5 == Working with captured packets
7 [[ChWorkViewPacketsSection]]
9 === Viewing packets you have captured
11 Once you have captured some packets or you have opened a previously saved
12 capture file, you can view the packets that are displayed in the packet list
13 pane by simply clicking on a packet in the packet list pane, which will bring up
14 the selected packet in the tree view and byte view panes.
16 You can then expand any part of the tree to view detailed information about each
17 protocol in each packet. Clicking on an item in the tree will highlight the
18 corresponding bytes in the byte view. An example with a TCP packet selected is
19 shown in <<ChWorkSelPack1>>. It also has the Acknowledgment number in the TCP
20 header selected, which shows up in the byte view as the selected bytes.
24 .Wireshark with a TCP packet selected for viewing
25 image::wsug_graphics/ws-packet-selected.png[{screenshot-attrs}]
27 You can also select and view packets the same way while Wireshark is capturing
28 if you selected “Update list of packets in real time” in the “Capture
29 Preferences” dialog box.
31 In addition you can view individual packets in a separate window as shown in
32 <<ChWorkPacketSepView>>. You can do this by double-clicking on an item in the
33 packet list or by selecting the packet in which you are interested in the packet
34 list pane and selecting menu:View[Show Packet in New Window]. This allows you to
35 easily compare two or more packets, even across multiple files.
37 [[ChWorkPacketSepView]]
39 .Viewing a packet in a separate window
40 image::wsug_graphics/ws-packet-sep-win.png[{screenshot-attrs}]
42 Along with double-clicking the packet list and using the main menu there are a
43 number of other ways to open a new packet window:
45 - Hold down the shift key and double-click on a frame link in the packet
47 - From <<PacketListPopupMenuTable>>.
48 - From <<PacketDetailsPopupMenuTable>>.
50 [[ChWorkDisplayPopUpSection]]
54 You can bring up a pop-up menu over either the “Packet List”, its column header,
55 or “Packet Details” pane by clicking your right mouse button at the
58 [[ChWorkColumnHeaderPopUpMenuSection]]
60 ==== Pop-up menu of the “Packet List” column header
62 [[ChWorkColumnHeaderPopUpMenu]]
63 .Pop-up menu of the “Packet List” column header
64 image::wsug_graphics/ws-column-header-popup-menu.png[{screenshot-attrs}]
66 The following table gives an overview of which functions are available in this
67 header, where to find the corresponding function in the main menu, and a short
68 description of each item.
70 [[ColumnHeaderPopupMenuTable]]
71 .The menu items of the “Packet List” column header pop-up menu
72 [options="header",cols="3,2,5"]
74 |Item|Identical to main menu’s item:|Description
75 |menu:Sort Ascending[]|| Sort the packet list in ascending order based on this column.
76 |menu:Sort Descending[]|| Sort the packet list in descending order based on this column.
77 |menu:No Sort[]|| Remove sorting order based on this column.
78 |menu:Align Left[]|| Set left alignment of the values in this column.
79 |menu:Align Center[]|| Set center alignment of the values in this column.
80 |menu:Align Right[]|| Set right alignment of the values in this column.
81 |menu:Column Preferences...[]|| Open the Preferences dialog box on the column tab.
82 |menu:Resize Column[]|| Resize the column to fit the values.
83 |menu:Rename Column Title[]|| Allows you to change the title of the column header.
84 |menu:Displayed Column[]|menu:View[]| This menu items folds out with a list of all configured columns. These columns can now be shown or hidden in the packet list.
85 |menu:Hide Column[]|| Allows you to hide the column from the packet list.
86 |menu:Remove Column[]|| Allows you to remove the column from the packet list.
89 [[ChWorkPacketListPanePopUpMenuSection]]
91 ==== Pop-up menu of the “Packet List” pane
93 [[ChWorkPacketListPanePopUpMenu]]
95 .Pop-up menu of the “Packet List” pane
96 image::wsug_graphics/ws-packet-pane-popup-menu.png[{screenshot-attrs}]
98 The following table gives an overview of which functions are available in this pane, where to find the corresponding function in the main menu, and a short description of each item.
