<!-- WSUG Chapter Three -->
<chapter id="ChapterUsing">
<title>User Interface</title>
<section id="ChUseIntroductionSection"><title>Introduction</title>
By now you have installed <application>Wireshark</application> and
are most likely keen to get started capturing your first packets. In
the next chapters we will explore:
How the Wireshark user interface works
How to capture packets in <application>Wireshark</application>
How to view packets in <application>Wireshark</application>
How to filter packets in <application>Wireshark</application>
... and many other things!
<section id="ChUseStartSection"><title>Start Wireshark</title>
You can start Wireshark from your shell or window manager.
<tip><title>Tip!</title>
When starting Wireshark it's possible to specify optional settings using
the command line. See <xref linkend="ChCustCommandLine"/> for details.
<note><title>Note!</title>
In the following chapters, a lot of screenshots from Wireshark will be shown.
As Wireshark runs on many different platforms with many different window
managers and applied styles, and with different versions of the
underlying GUI toolkit, your screen might look different from the provided
screenshots. But as there are no real differences in functionality, these
screenshots should still be easy to follow.
<section id="ChUseMainWindowSection"><title>The Main window</title>
Let's look at Wireshark's user interface. <xref linkend="ChUseFig01"/> shows
Wireshark as you would usually see it after some packets are captured or loaded
(how to do this will be described later).
<figure id="ChUseFig01">
<title>The Main window</title>
<graphic scale="100" entityref="WiresharkThreePane1" format="PNG"/>
Wireshark's main window consists of parts that are commonly known from many
The <emphasis>menu</emphasis> (see <xref linkend="ChUseMenuSection"/>)
is used to start actions.
The <emphasis>main toolbar</emphasis> (see <xref linkend="ChUseMainToolbarSection"/>)
provides quick access to frequently used items from the menu.
The <emphasis>filter toolbar</emphasis> (see <xref linkend="ChUseFilterToolbarSection"/>)
provides a way to directly manipulate the currently used display filter
(see <xref linkend="ChWorkDisplayFilterSection"/>).
The <emphasis>packet list pane</emphasis> (see <xref linkend="ChUsePacketListPaneSection"/>)
displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
The <emphasis>packet details pane</emphasis> (see <xref linkend="ChUsePacketDetailsPaneSection"/>)
displays the packet selected in the packet list pane in more detail.
The <emphasis>packet bytes pane</emphasis> (see <xref linkend="ChUsePacketBytesPaneSection"/>)
displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
The <emphasis>statusbar</emphasis> (see <xref linkend="ChUseStatusbarSection"/>)
shows some detailed information about the current program state and
<tip><title>Tip!</title>
The layout of the main window can be customized by changing preference settings.
See <xref linkend="ChCustPreferencesSection"/> for details!
<section id="ChUseMainWindowNavSection"><title>Main Window Navigation</title>
Packet list and detail navigation can be done entirely from the
keyboard. <xref linkend="ChUseTabNav"/> shows a list of keystrokes
that will let you quickly move around a capture file. See
<xref linkend="ChUseTabGo"/> for additional navigation keystrokes.
<table id="ChUseTabNav" frame="none">
<title>Keyboard Navigation</title>
<colspec colnum="1" colwidth="72pt"/>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry>Tab, Shift+Tab</entry>
Move between screen elements, e.g. from the toolbars
to the packet list to the packet detail.
Move to the next packet or detail item.
Move to the previous packet or detail item.
<entry>Ctrl+Down, F8</entry>
Move to the next packet, even if the packet
<entry>Ctrl+Up, F7</entry>
Move to the previous packet, even if the packet
<entry>Ctrl+.</entry>
Move to the next packet of the conversation
<entry>Ctrl+,</entry>
Move to the previous packet of the conversation
In the packet detail, closes the selected tree item.
If it's already closed, jumps to the parent node.
In the packet detail, opens the selected tree item.
<entry>Shift+Right</entry>
In the packet detail, opens the selected tree item
and all of its subtrees.
<entry>Ctrl+Right</entry>
In the packet detail, opens all tree items.
<entry>Ctrl+Left</entry>
In the packet detail, closes all tree items.
<entry>Backspace</entry>
In the packet detail, jumps to the parent node.
<entry>Return, Enter</entry>
In the packet detail, toggles the selected
Additionally, typing anywhere in the main window will start filling
<section id="ChUseMenuSection"><title>The Menu</title>
The Wireshark menu sits on top of the Wireshark window.
An example is shown in <xref linkend="ChUseWiresharkMenu"/>.
<note><title>Note!</title>
Menu items will be greyed out if the corresponding feature isn't
available. For example, you cannot save a capture file if you haven't
captured or loaded any data before.
<figure id="ChUseWiresharkMenu"><title>The Menu</title>
<graphic entityref="WiresharkMenuOnly" format="PNG"/>
It contains the following items:
<varlistentry><term><command>File</command></term>
This menu contains items to open and merge capture files,
save / print / export capture files in whole or in part,
and to quit from Wireshark. See <xref linkend="ChUseFileMenuSection"/>.
<varlistentry><term><command>Edit</command></term>
This menu contains items to find a packet, time reference or mark one
or more packets, handle configuration profiles, and set your preferences
(cut, copy, and paste are not presently implemented).
See <xref linkend="ChUseEditMenuSection"/>.
<varlistentry><term><command>View</command></term>
<para>This menu controls the display of the captured data,
including colorization of packets, zooming the font,
showing a packet in a separate window, expanding and collapsing trees in packet details, and more.
See <xref linkend="ChUseViewMenuSection"/>.
<varlistentry><term><command>Go</command></term>
<para>This menu contains items to go to a specific packet.
See <xref linkend="ChUseGoMenuSection"/>.
