1 <!-- EUG Chapter Work -->
4 <chapter id="ChapterWork">
5 <title>Working with captured packets</title>
7 <section id="ChWorkViewPacketsSection"><title>Viewing packets you have captured</title>
9 Once you have captured some packets, or you have opened a previously
10 saved capture file, you can view the packets that are displayed in
11 the packet list pane by simply clicking on that packet in the
12 packet list pane, which will bring up the selected packet in the
13 tree view and byte view panes.
16 You can then expand any part of the tree view by clicking on the
17 <command>plus</command> sign (the symbol itself may vary) to the left of
18 that part of the payload,
19 and you can select individual fields by clicking on them in the tree
20 view pane. An example with a TCP packet selected is shown in
21 <xref linkend="ChWorkSelPack1"/>. It also has the Acknowledgment number
22 in the TCP header selected, which shows up in the byte view as the
24 <figure id="ChWorkSelPack1">
25 <title>Ethereal with a TCP packet selected for viewing</title>
26 <graphic entityref="EtherealPacketSelected1" format="PNG"/>
30 You can also select and view packets the same way, while Ethereal is
31 capturing, if you selected "Update list of packets in real time" in the
32 Ethereal Capture Preferences dialog box.
35 In addition, you can view individual packets in a separate window as
36 shown in <xref linkend="ChWorkPacketSepView"/>. Do this by selecting the
37 packet you are interested in in the packet list pane, and then
38 select "Show Packet in New Windows" from the Display menu. This
39 allows you to easily compare two or more packets.
40 <figure id="ChWorkPacketSepView">
41 <title>Viewing a packet in a separate window</title>
42 <graphic entityref="EtherealPacketSepView" format="PNG"/>
46 Finally, you can bring up a pop-up menu over either the "Packet List",
47 "Packet Details" or "Packet Bytes" pane by clicking your right mouse button.
50 The following table gives an overview of which functions are available
51 in the panes, where to find the corresponding function in the menu, and
52 a short description of each item.
54 <table id="PopupMenuTable">
55 <title>Function overview of the pop-up menus</title>
57 <colspec colnum="1" colwidth="80pt"/>
58 <colspec colnum="2" colwidth="20pt"/>
59 <colspec colnum="3" colwidth="20pt"/>
60 <colspec colnum="4" colwidth="20pt"/>
61 <colspec colnum="5" colwidth="80pt"/>
66 <entry>Details</entry>
69 <entry>Description</entry>
74 <entry><command>Follow TCP stream</command></entry>
78 <entry>Analyze</entry>
80 <para>View all the data on a TCP stream between a pair of nodes.</para>
84 <entry><command>Decode As...</command></entry>
88 <entry>Analyze</entry>
94 <entry><command>Display Filters...</command></entry>
98 <entry>Analyze</entry>
100 <para>Specify and manage filters.</para>
104 <entry><command>Mark Packet</command></entry>
110 <para>Mark a packet.</para>
114 <entry><command>Time Reference</command></entry>
120 <para>Set/reset and find time references.</para>
124 <entry><command>Apply as Filter</command></entry>
128 <entry>Analyze</entry>
134 <entry><command>Prepare a Filter</command></entry>
138 <entry>Analyze</entry>
144 <entry><command>Coloring Rules...</command></entry>
150 <para>Colorize packets in the "Packet List" pane.</para>
154 <entry><command>Print...</command></entry>
160 <para>Print packets.</para>
164 <entry><command>Show Packet in New Window</command></entry>
170 <para>Display the selected packet in another window.</para>
174 <entry><command>Resolve name</command></entry>
180 <para>Cause a name resolution to be performed for the selected packet,
181 but NOT for every packet in the capture.</para>
185 <entry><command>Go to Corresponding Packet</command></entry>
191 <para>If the selected field has a packet number in it, go to it. The
192 corresponding packet will often be a response which is requested by
193 this packet, or the request for which this packet is a response.
