<!-- WSUG Chapter Customizing -->
<chapter id="ChapterCustomize">
<title>Customizing Wireshark</title>
<section id="ChCustIntroduction"><title>Introduction</title>
Wireshark's default behaviour will usually suit your needs pretty well.
However, as you become more familiar with Wireshark, it can be customized
in various ways to suit your needs even better. In this chapter we explore:
How to start Wireshark with command line parameters
How to colorize the packet list
How to control protocol dissection
How to use the various preference settings
<section id="ChCustCommandLine"><title>Start Wireshark from the command line</title>
You can start <application>Wireshark</application> from the command
line, though it can also be started from most window managers.
In this section we will look at starting it from the command
<application>Wireshark</application> supports a large number of
command line parameters. To see what they are, simply enter the
command <command>ethereal -h</command> and the help information
shown in <xref linkend="ChCustEx1"/> (or something similar) should be
<example id="ChCustEx1">
<title>Help information available from Wireshark</title>
This is ethereal 0.10.13
(C) 1998-2005 Gerald Combs <gerald@wireshark.org>
Compiled with GTK+ 2.6.9, with GLib 2.6.6, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.3, with Net-SNMP 5.2.1.2, with ADNS.
Running with WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libp
cap version 0.9[.x] on Windows XP Service Pack 2, build 2600.
ethereal [ -vh ] [ -DklLnpQS ] [ -a <capture autostop condition> ] ...
[ -b <capture ring buffer option> ] ...
[ -B <capture buffer size> ]
[ -c <capture packet count> ] [ -f <capture filter> ]
[ -g <packet number> ] [ -i <capture interface> ] [ -m <font> ]
[ -N <name resolving flags> ] [ -o <preference/recent setting> ] ...
[ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ]
[ -t <time stamp format> ] [ -w <savefile> ] [ -y <capture link type> ]
[ -X <eXtension option> ] [ -z <statistics> ] [ <infile> ] </programlisting>
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command
<command>ethereal</command> by itself will bring up
<application>Wireshark</application>.
However, you can include as many of the command line parameters as
you like. Their meanings are as follows (in alphabetical order):
XXX - is the alphabetical order a good choice? Maybe better task based?
<varlistentry><term><command>-a <capture autostop condition></command></term>
Specify a criterion for when Wireshark is to stop writing
to a capture file. The criterion is of the form test:value, where test
<varlistentry><term><command>duration</command>:value</term>
Stop writing to a capture file after value seconds have elapsed.
<varlistentry><term><command>filesize</command>:value</term>
Stop writing to a capture file after it reaches a size of value
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If
this option is used together with the -b option, Wireshark will
stop writing to the current capture file and switch to the next
one if filesize is reached.
<varlistentry><term><command>files</command>:value</term>
Stop writing to capture files after value number of files were
<varlistentry><term><command>-b <capture ring buffer option></command></term>
If a maximum capture file size was specified, cause Wireshark to run
in "ring buffer" mode, with the specified number of files. In "ring
buffer" mode, Wireshark will write to several capture files. Their
name is based on the number of the file and on the creation date and
When the first capture file fills up, Wireshark will switch to writing
to the next file, until it fills up the last file, at which point
it'll discard the data in the first file (unless 0 is specified, in
which case, the number of files is unlimited) and start writing to
If the optional duration is specified, Wireshark will also switch to
the next file when the specified number of seconds has elapsed, even
if the current file is not completely filled up.
<varlistentry><term><command>duration</command>:value</term>
Switch to the next file after value seconds have elapsed, even
if the current file is not completely filled up.
<varlistentry><term><command>filesize</command>:value</term>
Switch to the next file after it reaches a size of value kilobytes
(where a kilobyte is 1000 bytes, not 1024 bytes).
<varlistentry><term><command>files</command>:value</term>
Begin again with the first file after value number of files were
written (form a ring buffer).
<varlistentry><term><command>-B <capture buffer size (Win32 only)></command></term>
Win32 only: set capture buffer size (in MB, default is 1MB). This
is used by the capture driver to buffer packet data until that
data can be written to disk. If you encounter packet drops while
capturing, try to increase this size.
<varlistentry><term><command>-c <capture packet count></command></term>
This option specifies the maximum number of packets to capture
when capturing live data. It would be used in conjunction
with the <command>-k</command> option.
<varlistentry><term><command>-D</command></term>
Print a list of the interfaces on which Wireshark can capture, and
exit. For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed. The interface name or the number can be supplied
to the <command>-i</command> flag to specify an interface on which to capture.
This can be useful on systems that don't have a command to list them
(e.g., Windows systems, or UNIX systems lacking <command>ifconfig -a</command>);
the number can be useful on Windows 2000 and later systems, where the
interface name is a somewhat complex string.
Note that "can capture" means that Wireshark was able to open
that device to do a live capture; if, on your system, a program doing a
network capture must be run from an account with special privileges (for
example, as root), then, if Wireshark is run with the <command>-D</command> flag and
is not run from such an account, it will not list any interfaces.
<varlistentry><term><command>-f <capture filter></command></term>
This option sets the initial capture filter expression to
be used when capturing packets.
<varlistentry><term><command>-g <packet number></command></term>
After reading in a capture file using the -r flag, go to the given
<varlistentry><term><command>-h</command></term>
The <command>-h</command> option requests Wireshark to print
its version and usage instructions (as shown above) and exit.
<varlistentry><term><command>-i <capture interface></command></term>
Set the name of the network interface or pipe to use for live packet
Network interface names should match one of the names listed in
<command>ethereal -D</command> (described above); a number, as reported by
<command>ethereal -D</command>, can also be used. If you're using UNIX, <command>netstat
-i</command> or <command>ifconfig -a</command> might also work to list interface names,
although not all versions of UNIX support the <command>-a</command> flag to <command>ifconfig</command>.
If no interface is specified, Wireshark searches the list of
interfaces, choosing the first non-loopback interface if there are any
non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces; if there are no interfaces,
Wireshark reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or "-" to
read data from the standard input. Data read from pipes must be in
standard libpcap format.
<varlistentry><term><command>-k</command></term>
The <command>-k</command> option specifies that Wireshark
should start capturing packets immediately. This option
requires the use of the <command>-i</command> parameter to
specify the interface that packet capture will occur from.
<varlistentry><term><command>-l</command></term>
This option turns on automatic scrolling if the packet
list pane is being updated automatically as packets arrive
during a capture (as specified by the <command>-S</command>
<varlistentry><term><command>-L</command></term>
List the data link types supported by the interface and exit.
<varlistentry><term><command>-m <font></command></term>
This option sets the name of the font used for most text
displayed by Wireshark. XXX - add an example!
<varlistentry><term><command>-n</command></term>
Disable network object name resolution (such as hostname, TCP and UDP
<varlistentry><term><command>-N <name resolving flags></command></term>
Turns on name resolving for particular types of addresses
and port numbers; the argument is a string that may contain
the letters <command>m</command> to enable MAC address
resolution, <command>n</command> to enable network address
resolution, and <command>t</command> to enable transport-layer
port number resolution. This overrides <command>-n</command>
if both <command>-N</command> and <command>-n</command> are
present. The letter <command>C</command> enables concurrent (asynchronous) DNS lookups.
<term><command>-o <preference/recent settings></command></term>
Sets a preference or recent value, overriding the default value and
any value read from a preference/recent file. The argument to the
flag is a string of the form prefname:value, where prefname
is the name of the preference (which is the same name that
would appear in the preference/recent file), and value is the value
to which it should be set. Multiple instances of
<command>-o <preference settings> </command> can be
given on a single command line.
<para>An example of setting a single preference would be: </para>
ethereal -o mgcp.display_dissect_tree:TRUE
An example of setting multiple preferences would be:
ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
<tip><title>Tip!</title>
You can get a list of all available preference strings from the
preferences file, see <xref linkend="AppFiles"/>.
<varlistentry><term><command>-p</command></term>
Don't put the interface into promiscuous mode. Note that
the interface might be in promiscuous mode for some other
reason; hence, -p cannot be used to ensure that the only
traffic that is captured is traffic sent to or from the
machine on which Wireshark is running, broadcast traffic, and
multicast traffic to addresses received by that machine.
<varlistentry><term><command>-Q</command></term>
This option forces Wireshark to exit when capturing is
complete. It can be used with the <command>-c</command> option.
It must be used in conjunction with the
<command>-i</command> and <command>-w</command> options.
<varlistentry><term><command>-r <infile></command></term>
This option provides the name of a capture file for Wireshark
to read and display. This capture file can be in one of the
formats Wireshark understands.
<varlistentry><term><command>-R <read (display) filter></command></term>
This option specifies a display filter to be applied when
reading packets from a capture file. The syntax of this
filter is that of the display filters discussed in
<xref linkend="ChWorkDisplayFilterSection"/>. Packets not
matching the filter are discarded.
<varlistentry><term><command>-s <capture snaplen></command></term>
This option specifies the snapshot length to use when
capturing packets. Wireshark will only capture
<command><snaplen></command> bytes of data for each packet.
<varlistentry><term><command>-S</command></term>
This option specifies that Wireshark will display packets as
it captures them. This is done by capturing in one process
and displaying them in a separate process. This is the same
as "Update list of packets in real time" in the Capture Options
<term><command>-t <time stamp format></command></term>
This option sets the format of packet timestamps that are
displayed in the packet list window. The format can be one of:
<command>r</command> relative, which specifies timestamps are
displayed relative to the first packet captured.
<command>a</command> absolute, which specifies that actual times
be displayed for all packets.
<command>ad</command> absolute with date, which specifies that
actual dates and times be displayed for all packets.
<command>d</command> delta, which specifies that timestamps
are relative to the previous packet.
<varlistentry><term><command>-v</command></term>
The <command>-v</command> option requests
Wireshark to print out its version information and exit.
<varlistentry><term><command>-w <savefile></command></term>
This option sets the name of the <command>savefile</command>
to be used when saving a capture file.
<varlistentry><term><command>-y <capture link type></command></term>
If a capture is started from the command line with -k, set the data
link type to use while capturing packets. The values reported by -L
are the values that can be used.
<varlistentry><term><command>-X <eXtension option></command></term>
Specify an option to be passed to a TShark module. The eXtension
option is in the form extension_key:value, where extension_key can
<command>lua_script</command>:lua_script_filename Tell Wireshark to load the given script in addition to the default Lua scripts.
<varlistentry><term><command>-z <statistics-string></command></term>
Get Wireshark to collect various types of statistics and display the
result in a window that updates in semi-real time.
XXX - add more details here!
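As an added example (not code from the Wireshark User's Guide), the following Python helper assembles an unattended capture command line from the options described above and rejects the combinations this section rules out: -Q needs -i and -w, -b ring-buffer mode needs a maximum file size, -a and -b take test:value, -o takes prefname:value, and -N takes only the letters m, n, t and C. The interface, file names and preference values are constructed; the flag spelling follows the ethereal usage text shown earlier.

```python
import shlex

CONDITION_TESTS = {"duration", "filesize", "files"}  # tests accepted by -a and -b
NAME_RESOLVE_FLAGS = set("mntC")                      # letters accepted by -N


def parse_condition(cond):
    """Validate one 'test:value' string as used by -a and -b; returns (test, value)."""
    test, sep, value = cond.partition(":")
    if not sep or test not in CONDITION_TESTS or not value.isdigit():
        raise ValueError(f"bad condition {cond!r}: expected test:value, test in {sorted(CONDITION_TESTS)}")
    return test, int(value)


def parse_pref(pref):
    """Validate one 'prefname:value' string as used by -o; returns (prefname, value)."""
    name, sep, value = pref.partition(":")
    if not sep or not name or not value:
        raise ValueError(f"bad preference {pref!r}: expected prefname:value")
    return name, value


def build_capture_argv(interface, savefile, *, autostop=(), ring=(), count=None,
                       capture_filter=None, resolve=None, prefs=(),
                       no_promisc=False, quit_when_done=False):
    """Return argv for a live capture started with -k.

    -i and -w are always emitted, so the requirements the chapter states for
    -k and -Q hold by construction; the other checks follow the text as well.
    """
    argv = ["ethereal", "-k", "-i", interface, "-w", savefile]
    tests_seen = set()
    for flag, conds in (("-a", autostop), ("-b", ring)):
        for cond in conds:
            tests_seen.add(parse_condition(cond)[0])
            argv += [flag, cond]
    if ring and "filesize" not in tests_seen:
        # Ring-buffer mode only applies once a maximum capture file size is given.
        raise ValueError("-b needs a filesize condition (given via -a or -b)")
    if count is not None:
        argv += ["-c", str(count)]          # meant to be combined with -k
    if capture_filter:
        argv += ["-f", capture_filter]
    if resolve is not None:
        if not set(resolve) <= NAME_RESOLVE_FLAGS:
            raise ValueError(f"-N accepts only the letters m, n, t and C; got {resolve!r}")
        argv += ["-N", resolve]
    for pref in prefs:
        parse_pref(pref)
        argv += ["-o", pref]
    if no_promisc:
        argv.append("-p")
    if quit_when_done:
        argv.append("-Q")
    return argv


def as_shell_line(argv):
    """Quote argv for pasting into a POSIX shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed example: ten 100000 kB files in a ring, stop after one hour, DNS only.
    print(as_shell_line(build_capture_argv(
        "eth0", "dns.pcap", ring=["filesize:100000", "files:10"],
        autostop=["duration:3600"], capture_filter="udp port 53",
        resolve="n", prefs=["mgcp.display_dissect_tree:TRUE"], quit_when_done=True)))
```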
<section id="ChCustColorizationSection"><title>Packet colorization</title>
A very useful mechanism available in Wireshark is packet colorization.
You can set up Wireshark so that it will colorize packets according to a
filter. This allows you to emphasize the packets you are usually
You will find a lot of Coloring Rule examples at the <command>Wireshark
Wiki Coloring Rules page</command> at <ulink
url="&WiresharkWikiColoringRulesPage;">&WiresharkWikiColoringRulesPage;</ulink>.
To colorize packets, select the Coloring Rules... menu item from
the View menu; Wireshark will pop up the "Coloring Rules"
dialog box as shown in <xref linkend="ChCustColoringRulesDialog"/>.
<figure id="ChCustColoringRulesDialog">
<title>The "Coloring Rules" dialog box</title>
<graphic entityref="WiresharkColoringRulesDialog" format="PNG"/>
Once the Coloring Rules dialog box is up, there are a number
of buttons you can use, depending on whether or not you have any
color filters installed already.
<note><title>Note!</title>
You will need to carefully select the order the coloring rules are listed
(and thus applied), as they are applied in order from top to bottom.
So, more specific rules need to be listed before more general rules.
For example, if you have a color rule for UDP before the one for DNS,
the color rule for DNS will never be applied (as DNS uses UDP, so the
UDP rule will match first).
If this is the first time you have used Coloring Rules, click on the New
button, which will bring up the Edit color filter dialog box as shown in
<xref linkend="ChCustEditColorDialog"/>.
<figure id="ChCustEditColorDialog">
<title>The "Edit Color Filter" dialog box</title>
<graphic entityref="WiresharkEditColorDialog" format="PNG"/>
In the Edit Color dialog box, simply enter a name for the color filter,
and enter a filter string in the Filter text field.
<xref linkend="ChCustEditColorDialog"/> shows the values
<command>arp</command> and <command>arp</command>, which means that
the name of the color filter is <command>arp</command> and the filter
will select protocols of type <command>arp</command>. Once you have
entered these values, you can choose a foreground and background
color for packets that match the filter expression. Click on
<command>Foreground color...</command> or
<command>Background color...</command> to achieve this and
Wireshark will pop up the Choose foreground/background color for
protocol dialog box as shown in
<xref linkend="ChCustChooseColorDialog"/>.
<figure id="ChCustChooseColorDialog">
<title>The "Choose color" dialog box</title>
<graphic entityref="WiresharkChooseColorDialog" format="PNG"/>
Select the color you desire for the selected packets and click on OK.
You must select a color in the colorbar next to the colorwheel to
load the RGB values. Alternatively, you can set the
values directly to select the color you want.
<xref linkend="ChCustColorFilterMany"/> shows an example of several color
filters being used in Wireshark. You may not like the color choices;
feel free to choose your own.
<figure id="ChCustColorFilterMany">
<title>Using color filters with Wireshark</title>
<graphic entityref="WiresharkThreePane1" format="PNG"/>
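The top-to-bottom, first-match behaviour that the note above warns about, as an added Python illustration that is not part of the User's Guide: packets are modelled as constructed lists of the protocol layers Wireshark would dissect, and rule filters as a tiny subset of the display filter language (protocol names joined by "and", optionally negated with "!"), an assumption made here to keep the example small. The shadow check reports rules that can never win because a more general rule sits above them.

```python
# Constructed sample packets: the protocol layers Wireshark would dissect for each.
SAMPLE_PACKETS = {
    "dns query": ["eth", "ip", "udp", "dns"],
    "ntp": ["eth", "ip", "udp", "ntp"],
    "http get": ["eth", "ip", "tcp", "http"],
    "arp request": ["eth", "arp"],
}


def rule_matches(filter_expr, layers):
    """Tiny filter subset (assumption): protocol names joined by ' and ', each
    optionally negated with '!'.  'udp and !dns' matches UDP that is not DNS."""
    for term in filter_expr.split(" and "):
        term = term.strip()
        negate = term.startswith("!")
        proto = term.lstrip("!").strip()
        if (proto in layers) == negate:
            return False
    return True


def color_rule_for(rules, layers):
    """Rules are tried from top to bottom; the first match decides the colour."""
    for name, filter_expr in rules:
        if rule_matches(filter_expr, layers):
            return name
    return None


def shadowed_rules(rules, packets):
    """Names of rules that match some sample packet but never win the top-down
    scan, i.e. rules hidden by a more general rule listed above them."""
    winners = {color_rule_for(rules, layers) for layers in packets.values()}
    return [name for name, expr in rules
            if name not in winners
            and any(rule_matches(expr, layers) for layers in packets.values())]


# The ordering the note warns about: UDP listed above DNS hides the DNS rule.
BAD_ORDER = [("UDP", "udp"), ("DNS", "dns"), ("TCP", "tcp"), ("ARP", "arp")]
# Two fixes: list the specific rule first, or make the general rule exclude it.
GOOD_ORDER = [("DNS", "dns"), ("UDP", "udp"), ("TCP", "tcp"), ("ARP", "arp")]
EXCLUDING = [("UDP", "udp and !dns"), ("DNS", "dns"), ("TCP", "tcp"), ("ARP", "arp")]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER), ("excluding", EXCLUDING)):
        print(label, "shadowed:", shadowed_rules(rules, SAMPLE_PACKETS))
```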
<section id="ChCustProtocolDissectionSection">
<title>Control Protocol dissection</title>
The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will
typically involve several dissectors. As Wireshark tries to find the
right dissector for each packet (using static "routes" and heuristic
"guessing"), it might choose the wrong dissector in your specific
case. For example, Wireshark won't know if you use a common protocol
on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
the standard port 80.
There are two ways to control the relations between protocol
dissectors: disable a protocol dissector completely or temporarily
divert the way Wireshark calls the dissectors.
<section id="ChAdvEnabledProtocols"><title>The "Enabled Protocols" dialog
The Enabled Protocols dialog box lets you enable or
disable specific protocols; all protocols are enabled by default.
When a protocol is disabled, Wireshark stops processing a packet
whenever that protocol is encountered.
<note><title>Note!</title>
Disabling a protocol will prevent information about higher-layer
protocols from being displayed. For example,
suppose you disabled the IP protocol and selected
a packet containing Ethernet, IP, TCP, and HTTP
information. The Ethernet information would be
displayed, but the IP, TCP and HTTP information
would not: disabling IP prevents it and
the protocols above it from being displayed.
<figure id="ChAdvEnabledProtocolsFig">
<title>The "Enabled Protocols" dialog box</title>
<graphic entityref="WiresharkEnabledProtocols" format="PNG"/>
To disable or enable a protocol, simply click on it using the
mouse or press the space bar when the protocol is highlighted.
<warning><title>Warning!</title>
You have to use the Save button to save your settings. The OK or Apply
buttons will not save your changes permanently, so they will be lost
when Wireshark is closed.
You can choose from the following actions:
<command>Enable All</command> Enable all protocols in the list.
<command>Disable All</command> Disable all protocols in the list.
<command>Invert</command> Toggle the state of all protocols in the
<command>OK</command> Apply the changes and close the dialog box.
<command>Apply</command> Apply the changes and keep the dialog box
<command>Save</command> Save the settings to the disabled_protos file; see
<xref linkend="AppFiles"/> for details.
<command>Cancel</command> Cancel the changes and close the dialog box.
<section id="ChAdvDecodeAs"><title>User Specified Decodes</title>
The "Decode As" functionality lets you temporarily divert specific
protocol dissections. This might be useful, for example, if you run
uncommon experiments on your network.
<figure id="ChAdvDecodeAsFig">
<title>The "Decode As" dialog box</title>
<graphic scale="100" entityref="WiresharkDecodeAs" format="PNG"/>
The content of this dialog box depends on the selected packet when it
<warning><title>Warning!</title>
The user specified decodes cannot be saved. If you quit Wireshark,
these settings will be lost.
<command>Decode</command> Decode packets the selected way.
<command>Do not decode</command> Do not decode packets the selected
<command>Link/Network/Transport</command> Specify the network layer
at which "Decode As" should take place. Which of these pages are
available depends on the content of the selected packet when this
dialog box was opened.
<command>Show Current</command> Open a dialog box showing the
current list of user specified decodes.
<command>OK</command> Apply the currently selected decode and close
<command>Apply</command> Apply the currently selected decode and keep
<command>Cancel</command> Cancel the changes and close the dialog box.
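A toy model of both controls in this section, added here as an illustration rather than Wireshark's own code: a dissection chain that halts at a disabled protocol (Enabled Protocols) and a table of user-specified decodes that diverts a port to another dissector (Decode As), using the HTTP-on-port-800 case from the text. The route table, the packet fields and the sample packets are constructed for the example.

```python
# Constructed static routes: (current protocol, demux value) -> next dissector,
# standing in for what the real dissectors register.
STATIC_ROUTES = {
    ("eth", 0x0800): "ip",   # EtherType IPv4
    ("ip", 6): "tcp",        # IP protocol numbers
    ("ip", 17): "udp",
    ("tcp", 80): "http",     # well-known ports
    ("udp", 53): "dns",
}


def dissect(packet, disabled=frozenset(), decode_as=None):
    """Return the list of protocols dissected for one packet.

    `packet` carries the demux values each layer reads: ethertype, ipproto
    and the port the transport dissector keys on.  A disabled protocol stops
    processing at that layer, so nothing above it appears; `decode_as`
    maps (protocol, value) -> dissector and overrides the static route,
    as the "Decode As" dialog does for the selected packet.
    """
    routes = dict(STATIC_ROUTES)
    routes.update(decode_as or {})
    demux = {
        "eth": packet.get("ethertype"),
        "ip": packet.get("ipproto"),
        "tcp": packet.get("port"),
        "udp": packet.get("port"),
    }
    layers = []
    proto = "eth"
    while proto is not None:
        if proto in disabled:
            break                      # Wireshark stops processing the packet here
        layers.append(proto)
        proto = routes.get((proto, demux.get(proto)))
    return layers


# Constructed packet: HTTP carried on TCP port 800 instead of the standard port 80.
HTTP_ON_800 = {"ethertype": 0x0800, "ipproto": 6, "port": 800}

if __name__ == "__main__":
    print(dissect(HTTP_ON_800))                                    # routing stops at tcp
    print(dissect(HTTP_ON_800, decode_as={("tcp", 800): "http"}))  # diverted to the HTTP dissector
    print(dissect(HTTP_ON_800, disabled={"ip"}))                   # nothing above Ethernet is shown
```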
<section id="ChAdvDecodeAsShow"><title>Show User Specified Decodes</title>
This dialog box shows the currently active user specified decodes.
<figure id="ChAdvDecodeAsShowFig">
<title>The "Decode As: Show" dialog box</title>
<graphic entityref="WiresharkDecodeAsShow" format="PNG"/>
<command>OK</command> Close this dialog box.
<command>Clear</command> Remove all user specified decodes.
<section id="ChCustPreferencesSection"><title>Preferences</title>
There are a number of preferences you can set. Simply
select the Preferences... menu item from the Edit menu, and Wireshark
will pop up the Preferences dialog box as shown in
<xref linkend="ChCustGUIPrefPage"/>, with the "User Interface" page as
default. On the left side is a tree where you can select the page to be
<note><title>Note!</title>
Preference settings are added frequently. For a recent explanation of
the preference pages and their settings have a look at the
<command>Wireshark Wiki Preferences page</command> at <ulink
url="&WiresharkWikiPreferencesPage;">&WiresharkWikiPreferencesPage;</ulink>.
<title>Warning!</title>
The OK or Apply button will not save the preference settings;
you'll have to save the settings by clicking the Save button.
The <command>OK</command> button will apply the preferences
settings and close the dialog.
The <command>Apply</command> button will apply the preferences
settings and keep the dialog open.
The <command>Save</command> button will apply the preferences
settings, save the settings on the hard disk and keep the dialog open.
The <command>Cancel</command> button will restore all preferences
settings to the last saved state.
<figure id="ChCustGUIPrefPage">
<title>The preferences dialog box</title>
<graphic entityref="WiresharkGUIPreferences" format="PNG"/>
<!-- End of WSUG Chapter Customizing -->