<varlistentry><term><command>Capture</command></term>
<para>This menu allows you to start and stop captures and to edit capture filters.
See <xref linkend="ChUseCaptureMenuSection"/>.
<varlistentry><term><command>Analyze</command></term>
This menu contains items to manipulate display filters, enable or
disable the dissection of protocols, configure user specified decodes
and follow a TCP stream.
See <xref linkend="ChUseAnalyzeMenuSection"/>.
<varlistentry><term><command>Statistics</command></term>
This menu contains items to display various statistic windows,
including a summary of the packets that have been captured,
display protocol hierarchy statistics and much more.
See <xref linkend="ChUseStatisticsMenuSection"/>.
<varlistentry><term><command>Telephony</command></term>
This menu contains items to display various telephony related
statistic windows, including a media analysis, flow diagrams,
display protocol hierarchy statistics and much more.
See <xref linkend="ChUseTelephonyMenuSection"/>.
<varlistentry><term><command>Tools</command></term>
This menu contains various tools available in Wireshark, such as
creating Firewall ACL Rules.
See <xref linkend="ChUseToolsMenuSection"/>.
<varlistentry><term><command>Help</command></term>
This menu contains items to help the user, e.g. access to some basic
help, a list of the supported protocols, manual pages, online access
to some of the webpages, and the usual about dialog.
See <xref linkend="ChUseHelpMenuSection"/>.
Each of these menu items is described in more detail in the sections
<tip><title>Tip!</title>
You can access menu items directly or by pressing the corresponding
accelerator keys which are shown at the right side of the
menu. For example, you can press the Control (or Strg in German) and the K
keys together to open the capture dialog.
<section id="ChUseFileMenuSection"><title>The "File" menu</title>
The Wireshark file menu contains the fields shown in
<xref linkend="ChUseTabFile"/>.
<figure id="ChUseWiresharkFileMenu">
<title>The "File" Menu</title>
<graphic entityref="WiresharkFileMenu" format="PNG"/>
<table id="ChUseTabFile" frame="none"><title>File menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Open...</command></entry>
<entry>Ctrl+O</entry>
This menu item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in <xref linkend="ChIOOpen"/>.
<entry><command>Open Recent</command></entry>
This menu item shows a submenu containing the recently opened
capture files. Clicking on one of the submenu items will open the
corresponding capture file directly.
<entry><command>Merge...</command></entry>
This menu item brings up the merge file dialog box that
allows you to merge a capture file into the currently loaded one.
It is discussed in more detail in <xref linkend="ChIOMergeSection"/>.
<entry><command>Import...</command></entry>
This menu item brings up the import file dialog box that
allows you to import a text file into a new temporary capture.
It is discussed in more detail in <xref linkend="ChIOImportSection"/>.
<entry><command>Close</command></entry>
<entry>Ctrl+W</entry>
This menu item closes the current capture. If you
haven't saved the capture, you will be asked to do so first
(this can be disabled by a preference setting).
<entry><command>------</command></entry>
<entry><command>Save</command></entry>
<entry>Ctrl+S</entry>
This menu item saves the current capture. If you
have not set a default capture file name (perhaps with
the -w &lt;capfile&gt; option), Wireshark pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
If you have already saved the current capture, this
menu item will be greyed out.
You cannot save a live capture while the capture is in
progress. You must stop the capture in order to
<entry><command>Save As...</command></entry>
<entry>Shift+Ctrl+S</entry>
This menu item allows you to save the current capture
file to whatever file you would like. It pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
<entry><command>------</command></entry>
<entry><command>File Set > List Files</command></entry>
This menu item allows you to show a list of files in a file set.
It pops up the Wireshark List File Set dialog box (which is
discussed further in <xref linkend="ChIOFileSetSection"/>).
<entry><command>File Set > Next File</command></entry>
If the currently loaded file is part of a file set, jump to the
next file in the set. If it isn't part of a file set or just the
last file in that set, this item is greyed out.
<entry><command>File Set > Previous File</command></entry>
If the currently loaded file is part of a file set, jump to the
previous file in the set. If it isn't part of a file set or just
the first file in that set, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Export > File...</command></entry>
This menu item allows you to export all (or some) of the packets in
the capture file to a file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSection"/>).
<entry><command>Export > Selected Packet Bytes...</command></entry>
<entry>Ctrl+H</entry>
This menu item allows you to export the currently selected bytes
in the packet bytes pane to a binary file. It pops up the
Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSelectedDialog"/>).
<entry><command>Export > Objects > HTTP</command></entry>
This menu item allows you to export all or some of the captured HTTP objects
into local files. It pops up the Wireshark HTTP object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>Export > Objects > DICOM</command></entry>
This menu item allows you to export all or some of the captured DICOM objects
into local files. It pops up the Wireshark DICOM object list (which is discussed
further in <xref linkend="ChIOExportObjectsDialog"/>).
<entry><command>------</command></entry>
<entry><command>Print...</command></entry>
<entry>Ctrl+P</entry>
This menu item allows you to print all (or some) of the packets in
the capture file. It pops up the Wireshark Print dialog
box (which is discussed further in
<xref linkend="ChIOPrintSection"/>).
<entry><command>------</command></entry>
<entry><command>Quit</command></entry>
<entry>Ctrl+Q</entry>
This menu item allows you to quit from Wireshark.
Wireshark will ask to save your capture file if you haven't previously saved
it (this can be disabled by a preference setting).
<section id="ChUseEditMenuSection"><title>The "Edit" menu</title>
The Wireshark Edit menu contains the fields shown in
<xref linkend="ChUseTabEdit"/>.
<figure id="ChUseWiresharkEditMenu">
<title>The "Edit" Menu</title>
<graphic entityref="WiresharkEditMenu" format="PNG"/>
<table id="ChUseTabEdit" frame="none">
<title>Edit menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Copy > Description</command></entry>
<entry>Shift+Ctrl+D</entry>
This menu item will copy the description of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Fieldname</command></entry>
<entry>Shift+Ctrl+F</entry>
This menu item will copy the fieldname of the selected item
in the detail view to the clipboard.
<entry><command>Copy > Value</command></entry>
<entry>Shift+Ctrl+V</entry>
This menu item will copy the value of the selected item
in the detail view to the clipboard.
<entry><command>Copy > As Filter</command></entry>
<entry>Shift+Ctrl+C</entry>
This menu item will use the selected item in the detail view to
create a display filter. This display filter is then copied to
<entry><command>------</command></entry>
<entry><command>Find Packet...</command></entry>
<entry>Ctrl+F</entry>
This menu item brings up a dialog box that allows you
to find a packet by many criteria.
There is further information on finding packets in
<xref linkend="ChWorkFindPacketSection"/>.
<entry><command>Find Next</command></entry>
<entry>Ctrl+N</entry>
This menu item tries to find the next packet matching the
settings from "Find Packet...".
<entry><command>Find Previous</command></entry>
<entry>Ctrl+B</entry>
This menu item tries to find the previous packet matching the
settings from "Find Packet...".
<entry><command>------</command></entry>
<entry><command>Mark Packet (toggle)</command></entry>
<entry>Ctrl+M</entry>
This menu item "marks" the currently selected packet. See
<xref linkend="ChWorkMarkPacketSection"/> for details.
<entry><command>Find Next Mark</command></entry>
<entry>Shift+Ctrl+N</entry>
Find the next marked packet.
<entry><command>Find Previous Mark</command></entry>
<entry>Shift+Ctrl+B</entry>
Find the previous marked packet.
<entry><command>Mark All Displayed Packets</command></entry>
This menu item "marks" all displayed packets.
<entry><command>Unmark All Packets</command></entry>
<entry><para>This menu item "unmarks" all marked packets.
<entry><command>------</command></entry>
<entry><command>Ignore Packet (toggle)</command></entry>
<entry>Ctrl+X</entry>
This menu item marks the currently selected packet as ignored.
See <xref linkend="ChWorkIgnorePacketSection"/> for details.
<entry><command>Ignore All Displayed Packets</command></entry>
<entry>Shift-Ctrl-Alt-X</entry>
This menu item marks all displayed packets as ignored.
<entry><command>Un-Ignore All Packets</command></entry>
<entry>Shift-Ctrl-X</entry>
This menu item unmarks all ignored packets.
<entry><command>------</command></entry>
<entry><command>Set Time Reference (toggle)</command></entry>
<entry>Ctrl+T</entry>
This menu item sets a time reference on the currently selected
packet. See <xref linkend="ChWorkTimeReferencePacketSection"/> for more information
about the time referenced packets.
<entry><command>Find Next Reference</command></entry>
This menu item tries to find the next time referenced packet.
<entry><command>Find Previous Reference</command></entry>
This menu item tries to find the previous time referenced packet.
<entry><command>------</command></entry>
<entry><command>Configuration Profiles...</command></entry>
<entry>Shift-Ctrl-A</entry>
This menu item brings up a dialog box for handling configuration
profiles. More detail is provided in
<xref linkend="ChCustConfigProfilesSection"/>.
<entry><command>Preferences...</command></entry>
<entry>Shift+Ctrl+P</entry>
This menu item brings up a dialog box that allows
you to set preferences for many parameters that control
Wireshark. You can also save your preferences so Wireshark
will use them the next time you start it. More detail
is provided in <xref linkend="ChCustPreferencesSection"/>.
<section id="ChUseViewMenuSection"><title>The "View" menu</title>
The Wireshark View menu contains the fields shown in
<xref linkend="ChUseTabView"/>.
<figure id="ChUseWiresharkViewMenu">
<title>The "View" Menu</title>
<graphic entityref="WiresharkViewMenu" format="PNG"/>
<table id="ChUseTabView" frame="none">
<title>View menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Main Toolbar</command></entry>
This menu item hides or shows the main toolbar, see
<xref linkend="ChUseMainToolbarSection"/>.
<entry><command>Filter Toolbar</command></entry>
This menu item hides or shows the filter toolbar, see
<xref linkend="ChUseFilterToolbarSection"/>.
<entry><command>Wireless Toolbar (Windows only)</command></entry>
This menu item hides or shows the wireless toolbar. See
the AirPcap documentation for more information.
<entry><command>Statusbar</command></entry>
This menu item hides or shows the statusbar, see
<xref linkend="ChUseStatusbarSection"/>.
<entry><command>------</command></entry>
<entry><command>Packet List</command></entry>
This menu item hides or shows the packet list pane, see
<xref linkend="ChUsePacketListPaneSection"/>.
<entry><command>Packet Details</command></entry>
This menu item hides or shows the packet details pane, see
<xref linkend="ChUsePacketDetailsPaneSection"/>.
<entry><command>Packet Bytes</command></entry>
This menu item hides or shows the packet bytes pane, see
<xref linkend="ChUsePacketBytesPaneSection"/>.
<entry><command>------</command></entry>
<entry><command>Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display the
time stamps in date and time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Time of Day", "Date and Time of
Day", "Seconds Since Beginning of Capture", "Seconds Since
Previous Captured Packet" and "Seconds Since Previous
Displayed Packet" are mutually exclusive.