198 <entry><command>Export Selected Packet Bytes...</command></entry>
202 <entry>File->Export</entry>
204 <para>Export raw packet bytes to a binary file.</para>
208 <entry><command>Protocol Preferences...</command></entry>
214 <para>The menu item takes you to the preferences dialog and selects
215 the page corresponding to the protocol if there are settings
216 associated with the highlighted field. More information on preferences
217 can be found in <xref linkend="ChCustProtocolsPrefPages"/>.
222 <entry><command>Collapse All</command></entry>
229 Ethereal keeps a list of all the protocol subtrees that are
230 expanded, and uses it to ensure that the correct subtrees
231 are expanded when you display a packet. This menu item
232 collapses the tree view of all packets in the capture list.
237 <entry><command>Expand All</command></entry>
243 <para>Expand all subtrees in all packets in the capture.
248 <entry><command>Expand Tree</command></entry>
254 <para>Expand the currently selected subtree.
262 <figure id="ChWorkPacketListPanePopUpMenu">
263 <title>Pop-up menu of "Packet List" pane</title>
264 <graphic entityref="EtherealPacketPanePopupMenu" format="PNG"/>
267 <varlistentry><term><command>Follow TCP Stream</command></term>
270 This menu item is the same as the Analyze menu item of
271 the same name. It allows you to view all the data on a TCP
272 stream between a pair of nodes.
276 <varlistentry><term><command>Decode As...</command></term>
279 This menu item is the same as the Analyze menu item of the
284 <varlistentry><term><command>Display Filters...</command></term>
287 This menu item is the same as the Analyze menu item of the same
288 name. It allows you to specify and manage display filters.
292 <varlistentry><term><command>Mark Packet</command></term>
295 This menu item is the same as the Edit menu item of the same
296 name. It allows you to mark a packet.
300 <varlistentry><term><command>Time Reference</command></term>
303 This menu item is the same as the Edit menu items of the same
304 name. It allows you to set and work with time references.
308 <varlistentry><term><command>Apply as Filter</command></term>
311 This menu item is the same as the Analyze menu items of the same
316 <varlistentry><term><command>Prepare a Filter</command></term>
319 This menu item is the same as the Analyze menu items of the same
325 <term><command>Coloring Rules...</command></term>
328 This menu item is the same as the View menu item of the
329 same name. It allows you to colorize packets in the packet
334 <varlistentry><term><command>Print...</command></term>
337 This menu item is the same as the File menu item of the same
338 name. It allows you to print packets.
343 <term><command>Show Packet in New Window</command></term>
346 This menu item is the same as the View menu item of the
347 same name. It allows you to display the selected packet in
355 <figure id="ChWorkPacketDetailsPanePopUpMenu">
356 <title>Pop-up menu of "Packet Details" pane</title>
357 <graphic entityref="EtherealDetailsPanePopupMenu" format="PNG"/>
360 <varlistentry><term><command>Follow TCP Stream</command></term>
363 This menu item is the same as the Analyze menu item of the
364 same name. It allows you to view all the data on a TCP stream
365 between a pair of nodes.
369 <varlistentry><term><command>Decode As...</command></term>
372 This menu item is the same as the Analyze menu item of the
377 <varlistentry><term><command>Display Filters...</command></term>
380 This menu item is the same as the Analyze menu item of the same
381 name. It allows you to specify and manage filters.
385 <varlistentry><term><command>Resolve Name</command></term>
388 This menu item causes name resolution to be performed for
389 the selected packet, but NOT every packet in the capture.
393 <varlistentry><term><command>Go to Corresponding Packet</command></term>
396 If the selected field has a corresponding packet, go to it.
397 Corresponding packets will usually be a request/response packet pair
402 <varlistentry><term><command>Export Selected Packet Bytes...</command></term>
405 This menu item is the same as the File menu item of the same
406 name. It allows you to export raw packet bytes to a binary file.
410 <varlistentry><term><command>Protocol Properties...</command></term>
413 The menu item takes you to the properties dialog and selects the
414 page corresponding to the protocol if there are properties
415 associated with the highlighted field.
416 More information on preferences can be found in
417 <xref linkend="ChCustGUIPrefPage"/>.
421 <varlistentry><term><command>Apply as Filter</command></term>
424 This menu item is the same as the Analyze menu items of the same
429 <varlistentry><term><command>Prepare a Filter</command></term>
432 This menu item is the same as the Analyze menu items of the same
437 <varlistentry><term><command>Collapse All</command></term>
440 Ethereal keeps a list of all the protocol subtrees that are
441 expanded, and uses it to ensure that the correct subtrees
442 are expanded when you display a packet. This menu item
443 collapses the tree view of all packets in the capture list.
447 <varlistentry><term><command>Expand All</command></term>
450 This menu item expands all subtrees in all packets in the
455 <varlistentry><term><command>Expand Tree</command></term>
458 This menu item expands the currently selected subtree.
465 <figure id="ChWorkPacketBytesPanePopUpMenu">
466 <title>Pop-up menu of "Packet Bytes" pane</title>
467 <graphic entityref="EtherealBytesPanePopupMenu" format="PNG"/>
470 <varlistentry><term><command>Follow TCP Stream</command></term>
473 This menu item is the same as the Analyze menu item of the
474 same name. It allows you to view all the data on a TCP stream
475 between a pair of nodes.
479 <varlistentry><term><command>Decode As...</command></term>
482 This menu item is the same as the Analyze menu item of the
487 <varlistentry><term><command>Display Filters...</command></term>
490 This menu item is the same as the Analyze menu item of the same
491 name. It allows you to specify and manage filters.
495 <varlistentry><term><command>Export Selected Packet Bytes...</command></term>
498 This menu item is the same as the File menu item of the same
499 name. It allows you to export raw packet bytes to a binary file.
507 <section id="ChWorkDisplayFilterSection"><title>Filtering packets while viewing</title>
509 Ethereal has two filtering languages: One used when capturing
510 packets, and one used when displaying packets. In this section we
511 explore that second type of filter: Display filters. The first one
512 has already been dealt with in <xref linkend="ChCapCaptureFilterSection"/>.
515 Display filters allow you to concentrate on the packets you are
516 interested in. They allow you to select packets by:
518 <listitem><para>Protocol</para></listitem>
519 <listitem><para>The presence of a field</para></listitem>
520 <listitem><para>The values of fields</para></listitem>
521 <listitem><para>A comparison between fields</para></listitem>
522 <listitem><para>... and a lot more!</para></listitem>
526 To select packets based on protocol type, simply type the protocol you
527 are interested in in the <command>Filter:</command> field in the filter
528 toolbar of the Ethereal window and press enter to initiate
529 the filter. <xref linkend="ChWorkTCPFilter"/> shows an example of what
530 happens when you type <command>tcp</command> in the filter field.
535 All protocol and field names are entered in lowercase. Also, don't
536 forget to press enter after entering the filter expression.
539 <figure id="ChWorkTCPFilter"><title>Filtering on the TCP protocol</title>
540 <graphic entityref="EtherealFilterTCP" format="JPG"/>
543 As you might have noticed, only packets of the TCP protocol are displayed
544 now (e.g. packets 1-10 are hidden). The packet numbering will remain as
545 before, so the first packet shown is now packet number 11.
550 When using a display filter, all packets remain in the capture file.
551 The display filter only changes the display of the capture file and
556 You can filter on any protocol that Ethereal understands.
557 You can also filter on any field that a dissector adds to the tree
558 view, but only if the dissector has added an abbreviation for the
559 field. A list of such fields is available in the Ethereal in the
560 <command>Add Expression...</command> dialog box. You can find more
561 information on the <command>Add Expression...</command> dialog box
562 in <xref linkend="ChWorkFilterAddExpressionSection"/>.
565 For example, to narrow the packet list pane down to only those
566 packets to or from the IP address 192.168.0.1, use
567 <command>ip.addr==192.168.0.1</command>.
572 To remove the filter, click on the <command>Clear</command> button
573 to the right of the filter field.
578 <section id="ChWorkBuildDisplayFilterSection">
579 <title>Building display filter expressions</title>
581 Ethereal provides a simple but powerful display filter language that you
582 can build quite complex filter expressions with. You can compare
583 values in packets as well as combine expressions into more
584 specific expressions. The following sections provide more
585 information on doing this.
588 <title>Display filter fields</title>
590 Every field in the packet details pane can be used as a filter
591 string, this will result in showing only the packets where this field
592 exists. For example: the
593 filter string: <command>tcp</command> will show all packets containing the
597 There is a complete list of all filter fields available
598 through the menu item "Help/Supported Protocols" in the page "Display Filter
599 Fields" of the upcoming dialog.
602 XXX - add some more info here and a link to the statusbar info.
606 <title>Comparing values</title>
608 You can build display filters that compare values using a number
609 of different comparison operators. They are shown in
610 <xref linkend="DispCompOps"/>.
614 You can use English and C-like terms in the same way, they can even be
615 mixed in a filter string!
618 <table id="DispCompOps">
619 <title>Display Filter comparison operators</title>
621 <colspec colnum="1" colwidth="50pt"/>
622 <colspec colnum="2" colwidth="50pt"/>
625 <entry>English</entry>
626 <entry>C-like</entry>
627 <entry>Description and example</entry>
633 <entry><programlisting>==</programlisting></entry>
635 <command>Equal</command></para><para>
636 <programlisting>ip.addr==10.0.0.5</programlisting>
641 <entry><programlisting>!=</programlisting></entry>
643 <command>Not equal</command></para><para>
644 <programlisting>ip.addr!=10.0.0.5</programlisting>
649 <entry><programlisting>></programlisting></entry>
651 <command>Greater than</command></para><para>
652 <programlisting>frame.pkt_len > 10</programlisting>
657 <entry><programlisting><</programlisting></entry>
658 <entry><para><command>Less than</command></para><para>
659 <programlisting>frame.pkt_len < 128</programlisting>
664 <entry><programlisting>>=</programlisting></entry>
666 <command>Greater than or equal to</command></para><para>
667 <programlisting>frame.pkt_len ge 0x100</programlisting>
672 <entry><programlisting><=</programlisting></entry>
674 <command>Less than or equal to</command></para><para>
675 <programlisting>frame.pkt_len <= 0x20</programlisting>
682 In addition, all protocol fields are typed.
683 <xref linkend="ChWorkFieldTypes"/> provides a list of the types and
684 example of how to express them.
685 <table id="ChWorkFieldTypes">
686 <title>Display Filter Field Types</title>
691 <entry>Example</entry>
697 Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
700 You can express integers in decimal, octal, or
701 hexadecimal. The following display filters are
712 Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
717 <entry>Boolean</entry>
719 A boolean field is present in the protocol decode
720 only if its value is true. For example,
721 <command>tcp.flags.syn</command> is present, and
722 thus true, only if the SYN flag is present in a
723 TCP segment header.</para><para>
724 Thus the filter expression
725 <command>tcp.flags.syn</command> will select only
726 those packets for which this flag exists, that is,
727 TCP segments where the segment header contains the
728 SYN flag. Similarly, to find source-routed token
729 ring packets, use a filter expression of
730 <command>tr.sr</command>.
