<!-- WSUG Chapter Three -->
<chapter id="ChapterUsing">
<title>User Interface</title>
<section id="ChUseIntroductionSection"><title>Introduction</title>
By now you have installed <application>Wireshark</application> and
are most likely keen to get started capturing your first packets. In
the next chapters we will explore:
How the Wireshark user interface works
How to capture packets in <application>Wireshark</application>
How to view packets in <application>Wireshark</application>
How to filter packets in <application>Wireshark</application>
... and many other things!
<section id="ChUseStartSection"><title>Start Wireshark</title>
You can start Wireshark from your shell or window manager.
<tip><title>Tip!</title>
When starting Wireshark it's possible to specify optional settings using
the command line. See <xref linkend="ChCustCommandLine"/> for details.
<note><title>Note!</title>
In the following chapters, a lot of screenshots from Wireshark will be shown.
Wireshark runs on many different platforms, with many different window
managers, styles and versions of the underlying GUI toolkit, so your screen
might look different from the provided screenshots. As there are no real
differences in functionality, the screenshots should still be easy to follow.
<section id="ChUseMainWindowSection"><title>The Main window</title>
Let's look at Wireshark's user interface. <xref linkend="ChUseFig01"/> shows
Wireshark as you would usually see it after some packets are captured or loaded
(how to do this will be described later).
<figure id="ChUseFig01">
<title>The Main window</title>
<graphic scale="100" entityref="WiresharkThreePane1" format="PNG"/>
Wireshark's main window consists of parts that are commonly known from many
The <emphasis>menu</emphasis> (see <xref linkend="ChUseMenuSection"/>)
is used to start actions.
The <emphasis>main toolbar</emphasis> (see <xref linkend="ChUseMainToolbarSection"/>)
provides quick access to frequently used items from the menu.
The <emphasis>filter toolbar</emphasis> (see <xref linkend="ChUseFilterToolbarSection"/>)
provides a way to directly manipulate the currently used display filter
(see <xref linkend="ChWorkDisplayFilterSection"/>).
The <emphasis>packet list pane</emphasis> (see <xref linkend="ChUsePacketListPaneSection"/>)
displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
The <emphasis>packet details pane</emphasis> (see <xref linkend="ChUsePacketDetailsPaneSection"/>)
displays the packet selected in the packet list pane in more detail.
The <emphasis>packet bytes pane</emphasis> (see <xref linkend="ChUsePacketBytesPaneSection"/>)
displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
The <emphasis>statusbar</emphasis> (see <xref linkend="ChUseStatusbarSection"/>)
shows some detailed information about the current program state and
<tip><title>Tip!</title>
The layout of the main window can be customized by changing preference settings.
See <xref linkend="ChCustPreferencesSection"/> for details!
<section id="ChUseMainWindowNavSection"><title>Main Window Navigation</title>
Packet list and detail navigation can be done entirely from the
keyboard. <xref linkend="ChUseTabNav"/> shows a list of keystrokes
that will let you quickly move around a capture file. See
<xref linkend="ChUseTabGo"/> for additional navigation keystrokes.
<table id="ChUseTabNav" frame="none">
<title>Keyboard Navigation</title>
<colspec colnum="1" colwidth="72pt"/>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry>Tab, Shift+Tab</entry>
Move between screen elements, e.g. from the toolbars
to the packet list to the packet detail.
Move to the next packet or detail item.
Move to the previous packet or detail item.
<entry>Ctrl+Down, F8</entry>
Move to the next packet, even if the packet
<entry>Ctrl+Up, F7</entry>
Move to the previous packet, even if the packet
<entry>Ctrl+.</entry>
Move to the next packet of the conversation
<entry>Ctrl+,</entry>
Move to the previous packet of the conversation
In the packet detail, closes the selected tree item.
If it's already closed, jumps to the parent node.
In the packet detail, opens the selected tree item.
<entry>Shift+Right</entry>
In the packet detail, opens the selected tree item
and all of its subtrees.
<entry>Ctrl+Right</entry>
In the packet detail, opens all tree items.
<entry>Ctrl+Left</entry>
In the packet detail, closes all tree items.
<entry>Backspace</entry>
In the packet detail, jumps to the parent node.
<entry>Return, Enter</entry>
In the packet detail, toggles the selected
Additionally, typing anywhere in the main window will start filling
<section id="ChUseMenuSection"><title>The Menu</title>
The Wireshark menu sits at the top of the Wireshark window.
An example is shown in <xref linkend="ChUseWiresharkMenu"/>.
<note><title>Note!</title>
Menu items will be greyed out if the corresponding feature isn't
available. For example, you cannot save a capture file if you haven't
captured or loaded any data.
<figure id="ChUseWiresharkMenu"><title>The Menu</title>
<graphic entityref="WiresharkMenuOnly" format="PNG"/>
It contains the following items:
<varlistentry><term><command>File</command></term>
This menu contains items to open and merge capture files,
save / print / export capture files in whole or in part,
and to quit from Wireshark. See <xref linkend="ChUseFileMenuSection"/>.
<varlistentry><term><command>Edit</command></term>
This menu contains items to find a packet, time reference or mark one
or more packets, handle configuration profiles, and set your preferences
(cut, copy, and paste are not presently implemented).
See <xref linkend="ChUseEditMenuSection"/>.
<varlistentry><term><command>View</command></term>
<para>This menu controls the display of the captured data,
including colorization of packets, zooming the font,
showing a packet in a separate window, expanding and collapsing trees in packet details, and more.
See <xref linkend="ChUseViewMenuSection"/>.
<varlistentry><term><command>Go</command></term>
<para>This menu contains items to go to a specific packet.
See <xref linkend="ChUseGoMenuSection"/>.
<varlistentry><term><command>Capture</command></term>
<para>This menu allows you to start and stop captures and to edit capture filters.
See <xref linkend="ChUseCaptureMenuSection"/>.
<varlistentry><term><command>Analyze</command></term>
This menu contains items to manipulate display filters, enable or
disable the dissection of protocols, configure user specified decodes
and follow a TCP stream.
See <xref linkend="ChUseAnalyzeMenuSection"/>.
<varlistentry><term><command>Statistics</command></term>
This menu contains items to display various statistic windows,
including a summary of the packets that have been captured,
display protocol hierarchy statistics and much more.
See <xref linkend="ChUseStatisticsMenuSection"/>.
<varlistentry><term><command>Telephony</command></term>
This menu contains items to display various telephony related
statistic windows, including a media analysis, flow diagrams,
display protocol hierarchy statistics and much more.
See <xref linkend="ChUseTelephonyMenuSection"/>.
<varlistentry><term><command>Tools</command></term>
This menu contains various tools available in Wireshark, such as
creating Firewall ACL Rules.
See <xref linkend="ChUseToolsMenuSection"/>.
<varlistentry><term><command>Internals</command></term>
This menu contains items that show information about the internals
See <xref linkend="ChUseInternalsMenuSection"/>.
<varlistentry><term><command>Help</command></term>
This menu contains items to help the user, e.g. access to some basic
help, manual pages of the various command line tools, online access
to some of the webpages, and the usual about dialog.
See <xref linkend="ChUseHelpMenuSection"/>.
Each of these menu items is described in more detail in the sections
<tip><title>Tip!</title>
You can access menu items directly or by pressing the corresponding
accelerator keys which are shown at the right side of the
menu. For example, you can press the Control (or Strg in German) and the K
keys together to open the capture dialog.
<section id="ChUseFileMenuSection"><title>The "File" menu</title>
The Wireshark file menu contains the fields shown in
<xref linkend="ChUseTabFile"/>.
<figure id="ChUseWiresharkFileMenu">
<title>The "File" Menu</title>
<graphic entityref="WiresharkFileMenu" format="PNG"/>
<table id="ChUseTabFile" frame="none"><title>File menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Open...</command></entry>
<entry>Ctrl+O</entry>
This menu item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in <xref linkend="ChIOOpen"/>.
<entry><command>Open Recent</command></entry>
This menu item shows a submenu containing the recently opened
capture files. Clicking on one of the submenu items will open the
corresponding capture file directly.
<entry><command>Merge...</command></entry>
This menu item brings up the merge file dialog box that
allows you to merge a capture file into the currently loaded one.
It is discussed in more detail in <xref linkend="ChIOMergeSection"/>.
<entry><command>Import...</command></entry>
This menu item brings up the import file dialog box that
allows you to import a text file into a new temporary capture.
It is discussed in more detail in <xref linkend="ChIOImportSection"/>.
<entry><command>Close</command></entry>
<entry>Ctrl+W</entry>
This menu item closes the current capture. If you
haven't saved the capture, you will be asked to do so first
(this can be disabled by a preference setting).
<entry><command>------</command></entry>
<entry><command>Save</command></entry>
<entry>Ctrl+S</entry>
This menu item saves the current capture. If you
have not set a default capture file name (perhaps with
the -w &lt;capfile&gt; option), Wireshark pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
If you have already saved the current capture, this
menu item will be greyed out.
You cannot save a live capture while the capture is in
progress. You must stop the capture in order to
<entry><command>Save As...</command></entry>
<entry>Shift+Ctrl+S</entry>
This menu item allows you to save the current capture
file to whatever file you would like. It pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
<entry><command>------</command></entry>
<entry><command>File Set > List Files</command></entry>
This menu item allows you to show a list of files in a file set.
It pops up the Wireshark List File Set dialog box (which is
discussed further in <xref linkend="ChIOFileSetSection"/>).
<entry><command>File Set > Next File</command></entry>
If the currently loaded file is part of a file set, jump to the
next file in the set. If it isn't part of a file set or is the
last file in that set, this item is greyed out.
<entry><command>File Set > Previous File</command></entry>
If the currently loaded file is part of a file set, jump to the
previous file in the set. If it isn't part of a file set or is
the first file in that set, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Export > File...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSection"/>).
<entry><command>Export > Selected Packet Bytes...</command></entry>
<entry>Ctrl+H</entry>
This menu item allows you to export the currently selected bytes
in the packet bytes pane to a binary file. It pops up the
Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSelectedDialog"/>).
<entry><command>Export > Objects > HTTP</command></entry>
This menu item allows you to export all or some of the captured HTTP objects
into local files. It pops up the Wireshark HTTP object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>Export > Objects > DICOM</command></entry>
This menu item allows you to export all or some of the captured DICOM objects
into local files. It pops up the Wireshark DICOM object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>Export > Objects > SMB</command></entry>
This menu item allows you to export all or some of the captured SMB objects
into local files. It pops up the Wireshark SMB object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>------</command></entry>
<entry><command>Print...</command></entry>
<entry>Ctrl+P</entry>
This menu item allows you to print all (or some) of the packets in
the capture file. It pops up the Wireshark Print dialog
box (which is discussed further in
<xref linkend="ChIOPrintSection"/>).
<entry><command>------</command></entry>
<entry><command>Quit</command></entry>
<entry>Ctrl+Q</entry>
This menu item allows you to quit from Wireshark.
Wireshark will ask to save your capture file if you haven't previously saved
it (this can be disabled by a preference setting).
<section id="ChUseEditMenuSection"><title>The "Edit" menu</title>
The Wireshark Edit menu contains the fields shown in
<xref linkend="ChUseTabEdit"/>.
<figure id="ChUseWiresharkEditMenu">
<title>The "Edit" Menu</title>
<graphic entityref="WiresharkEditMenu" format="PNG"/>
<table id="ChUseTabEdit" frame="none">
<title>Edit menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Copy > Description</command></entry>
<entry>Shift+Ctrl+D</entry>
This menu item will copy the description of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Fieldname</command></entry>
<entry>Shift+Ctrl+F</entry>
This menu item will copy the fieldname of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Value</command></entry>
<entry>Shift+Ctrl+V</entry>
This menu item will copy the value of the selected item
in the detail view to the clipboard.
<entry><command>Copy > As Filter</command></entry>
<entry>Shift+Ctrl+C</entry>
This menu item will use the selected item in the detail view to
create a display filter. This display filter is then copied to
<entry><command>------</command></entry>
<entry><command>Find Packet...</command></entry>
<entry>Ctrl+F</entry>
This menu item brings up a dialog box that allows you
to find a packet by many criteria.
There is further information on finding packets in
<xref linkend="ChWorkFindPacketSection"/>.
<entry><command>Find Next</command></entry>
<entry>Ctrl+N</entry>
This menu item tries to find the next packet matching the
settings from "Find Packet...".
<entry><command>Find Previous</command></entry>
<entry>Ctrl+B</entry>
This menu item tries to find the previous packet matching the
settings from "Find Packet...".
<entry><command>------</command></entry>
<entry><command>Mark Packet (toggle)</command></entry>
<entry>Ctrl+M</entry>
This menu item "marks" the currently selected packet. See
<xref linkend="ChWorkMarkPacketSection"/> for details.
<entry><command>Toggle Marking Of All Displayed Packets</command></entry>
<entry>Shift+Ctrl+Alt+M</entry>
This menu item toggles the mark on all displayed packets.
<entry><command>Mark All Displayed Packets</command></entry>
<entry>Shift+Ctrl+M</entry>
This menu item "marks" all displayed packets.
<entry><command>Unmark All Displayed Packets</command></entry>
<entry>Ctrl+Alt+M</entry>
This menu item "unmarks" all displayed packets.
<entry><command>Find Next Mark</command></entry>
<entry>Shift+Ctrl+N</entry>
Find the next marked packet.
<entry><command>Find Previous Mark</command></entry>
<entry>Shift+Ctrl+B</entry>
Find the previous marked packet.
<entry><command>------</command></entry>
<entry><command>Ignore Packet (toggle)</command></entry>
<entry>Ctrl+D</entry>
This menu item marks the currently selected packet as ignored.
See <xref linkend="ChWorkIgnorePacketSection"/> for details.
<entry><command>Ignore All Displayed Packets (toggle)</command></entry>
<entry>Shift+Ctrl+D</entry>
This menu item marks all displayed packets as ignored.
<entry><command>Un-Ignore All Packets</command></entry>
<entry>Ctrl+Alt+D</entry>
This menu item unmarks all ignored packets.
<entry><command>------</command></entry>
<entry><command>Set Time Reference (toggle)</command></entry>
<entry>Ctrl+T</entry>
This menu item sets a time reference on the currently selected
packet. See <xref linkend="ChWorkTimeReferencePacketSection"/> for more information
about time referenced packets.
<entry><command>Un-Time Reference All Packets</command></entry>
<entry>Ctrl+Alt+T</entry>
This menu item removes all time references on the packets.
<entry><command>Find Next Time Reference</command></entry>
<entry>Ctrl+Alt+N</entry>
This menu item tries to find the next time referenced packet.
<entry><command>Find Previous Time Reference</command></entry>
<entry>Ctrl+Alt+B</entry>
This menu item tries to find the previous time referenced packet.
<entry><command>------</command></entry>
<entry><command>Configuration Profiles...</command></entry>
<entry>Shift+Ctrl+A</entry>
This menu item brings up a dialog box for handling configuration
profiles. More detail is provided in
<xref linkend="ChCustConfigProfilesSection"/>.
<entry><command>Preferences...</command></entry>
<entry>Shift+Ctrl+P</entry>
This menu item brings up a dialog box that allows
you to set preferences for many parameters that control
Wireshark. You can also save your preferences so Wireshark
will use them the next time you start it. More detail
is provided in <xref linkend="ChCustPreferencesSection"/>.
<section id="ChUseViewMenuSection"><title>The "View" menu</title>
The Wireshark View menu contains the fields shown in
<xref linkend="ChUseTabView"/>.
<figure id="ChUseWiresharkViewMenu">
<title>The "View" Menu</title>
<graphic entityref="WiresharkViewMenu" format="PNG"/>
<table id="ChUseTabView" frame="none">
<title>View menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Main Toolbar</command></entry>
This menu item hides or shows the main toolbar, see
<xref linkend="ChUseMainToolbarSection"/>.
<entry><command>Filter Toolbar</command></entry>
This menu item hides or shows the filter toolbar, see
<xref linkend="ChUseFilterToolbarSection"/>.
<entry><command>Wireless Toolbar (Windows only)</command></entry>
This menu item hides or shows the wireless toolbar. See
the AirPcap documentation for more information.
<entry><command>Statusbar</command></entry>
This menu item hides or shows the statusbar, see
<xref linkend="ChUseStatusbarSection"/>.
<entry><command>------</command></entry>
<entry><command>Packet List</command></entry>
This menu item hides or shows the packet list pane, see
<xref linkend="ChUsePacketListPaneSection"/>.
<entry><command>Packet Details</command></entry>
This menu item hides or shows the packet details pane, see
<xref linkend="ChUsePacketDetailsPaneSection"/>.
<entry><command>Packet Bytes</command></entry>
This menu item hides or shows the packet bytes pane, see
<xref linkend="ChUsePacketBytesPaneSection"/>.
<entry><command>------</command></entry>
<entry><command>Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display the
time stamps in date and time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Time of Day", "Date and Time of
Day", "Seconds Since Beginning of Capture", "Seconds Since
Previous Captured Packet" and "Seconds Since Previous
Displayed Packet" are mutually exclusive.
<entry><command>Time Display Format > Time of Day: 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Epoch (1970-01-01): 1234567890.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since 1970-01-01 00:00:00, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Beginning of Capture: 123.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in seconds since beginning of capture format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Captured Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous captured packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Displayed Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous displayed packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ------</command></entry>
<entry><command>Time Display Format > Automatic (File Format Precision)</command></entry>
Selecting this tells Wireshark to display time stamps with the
precision given by the capture file format used, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
<entry><command>Time Display Format > Seconds: 0</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ...seconds: 0....</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second,
decisecond, centisecond, millisecond, microsecond or nanosecond, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Display Seconds with hours and minutes</command></entry>
Selecting this tells Wireshark to display time stamps in seconds,
with hours and minutes.
<entry><command>Name Resolution > Resolve Name</command></entry>
This item allows you to trigger a name resolve of the current packet
only, see <xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for MAC Layer</command></entry>
This item allows you to control whether or not
Wireshark translates MAC addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Network Layer</command></entry>
This item allows you to control whether or not
Wireshark translates network addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Transport Layer</command></entry>
This item allows you to control whether or not
Wireshark translates transport addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Colorize Packet List</command></entry>
This item allows you to control whether or not Wireshark should colorize
the packet list.</para>
<note><title>Note!</title><para>
Enabling colorization will slow down the display
of new packets while capturing / loading capture files.
</para></note></entry>
<entry><command>Auto Scroll in Live Capture</command></entry>
This item allows you to specify that Wireshark
should scroll the packet list pane as new packets come
in, so you are always looking at the last packet. If you
do not specify this, Wireshark simply adds new packets onto
the end of the list, but does not scroll the packet list
<entry><command>------</command></entry>
<entry><command>Zoom In</command></entry>
<entry>Ctrl++</entry>
Zoom into the packet data (increase the font size).
<entry><command>Zoom Out</command></entry>
<entry>Ctrl+-</entry>
Zoom out of the packet data (decrease the font size).
<entry><command>Normal Size</command></entry>
<entry>Ctrl+=</entry>
Set zoom level back to 100% (set font size back to normal).
<entry><command>Resize All Columns</command></entry>
<entry>Shift+Ctrl+R</entry>
Resize all column widths so that the content fits.
<note><title>Note!</title><para>
Resizing may take a significant amount of time, especially if a
large capture file is loaded.
<entry><command>Displayed Columns</command></entry>
This menu item folds out into a list of all configured columns.
These columns can be shown or hidden in the packet list.
<entry><command>------</command></entry>
<entry><command>Expand Subtrees</command></entry>
<entry>Shift+Right</entry>
This menu item expands the currently selected subtree in the
packet details tree.
<entry><command>Expand All</command></entry>
<entry>Ctrl+Right</entry>
Wireshark keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a packet.
This menu item expands all subtrees in all packets in
<entry><command>Collapse All</command></entry>
<entry>Ctrl+Left</entry>
This menu item collapses the tree view of all packets
in the capture list.
<entry><command>------</command></entry>
<entry><command>Colorize Conversation</command></entry>
This menu item brings up a submenu that allows you
to color packets in the packet list pane based
on the addresses of the currently selected packet.
This makes it easy to distinguish packets
belonging to different conversations.
See <xref linkend="ChCustColorizationSection"/>.
<entry><command>Colorize Conversation > Color 1-10</command></entry>
These menu items enable one of the ten temporary color
filters based on the currently selected conversation.
<entry><command>Colorize Conversation > Reset coloring</command></entry>
This menu item clears all temporary coloring rules.
<entry><command>Colorize Conversation > New Coloring Rule...</command></entry>
This menu item opens a dialog window in which a new
permanent coloring rule can be created based on the
currently selected conversation.
<entry><command>Coloring Rules...</command></entry>
This menu item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets, see
<xref linkend="ChCustColorizationSection"/>.
<entry><command>------</command></entry>
<entry><command>Show Packet in New Window</command></entry>
This menu item brings up the selected packet in a
separate window. The separate window shows only the
tree view and byte view panes.
<entry><command>Reload</command></entry>
<entry>Ctrl+R</entry>
This menu item allows you to reload the current
<section id="ChUseGoMenuSection"><title>The "Go" menu</title>
The Wireshark Go menu contains the fields shown in
<xref linkend="ChUseTabGo"/>.
<figure id="ChUseWiresharkGoMenu">
<title>The "Go" Menu</title>
<graphic entityref="WiresharkGoMenu" format="PNG"/>
<table id="ChUseTabGo" frame="none">
<title>Go menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Back</command></entry>
<entry>Alt+Left</entry>
Jump to the recently visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Forward</command></entry>
<entry>Alt+Right</entry>
Jump to the next visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Go to Packet...</command></entry>
<entry>Ctrl+G</entry>
Bring up a dialog box that allows you
to specify a packet number, and then go to that packet. See
<xref linkend="ChWorkGoToPacketSection"/> for details.
<entry><command>Go to Corresponding Packet</command></entry>
Go to the corresponding packet of the currently
selected protocol field. If the selected field doesn't correspond
to a packet, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Previous Packet</command></entry>
<entry>Ctrl+Up</entry>
Move to the previous packet in the list. This can be
used to move to the previous packet even if the packet
list doesn't have keyboard focus.
<entry><command>Next Packet</command></entry>
<entry>Ctrl+Down</entry>
Move to the next packet in the list. This can be
used to move to the next packet even if the packet
list doesn't have keyboard focus.
<entry><command>First Packet</command></entry>
<entry>Ctrl+Home</entry>
Jump to the first packet of the capture file.
<entry><command>Last Packet</command></entry>
<entry>Ctrl+End</entry>
Jump to the last packet of the capture file.
<entry><command>Previous Packet In Conversation</command></entry>
<entry>Ctrl+,</entry>
Move to the previous packet in the current conversation. This can be
used to move to the previous packet even if the packet
list doesn't have keyboard focus.
<entry><command>Next Packet In Conversation</command></entry>
<entry>Ctrl+.</entry>
Move to the next packet in the current conversation. This can be
used to move to the next packet even if the packet
list doesn't have keyboard focus.
1363 <section id="ChUseCaptureMenuSection"><title>The "Capture" menu</title>
1365 The Wireshark Capture menu contains the fields shown in
1366 <xref linkend="ChUseTabCap"/>.
1368 <figure id="ChUseWiresharkCaptureMenu">
1369 <title>The "Capture" Menu</title>
1370 <graphic entityref="WiresharkCaptureMenu" format="PNG"/>
1372 <table id="ChUseTabCap" frame="none">
1373 <title>Capture menu items</title>
1375 <colspec colnum="1" colwidth="72pt"/>
1376 <colspec colnum="2" colwidth="80pt"/>
1379 <entry>Menu Item</entry>
1380 <entry>Accelerator</entry>
1381 <entry>Description</entry>
1386 <entry><command>Interfaces...</command></entry>
1387 <entry>Ctrl+I</entry>
1389 This menu item brings up a dialog box that shows what's going on
1390 at the network interfaces Wireshark knows of (see
1391 <xref linkend="ChCapInterfaceSection"/>).
1395 <entry><command>Options...</command></entry>
1396 <entry>Ctrl+K</entry>
1398 This menu item brings up the Capture Options
1399 dialog box (discussed further in
1400 <xref linkend="ChCapCaptureOptions"/>) and allows you to
1401 start capturing packets.
1405 <entry><command>Start</command></entry>
1406 <entry>Ctrl+E</entry>
1408 Immediately start capturing packets with the same settings as
1413 <entry><command>Stop</command></entry>
1414 <entry>Ctrl+E</entry>
1416 This menu item stops the currently running capture (see
1417 <xref linkend="ChCapStopSection"/>).
1421 <entry><command>Restart</command></entry>
1422 <entry>Ctrl+R</entry>
1424 This menu item stops the currently running capture and starts
1425 again with the same options; this is just for convenience.
1429 <entry><command>Capture Filters...</command></entry>
1432 This menu item brings up a dialog box that allows you to
1433 create and edit capture filters. You can name filters,
1434 and you can save them for future use. More detail on
1435 this subject is provided in
1436 <xref linkend="ChWorkDefineFilterSection"/>
1444 <section id="ChUseAnalyzeMenuSection"><title>The "Analyze" menu</title>
1446 The Wireshark Analyze menu contains the fields shown in
1447 <xref linkend="ChUseAnalyze"/>.
1449 <figure id="ChUseWiresharkAnalyzeMenu">
1450 <title>The "Analyze" Menu</title>
1451 <graphic entityref="WiresharkAnalyzeMenu" format="PNG"/>
1453 <table id="ChUseAnalyze" frame="none"><title>Analyze menu items</title>
1455 <colspec colnum="1" colwidth="72pt"/>
1456 <colspec colnum="2" colwidth="80pt"/>
1459 <entry>Menu Item</entry>
1460 <entry>Accelerator</entry>
1461 <entry>Description</entry>
1466 <entry><command>Display Filters...</command></entry>
1469 This menu item brings up a dialog box that allows you
1470 to create and edit display filters. You can name
1471 filters, and you can save them for future use. More
1472 detail on this subject is provided in
1473 <xref linkend="ChWorkDefineFilterSection"/>
1477 <entry><command>Display Filter Macros...</command></entry>
1480 This menu item brings up a dialog box that allows you
1481 to create and edit display filter macros. You can name
1482 filter macros, and you can save them for future use. More
1483 detail on this subject is provided in
1484 <xref linkend="ChWorkDefineFilterMacrosSection"/>
1488 <entry><command>------</command></entry>
1493 <entry><command>Apply as Column</command></entry>
1496 This menu item adds the selected protocol item in the packet details
1497 pane as a column to the packet list.
1501 <entry><command>Apply as Filter > ...</command></entry>
1504 These menu items will change the current display filter and apply
1505 the changed filter immediately. Depending on the chosen menu item,
1506 the current display filter string will be replaced or appended to
1507 by the selected protocol field in the packet details pane.
1511 <entry><command>Prepare a Filter > ...</command></entry>
1514 These menu items will change the current display filter but won't
1515 apply the changed filter. Depending on the chosen menu item,
1516 the current display filter string will be replaced or appended to
1517 by the selected protocol field in the packet details pane.
1521 <entry><command>------</command></entry>
1526 <entry><command>Enabled Protocols...</command></entry>
1527 <entry>Shift+Ctrl+E</entry>
1529 This menu item allows the user to enable/disable protocol
1530 dissectors, see <xref linkend="ChAdvEnabledProtocols"/>
1534 <entry><command>Decode As...</command></entry>
1537 This menu item allows the user to force Wireshark to
1538 decode certain packets as a particular protocol, see
1539 <xref linkend="ChAdvDecodeAs"/>
1543 <entry><command>User Specified Decodes...</command></entry>
1546 This menu item allows the user to force Wireshark to
1547 decode certain packets as a particular protocol, see
1548 <xref linkend="ChAdvDecodeAsShow"/>
1552 <entry><command>------</command></entry>
1557 <entry><command>Follow TCP Stream</command></entry>
1560 This menu item brings up a separate window and displays
1561 all the TCP segments captured that are on the same TCP
1562 connection as a selected packet, see
1563 <xref linkend="ChAdvFollowTCPSection"/>
1567 <entry><command>Follow UDP Stream</command></entry>
1570 Same functionality as "Follow TCP Stream" but
1575 <entry><command>Follow SSL Stream</command></entry>
1578 Same functionality as "Follow TCP Stream" but for SSL streams.
1579 XXX - how to provide the SSL keys?
1583 <entry><command>Expert Info</command></entry>
1586 Open a dialog showing some expert information about the captured
1587 packets in a log style display.
1588 The amount of information will depend on the protocol and varies
1589 from very detailed to nonexistent. This is currently a work in
1590 progress. XXX - add a new section about this and link from here
1594 <entry><command>Expert Info Composite</command></entry>
1597 Same information as in "Expert Info" but trying to group items
1598 together for faster analysis.
1602 <entry><command>Conversation Filter > ...</command></entry>
1605 In this menu you will find conversation filter for various
1614 <section id="ChUseStatisticsMenuSection"><title>The "Statistics" menu</title>
1616 The Wireshark Statistics menu contains the fields shown in
1617 <xref linkend="ChUseStatistics"/>.
1619 <figure id="ChUseWiresharkStatisticsMenu">
1620 <title>The "Statistics" Menu</title>
1621 <graphic entityref="WiresharkStatisticsMenu" format="PNG"/>
1624 All menu items will bring up a new window showing specific statistical
1627 <table id="ChUseStatistics" frame="none">
1628 <title>Statistics menu items</title>
1630 <colspec colnum="1" colwidth="72pt"/>
1631 <colspec colnum="2" colwidth="80pt"/>
1634 <entry>Menu Item</entry>
1635 <entry>Accelerator</entry>
1636 <entry>Description</entry>
1641 <entry><command>Summary</command></entry>
1644 Show information about the data captured, see <xref
1645 linkend="ChStatSummary"/>.
1649 <entry><command>Protocol Hierarchy</command></entry>
1652 Display a hierarchical tree of protocol statistics, see <xref
1653 linkend="ChStatHierarchy"/>.
1657 <entry><command>Conversations</command></entry>
1660 Display a list of conversations (traffic between two endpoints),
1661 see <xref linkend="ChStatConversationsWindow"/>.
1665 <entry><command>Endpoints</command></entry>
1668 Display a list of endpoints (traffic to/from an address), see
1669 <xref linkend="ChStatEndpointsWindow"/>.
1673 <entry><command>Packet Lengths...</command></entry>
1675 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1678 <entry><command>IO Graphs</command></entry>
1681 Display user specified graphs (e.g. the number of packets in the
1682 course of time), see <xref linkend="ChStatIOGraphs"/>.
1686 <entry><command>------</command></entry>
1691 <entry><command>Conversation List</command></entry>
1694 Display a list of conversations, obsoleted by the combined window
1695 of Conversations above, see
1696 <xref linkend="ChStatConversationListWindow"/>.
1700 <entry><command>Endpoint List</command></entry>
1703 Display a list of endpoints, obsoleted by the combined window
1704 of Endpoints above, see
1705 <xref linkend="ChStatEndpointListWindow"/>.
1709 <entry><command>Service Response Time</command></entry>
1712 Display the time between a request and the corresponding response, see
1713 <xref linkend="ChStatSRT"/>.
1717 <entry><command>------</command></entry>
1722 <entry><command>ANCP...</command></entry>
1724 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1727 <entry><command>BOOTP-DHCP...</command></entry>
1729 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1732 <entry><command>Collectd...</command></entry>
1734 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1737 <entry><command>Compare...</command></entry>
1739 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1742 <entry><command>Flow Graph...</command></entry>
1744 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1747 <entry><command>HTTP</command></entry>
1749 <entry><para>HTTP request/response statistics, see <xref linkend="ChStatXXX"/></para></entry>
1752 <entry><command>IP Addresses...</command></entry>
1754 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1757 <entry><command>IP Destinations...</command></entry>
1759 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1762 <entry><command>IP Protocol Types...</command></entry>
1764 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1767 <entry><command>ONC-RPC Programs</command></entry>
1769 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1772 <entry><command>Sametime</command></entry>
1774 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1777 <entry><command>TCP Stream Graph</command></entry>
1779 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1782 <entry><command>UDP Multicast Streams</command></entry>
1784 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1787 <entry><command>WLAN Traffic</command></entry>
1789 <entry><para>See <xref linkend="ChStatWLANTraffic"/></para></entry>
1796 <section id="ChUseTelephonyMenuSection"><title>The "Telephony" menu</title>
1798 The Wireshark Telephony menu contains the fields shown in
1799 <xref linkend="ChUseTelephony"/>.
1801 <figure id="ChUseWiresharkTelephonyMenu">
1802 <title>The "Telephony" Menu</title>
1803 <graphic entityref="WiresharkTelephonyMenu" format="PNG"/>
1806 All menu items will bring up a new window showing specific telephony
1807 related statistical information.
1809 <table id="ChUseTelephony" frame="none">
1810 <title>Telephony menu items</title>
1812 <colspec colnum="1" colwidth="72pt"/>
1813 <colspec colnum="2" colwidth="80pt"/>
1816 <entry>Menu Item</entry>
1817 <entry>Accelerator</entry>
1818 <entry>Description</entry>
1823 <entry><command>IAX2</command></entry>
1825 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1828 <entry><command>SMPP Operations...</command></entry>
1830 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1833 <entry><command>SCTP</command></entry>
1835 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1838 <entry><command>ANSI</command></entry>
1840 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1843 <entry><command>GSM</command></entry>
1845 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1848 <entry><command>H.225...</command></entry>
1850 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1853 <entry><command>ISUP Messages...</command></entry>
1855 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1858 <entry><command>LTE</command></entry>
1860 <entry><para>See <xref linkend="ChTelLTEMACTraffic"/></para></entry>
1863 <entry><command>MTP3</command></entry>
1865 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1868 <entry><command>RTP</command></entry>
1870 <entry><para>See <xref linkend="ChTelRTPAnalysis"/></para></entry>
1873 <entry><command>SIP...</command></entry>
1875 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1878 <entry><command>UCP Messages...</command></entry>
1880 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1883 <entry><command>VoIP Calls...</command></entry>
1885 <entry><para>See <xref linkend="ChTelVoipCalls"/></para></entry>
1888 <entry><command>WAP-WSP...</command></entry>
1890 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1897 <section id="ChUseToolsMenuSection"><title>The "Tools" menu</title>
1899 The Wireshark Tools menu contains the fields shown in
1900 <xref linkend="ChUseTools"/>.
1902 <figure id="ChUseWiresharkToolsMenu">
1903 <title>The "Tools" Menu</title>
1904 <graphic entityref="WiresharkToolsMenu" format="PNG"/>
1906 <table id="ChUseTools" frame="none">
1907 <title>Tools menu items</title>
1909 <colspec colnum="1" colwidth="72pt"/>
1910 <colspec colnum="2" colwidth="80pt"/>
1913 <entry>Menu Item</entry>
1914 <entry>Accelerator</entry>
1915 <entry>Description</entry>
1920 <entry><command>Firewall ACL Rules</command></entry>
1923 This allows you to create command-line ACL rules for many different
1924 firewall products, including Cisco IOS, Linux Netfilter (iptables),
1925 OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses,
1926 IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are
1929 It is assumed that the rules will be applied to an outside interface.
1933 <entry><command>Lua</command></entry>
1936 These options allow you to work with the Lua interpreter optionally
1937 built into Wireshark, see <xref linkend="wsluarm_intro"/>.
1945 <section id="ChUseInternalsMenuSection"><title>The "Internals" menu</title>
1947 The Wireshark Internals menu contains the fields shown in
1948 <xref linkend="ChUseInternals"/>.
1950 <figure id="ChUseWiresharkInternalsMenu">
1951 <title>The "Internals" Menu</title>
1952 <graphic entityref="WiresharkInternalsMenu" format="PNG"/>
1954 <table id="ChUseInternals" frame="none">
1955 <title>Internals menu items</title>
1957 <colspec colnum="1" colwidth="72pt"/>
1958 <colspec colnum="2" colwidth="80pt"/>
1961 <entry>Menu Item</entry>
1962 <entry>Accelerator</entry>
1963 <entry>Description</entry>
1968 <entry><command>Dissector tables</command></entry>
1971 This menu item brings up a dialog box showing the tables
1972 with subdissector relationships.
1976 <entry><command>Supported Protocols (slow!)</command></entry>
1979 This menu item brings up a dialog box showing the supported
1980 protocols and protocol fields.
1988 <section id="ChUseHelpMenuSection"><title>The "Help" menu</title>
1990 The Wireshark Help menu contains the fields shown in
1991 <xref linkend="ChUseHelp"/>.
1993 <figure id="ChUseWiresharkHelpMenu">
1994 <title>The "Help" Menu</title>
1995 <graphic entityref="WiresharkHelpMenu" format="PNG"/>
1997 <table id="ChUseHelp" frame="none">
1998 <title>Help menu items</title>
2000 <colspec colnum="1" colwidth="72pt"/>
2001 <colspec colnum="2" colwidth="80pt"/>
2004 <entry>Menu Item</entry>
2005 <entry>Accelerator</entry>
2006 <entry>Description</entry>
2011 <entry><command>Contents</command></entry>
2014 This menu item brings up a basic help system.
2018 <entry><command>Manual Pages > ...</command></entry>
2021 This menu item starts a Web browser showing one of the locally
2022 installed HTML manual pages.
2026 <entry><command>------</command></entry>
2031 <entry><command>Website</command></entry>
2034 This menu item starts a Web browser showing the
2036 <ulink url="&WiresharkWebSite;">&WiresharkWebSite;</ulink>.
2040 <entry><command>FAQ's</command></entry>
2043 This menu item starts a Web browser showing various FAQs.
2047 <entry><command>Downloads</command></entry>
2050 This menu item starts a Web browser showing the
2052 <ulink url="&WiresharkWebSite;">&WiresharkWebSite;</ulink>.
2056 <entry><command>------</command></entry>
2061 <entry><command>Wiki</command></entry>
2064 This menu item starts a Web browser showing the
2066 <ulink url="&WiresharkWikiPage;">&WiresharkWikiPage;</ulink>.
2070 <entry><command>Sample Captures</command></entry>
2073 This menu item starts a Web browser showing the
2074 sample captures from:
2075 <ulink url="&WiresharkWikiPage;">&WiresharkWikiPage;</ulink>.
2079 <entry><command>------</command></entry>
2084 <entry><command>About Wireshark</command></entry>
2087 This menu item brings up an information window that
2088 provides various detailed information items on Wireshark,
2089 such as how it's built, the plugins loaded, the folders used, ...
2095 <note><title>Note!</title>
2097 Calling a Web browser might be unsupported in your version of Wireshark.
2098 If this is the case, the corresponding menu items will be hidden.
2101 <note><title>Note!</title>
2103 If calling a Web browser fails on your machine (for example, nothing
2104 happens, or the browser is started but no page is shown), have a look at the
2105 web browser setting in the preferences dialog.
2110 <section id="ChUseMainToolbarSection"><title>The "Main" toolbar</title>
2112 The main toolbar provides quick access to frequently used items from the
2113 menu. This toolbar cannot be customized by the user, but it can be hidden
2114 using the View menu, if the space on the screen is needed to show even
2118 As in the menu, only the items useful in the current program state will
2119 be available. The others will be greyed out (e.g. you cannot save a capture
2120 file if you haven't loaded one).
2121 <figure id="ChUseWiresharkMainToolbar">
2122 <title>The "Main" toolbar</title>
2123 <graphic entityref="WiresharkMainToolbar" format="PNG"/>
2126 <table id="ChUseMainToolbar" frame="none">
2127 <title>Main toolbar items</title>
2129 <colspec colnum="1" colwidth="40pt"/>
2130 <colspec colnum="2" colwidth="80pt"/>
2131 <colspec colnum="3" colwidth="80pt"/>
2134 <entry>Toolbar Icon</entry>
2135 <entry>Toolbar Item</entry>
2136 <entry>Corresponding Menu Item</entry>
2137 <entry>Description</entry>
2142 <entry><graphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/></entry>
2143 <entry><command>Interfaces...</command></entry>
2144 <entry>Capture/Interfaces...</entry>
2146 This item brings up the Capture Interfaces List
2147 dialog box (discussed further in
2148 <xref linkend="ChCapCapturingSection"/>).
2153 <entry><graphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/></entry>
2154 <entry><command>Options...</command></entry>
2155 <entry>Capture/Options...</entry>
2157 This item brings up the Capture Options
2158 dialog box (discussed further in
2159 <xref linkend="ChCapCapturingSection"/>) and allows you to
2160 start capturing packets.
2165 <entry><graphic entityref="WiresharkToolbarCaptureStart" format="PNG"/></entry>
2166 <entry><command>Start</command></entry>
2167 <entry>Capture/Start</entry>
2169 This item starts capturing packets with the options from
2175 <entry><graphic entityref="WiresharkToolbarCaptureStop" format="PNG"/></entry>
2176 <entry><command>Stop</command></entry>
2177 <entry>Capture/Stop</entry>
2179 This item stops the currently running live capture process (see
2180 <xref linkend="ChCapCapturingSection"/>).
2185 <entry><graphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/></entry>
2186 <entry><command>Restart</command></entry>
2187 <entry>Capture/Restart</entry>
2189 This item stops the currently running live capture process
2190 and restarts it again, for convenience.
2195 <entry><command>------</command></entry>
2200 <entry><graphic entityref="WiresharkToolbarOpen" format="PNG"/></entry>
2201 <entry><command>Open...</command></entry>
2202 <entry>File/Open...</entry>
2204 This item brings up the file open dialog box that
2205 allows you to load a capture file for viewing. It is
2206 discussed in more detail in <xref linkend="ChIOOpen"/>.
2210 <entry><graphic entityref="WiresharkToolbarSaveAs" format="PNG"/></entry>
2211 <entry><command>Save As...</command></entry>
2212 <entry>File/Save As...</entry>
2214 This item allows you to save the current capture file to whatever
2215 file you would like. It pops up the Save Capture File As dialog
2216 box (which is discussed further in <xref linkend="ChIOSaveAs"/>).
2218 <note><title>Note!</title>
2220 If you currently have a temporary capture file, the Save icon
2221 <inlinegraphic entityref="WiresharkToolbarSave" format="PNG"/> will be
2227 <entry><graphic entityref="WiresharkToolbarClose" format="PNG"/></entry>
2228 <entry><command>Close</command></entry>
2229 <entry>File/Close</entry>
2231 This item closes the current capture. If you
2232 have not saved the capture, you will be asked to save it first.
2236 <entry><graphic entityref="WiresharkToolbarReload" format="PNG"/></entry>
2237 <entry><command>Reload</command></entry>
2238 <entry>View/Reload</entry>
2240 This item allows you to reload the current capture file.
2244 <entry><graphic entityref="WiresharkToolbarPrint" format="PNG"/></entry>
2245 <entry><command>Print...</command></entry>
2246 <entry>File/Print...</entry>
2248 This item allows you to print all (or some of) the packets in
2249 the capture file. It pops up the Wireshark Print dialog
2250 box (which is discussed further in
2251 <xref linkend="ChIOPrintSection"/>).
2255 <entry><command>------</command></entry>
2260 <entry><graphic entityref="WiresharkToolbarFind" format="PNG"/></entry>
2261 <entry><command>Find Packet...</command></entry>
2262 <entry>Edit/Find Packet...</entry>
2264 This item brings up a dialog box that allows you
2265 to find a packet. There is further information on finding packets
2266 in <xref linkend="ChWorkFindPacketSection"/>.
2270 <entry><graphic entityref="WiresharkToolbarGoBack" format="PNG"/></entry>
2271 <entry><command>Go Back</command></entry>
2272 <entry>Go/Go Back</entry>
2274 This item jumps back in the packet history.
2278 <entry><graphic entityref="WiresharkToolbarGoForward" format="PNG"/></entry>
2279 <entry><command>Go Forward</command></entry>
2280 <entry>Go/Go Forward</entry>
2282 This item jumps forward in the packet history.
2286 <entry><graphic entityref="WiresharkToolbarGoTo" format="PNG"/></entry>
2287 <entry><command>Go to Packet...</command></entry>
2288 <entry>Go/Go to Packet...</entry>
2290 This item brings up a dialog box that allows you
2291 to specify a packet number and go to that packet.
2295 <entry><graphic entityref="WiresharkToolbarGoFirst" format="PNG"/></entry>
2296 <entry><command>Go To First Packet</command></entry>
2297 <entry>Go/First Packet</entry>
2299 This item jumps to the first packet of the capture file.
2303 <entry><graphic entityref="WiresharkToolbarGoLast" format="PNG"/></entry>
2304 <entry><command>Go To Last Packet</command></entry>
2305 <entry>Go/Last Packet</entry>
2307 This item jumps to the last packet of the capture file.
2311 <entry><command>------</command></entry>
2316 <entry><graphic entityref="WiresharkToolbarColorize" format="PNG"/></entry>
2317 <entry><command>Colorize</command></entry>
2318 <entry>View/Colorize</entry>
2320 Colorize the packet list (or not).
2324 <entry><graphic entityref="WiresharkToolbarAutoScroll" format="PNG"/></entry>
2325 <entry><command>Auto Scroll in Live Capture</command></entry>
2326 <entry>View/Auto Scroll in Live Capture</entry>
2328 Auto scroll packet list while doing a live capture (or not).
2332 <entry><command>------</command></entry>
2337 <entry><graphic entityref="WiresharkToolbarZoomIn" format="PNG"/></entry>
2338 <entry><command>Zoom In</command></entry>
2339 <entry>View/Zoom In</entry>
2341 Zoom into the packet data (increase the font size).
2345 <entry><graphic entityref="WiresharkToolbarZoomOut" format="PNG"/></entry>
2346 <entry><command>Zoom Out</command></entry>
2347 <entry>View/Zoom Out</entry>
2349 Zoom out of the packet data (decrease the font size).
2353 <entry><graphic entityref="WiresharkToolbarZoom100" format="PNG"/></entry>
2354 <entry><command>Normal Size</command></entry>
2355 <entry>View/Normal Size</entry>
2357 Set zoom level back to 100%.
2361 <entry><graphic entityref="WiresharkToolbarResizeColumns" format="PNG"/></entry>
2362 <entry><command>Resize Columns</command></entry>
2363 <entry>View/Resize Columns</entry>
2365 Resize columns, so the content fits into them.
2369 <entry><command>------</command></entry>
2374 <entry><graphic entityref="WiresharkToolbarCaptureFilters" format="PNG"/></entry>
2375 <entry><command>Capture Filters...</command></entry>
2376 <entry>Capture/Capture Filters...</entry>
2378 This item brings up a dialog box that allows you to
2379 create and edit capture filters. You can name filters,
2380 and you can save them for future use. More detail on
2381 this subject is provided in
2382 <xref linkend="ChWorkDefineFilterSection"/>.
2386 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2387 <entry><command>Display Filters...</command></entry>
2388 <entry>Analyze/Display Filters...</entry>
2390 This item brings up a dialog box that allows you
2391 to create and edit display filters. You can name
2392 filters, and you can save them for future use. More
2393 detail on this subject is provided in
2394 <xref linkend="ChWorkDefineFilterSection"/>.
2398 <entry><graphic entityref="WiresharkToolbarColoringRules" format="PNG"/></entry>
2399 <entry><command>Coloring Rules...</command></entry>
2400 <entry>View/Coloring Rules...</entry>
2402 This item brings up a dialog box that allows you to
2403 color packets in the packet list pane according to
2404 filter expressions you choose. It can be very useful
2405 for spotting certain types of packets. More
2406 detail on this subject is provided in
2407 <xref linkend="ChCustColorizationSection"/>.
2411 <entry><graphic entityref="WiresharkToolbarPreferences" format="PNG"/></entry>
2412 <entry><command>Preferences...</command></entry>
2413 <entry>Edit/Preferences</entry>
2415 This item brings up a dialog box that allows
2416 you to set preferences for many parameters that control
2417 Wireshark. You can also save your preferences so Wireshark
2418 will use them the next time you start it. More detail
2419 is provided in <xref linkend="ChCustPreferencesSection"/>
2423 <entry><command>------</command></entry>
2428 <entry><graphic entityref="WiresharkToolbarHelp" format="PNG"/></entry>
2429 <entry><command>Help</command></entry>
2430 <entry>Help/Contents</entry>
2432 This item brings up the help dialog box.
2440 <section id="ChUseFilterToolbarSection"><title>The "Filter" toolbar</title>
2442 The filter toolbar lets you quickly edit and apply display filters. More information on
2443 display filters is available in <xref linkend="ChWorkDisplayFilterSection"/>.
2444 <figure id="ChUseWiresharkFilterToolbar">
2445 <title>The "Filter" toolbar</title>
2446 <graphic entityref="WiresharkFilterToolbar" format="PNG"/>
2448 <table id="ChUseFilterToolbar" frame="none">
2449 <title>Filter toolbar items</title>
2451 <colspec colnum="1" colwidth="40pt"/>
2452 <colspec colnum="2" colwidth="80pt"/>
2455 <entry>Toolbar Icon</entry>
2456 <entry>Toolbar Item</entry>
2457 <entry>Description</entry>
2462 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2463 <entry><command>Filter:</command></entry>
2465 Brings up the filter construction dialog, described in <xref linkend="FiltersDialog"/>.
2471 <entry>Filter input</entry>
2474 The area to enter or edit a display filter string,
2475 see <xref linkend="ChWorkBuildDisplayFilterSection"/>.
2476 A syntax check of your filter string is done while you are typing.
2477 The background will turn red if you enter an incomplete or invalid
2478 string, and will become green when you enter a valid string. You can
2479 click on the pull down arrow to select a previously-entered filter
2480 string from a list. The entries in the pull down list will remain
2481 available even after a program restart.
2483 <note><title>Note!</title>
2485 After you've changed something in this field, don't forget to press
2486 the Apply button (or the Enter/Return key), to apply this filter
2487 string to the display.
2490 <note><title>Note!</title>
2492 This field is also where the current filter in effect is displayed.
2498 <entry><graphic entityref="WiresharkToolbarAdd" format="PNG"/></entry>
2499 <entry><command>Expression...</command></entry>
2501 The middle button labeled "Add Expression..." opens a dialog box that lets
2502 you edit a display filter from a list of protocol fields, described in
2503 <xref linkend="ChWorkFilterAddExpressionSection"/>
2508 <entry><graphic entityref="WiresharkToolbarClear" format="PNG"/></entry>
2509 <entry><command>Clear</command></entry>
2511 Reset the current display filter and clear the edit area.
2516 <entry><graphic entityref="WiresharkToolbarApply" format="PNG"/></entry>
2517 <entry><command>Apply</command></entry>
2519 Apply the current value in the edit area as the new display filter.
2520 <note><title>Note!</title>
2522 Applying a display filter on large capture files might take quite a long time!
2534 <section id="ChUsePacketListPaneSection"><title>The "Packet List" pane</title>
2536 The packet list pane displays all the packets in the current capture
2538 <figure id="ChUseWiresharkListPane">
2539 <title>The "Packet List" pane</title>
2540 <graphic entityref="WiresharkListPane" format="PNG"/>
2542 Each line in the packet list corresponds to one packet in the capture
2543 file. If you select a line in this pane, more details will be displayed in
2544 the "Packet Details" and "Packet Bytes" panes.
2547 While dissecting a packet, Wireshark will place information from the
2548 protocol dissectors into the columns. As higher level protocols might
2549 overwrite information from lower levels, you will typically see the
2550 information from the highest possible level only.
2553 For example, let's look at a packet containing TCP inside IP inside
2554 an Ethernet packet. The Ethernet dissector will write its data (such as
2555 the Ethernet addresses), the IP dissector will overwrite this with its own
2556 (such as the IP addresses), the TCP dissector will overwrite the IP
2557 information, and so on.
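The overwriting described above can be modelled in a few lines. This is an added example, not Wireshark's dissector code: the function names, the Info strings and the frame bytes are assumptions constructed for illustration. In this simplified model the TCP layer replaces only the Protocol and Info columns, and a truncated or unrecognised frame leaves the columns at the highest layer that could still be dissected.

```python
import socket
import struct

# Constructed sample frame: Ethernet II + IPv4 + TCP SYN (checksums left at zero,
# addresses taken from documentation ranges).
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                  # Ethernet: dst, src, type
    "45000028" "00010000" "4006" "0000"                    # IPv4 header, protocol 6
    "c000020a" "c6336414"                                  # 192.0.2.10 -> 198.51.100.20
    "c000" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000"  # TCP SYN
)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect_ethernet(data, cols):
    """Fill the columns from the Ethernet header; return the next layer or None."""
    if len(data) < 14:
        return None
    ethertype = struct.unpack("!H", data[12:14])[0]
    cols.update(Source=_mac(data[6:12]), Destination=_mac(data[0:6]),
                Protocol="Ethernet", Info=f"Ethertype 0x{ethertype:04x}")
    return ("ip", data[14:]) if ethertype == 0x0800 else None


def dissect_ipv4(data, cols):
    """Overwrite the Ethernet values with the IP addresses and protocol."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    header_len = (data[0] & 0x0F) * 4
    if header_len < 20 or len(data) < header_len:
        return None
    proto = data[9]
    cols.update(Source=socket.inet_ntoa(data[12:16]),
                Destination=socket.inet_ntoa(data[16:20]),
                Protocol="IPv4", Info=f"IP protocol {proto}")
    return ("tcp", data[header_len:]) if proto == 6 else None


def dissect_tcp(data, cols):
    """Overwrite Protocol and Info; the address columns keep the IP values."""
    if len(data) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    flags = off_flags & 0x3F
    names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
                              (0x04, "RST"), (0x08, "PSH")) if flags & bit]
    cols.update(Protocol="TCP",
                Info=f"{sport} > {dport} [{', '.join(names)}] Seq={seq}")
    return None


DISSECTORS = {"eth": dissect_ethernet, "ip": dissect_ipv4, "tcp": dissect_tcp}


def dissect(frame):
    """Run the dissector chain; return the final columns and a per-layer history."""
    cols = {"Source": "", "Destination": "", "Protocol": "", "Info": ""}
    history = []
    nxt = ("eth", frame)
    while nxt is not None:
        name, payload = nxt
        snapshot = dict(cols)
        nxt = DISSECTORS[name](payload, cols)
        if cols != snapshot:          # the layer parsed and wrote its columns
            history.append((name, dict(cols)))
    return cols, history


if __name__ == "__main__":
    final, steps = dissect(FRAME)
    for layer, snapshot in steps:
        print(f"{layer:>3}: {snapshot}")
    print("packet list row:", final)
```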
2560 There are a lot of different columns available. Which columns are
2561 displayed can be selected by preference settings, see
2562 <xref linkend="ChCustPreferencesSection"/>.
2565 The default columns will show:
2568 <para><command>No.</command>
2569 The number of the packet in the capture file. This number won't change,
2570 even if a display filter is used.
2574 <para><command>Time</command>
2575 The timestamp of the packet. The presentation format of this timestamp
2576 can be changed, see <xref linkend="ChWorkTimeFormatsSection"/>.
2580 <para><command>Source</command>
2581 The address where this packet is coming from.
2585 <para><command>Destination</command>
2586 The address where this packet is going to.
2590 <para><command>Protocol</command>
2591 The protocol name in a short (perhaps abbreviated) version.
2595 <para><command>Info</command>
2596 Additional information about the packet content.
2602 There is a context menu (right mouse click) available, see details in
2603 <xref linkend="ChWorkPacketListPanePopUpMenu"/>.
2607 <section id="ChUsePacketDetailsPaneSection"><title>The "Packet Details" pane</title>
2609 The packet details pane shows the current packet (selected in the "Packet List"
2610 pane) in a more detailed form.
2611 <figure id="ChUseWiresharkDetailsPane">
2612 <title>The "Packet Details" pane</title>
2613 <graphic entityref="WiresharkDetailsPane" format="PNG"/>
2617 This pane shows the protocols and protocol fields of the packet selected
2618 in the "Packet List" pane. The protocols and fields of the packet are
2619 displayed using a tree, which can be expanded and collapsed.
2622 There is a context menu (right mouse click) available, see details in
2623 <xref linkend="ChWorkPacketDetailsPanePopUpMenu"/>.
2626 Some protocol fields are specially displayed.
2631 <command>Generated fields</command>
2632 Wireshark itself will generate additional protocol fields which are
2633 surrounded by brackets. The information in these fields is derived from the
2634 known context of other packets in the capture file. For example, Wireshark
2635 performs a sequence/acknowledge analysis of each TCP stream,
2636 which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
<command>Links</command>
If Wireshark detected a relationship to another packet in the capture file,
it will generate a link to that packet. Links are underlined and displayed
in blue. If double-clicked, Wireshark jumps to the corresponding packet.
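The derivation behind a generated field and a link, as an added example (not part of the Wireshark documentation or source): a simplified Python model that matches each ACK to the data segment it acknowledges, so the result exists only in the analysis and never on the wire. The `Segment` class, the sample packets and the bracketed field labels are assumptions for illustration, and only an ACK that lands exactly on a segment's end is matched.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    frame: int      # packet number, as in the "No." column
    time: float     # capture timestamp in seconds
    src: str
    dst: str
    seq: int
    ack: int
    length: int     # TCP payload length in bytes
    generated: dict = field(default_factory=dict)  # derived values, not wire data


# Constructed sample: two data segments one way, one ACK coming back.
SAMPLE = [
    Segment(1, 0.000, "10.0.0.1", "10.0.0.2", seq=1, ack=1, length=100),
    Segment(2, 0.004, "10.0.0.1", "10.0.0.2", seq=101, ack=1, length=50),
    Segment(3, 0.020, "10.0.0.2", "10.0.0.1", seq=1, ack=151, length=0),
]


def analyze(segments):
    """Attach generated values that depend on earlier packets in the capture."""
    pending = {}  # (sender, receiver, expected ack number) -> data segment
    for s in segments:
        if s.length:
            pending[(s.src, s.dst, s.seq + s.length)] = s
        acked = pending.pop((s.dst, s.src, s.ack), None)
        if acked is not None:
            s.generated["acks_frame"] = acked.frame            # target of the link
            s.generated["ack_rtt"] = round(s.time - acked.time, 6)
    return segments


def details(s):
    """Render wire fields as-is and generated fields in brackets."""
    lines = [f"Sequence number: {s.seq}", f"Acknowledgment number: {s.ack}"]
    if s.generated:
        lines.append("[SEQ/ACK analysis]")
        lines.append(f"    [ACK to the segment in frame: {s.generated['acks_frame']}]")
        lines.append(f"    [RTT to ACK the segment: {s.generated['ack_rtt']:.6f} seconds]")
    return lines


if __name__ == "__main__":
    for seg in analyze(SAMPLE):
        print(f"Frame {seg.frame}", *details(seg), sep="\n  ")
```

If the acknowledged segment is missing from the capture, the lookup finds nothing and no bracketed fields appear for that ACK.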
<section id="ChUsePacketBytesPaneSection"><title>The "Packet Bytes" pane</title>
The packet bytes pane shows the data of the current packet (selected in the "Packet List"
pane) in a hexdump style.
<figure id="ChUseWiresharkBytesPane">
<title>The "Packet Bytes" pane</title>
<graphic entityref="WiresharkBytesPane" format="PNG"/>
As usual for a hexdump, the left side shows the offset in the packet data,
in the middle the packet data is shown in a hexadecimal representation and
on the right the corresponding ASCII characters (or . if not appropriate)
Depending on the packet data, sometimes more than one page is available,
e.g. when Wireshark has reassembled some packets into a single chunk of
data, see <xref linkend="ChAdvReassemblySection"/>. In this case there are
some additional tabs shown at the bottom of the pane to let you select
the page you want to see.
<figure id="ChUseWiresharkBytesPaneTabs">
<title>The "Packet Bytes" pane with tabs</title>
<graphic entityref="WiresharkBytesPaneTabs" format="PNG"/>
<note><title>Note!</title>
The additional pages might contain data picked from multiple packets.
The context menu (right mouse click) of the tab labels will show a list of
all available pages. This can be helpful if the size in the pane is too
small for all the tab labels.
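The hexdump layout and the extra pages described in this section, as an added example (not Wireshark code): a Python sketch that renders bytes as offset, hexadecimal and ASCII columns, and builds a second page from the payloads of several frames. The 4-byte stand-in header, the sample frames and the page labels are assumptions made for illustration.

```python
def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return rows of: offset, hex bytes, ASCII (non-printable bytes shown as '.')."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        # Pad the hex column so the ASCII column lines up on a short last row.
        rows.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return rows


def pages(frames: list[bytes], header_len: int) -> dict[str, bytes]:
    """Pages for the last frame: its own bytes, plus the payload joined from all frames."""
    last = frames[-1]
    out = {f"Frame ({len(last)} bytes)": last}
    if len(frames) > 1:
        reassembled = b"".join(f[header_len:] for f in frames)
        out[f"Reassembled ({len(reassembled)} bytes)"] = reassembled
    return out


# Constructed sample: two frames, each a 4-byte stand-in header plus payload.
HDR = 4
FRAMES = [b"\x00\x01\x00\x0cGET /ind", b"\x00\x02\x00\x0dex.html\r\n"]

if __name__ == "__main__":
    for label, data in pages(FRAMES, HDR).items():
        print(label)
        print("\n".join(hexdump(data)))
```

The second page holds bytes taken from both frames, which is why an offset on that page does not correspond to an offset in the selected frame.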
<section id="ChUseStatusbarSection"><title>The Statusbar</title>
The statusbar displays informational messages.
In general, the left side will show context related information, the
middle part will show the current number of packets, and the right side will
show the selected configuration profile. Drag the handles between the text
areas to change the size.
<figure id="ChUseWiresharkStatusbarEmpty">
<title>The initial Statusbar</title>
<graphic entityref="WiresharkStatusbarEmpty" format="PNG"/>
This statusbar is shown while no capture file is loaded, e.g. when
Wireshark is started.
<figure id="ChUseWiresharkStatusbarLoaded">
<title>The Statusbar with a loaded capture file</title>
<graphic entityref="WiresharkStatusbarLoaded" format="PNG"/>
<command>The colorized bullet</command> on the left shows the highest expert
info level found in the currently loaded capture file. Hovering the mouse
over this icon will show a textual description of the expert info level,
and clicking the icon will bring up the Expert Infos dialog box.
For a detailed description of expert info, see <xref linkend="ChAdvExpert"/>.
<command>The left side</command> shows information about the capture file, its
name, its size and the elapsed time while it was being captured.
<command>The middle part</command> shows the current number of packets in the capture file.
The following values are displayed:
<itemizedlist mark="bullet">
<para><emphasis>Packets:</emphasis> the number of captured packets</para>
<para><emphasis>Displayed:</emphasis> the number of packets currently being
<para><emphasis>Marked:</emphasis> the number of marked packets</para>
<para><emphasis>Dropped:</emphasis> the number of dropped packets (only displayed
if Wireshark was unable to capture all packets)</para>
<para><emphasis>Ignored:</emphasis> the number of ignored packets (only displayed
if packets are ignored)</para>
<command>The right side</command> shows the selected configuration profile.
Clicking in this part of the statusbar will bring up a menu with all available
configuration profiles, and selecting from this list will change the configuration profile.
<figure id="ChUseWiresharkStatusbarProfile">
<title>The Statusbar with a configuration profile menu</title>
<graphic entityref="WiresharkStatusbarProfile" format="PNG"/>
For a detailed description of configuration profiles, see
<xref linkend="ChCustConfigProfilesSection"/>.
<figure id="ChUseWiresharkStatusbarSelected">
<title>The Statusbar with a selected protocol field</title>
<graphic entityref="WiresharkStatusbarSelected" format="PNG"/>
This is displayed if you have selected a protocol field from the
"Packet Details" pane.
<tip><title>Tip!</title>
The value between the brackets (in this example
<command>arp.opcode</command>) can be used as a display filter string,
representing the selected protocol field.
<figure id="ChUseWiresharkStatusbarFilter">
<title>The Statusbar with a display filter message</title>
<graphic entityref="WiresharkStatusbarFilter" format="PNG"/>
This is displayed if you are trying to use a display filter which
may have unexpected results. For a detailed description, see
<xref linkend="ChWorkBuildDisplayFilterMistake"/>.
<!-- End of WSUG Chapter 3 -->