<entry><command>Time Display Format > Time of Day: 01:02:03.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Epoch (1970-01-01): 1234567890.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since 1970-01-01 00:00:00, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Beginning of Capture: 123.123456</command></entry>
Selecting this tells Wireshark to display time
stamps in seconds since beginning of capture format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Captured Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous captured packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Seconds Since Previous Displayed Packet: 1.123456</command></entry>
Selecting this tells Wireshark to display time stamps in
seconds since previous displayed packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ------</command></entry>
<entry><command>Time Display Format > Automatic (File Format Precision)</command></entry>
Selecting this tells Wireshark to display time stamps with the
precision given by the capture file format used, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
<entry><command>Time Display Format > Seconds: 0</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > ...seconds: 0....</command></entry>
Selecting this tells Wireshark to display time stamps with a precision of one second,
decisecond, centisecond, millisecond, microsecond or nanosecond, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<entry><command>Time Display Format > Display Seconds with hours and minutes</command></entry>
Selecting this tells Wireshark to display time stamps in seconds,
with hours and minutes.
<entry><command>Name Resolution > Resolve Name</command></entry>
This item allows you to trigger a name resolve of the current packet
only, see <xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for MAC Layer</command></entry>
This item allows you to control whether or not
Wireshark translates MAC addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Network Layer</command></entry>
This item allows you to control whether or not
Wireshark translates network addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Name Resolution > Enable for Transport Layer</command></entry>
This item allows you to control whether or not
Wireshark translates transport addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
<entry><command>Colorize Packet List</command></entry>
This item allows you to control whether or not Wireshark should colorize
the packet list.</para>
<note><title>Note!</title><para>
Enabling colorization will slow down the display
of new packets while capturing / loading capture files.
</para></note></entry>
<entry><command>Auto Scroll in Live Capture</command></entry>
This item allows you to specify that Wireshark
should scroll the packet list pane as new packets come
in, so you are always looking at the last packet. If you
do not specify this, Wireshark simply adds new packets onto
the end of the list, but does not scroll the packet list
<entry><command>------</command></entry>
<entry><command>Zoom In</command></entry>
<entry>Ctrl++</entry>
Zoom into the packet data (increase the font size).
<entry><command>Zoom Out</command></entry>
<entry>Ctrl+-</entry>
Zoom out of the packet data (decrease the font size).
<entry><command>Normal Size</command></entry>
<entry>Ctrl+=</entry>
Set zoom level back to 100% (set font size back to normal).
<entry><command>Resize All Columns</command></entry>
Resize all column widths so the content will fit into them.
<note><title>Note!</title><para>
Resizing may take a significant amount of time, especially if a
large capture file is loaded.
<entry><command>Displayed Columns</command></entry>
This menu item folds out with a list of all configured columns.
These columns can now be shown or hidden in the packet list.
<entry><command>------</command></entry>
<entry><command>Expand Subtrees</command></entry>
This menu item expands the currently selected subtree in the
packet details tree.
<entry><command>Expand All</command></entry>
Wireshark keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a packet.
This menu item expands all subtrees in all packets in
<entry><command>Collapse All</command></entry>
This menu item collapses the tree view of all packets
in the capture list.
<entry><command>------</command></entry>
<entry><command>Colorize Conversation</command></entry>
This menu item brings up a submenu that allows you
to color packets in the packet list pane based
on the addresses of the currently selected packet.
This makes it easy to distinguish packets
belonging to different conversations.
See <xref linkend="ChCustColorizationSection"/>.
<entry><command>Colorize Conversation > Color 1-10</command></entry>
These menu items enable one of the ten temporary color
filters based on the currently selected conversation.
<entry><command>Colorize Conversation > Reset coloring</command></entry>
This menu item clears all temporary coloring rules.
<entry><command>Colorize Conversation > New Coloring Rule...</command></entry>
This menu item opens a dialog window in which a new
permanent coloring rule can be created based on the
currently selected conversation.
<entry><command>Coloring Rules...</command></entry>
This menu item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets, see
<xref linkend="ChCustColorizationSection"/>.
<entry><command>------</command></entry>
<entry><command>Show Packet in New Window</command></entry>
This menu item brings up the selected packet in a
separate window. The separate window shows only the
tree view and byte view panes.
<entry><command>Reload</command></entry>
<entry>Ctrl-R</entry>
This menu item allows you to reload the current
<section id="ChUseGoMenuSection"><title>The "Go" menu</title>
The Wireshark Go menu contains the fields shown in
<xref linkend="ChUseTabGo"/>.
<figure id="ChUseWiresharkGoMenu">
<title>The "Go" Menu</title>
<graphic entityref="WiresharkGoMenu" format="PNG"/>
<table id="ChUseTabGo" frame="none">
<title>Go menu items</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
<entry><command>Back</command></entry>
<entry>Alt+Left</entry>
Jump to the recently visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Forward</command></entry>
<entry>Alt+Right</entry>
Jump to the next visited packet in the packet
history, much like the page history in a web browser.
<entry><command>Go to Packet...</command></entry>
<entry>Ctrl-G</entry>
Bring up a dialog box that allows you
to specify a packet number, and then go to that packet. See
<xref linkend="ChWorkGoToPacketSection"/> for details.
<entry><command>Go to Corresponding Packet</command></entry>
Go to the corresponding packet of the currently
selected protocol field. If the selected field doesn't correspond
to a packet, this item is greyed out.
<entry><command>------</command></entry>
<entry><command>Previous Packet</command></entry>
<entry>Ctrl+Up</entry>
Move to the previous packet in the list. This can be
used to move to the previous packet even if the packet
list doesn't have keyboard focus.
<entry><command>Next Packet</command></entry>
<entry>Ctrl+Down</entry>
Move to the next packet in the list. This can be
used to move to the next packet even if the packet
list doesn't have keyboard focus.
<entry><command>First Packet</command></entry>
<entry>Ctrl+Home</entry>
Jump to the first packet of the capture file.