734 <entry>Ethernet address (6 bytes)</entry>
735 <entry>eth.addr == ff:ff:ff:ff:ff:ff</entry>
738 <entry>IPv4 address</entry>
739 <entry>ip.addr == 192.168.0.1</entry>
742 <entry>IPv6 address</entry>
746 <entry>IPX network number</entry>
750 <entry>String (text)</entry>
755 Double-precision floating point number
765 <title>Combining expressions</title>
767 You can combine filter expressions in Ethereal using the
768 logical operators shown in <xref linkend="FiltLogOps"/>
770 <table id="FiltLogOps">
771 <title>Display Filter Logical Operations</title>
773 <colspec colnum="1" colwidth="50pt"/>
774 <colspec colnum="2" colwidth="50pt"/>
777 <entry>English</entry>
778 <entry>C-like</entry>
779 <entry>Description and example</entry>
785 <entry>&&</entry>
787 <command>Logical AND</command></para><para>
788 <programlisting>ip.addr==10.0.0.5 and tcp.flags.fin</programlisting>
795 <command>Logical OR</command></para><para>
796 <programlisting>ip.addr==10.0.0.5 or ip.addr==192.1.1.1</programlisting>
803 <command>Logical XOR</command></para><para>
804 <programlisting>tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29</programlisting>
811 <command>Logical NOT</command></para><para>
812 <programlisting>not llc</programlisting>
819 <command>Substring Operator</command></para><para>
820 Ethereal allows you to select subsequences of a
821 sequence in rather elaborate ways. After a label you
822 can place a pair of brackes [] containing a comma
823 separated list of range specifiers. </para><para>
824 <programlisting>eth.src[0:3] == 00:00:83</programlisting></para><para>
825 The example above uses the n:m format to specify a
826 single range. In this case n is the beginning offset
827 and m is the length of the range
828 being specified.</para><para>
830 eth.src[1-2] == 00:83
831 </programlisting></para><para>
832 The example above uses the n-m format to specify a
833 single range. In this case n is the beginning offset
834 and m is the ending offset. </para><para>
835 <programlisting>eth.src[:4] == 00:00:83:00</programlisting></para><para>
836 The example above uses the :m format, which takes
837 everything from the beginning of a sequence to offset m.
838 It is equivalent to 0:m</para><para>
839 <programlisting>eth.src[4:] == 20:20</programlisting></para><para>
840 The example above uses the n: format, which takes
841 everything from offset n to the end of the
842 sequence. </para><para>
843 <programlisting>eth.src[2] == 83</programlisting></para><para>
844 The example above uses the n format to specify a
845 single range. In this case the element in the
846 sequence at offset n is selected. This is equivalent
848 <programlisting>eth.src[0:3,1-2,:4,4:,2] ==
849 00:00:83:00:83:00:00:83:00:20:20:83</programlisting></para><para>
850 Ethereal allows you to string together single ranges
851 in a comma separated list to form compound ranges as
859 <section><title>A common mistake</title>
861 Often people use a filter string to display something like
862 <command>ip.addr == 1.2.3.4</command> which will display all packets
863 containing the IP address 1.2.3.4.
866 Then they use <command>ip.addr != 1.2.3.4</command> to see all packets
867 not containing the IP address 1.2.3.4 in it. Unfortunately, this does
868 <command>not</command> do the expected.
871 Instead, that expression will even be true for packets where either
872 source or destination IP address equals 1.2.3.4. The reason for this,
873 is that the expression <command>ip.addr != 1.2.3.4</command> must be read as "the
874 packet contains a field named ip.addr with a value
875 different from 1.2.3.4". As an IP datagram contains both a source and
876 a destination address, the expression will evaluate to true whenever
877 at least one of the two addresses differs from 1.2.3.4.
881 filter out all packets containing IP datagrams to or from IP address
882 1.2.3.4, then the correct filter is <command>!(ip.addr == 1.2.3.4)</command> as it
883 reads "show me all the packets for which it is not true
884 that a field named ip.addr exists with a value of 1.2.3.4", or in
885 other words, "filter out all packets for which there are
886 no occurrences of a field named ip.addr with the value 1.2.3.4".
891 <section id="ChWorkFilterAddExpressionSection">
892 <title>The "Filter Expression" dialog box</title>
894 When you are accustomed to Ethereal's filtering system and know what
895 labels you wish to use in your filters it can be very quick to
896 simply type a filter string. However if you are new to Ethereal or
897 are working with a slightly unfamiliar protocol it can be very
898 confusing to try to figure out what to type. The Filter Expression
899 dialog box helps with this.
901 <tip><title>Tip!</title>
903 The "Filter Expression" dialog box is an excellent way to learn how to
904 write Ethereal display filter strings.