100 [[PacketListPopupMenuTable]]
101 .The menu items of the “Packet List” pop-up menu
102 [options="header",cols="3,2,5"]
104 |Item|Identical to main menu’s item:|Description
105 |menu:Mark Packet (toggle)[]|menu:Edit[]| Mark/unmark a packet.
106 |menu:Ignore Packet (toggle)[]|menu:Edit[]| Ignore or inspect this packet while dissecting the capture file.
107 |menu:Set Time Reference (toggle)[]|menu:Edit[]| Set/reset a time reference.
108 |menu:Manually Resolve Address[]|| Allows you to enter a name to resolve for the selected address.
109 |menu:Apply as Filter[]|menu:Analyze[]| Prepare and apply a display filter based on the currently selected item.
110 |menu:Prepare a Filter[]|menu:Analyze[]| Prepare a display filter based on the currently selected item.
111 |menu:Conversation Filter[]|| This menu item applies a display filter with the address information from the selected packet. E.g. the IP menu entry will set a filter to show the traffic between the two IP addresses of the current packet. XXX - add a new section describing this better.
112 |menu:Colorize Conversation[]|| This menu item uses a display filter with the address information from the selected packet to build a new colorizing rule.
113 |menu:SCTP[]|| Allows you to analyze and prepare a filter for this SCTP association.
114 |menu:Follow TCP Stream[]|menu:Analyze[]| Allows you to view all the data on a TCP stream between a pair of nodes.
115 |menu:Follow UDP Stream[]|menu:Analyze[]| Allows you to view all the data on a UDP datagram stream between a pair of nodes.
116 |menu:Follow SSL Stream[]|menu:Analyze[]| Same as “Follow TCP Stream” but for SSL. XXX - add a new section describing this better.
117 |menu:Copy/ Summary (Text)[]|| Copy the summary fields as displayed to the clipboard, as tab-separated text.
118 |menu:Copy/ Summary (CSV)[]|| Copy the summary fields as displayed to the clipboard, as comma-separated text.
119 |menu:Copy/ As Filter[]|| Prepare a display filter based on the currently selected item and copy that filter to the clipboard.
120 |menu:Copy/ Bytes (Offset Hex Text)[]|| Copy the packet bytes to the clipboard in hexdump-like format.
121 |menu:Copy/ Bytes (Offset Hex)[]|| Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion.
122 |menu:Copy/ Bytes (Printable Text Only)[]|| Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters.
123 |menu:Copy/ Bytes (Hex Stream)[]|| Copy the packet bytes to the clipboard as an unpunctuated list of hex digits.
124 |menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary. The data is stored in the clipboard as MIME-type “application/octet-stream”.
125 |menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors.
126 |menu:Print...[]|File| Print packets.
127 |menu:Show Packet in New Window[]|menu:View[]| Display the selected packet in a new window.
131 [[ChWorkPacketDetailsPanePopUpMenuSection]]
133 ==== Pop-up menu of the “Packet Details” pane
135 [[ChWorkPacketDetailsPanePopUpMenu]]
137 .Pop-up menu of the “Packet Details” pane
138 image::wsug_graphics/ws-details-pane-popup-menu.png[{screenshot-attrs}]
140 The following table gives an overview of which functions are available in this
141 pane, where to find the corresponding function in the main menu, and a short
142 description of each item.
144 [[PacketDetailsPopupMenuTable]]
146 .The menu items of the “Packet Details” pop-up menu
147 [options="header",cols="3,2,5"]
149 |Item|Identical to main menu’s item:|Description
150 |menu:Expand Subtrees[]|menu:View[]| Expand the currently selected subtree.
151 |menu:Collapse Subtrees[]|menu:View[]| Collapse the currently selected subtree.
152 |menu:Expand All[]|menu:View[]| Expand all subtrees in all packets in the capture.
153 |menu:Collapse All[]|menu:View[]| Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.
154 |menu:Apply as Column[]|| Use the selected protocol item to create a new column in the packet list.
155 |menu:Apply as Filter[]|menu:Analyze[]| Prepare and apply a display filter based on the currently selected item.
156 |menu:Prepare a Filter[]|menu:Analyze[]| Prepare a display filter based on the currently selected item.
157 |menu:Colorize with Filter[]|| This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule.
158 |menu:Follow TCP Stream[]|menu:Analyze[]| Allows you to view all the data on a TCP stream between a pair of nodes.
