (one of) the "Capture" button(s).

Figure 4.2. The "Capture Interfaces" dialog box on Unix/Linux

Device (Unix/Linux only): The interface device name.

Description: The interface description provided by the operating system, or the user defined comment added in Section 10.5.1, “Interface Options”.

IP: The first IP address Wireshark could find for this interface. You can click on the address to cycle through other addresses assigned to it, if available. If no address could be found, "unknown" will be displayed.

Figure 4.3. The "Capture Options" dialog box

Tip! If you are unsure which options to choose in this dialog box, just try keeping the defaults, as this should work well in many cases.

You can set the following fields in this dialog box:

4.5.1. Capture frame

Interface (Windows only): The drop down list allows you to select the group of interfaces you want to look at. Normally that would be the local interfaces, but here you can also select a remote interface.

IP address: The IP address(es) of the selected interface. If no address could be resolved from the system, "unknown" will be shown.

Link-layer header type: Unless you are in the rare situation that you need this, just keep the default. For a detailed description, see Section 4.9, “Link-layer header type”.

Wireless settings (Windows only): Here you can set the settings for wireless capture using the AirPCap adapter. For a detailed description, see the AirPCap Users Guide.
Warning: This is an experimental feature. The resulting saved file may or may not be valid. See http://wiki.wireshark.org/Development/PcapNg for more details on pcap-ng.

Limit each packet to n bytes: This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen. If disabled, the value is set to the maximum 65535, which will be sufficient for most protocols.

Next file every n megabyte(s): Multiple files only: Switch to the next file after the given number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been captured.

Next file every n minute(s): Multiple files only: Switch to the next file after the given number of second(s)/minute(s)/hour(s)/day(s) have elapsed.

Ring buffer with n files: Multiple files only: Form a ring buffer of the capture files, with the given number of files.

4.5.6. Buttons

Once you have set the values you desire and have selected the options you need, simply click on Start to commence the capture, or Cancel to cancel the capture. If you start a capture, Wireshark allows you to stop capturing when you have enough packets captured; for details see Section 4.11, “While a Capture is running ...”.

4.6.

4.6.1. Remote Capture Interfaces

Figure 4.4. The "Remote Capture Interfaces" dialog box

You have to set the following parameters in this dialog:

Host: Enter the IP address or host name of the target platform where the Remote Packet Capture Protocol service is listening.

Port: Set the port number where the Remote Packet Capture Protocol service is listening on. Leave open to use the default port (2002).

4.6.2. Remote Capture

When the connection to the Remote Packet Capture Protocol service is successfully established, the "Capture Options" dialog looks like this, see Figure 4.5, “The "Remote Capture" dialog box”.

Figure 4.5. The "Remote Capture" dialog box

The Interface dropdown list now shows the IP address or host name of the Remote Packet Capture Protocol service and the other field shows the interfaces on the remote target.
Figure 4.6. The "Remote Capture Settings" dialog box

You can set the following parameters in this dialog:

Do not capture own RPCAP traffic: This option sets a capture filter so that the traffic flowing back from the Remote Packet Capture Protocol service to Wireshark isn't captured as well and sent back again. The recursion in this saturates the link with duplicate traffic.

of packets. This allows capture over a narrow band remote capture session of a higher bandwidth interface.

Sampling option 1 every x milliseconds: This option limits the Remote Packet Capture Protocol service to send only a sub sampling of the captured data, in terms of time. This allows capture over a narrow band capture session of a higher bandwidth interface.

4.7.

options. This will spread the captured packets over several smaller files, which can be much more pleasant to work with.

Note! Using Multiple files may cut context related information. Wireshark keeps context information of the loaded packet data, so it can report context related problems (like a stream error) and keeps information about context related protocols (e.g. where data is exchanged at the establishing phase and only referred to in later packets).

4.9. Link-layer header type

In the usual case, you won't have to choose this link-layer header type. The following paragraphs describe the exceptional cases, where selecting this type is possible, so you will have a guide of what to do:

If you are capturing on an 802.11 device on some versions of BSD, this might offer a choice of "Ethernet" or "802.11". "Ethernet" will cause the captured packets to have fake Ethernet headers; "802.11" will cause them to have IEEE 802.11 headers.
Capturing Live Network Data Example 4.2. Capturing all telnet traffic not from 10.0.0.5 tcp port 23 and not src host 10.0.0.5 XXX - add examples to the following list. A primitive is simply one of the following: [src|dst] host This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src| dst to specify that you are only interested in source or destination addresses.
Capturing Live Network Data man page at http://www.tcpdump.org/tcpdump_man.html for more details. 4.10.1. Automatic Remote Traffic Filtering If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ...), the remote content has to be transported over the network, adding a lot of (usually unimportant) packets to the actually interesting traffic.
Capturing Live Network Data 4.11.1. Stop the running capture A running capture session will be stopped in one of the following ways: 1. Using the " Stop" button from the Capture Info dialog box . Note! The Capture Info dialog box might be hidden, if the option "Hide capture info dialog" is used. 2. Using the menu item "Capture/ 3. Using the toolbar item " Stop". Stop". 4. Pressing the accelerator keys: Ctrl+E. 5. The capture will be automatically stopped, if one of the Stop Conditions is exceeded, e.
Chapter 5. File Input / Output and Printing 5.1. Introduction This chapter will describe input and output of capture data. • Open/Import capture files in various capture file formats • Save/Export capture files in various capture file formats • Merge capture files together • Print packets 5.2. Open capture files Wireshark can read in previously saved capture files. To read them, simply select the menu or toolbar item: "File/ Open".
Wireshark extensions to the standard behaviour of these dialogs: • View file preview information (like the file size, the number of packets, ...), if you've selected a capture file. • Specify a display filter with the "Filter:" button and filter field. This filter will be used when opening the new file. The text field background becomes green for a valid filter string and red for an invalid one.
items like "Home", "Desktop", and "Filesystem" cannot be removed). • If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Open" button. Figure 5.3. "Open" - old GTK version Unix/Linux: GTK version < 2.4 This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions. Specific for this dialog: • If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Ok" button. 5.2.2.
• traces from the EyeSDN USB S0 • IPLog format from the Cisco Secure Intrusion Detection System • pppd logs (pppdump format) • the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities • the text output from the DBS Etherwatch VMS utility • Visual Networks' Visual UpTime traffic capture • the output from CoSine L2 debug • the output from Accellent's 5Views LAN agents • Endace Measurement Systems' ERF format captures • Linux Bluez Bluetooth stack hcidump -w traces • Cata
5.3.1. The "Save Capture File As" dialog box The "Save Capture File As" dialog box allows you to save the current capture to a file. Table 5.2, “The system specific "Save Capture File As" dialog box” shows some examples of this dialog box. The dialog appearance depends on your system! The appearance of this dialog depends on the system and GTK+ toolkit version used. However, the functionality remains basically the same on any particular system. Table 5.2.
Figure 5.6. "Save" - old GTK version Unix/Linux: GTK version < 2.4 This is the file save dialog of former Gimp/GNOME versions - plus some Wireshark extensions. With this dialog box, you can perform the following actions: 1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system. 2. Select the directory to save the file into. 3. Select the range of the packets to be saved, see Section 5.
File formats have different time stamp accuracies! Saving from the currently used file format to a different format may reduce the time stamp accuracy; see Section 7.4, “Time Stamps” for details. The following file formats can be saved by Wireshark (with the known file extensions): • libpcap, tcpdump and various other tools using tcpdump's capture format (*.pcap, *.cap, *.dmp) • Accellent 5Views (*.5vw) • HP-UX's nettl (*.TRC0, *.
• Use the mergecap tool, which is a command line tool to merge capture files. This tool provides the most options to merge capture files, see Section D.8, “mergecap: Merging multiple capture files into one”. 5.4.1. The "Merge with Capture File" dialog box This dialog box lets you select a file to be merged into the currently loaded file.
Figure 5.9. "Merge" - old GTK version Unix/Linux: GTK version < 2.4 This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions. 5.5. Import text file Wireshark can read in an ASCII hex dump and write the data described into a temporary libpcap capture file. It can read hex dumps with multiple packets in them, and build a capture file of multiple packets.
elect to insert Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each packet. This allows Wireshark or any other full-packet decoder to handle these dumps. 5.5.1. The "File import" dialog box This dialog box lets you select a file to be imported and set import parameters. Figure 5.10.
Encapsulation type Here you can select which type of frames you are importing. This depends on the type of medium the dump to import was taken from. It lists all types that Wireshark understands, so as to pass the capture file contents to the right dissector. Dummy header When Ethernet encapsulation is selected you have the option to prepend dummy headers to the frames to import.
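The import described above, as an added example that is not part of the Wireshark project's code: the Python below splits an offset-prefixed hex dump into packets, optionally prepends a dummy Ethernet header (constructed MAC addresses, EtherType 0x0800), and writes a libpcap file whose link-layer type matches that choice. The sample dump, MAC addresses and timestamps are constructed.

```python
import re
import struct

# Constructed sample input: an offset-prefixed hex dump of two IPv4/UDP
# datagrams with no link-layer header. An offset of 0 starts a new packet;
# a trailing ASCII column, as many dump tools print it, is ignored.
SAMPLE_DUMP = """\
000000 45 00 00 1d 00 01 00 00 40 11 7c cc 0a 00 00 05   E.......@.|.....
000010 0a 00 00 06 04 d2 00 35 00 09 00 00 41            .......5....A
000000 45 00 00 1c 00 02 00 00 40 11 7c cc 0a 00 00 06
000010 0a 00 00 05 00 35 04 d2 00 08 00 00
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101               # raw IP, no link-layer header

# Dummy Ethernet header: constructed, locally administered MAC addresses
# (destination, then source) followed by EtherType 0x0800 for IPv4.
DUMMY_ETHERNET = bytes.fromhex("020000000002" "020000000001" "0800")


def parse_hex_dump(text):
    """Split an offset-prefixed hex dump into a list of packets (bytes)."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            offset = int(tokens[0], 16)
        except ValueError:
            continue                       # not a dump line, skip it
        if offset == 0 and current:        # offset reset -> next packet
            packets.append(bytes(current))
            current = bytearray()
        for tok in tokens[1:]:
            if not HEX_BYTE.fullmatch(tok):
                break                      # ASCII column starts here
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def build_pcap(packets, prepend_ethernet=True, first_ts=1300000000):
    """Serialize packets as a libpcap file, one second apart (constructed timestamps)."""
    linktype = LINKTYPE_ETHERNET if prepend_ethernet else LINKTYPE_RAW
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for n, payload in enumerate(packets):
        frame = DUMMY_ETHERNET + payload if prepend_ethernet else payload
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", first_ts + n, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap file back into (linktype, [frame, ...]) to check the result."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    frames, pos = [], 24
    while pos < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return linktype, frames


if __name__ == "__main__":
    pkts = parse_hex_dump(SAMPLE_DUMP)
    with open("import_example.pcap", "wb") as fh:
        fh.write(build_pcap(pkts))
    print("wrote %d packets" % len(pkts))
```

Run stand-alone it writes import_example.pcap in the current directory, which Wireshark opens like any other libpcap file.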
5.6.1. The "List Files" dialog box Figure 5.11. The "List Files" dialog box Each line contains information about a file of the file set: • Filename the name of the file. If you click on the filename (or the radio button to the left of it), the current file will be closed and the corresponding capture file will be opened.
5.7.1. The "Export as Plain Text File" dialog box Export packet data into a plain ASCII text file, much like the format used to print packets.
Figure 5.12. The "Export as Plain Text File" dialog box • Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”. • The Packet Details frame is described in Section 5.10, “The Packet Format frame”. 5.7.2. The "Export as PostScript File" dialog box Export packet data into PostScript, much like the format used to print packets. Tip! You can easily convert PostScript files to PDF files using ghostscript. For example: export to a file named foo.ps and then call: ps2pdf foo.
Figure 5.13. The "Export as PostScript File" dialog box • Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”. • The Packet Details frame is described in Section 5.10, “The Packet Format frame”. 5.7.3. The "Export as CSV (Comma Separated Values) File" dialog box XXX - add screenshot Export packet summary into CSV, used e.g. by spreadsheet programs to import/export data. • Export to file: frame chooses the file to export the packet data to. • The Packet Range frame is described in Section 5.
Figure 5.14. The "Export as PSML File" dialog box • Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”. There's no such thing as a packet details frame for PSML export, as the packet format is defined by the PSML specification. 5.7.6. The "Export as PDML File" dialog box Export packet data into PDML. This is an XML based format including the packet details. The PDML file specification is available at: http://www.nbee.org/doku.php?id=netpdl:pdml_specification.
Figure 5.15. The "Export as PDML File" dialog box • Export to file: frame chooses the file to export the packet data to.
• The Packet Range frame is described in Section 5.9, “The Packet Range frame”. There's no such thing as a packet details frame for PDML export, as the packet format is defined by the PDML specification. 5.7.7. The "Export selected packet bytes" dialog box Export the bytes selected in the "Packet Bytes" pane into a raw binary file.
Figure 5.16. The "Export Selected Packet Bytes" dialog box • Name: the filename to export the packet data to.
• The Save in folder: field lets you select the folder to save to (from some predefined folders). • Browse for other folders provides a flexible way to choose a folder. 5.7.8. The "Export Objects" dialog box This feature scans through the HTTP streams in the currently open capture file or running capture, takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP, and lets you save them to disk.
• Help: Opens this section in the user's guide. • Close: Closes this dialog. • Save As: Saves the currently selected object under a filename you specify. The default filename to save as is taken from the filename column of the objects list. • Save All: Saves all objects in the list using the filename from the filename column. You will be asked what directory / folder to save them in.
Note! These Print command fields are not available on Windows platforms. This field specifies the command to use for printing. It is typically lpr. You would change it to specify a particular queue if you need to print to a queue other than the default. An example might be: lpr -Pmypostscript This field is greyed out if Output to file: is checked above. Packet Range Select the packets to be printed, see Section 5.
Figure 5.20. The "Packet Format" frame • Packet summary line enables the output of the summary line, just as in the "Packet List" pane. • Packet details enables the output of the packet details tree. • All collapsed the info from the "Packet Details" pane in "all collapsed" state. • As displayed the info from the "Packet Details" pane in the current state. • All expanded the info from the "Packet Details" pane in "all expanded" state.
Chapter 6. Working with captured packets 6.1. Viewing packets you have captured Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.
Figure 6.2. Viewing a packet in a separate window 6.2. Pop-up menus You can bring up a pop-up menu over either the "Packet List" pane, its column header, or the "Packet Details" pane by clicking your right mouse button at the corresponding pane. 6.2.1. Pop-up menu of the "Packet List" column header Figure 6.3.
Table 6.1. The menu items of the "Packet List" column header pop-up menu (columns: Item / Identical to main menu's item / Description): • Sort Ascending: Sort the packet list in ascending order based on this column. • Sort Descending: Sort the packet list in descending order based on this column. • No Sort: Remove sorting order based on this column. ---- • Align Left: Set left alignment of the values in this column. • Align Center: Set center alignment of the values in this column.
6.2.2. Pop-up menu of the "Packet List" pane Figure 6.4. Pop-up menu of the "Packet List" pane The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item. Table 6.2. The menu items of the "Packet List" pop-up menu (columns: Item / Identical to main menu's item / Description): • Mark Packet (toggle) / Edit: Mark/unmark a packet.
(Table 6.2, continued: Item / Identical to main menu's item / Description) • Conversation Filter / -: This menu item applies a display filter with the address information from the selected packet. E.g. the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. XXX - add a new section describing this better. • Colorize Conversation / -: This menu item uses a display filter with the address information from the selected packet to build a new colorizing rule.
6.2.3. Pop-up menu of the "Packet Details" pane Figure 6.5. Pop-up menu of the "Packet Details" pane The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item. Table 6.3. The menu items of the "Packet Details" pop-up menu (columns: Item / Identical to main menu's item / Description): • Expand Subtrees / View: Expand the currently selected subtree.
(Table 6.3, continued: Item / Identical to main menu's item / Description) • Colorize with Filter / -: This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule. • Follow TCP Stream / Analyze: Allows you to view all the data on a TCP stream between a pair of nodes. • Follow UDP Stream / Analyze: Allows you to view all the data on a UDP datagram stream between a pair of nodes. • Follow SSL Stream / Analyze: Same as "Follow TCP Stream" but for SSL.
(Table 6.3, continued: Item / Identical to main menu's item / Description) • Protocol Preferences... / -: The menu item takes you to the properties dialog and selects the page corresponding to the protocol if there are properties associated with the highlighted field. More information on preferences can be found in Figure 10.8, “The preferences dialog box”. ---- • Decode As... / Analyze: Change or apply a new relation between two dissectors.
Figure 6.6. Filtering on the TCP protocol As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so the first packet shown is now packet number 11. Note! When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file, but not its content! You can filter on any protocol that Wireshark understands.
Tip! You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter page at http://wiki.wireshark.org/DisplayFilters. 6.4.1. Display filter fields Every field in the packet details pane can be used as a filter string; this will result in showing only the packets where this field exists. For example, the filter string tcp will show all packets containing the tcp protocol.
Table 6.5. Display Filter Field Types (columns: Type / Example) • Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit): You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent: ip.len le 1500 / ip.len le 02734 / ip.len le 0x436 • Signed integer (8-bit, 16-bit, 24-bit, 32-bit) • Boolean: A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.
(columns: English / C-like / Description and example) • or / ||: Logical OR, e.g. ip.src==10.0.0.5 or ip.src==192.1.1.1 • xor / ^^: Logical XOR, e.g. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 • not / !: Logical NOT, e.g. not llc • [...]: Substring Operator. Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [] containing a comma separated list of range specifiers. eth.
Often people use a filter string to display something like ip.addr == 1.2.3.4, which will display all packets containing the IP address 1.2.3.4. Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4. Unfortunately, this does not do what is expected. Instead, that expression will even be true for packets where either the source or the destination IP address equals 1.2.3.4. The reason for this is that the expression ip.addr != 1.2.3.
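The pitfall above, worked through with an added Python evaluator that is not Wireshark code: it applies the rule that a comparison is true when any occurrence of the field satisfies it, so ip.addr != X holds as soon as one of the two addresses differs, while !(ip.addr == X) gives the intended result. The packet dictionaries, the field set and the supported operators are constructed for this example.

```python
import re

# Constructed packets: Wireshark populates ip.addr from BOTH the source and the
# destination address, so that field has two occurrences per IPv4 packet.
PACKET_A = {"ip.src": ["1.2.3.4"], "ip.dst": ["5.6.7.8"]}
PACKET_B = {"ip.src": ["9.9.9.9"], "ip.dst": ["5.6.7.8"]}

TOKEN = re.compile(r"\s*(\(|\)|==|!=|&&|\|\||!|[A-Za-z_][A-Za-z0-9_.]*|[0-9][0-9.]*)")
WORD_OPS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!="}


def tokenize(expr):
    """Split a display filter into tokens; English operators map to C-like ones."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("cannot tokenize at %r" % expr[pos:])
        tokens.append(WORD_OPS.get(m.group(1), m.group(1)))
        pos = m.end()
    return tokens


def field_values(packet, name):
    """All occurrences of a field in the packet (empty list if it is absent)."""
    if name == "ip.addr":
        return packet.get("ip.src", []) + packet.get("ip.dst", [])
    return packet.get(name, [])


def compare(packet, name, op, literal):
    """A comparison holds if ANY occurrence of the field satisfies it."""
    values = field_values(packet, name)
    if op == "==":
        return any(v == literal for v in values)
    # "!=" is an any-match too: with two ip.addr values one of them almost
    # always differs from the literal, which is exactly the pitfall.
    return any(v != literal for v in values)


class Evaluator:
    """Recursive descent over: or-expr > and-expr > not-expr > atom."""

    def __init__(self, packet, expr):
        self.packet, self.tokens, self.pos = packet, tokenize(expr), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "||":
            self.take()
            rhs = self.parse_and()        # always parsed so tokens are consumed
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "&&":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        name = self.take()
        if self.peek() in ("==", "!="):
            op, literal = self.take(), self.take()
            return compare(self.packet, name, op, literal)
        return bool(field_values(self.packet, name))   # bare field = presence test


def matches(packet, expr):
    """True if the packet would be displayed by the given filter string."""
    ev = Evaluator(packet, expr)
    result = ev.parse_or()
    if ev.peek() is not None:
        raise ValueError("unexpected token %r" % ev.peek())
    return result


if __name__ == "__main__":
    for expr in ("ip.addr != 1.2.3.4", "!(ip.addr == 1.2.3.4)",
                 "ip.src != 1.2.3.4 and ip.dst != 1.2.3.4"):
        print("%-40s A:%-5s B:%s" % (expr, matches(PACKET_A, expr), matches(PACKET_B, expr)))
```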
first few letters of the protocol name). By clicking on the "+" next to a protocol name you can get a list of the field names available for filtering for that protocol. Relation Select a relation from the list of available relations. The "is present" relation is a unary relation which is true if the selected field is present in a packet. All other listed relations are binary relations which require additional data (e.g. a Value to match) to complete.
Figure 6.8. The "Capture Filters" and "Display Filters" dialog boxes New This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If any of these fields are empty, it will be set to "new". Delete This button deletes the selected filter. It will be greyed out if no filter is selected.
Close Close this dialog. This will discard unsaved settings. 6.7. Defining and saving filter macros You can define filter macros with Wireshark and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use. XXX - add an explanation of this. 6.8. Finding packets You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet...
You can choose the search direction: • Up Search upwards in the packet list (decreasing packet numbers). • Down Search downwards in the packet list (increasing packet numbers). 6.8.2. The "Find Next" command "Find Next" will continue searching with the same options used in the last "Find Packet". 6.8.3. The "Find Previous" command "Find Previous" will do the same thing as "Find Next", but with reverse search direction. 6.9.
6.9.5. The "Go to First Packet" command This command will simply jump to the first packet displayed. 6.9.6. The "Go to Last Packet" command This command will simply jump to the last packet displayed. 6.10. Marking packets You can mark packets in the "Packet List" pane. A marked packet will be shown with a black background, regardless of the coloring rules set. Marking a packet can be useful to find it later while analyzing a large capture file.
These ignore functions are available from the "Edit" menu, and the "Ignore packet (toggle)" function is also available from the pop-up menu of the "Packet List" pane. 6.12. Time display formats and time references While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis. A detailed description of timestamps, timezones and the like can be found in Section 7.4, “Time Stamps”.
Note! Time referencing will only be useful if the time display format is set to "Seconds Since Beginning of Capture". If one of the other time display formats is used, time referencing will have no effect (and will make no sense either). To work with time references, choose one of the "Time Reference" items in the "Edit" menu, see Section 3.6, “The "Edit" menu”, or from the pop-up menu of the "Packet List" pane.
Chapter 7. Advanced Topics 7.1. Introduction In this chapter some of the advanced features of Wireshark will be described. 7.2. Following TCP streams If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream.
The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. If you like, you can change these colors in the Edit/Preferences "Colors" page. Non-printable characters will be replaced by dots. XXX - What about line wrapping (maximum line length) and CRNL conversions? The stream content won't be updated while doing a live capture.
The following will first describe the components of a single expert info, then the user interface. 7.3.1. Expert Info Entries Each expert info will contain the following things, which will be described in detail below: Table 7.1. Some example expert infos (columns: Packet # / Severity / Group / Protocol / Summary) • 1 / Note / Sequence / TCP / Duplicate ACK (#1) • 2 / Chat / Sequence / TCP / Connection reset (RST) • 8 / Note / Sequence / TCP / Keep-Alive • 9 / Warn / Sequence / TCP / Fast retransmission (suspected) 7.3.1.
7.3.1.3. Protocol The protocol in which the expert info was caused. 7.3.1.4. Summary Each expert info will also have a short additional text with some further explanation. 7.3.2. "Expert Info Composite" dialog From the main menu you can open the expert info dialog using "Analyze/Expert Info Composite". XXX - "Analyze/Expert Info" also exists but is subject to removal and therefore not explained here. XXX - add explanation of the dialog's context menu. 7.3.2.1.
The protocol field causing an expert info is colorized, e.g. uses a cyan background for a note severity level. This color is propagated to the toplevel protocol item in the tree, so it's easy to find the field that caused the expert info. For the example screenshot above, the IP "Time to live" value is very low (only 1), so the corresponding protocol field is marked with a cyan background. To make it easier to find that item in the packet tree, the IP protocol toplevel item is marked cyan as well. 7.
7.4.2. Capture file formats Every capture file format that Wireshark knows supports time stamps. The time stamp precision supported by a specific capture file format differs widely and varies from one second "0" to one nanosecond "0.123456789". Most file formats store the time stamps with a fixed precision (e.g. microseconds), while some file formats are even capable of storing the time stamp precision itself (whatever the benefit may be).
What are time zones? People expect that the time reflects the sunset. Dawn should be in the morning, maybe around 06:00, and dusk in the evening, maybe at 20:00. These times will obviously vary depending on the season. It would be very confusing if everyone on earth used the same global time, as this would correspond to the sunset only in a small part of the world.
This way you will tell your computer both the local time and also the time offset to UTC. Tip! If you travel around the world, a common mistake is to adjust the hours of your computer clock to the local time.
Displayed Time (Local Time): Los Angeles 02:00, New York 05:00, Madrid 09:00, London 10:00, Berlin 11:00, Tokyo 19:00. An example: Let's assume that someone in Los Angeles captured a packet with Wireshark at exactly 2 o'clock local time and sends you this capture file. The capture file's time stamp will be represented in UTC as 10 o'clock. You are located in Berlin and will see 11 o'clock on your Wireshark display.
Note! You will find the reassembled data in the last packet of the chunk. An example: In an HTTP GET response, the requested data (e.g. an HTML page) is returned. Wireshark will show the hex dump of the data in a new tab "Uncompressed entity body" in the "Packet Bytes" pane. Reassembling is enabled in the preferences by default. The defaults were changed from disabled to enabled in September 2005.
Tip! The name resolution in the packet list is done while the list is filled. If a name could be resolved after a packet was added to the list, that former entry won't be changed. As the name resolution results are cached, you can use "View/Reload" to rebuild the packet list, this time with the correctly resolved names. However, this isn't possible while a capture is in progress. 7.7.2. Ethernet name resolution (MAC layer) Try to resolve an Ethernet MAC address (e.g.
7.7.4. IPX name resolution (network layer) ipxnet name resolution (ipxnets file): XXX - add ipxnets name resolution explanation. 7.7.5. TCP/UDP port name resolution (transport layer) Try to resolve a TCP/UDP port (e.g. 80) to something more "human readable". TCP/UDP port conversion (system service): Wireshark will ask the operating system to convert a TCP or UDP port to its well known name (e.g. 80 # http).
7.8.1. Wireshark checksum validation Wireshark will validate the checksums of several protocols, e.g. IP, TCP, UDP, ... It will do the same calculation as a "normal receiver" would do, and shows the checksum fields in the packet details with a comment, e.g. [correct], [invalid, must be 0x12345678] or alike. Checksum validation can be switched off for various protocols in the Wireshark protocol preferences, e.g. to (very slightly) increase performance.
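An added example of the "normal receiver" calculation the text refers to (this is not Wireshark's implementation): the Python below builds an IPv4 header and a UDP segment with correct checksums, then recomputes them the way a receiver would and produces the same kind of [correct] / [invalid, must be 0x....] annotation, including the UDP-over-IPv4 case where a zero checksum means none was computed. Addresses, ports and payload are constructed.

```python
import socket
import struct


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=17, ttl=64, ident=1):
    """Minimal 20-byte IPv4 header with a correctly computed header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_udp(src, dst, sport, dport, payload):
    """UDP segment whose checksum covers the IPv4 pseudo header plus the segment."""
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
    csum = internet_checksum(pseudo + seg) or 0xFFFF   # a computed 0 is sent as 0xFFFF
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def validate_ipv4_header(pkt):
    """Annotate the header checksum like the packet details: recompute it with the
    checksum field zeroed and compare with the value seen on the wire."""
    ihl = (pkt[0] & 0x0F) * 4                # header length, options included
    hdr = pkt[:ihl]
    stored = struct.unpack_from("!H", hdr, 10)[0]
    expected = internet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    if stored == expected:
        return "[correct]"
    return "[invalid, must be 0x%04x]" % expected


def validate_udp(src, dst, seg):
    """UDP checksum validation over the pseudo header; 0 means 'not computed' under IPv4."""
    stored = struct.unpack_from("!H", seg, 6)[0]
    if stored == 0:
        return "[none]"                      # optional under IPv4, nothing to validate
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(seg))
    expected = internet_checksum(pseudo + seg[:6] + b"\x00\x00" + seg[8:]) or 0xFFFF
    if stored == expected:
        return "[correct]"
    return "[invalid, must be 0x%04x]" % expected


if __name__ == "__main__":
    src, dst = "10.0.0.5", "10.0.0.6"        # constructed addresses
    udp = build_udp(src, dst, 1234, 53, b"test")
    ip = build_ipv4_header(src, dst, len(udp))
    print("IP ", validate_ipv4_header(ip))
    print("UDP", validate_udp(src, dst, udp))
    # A router decrements TTL and must recompute the header checksum; a header
    # where that did not happen gets exactly this kind of [invalid] annotation.
    forwarded = ip[:8] + bytes([ip[8] - 1]) + ip[9:]
    print("IP after TTL decrement without recompute:", validate_ipv4_header(forwarded))
```

Captures taken on the sending host with checksum offloading enabled show [invalid] for outgoing packets because the NIC fills the checksum in after the capture point, so an invalid annotation there is not evidence of corruption on the wire.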
Chapter 8. Statistics 8.1. Introduction Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu. These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured). • General statistics: • Summary about the capture file. • Protocol Hierarchy of the captured packets. • Conversations e.g.
Figure 8.1. The "Summary" window • File: general information about the capture file. • Time: the timestamps when the first and the last packet were captured (and the time between them). • Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file). • Display: some display related information. • Traffic: some statistics of the network traffic seen.
Figure 8.2. The "Protocol Hierarchy" window This is a tree of all the protocols in the capture. You can collapse or expand subtrees by clicking on the plus / minus icons. By default, all trees are expanded. Each row contains the statistical values of one protocol. The Display filter will show the current display filter.
Note! Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not add up to the protocol's packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less. This may be caused by TCP protocol overhead (e.g. TCP ACK packets won't be counted as packets of the higher layer). Note! A single packet can contain the same protocol more than once.
Each row in the list shows the statistical values for exactly one conversation. Name resolution will be done if selected in the window and if it is active for the specific protocol layer (MAC layer for the selected Ethernet endpoints page). Limit to display filter will only show conversations matching the current display filter. The copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format.
• TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP ports on the same IP address are different TCP endpoints. • Token Ring: a Token Ring endpoint is identical to the Token Ring MAC address. • UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints. • USB: XXX - insert info here. • WLAN: XXX - insert info here.
ARP) and the third was resolved to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff); the last two Ethernet addresses remain unresolved. Limit to display filter will only show conversations matching the current display filter. The copy button will copy the list values to the clipboard in CSV (Comma Separated Values) format. Tip! This window will be updated frequently, so it will be useful even if you open it before (or while) you are doing a live capture. 8.5.3.
• Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph) • Style: the style of the graph (Line/Impulse/FBar/Dot) • X Axis • Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.
Note! The other Service Response Time windows will work the same way (or only slightly differently) compared to the following description. 8.7.1. The "Service Response Time DCE-RPC" window The service response time of DCE-RPC is the time between the request and the corresponding response. First of all, you have to select the DCE-RPC interface: Figure 8.6. The "Compute DCE-RPC statistics" window You can optionally set a display filter to reduce the number of packets. Figure 8.7.
The merged capture data is checked for missing packets. If a matching connection is found it is checked for: • IP header checksums • Excessive delay (defined by the "Time variance" setting) • Packet order Figure 8.8. The "Compare" window You can configure the following: • Start compare: Start comparing when this many IP IDs are matched. A zero value starts comparing immediately. • Stop compare: Stop comparing when we can no longer match this many IP IDs. Zero always compares.
Tip! If you click on an item in the error list its corresponding packet will be selected in the main window. 8.9. WLAN Traffic Statistics Statistics of the captured WLAN traffic. This window will summarize the wireless network traffic found in the capture. Probe requests will be merged into an existing network if the SSID matches. Figure 8.9. The "WLAN Traffic Statistics" window Each row in the list shows the statistical values for exactly one wireless network.
Chapter 9. Telephony 9.1. Introduction Wireshark provides a wide range of telephony related network statistics which can be accessed via the Telephony menu. These statistics range from specific signaling protocols, to analysis of signaling and media flows. If encoded in a compatible encoding the media flow can even be played. 9.2. RTP Analysis The RTP analysis function takes the selected RTP stream (and the reverse stream, if possible) and generates a list of statistics on it. Figure 9.1.
More details are described at the http://wiki.wireshark.org/VoIP_calls page. 9.4. LTE MAC Traffic Statistics Statistics of the captured LTE MAC traffic. This window will summarize the LTE MAC traffic found in the capture. Figure 9.2. The "LTE MAC Traffic Statistics" window The top pane shows statistics for common channels. Each row in the middle pane shows statistical highlights for exactly one UE/C-RNTI.
Figure 9.3. The "LTE RLC Traffic Statistics" window At the top, the check-box allows this window to include RLC PDUs found within MAC PDUs or not. This will affect both the PDUs counted as well as the display filters generated (see below). The upper list shows summaries of each active UE. Each row in the lower list shows statistical highlights for individual channels within the selected UE. The lower part of the window allows display filters to be generated and set for the selected channel.
Chapter 10. Customizing Wireshark

10.1. Introduction

Wireshark's default behaviour will usually suit your needs pretty well. However, as you become more familiar with Wireshark, it can be customized in various ways to suit your needs even better. In this chapter we explore:

• How to start Wireshark with command line parameters
• How to colorize the packet list
• How to control protocol dissection
• How to use the various preference settings

10.2.

Example 10.1. Help information available from Wireshark

Wireshark 1.3.2
Interactively dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2009 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: wireshark [options] ...
The first thing to notice is that issuing the command wireshark by itself will bring up Wireshark. However, you can include as many of the command line parameters as you like. Their meanings are as follows (in alphabetical order):

-a -b Specify a criterion that specifies when Wireshark is to stop writing to a capture file.

-c This option specifies the maximum number of packets to capture when capturing live data. It would be used in conjunction with the -k option.

-D Print a list of the interfaces on which Wireshark can capture, and exit. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.

-k The -k option specifies that Wireshark should start capturing packets immediately. This option requires the use of the -i parameter to specify the interface that packet capture will occur from.

-l This option turns on automatic scrolling if the packet list pane is being updated automatically as packets arrive during a capture (as specified by the -S flag).

-L List the data link types supported by the interface and exit.

-p Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Wireshark is running, broadcast traffic, and multicast traffic to addresses received by that machine.

-P Special path settings usually detected automatically. This is used for special cases, e.g.

• e epoch, which specifies that timestamps are seconds since epoch (Jan 1, 1970 00:00:00)

-v The -v option requests Wireshark to print out its version information and exit.

-w This option sets the name of the savefile to be used when saving a capture file.

-y If a capture is started from the command line with -k, set the data link type to use while capturing packets. The values reported by -L are the values that can be used.
Figure 10.1. The "Coloring Rules" dialog box

Once the Coloring Rules dialog box is up, there are a number of buttons you can use, depending on whether or not you have any color filters installed already.

Note! You will need to carefully select the order in which the coloring rules are listed, as they are applied in order from top to bottom. So, more specific rules need to be listed before more general rules.

Figure 10.3. The "Choose color" dialog box

Select the color you desire for the selected packets and click on OK.

Note! You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to select the color you want.

Figure 10.4, “Using color filters with Wireshark” shows an example of several color filters being used in Wireshark. You may not like the color choices; however, feel free to choose your own.

10.4. Control Protocol dissection

The user can control how protocols are dissected. Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g.

Figure 10.5. The "Enabled Protocols" dialog box

To disable or enable a protocol, simply click on it using the mouse or press the space bar when the protocol is highlighted. Note that typing the first few letters of the protocol name when the Enabled Protocols dialog box is active will temporarily open a search text box and automatically select the first matching protocol name (if it exists).

Warning! You have to use the Save button to save your settings.
Decode As is accessed by selecting the Decode As... item from the Analyze menu; Wireshark will pop up the "Decode As" dialog box as shown in Figure 10.6, “The "Decode As" dialog box”.

Figure 10.6. The "Decode As" dialog box

The content of this dialog box depends on the selected packet when it was opened.

Warning! The user specified decodes can not be saved. If you quit Wireshark, these settings will be lost.

1. Decode: Decode packets the selected way.
2.

Figure 10.7. The "Decode As: Show" dialog box

1. OK: Close this dialog box.
2. Clear: Removes all user specified decodes.

10.5. Preferences

There are a number of preferences you can set. Simply select the Preferences... menu item from the Edit menu, and Wireshark will pop up the Preferences dialog box as shown in Figure 10.8, “The preferences dialog box”, with the "User Interface" page as default. On the left side is a tree where you can select the page to be shown.
Figure 10.8. The preferences dialog box

10.5.1. Interface Options

In the Capture preferences it is possible to configure several options for the interfaces available on your computer. Select the Capture pane and press the Interfaces: Edit button. In this window it is possible to change the default link-layer header type for the interface, add a comment or choose to hide an interface from other parts of the program.

Figure 10.9.

• Default link-layer: each interface may provide several link-layer header types. The default link-layer chosen here is the one used when you first start Wireshark. It is also possible to change this value in Section 4.5, “The "Capture Options" dialog box” when you start a capture. For a detailed description, see Section 4.9, “Link-layer header type”.
• Comment: a user provided description of the interface.

• Some recent settings (recent), such as pane sizes in the Main window (Section 3.3, “The Main window”), column widths in the packet list (Section 3.18, “The "Packet List" pane”), all selections in the "View" menu (Section 3.7, “The "View" menu”) and the last directory navigated to in the File Open dialog.

Other configurations
All other configurations are stored in the personal configuration folder, and are common to all profiles.

Figure 10.10.

Illegal characters
On Windows the profile name cannot start or end with a period (.), and cannot contain any of the following characters: \ / : * ? " < > |
On Unix the profile name cannot contain the '/' character.

OK
This button saves all changes, applies the selected profile and closes the dialog.

Apply
This button saves all changes, applies the selected profile and keeps the dialog open.

Cancel
Close this dialog.
10.10. GeoIP Database Paths

If your copy of Wireshark supports MaxMind's GeoIP library, you can use their databases to match IP addresses to countries, cities, autonomous system numbers, ISPs, and other bits of information. Some databases are available at no cost, while others require a licensing fee. See the MaxMind web site for more information.

This table is handled by a Section 10.7, “User Table” with the following fields.

10.12. Object Identifiers

Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify certain pieces of information. In many cases, they are used in an extension mechanism so that new object identifiers (and associated values) may be defined without needing to change the base standard. Whilst Wireshark has knowledge about many of the OIDs and the syntax of their associated values, the extensibility means that other values may be encountered.

10.15. SMI (MIB and PIB) Modules

If your copy of Wireshark supports libSMI, you can specify a list of MIB and PIB modules here. The COPS and SNMP dissectors can use them to resolve OIDs.

Module name: The name of the module, e.g. IF-MIB.

10.16. SMI (MIB and PIB) Paths

If your copy of Wireshark supports libSMI, you can specify one or more paths to MIB and PIB modules here.

Directory name: A module directory, e.g. /usr/local/snmp/mibs.

For example the hex password 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'.

10.19. Tektronix K12xx/15 RF5 protocols Table

The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are used by a certain interface. Wireshark doesn't read these stk files; it uses a table that helps it identify which lowest layer protocol to use. Stk file to protocol matching is handled by a Section 10.7, “User Table” with the following fields.
Chapter 11. Lua Support in Wireshark

11.1. Introduction

Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.
        [9]  = Dissector.get("rrc"),
        [10] = DissectorTable.get("sctp.ppi"):get_dissector(3),   -- m3ua
        [11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp
    }

    function p_multi.dissector(buf,pkt,root)
        local t = root:add(p_multi,buf(0,2))
        t:add(f_proto,buf(0,1))
        t:add(f_dir,buf(1,1))

        local proto_id = buf(0,1):uint()

        local dissector = protos[proto_id]

        if dissector ~= nil then
            dissector:call(buf(2):tvb(),pkt,root)
        elseif proto_id < 2 then
            t:add(f_text,buf(2))
            -- pkt.cols.

            ips[tostring(pinfo.dst)] = dst + 1
        end

        -- this function will be called once every few seconds to update our window
        function tap.draw(t)
            tw:clear()
            for ip,num in pairs(ips) do
                tw:append(ip .. "\t" .. num .. "\n");
            end
        end

        -- this function will be called whenever a reset is needed
        -- e.g. when reloading the capture file
        function tap.
11.5.1.2.1. Errors
• Cannot operate on a closed dumper

11.5.1.3. dumper:flush()
Writes all unsaved data of a dumper to the disk.

11.5.1.4. dumper:dump(timestamp, pseudoheader, bytearray)
Dumps an arbitrary packet. Note: Dumper:dump_current() will fit best in most cases.

11.5.1.4.1. Arguments
timestamp: The absolute timestamp the packet will have
pseudoheader: The Pseudoheader to use.
bytearray: The data to be saved

11.5.1.5.

11.5.2.2. PseudoHeader.eth([fcslen])
Creates an Ethernet pseudoheader.

11.5.2.2.1. Arguments
fcslen (optional): The FCS length

11.5.2.2.2. Returns
The Ethernet pseudoheader

11.5.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len])
Creates an ATM pseudoheader.

11.5.2.3.1.

11.6.1.1.1. Arguments
fieldname: The filter name of the field (e.g. ip.addr)

11.6.1.1.2. Returns
The field extractor

11.6.1.1.3. Errors
• A Field extractor must be defined before Taps or Dissectors get called

11.6.1.2. field:__call()
Obtain all values (see FieldInfo) for this field.

11.6.1.2.1. Returns
All the values of this field

11.6.1.2.2. Errors
• Fields cannot be used outside dissectors or taps

11.6.2. FieldInfo
An extracted Field

11.6.2.1.
11.6.2.7. fieldinfo:__lt()
Checks whether the end byte of lhs is before the beginning of rhs.

11.6.2.7.1. Errors
• Data source must be the same for both fields

11.6.2.8. fieldinfo.name
The name of this field

11.6.2.9. fieldinfo.label
The string representing this field

11.6.2.10. fieldinfo.value
The value of this field

11.6.2.11. fieldinfo.len
The length of this field

11.6.2.12. fieldinfo.offset
The offset of this field

11.6.3. Non Method Functions

11.6.3.1.

11.7.1.1.2. Returns
The newly created TextWindow object.

11.7.1.2. progdlg:update(progress, [task])
Updates the progress value and, optionally, the task text shown by the dialog.

11.7.1.2.1. Arguments
progress: Part done (e.g. 0.75).
task (optional): Current task, defaults to "".

11.7.1.2.2. Errors
• Cannot be called for something not a ProgDlg
• Progress value out of range (must be between 0.0 and 1.0)

11.7.1.3. progdlg:stopped()
Checks whether the user has pressed the stop button.

11.7.1.3.1.
11.7.2.2. textwindow:set_atclose(action)
Set the function that will be called when the window closes.

11.7.2.2.1. Arguments
action: A function to be executed when the user closes the window

11.7.2.2.2. Returns
The TextWindow object.

11.7.2.2.3. Errors
• Cannot be called for something not a TextWindow

11.7.2.3. textwindow:set(text)
Sets the text.

11.7.2.3.1. Arguments
text: The text to be used.

11.7.2.3.2. Returns
The TextWindow object.

11.7.2.3.3.

11.7.2.5.2. Returns
The TextWindow object.

11.7.2.5.3. Errors
• Cannot be called for something not a TextWindow

11.7.2.6. textwindow:clear()
Erases all text in the window.

11.7.2.6.1. Returns
The TextWindow object.

11.7.2.6.2. Errors
• Cannot be called for something not a TextWindow

11.7.2.7. textwindow:get_text()
Get the text of the window.

11.7.2.7.1. Returns
The TextWindow's text.

11.7.2.7.2. Errors
• Cannot be called for something not a TextWindow

11.7.2.8.

11.7.2.9.2. Returns
The TextWindow object.

11.7.2.9.3. Errors
• Cannot be called for something not a TextWindow

11.7.3. Non Method Functions

11.7.3.1. gui_enabled()
Checks whether the GUI facility is enabled.

11.7.3.1.1. Returns
A boolean: true if it is enabled, false if it isn't.

11.7.3.2. register_menu(name, action, [group])
Register a menu item in one of the main menus.

11.7.3.2.1. Arguments
name: The name of the menu item. The submenus are to be separated by '/'s.

• All fields must be strings

11.7.3.4. retap_packets()
Rescan all packets and just run taps; don't reconstruct the display.

11.7.3.5. copy_to_clipboard(text)
Copy a string into the clipboard.

11.7.3.5.1. Arguments
text: The string to be copied into the clipboard.

11.7.3.6. open_capture_file(filename, filter)
Open and display a capture file.

11.7.3.6.1. Arguments
filename: The name of the file to be opened.
filter: A filter to be applied as the file gets opened.

11.7.3.7.
11.8. Post-dissection packet analysis

11.8.1. Listener

A Listener is called once for every packet that matches a certain filter or has a certain tap. It can read the tree, the packet's Tvb and eventually the tapped data, but it cannot add elements to the tree.

11.8.1.1. Listener.new([tap], [filter])
Creates a new Listener.

11.8.1.1.1. Arguments
tap (optional): The name of this tap
filter (optional): A filter that when matches the tap.
11.9.1.1.1. Arguments
hostname: The address or name of the IP host.

11.9.1.1.2. Returns
The Address object

11.9.1.2. address:__tostring()

11.9.1.2.1. Returns
The string representing the address.

11.9.1.3. address:__eq()
Compares two Addresses

11.9.1.4. address:__le()
Compares two Addresses

11.9.1.5. address:__lt()
Compares two Addresses

11.9.2. Column
A Column in the packet list

11.9.2.1. column:__tostring()

11.9.2.1.1. Returns
A string representing the column

11.9.2.2.

11.9.2.4.1. Arguments
text: The text to append to the Column

11.9.2.5. column:preppend(text)
Prepends text to a Column

11.9.2.5.1. Arguments
text: The text to prepend to the Column

11.9.3. Columns
The Columns of the packet list.

11.9.3.1. columns:__tostring()

11.9.3.1.1. Returns
The string "Columns", no real use, just for debugging purposes.

11.9.3.2. columns:__newindex(column, text)
Sets the text of a specific column

11.9.3.2.1.
11.9.4.5. pinfo.rel_ts
Number of seconds passed since beginning of capture

11.9.4.6. pinfo.delta_ts
Number of seconds passed since the last captured packet

11.9.4.7. pinfo.delta_dis_ts
Number of seconds passed since the last displayed packet

11.9.4.8. pinfo.visited
Whether this packet has been already visited

11.9.4.9. pinfo.src
Source Address of this Packet

11.9.4.10. pinfo.dst
Destination Address of this Packet

11.9.4.11. pinfo.lo
Lower Address of this Packet

11.9.4.12.

11.9.4.18. pinfo.src_port
Source Port of this Packet

11.9.4.19. pinfo.dst_port
Destination Port of this Packet

11.9.4.20. pinfo.ipproto
IP Protocol id

11.9.4.21. pinfo.circuit_id
For circuit based protocols

11.9.4.22. pinfo.match
Port/Data we are matching

11.9.4.23. pinfo.curr_proto
Which Protocol are we dissecting

11.9.4.24. pinfo.columns
Access to the packet list columns

11.9.4.25. pinfo.cols
Access to the packet list columns (equivalent to pinfo.columns)

11.9.4.26.
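The Field, TextWindow, register_menu, retap_packets, Listener and Pinfo entries above fit together into one small tap. The script below is an added example written for this section, not code from the Wireshark project or this guide. It assumes a Wireshark 1.x build with the Lua GUI facility enabled, that the constructor TextWindow.new(title) and the method listener:remove() exist under those names (neither is listed on this page), and that tcp.flags is a numeric field. It counts TCP segments with SYN set and ACK clear per source address, which makes a host that is opening many connections stand out in a capture, and shows the table in a TextWindow.

```lua
-- Added example (not from the Wireshark User's Guide): a Listener (tap) that counts
-- TCP segments with SYN set and ACK clear, per source address, and displays the
-- result in a TextWindow opened from a menu item.

-- Field extractors must be created before any tap or dissector runs (see 11.6.1.1.3).
local tcp_flags_f = Field.new("tcp.flags")   -- assumed to be a numeric (uint) field

local SYN = 0x02
local ACK = 0x10

-- Lua 5.1 has no bitwise operators; test one flag bit with integer arithmetic.
local function has_bit(value, bit)
    return math.floor(value / bit) % 2 == 1
end

local function syn_counter_window()
    local tw = TextWindow.new("SYN counter")   -- TextWindow.new: assumed constructor name
    local counts = {}                           -- source address (string) -> SYN count

    -- Listener.new([tap], [filter]): tap the "tcp" stats and pre-filter with a display
    -- filter so tap.packet only sees candidate segments.
    local tap = Listener.new("tcp", "tcp.flags.syn == 1 && tcp.flags.ack == 0")

    -- called once for every packet that passes the filter
    function tap.packet(pinfo, tvb)
        local fi = tcp_flags_f()                -- FieldInfo for tcp.flags, or nil
        if fi == nil then return end
        local flags = fi.value
        -- re-check the bits so the counting logic does not rely on the filter string alone
        if has_bit(flags, SYN) and not has_bit(flags, ACK) then
            local src = tostring(pinfo.src)     -- Address:__tostring()
            counts[src] = (counts[src] or 0) + 1
        end
    end

    -- called every few seconds and when the capture finishes: redraw the table
    function tap.draw()
        tw:clear()
        tw:append("source\tSYNs without ACK\n")
        for src, n in pairs(counts) do
            tw:append(src .. "\t" .. n .. "\n")
        end
    end

    -- called whenever a reset is needed, e.g. when the capture file is reloaded
    function tap.reset()
        counts = {}
    end

    -- stop tapping when the user closes the window (listener:remove() is assumed)
    tw:set_atclose(function() tap:remove() end)

    -- rerun the taps over the already loaded packets without rebuilding the display
    retap_packets()
end

-- submenus are separated by '/'; the group argument is optional
register_menu("Security/SYN counter", syn_counter_window)
```

Loaded at start-up (for example from init.lua), the script adds a "Security/SYN counter" item to the menu group register_menu uses by default. Opening it installs the Listener, re-taps the loaded capture and lists one line per source address; closing the window removes the Listener so it does not keep running against later captures.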
11.10.1.1. Dissector.get(name)
Obtains a dissector reference by name.

11.10.1.1.1. Arguments
name: The name of the dissector

11.10.1.1.2. Returns
The Dissector reference

11.10.1.2. dissector:call(tvb, pinfo, tree)
Calls a dissector against a given packet (or part of it).

11.10.1.2.1. Arguments
tvb: The buffer to dissect
pinfo: The packet info
tree: The tree on which to add the protocol items

11.10.2. DissectorTable
A table of subdissectors of a particular protocol (e.g.

11.10.2.2.2. Returns
The DissectorTable

11.10.2.3. dissectortable:add(pattern, dissector)
Add a dissector to a table.

11.10.2.3.1. Arguments
pattern: The pattern to match (either an integer or a string depending on the table's type).
dissector: The dissector to add (either a Proto or a Dissector).

11.10.2.4. dissectortable:remove(pattern, dissector)
Remove a dissector from a table.

11.10.2.4.1.

11.10.3.1. Pref.bool(label, default, descr)
Creates a boolean preference to be added to a Protocol's prefs table.

11.10.3.1.1. Arguments
label: The Label (text in the right side of the preference input) for this preference
default: The default value for this preference
descr: A description of what this preference is

11.10.3.2. Pref.uint(label, default, descr)
Creates an (unsigned) integer preference to be added to a Protocol's prefs table.

11.10.3.2.1.

11.10.3.5.1. Arguments
label: The Label (text in the right side of the preference input) for this preference
default: The default value for this preference
descr: A description of what this preference is
range: The range
max: The maximum value

11.10.3.6. Pref.statictext(label, descr)
Creates a static text preference to be added to a Protocol's prefs table.

11.10.3.6.1. Arguments
label: The static text
descr: The static text description

11.10.4.
11.10.5. Proto
A new protocol in Wireshark. Protocols have several uses; the main one is to dissect a protocol, but they can also be mere dummies used to register preferences for other purposes.

11.10.5.1. Proto.new(name, desc)

11.10.5.1.1. Arguments
name: The name of the protocol
desc: A long text description of the protocol (usually lowercase)

11.10.5.1.2. Returns
The newly created protocol

11.10.5.2. proto.dissector
The protocol's dissector, a function you define

11.10.5.3. proto.
type: Field Type (FT_*).
voidstring (optional): A VoidString object.
base (optional): The representation BASE_*.
mask (optional): The bitmask to be used.
descr (optional): The description of the field.

11.10.6.1.2. Returns
The newly created ProtoField object

11.10.6.2. ProtoField.uint8(abbr, [name], [base], [valuestring], [mask], [desc])

11.10.6.2.1.

11.10.6.4. ProtoField.uint24(abbr, [name], [base], [valuestring], [mask], [desc])

11.10.6.4.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
base (optional): One of base.DEC, base.HEX or base.OCT
valuestring (optional): A table containing the text that corresponds to the values
mask (optional): Integer mask of this field
desc (optional): Description of the field

11.10.

desc (optional): Description of the field

11.10.6.6.2. Returns
A protofield item to be added to a ProtoFieldArray

11.10.6.7. ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc])

11.10.6.7.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
base (optional): One of base.DEC, base.HEX or base.

name (optional): Actual name of the field (the string that appears in the tree)
base (optional): One of base.DEC, base.HEX or base.OCT
valuestring (optional): A table containing the text that corresponds to the values
mask (optional): Integer mask of this field
desc (optional): Description of the field

11.10.6.9.2. Returns
A protofield item to be added to a ProtoFieldArray

11.10.6.10. ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc])

11.10.6.10.1.

11.10.6.12. ProtoField.framenum(abbr, [name], [base], [valuestring], [mask], [desc])
A frame number (for hyperlinks between frames)

11.10.6.12.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
base (optional): One of base.DEC, base.HEX or base.

11.10.6.15. ProtoField.ipv6(abbr, [name], [desc])

11.10.6.15.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
desc (optional): Description of the field

11.10.6.15.2. Returns
A protofield item to be added to a ProtoFieldArray

11.10.6.16. ProtoField.ether(abbr, [name], [desc])

11.10.6.16.1.

11.10.6.19. ProtoField.string(abbr, [name], [desc])

11.10.6.19.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
desc (optional): Description of the field

11.10.6.19.2. Returns
A protofield item to be added to a ProtoFieldArray

11.10.6.20. ProtoField.stringz(abbr, [name], [desc])

11.10.6.20.1.

11.10.6.23. ProtoField.guid(abbr, [name], [desc])

11.10.6.23.1. Arguments
abbr: Abbreviated name of the field (the string used in filters)
name (optional): Actual name of the field (the string that appears in the tree)
desc (optional): Description of the field

11.10.6.23.2. Returns
A protofield item to be added to a ProtoFieldArray

11.10.6.24. ProtoField.oid(abbr, [name], [desc])

11.10.6.24.1.
11.11. Adding information to the dissection tree

11.11.1. TreeItem

TreeItems represent information in the packet-details pane. A root TreeItem is passed to dissectors as first argument.

11.11.1.1. treeitem:add()
Adds a child item to a given item, returning the child.

    tree_item:add([proto_field | proto], [tvbrange], [label], ...)

If the proto_field represents a numeric value (int, uint or float), it is treated as a Big Endian (network order) value.

11.11.1.1.1.

severity (optional): One of PI_CHAT, PI_NOTE, PI_WARN, PI_ERROR

11.11.1.6. treeitem:add_expert_info([group], [severity], [text])
Sets the expert flags of the item and adds expert info to the packet.

11.11.1.6.1. Arguments
group (optional): One of PI_CHECKSUM, PI_SEQUENCE, PI_RESPONSE_CODE, PI_REQUEST_CODE, PI_UNDECODED, PI_REASSEMBLE, PI_MALFORMED or PI_DEBUG
severity (optional): One of PI_CHAT, PI_NOTE, PI_WARN, PI_ERROR
text (optional): The text for the expert info

11.11.1.
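Proto, ProtoField, TreeItem, expert info and DissectorTable come together in a dissector. The script below is an added example for this section, not code from this guide or from Wireshark itself. The "demo" protocol, its TCP port 9999 and its message layout (a 1-byte type, a 2-byte big-endian length, then that many bytes of text) are constructed for illustration, and the proto.fields attribute used to register the ProtoFields is assumed from the Wireshark Lua API rather than taken from this page. The part worth copying is the length check: the declared length is compared with the bytes actually present before any TvbRange is sliced, and a mismatch is recorded with add_expert_info instead of letting an out-of-range TvbRange raise a runtime error and abort the dissection.

```lua
-- Added example (not from the Wireshark User's Guide): a minimal dissector for a
-- constructed length-prefixed text protocol, registered on a constructed TCP port.
local DEMO_PORT  = 9999      -- constructed for the example; not a registered port
local HEADER_LEN = 3         -- 1 byte type + 2 bytes length

local p_demo = Proto.new("demo", "Demo length-prefixed text protocol")

-- ProtoField.uint8(abbr, name, base, valuestring, mask, desc): the valuestring
-- table maps type codes to the labels shown in the packet-details pane.
local f_type = ProtoField.uint8("demo.type", "Message type", base.DEC,
                                { [1] = "Hello", [2] = "Data", [3] = "Bye" })
local f_len  = ProtoField.uint16("demo.len", "Payload length", base.DEC)
local f_text = ProtoField.string("demo.text", "Payload")

-- proto.fields is assumed from the Wireshark Lua API (not listed on this page)
p_demo.fields = { f_type, f_len, f_text }

-- proto.dissector: called with the buffer, the packet info and the root TreeItem
function p_demo.dissector(buf, pinfo, root)
    pinfo.cols.protocol = "DEMO"                -- Columns:__newindex on the protocol column

    -- buf() with no arguments is the whole buffer (offset 0, length tvb:len())
    local tree = root:add(p_demo, buf())

    -- Check the header before touching any byte of it.
    if buf:len() < HEADER_LEN then
        tree:add_expert_info(PI_MALFORMED, PI_ERROR, "Truncated demo header")
        return
    end

    tree:add(f_type, buf(0, 1))
    local len_item = tree:add(f_len, buf(1, 2))   -- numeric fields are read big-endian

    local declared  = buf(1, 2):uint()
    local available = buf:len() - HEADER_LEN

    -- Never trust a length field from the wire: clamp it to what is actually present
    -- and flag the discrepancy, rather than slicing a TvbRange past the end of the Tvb.
    if declared > available then
        len_item:add_expert_info(PI_MALFORMED, PI_ERROR,
            "Declared length " .. declared .. " exceeds available " .. available .. " bytes")
        declared = available
    end

    if declared > 0 then
        tree:add(f_text, buf(HEADER_LEN, declared))
    end

    pinfo.cols.info = "type=" .. buf(0, 1):uint() .. " len=" .. declared
end

-- Register on the tcp.port table so TCP hands segments on DEMO_PORT to this Proto.
DissectorTable.get("tcp.port"):add(DEMO_PORT, p_demo)
```

Once loaded, packets on the constructed port show a "Demo length-prefixed text protocol" subtree with the three fields, and a message whose length field overstates the payload gets a PI_MALFORMED/PI_ERROR expert item on the length field rather than a Lua error; the same pattern applies whenever a dissector trusts a length or count carried in the packet.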
11.12.1.2.1. Arguments
first: First array
second: Second array

11.12.1.2.2. Returns
The new composite ByteArray.

11.12.1.2.3. Errors
• Both arguments must be ByteArrays

11.12.1.3. bytearray:prepend(prepended)
Prepend a ByteArray to this ByteArray.

11.12.1.3.1. Arguments
prepended: Array to be prepended

11.12.1.3.2. Errors
• Both arguments must be ByteArrays

11.12.1.4. bytearray:append(appended)
Append a ByteArray to this ByteArray.

11.12.1.4.1.

11.12.1.6.1. Arguments
index: The position of the byte to be set
value: The char value to set [0-255]

11.12.1.7. bytearray:get_index(index)
Get the value of a byte in a ByteArray.

11.12.1.7.1. Arguments
index: The position of the byte to get

11.12.1.7.2. Returns
The value [0-255] of the byte.

11.12.1.8. bytearray:len()
Obtain the length of a ByteArray.

11.12.1.8.1. Returns
The length of the ByteArray.

11.12.1.9.

them are unusable once the function has returned. To create a tvbrange the tvb must be called with offset and length as optional arguments (the offset defaults to 0 and the length to tvb:len()).

11.12.3.1. Tvb.new_real(bytearray, name)
Creates a new Tvb from a bytearray (it gets added to the current frame too).

11.12.3.1.1. Arguments
bytearray: The data source for this Tvb.
name: The name to be given to the new data-source.

11.12.3.1.2. Returns
The created Tvb.

11.12.3.2. Tvb.
11.12.3.7. wslua:__concat()
Concatenate two objects to a string.

11.12.4. TvbRange

A TvbRange represents a usable range of a Tvb and is used to extract data from the Tvb that generated it. TvbRanges are created by calling a tvb (e.g. tvb(offset,length)). If the TvbRange span is outside the Tvb's range the creation will cause a runtime error.

11.12.4.1. tvb:range([offset], [length])
Creates a tvbr from this Tvb. This is used also as the Tvb:__call() metamethod.

11.12.4.1.1.

11.12.4.6.1. Returns
The signed integer value

11.12.4.7. tvbrange:le_int()
Get a Little Endian signed integer from a TvbRange. The range must be 1, 2 or 4 octets long.

11.12.4.7.1. Returns
The signed integer value

11.12.4.8. tvbrange:int64()
Get a Big Endian (network order) signed 64 bit integer from a TvbRange. The range must be 1-8 octets long.

11.12.4.9. tvbrange:le_int64()
Get a Little Endian signed 64 bit integer from a TvbRange. The range must be 1-8 octets long.

11.12.
11.12.4.14. tvbrange:ether()
Get an Ethernet Address from a TvbRange.

11.12.4.14.1. Returns
The Ethernet Address

11.12.4.14.2. Errors
• The range must be 6 bytes long

11.12.4.15. tvbrange:string()
Obtain a string from a TvbRange.

11.12.4.15.1. Returns
The string

11.12.4.16. tvbrange:stringz()
Obtain a zero terminated string from a TvbRange.

11.12.4.16.1. Returns
The zero terminated string

11.12.4.17. tvbrange:bytes()
Obtain a ByteArray.

11.12.4.17.1. Returns
The ByteArray

11.
11.12.4.19.1. Arguments
offset (optional): The offset (in octets) from the beginning of the TvbRange. Defaults to 0.
length (optional): The length (in octets) of the range. Defaults to until the end of the TvbRange.

11.12.4.19.2. Returns
The TvbRange

11.12.4.20. tvbrange:len()
Obtain the length of a TvbRange.

11.12.4.21. tvbrange:offset()
Obtain the offset in a TvbRange.

11.12.4.22. tvbrange:__tostring()
Converts the TvbRange into a string.

11.13.2. Non Method Functions

11.13.2.1. get_version()
Get Wireshark version.

11.13.2.1.1. Returns
version string

11.13.2.2. format_date(timestamp)
Formats an absolute timestamp into a human readable date.

11.13.2.2.1. Arguments
timestamp: A timestamp value to convert.

11.13.2.2.2. Returns
A string with the formatted date

11.13.2.3. format_time(timestamp)
Formats a relative timestamp in a human readable form.

11.13.2.3.1. Arguments
timestamp: A timestamp value to convert

11.13.
11.13.2.6.1. Arguments
...: objects to be printed

11.13.2.7. message(...)
Will add a log entry with message severity.

11.13.2.7.1. Arguments
...: objects to be printed

11.13.2.8. info(...)
Will add a log entry with info severity.

11.13.2.8.1. Arguments
...: objects to be printed

11.13.2.9. debug(...)
Will add a log entry with debug severity.

11.13.2.9.1. Arguments
...: objects to be printed

11.13.2.10.

11.13.2.13. datafile_path([filename])

11.13.2.13.1. Arguments
filename (optional): A filename

11.13.2.13.2. Returns
The full pathname for a file in Wireshark's configuration directory

11.13.2.14. register_stat_cmd_arg(argument, [action])
Register a function to handle a -z option.

11.13.2.14.1.
Appendix A. Files and Folders

A.1. Capture Files

To understand which information will remain available after the captured packets are saved to a capture file, it's helpful to know a bit about the capture file contents. Wireshark uses the libpcap file format as the default format to save captured packets; this format has existed for a long time and it's pretty simple. However, it has some drawbacks: it's not extensible and lacks some information that would be really helpful (e.g.

• time references set with "Edit/Time Reference"
• the current display filter
• ...

A.2. Configuration Files and Folders

Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.
File/Folder: subnets
Description: IPv4 subnet name resolution.
Unix/Linux folders: /etc/subnets, $HOME/.wireshark/subnets
Windows folders: %WIRESHARK%\subnets, %APPDATA%\Wireshark\subnets

File/Folder: ipxnets
Description: IPX name resolution.
Unix/Linux folders: /etc/ipxnets, $HOME/.
Windows folders: %WIRESHARK%\ipxnets,

File/Folder: plugins
Description: Plugin directories.
Unix/Linux folders: /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins
Windows folders: %WIRESHARK%\plugins\, %APPDATA%\Wireshark\plugins

File/Folder: temp
Description: Temporary files.
cfilters
This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

    ""

The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box.

dfilters
This file contains all the display filters that you have defined and saved.

    c0-00-ff-ff-ff-ff  TR_broadcast
    00.2b.08.93.4b.a1  Freds_machine

The settings from this file are read in at program start and never written by Wireshark.

manuf
Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except addresses are three bytes long.

An example is:

    # Comments must be prepended by the # sign!
    192.168.0.0/24 ws_test_network

A partially matched name will be printed as "subnetname.remaining-address". For example, "192.168.0.1" under the subnet above would be printed as "ws_test_network.1"; if the mask length above had been 16 rather than 24, the printed address would be "ws_test_network.0.1".

The settings from this file are read in at program start and never written by Wireshark.
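The partial-match rule just described can be checked outside Wireshark. The following plain-Lua script is an added example, not part of this guide or of Wireshark's own name-resolution code; it runs under stock Lua 5.1 or later without the Wireshark API. The subnets content is constructed, and for mask lengths that do not fall on an octet boundary it prints every octet not fully covered by the mask, which is an assumption about Wireshark's behaviour rather than something this page states.

```lua
-- Added example (not from the Wireshark User's Guide): parse a "subnets" file and
-- apply the "subnetname.remaining-address" rule to individual IPv4 addresses.

-- Constructed sample file content (same format as the example above).
local SAMPLE_SUBNETS = [[
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.0.0.0/8     corp_net
]]

-- dotted quad -> 32-bit number, using arithmetic only (no bit library in Lua 5.1)
local function ip_to_num(s)
    local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    assert(a, "bad IPv4 address: " .. tostring(s))
    return ((tonumber(a) * 256 + tonumber(b)) * 256 + tonumber(c)) * 256 + tonumber(d)
end

-- parse the file into a list of { net = number, bits = number, name = string };
-- comment text after '#' and lines that do not look like "a.b.c.d/n name" are skipped
local function parse_subnets(text)
    local entries = {}
    for line in text:gmatch("[^\n]+") do
        line = line:gsub("#.*$", "")
        local net, bits, name = line:match("^%s*(%d+%.%d+%.%d+%.%d+)/(%d+)%s+(%S+)")
        if net then
            entries[#entries + 1] = { net = ip_to_num(net), bits = tonumber(bits), name = name }
        end
    end
    return entries
end

-- true when addr lies inside the /bits prefix of net
local function in_prefix(addr, net, bits)
    local shift = 2 ^ (32 - bits)
    return math.floor(addr / shift) == math.floor(net / shift)
end

-- resolve one address: the most specific matching prefix wins, and the octets not
-- fully covered by its mask are appended after the subnet name (assumed rule for
-- masks that are not a multiple of 8)
local function resolve(entries, addr_str)
    local addr = ip_to_num(addr_str)
    local best
    for _, e in ipairs(entries) do
        if in_prefix(addr, e.net, e.bits) and (not best or e.bits > best.bits) then
            best = e
        end
    end
    if not best then return addr_str end            -- no subnet known: print as-is

    local octets = { addr_str:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
    local first_remaining = math.floor(best.bits / 8) + 1
    local rest = {}
    for i = first_remaining, 4 do rest[#rest + 1] = octets[i] end
    if #rest == 0 then return best.name end         -- a /32 entry names the host itself
    return best.name .. "." .. table.concat(rest, ".")
end

local entries = parse_subnets(SAMPLE_SUBNETS)
print(resolve(entries, "192.168.0.1"))
print(resolve(entries, "10.20.30.40"))
print(resolve(entries, "172.16.0.5"))
```

Run it with a plain lua interpreter: the first address is printed in the "ws_test_network.1" form described above, the second is named under the /8 entry with three remaining octets, and the third has no matching subnet and is printed unchanged. Changing the /24 in the sample to /16 reproduces the "ws_test_network.0.1" case from the text.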
[location data]
Optional. Contains keys that will be used for variable substitution in the "location" value. For example, if the database section contains

    location = http://www.example.com/proto?cookie=${cookie}&path=${PATH}

then setting

    cookie = anonymous-user-1138

will result in the URL "http://www.example.com/proto?cookie=anonymous-user-1138&path=${PATH}". PATH is used for help path substitution, and shouldn't be defined in this section.
Right-clicking on a TCP protocol detail item will display a help menu item that displays the Wikipedia page for TCP. Right-clicking on the TCP destination or source ports will display additional help menu items that take you to the "TCP ports" section of the page.

The [location data] and ${PATH} can be omitted if they are not needed. For example, the following configuration is functionally equivalent to the previous configuration:

    [database]
    source=Wikipedia
    version=1
    location=http://en.
A.3.2. Windows 7/Vista/XP/2000/NT roaming profiles

The following will only be applicable if you are using roaming profiles. This might be the case if you work in a Windows domain environment (used in company networks). The configurations of all programs you use won't be saved on the local hard drive of the computer you are currently working on, but on the domain server.
Appendix B. Protocols and Protocol Fields

Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.
Appendix C. Wireshark Messages

Wireshark provides you with additional information generated out of the plain packet data, or it may need to indicate dissection problems. Messages generated by Wireshark are usually placed in square brackets ([]).

C.1. Packet List Messages

These messages might appear in the packet list.

C.1.1. [Malformed Packet]

Malformed packet means that the protocol dissector can't dissect the contents of the packet any further.
C.2.3. [Time from request: 0.123 seconds]

The time between the request and the response packets.

C.2.4. [Stream setup by PROTOCOL (frame 123)]

The session control protocol (SDP, H225, etc.) message which signaled the creation of this session. You can jump directly to the corresponding packet by double-clicking on this message.
Appendix D. Related command line tools

D.1. Introduction

Besides the Wireshark GUI application, there are some command line tools which can be helpful for doing some more specialized things. These tools will be described in this chapter.

D.2. tshark: Terminal-based Wireshark

TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as wireshark.
Example D.1. Help information available from TShark

    TShark 1.5.0
    Dump and analyze network traffic.
    See http://www.wireshark.org for more information.

    Copyright 1998-2011 Gerald Combs and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Usage: tshark [options] ...
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark

There are occasions when you want to capture packets using tcpdump rather than wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture).
Example D.2. Help information available from dumpcap

    Dumpcap 1.5.0
    Capture network packets and dump them into a libpcap file.
    See http://www.wireshark.org for more information.

    Usage: dumpcap [options] ...

    Capture interface:
      -i -f -s -p -I -B -y -D -L -d -S -M
    Stop conditions:
      -c -a ...
Example D.3. Help information available from capinfos

    capinfos -h
    Capinfos 1.4.0
    Prints various information (infos) about capture files.
    See http://www.wireshark.org for more information.

    Usage: capinfos [options] ...
D.6. rawshark: Dump and analyze network traffic.

Rawshark reads a stream of packets from a file or pipe, and prints a line describing its output, followed by a set of matching fields for each packet on stdout.

Example D.4. Help information available from rawshark

    $ rawshark -h
    Rawshark 1.4.0
    Dump and analyze network traffic.
    See http://www.wireshark.org for more information.

    Copyright 1998-2010 Gerald Combs and contributors.
Example D.5. Help information available from editcap

    $ editcap -h
    Editcap 1.4.0
    Edit and/or translate the format of capture files.
    See http://www.wireshark.org for more information.

    Usage: editcap [options] ... [ [-] ... ]

    and must both be present.
    A single packet or a range of packets can be selected.

    Packet selection:
      -r    keep the selected packets; default is to delete them.
      -A
      -B
Example D.6. Capture file types available from editcap

    $ editcap -F
    editcap: option requires an argument -- F
    editcap: The available capture file types for the "-F" flag are:
        libpcap - Wireshark/tcpdump/... - libpcap
        nseclibpcap - Wireshark - nanosecond libpcap
        modlibpcap - Modified tcpdump - libpcap
        nokialibpcap - Nokia tcpdump - libpcap
        rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
        suse6_3libpcap - SuSE 6.
        frelay-with-direction - Frame Relay with Directional Info
        chdlc - Cisco HDLC
        ios - Cisco IOS internal
        ltalk - Localtalk
        pflog-old - OpenBSD PF Firewall logs, pre-3.
        raw-telnet-nettl - Raw telnet with nettl headers
        usb-linux - USB packets with Linux header
        mpeg - MPEG
        ppi - Per-Packet Information header
        erf - Endace Record File
        bluetooth-h4 - Bluetooth H4 with linux header
        sita-wan - SITA WAN packets
        sccp - SS7 SCCP
        bluetooth-hci - Bluetooth without transport layer
        ipmb - Intelligent Platform Management Bus
        wpan - IEEE 802.15.
If the -s flag is used to specify a snapshot length, frames in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file. This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.
Text2pcap understands a hexdump of the form generated by od -A x -t x1. In other words, each byte is individually displayed and surrounded with a space. Each line begins with an offset describing the position in the file. The offset is a hex number (can also be octal - see -o), of more than two hex digits.
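The two passages above describe how editcap -s truncates frames to a snapshot length and which hexdump layout text2pcap accepts. The following is an added example in Python, not code from this guide or from the editcap and text2pcap sources: it parses a constructed od -A x -t x1 style hexdump into packets, applying text2pcap's rule that an offset of zero starts a new packet, writes them to a libpcap file with a snapshot length the way editcap -s does, and reads the file back to show that a truncated record still carries the original frame length in its header. The Ethernet link type, the timestamps and the packet bytes are assumptions made for this example.

```python
# Added example (not from the guide or the text2pcap/editcap sources):
# od-style hexdump -> packets -> libpcap file with a snapshot length applied.
# Assumptions: an offset of zero starts a new packet (text2pcap's rule);
# link type 1 (Ethernet); the hexdump and timestamps are constructed.
import re
import struct

# Constructed hexdump in the form produced by `od -A x -t x1`: each byte is
# surrounded by spaces and each line begins with a hex offset of more than
# two digits. Two packets: the second one starts at offset 000000 again.
HEXDUMP = """\
000000 ff ff ff ff ff ff 00 2b 08 93 4b a1 08 06 00 01
000010 08 00 06 04 00 01
000000 00 2b 08 93 4b a1 c0 00 ff ff ff ff 08 00 45 00
000010 00 14 00 00 40 00 40 01 00 00 c0 a8 00 01 c0 a8
000020 00 02
"""

# An offset is a hex number longer than two characters; lines with only
# bytes, or with no bytes at all, do not match and are ignored.
_LINE = re.compile(r"^\s*([0-9a-fA-F]{3,})((?:\s+[0-9a-fA-F]{2})+)")

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond libpcap
LINKTYPE_ETHERNET = 1


def parse_hexdump(text):
    """Return a list of packets (bytes). Offsets are honoured: zero begins a
    new packet, and a line whose offset does not continue the current packet
    is an error, since text2pcap relies on the offsets being correct."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError("offset %#x does not follow %d bytes" % (offset, len(current)))
        current += data
    if current:
        packets.append(bytes(current))
    return packets


def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a libpcap file. Like editcap -s, a frame longer
    than snaplen is written with only snaplen bytes (incl_len), while
    orig_len still records the full length of the frame on the wire."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        incl = min(len(pkt), snaplen)
        ts_sec = 1000000000 + i          # constructed timestamps, one second apart
        out += struct.pack("<IIII", ts_sec, 0, incl, len(pkt))
        out += pkt[:incl]
    return bytes(out)


def read_pcap(data):
    """Return (snaplen, [(incl_len, orig_len, payload), ...]) for a
    little-endian libpcap file such as write_pcap produces."""
    magic, _, _, _, _, snaplen, _ = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    pos, records = 24, []
    while pos < len(data):
        _, _, incl, orig = struct.unpack_from("<IIII", data, pos)
        pos += 16
        records.append((incl, orig, data[pos:pos + incl]))
        pos += incl
    return snaplen, records


if __name__ == "__main__":
    pkts = parse_hexdump(HEXDUMP)
    snaplen, recs = read_pcap(write_pcap(pkts, snaplen=16))
    for incl, orig, _ in recs:
        print("captured %d of %d bytes (snaplen %d)" % (incl, orig, snaplen))
```

When a file written this way is opened in Wireshark, the difference between incl_len and orig_len is what makes a truncated record show up as "[Packet size limited during capture]", so a reader that only honours incl_len will silently lose the tail of every oversized frame.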
Example D.10. Help information available for text2pcap

    $ text2pcap -h
    Text2pcap 1.1.4
    Generate a capture file from an ASCII hexdump of packets.
    See http://www.wireshark.org for more information.
D.10. idl2wrs: Creating dissectors from CORBA IDL files

In an ideal world idl2wrs would be mentioned in the user's guide in passing and documented in the developer's guide. As the developer's guide has not yet been completed it will be documented here.

D.10.1. What is it?

As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP.
Procedure for converting a CORBA idl file into a Wireshark dissector

1. To write the C code to stdout.

       idl2wrs

   e.g.:

       idl2wrs echo.idl

2. To write to a file, just redirect the output.

       idl2wrs echo.idl > packet-test-idl.c

   You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.

   If you don't want to use the shell script wrapper, then try steps 3 or 4 instead.

3. To write the C code to stdout.
       make

8. Good Luck !!

D.10.4. TODO

1. Exception code not generated (yet), but can be added manually.
2. Enums not converted to symbolic values (yet), but can be added manually.
3. Add command line options etc.
4. More I am sure :-)

D.10.5. Limitations

See the TODO list inside packet-giop.c

D.10.6. Notes

1. The "-p ./" option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory.
Appendix E. This Document's License (GPL)

As with the original license and documentation distributed with Wireshark, this document is covered by the GNU General Public License (GNU GPL). If you haven't read the GPL before, please do so. It explains all the things that you are allowed to do with this code and documentation.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0.
distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc.