<!-- WSUG Chapter Three -->
<chapter id="ChapterUsing">
<title>User Interface</title>
<section id="ChUseIntroductionSection"><title>Introduction</title>
By now you have installed <application>Wireshark</application> and
are most likely keen to get started capturing your first packets. In
the next chapters we will explore:
How the Wireshark user interface works
How to capture packets in <application>Wireshark</application>
How to view packets in <application>Wireshark</application>
How to filter packets in <application>Wireshark</application>
... and many other things!
<section id="ChUseStartSection"><title>Start Wireshark</title>
You can start Wireshark from your shell or window manager.
<tip><title>Tip!</title>
When starting Wireshark it's possible to specify optional settings using
the command line. See <xref linkend="ChCustCommandLine"/> for details.
<note><title>Note!</title>
In the following chapters, a lot of screenshots from Wireshark will be shown.
Because Wireshark runs on many different platforms, with many different window
managers and styles applied, and with different versions of the underlying
GUI toolkit, your screen might look different from the provided
screenshots. As there are no real differences in functionality, these
screenshots should still be easy to follow.
<section id="ChUseMainWindowSection"><title>The Main window</title>
Let's look at Wireshark's user interface. <xref linkend="ChUseFig01"/> shows
Wireshark as you would usually see it after some packets are captured or loaded
(how to do this will be described later).
<figure id="ChUseFig01">
<title>The Main window</title>
<graphic scale="100" entityref="WiresharkThreePane1" format="PNG"/>
Wireshark's main window consists of parts that are commonly known from many
The <emphasis>menu</emphasis> (see <xref linkend="ChUseMenuSection"/>)
is used to start actions.
The <emphasis>main toolbar</emphasis> (see <xref linkend="ChUseMainToolbarSection"/>)
provides quick access to frequently used items from the menu.
The <emphasis>filter toolbar</emphasis> (see <xref linkend="ChUseFilterToolbarSection"/>)
provides a way to directly manipulate the currently used display filter
(see <xref linkend="ChWorkDisplayFilterSection"/>).
The <emphasis>packet list pane</emphasis> (see <xref linkend="ChUsePacketListPaneSection"/>)
displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
The <emphasis>packet details pane</emphasis> (see <xref linkend="ChUsePacketDetailsPaneSection"/>)
displays the packet selected in the packet list pane in more detail.
The <emphasis>packet bytes pane</emphasis> (see <xref linkend="ChUsePacketBytesPaneSection"/>)
displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
The <emphasis>statusbar</emphasis> (see <xref linkend="ChUseStatusbarSection"/>)
shows some detailed information about the current program state and
<tip><title>Tip!</title>
The layout of the main window can be customized by changing preference settings.
See <xref linkend="ChCustPreferencesSection"/> for details!
<section id="ChUseMainWindowNavSection"><title>Main Window Navigation</title>
Packet list and detail navigation can be done entirely from the
keyboard. <xref linkend="ChUseTabNav"/> shows a list of keystrokes
that will let you quickly move around a capture file. See
<xref linkend="ChUseTabGo"/> for additional navigation keystrokes.
<table id="ChUseTabNav" frame="none">
<title>Keyboard Navigation</title>
<colspec colnum="1" colwidth="72pt"/>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry>Tab, Shift+Tab</entry>
Move between screen elements, e.g. from the toolbars
to the packet list to the packet detail.
Move to the next packet or detail item.
Move to the previous packet or detail item.
<entry>Ctrl+Down, F8</entry>
Move to the next packet, even if the packet
<entry>Ctrl+Up, F7</entry>
Move to the previous packet, even if the packet
<entry>Ctrl+.</entry>
Move to the next packet of the conversation
<entry>Ctrl+,</entry>
Move to the previous packet of the conversation
In the packet detail, closes the selected tree item.
If it's already closed, jumps to the parent node.
In the packet detail, opens the selected tree item.
<entry>Shift+Right</entry>
In the packet detail, opens the selected tree item
and all of its subtrees.
<entry>Ctrl+Right</entry>
In the packet detail, opens all tree items.
<entry>Ctrl+Left</entry>
In the packet detail, closes all tree items.
<entry>Backspace</entry>
In the packet detail, jumps to the parent node.
<entry>Return, Enter</entry>
In the packet detail, toggles the selected
Additionally, typing anywhere in the main window will start filling
<section id="ChUseMenuSection"><title>The Menu</title>
The Wireshark menu sits on top of the Wireshark window.
An example is shown in <xref linkend="ChUseWiresharkMenu"/>.
<note><title>Note!</title>
Menu items will be greyed out if the corresponding feature isn't
available. For example, you cannot save a capture file if you have not
captured or loaded any data before.
<figure id="ChUseWiresharkMenu"><title>The Menu</title>
<graphic entityref="WiresharkMenuOnly" format="PNG"/>
It contains the following items:
<varlistentry><term><command>File</command></term>
This menu contains items to open and merge capture files,
save / print / export capture files in whole or in part,
and to quit from Wireshark. See <xref linkend="ChUseFileMenuSection"/>.
<varlistentry><term><command>Edit</command></term>
This menu contains items to find a packet, time reference or mark one
or more packets, handle configuration profiles, and set your preferences
(cut, copy, and paste are not presently implemented).
See <xref linkend="ChUseEditMenuSection"/>.
<varlistentry><term><command>View</command></term>
<para>This menu controls the display of the captured data,
including colorization of packets, zooming the font,
showing a packet in a separate window, expanding and collapsing trees in packet details, ....
See <xref linkend="ChUseViewMenuSection"/>.
<varlistentry><term><command>Go</command></term>
<para>This menu contains items to go to a specific packet.
See <xref linkend="ChUseGoMenuSection"/>.
<varlistentry><term><command>Capture</command></term>
<para>This menu allows you to start and stop captures and to edit capture filters.
See <xref linkend="ChUseCaptureMenuSection"/>.
<varlistentry><term><command>Analyze</command></term>
This menu contains items to manipulate display filters, enable or
disable the dissection of protocols, configure user specified decodes
and follow a TCP stream.
See <xref linkend="ChUseAnalyzeMenuSection"/>.
<varlistentry><term><command>Statistics</command></term>
This menu contains items to display various statistic windows,
including a summary of the packets that have been captured,
protocol hierarchy statistics and much more.
See <xref linkend="ChUseStatisticsMenuSection"/>.
<varlistentry><term><command>Telephony</command></term>
This menu contains items to display various telephony related
statistic windows, including a media analysis, flow diagrams,
protocol hierarchy statistics and much more.
See <xref linkend="ChUseTelephonyMenuSection"/>.
<varlistentry><term><command>Tools</command></term>
This menu contains various tools available in Wireshark, such as
creating Firewall ACL Rules.
See <xref linkend="ChUseToolsMenuSection"/>.
<varlistentry><term><command>Help</command></term>
This menu contains items to help the user, e.g. access to some basic
help, a list of the supported protocols, manual pages, online access
to some of the webpages, and the usual about dialog.
See <xref linkend="ChUseHelpMenuSection"/>.
Each of these menu items is described in more detail in the sections
<tip><title>Tip!</title>
You can access menu items directly or by pressing the corresponding
accelerator keys which are shown at the right side of the
menu. For example, you can press the Control (or Strg in German) and the K
keys together to open the capture dialog.
<section id="ChUseFileMenuSection"><title>The "File" menu</title>
The Wireshark file menu contains the fields shown in
<xref linkend="ChUseTabFile"/>.
<figure id="ChUseWiresharkFileMenu">
<title>The "File" Menu</title>
<graphic entityref="WiresharkFileMenu" format="PNG"/>
<table id="ChUseTabFile" frame="none"><title>File menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Open...</command></entry>
<entry>Ctrl+O</entry>
This menu item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in <xref linkend="ChIOOpen"/>.
<entry><command>Open Recent</command></entry>
This menu item shows a submenu containing the recently opened
capture files. Clicking on one of the submenu items will open the
corresponding capture file directly.
<entry><command>Merge...</command></entry>
This menu item brings up the merge file dialog box that
allows you to merge a capture file into the currently loaded one.
It is discussed in more detail in <xref linkend="ChIOMergeSection"/>.
<entry><command>Import...</command></entry>
This menu item brings up the import file dialog box that
allows you to import a text file into a new temporary capture.
It is discussed in more detail in <xref linkend="ChIOImportSection"/>.
<entry><command>Close</command></entry>
<entry>Ctrl+W</entry>
This menu item closes the current capture. If you
haven't saved the capture, you will be asked to do so first
(this can be disabled by a preference setting).
<entry><command>------</command></entry>
<entry><command>Save</command></entry>
<entry>Ctrl+S</entry>
This menu item saves the current capture. If you
have not set a default capture file name (perhaps with
the -w &lt;capfile&gt; option), Wireshark pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
If you have already saved the current capture, this
menu item will be greyed out.
You cannot save a live capture while the capture is in
progress. You must stop the capture in order to
<entry><command>Save As...</command></entry>
<entry>Shift+Ctrl+S</entry>
This menu item allows you to save the current capture
file to whatever file you would like. It pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
<entry><command>------</command></entry>
<entry><command>File Set > List Files</command></entry>
This menu item allows you to show a list of files in a file set.
It pops up the Wireshark List File Set dialog box (which is
discussed further in <xref linkend="ChIOFileSetSection"/>).
<entry><command>File Set > Next File</command></entry>
If the currently loaded file is part of a file set, jump to the
next file in the set. If it isn't part of a file set or just the
last file in that set, this item is greyed out.
<entry><command>File Set > Previous File</command></entry>
If the currently loaded file is part of a file set, jump to the
previous file in the set. If it isn't part of a file set or just
the first file in that set, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Export > as "Plain Text" file...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a plain ASCII text file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPlainDialog"/>).
<entry><command>Export > as "PostScript" file...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a PostScript file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPSDialog"/>).
<entry><command>Export > as "CSV" (Comma Separated Values packet summary) file...</command></entry>
This menu item allows you to export all (or some) of the packet summaries in
the capture file to a .csv file (e.g. used by spreadsheet programs).
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportCSVDialog"/>).
<entry><command>Export > as "C Arrays" (packet bytes) file...</command></entry>
This menu item allows you to export all (or some) of the packet bytes in
the capture file to a .c file so you can import the stream data into your
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportCArraysDialog"/>).
<entry><command>------</command></entry>
<entry><command>Export > as "PSML" file...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a PSML (packet summary markup language) XML file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPSMLDialog"/>).
<entry><command>Export > as "PDML" file...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a PDML (packet details markup language) XML file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPDMLDialog"/>).
<entry><command>------</command></entry>
<entry><command>Export > Selected Packet Bytes...</command></entry>
<entry>Ctrl+H</entry>
This menu item allows you to export the currently selected bytes
in the packet bytes pane to a binary file. It pops up the
Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSelectedDialog"/>).
<entry><command>Objects > HTTP</command></entry>
This menu item allows you to export all or some of the captured HTTP objects
into local files. It pops up the Wireshark HTTP object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>------</command></entry>
<entry><command>Print...</command></entry>
<entry>Ctrl+P</entry>
This menu item allows you to print all (or some) of the packets in
the capture file. It pops up the Wireshark Print dialog
box (which is discussed further in
<xref linkend="ChIOPrintSection"/>).
<entry><command>------</command></entry>
<entry><command>Quit</command></entry>
<entry>Ctrl+Q</entry>
This menu item allows you to quit from Wireshark.
Wireshark will ask to save your capture file if you haven't previously saved
it (this can be disabled by a preference setting).
<section id="ChUseEditMenuSection"><title>The "Edit" menu</title>
The Wireshark Edit menu contains the fields shown in
<xref linkend="ChUseTabEdit"/>.
<figure id="ChUseWiresharkEditMenu">
<title>The "Edit" Menu</title>
<graphic entityref="WiresharkEditMenu" format="PNG"/>
<table id="ChUseTabEdit" frame="none">
<title>Edit menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Copy > Description</command></entry>
<entry>Shift+Ctrl+D</entry>
This menu item will copy the description of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Fieldname</command></entry>
<entry>Shift+Ctrl+F</entry>
This menu item will copy the fieldname of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Value</command></entry>
<entry>Shift+Ctrl+V</entry>
This menu item will copy the value of the selected item
in the detail view to the clipboard.
<entry><command>Copy > As Filter</command></entry>
<entry>Shift+Ctrl+C</entry>
This menu item will use the selected item in the detail view to
create a display filter. This display filter is then copied to
<entry><command>------</command></entry>
<entry><command>Find Packet...</command></entry>
<entry>Ctrl+F</entry>
This menu item brings up a dialog box that allows you
to find a packet by many criteria.
There is further information on finding packets in
<xref linkend="ChWorkFindPacketSection"/>.
<entry><command>Find Next</command></entry>
<entry>Ctrl+N</entry>
This menu item tries to find the next packet matching the
settings from "Find Packet...".
<entry><command>Find Previous</command></entry>
<entry>Ctrl+B</entry>
This menu item tries to find the previous packet matching the
settings from "Find Packet...".
<entry><command>------</command></entry>
<entry><command>Mark Packet (toggle)</command></entry>
<entry>Ctrl+M</entry>
This menu item "marks" the currently selected packet. See
<xref linkend="ChWorkMarkPacketSection"/> for details.
<entry><command>Find Next Mark</command></entry>
<entry>Shift+Ctrl+N</entry>
Find the next marked packet.
<entry><command>Find Previous Mark</command></entry>
<entry>Shift+Ctrl+B</entry>
Find the previous marked packet.
<entry><command>Mark All Displayed Packets</command></entry>
This menu item "marks" all displayed packets.
<entry><command>Unmark All Packets</command></entry>
<entry><para>This menu item "unmarks" all marked packets.
<entry><command>------</command></entry>
<entry><command>Ignore Packet (toggle)</command></entry>
<entry>Ctrl+X</entry>
This menu item marks the currently selected packet as ignored.
See <xref linkend="ChWorkIgnorePacketSection"/> for details.
<entry><command>Ignore All Displayed Packets</command></entry>
<entry>Shift-Ctrl-Alt-X</entry>
This menu item marks all displayed packets as ignored.
<entry><command>Un-Ignore All Packets</command></entry>
<entry>Shift-Ctrl-X</entry>
This menu item unmarks all ignored packets.
<entry><command>------</command></entry>
<entry><command>Set Time Reference (toggle)</command></entry>
<entry>Ctrl+T</entry>
This menu item sets a time reference on the currently selected
packet. See <xref linkend="ChWorkTimeReferencePacketSection"/> for more information
about the time referenced packets.
<entry><command>Find Next Reference</command></entry>
This menu item tries to find the next time referenced packet.
<entry><command>Find Previous Reference</command></entry>
This menu item tries to find the previous time referenced packet.
<entry><command>------</command></entry>
<entry><command>Configuration Profiles...</command></entry>
<entry>Shift-Ctrl-A</entry>
This menu item brings up a dialog box for handling configuration
profiles. More detail is provided in
<xref linkend="ChCustConfigProfilesSection"/>.
<entry><command>Preferences...</command></entry>
<entry>Shift+Ctrl+P</entry>
This menu item brings up a dialog box that allows
you to set preferences for many parameters that control
Wireshark. You can also save your preferences so Wireshark
will use them the next time you start it. More detail
is provided in <xref linkend="ChCustPreferencesSection"/>.
<section id="ChUseViewMenuSection"><title>The "View" menu</title>
The Wireshark View menu contains the fields shown in
<xref linkend="ChUseTabView"/>.
<figure id="ChUseWiresharkViewMenu">
<title>The "View" Menu</title>
<graphic entityref="WiresharkViewMenu" format="PNG"/>
<table id="ChUseTabView" frame="none">
<title>View menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Main Toolbar</command></entry>
This menu item hides or shows the main toolbar, see
<xref linkend="ChUseMainToolbarSection"/>.
<entry><command>Filter Toolbar</command></entry>
This menu item hides or shows the filter toolbar, see
<xref linkend="ChUseFilterToolbarSection"/>.
<entry><command>Statusbar</command></entry>
This menu item hides or shows the statusbar, see
<xref linkend="ChUseStatusbarSection"/>.
<entry><command>------</command></entry>
<entry><command>Packet List</command></entry>
This menu item hides or shows the packet list pane, see
<xref linkend="ChUsePacketListPaneSection"/>.
<entry><command>Packet Details</command></entry>
This menu item hides or shows the packet details pane, see
<xref linkend="ChUsePacketDetailsPaneSection"/>.
<entry><command>Packet Bytes</command></entry>
This menu item hides or shows the packet bytes pane, see
<xref linkend="ChUsePacketBytesPaneSection"/>.
<entry><command>------</command></entry>
<entry><command>Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display the
time stamps in date and time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Time of Day", "Date and Time of
Day", "Seconds Since Beginning of Capture", "Seconds Since
Previous Captured Packet" and "Seconds Since Previous
Displayed Packet" are mutually exclusive.
<entry><command>Time Display Format > Time of Day: 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Beginning of Capture: 123.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in seconds since beginning of capture format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Captured Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous captured packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Displayed Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous displayed packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Epoch (1970-01-01): 1234567890.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since 1970-01-01 00:00:00, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ------</command></entry>
<entry><command>Time Display Format > Automatic (File Format Precision)</command></entry>
Selecting this tells Wireshark to display time stamps with the
precision given by the capture file format used, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
<entry><command>Time Display Format > Seconds: 0</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ...seconds: 0....</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Name Resolution > Resolve Name</command></entry>
This item allows you to trigger name resolution for the current packet
only, see <xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for MAC Layer</command></entry>
This item allows you to control whether or not
Wireshark translates MAC addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Network Layer</command></entry>
This item allows you to control whether or not
Wireshark translates network addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Transport Layer</command></entry>
This item allows you to control whether or not
Wireshark translates transport addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Colorize Packet List</command></entry>
This item allows you to control whether or not Wireshark should colorize
the packet list.</para>
<note><title>Note!</title><para>
Enabling colorization will slow down the display
of new packets while capturing / loading capture files.
</para></note></entry>
<entry><command>Auto Scroll in Live Capture</command></entry>
This item allows you to specify that Wireshark
should scroll the packet list pane as new packets come
in, so you are always looking at the last packet. If you
do not specify this, Wireshark simply adds new packets onto
the end of the list, but does not scroll the packet list
<entry><command>------</command></entry>
<entry><command>Zoom In</command></entry>
<entry>Ctrl++</entry>
Zoom into the packet data (increase the font size).
<entry><command>Zoom Out</command></entry>
<entry>Ctrl+-</entry>
Zoom out of the packet data (decrease the font size).
<entry><command>Normal Size</command></entry>
<entry>Ctrl+=</entry>
Set zoom level back to 100% (set font size back to normal).
<entry><command>Resize All Columns</command></entry>
Resize all column widths so the content will fit into them.
<note><title>Note!</title><para>
Resizing may take a significant amount of time, especially if a
large capture file is loaded.
<entry><command>------</command></entry>
<entry><command>Expand Subtrees</command></entry>
This menu item expands the currently selected subtree in the
packet details tree.
<entry><command>Expand All</command></entry>
Wireshark keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a packet.
This menu item expands all subtrees in all packets in
<entry><command>Collapse All</command></entry>
This menu item collapses the tree view of all packets
in the capture list.
<entry><command>------</command></entry>
<entry><command>Colorize Conversation</command></entry>
This menu item brings up a submenu that allows you
to color packets in the packet list pane based
on the addresses of the currently selected packet.
This makes it easy to distinguish packets
belonging to different conversations.
See <xref linkend="ChCustColorizationSection"/>.
<entry><command>Colorize Conversation > Color 1-10</command></entry>
These menu items enable one of the ten temporary color
filters based on the currently selected conversation.
<entry><command>Colorize Conversation > Reset coloring</command></entry>
This menu item clears all temporary coloring rules.
<entry><command>Colorize Conversation > New Coloring Rule...</command></entry>
This menu item opens a dialog window in which a new
permanent coloring rule can be created based on the
currently selected conversation.
<entry><command>Coloring Rules...</command></entry>
This menu item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets, see
<xref linkend="ChCustColorizationSection"/>.
<entry><command>------</command></entry>
<entry><command>Show Packet in New Window</command></entry>
This menu item brings up the selected packet in a
separate window. The separate window shows only the
tree view and byte view panes.
<entry><command>Reload</command></entry>
<entry>Ctrl-R</entry>
This menu item allows you to reload the current
<section id="ChUseGoMenuSection"><title>The "Go" menu</title>
The Wireshark Go menu contains the fields shown in
<xref linkend="ChUseTabGo"/>.
<figure id="ChUseWiresharkGoMenu">
<title>The "Go" Menu</title>
<graphic entityref="WiresharkGoMenu" format="PNG"/>
<table id="ChUseTabGo" frame="none">
<title>Go menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Back</command></entry>
<entry>Alt+Left</entry>
Jump to the recently visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Forward</command></entry>
<entry>Alt+Right</entry>
Jump to the next visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Go to Packet...</command></entry>
<entry>Ctrl-G</entry>
Bring up a dialog box that allows you
to specify a packet number, and then go to that packet. See
<xref linkend="ChWorkGoToPacketSection"/> for details.
<entry><command>Go to Corresponding Packet</command></entry>
Go to the corresponding packet of the currently
selected protocol field. If the selected field doesn't correspond
to a packet, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Previous Packet</command></entry>
<entry>Ctrl+Up</entry>
Move to the previous packet in the list. This can be
used to move to the previous packet even if the packet
list doesn't have keyboard focus.
<entry><command>Next Packet</command></entry>
<entry>Ctrl+Down</entry>
Move to the next packet in the list. This can be
used to move to the next packet even if the packet
list doesn't have keyboard focus.
<entry><command>First Packet</command></entry>
<entry>Ctrl+Home</entry>
Jump to the first packet of the capture file.
<entry><command>Last Packet</command></entry>
<entry>Ctrl+End</entry>
Jump to the last packet of the capture file.
1338 <section id="ChUseCaptureMenuSection"><title>The "Capture" menu</title>
1340 The Wireshark Capture menu contains the fields shown in
1341 <xref linkend="ChUseTabCap"/>.
1343 <figure id="ChUseWiresharkCaptureMenu">
1344 <title>The "Capture" Menu</title>
1345 <graphic entityref="WiresharkCaptureMenu" format="PNG"/>
1347 <table id="ChUseTabCap" frame="none">
1348 <title>Capture menu items</title>
1350 <colspec colnum="1" colwidth="72pt"/>
1351 <colspec colnum="2" colwidth="80pt"/>
1354 <entry>Menu Item</entry>
1355 <entry>Accelerator</entry>
1356 <entry>Description</entry>
1361 <entry><command>Interfaces...</command></entry>
1364 This menu item brings up a dialog box that shows what's going on
1365 at the network interfaces Wireshark knows of (see
1366 <xref linkend="ChCapInterfaceSection"/>).
1370 <entry><command>Options...</command></entry>
1371 <entry>Ctrl+K</entry>
1373 This menu item brings up the Capture Options
1374 dialog box (discussed further in
1375 <xref linkend="ChCapCaptureOptions"/>) and allows you to
1376 start capturing packets.
1380 <entry><command>Start</command></entry>
1383 Immediately start capturing packets with the same settings as
1388 <entry><command>Stop</command></entry>
1389 <entry>Ctrl+E</entry>
1391 This menu item stops the currently running capture (see
1392 <xref linkend="ChCapStopSection"/>).
1396 <entry><command>Restart</command></entry>
1399 This menu item stops the currently running capture and starts it
1400 again with the same options; this is just for convenience.
1404 <entry><command>Capture Filters...</command></entry>
1407 This menu item brings up a dialog box that allows you to
1408 create and edit capture filters. You can name filters,
1409 and you can save them for future use. More detail on
1410 this subject is provided in
1411 <xref linkend="ChWorkDefineFilterSection"/>.
1419 <section id="ChUseAnalyzeMenuSection"><title>The "Analyze" menu</title>
1421 The Wireshark Analyze menu contains the fields shown in
1422 <xref linkend="ChUseAnalyze"/>.
1424 <figure id="ChUseWiresharkAnalyzeMenu">
1425 <title>The "Analyze" Menu</title>
1426 <graphic entityref="WiresharkAnalyzeMenu" format="PNG"/>
1428 <table id="ChUseAnalyze" frame="none"><title>Analyze menu items</title>
1430 <colspec colnum="1" colwidth="72pt"/>
1431 <colspec colnum="2" colwidth="80pt"/>
1434 <entry>Menu Item</entry>
1435 <entry>Accelerator</entry>
1436 <entry>Description</entry>
1441 <entry><command>Display Filters...</command></entry>
1444 This menu item brings up a dialog box that allows you
1445 to create and edit display filters. You can name
1446 filters, and you can save them for future use. More
1447 detail on this subject is provided in
1448 <xref linkend="ChWorkDefineFilterSection"/>.
1452 <entry><command>Display Filter Macros...</command></entry>
1455 This menu item brings up a dialog box that allows you
1456 to create and edit display filter macros. You can name
1457 filter macros, and you can save them for future use. More
1458 detail on this subject is provided in
1459 <xref linkend="ChWorkDefineFilterMacrosSection"/>.
1463 <entry><command>Apply as Filter > ...</command></entry>
1466 These menu items will change the current display filter and apply
1467 the changed filter immediately. Depending on the chosen menu item,
1468 the current display filter string will be replaced or appended to
1469 by the selected protocol field in the packet details pane.
1473 <entry><command>Prepare a Filter > ...</command></entry>
1476 These menu items will change the current display filter but won't
1477 apply the changed filter. Depending on the chosen menu item,
1478 the current display filter string will be replaced or appended to
1479 by the selected protocol field in the packet details pane.
1483 <entry><command>------</command></entry>
1488 <entry><command>Enabled Protocols...</command></entry>
1489 <entry>Shift+Ctrl+R</entry>
1491 This menu item allows the user to enable/disable protocol
1492 dissectors, see <xref linkend="ChAdvEnabledProtocols"/>.
1496 <entry><command>Decode As...</command></entry>
1499 This menu item allows the user to force Wireshark to
1500 decode certain packets as a particular protocol, see
1501 <xref linkend="ChAdvDecodeAs"/>.
1505 <entry><command>User Specified Decodes...</command></entry>
1508 This menu item allows the user to force Wireshark to
1509 decode certain packets as a particular protocol, see
1510 <xref linkend="ChAdvDecodeAsShow"/>.
1514 <entry><command>------</command></entry>
1519 <entry><command>Follow TCP Stream</command></entry>
1522 This menu item brings up a separate window and displays
1523 all the TCP segments captured that are on the same TCP
1524 connection as a selected packet, see
1525 <xref linkend="ChAdvFollowTCPSection"/>.
1529 <entry><command>Follow UDP Stream</command></entry>
1532 Same functionality as "Follow TCP Stream" but
1537 <entry><command>Follow SSL Stream</command></entry>
1540 Same functionality as "Follow TCP Stream" but for SSL streams.
1541 XXX - how to provide the SSL keys?
1545 <entry><command>Expert Info</command></entry>
1548 Open a dialog showing some expert information about the captured
1549 packets in a log style display.
1550 The amount of information will depend on the protocol and varies
1551 from very detailed to nonexistent. This is currently a work in
1552 progress. XXX - add a new section about this and link from here
1556 <entry><command>Expert Info Composite</command></entry>
1559 Same information as in "Expert Info" but trying to group items
1560 together for faster analysis.
1564 <entry><command>Conversation Filter > ...</command></entry>
1567 In this menu you will find conversation filters for various
1576 <section id="ChUseStatisticsMenuSection"><title>The "Statistics" menu</title>
1578 The Wireshark Statistics menu contains the fields shown in
1579 <xref linkend="ChUseStatistics"/>.
1581 <figure id="ChUseWiresharkStatisticsMenu">
1582 <title>The "Statistics" Menu</title>
1583 <graphic entityref="WiresharkStatisticsMenu" format="PNG"/>
1586 All menu items will bring up a new window showing specific statistical
1589 <table id="ChUseStatistics" frame="none">
1590 <title>Statistics menu items</title>
1592 <colspec colnum="1" colwidth="72pt"/>
1593 <colspec colnum="2" colwidth="80pt"/>
1596 <entry>Menu Item</entry>
1597 <entry>Accelerator</entry>
1598 <entry>Description</entry>
1603 <entry><command>Summary</command></entry>
1606 Show information about the data captured, see <xref
1607 linkend="ChStatSummary"/>.
1611 <entry><command>Protocol Hierarchy</command></entry>
1614 Display a hierarchical tree of protocol statistics, see <xref
1615 linkend="ChStatHierarchy"/>.
1619 <entry><command>Conversations</command></entry>
1622 Display a list of conversations (traffic between two endpoints),
1623 see <xref linkend="ChStatConversationsWindow"/>.
1627 <entry><command>Endpoints</command></entry>
1630 Display a list of endpoints (traffic to/from an address), see
1631 <xref linkend="ChStatEndpointsWindow"/>.
1635 <entry><command>Packet Lengths...</command></entry>
1637 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1640 <entry><command>IO Graphs</command></entry>
1643 Display user specified graphs (e.g. the number of packets in the
1644 course of time), see <xref linkend="ChStatIOGraphs"/>.
1648 <entry><command>------</command></entry>
1653 <entry><command>Conversation List</command></entry>
1656 Display a list of conversations, obsoleted by the combined window
1657 of Conversations above, see
1658 <xref linkend="ChStatConversationListWindow"/>.
1662 <entry><command>Endpoint List</command></entry>
1665 Display a list of endpoints, obsoleted by the combined window
1666 of Endpoints above, see
1667 <xref linkend="ChStatEndpointListWindow"/>.
1671 <entry><command>Service Response Time</command></entry>
1674 Display the time between a request and the corresponding response, see
1675 <xref linkend="ChStatSRT"/>.
1679 <entry><command>------</command></entry>
1684 <entry><command>BOOTP-DHCP...</command></entry>
1686 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1689 <entry><command>Compare...</command></entry>
1691 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1694 <entry><command>Flow Graph...</command></entry>
1696 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1699 <entry><command>HTTP</command></entry>
1701 <entry><para>HTTP request/response statistics, see <xref linkend="ChStatXXX"/></para></entry>
1704 <entry><command>IP Addresses...</command></entry>
1706 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1709 <entry><command>IP Destinations...</command></entry>
1711 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1714 <entry><command>IP Protocol Types...</command></entry>
1716 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1719 <entry><command>ISUP Messages</command></entry>
1721 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1724 <entry><command>ONC-RPC Programs</command></entry>
1726 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1729 <entry><command>TCP Stream Graph</command></entry>
1731 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1734 <entry><command>UDP Multicast Streams</command></entry>
1736 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1739 <entry><command>WLAN Traffic</command></entry>
1741 <entry><para>See <xref linkend="ChStatWLANTraffic"/></para></entry>
1748 <section id="ChUseTelephonyMenuSection"><title>The "Telephony" menu</title>
1750 The Wireshark Telephony menu contains the fields shown in
1751 <xref linkend="ChUseTelephony"/>.
1753 <figure id="ChUseWiresharkTelephonyMenu">
1754 <title>The "Telephony" Menu</title>
1755 <graphic entityref="WiresharkTelephonyMenu" format="PNG"/>
1758 All menu items will bring up a new window showing specific telephony
1759 related statistical information.
1761 <table id="ChUseTelephony" frame="none">
1762 <title>Telephony menu items</title>
1764 <colspec colnum="1" colwidth="72pt"/>
1765 <colspec colnum="2" colwidth="80pt"/>
1768 <entry>Menu Item</entry>
1769 <entry>Accelerator</entry>
1770 <entry>Description</entry>
1775 <entry><command>ANSI</command></entry>
1777 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1780 <entry><command>Fax T38 Analysis...</command></entry>
1782 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1785 <entry><command>GSM</command></entry>
1787 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1790 <entry><command>H.225...</command></entry>
1792 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1795 <entry><command>IAX2</command></entry>
1797 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1800 <entry><command>ISUP Messages...</command></entry>
1802 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1805 <entry><command>LTE MAC...</command></entry>
1807 <entry><para>See <xref linkend="ChTelLTEMACTraffic"/></para></entry>
1810 <entry><command>LTE RLC...</command></entry>
1812 <entry><para>See <xref linkend="ChTelLTERLCTraffic"/></para></entry>
1815 <entry><command>MTP3</command></entry>
1817 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1820 <entry><command>RTP</command></entry>
1822 <entry><para>See <xref linkend="ChTelRTPAnalysis"/></para></entry>
1825 <entry><command>SCTP</command></entry>
1827 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1830 <entry><command>SIP...</command></entry>
1832 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1835 <entry><command>SMPP Operations...</command></entry>
1837 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1840 <entry><command>UCP Messages...</command></entry>
1842 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1845 <entry><command>VoIP Calls...</command></entry>
1847 <entry><para>See <xref linkend="ChTelVoipCalls"/></para></entry>
1850 <entry><command>WAP-WSP...</command></entry>
1852 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1859 <section id="ChUseToolsMenuSection"><title>The "Tools" menu</title>
1861 The Wireshark Tools menu contains the fields shown in
1862 <xref linkend="ChUseTools"/>.
1865 <figure id="ChUseWiresharkToolsMenu">
1866 <title>The "Tools" Menu</title>
1867 <graphic entityref="WiresharkToolsMenu" format="PNG"/>
1870 <table id="ChUseTools" frame="none">
1871 <title>Tools menu items</title>
1873 <colspec colnum="1" colwidth="72pt"/>
1874 <colspec colnum="2" colwidth="80pt"/>
1877 <entry>Menu Item</entry>
1878 <entry>Accelerator</entry>
1879 <entry>Description</entry>
1884 <entry><command>Firewall ACL Rules</command></entry>
1887 This allows you to create command-line ACL rules for many different
1888 firewall products, including Cisco IOS, Linux Netfilter (iptables),
1889 OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses,
1890 IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are
1893 It is assumed that the rules will be applied to an outside interface.
1901 <section id="ChUseHelpMenuSection"><title>The "Help" menu</title>
1903 The Wireshark Help menu contains the fields shown in
1904 <xref linkend="ChUseHelp"/>.
1906 <figure id="ChUseWiresharkHelpMenu">
1907 <title>The "Help" Menu</title>
1908 <graphic entityref="WiresharkHelpMenu" format="PNG"/>
1910 <table id="ChUseHelp" frame="none">
1911 <title>Help menu items</title>
1913 <colspec colnum="1" colwidth="72pt"/>
1914 <colspec colnum="2" colwidth="80pt"/>
1917 <entry>Menu Item</entry>
1918 <entry>Accelerator</entry>
1919 <entry>Description</entry>
1924 <entry><command>Contents</command></entry>
1927 This menu item brings up a basic help system.
1931 <entry><command>FAQ's</command></entry>
1934 This menu item starts a Web browser showing various FAQs.
1938 <entry><command>Manual Pages > ...</command></entry>
1941 This menu item starts a Web browser showing one of the locally
1942 installed HTML manual pages.
1946 <entry><command>------</command></entry>
1951 <entry><command>Wireshark Online > ...</command></entry>
1954 This menu item starts a Web browser showing the chosen
1956 <ulink url="&WiresharkWebSite;">&WiresharkWebSite;</ulink>.
1960 <entry><command>------</command></entry>
1965 <entry><command>Supported Protocols (slow!)</command></entry>
1968 This menu item brings up a dialog box showing the supported
1969 protocols and protocol fields.
1973 <entry><command>------</command></entry>
1978 <entry><command>About Wireshark</command></entry>
1981 This menu item brings up an information window that
1982 provides some information on Wireshark, such as the plugins, the
1989 <note><title>Note!</title>
1991 Calling a Web browser might be unsupported in your version of Wireshark.
1992 If this is the case, the corresponding menu items will be hidden.
1995 <note><title>Note!</title>
1997 If calling a Web browser fails on your machine (for example, nothing
1998 happens, or the browser is started but no page is shown), have a look at the
1999 web browser setting in the preferences dialog.
2004 <section id="ChUseMainToolbarSection"><title>The "Main" toolbar</title>
2006 The main toolbar provides quick access to frequently used items from the
2007 menu. This toolbar cannot be customized by the user, but it can be hidden
2008 using the View menu, if the space on the screen is needed to show even
2012 As in the menu, only the items useful in the current program state will
2013 be available. The others will be greyed out (e.g. you cannot save a capture
2014 file if you haven't loaded one).
2015 <figure id="ChUseWiresharkMainToolbar">
2016 <title>The "Main" toolbar</title>
2017 <graphic entityref="WiresharkMainToolbar" format="PNG"/>
2020 <table id="ChUseMainToolbar" frame="none">
2021 <title>Main toolbar items</title>
2023 <colspec colnum="1" colwidth="40pt"/>
2024 <colspec colnum="2" colwidth="80pt"/>
2025 <colspec colnum="3" colwidth="80pt"/>
2028 <entry>Toolbar Icon</entry>
2029 <entry>Toolbar Item</entry>
2030 <entry>Corresponding Menu Item</entry>
2031 <entry>Description</entry>
2036 <entry><graphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/></entry>
2037 <entry><command>Interfaces...</command></entry>
2038 <entry>Capture/Interfaces...</entry>
2040 This item brings up the Capture Interfaces List
2041 dialog box (discussed further in
2042 <xref linkend="ChCapCapturingSection"/>).
2047 <entry><graphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/></entry>
2048 <entry><command>Options...</command></entry>
2049 <entry>Capture/Options...</entry>
2051 This item brings up the Capture Options
2052 dialog box (discussed further in
2053 <xref linkend="ChCapCapturingSection"/>) and allows you to
2054 start capturing packets.
2059 <entry><graphic entityref="WiresharkToolbarCaptureStart" format="PNG"/></entry>
2060 <entry><command>Start</command></entry>
2061 <entry>Capture/Start</entry>
2063 This item starts capturing packets with the options from
2069 <entry><graphic entityref="WiresharkToolbarCaptureStop" format="PNG"/></entry>
2070 <entry><command>Stop</command></entry>
2071 <entry>Capture/Stop</entry>
2073 This item stops the currently running live capture process (see
2074 <xref linkend="ChCapCapturingSection"/>).
2079 <entry><graphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/></entry>
2080 <entry><command>Restart</command></entry>
2081 <entry>Capture/Restart</entry>
2083 This item stops the currently running live capture process
2084 and restarts it again, for convenience.
2089 <entry><command>------</command></entry>
2094 <entry><graphic entityref="WiresharkToolbarOpen" format="PNG"/></entry>
2095 <entry><command>Open...</command></entry>
2096 <entry>File/Open...</entry>
2098 This item brings up the file open dialog box that
2099 allows you to load a capture file for viewing. It is
2100 discussed in more detail in <xref linkend="ChIOOpen"/>.
2104 <entry><graphic entityref="WiresharkToolbarSaveAs" format="PNG"/></entry>
2105 <entry><command>Save As...</command></entry>
2106 <entry>File/Save As...</entry>
2108 This item allows you to save the current capture file to whatever
2109 file you would like. It pops up the Save Capture File As dialog
2110 box (which is discussed further in <xref linkend="ChIOSaveAs"/>).
2112 <note><title>Note!</title>
2114 If you currently have a temporary capture file, the Save icon
2115 <inlinegraphic entityref="WiresharkToolbarSave" format="PNG"/> will be
2121 <entry><graphic entityref="WiresharkToolbarClose" format="PNG"/></entry>
2122 <entry><command>Close</command></entry>
2123 <entry>File/Close</entry>
2125 This item closes the current capture. If you
2126 have not saved the capture, you will be asked to save it first.
2130 <entry><graphic entityref="WiresharkToolbarReload" format="PNG"/></entry>
2131 <entry><command>Reload</command></entry>
2132 <entry>View/Reload</entry>
2134 This item allows you to reload the current capture file.
2138 <entry><graphic entityref="WiresharkToolbarPrint" format="PNG"/></entry>
2139 <entry><command>Print...</command></entry>
2140 <entry>File/Print...</entry>
2142 This item allows you to print all (or some of) the packets in
2143 the capture file. It pops up the Wireshark Print dialog
2144 box (which is discussed further in
2145 <xref linkend="ChIOPrintSection"/>).
2149 <entry><command>------</command></entry>
2154 <entry><graphic entityref="WiresharkToolbarFind" format="PNG"/></entry>
2155 <entry><command>Find Packet...</command></entry>
2156 <entry>Edit/Find Packet...</entry>
2158 This item brings up a dialog box that allows you
2159 to find a packet. There is further information on finding packets
2160 in <xref linkend="ChWorkFindPacketSection"/>.
2164 <entry><graphic entityref="WiresharkToolbarGoBack" format="PNG"/></entry>
2165 <entry><command>Go Back</command></entry>
2166 <entry>Go/Go Back</entry>
2168 This item jumps back in the packet history.
2172 <entry><graphic entityref="WiresharkToolbarGoForward" format="PNG"/></entry>
2173 <entry><command>Go Forward</command></entry>
2174 <entry>Go/Go Forward</entry>
2176 This item jumps forward in the packet history.
2180 <entry><graphic entityref="WiresharkToolbarGoTo" format="PNG"/></entry>
2181 <entry><command>Go to Packet...</command></entry>
2182 <entry>Go/Go to Packet...</entry>
2184 This item brings up a dialog box that allows you
2185 to specify a packet number and go to that packet.
2189 <entry><graphic entityref="WiresharkToolbarGoFirst" format="PNG"/></entry>
2190 <entry><command>Go To First Packet</command></entry>
2191 <entry>Go/First Packet</entry>
2193 This item jumps to the first packet of the capture file.
2197 <entry><graphic entityref="WiresharkToolbarGoLast" format="PNG"/></entry>
2198 <entry><command>Go To Last Packet</command></entry>
2199 <entry>Go/Last Packet</entry>
2201 This item jumps to the last packet of the capture file.
2205 <entry><command>------</command></entry>
2210 <entry><graphic entityref="WiresharkToolbarColorize" format="PNG"/></entry>
2211 <entry><command>Colorize</command></entry>
2212 <entry>View/Colorize</entry>
2214 Colorize the packet list (or not).
2218 <entry><graphic entityref="WiresharkToolbarAutoScroll" format="PNG"/></entry>
2219 <entry><command>Auto Scroll in Live Capture</command></entry>
2220 <entry>View/Auto Scroll in Live Capture</entry>
2222 Auto scroll packet list while doing a live capture (or not).
2226 <entry><command>------</command></entry>
2231 <entry><graphic entityref="WiresharkToolbarZoomIn" format="PNG"/></entry>
2232 <entry><command>Zoom In</command></entry>
2233 <entry>View/Zoom In</entry>
2235 Zoom into the packet data (increase the font size).
2239 <entry><graphic entityref="WiresharkToolbarZoomOut" format="PNG"/></entry>
2240 <entry><command>Zoom Out</command></entry>
2241 <entry>View/Zoom Out</entry>
2243 Zoom out of the packet data (decrease the font size).
2247 <entry><graphic entityref="WiresharkToolbarZoom100" format="PNG"/></entry>
2248 <entry><command>Normal Size</command></entry>
2249 <entry>View/Normal Size</entry>
2251 Set zoom level back to 100%.
2255 <entry><graphic entityref="WiresharkToolbarResizeColumns" format="PNG"/></entry>
2256 <entry><command>Resize Columns</command></entry>
2257 <entry>View/Resize Columns</entry>
2259 Resize columns, so the content fits into them.
2263 <entry><command>------</command></entry>
2268 <entry><graphic entityref="WiresharkToolbarCaptureFilters" format="PNG"/></entry>
2269 <entry><command>Capture Filters...</command></entry>
2270 <entry>Capture/Capture Filters...</entry>
2272 This item brings up a dialog box that allows you to
2273 create and edit capture filters. You can name filters,
2274 and you can save them for future use. More detail on
2275 this subject is provided in
2276 <xref linkend="ChWorkDefineFilterSection"/>.
2280 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2281 <entry><command>Display Filters...</command></entry>
2282 <entry>Analyze/Display Filters...</entry>
2284 This item brings up a dialog box that allows you
2285 to create and edit display filters. You can name
2286 filters, and you can save them for future use. More
2287 detail on this subject is provided in
2288 <xref linkend="ChWorkDefineFilterSection"/>.
2292 <entry><graphic entityref="WiresharkToolbarColoringRules" format="PNG"/></entry>
2293 <entry><command>Coloring Rules...</command></entry>
2294 <entry>View/Coloring Rules...</entry>
2296 This item brings up a dialog box that allows you
2297 to color packets in the packet list pane according to
2298 filter expressions you choose. It can be very useful
2299 for spotting certain types of packets. More
2300 detail on this subject is provided in
2301 <xref linkend="ChCustColorizationSection"/>.
2305 <entry><graphic entityref="WiresharkToolbarPreferences" format="PNG"/></entry>
2306 <entry><command>Preferences...</command></entry>
2307 <entry>Edit/Preferences</entry>
2309 This item brings up a dialog box that allows
2310 you to set preferences for many parameters that control
2311 Wireshark. You can also save your preferences so Wireshark
2312 will use them the next time you start it. More detail
2313 is provided in <xref linkend="ChCustPreferencesSection"/>.
2317 <entry><command>------</command></entry>
2322 <entry><graphic entityref="WiresharkToolbarHelp" format="PNG"/></entry>
2323 <entry><command>Help</command></entry>
2324 <entry>Help/Contents</entry>
2326 This item brings up the help dialog box.
2334 <section id="ChUseFilterToolbarSection"><title>The "Filter" toolbar</title>
2336 The filter toolbar lets you quickly edit and apply display filters. More information on
2337 display filters is available in <xref linkend="ChWorkDisplayFilterSection"/>.
2338 <figure id="ChUseWiresharkFilterToolbar">
2339 <title>The "Filter" toolbar</title>
2340 <graphic entityref="WiresharkFilterToolbar" format="PNG"/>
2342 <table id="ChUseFilterToolbar" frame="none">
2343 <title>Filter toolbar items</title>
2345 <colspec colnum="1" colwidth="40pt"/>
2346 <colspec colnum="2" colwidth="80pt"/>
2349 <entry>Toolbar Icon</entry>
2350 <entry>Toolbar Item</entry>
2351 <entry>Description</entry>
2356 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2357 <entry><command>Filter:</command></entry>
2359 Brings up the filter construction dialog, described in <xref linkend="FiltersDialog"/>.
2365 <entry>Filter input</entry>
2368 The area to enter or edit a display filter string,
2369 see <xref linkend="ChWorkBuildDisplayFilterSection"/>.
2370 A syntax check of your filter string is done while you are typing.
2371 The background will turn red if you enter an incomplete or invalid
2372 string, and will become green when you enter a valid string. You can
2373 click on the pull down arrow to select a previously-entered filter
2374 string from a list. The entries in the pull down list will remain
2375 available even after a program restart.
2377 <note><title>Note!</title>
2379 After you've changed something in this field, don't forget to press
2380 the Apply button (or the Enter/Return key), to apply this filter
2381 string to the display.
2384 <note><title>Note!</title>
2386 This field is also where the current filter in effect is displayed.
2392 <entry><graphic entityref="WiresharkToolbarAdd" format="PNG"/></entry>
2393 <entry><command>Expression...</command></entry>
2395 The middle button labeled "Add Expression..." opens a dialog box that lets
2396 you edit a display filter from a list of protocol fields, described in
2397 <xref linkend="ChWorkFilterAddExpressionSection"/>.
2402 <entry><graphic entityref="WiresharkToolbarClear" format="PNG"/></entry>
2403 <entry><command>Clear</command></entry>
2405 Reset the current display filter and clear the edit area.
2410 <entry><graphic entityref="WiresharkToolbarApply" format="PNG"/></entry>
2411 <entry><command>Apply</command></entry>
2413 Apply the current value in the edit area as the new display filter.
2414 <note><title>Note!</title>
2416 Applying a display filter on large capture files might take quite a long time!
2428 <section id="ChUsePacketListPaneSection"><title>The "Packet List" pane</title>
2430 The packet list pane displays all the packets in the current capture
2432 <figure id="ChUseWiresharkListPane">
2433 <title>The "Packet List" pane</title>
2434 <graphic entityref="WiresharkListPane" format="PNG"/>
2436 Each line in the packet list corresponds to one packet in the capture
2437 file. If you select a line in this pane, more details will be displayed in
2438 the "Packet Details" and "Packet Bytes" panes.
2441 While dissecting a packet, Wireshark will place information from the
2442 protocol dissectors into the columns. As higher level protocols might
2443 overwrite information from lower levels, you will typically see the
2444 information from the highest possible level only.
2447 For example, let's look at a packet containing TCP inside IP inside
2448 an Ethernet packet. The Ethernet dissector will write its data (such as
2449 the Ethernet addresses), the IP dissector will overwrite this with its own
2450 (such as the IP addresses), the TCP dissector will overwrite the IP
2451 information, and so on.
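The column overwriting described above, shown as an added example (not part of the original guide and not Wireshark's own code): a toy chain of three dissectors in Python, run over a constructed Ethernet/IPv4/TCP frame. The function names, the sample frame and the simplified Info strings are assumptions for illustration; in this model the TCP layer replaces only the Protocol and Info columns.

```python
import socket
import struct


def build_sample_frame() -> bytes:
    """Constructed sample (not from a real capture): Ethernet II / IPv4 / TCP SYN."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst, src, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


# Each dissector writes its view into the shared column dict and returns
# (name of the next dissector or None, remaining payload).
def dissect_ethernet(data, cols):
    if 14 > len(data):
        return None, b""  # too short: leave the columns untouched
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    cols.update(Source=mac(src), Destination=mac(dst), Protocol="Ethernet",
                Info=f"EtherType 0x{ethertype:04x}")
    return ("ipv4" if ethertype == 0x0800 else None), data[14:]


def dissect_ipv4(data, cols):
    if 20 > len(data) or data[0] >> 4 != 4:
        return None, b""
    header_len = (data[0] & 0x0F) * 4
    proto = data[9]
    cols.update(Source=socket.inet_ntoa(data[12:16]),
                Destination=socket.inet_ntoa(data[16:20]),
                Protocol="IPv4", Info=f"IP protocol {proto}")
    return ("tcp" if proto == 6 else None), data[header_len:]


def dissect_tcp(data, cols):
    if 20 > len(data):
        return None, b""
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", data[:20])
    names = [n for bit, n in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                              (0x08, "PSH"), (0x10, "ACK")) if flags & bit]
    # Assumption of this model: TCP has no addresses of its own to show,
    # so Source/Destination keep the values written by the IP layer.
    cols.update(Protocol="TCP",
                Info=f"{sport} > {dport} [{', '.join(names)}] Seq={seq}")
    return None, b""


DISSECTORS = {"ethernet": dissect_ethernet, "ipv4": dissect_ipv4,
              "tcp": dissect_tcp}


def dissect(frame: bytes):
    """Return (final columns, snapshot of the columns after each layer)."""
    cols, history = {}, []
    layer, payload = "ethernet", frame
    while layer is not None:
        before = dict(cols)
        layer, payload = DISSECTORS[layer](payload, cols)
        if cols != before:
            history.append(dict(cols))
    return cols, history


if __name__ == "__main__":
    final, steps = dissect(build_sample_frame())
    for step in steps:
        print(step)
    print("packet list row:", final)
```

Only the last snapshot reaches the packet list row; a frame whose EtherType has no matching dissector stops after the first layer and keeps the Ethernet-level columns.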
2454 There are a lot of different columns available. Which columns are
2455 displayed can be selected by preference settings, see
2456 <xref linkend="ChCustPreferencesSection"/>.
2459 The default columns will show:
2462 <para><command>No.</command>
2463 The number of the packet in the capture file. This number won't change,
2464 even if a display filter is used.
2468 <para><command>Time</command>
2469 The timestamp of the packet. The presentation format of this timestamp
2470 can be changed, see <xref linkend="ChWorkTimeFormatsSection"/>.
2474 <para><command>Source</command>
2475 The address where this packet is coming from.
2479 <para><command>Destination</command>
2480 The address where this packet is going to.
2484 <para><command>Protocol</command>
2485 The protocol name in a short (perhaps abbreviated) version.
2489 <para><command>Info</command>
2490 Additional information about the packet content.
2496 There is a context menu (right mouse click) available, see details in
2497 <xref linkend="ChWorkPacketListPanePopUpMenu"/>.
2501 <section id="ChUsePacketDetailsPaneSection"><title>The "Packet Details" pane</title>
2503 The packet details pane shows the current packet (selected in the "Packet List"
2504 pane) in a more detailed form.
2505 <figure id="ChUseWiresharkDetailsPane">
2506 <title>The "Packet Details" pane</title>
2507 <graphic entityref="WiresharkDetailsPane" format="PNG"/>
2511 This pane shows the protocols and protocol fields of the packet selected
2512 in the "Packet List" pane. The protocols and fields of the packet are
2513 displayed using a tree, which can be expanded and collapsed.
2516 There is a context menu (right mouse click) available, see details in
2517 <xref linkend="ChWorkPacketDetailsPanePopUpMenu"/>.
2520 Some protocol fields are specially displayed.
2525 <command>Generated fields</command>
2526 Wireshark itself will generate additional protocol fields which are
2527 surrounded by brackets. The information in these fields is derived from the
2528 known context of other packets in the capture file. For example, Wireshark
2529 performs a sequence/acknowledge analysis of each TCP stream,
2530 which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
2535 <command>Links</command>
2536 If Wireshark detected a relationship to another packet in the capture file,
2537 it will generate a link to that packet. Links are underlined and displayed
2538 in blue. If double-clicked, Wireshark jumps to the corresponding packet.
2544 <section id="ChUsePacketBytesPaneSection"><title>The "Packet Bytes" pane</title>
2546 The packet bytes pane shows the data of the current packet (selected in the "Packet List"
2547 pane) in a hexdump style.
2548 <figure id="ChUseWiresharkBytesPane">
2549 <title>The "Packet Bytes" pane</title>
2550 <graphic entityref="WiresharkBytesPane" format="PNG"/>
2554 As usual for a hexdump, the left side shows the offset in the packet data,
2555 in the middle the packet data is shown in a hexadecimal representation and
2556 on the right the corresponding ASCII characters (or . if not appropriate)
2560 Depending on the packet data, sometimes more than one page is available,
2561 e.g. when Wireshark has reassembled some packets into a single chunk of
2562 data, see <xref linkend="ChAdvReassemblySection"/>. In this case there are
2563 some additional tabs shown at the bottom of the pane to let you select
2564 the page you want to see.
2565 <figure id="ChUseWiresharkBytesPaneTabs">
2566 <title>The "Packet Bytes" pane with tabs</title>
2567 <graphic entityref="WiresharkBytesPaneTabs" format="PNG"/>
2570 <note><title>Note!</title>
2572 The additional pages might contain data picked from multiple packets.
2576 The context menu (right mouse click) of the tab labels will show a list of
2577 all available pages. This can be helpful if the size in the pane is too
2578 small for all the tab labels.
<section id="ChUseStatusbarSection"><title>The Statusbar</title>
The statusbar displays informational messages.
In general, the left side will show context-related information, the
middle part will show the current number of packets, and the right side will
show the selected configuration profile. Drag the handles between the text
areas to change the size.
<figure id="ChUseWiresharkStatusbarEmpty">
<title>The initial Statusbar</title>
<graphic entityref="WiresharkStatusbarEmpty" format="PNG"/>
This statusbar is shown while no capture file is loaded, e.g. when
Wireshark is started.
<figure id="ChUseWiresharkStatusbarLoaded">
<title>The Statusbar with a loaded capture file</title>
<graphic entityref="WiresharkStatusbarLoaded" format="PNG"/>
<command>The colorized bullet</command> on the left shows the highest expert
info level found in the currently loaded capture file. Hovering the mouse
over this icon will show a textual description of the expert info level,
and clicking the icon will bring up the Expert Infos dialog box.
For a detailed description of expert info, see <xref linkend="ChAdvExpert"/>.
<command>The left side</command> shows information about the capture file, its
name, its size and the elapsed time while it was being captured.
<command>The middle part</command> shows the current number of packets in the capture file.
The following values are displayed:
<itemizedlist mark="bullet">
<para><emphasis>Packets:</emphasis> the number of captured packets</para>
<para><emphasis>Displayed:</emphasis> the number of packets currently being
<para><emphasis>Marked:</emphasis> the number of marked packets</para>
<para><emphasis>Dropped:</emphasis> the number of dropped packets (only displayed
if Wireshark was unable to capture all packets)</para>
<para><emphasis>Ignored:</emphasis> the number of ignored packets (only displayed
if packets are ignored)</para>
<command>The right side</command> shows the selected configuration profile.
Clicking in this part of the statusbar will bring up a menu with all available
configuration profiles, and selecting from this list will change the configuration profile.
<figure id="ChUseWiresharkStatusbarProfile">
<title>The Statusbar with a configuration profile menu</title>
<graphic entityref="WiresharkStatusbarProfile" format="PNG"/>
For a detailed description of configuration profiles, see
<xref linkend="ChCustConfigProfilesSection"/>.
<figure id="ChUseWiresharkStatusbarSelected">
<title>The Statusbar with a selected protocol field</title>
<graphic entityref="WiresharkStatusbarSelected" format="PNG"/>
This is displayed if you have selected a protocol field from the
"Packet Details" pane.
<tip><title>Tip!</title>
The value between the brackets (in this example
<command>arp.opcode</command>) can be used as a display filter string,
representing the selected protocol field.
<figure id="ChUseWiresharkStatusbarFilter">
<title>The Statusbar with a display filter message</title>
<graphic entityref="WiresharkStatusbarFilter" format="PNG"/>
This is displayed if you are trying to use a display filter which
may have unexpected results. For a detailed description, see
<xref linkend="ChWorkBuildDisplayFilterMistake"/>.
<!-- End of WSUG Chapter 3 -->