159 |menu:Follow UDP Stream[]|menu:Analyze[]| Allows you to view all the data on a UDP datagram stream between a pair of nodes.
160 |menu:Follow SSL Stream[]|menu:Analyze[]| Same as “Follow TCP Stream” but for SSL. XXX - add a new section describing this better.
161 |menu:Copy/ Description[]|menu:Edit[]| Copy the displayed text of the selected field to the system clipboard.
162 |menu:Copy/ Fieldname[]|menu:Edit[]| Copy the name of the selected field to the system clipboard.
163 |menu:Copy/ Value[]|menu:Edit[]| Copy the value of the selected field to the system clipboard.
164 |menu:Copy/ As Filter[]|menu:Edit[]| Prepare a display filter based on the currently selected item and copy it to the clipboard.
165 |menu:Copy/ Bytes (Offset Hex Text)[]|| Copy the packet bytes to the clipboard in hexdump-like format; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
166 |menu:Copy/ Bytes (Offset Hex)[]|| Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
167 |menu:Copy/ Bytes (Printable Text Only)[]|| Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
168 |menu:Copy/ Bytes (Hex Stream)[]|| Copy the packet bytes to the clipboard as an unpunctuated list of hex digits; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
169 |menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane). The data is stored in the clipboard as MIME-type “application/octet-stream”.
170 |menu:Export Selected Packet Bytes...[]|menu:File[]| This menu item is the same as the File menu item of the same name. It allows you to export raw packet bytes to a binary file.
171 |menu:Wiki Protocol Page[]|| Show the wiki page corresponding to the currently selected protocol in your web browser.
172 |menu:Filter Field Reference[]|| Show the filter field reference web page corresponding to the currently selected protocol in your web browser.
173 |menu:Protocol Preferences...[]|| The menu item takes you to the properties dialog and selects the page corresponding to the protocol if there are properties associated with the highlighted field. More information on preferences can be found in <<ChCustGUIPrefPage>>.
174 |menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors.
175 |menu:Disable Protocol[]|| Allows you to temporarily disable a protocol dissector, which may be blocking the legitimate dissector.
176 |menu:Resolve Name[]|menu:View[]| Causes a name resolution to be performed for the selected packet, but NOT every packet in the capture.
177 |menu:Go to Corresponding Packet[]|menu:Go[]| If the selected field has a corresponding packet, go to it. Corresponding packets will usually be a request/response packet pair or such.
180 [[ChWorkDisplayFilterSection]]
182 === Filtering packets while viewing
184 Wireshark has two filtering languages: One used when capturing packets, and one
185 used when displaying packets. In this section we explore that second type of
186 filter: Display filters. The first one has already been dealt with in
187 <<ChCapCaptureFilterSection>>.
189 Display filters allow you to concentrate on the packets you are interested in
190 while hiding the currently uninteresting ones. They allow you to select packets
195 * The presence of a field
197 * The values of fields
199 * A comparison between fields
201 * ... and a lot more!
203 To select packets based on protocol type, simply type the protocol in which you
204 are interested in the _Filter:_ field in the filter toolbar of the Wireshark
205 window and press enter to initiate the filter. <<ChWorkTCPFilter>> shows an
206 example of what happens when you type _tcp_ in the filter field.
211 All protocol and field names are entered in lowercase. Also, don’t forget to press enter after entering the filter expression.
217 .Filtering on the TCP protocol
218 image::wsug_graphics/ws-display-filter-tcp.png[{screenshot-attrs}]
220 As you might have noticed, only packets of the TCP protocol are displayed now
221 (e.g. packets 1-10 are hidden). The packet numbering will remain as before, so
222 the first packet shown is now packet number 11.
226 When using a display filter, all packets remain in the capture file. The display
227 filter only changes the display of the capture file but not its content!
230 You can filter on any protocol that Wireshark understands. You can also filter
231 on any field that a dissector adds to the tree view, but only if the dissector
232 has added an abbreviation for the field. A list of such fields is available in
233 Wireshark in the _Add Expression..._ dialog box. You can find more information
234 on the _Add Expression..._ dialog box in <<ChWorkFilterAddExpressionSection>>.
236 For example, to narrow the packet list pane down to only those packets to or
237 from the IP address 192.168.0.1, use `ip.addr==192.168.0.1`.