907 <figure id="ChWorkFilterAddExpression1">
908 <title>The "Filter Expression" dialog box</title>
909 <graphic entityref="EtherealFilterAddExpression" format="PNG"/>
912 When you first bring up the Filter Expression dialog box you are shown a
913 tree list of field names, organized by protocol, and a box for
914 selecting a relation.
917 <varlistentry><term><command>Field Name</command></term>
920 Select a protocol field from the protocol field tree.
921 Every protocol with filterable fields is listed at the
922 top level. By clicking on the "+" next to a protocol name
923 you can get a list of the field names available for filtering
928 <varlistentry><term><command>Relation</command></term>
931 Select a relation from the list of available relation.
932 The <command>is present</command> is a unary relation which
933 is true if the selected field is present in a packet. All
934 other listed relations are binary relations which require additional
935 data (e.g. a <command>Value</command> to match) to complete.
941 When you select a field from the field name list and select a
942 binary relation (such as the equality relation ==) you will be
943 given the opportunity to enter a value, and possibly some range
947 <varlistentry><term><command>Value</command></term>
950 You may enter an appropriate value in the
951 <command>Value</command> text box. The <command>Value</command>
952 will also indicate the type of value for the
953 <command>field name</command> you have selected (like
958 <varlistentry><term><command>Predefined values</command></term>
961 Some of the protocol fields have predefined values available, much like
962 enum's in C. If the selected protocol field has such values defined, you
967 <varlistentry><term><command>Range</command></term>
970 XXX - add an explanation here!
974 <varlistentry><term><command>OK</command></term>
977 When you have built a satisfactory expression click
978 <command>OK</command> and a filter string will be
983 <varlistentry><term><command>Cancel</command></term>
986 You can leave the <command>Add Expression...</command> dialog
987 box without any effect by clicking the <command>Cancel</command>
994 <section id="ChWorkDefineFilterSection"><title>Defining and saving filters</title>
996 You can define filters with Ethereal and give them labels for
997 later use. This can save time in remembering and retyping some of
998 the more complex filters you use.
1001 To define a new filter or edit an existing filter, select the
1002 <command>Capture Filters...</command> menu item from the Capture menu
1003 or the <command>Display Filters...</command> menu item from the Analyze
1004 menu. Ethereal will then pop up the Filters dialog as shown in
1005 <xref linkend="FiltersDialog"/>.
1008 <title>Note!</title>
1010 The mechanisms for defining and saving capture filters and display
1011 filters are almost identical. So both will be described here,
1012 differences between these two will be marked as such.
1015 <warning><title>Warning!</title>
1017 You must use <command>Save</command> to save your filters permanently.
1018 <command>Ok</command> or <command>Apply</command> will not save the filters,
1019 so they will be lost when you close Ethereal.
1022 <figure id="FiltersDialog">
1023 <title>The "Capture Filters" and "Display Filters" dialog boxes</title>
1024 <graphic entityref="EtherealFilters" format="PNG"/>
1028 <varlistentry><term><command>New</command></term>
1031 This button adds a new filter to the list of filters. The currently
1032 entered values from Filter name and Filter string will be used. If
1033 any of these fields are empty, it will be set to "new".
1037 <varlistentry><term><command>Delete</command></term>
1040 This button deletes the selected filter. It will be greyed out, if no
1045 <varlistentry><term><command>Filter</command></term>
1048 You can select a filter from this list (which will fill in the
1049 filter name and filter string in the fields down the bottom of the
1054 <varlistentry><term><command>Filter name:</command></term>
1057 You can change the name of the currently selected filter here.
1059 <note><title>Note!</title>
1061 The filter name will only be used in this dialog to identify the
1062 filter for your convenience, it will not be used elsewhere. You can
1063 add multiple filters with the same name, but this is not very useful.