<entry><command>Last Packet</command></entry>
<entry>Ctrl+End</entry>
Jump to the last packet of the capture file.
1312 <section id="ChUseCaptureMenuSection"><title>The "Capture" menu</title>
1314 The Wireshark Capture menu contains the fields shown in
1315 <xref linkend="ChUseTabCap"/>.
1317 <figure id="ChUseWiresharkCaptureMenu">
1318 <title>The "Capture" Menu</title>
1319 <graphic entityref="WiresharkCaptureMenu" format="PNG"/>
1321 <table id="ChUseTabCap" frame="none">
1322 <title>Capture menu items</title>
1324 <colspec colnum="1" colwidth="72pt"/>
1325 <colspec colnum="2" colwidth="80pt"/>
1328 <entry>Menu Item</entry>
1329 <entry>Accelerator</entry>
1330 <entry>Description</entry>
1335 <entry><command>Interfaces...</command></entry>
1338 This menu item brings up a dialog box that shows what's going on
1339 at the network interfaces Wireshark knows of, see
1340 <xref linkend="ChCapInterfaceSection"/>) .
1344 <entry><command>Options...</command></entry>
1345 <entry>Ctrl+K</entry>
1347 This menu item brings up the Capture Options
1348 dialog box (discussed further in
1349 <xref linkend="ChCapCaptureOptions"/>) and allows you to
1350 start capturing packets.
1354 <entry><command>Start</command></entry>
1357 Immediately start capturing packets with the same settings than
1362 <entry><command>Stop</command></entry>
1363 <entry>Ctrl+E</entry>
1365 This menu item stops the currently running capture, see
1366 <xref linkend="ChCapStopSection"/>) .
1370 <entry><command>Restart</command></entry>
1373 This menu item stops the currently running capture and starts
1374 again with the same options, this is just for convenience.
1378 <entry><command>Capture Filters...</command></entry>
1381 This menu item brings up a dialog box that allows you to
1382 create and edit capture filters. You can name filters,
1383 and you can save them for future use. More detail on
1384 this subject is provided in
1385 <xref linkend="ChWorkDefineFilterSection"/>.
1393 <section id="ChUseAnalyzeMenuSection"><title>The "Analyze" menu</title>
1395 The Wireshark Analyze menu contains the fields shown in
1396 <xref linkend="ChUseAnalyze"/>.
1398 <figure id="ChUseWiresharkAnalyzeMenu">
1399 <title>The "Analyze" Menu</title>
1400 <graphic entityref="WiresharkAnalyzeMenu" format="PNG"/>
1402 <table id="ChUseAnalyze" frame="none"><title>Analyze menu items</title>
1404 <colspec colnum="1" colwidth="72pt"/>
1405 <colspec colnum="2" colwidth="80pt"/>
1408 <entry>Menu Item</entry>
1409 <entry>Accelerator</entry>
1410 <entry>Description</entry>
1415 <entry><command>Display Filters...</command></entry>
1418 This menu item brings up a dialog box that allows you
1419 to create and edit display filters. You can name
1420 filters, and you can save them for future use. More
1421 detail on this subject is provided in
1422 <xref linkend="ChWorkDefineFilterSection"/>.
1426 <entry><command>Display Filter Macros...</command></entry>
1429 This menu item brings up a dialog box that allows you
1430 to create and edit display filter macros. You can name
1431 filter macros, and you can save them for future use. More
1432 detail on this subject is provided in
1433 <xref linkend="ChWorkDefineFilterMacrosSection"/>.
1437 <entry><command>------</command></entry>
1442 <entry><command>Apply as Column</command></entry>
1445 This menu item adds the selected protocol item in the packet details
1446 pane as a column to the packet list.
1450 <entry><command>Apply as Filter > ...</command></entry>
1453 These menu items will change the current display filter and apply
1454 the changed filter immediately. Depending on the chosen menu item,
1455 the current display filter string will be replaced or appended to
1456 by the selected protocol field in the packet details pane.
1460 <entry><command>Prepare a Filter > ...</command></entry>
1463 These menu items will change the current display filter but won't
1464 apply the changed filter. Depending on the chosen menu item,
1465 the current display filter string will be replaced or appended to
1466 by the selected protocol field in the packet details pane.
1470 <entry><command>------</command></entry>
1475 <entry><command>Enabled Protocols...</command></entry>
1476 <entry>Shift+Ctrl+R</entry>
1478 This menu item allows the user to enable/disable protocol
1479 dissectors, see <xref linkend="ChAdvEnabledProtocols"/>.
1483 <entry><command>Decode As...</command></entry>
1486 This menu item allows the user to force Wireshark to
1487 decode certain packets as a particular protocol, see
1488 <xref linkend="ChAdvDecodeAs"/>.
1492 <entry><command>User Specified Decodes...</command></entry>
1495 This menu item allows the user to force Wireshark to
1496 decode certain packets as a particular protocol, see
1497 <xref linkend="ChAdvDecodeAsShow"/>.
1501 <entry><command>------</command></entry>
1506 <entry><command>Follow TCP Stream</command></entry>
1509 This menu item brings up a separate window and displays
1510 all the TCP segments captured that are on the same TCP
1511 connection as a selected packet, see
1512 <xref linkend="ChAdvFollowTCPSection"/>.
1516 <entry><command>Follow UDP Stream</command></entry>
1519 Same functionality as "Follow TCP Stream" but
1524 <entry><command>Follow SSL Stream</command></entry>
1527 Same functionality as "Follow TCP Stream" but for SSL streams.
1528 XXX - how to provide the SSL keys?
1532 <entry><command>Expert Info</command></entry>
1535 Open a dialog showing some expert information about the captured
1536 packets in a log style display.