241 To remove the filter, click on the btn:[Clear] button to the right of the filter field.
244 [[ChWorkBuildDisplayFilterSection]]
246 === Building display filter expressions
248 Wireshark provides a simple but powerful display filter language that allows you
249 to build quite complex filter expressions. You can compare values in packets as
250 well as combine expressions into more specific expressions. The following
251 sections provide more information on doing this.
255 You will find a lot of Display Filter examples at the _Wireshark Wiki Display
256 Filter page_ at: link:{wireshark-wiki-url}DisplayFilters[].
259 ==== Display filter fields
261 Every field in the packet details pane can be used as a filter string, this will
262 result in showing only the packets where this field exists. For example: the
263 filter string: _tcp_ will show all packets containing the tcp protocol.
265 There is a complete list of all filter fields available through the menu item
266 menu:Help[Supported Protocols] in the page “Display Filter Fields” of the
267 “Supported Protocols” dialog.
269 // XXX - add some more info here and a link to the statusbar info.
271 ==== Comparing values
273 You can build display filters that compare values using a number of different
274 comparison operators. They are shown in <<DispCompOps>>.
278 You can use English and C-like terms in the same way, they can even be mixed in a filter string.
283 .Display Filter comparison operators
284 [options="header",cols="1,1,4"]
286 |English|C-like|Description and example
287 |eq |== |Equal. `ip.src==10.0.0.5`
288 |ne |!= |Not equal. `ip.src!=10.0.0.5`
289 |gt |> |Greater than. `frame.len > 10`
290 |lt |< |Less than. `frame.len < 128`
291 |ge |>= |Greater than or equal to. `frame.len ge 0x100`
292 |le |\<= |Less than or equal to. `frame.len <= 0x20`
293 |contains||Protocol, field or slice contains a value. `sip.To contains "a1762"`
294 |matches|~|Protocol or text field match Perl regualar expression. `http.host matches "acme\.(org\|com\|net)"`
295 |bitwise_and|&|Compare bit field value. `tcp.flags & 0x02`
298 In addition, all protocol fields have a type. <<ChWorkFieldTypes>> provides a list
299 of the types and example of how to express them.
303 .Display Filter Field Types
305 Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, octal,
306 or hexadecimal. The following display filters are equivalent:
315 Can be 8, 16, 24, 32, or 64 bits. As with unsigned integers you can use
316 decimal, octal, or hexadecimal.
319 A boolean field is present in the protocol decode only if its value is true. For
320 example, `tcp.flags.syn` is present, and thus true, only if the SYN flag is
321 present in a TCP segment header.
323 The filter expression `tcp.flags.syn` will select only those packets for which
324 this flag exists, that is, TCP segments where the segment header contains the
325 SYN flag. Similarly, to find source-routed token ring packets, use a filter
326 expression of `tr.sr`.
329 6 bytes separated by a colon (:), dot (.) or dash (-) with one or two bytes between separators:
331 eth.dst == ff:ff:ff:ff:ff:ff
333 eth.dst == ff-ff-ff-ff-ff-ff
335 eth.dst == ffff.ffff.ffff
338 ip.addr == 192.168.0.1
340 Classless InterDomain Routing (CIDR) notation can be used to test if
341 an IPv4 address is in a certain subnet. For example, this display
342 filter will find all packets in the 129.111 Class-B network:
344 ip.addr == 129.111.0.0/16
349 As with IPv4 addresses, IPv6 addresses can match a subnet.
352 `http.request.uri == "https://www.wireshark.org/"`
355 udp contains 81:60:03
357 The example above match packets that contains the 3-byte sequence 0x81, 0x60,
358 0x03 anywhere in the UDP header or payload.
360 sip.To contains "a1762"
362 Above example match packets where SIP To-header contains the string "a1762"
363 anywhere in the header.
365 http.host matches "acme\.(org|com|net)"
367 The example above match HTTP packets where the HOST header contains acme.org or acme.com
368 or acme.net. Comparisons are case-insensitive. Note: Wireshark needs to be built with
369 libpcre in order to be able to use the `matches` resp. `{tilde}` operator.
373 That expression will match all packets that contain a “tcp.flags” field with the 0x02 bit,
374 i.e. the SYN bit, set.