1068 <varlistentry><term><command>Filter string:</command></term>
1071 You can change the filter string of the currently selected filter here.
1072 Display Filter only: the string will be syntax checked while you are
1077 <varlistentry><term><command>Add Expression...</command></term>
1080 Display Filter only: This button brings up the Add Expression
1081 dialog box which assists in building filter strings. You can find
1082 more information about the Add Expression dialog in
1083 <xref linkend="ChWorkFilterAddExpressionSection"/>
1087 <varlistentry><term><command>OK</command></term>
1090 Display Filter only: This button applies the selected filter to the
1091 current display and closes the dialog.
1095 <varlistentry><term><command>Apply</command></term>
1098 Display Filter only: This button applies the selected filter to the
1099 current display, and keeps the dialog open.
1103 <varlistentry><term><command>Save</command></term>
1106 Save the current settings in this dialog. The file location and
1107 format is explained in <xref linkend="AppFiles"/>.
1111 <varlistentry><term><command>Close</command></term>
1114 Close this dialog. This will discard unsaved settings.
1122 <section id="ChWorkFindPacketSection"><title>Finding packets</title>
1124 You can easily find packets once you have captured some packets or
1125 have read in a previously saved capture file. Simply select the
1126 <command>Find Packet...</command> menu item from the
1127 <command>Edit</command> menu. Ethereal will pop up the dialog box
1128 shown in <xref linkend="ChWorkFindPacketDialog"/>.
1130 <section><title>The "Find Packet" dialog box</title>
1131 <figure id="ChWorkFindPacketDialog">
1132 <title>The "Find Packet" dialog box</title>
1133 <graphic entityref="EtherealFindPacket" format="PNG"/>
1136 You might first select the kind of thing to search for:
1140 <command>Display filter</command>
1143 Simply enter a display filter string into the
1144 <command>Filter:</command> field, select a direction, and click on OK.
1147 For example, to find the three way handshake for a connection from
1148 host 192.168.0.1, use the following filter string:
1149 <programlisting>ip.addr==192.168.0.1 and tcp.flags.syn</programlisting>
1150 For more details on display filters, see <xref linkend="ChWorkDisplayFilterSection"/>
1155 <command>Hex Value</command>
1158 Search for a specific byte sequence in the packet data.
1161 For example, use "00:00" to find the next packet including two
1162 null bytes in the packet data.
1167 <command>String</command>
1170 Find a string in the packet data, with various options.
1176 The value to be found will by syntax checked while you type it in. If the
1177 syntax check of your value succeeded, the background of the entry field
1178 will turn green, if it fails, it will turn red.
1181 You can choose the direction to be searched for:
1184 <para><command>Up</command></para>
1185 <para>Search upwards in the packet list (decreasing packet numbers).</para>
1190 <para><command>Down</command></para>
1191 <para>Search downwards in the packet list (increasing packet numbers).</para>
1196 <section><title>The "Find Next" command</title>
1198 "Find Next" will continue searching with the same options like in the last
1202 <section><title>The "Find Previous" command</title>
1204 "Find Previous" will do the same thing as "Find Next", but with reverse
1210 <section id="ChWorkGoToPacketSection"><title>Go to a specific packet</title>
1212 You can easily jump to specific packets with one of the menu items in the
1215 <section><title>The "Go to Packet" dialog box</title>
1216 <figure id="ChWorkGoToPacketDialog">
1217 <title>The "Go To Packet" dialog box</title>
1218 <graphic entityref="EtherealGoToPacket" format="PNG"/>
1221 This dialog box will let you enter a packet number. When you press
1222 <command>OK</command>, Ethereal will jump to that packet.
1225 <section><title>The "Go to Corresponding Packet" command</title>
1227 If a protocol field is selected, which points to another packet in the
1228 capture file, this command will jump to that packet.
1230 <note><title>Note!</title>
1232 As these protocol fields now work like links (just as in your
1233 Web browser), it's easier simply to double-click on the field to jump
1234 to the corresponding field.
1238 <section><title>The "Go to First Packet" command</title>
1240 This command will simply jump to the first packet displayed.
1243 <section><title>The "Go to Last Packet" command</title>
1245 This command will simply jump to the last packet displayed.
1250 <section id="ChWorkMarkPacketSection"><title>Marking packets</title>
1252 You can mark packets in the "Packet List" pane. A marked packet will
1253 be shown with black background, regardless of the coloring rules set.
