1 <!-- EUG Chapter Customizing -->
4 <chapter id="ChapterCustomize">
5 <title>Customizing Ethereal</title>
7 <section id="ChCustIntroduction"><title>Introduction</title>
9 Ethereal's default behaviour will usually suit your needs pretty well.
10 However, as you become more familiar with Ethereal, it can be customized
11 in various ways to suit your needs even better. In this chapter we explore:
15 How to start Ethereal with command line parameters
20 How to colorize the <application>Ethereal</application> display
25 How to use the various preference settings
32 <section id="ChCustCommandLine"><title>Start Ethereal from the command line</title>
34 You can start <application>Ethereal</application> from the command
35 line, but it can also be started from most Window managers
36 as well. In this section we will look at starting it from the command
40 <application>Ethereal</application> supports a large number of
41 command line parameters. To see what they are, simply enter the
42 command <command> ethereal -h</command> and the help information
43 shown in <xref linkend="ChCustEx1"/> (or something similar) should be
45 <example id="ChCustEx1">
46 <title>Help information available from Ethereal</title>
48 This is GNU ethereal 0.10.5
49 Compiled with GTK+ 2.4.3, with GLib 2.4.2, with WinPcap (version unknown),
50 with libz 1.2.1, with libpcre 4.4, with Net-SNMP 5.1, with ADNS.
52 Running with WinPcap version 3.0 (packet.dll version 3, 1, 0, 20), based
53 on libpcap version 0.8 on Windows XP Service Pack 1, build 2600.
55 ethereal [ -vh ] [ -klLnpQS ] [ -a <capture autostop condition> ] ...
56 [ -b <number of ringbuffer files>[:<duration>] ]
57 [ -B <byte view height> ] [ -c <count> ] [ -f <capture filter> ]
58 [ -i <interface> ] [ -m <medium font> ] [ -N <resolving> ]
59 [ -o <preference setting> ] ... [ -P <packet list height> ]
60 [ -r <infile> ] [ -R <read filter> ] [ -s <snaplen> ]
61 [ -t <time stamp format> ] [ -T <tree view height> ]
62 [ -w <savefile> ] [ -y <link type> ] [ -z <statistics string> ]
67 We will examine each of the command line options in turn.
70 The first thing to notice is that issuing the command
71 <command>ethereal</command> by itself will bring up
72 <application>Ethereal</application>.
73 However, you can include as many of the command line parameters as
74 you like. Their meanings are as follows ( in alphabetical order ):
75 XXX - is the alphabetical order a good choice? Maybe better task based?
77 <varlistentry><term><command>-a <capture autostop condition></command></term>
80 Specify a criterion that specifies when Ethereal is to stop writing
81 to a capture file. The criterion is of the form test:value, where test
84 <varlistentry><term><command>duration</command></term>
86 Stop writing to a capture file after value of seconds have elapsed.
89 <varlistentry><term><command>filesize</command></term>
91 Stop writing to a capture file after it reaches a size of value
92 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
99 <varlistentry><term><command>-b <number of ringbuffer files></command></term>
102 If a maximum capture file size was specified, cause Ethereal to run
103 in "ring buffer" mode, with the specified number of files. In "ring
104 buffer" mode, Ethereal will write to several capture files. Their
105 name is based on the number of the file and on the creation date and
109 When the first capture file fills up, Ethereal will switch to writing
110 to the next file, until it fills up the last file, at which point
111 it'll discard the data in the first file (unless 0 is specified, in
112 which case, the number of files is unlimited) and start writing to
116 If the optional duration is specified, Ethereal will switch also to
117 the next file when the specified number of seconds has elapsed even
118 if the current file is not completely fills up.
122 <varlistentry><term><command>-B <byte view height></command></term>
125 This option sets the initial height of the "Packet Bytes" pane.
126 This pane is usually the bottom pane in the Ethereal display.
130 <varlistentry><term><command>-c <count></command></term>
133 This option specifies the maximum number of packets to capture
134 when capturing live data. It would be used in conjunction
135 with the <command>-k</command> option.
139 <varlistentry><term><command>-f <capture filter></command></term>
142 This option sets the initial capture filter expression to
143 be used when capturing packets.