376 ==== Combining expressions
378 You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>>
382 .Display Filter Logical Operations
383 [options="header",cols="1,1,4"]
385 |English|C-like|Description and example
386 |and |&&| Logical AND. `ip.src==10.0.0.5 and tcp.flags.fin`
387 |or |\|\| | Logical OR. `ip.scr==10.0.0.5 or ip.src==192.1.1.1`
388 |xor |^^ | Logical XOR. `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29`
389 |not |! | Logical NOT. `not llc`
390 |[...] | | See “Slice Operator” below.
391 |in | | See “Membership Operator” below.
395 Wireshark allows you to select subsequences of a sequence in rather elaborate
396 ways. After a label you can place a pair of brackets [] containing a comma
397 separated list of range specifiers.
399 eth.src[0:3] == 00:00:83
401 The example above uses the n:m format to specify a single range. In this case n
402 is the beginning offset and m is the length of the range being specified.
404 eth.src[1-2] == 00:83
406 The example above uses the n-m format to specify a single range. In this case n
407 is the beginning offset and m is the ending offset.
409 eth.src[:4] == 00:00:83:00
411 The example above uses the :m format, which takes everything from the beginning
412 of a sequence to offset m. It is equivalent to 0:m
416 The example above uses the n: format, which takes everything from offset n to
417 the end of the sequence.
421 The example above uses the n format to specify a single range. In this case the
422 element in the sequence at offset n is selected. This is equivalent to n:1.
424 eth.src[0:3,1-2,:4,4:,2] ==
425 00:00:83:00:83:00:00:83:00:20:20:83
427 Wireshark allows you to string together single ranges in a comma separated list
428 to form compound ranges as shown above.
430 ==== Membership Operator
431 Wireshark allows you to test a field for membership in a set of values or
432 fields. After the field name, use the in operator followed by the set items
433 surrounded by braces {}.
435 tcp.port in {80 443 8080}
437 This can be considered a shortcut operator, as the previous expression could
438 have been expressed as:
440 tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
443 The set of values can also contain ranges:
445 tcp.port in {443 4430..4434}
447 This is not merely a shortcut for `tcp.port == 443 || (tcp.port >= 4430 &&
448 tcp.port <= 4434)`. Comparison operators are usually satisfied when any field
449 matches the filter, and thus a packet with ports 80 and 56789 would match this
450 alternative display filter since `56789 >= 4430 && 80 <= 4434` is true. The
451 membership operator instead tests the same field against the range condition.
453 Sets are not just limited to numbers, other types can be used as well:
455 http.request.method in {"HEAD" "GET"}
456 ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
457 frame.time_delta in {10 .. 10.5}
462 The display filter language has a number of functions to convert fields, see
466 .Display Filter Functions
467 [options="header",cols="1,4"]
469 |Function|Description
470 |upper |Converts a string field to uppercase.
471 |lower |Converts a string field to lowercase.
472 |len |Returns the byte length of a string or bytes field.
473 |count |Returns the number of field occurrences in a frame.
476 The `upper` and `lower` functions can used to force case-insensitive matches:
477 `lower(http.server) contains "apache"`.
479 To find HTTP requests with long request URIs: `len(http.request.uri) > 100`.
480 Note that the `len` function yields the string length in bytes rather than
481 (multi-byte) characters.
483 Usually an IP frame has only two addresses (source and destination), but in case
484 of ICMP errors or tunneling, a single packet might contain even more addresses.
485 These packets can be found with `count(ip.addr) > 2`.
487 [[ChWorkBuildDisplayFilterMistake]]
489 ==== A Common Mistake
491 Using the != operator on combined expressions like eth.addr, ip.addr, tcp.port,
492 and udp.port will probably not work as expected.
494 Often people use a filter string to display something like `ip.addr == 1.2.3.4`
495 which will display all packets containing the IP address 1.2.3.4.
497 Then they use `ip.addr != 1.2.3.4` to see all packets not containing the IP
498 address 1.2.3.4 in it. Unfortunately, this does _not_ do the expected.
500 Instead, that expression will even be true for packets where either source or
501 destination IP address equals 1.2.3.4. The reason for this, is that the
502 expression `ip.addr != 1.2.3.4` must be read as “the packet contains a field
503 named ip.addr with a value different from 1.2.3.4”. As an IP datagram contains
504 both a source and a destination address, the expression will evaluate to true
505 whenever at least one of the two addresses differs from 1.2.3.4.