1537 The amount of information will depend on the protocol and varies
1538 from very detailed to non-existent. This is currently a work in
1539 progress. XXX - add a new section about this and link from here
1543 <entry><command>Expert Info Composite</command></entry>
1546 Same information as in "Expert Info" but trying to group items
1547 together for faster analysis.
1551 <entry><command>Conversation Filter > ...</command></entry>
1554 In this menu you will find conversation filters for various
1563 <section id="ChUseStatisticsMenuSection"><title>The "Statistics" menu</title>
1565 The Wireshark Statistics menu contains the fields shown in
1566 <xref linkend="ChUseStatistics"/>.
1568 <figure id="ChUseWiresharkStatisticsMenu">
1569 <title>The "Statistics" Menu</title>
1570 <graphic entityref="WiresharkStatisticsMenu" format="PNG"/>
1573 All menu items will bring up a new window showing specific statistical
1576 <table id="ChUseStatistics" frame="none">
1577 <title>Statistics menu items</title>
1579 <colspec colnum="1" colwidth="72pt"/>
1580 <colspec colnum="2" colwidth="80pt"/>
1583 <entry>Menu Item</entry>
1584 <entry>Accelerator</entry>
1585 <entry>Description</entry>
1590 <entry><command>Summary</command></entry>
1593 Show information about the data captured, see <xref
1594 linkend="ChStatSummary"/>.
1598 <entry><command>Protocol Hierarchy</command></entry>
1601 Display a hierarchical tree of protocol statistics, see <xref
1602 linkend="ChStatHierarchy"/>.
1606 <entry><command>Conversations</command></entry>
1609 Display a list of conversations (traffic between two endpoints),
1610 see <xref linkend="ChStatConversationsWindow"/>.
1614 <entry><command>Endpoints</command></entry>
1617 Display a list of endpoints (traffic to/from an address), see
1618 <xref linkend="ChStatEndpointsWindow"/>.
1622 <entry><command>Packet Lengths...</command></entry>
1624 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1627 <entry><command>IO Graphs</command></entry>
1630 Display user specified graphs (e.g. the number of packets in the
1631 course of time), see <xref linkend="ChStatIOGraphs"/>.
1635 <entry><command>------</command></entry>
1640 <entry><command>Conversation List</command></entry>
1643 Display a list of conversations, obsoleted by the combined window
1644 of Conversations above, see
1645 <xref linkend="ChStatConversationListWindow"/>.
1649 <entry><command>Endpoint List</command></entry>
1652 Display a list of endpoints, obsoleted by the combined window
1653 of Endpoints above, see
1654 <xref linkend="ChStatEndpointListWindow"/>.
1658 <entry><command>Service Response Time</command></entry>
1661 Display the time between a request and the corresponding response, see
1662 <xref linkend="ChStatSRT"/>.
1666 <entry><command>------</command></entry>
1671 <entry><command>ANCP...</command></entry>
1673 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1676 <entry><command>BOOTP-DHCP...</command></entry>
1678 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1681 <entry><command>Collectd...</command></entry>
1683 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1686 <entry><command>Compare...</command></entry>
1688 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1691 <entry><command>Flow Graph...</command></entry>
1693 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1696 <entry><command>HTTP</command></entry>
1698 <entry><para>HTTP request/response statistics, see <xref linkend="ChStatXXX"/></para></entry>
1701 <entry><command>IP Addresses...</command></entry>
1703 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1706 <entry><command>IP Destinations...</command></entry>
1708 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1711 <entry><command>IP Protocol Types...</command></entry>
1713 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1716 <entry><command>ONC-RPC Programs</command></entry>
1718 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1721 <entry><command>TCP Stream Graph</command></entry>
1723 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1726 <entry><command>UDP Multicast Streams</command></entry>
1728 <entry><para>See <xref linkend="ChStatXXX"/></para></entry>
1731 <entry><command>WLAN Traffic</command></entry>
1733 <entry><para>See <xref linkend="ChStatWLANTraffic"/></para></entry>
1740 <section id="ChUseTelephonyMenuSection"><title>The "Telephony" menu</title>
1742 The Wireshark Telephony menu contains the fields shown in
1743 <xref linkend="ChUseTelephony"/>.
1745 <figure id="ChUseWiresharkTelephonyMenu">
1746 <title>The "Telephony" Menu</title>
1747 <graphic entityref="WiresharkTelephonyMenu" format="PNG"/>
1750 All menu items will bring up a new window showing specific telephony
1751 related statistical information.
1753 <table id="ChUseTelephony" frame="none">
1754 <title>Telephony menu items</title>
1756 <colspec colnum="1" colwidth="72pt"/>
1757 <colspec colnum="2" colwidth="80pt"/>
1760 <entry>Menu Item</entry>
1761 <entry>Accelerator</entry>
1762 <entry>Description</entry>
1767 <entry><command>IAX2</command></entry>
1769 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1772 <entry><command>SMPP Operations...</command></entry>
1774 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1777 <entry><command>SCTP</command></entry>
1779 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1782 <entry><command>ANSI</command></entry>
1784 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1787 <entry><command>GSM</command></entry>
1789 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1792 <entry><command>H.225...</command></entry>
1794 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1797 <entry><command>ISUP Messages...</command></entry>
1799 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1802 <entry><command>LTE MAC...</command></entry>
1804 <entry><para>See <xref linkend="ChTelLTEMACTraffic"/></para></entry>
1807 <entry><command>LTE RLC...</command></entry>
1809 <entry><para>See <xref linkend="ChTelLTERLCTraffic"/></para></entry>
1812 <entry><command>MTP3</command></entry>
1814 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1817 <entry><command>RTP</command></entry>
1819 <entry><para>See <xref linkend="ChTelRTPAnalysis"/></para></entry>
1822 <entry><command>SIP...</command></entry>
1824 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1827 <entry><command>UCP Messages...</command></entry>
1829 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1832 <entry><command>VoIP Calls...</command></entry>
1834 <entry><para>See <xref linkend="ChTelVoipCalls"/></para></entry>
1837 <entry><command>WAP-WSP...</command></entry>
1839 <entry><para>See <xref linkend="ChTelXXX"/></para></entry>
1846 <section id="ChUseToolsMenuSection"><title>The "Tools" menu</title>
1848 The Wireshark Tools menu contains the fields shown in
1849 <xref linkend="ChUseTools"/>.