147 <varlistentry><term><command>-h</command></term>
150 The <command>-h</command> option requests Ethereal to print
151 its version and usage instructions (as shown above) and exit.
155 <varlistentry><term><command>-i <interface></command></term>
158 The <command>-i</command> option allows you to specify,
159 from the command line, which interface packet capture should
160 occur on if capturing packets.
163 An example would be: <command>ethereal -i eth0</command>.
166 To get a listing of all the interfaces you can capture on,
167 use the command <command>ifconfig -a</command> or
168 <command>netstat -i</command>. Unfortunately, some versions of
169 UNIX do not support <command>ifconfig -a</command>, so you
170 will have to use <command>netstat -i</command> in these cases.
174 <varlistentry><term><command>-k</command></term>
177 The <command>-k</command> option specifies that Ethereal
178 should start capturing packets immediately. This option
179 requires the use of the <command>-i</command> parameter to
180 specify the interface that packet capture will occur from.
184 <varlistentry><term><command>-l</command></term>
187 This option turns on automatic scrolling if the packet
188 list pane is being updated automatically as packets arrive
189 during a capture ( as specified by the <command>-S</command>
194 <varlistentry><term><command>-L</command></term>
197 List the data link types supported by the interface and exit.
201 <varlistentry><term><command>-m <medium font></command></term>
204 This option sets the name of the font used for most text
205 displayed by Ethereal. XXX - add an example!
209 <varlistentry><term><command>-n</command></term>
212 Disable network object name resolution (such as hostname, TCP and UDP
217 <varlistentry><term><command>-N <resolving></command></term>
220 Turns on name resolving for particular types of addresses
221 and port numbers; the argument is a string that may contain
222 the letters <command>m</command> to enable MAC address
223 resolution, <command>n</command> to enable network address
224 resolution, and <command>t</command> to enable transport-layer
225 port number resolution. This overrides <command>-n</command>
226 if both <command>-N</command> and <command>-n</command> are
227 present. The letter C enables concurrent (asynchronous) DNS lookups.
232 <term><command>-o <preference settings></command></term>
235 Sets a preference value, overriding the default value and
236 any value read from a preference file. The argument to the
237 flag is a string of the form prefname:value, where prefname
238 is the name of the preference (which is the same name that
239 would appear in the preference file), and value is the value
240 to which it should be set. Multiple instances of
241 <command>-o <preference settings> </command> can be
242 given on a single command line.
244 <para>An example of setting a single preference would be: </para>
247 ethereal -o mgcp.display_dissect_tree:TRUE
251 An example of setting multiple preferences would be:
255 ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
258 <tip><title>Tip!</title>
260 You can get a list of all available preference strings from the
261 preferences file, see <xref linkend="AppFiles"/>.
266 <varlistentry><term><command>-p</command></term>
269 Don't put the interface into promiscuous mode. Note that
270 the interface might be in promiscuous mode for some other
271 reason; hence, -p cannot be used to ensure that the only
272 traffic that is captured is traffic sent to or from the
273 machine on which Ethereal is running, broadcast traffic, and
274 multicast traffic to addresses received by that machine.
279 <term><command>-P <packet list height></command></term>
282 This option sets the initial height of the "Packet List" pane,
287 <varlistentry><term><command>-Q</command></term>
290 This option forces Ethereal to exit when capturing is
291 complete. It can be used with the <command>-c</command> option.
292 It must be used in conjunction with the
293 <command>-i</command> and <command>-w</command> options.
297 <varlistentry><term><command>-r <infile></command></term>
300 This option provides the name of a capture file for Ethereal
301 to read and display. This capture file can be in one of the
302 formats Ethereal understands.
306 <varlistentry><term><command>-R <read filter></command></term>
309 This option specifies a display filter to be applied when
310 reading packets from a capture file. The syntax of this
311 filter is that of the display filters discussed in
312 <xref linkend="ChWorkDisplayFilterSection"/>. Packets not
313 matching the filter are discarded.