507 If you want to filter out all packets containing IP datagrams to or from IP
508 address 1.2.3.4, then the correct filter is `!(ip.addr == 1.2.3.4)` as it reads
509 “show me all the packets for which it is not true that a field named ip.addr
510 exists with a value of 1.2.3.4”, or in other words, “filter out all packets
511 for which there are no occurrences of a field named ip.addr with the value
514 [[ChWorkFilterAddExpressionSection]]
517 === The “Filter Expression” dialog box
519 When you are accustomed to Wireshark’s filtering system and know what labels you
520 wish to use in your filters it can be very quick to simply type a filter string.
521 However if you are new to Wireshark or are working with a slightly unfamiliar
522 protocol it can be very confusing to try to figure out what to type. The
523 “Filter Expression” dialog box helps with this.
527 The “Filter Expression” dialog box is an excellent way to learn how to write
528 Wireshark display filter strings.
532 [[ChWorkFilterAddExpression1]]
534 .The “Filter Expression” dialog box
535 image::wsug_graphics/ws-filter-add-expression.png[{screenshot-attrs}]
537 When you first bring up the Filter Expression dialog box you are shown a tree
538 of field names, organized by protocol, and a box for selecting a relation.
541 Select a protocol field from the protocol field tree. Every protocol with
542 filterable fields is listed at the top level. (You can search for a particular
543 protocol entry by entering the first few letters of the protocol name). By
544 expanding a protocol name you can get a list of the field names available for
545 filtering for that protocol.
548 Select a relation from the list of available relation. The _is present_ is a
549 unary relation which is true if the selected field is present in a packet. All
550 other listed relations are binary relations which require additional data (e.g.
551 a _Value_ to match) to complete.
553 When you select a field from the field name list and select a binary relation
554 (such as the equality relation ==) you will be given the opportunity to enter a
555 value, and possibly some range information.
558 You may enter an appropriate value in the _Value_ text box. The _Value_ will
559 also indicate the type of value for the _field name_ you have selected (like
562 _Predefined values_::
563 Some of the protocol fields have predefined values available, much like enum’s
564 in C. If the selected protocol field has such values defined, you can choose one
568 A range of integers or a group of ranges, such as `1-12` or `39-42,98-2000`.
571 When you have built a satisfactory expression click btn:[OK] and a filter string
572 will be built for you.
575 You can leave the “Add Expression...” dialog box without any effect by
576 clicking the btn:[Cancel] button.
578 [[ChWorkDefineFilterSection]]
580 === Defining and saving filters
582 You can define filters with Wireshark and give them labels for later use. This
583 can save time in remembering and retyping some of the more complex filters you
586 To define a new filter or edit an existing one, select menu:Capture[Capture
587 Filters...] or menu:Analyze[Display Filters...]. Wireshark will then pop up the
588 Filters dialog as shown in
591 The mechanisms for defining and saving capture filters and display filters are
592 almost identical. Both will be described here but the differences between these two
593 will be marked as such.
597 You must use btn:[Save] to save your filters permanently. btn:[OK] or
598 btn:[Apply] will not save the filters and they will be lost when you close
604 .The “Capture Filters” and “Display Filters” dialog boxes
605 image::wsug_graphics/ws-filters.png[{screenshot-attrs}]
608 This button adds a new filter to the list of filters. The currently entered
609 values from Filter name and Filter string will be used. If any of these fields
610 are empty, it will be set to “new”.
614 This button deletes the selected filter. It will be greyed out, if no filter is
619 You can select a filter from this list (which will fill in the filter name and
620 filter string in the fields down at the bottom of the dialog box).
624 You can change the name of the currently selected filter here.
626 The filter name will only be used in this dialog to identify the filter for your
627 convenience, it will not be used elsewhere. You can add multiple filters with
628 the same name, but this is not very useful.
631 You can change the filter string of the currently selected filter here. Display
632 Filter only: the string will be syntax checked while you are typing.
634 _Add Expression..._::
635 Display Filter only: This button brings up the Add Expression dialog box which
636 assists in building filter strings. You can find more information about the Add
637 Expression dialog in <<ChWorkFilterAddExpressionSection>>
640 Display Filter only: This button applies the selected filter to the current
641 display and closes the dialog.