1851 <figure id="ChUseWiresharkToolsMenu">
1852 <title>The "Tools" Menu</title>
1853 <graphic entityref="WiresharkToolsMenu" format="PNG"/>
1855 <table id="ChUseTools" frame="none">
1856 <title>Tools menu items</title>
1858 <colspec colnum="1" colwidth="72pt"/>
1859 <colspec colnum="2" colwidth="80pt"/>
1862 <entry>Menu Item</entry>
1863 <entry>Accelerator</entry>
1864 <entry>Description</entry>
1869 <entry><command>Firewall ACL Rules</command></entry>
1872 This allows you to create command-line ACL rules for many different
1873 firewall products, including Cisco IOS, Linux Netfilter (iptables),
1874 OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses,
1875 IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are
1878 It is assumed that the rules will be applied to an outside interface.
1882 <entry><command>Lua</command></entry>
1885 These options allow you to work with the Lua interpreter optionally
1886 built into Wireshark, see <xref linkend="wsluarm_intro"/>.
1894 <section id="ChUseHelpMenuSection"><title>The "Help" menu</title>
1896 The Wireshark Help menu contains the fields shown in
1897 <xref linkend="ChUseHelp"/>.
1899 <figure id="ChUseWiresharkHelpMenu">
1900 <title>The "Help" Menu</title>
1901 <graphic entityref="WiresharkHelpMenu" format="PNG"/>
1903 <table id="ChUseHelp" frame="none">
1904 <title>Help menu items</title>
1906 <colspec colnum="1" colwidth="72pt"/>
1907 <colspec colnum="2" colwidth="80pt"/>
1910 <entry>Menu Item</entry>
1911 <entry>Accelerator</entry>
1912 <entry>Description</entry>
1917 <entry><command>Contents</command></entry>
1920 This menu item brings up a basic help system.
1924 <entry><command>FAQ's</command></entry>
1927 This menu item starts a Web browser showing various FAQs.
1931 <entry><command>Manual Pages > ...</command></entry>
1934 This menu item starts a Web browser showing one of the locally
1935 installed HTML manual pages.
1939 <entry><command>------</command></entry>
1944 <entry><command>Wireshark Online > ...</command></entry>
1947 This menu item starts a Web browser showing the chosen
1949 <ulink url="&WiresharkWebSite;">&WiresharkWebSite;</ulink>.
1953 <entry><command>------</command></entry>
1958 <entry><command>Supported Protocols (slow!)</command></entry>
1961 This menu item brings up a dialog box showing the supported
1962 protocols and protocol fields.
1966 <entry><command>------</command></entry>
1971 <entry><command>About Wireshark</command></entry>
1974 This menu item brings up an information window that
1975 provides some information on Wireshark, such as the plugins, the
1982 <note><title>Note!</title>
1984 Calling a Web browser might be unsupported in your version of Wireshark.
1985 If this is the case, the corresponding menu items will be hidden.
1988 <note><title>Note!</title>
1990 If calling a Web browser fails on your machine (for example, nothing
1991 happens, or the browser starts but no page is shown), have a look at the
1992 web browser setting in the preferences dialog.
1997 <section id="ChUseMainToolbarSection"><title>The "Main" toolbar</title>
1999 The main toolbar provides quick access to frequently used items from the
2000 menu. This toolbar cannot be customized by the user, but it can be hidden
2001 using the View menu, if the space on the screen is needed to show even
2005 As in the menu, only the items useful in the current program state will
2006 be available. The others will be greyed out (e.g. you cannot save a capture
2007 file if you haven't loaded one).
2008 <figure id="ChUseWiresharkMainToolbar">
2009 <title>The "Main" toolbar</title>
2010 <graphic entityref="WiresharkMainToolbar" format="PNG"/>
2013 <table id="ChUseMainToolbar" frame="none">
2014 <title>Main toolbar items</title>
2016 <colspec colnum="1" colwidth="40pt"/>
2017 <colspec colnum="2" colwidth="80pt"/>
2018 <colspec colnum="3" colwidth="80pt"/>
2021 <entry>Toolbar Icon</entry>
2022 <entry>Toolbar Item</entry>
2023 <entry>Corresponding Menu Item</entry>
2024 <entry>Description</entry>
2029 <entry><graphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/></entry>
2030 <entry><command>Interfaces...</command></entry>
2031 <entry>Capture/Interfaces...</entry>
2033 This item brings up the Capture Interfaces List
2034 dialog box (discussed further in
2035 <xref linkend="ChCapCapturingSection"/>).
2040 <entry><graphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/></entry>
2041 <entry><command>Options...</command></entry>
2042 <entry>Capture/Options...</entry>
2044 This item brings up the Capture Options
2045 dialog box (discussed further in
2046 <xref linkend="ChCapCapturingSection"/>) and allows you to
2047 start capturing packets.
2052 <entry><graphic entityref="WiresharkToolbarCaptureStart" format="PNG"/></entry>
2053 <entry><command>Start</command></entry>
2054 <entry>Capture/Start</entry>
2056 This item starts capturing packets with the options from
2062 <entry><graphic entityref="WiresharkToolbarCaptureStop" format="PNG"/></entry>
2063 <entry><command>Stop</command></entry>
2064 <entry>Capture/Stop</entry>
2066 This item stops the currently running live capture process (see
2067 <xref linkend="ChCapCapturingSection"/>).
