# Makefile.am
# Automake file for Ethereal help files
#
-# $Id: Makefile.am,v 1.5 2003/12/22 22:16:25 guy Exp $
+# $Id: Makefile.am,v 1.6 2004/02/09 18:22:28 ulfl Exp $
#
# Ethereal - Network traffic analyzer
# By Gerald Combs <gerald@ethereal.com>
helpdir = $(pkgdatadir)/help
help_DATA = \
toc \
+ getting_started.txt \
+ capturing.txt \
capture_filters.txt \
display_filters.txt \
faq.txt \
--- /dev/null
+Capturing
+---------
+This section will explain the capturing options and give hints on what to do in some special cases.
+
+
+Capture options
+---------------
+The capture options can be logically divided into the following categories:
+
+-input
+-filtering
+-stop conditions
+-storing
+-display while capturing
+
+Input options
+-------------
+-Interface: You have to choose which interface (network card) will be used to capture packets from. Be sure to select the correct one, as it's a common mistake to select the wrong interface.
+
+-Link-layer header type: unless you are in the rare case that you will need this, just keep the default.
+
+Filtering options
+-----------------
+-Limit each packet to xy bytes: Will limit the maximum size to be captured of each packet, this includes the link-layer header and all subsequent headers. This can be useful when an error is known to be in the first 20 bytes of a packet, for example, as the size of the resulting capture file will be reduced.
+
+-Capture packets in promiscuous mode: Usually a network card will only capture the traffic to its own network address. If you want to capture all traffic that the network card can "see", mark this option. See the FAQ for some more details of capturing packets from a switched network.
+
+-Capture Filter: Use a capture filter to reduce the amount of packets to be captured. See "Capture Filters" in this help for further information how to use it.
+
+Stop condition options
+----------------------
+These three fields should be obvious; the capture process will be automatically stopped if one of the selected conditions is exceeded.
+
+Storing options
+---------------
+-File: you can choose the file to which captured data will be written. If you don't enter something here a temporary file will be used.
+
+-Use ring buffer: Instead of using a single capture file, multiple files will be created. The generated filenames will contain a incrementing number and the start time of the capture. For example, if you choose "/foo.cap" in the "File" field, files like "/foo_00001_20040205110102.cap", "/foo_00002_20040205110102.cap", ... will be created.
+This feature can be useful if you do long term capturing, as working with a single capture file of several GB usually isn't very fast.
+
+Display while capturing options
+-------------------------------
+-Update List of packets in real time: Using this will show the captured packets immediately on the main screen.
+Please note: this will slow down capturing, so increased packet drops might appear.
+
+-Automatic scrolling in live capture: This will scroll the "Packet List" automatically to the latest captured packet, when the "Update List of packets in real time" option is used.
+
+
+
+High performance capturing
+--------------------------
+When your network traffic is high, you might need to take some steps to ensure Ethereal doesn't get behind on its capture, particularly if you're running it on a slow computer.
+
+When Etheral cannot keep up, packets are dropped. To help avoid this as much as possible:
+
+a) Don't use the "Update List of packets in real time" option (see above). This has a significant performance penalty.
+
+b) Close other programs that might slow down your system, such as virus scanner software, server processes, etc.
+
+c) It might be a good idea not to use a capture filter. This will depend on the task you have to do.
+As a rule of thumb: if you want to see most of the packets and only filter a small number out, don't use a capture filter (you can use a display filter later). If you only want to capture a small proportion of the packets, it might be better to set a capture filter, as this will reduce the number of packets that have to be saved.
+
+d) If you still get packet drops, it might be an idea to use a tool dedicated to packet capturing and only use Ethereal for displaying and analyzing the packets.
+
+Have a look at tethereal, the command line variant of ethereal, which is included in this package.
+XXX: add a list of possibly useful standalone capture programs.
+
+
+
+Long term capturing
+-------------------
+By "Long term capturing", it's meant to capture data from a network for several hours or even days. Long term capturing will usually result in huge capture files, being hundreds of MB's or even several GB's in size!