644 Display Filter only: This button applies the selected filter to the current
645 display, and keeps the dialog open.
648 Save the current settings in this dialog. The file location and format is
649 explained in <<AppFiles>>.
652 Close this dialog. This will discard unsaved settings.
654 [[ChWorkDefineFilterMacrosSection]]
656 === Defining and saving filter macros
658 You can define filter macros with Wireshark and give them labels for later use.
659 This can save time in remembering and retyping some of the more complex filters
662 // XXX - add an explanation of this.
664 [[ChWorkFindPacketSection]]
668 You can easily find packets once you have captured some packets or have read in
669 a previously saved capture file. Simply select the _Find Packet..._ menu item
670 from the _Edit_ menu. Wireshark will pop up the dialog box shown in
671 <<ChWorkFindPacketDialog>>.
673 ==== The “Find Packet” dialog box
675 [[ChWorkFindPacketDialog]]
677 .The “Find Packet” dialog box
678 image::wsug_graphics/ws-find-packet.png[{screenshot-attrs}]
680 You might first select the kind of thing to search for:
684 Simply enter a display filter string into the _Filter:_ field, select a direction, and click on OK.
686 For example, to find the three way handshake for a connection from host 192.168.0.1, use the following filter string:
688 ip.src==192.168.0.1 and tcp.flags.syn==1
690 For more details on display filters, see <<ChWorkDisplayFilterSection>>
694 Search for a specific byte sequence in the packet data.
696 For example, use “00:00” to find the next packet including two null bytes in the packet data.
700 Find a string in the packet data, with various options.
702 The value to be found will be syntax checked while you type it in. If the syntax
703 check of your value succeeds, the background of the entry field will turn green,
704 if it fails, it will turn red.
706 You can choose the search direction:
710 Search upwards in the packet list (decreasing packet numbers).
714 Search downwards in the packet list (increasing packet numbers).
716 ==== The “Find Next” command
718 “Find Next” will continue searching with the same options used in the last
721 ==== The “Find Previous” command
723 “Find Previous” will do the same thing as “Find Next”, but in the reverse
726 [[ChWorkGoToPacketSection]]
728 === Go to a specific packet
730 You can easily jump to specific packets with one of the menu items in the Go menu.
732 ==== The “Go Back” command
734 Go back in the packet history, works much like the page history in current web browsers.
736 ==== The “Go Forward” command
738 Go forward in the packet history, works much like the page history in current web browsers.
740 ==== The “Go to Packet” dialog box
742 [[ChWorkGoToPacketDialog]]
744 .The “Go To Packet” dialog box
745 image::wsug_graphics/ws-goto-packet.png[{screenshot-attrs}]
747 This dialog box will let you enter a packet number. When you press btn:[OK],
748 Wireshark will jump to that packet.
750 ==== The “Go to Corresponding Packet” command
752 If a protocol field is selected which points to another packet in the capture
753 file, this command will jump to that packet.
755 As these protocol fields now work like links (just as in your Web browser), it’s
756 easier to simply double-click on the field to jump to the corresponding field.
758 ==== The “Go to First Packet” command
760 This command will simply jump to the first packet displayed.
762 ==== The “Go to Last Packet” command
764 This command will simply jump to the last packet displayed.
766 [[ChWorkMarkPacketSection]]
770 You can mark packets in the “Packet List” pane. A marked packet will be shown
771 with black background, regardless of the coloring rules set. Marking a packet
772 can be useful to find it later while analyzing in a large capture file.
774 The packet marks are not stored in the capture file or anywhere else. All
775 packet marks will be lost when you close the capture file.
777 You can use packet marking to control the output of packets when saving,
778 exporting, or printing. To do so, an option in the packet range is available,
779 see <<ChIOPacketRangeSection>>.
781 There are three functions to manipulate the marked state of a packet:
783 * _Mark packet (toggle)_ toggles the marked state of a single packet.
785 * _Mark all displayed packets_ set the mark state of all displayed packets.
787 * _Unmark all packets_ reset the mark state of all packets.