317 <varlistentry><term><command>-s <snaplen></command></term>
320 This option specifies the snapshot length to use when
321 capturing packets. Ethereal will only capture
322 <command><snaplen></command> bytes of data for each packet.
326 <varlistentry><term><command>-S</command></term>
329 This option specifies that Ethereal will display packets as
330 it captures them. This is done by capturing in one process
331 and displaying them in a separate process. This is the same
332 as "Update list of packets in real time" in the Capture Options
338 <term><command>-t <time stamp format></command></term>
341 This option sets the format of packet timestamps that are
342 displayed in the packet list window. The format can be one of:
346 <command>r</command> relative, which specifies timestamps are
347 displayed relative to the first packet captured.
352 <command>a</command> absolute, which specifies that actual times
353 be displayed for all packets.
358 <command>ad</command> absolute with date, which specifies that
359 actual dates and times be displayed for all packets.
364 <command>d</command> delta, which specifies that timestamps
365 are relative to the previous packet.
373 <term><command>-T <tree view height></command></term>
376 This option sets the initial height of the "Packet Details" pane.
380 <varlistentry><term><command>-v</command></term>
383 The <command>-v</command> option requests
384 Ethereal to print out its version information and exit.
388 <varlistentry><term><command>-w <savefile></command></term>
391 This option sets the name of the <command>savefile</command>
392 to be used when saving a capture file.
396 <varlistentry><term><command>-y <link type></command></term>
399 If a capture is started from the command line with -k, set the data
400 link type to use while capturing packets. The values reported by -L
401 are the values that can be used.
405 <varlistentry><term><command>-z <statistics-string></command></term>
408 Get Ethereal to collect various types of statistics and display the
409 result in a window that updates in semi-real time.
410 XXX - add more details here!
418 <section id="ChCustColorizationSection"><title>Packet colorization</title>
420 A very useful mechanism available in Ethereal is packet colorization.
421 You can set Ethereal up so that it colorizes packets according to a
422 filter. This allows you to emphasize the packets you are interested in.
425 To colorize packets, select the Coloring Rules... menu item from
426 the View menu, and Ethereal will pop up the "Coloring Rules"
427 dialog box as shown in <xref linkend="ChCustColoringRulesDialog"/>.
429 <figure id="ChCustColoringRulesDialog">
430 <title>The "Coloring Rules" dialog box</title>
431 <graphic entityref="EtherealColoringRulesDialog" format="PNG"/>
434 Once the Coloring Rules dialog box is up, there are a number
435 of buttons you can use, depending on whether or not you have any
436 color filters installed already.
438 <note><title>Note!</title>
440 You will need to carefully select the order that rules are listed
441 (and thus applied) as they are applied in order from top to bottom.
442 So, more specific rules need to be listed before more general rules.
443 For example, if you have a color rule for UDP before the one for DNS,
444 the color rule for DNS will never be applied (as DNS uses UDP, so the
445 UDP rule will be matching first).
449 If this is the first time you have used Coloring Rules, click on the New
450 button which will bring up the Edit color filter dialog box as shown in
451 <xref linkend="ChCustEditColorDialog"/>.
453 <figure id="ChCustEditColorDialog">
454 <title>The "Edit Color Filter" dialog box</title>
455 <graphic entityref="EtherealEditColorDialog" format="PNG"/>
458 In the Edit Color dialog box, simply enter a name for the color filter,
459 and enter a filter string in the Filter text field.
460 <xref linkend="ChCustEditColorDialog"/> shows the values
461 <command>arp</command> and <command>arp</command> which means that
462 the name of the color filter is <command>arp</command> and the filter
463 will select protocols of type <command>arp</command>. Once you have
464 entered these values, you can choose a foreground and background
465 color for packets that match the filter expression. Click on
466 <command>Foreground color...</command> or
467 <command>Background color...</command> to achieve this and
468 Ethereal will pop up the Choose foreground/background color for
469 protocol dialog box as shown in
470 <xref linkend="ChCustChooseColorDialog"/>.
472 <figure id="ChCustChooseColorDialog">
473 <title>The "Choose color" dialog box</title>
474 <graphic entityref="EtherealChooseColorDialog" format="PNG"/>
477 Select the color you desire for the selected packets and click on OK.
482 You must select a color in the colorbar next to the colorwheel to
483 load values into the RGB values. Alternatively, you can set the
484 values to select the color you want.