1254 Marking a packet can be useful to find it later while analyzing in a large
1257 <warning><title>Warning!</title>
1259 The packet marks are not stored in the capture file or anywhere else,
1260 so all packet marks will be lost if you close the capture file.
1264 You can use packet marking to control the output of packets when
1265 saving/exporting/printing. To do so, an option in the packet range is
1266 available, see <xref linkend="ChIOPacketRangeSection"/>.
1269 There are three functions to manipulate the marked state of a packet:
1273 <command>Mark packet</command> toggle the marked state of a single packet.
1278 <command>Mark all packets</command> set the mark state of all packets.
1283 <command>Unmark all packets</command> reset the mark state of all packets.
1287 These mark function are available from the "Edit" menu, and the "Mark packet"
1288 function is also available from the pop-up menu of the "Packet List" pane.
1292 <section id="ChWorkTimeFormatsSection"><title>Time display formats and time
1295 While packets are captured, each packet is timestamped. These timestamps
1296 will be saved to the capture file, so they will be available for later
1300 When the packets are displayed, the presentation of these timestamps can
1301 be chosen by the user. There are four presentation formats available:
1303 <listitem><para><command>Time of Day</command>, e.g. 20:02:48.863096
1304 The absolute time of the day when the packet was captured.</para>
1306 <listitem><para><command>Date and Time of Day</command>, e.g. 2004-06-22 20:02:48.863096
1307 The absolute date and time of the day when the packet was captured.</para>
1309 <listitem><para><command>Seconds Since Beginning of Capture</command>, e.g. 123.299139
1310 The time relative to the start of the capture file or the first
1311 "Time Reference" before this packet (see <xref
1312 linkend="ChWorkTimeReferencePacketSection"/>).</para>
1314 <listitem><para><command>Seconds Since Previous Packet</command>, e.g. 1.162423
1315 The time relative to the previous packet.</para>
1318 The time format can be selected from the View menu, see
1319 <xref linkend="ChUseEtherealViewMenu"/>.
1322 XXX - how is the GMT / localtime thing handled.
1324 <section id="ChWorkTimeReferencePacketSection">
1325 <title>Packet time referencing</title>
1327 The user can set time references to packets. A time reference is the
1328 starting point for all subsequent packet time calculations. It will be
1329 useful, if you want to see the time values relative to a special packet,
1330 e.g. the start of a new request. It's possible to set multiple time
1331 references in the capture file.
1333 <warning><title>Warning!</title>
1335 The time references will not be saved permanently and will be lost when
1336 you close the capture file.
1339 <note><title>Note!</title>
1341 Time referencing will only be useful, if the time display format is set to
1342 "Seconds Since Beginning of Capture". If one of the other time display
1343 formats are used, time referencing will have no effect (and will make no
1348 To work with time references, choose one of the "Time Reference" items
1349 in the "Edit" menu , see <xref linkend="ChUseEditMenuSection"/>, or from
1350 the pop-up menu of the "Packet List" pane.
1353 <listitem><para><command>Set Time Reference (toggle)</command>
1354 Toggles the time reference state of the currently selected
1355 packet to on or off.</para>
1357 <listitem><para><command>Find Next</command>
1358 Find the next time referenced packet in the "Packet List" pane.
1361 <listitem><para><command>Find Previous</command>
1362 Find the previous time referenced packet in the "Packet List"
1368 <figure id="ChWorkTimeReference">
1369 <title>Ethereal showing a time referenced packet</title>
1370 <graphic entityref="EtherealTimeReference" format="PNG"/>
1374 A time referenced packet will be marked with the string *REF* in the Time
1375 column (see packet number 10). All subsequent packets will show the time
1376 since the last time reference.
1382 <!-- End of EUG Chapter Work -->
git.samba.org / obnox / wireshark / wip.git / blob