789 These mark functions are available from the “Edit” menu, and the “Mark packet
790 (toggle)” function is also available from the pop-up menu of the “Packet
793 [[ChWorkIgnorePacketSection]]
797 You can ignore packets in the “Packet List” pane. Wireshark will then pretend
798 that this packets does not exist in the capture file. An ignored packet will be
799 shown with white background and gray foreground, regardless of the coloring
802 The packet ignored marks are not stored in the capture file or anywhere else.
803 All “packet ignored” marks will be lost when you close the capture file.
805 There are three functions to manipulate the ignored state of a packet:
807 * _Ignore packet (toggle)_ toggles the ignored state of a single packet.
809 * _Ignore all displayed packets_ set the ignored state of all displayed packets.
811 * _Un-Ignore all packets_ reset the ignored state of all packets.
813 These ignore functions are available from the “Edit” menu, and the “Ignore
814 packet (toggle)” function is also available from the pop-up menu of the
817 [[ChWorkTimeFormatsSection]]
819 === Time display formats and time references
821 While packets are captured, each packet is timestamped. These timestamps will be
822 saved to the capture file, so they will be available for later analysis.
824 A detailed description of timestamps, timezones and alike can be found at:
827 The timestamp presentation format and the precision in the packet list can be
828 chosen using the View menu, see <<ChUseWiresharkViewMenu>>.
830 The available presentation formats are:
832 * _Date and Time of Day: 1970-01-01 01:02:03.123456_ The absolute date and time
833 of the day when the packet was captured.
835 * _Time of Day: 01:02:03.123456_ The absolute time of the day when the packet
838 * _Seconds Since Beginning of Capture: 123.123456_ The time relative to the
839 start of the capture file or the first “Time Reference” before this packet
840 (see <<ChWorkTimeReferencePacketSection>>).
842 * _Seconds Since Previous Captured Packet: 1.123456_ The time relative to the
843 previous captured packet.
845 * _Seconds Since Previous Displayed Packet: 1.123456_ The time relative to the
846 previous displayed packet.
848 * _Seconds Since Epoch (1970-01-01): 1234567890.123456_ The time relative to
849 epoch (midnight UTC of January 1, 1970).
851 The available precisions (aka. the number of displayed decimal places) are:
853 * _Automatic_ The timestamp precision of the loaded capture file format will be
856 * _Seconds, Deciseconds, Centiseconds, Milliseconds, Microseconds or
857 Nanoseconds_ The timestamp precision will be forced to the given setting. If
858 the actually available precision is smaller, zeros will be appended. If the
859 precision is larger, the remaining decimal places will be cut off.
861 Precision example: If you have a timestamp and it’s displayed using, “Seconds
862 Since Previous Packet” the value might be 1.123456. This will be displayed
863 using the “Automatic” setting for libpcap files (which is microseconds). If
864 you use Seconds it would show simply 1 and if you use Nanoseconds it shows
867 [[ChWorkTimeReferencePacketSection]]
869 ==== Packet time referencing
871 The user can set time references to packets. A time reference is the starting
872 point for all subsequent packet time calculations. It will be useful, if you
873 want to see the time values relative to a special packet, e.g. the start of a
874 new request. It’s possible to set multiple time references in the capture file.
876 The time references will not be saved permanently and will be lost when you
877 close the capture file.
879 Time referencing will only be useful if the time display format is set to
880 “Seconds Since Beginning of Capture”. If one of the other time display formats
881 are used, time referencing will have no effect (and will make no sense either).
883 To work with time references, choose one of the menu:Time Reference[] items in
884 the menu:[Edit] menu or from the pop-up menu of the “Packet List” pane. See
885 <<ChUseEditMenuSection>>.
887 * _Set Time Reference (toggle)_ Toggles the time reference state of the
888 currently selected packet to on or off.
890 * _Find Next_ Find the next time referenced packet in the “Packet List” pane.
892 * _Find Previous_ Find the previous time referenced packet in the “Packet
895 [[ChWorkTimeReference]]
897 .Wireshark showing a time referenced packet
898 image::wsug_graphics/ws-time-reference.png[{screenshot-attrs}]
900 A time referenced packet will be marked with the string $$*REF*$$ in the Time
901 column (see packet number 10). All subsequent packets will show the time since
902 the last time reference.
904 // End of WSUG Chapter Work