488 <xref linkend="ChCustColorFilterMany"/> shows an example of several color
489 filters being used in Ethereal. You may not like the color choices,
490 however, feel free to choose your own.
492 <figure id="ChCustColorFilterMany">
493 <title>Using color filters with Ethereal</title>
494 <graphic entityref="EtherealThreePane1" format="PNG"/>
498 <section id="ChCustProtocolDissectionSection">
499 <title>Control Protocol dissection</title>
501 There are some ways, to let the user control how protocols are
505 Each protocol has its own dissector, so dissecting a packet will
506 typically involve several dissectors. As Ethereal tries to find the
507 right dissector for each packet (using static "routes" and heuristics
508 "guessing"), it might choose the wrong dissector in your specific
509 case. For example, Ethereal won't know if you use a common protocol
510 on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
511 the standard port 80.
514 There are two ways to control the relations between protocol
515 dissectors: disable a protocol dissector completely or temporarily
516 divert the way Ethereal calls the dissectors.
518 <section id="ChAdvEnabledProtocols"><title>The "Enabled Protocols" dialog
521 The Enabled Protocols dialog box lets you enable or
522 disable specific protocols, all protocols are enabled by default.
523 When a protocol is disabled, Ethereal stops processing a packet
524 whenever that protocol is encountered.
526 <note><title>Note!</title>
528 Disabling a protocol will prevent information about higher-layer
529 protocols from being displayed. For example,
530 suppose you disabled the IP protocol and selected
531 a packet containing Ethernet, IP, TCP, and HTTP
532 information. The Ethernet information would be
533 displayed, but the IP, TCP and HTTP information
534 would not - disabling IP would prevent it and
535 the other protocols from being displayed.
538 <figure id="ChAdvEnabledProtocolsFig">
539 <title>The "Enabled Protocols" dialog box</title>
540 <graphic entityref="EtherealEnabledProtocols" format="PNG"/>
543 To disable or enable a protocol, simply click on it using the
544 mouse or press the space bar when the protocol is highlighted.
546 <warning><title>Warning!</title>
548 You have to use the Save button to save your settings. The OK or Apply
549 buttons will not save your changes, so they will be lost when Ethereal
554 You can choose from the following actions:
558 <command>Enable All</command> Enable all protocols in the list.
563 <command>Disable All</command> Disable all protocols in the list.
568 <command>Invert</command> Toggle the state of all protocols in the
574 <command>OK</command> Apply the changes and close the dialog box.
579 <command>Apply</command> Apply the changes and keep the dialog box
585 <command>Save</command> Save the settings to the disabled_protos, see
586 <xref linkend="AppFiles"/> for details.
591 <command>Cancel</command> Cancel the changes and close the dialog box.
598 <section id="ChAdvDecodeAs"><title>User Specified Decodes</title>
600 The "Decode As" functionality let you temporarily divert specific
601 protocol dissections. This might be useful for example, if you do some
602 uncommon things on your network.
605 <figure id="ChAdvDecodeAsFig">
606 <title>The "Decode As" dialog box</title>
607 <graphic scale="100" entityref="EtherealDecodeAs" format="PNG"/>
609 The content of this dialog box depends on the selected packet when it
611 <warning><title>Warning!</title>
613 The user specified decodes can not be saved. If you quit Ethereal,
614 these settings will be lost.
620 <command>Decode</command> Decode packets the selected way.
625 <command>Do not decode</command> Do not decode packets the selected
631 <command>Link/Network/Transport</command> Specify the way to decode
632 packets. Which of these pages are available, depends on the content
633 of the selected packet when this dialog box was opened.
638 <command>Show Current</command> Open a dialog box showing the
639 current list of user specified decodes.
644 <command>OK</command> Apply the currently selected decode and close
650 <command>Apply</command> Apply the currently selected decode and keep
656 <command>Cancel</command> Cancel the changes and close the dialog box.