+
+Before doing a long term capture, get familiar with the options to use for it, as you might not get what you desire. Doing a long term capture not getting the results needed, is usually wasting a lot of time ;-)
+
+Rules of thumb for this task:
+-Use the ring buffer feature when you expect very large capture files
+-Don't use the "Update list of packets in real time" option
+-Set an appropriate capture filter, when you are only interested in some special packets from the net
+
--- /dev/null
+Getting started
+---------------
+This text will try to take you though the first steps of using Ethereal.
+
+
+Display
+-------
+When you start Ethereal, you will see the program window vertically divided into the following parts:
+
+-window title
+-menu
+-main toolbar
+-packet list (empty)
+-packet details (empty)
+-packet bytes (empty)
+-statusbar (with filter toolbar)
+
+As Ethereal has no packet data when started, most of the program's window is just empty.
+
+Many of the features available in the menu will also be on the main toolbar.
+
+First capture file
+------------------
+The first thing you probably want to do is look at some captured network data/packets:
+This can be achieved by two methods:
+
+-open an already existing capture file
+-capture something from your own network
+
+It might be easier to start with an example capture file from "http://www.ethereal.com/sample" before capturing your own data.
+
+You can open a capture file through the menu "File->Open..." (or the toolbar).
+
+Please note: the common file extension for capture files is ".cap" (or ".cap.gz" for gzipped ones).
+
+After opening a capture file, you will hopefully see some more packet data on the screen. :-)
+
+Display fields
+--------------
+In the "packet list", you will see several columns with a packet number, timestamp(s), addresses and a protocol specific summary of that packet. Here you can select a packet to be shown in the "packet details" below.
+
+In the "packet details", the details of the currently selected packet are shown. You can expand the tree nodes to get even more details about that packet.
+
+The "packet bytes" will simply show all the packet data in a hexdump style. It will show the same packet as in the "packet details", only with a different representation.
+When you select something in the "packet details", it will be highlighted in the "packet bytes" and vice-versa.
+
+All three display fields have their own context menu, available by clicking the right mouse button inside that part of the window.
+
+How to analyze protocol specific network data itself is not in the scope of this text.
+
+Display filters
+---------------
+You can reduce the number of packets shown (to filter out the uninteresting ones) by setting a display filter. Please see "Display Filters" in this help dialog for further information how the display filters should be used.
+
+Coloring Rules
+--------------
+The packet list can be colored; this means applying different colors for different packets. For example you could choose to have all HTTP packets shown in red and all other TCP traffic shown in yellow.
+
+Under "View->Coloring Rules..." you will see a list of color rules. This list is processed for each packet from top to bottom, until one of the rules matches (in which case the color settings of that rule are used for that packet). If no rule matches, the packet will not be colored at all.
+Please note: setting lots of color rules can slow down processing time a bit when showing huge capture files.
+
+Other display things
+--------------------
+You can mark packets, so that you can easily find packets of interest again later.
+You can set a time reference, if you are interested in seeing timings relative to a specific packet (e.g. get time differences relative to the start of some data transfer).
+But remember: These settings will not be saved - they are forgotten when the capture file is closed.
+
+
+Capture from the network
+------------------------
+Most likely you will now want to get some "real life" packet data captured from your own network interface.
+
+When opening the capture dialog with "Capture->Start...", you will see lots of settings to choose from. For your first test, just keep the default settings.
+
+After clicking "OK", the capture starts and a dialog shows up, giving the actual count of captured packets and some very basic packet statistics.
+
+When you stop the capture, you will get the same screen as if you had opened a capture file from disk, using the "File->Open" command.
+
+See the "Capturing" section of this help for further information about capturing.
+
+
+Conclusion
+----------
+There are a lot more features than described here. Just have a look at the menus to see them all. :-)
+
+For more information about Ethereal, see: "http://www.ethereal.com". You can get a users' guide and other useful information there.
+
+We hope this helped you with the first steps of using Ethereal and that you will enjoy using this program.
git.samba.org / metze / wireshark / wip.git / commitdiff