663 <section id="ChAdvDecodeAsShow"><title>Show User Specified Decodes</title>
665 This dialog box shows the currently active user specified decodes.
666 <figure id="ChAdvDecodeAsShowFig">
667 <title>The "Decode As: Show" dialog box</title>
668 <graphic entityref="EtherealDecodeAsShow" format="PNG"/>
673 <command>OK</command> Close this dialog box.
678 <command>Clear</command> Removes all user specified decodes.
686 <section id="ChCustPreferencesSection"><title>Preferences</title>
688 There are a number of preferences you can set. Simply
689 select the Preferences... menu item from the Edit menu, and Ethereal
690 will pop up the Preferences dialog box as shown in
691 <xref linkend="ChCustGUIPrefPage"/>, with the "User Interface" page as
692 default. On the left side is a tree where you can select the page to be
693 shown. XXX - add detailed descriptions of all the preferences pages.
695 <title>Warning!</title>
697 The OK or Apply button will not save the preference settings,
698 you'll have to save the settings by clicking the Save button.
704 The <command>OK</command> button will apply the preferences
705 settings and close the dialog.
710 The <command>Apply</command> button will apply the preferences
711 settings and keep the dialog open.
716 The <command>Save</command> button will apply the preferences
717 settings, save the settings on the harddisk and keep the dialog open.
722 The <command>Cancel</command> button will restore all preferences
723 settings to the last saved state.
728 <section><title>The "User Interface" page</title>
729 <figure id="ChCustGUIPrefPage">
730 <title>The "User Interface" preferences page</title>
731 <graphic entityref="EtherealGUIPreferences" format="PNG"/>
734 This page allows you to configure various characteristics
738 <section><title>The "User Interface: Layout" page</title>
739 <figure id="ChCustGUILayoutPrefPage">
740 <title>The "User Interface: Layout" preferences page</title>
741 <graphic entityref="EtherealGUILayoutPreferences" format="PNG"/>
744 This page selects the GUI layout of the main window.
747 <section><title>The "User Interface: Columns" page</title>
749 <figure id="ChCustGUIColumnsPrefPage">
750 <title>The "User Interface: Columns" preferences page</title>
751 <graphic entityref="EtherealGUIColumnsPreferences" format="PNG"/>
753 This page allows you to select which columns appear in the
756 <note><title>Note!</title>
758 Unlike all other preference changes, you will have to save the
759 preferences and restart Ethereal in order for column changes to
765 <section><title>The "User Interface: Font" page</title>
767 <figure id="ChCustGUIFontPrefPage">
768 <title>The "User Interface: Font" preferences page</title>
769 <graphic entityref="EtherealGUIFontPreferences" format="PNG"/>
771 This page allows you to select which font to use.
775 <section><title>The "User Interface: Colors" page</title>
777 <figure id="ChCustGUIColrsPrefPage">
778 <title>The "User Interface: Colors" preferences page</title>
779 <graphic entityref="EtherealGUIColorsPreferences" format="PNG"/>
781 This page allows you to select which colors to use.
785 <section><title>The "Capture" page</title>
787 <figure id="ChCustCapturePrefPage">
788 <title>The "Capture" preferences page</title>
789 <graphic entityref="EtherealCapturePreferences" format="PNG"/>
791 This page allows you to select some defaults for the capture options dialog.
795 <section><title>The "Printing" page</title>
797 <figure id="ChCustPrintingPrefPage">
798 <title>The "Printing" preferences page</title>
799 <graphic entityref="EtherealPrintingPreferences" format="PNG"/>
801 This page allows you to select some defaults for the print dialog.
805 <section><title>The "Name Resolution" page</title>
807 <figure id="ChCustNameResolutionPrefPage">
808 <title>The "Name Resolution" preferences page</title>
809 <graphic entityref="EtherealNameResolutionPreferences" format="PNG"/>
811 This page allows you to select some defaults for the name resolution.
815 <section id="ChCustProtocolsPrefPages"><title>The "Protocols" pages</title>
817 These pages allows you to select settings for various protocols.
823 <!-- End of EUG Chapter Customizing -->
git.samba.org / obnox / wireshark / wip.git / blob