2072 <entry><graphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/></entry>
2073 <entry><command>Restart</command></entry>
2074 <entry>Capture/Restart</entry>
2076 This item stops the currently running live capture process
2077 and restarts it again, for convenience.
2082 <entry><command>------</command></entry>
2087 <entry><graphic entityref="WiresharkToolbarOpen" format="PNG"/></entry>
2088 <entry><command>Open...</command></entry>
2089 <entry>File/Open...</entry>
2091 This item brings up the file open dialog box that
2092 allows you to load a capture file for viewing. It is
2093 discussed in more detail in <xref linkend="ChIOOpen"/>.
2097 <entry><graphic entityref="WiresharkToolbarSaveAs" format="PNG"/></entry>
2098 <entry><command>Save As...</command></entry>
2099 <entry>File/Save As...</entry>
2101 This item allows you to save the current capture file to whatever
2102 file you would like. It pops up the Save Capture File As dialog
2103 box (which is discussed further in <xref linkend="ChIOSaveAs"/>).
2105 <note><title>Note!</title>
2107 If you currently have a temporary capture file, the Save icon
2108 <inlinegraphic entityref="WiresharkToolbarSave" format="PNG"/> will be
2114 <entry><graphic entityref="WiresharkToolbarClose" format="PNG"/></entry>
2115 <entry><command>Close</command></entry>
2116 <entry>File/Close</entry>
2118 This item closes the current capture. If you
2119 have not saved the capture, you will be asked to save it first.
2123 <entry><graphic entityref="WiresharkToolbarReload" format="PNG"/></entry>
2124 <entry><command>Reload</command></entry>
2125 <entry>View/Reload</entry>
2127 This item allows you to reload the current capture file.
2131 <entry><graphic entityref="WiresharkToolbarPrint" format="PNG"/></entry>
2132 <entry><command>Print...</command></entry>
2133 <entry>File/Print...</entry>
2135 This item allows you to print all (or some of) the packets in
2136 the capture file. It pops up the Wireshark Print dialog
2137 box (which is discussed further in
2138 <xref linkend="ChIOPrintSection"/>).
2142 <entry><command>------</command></entry>
2147 <entry><graphic entityref="WiresharkToolbarFind" format="PNG"/></entry>
2148 <entry><command>Find Packet...</command></entry>
2149 <entry>Edit/Find Packet...</entry>
2151 This item brings up a dialog box that allows you
2152 to find a packet. There is further information on finding packets
2153 in <xref linkend="ChWorkFindPacketSection"/>.
2157 <entry><graphic entityref="WiresharkToolbarGoBack" format="PNG"/></entry>
2158 <entry><command>Go Back</command></entry>
2159 <entry>Go/Go Back</entry>
2161 This item jumps back in the packet history.
2165 <entry><graphic entityref="WiresharkToolbarGoForward" format="PNG"/></entry>
2166 <entry><command>Go Forward</command></entry>
2167 <entry>Go/Go Forward</entry>
2169 This item jumps forward in the packet history.
2173 <entry><graphic entityref="WiresharkToolbarGoTo" format="PNG"/></entry>
2174 <entry><command>Go to Packet...</command></entry>
2175 <entry>Go/Go to Packet...</entry>
2177 This item brings up a dialog box that allows you
2178 to specify a packet number and go to that packet.
2182 <entry><graphic entityref="WiresharkToolbarGoFirst" format="PNG"/></entry>
2183 <entry><command>Go To First Packet</command></entry>
2184 <entry>Go/First Packet</entry>
2186 This item jumps to the first packet of the capture file.
2190 <entry><graphic entityref="WiresharkToolbarGoLast" format="PNG"/></entry>
2191 <entry><command>Go To Last Packet</command></entry>
2192 <entry>Go/Last Packet</entry>
2194 This item jumps to the last packet of the capture file.
2198 <entry><command>------</command></entry>
2203 <entry><graphic entityref="WiresharkToolbarColorize" format="PNG"/></entry>
2204 <entry><command>Colorize</command></entry>
2205 <entry>View/Colorize</entry>
2207 Colorize the packet list (or not).
2211 <entry><graphic entityref="WiresharkToolbarAutoScroll" format="PNG"/></entry>
2212 <entry><command>Auto Scroll in Live Capture</command></entry>
2213 <entry>View/Auto Scroll in Live Capture</entry>
2215 Auto scroll packet list while doing a live capture (or not).
2219 <entry><command>------</command></entry>
2224 <entry><graphic entityref="WiresharkToolbarZoomIn" format="PNG"/></entry>
2225 <entry><command>Zoom In</command></entry>
2226 <entry>View/Zoom In</entry>
2228 Zoom into the packet data (increase the font size).
2232 <entry><graphic entityref="WiresharkToolbarZoomOut" format="PNG"/></entry>
2233 <entry><command>Zoom Out</command></entry>
2234 <entry>View/Zoom Out</entry>
2236 Zoom out of the packet data (decrease the font size).
2240 <entry><graphic entityref="WiresharkToolbarZoom100" format="PNG"/></entry>
2241 <entry><command>Normal Size</command></entry>
2242 <entry>View/Normal Size</entry>
2244 Set zoom level back to 100%.
2248 <entry><graphic entityref="WiresharkToolbarResizeColumns" format="PNG"/></entry>
2249 <entry><command>Resize Columns</command></entry>
2250 <entry>View/Resize Columns</entry>
2252 Resize columns, so the content fits into them.
2256 <entry><command>------</command></entry>
2261 <entry><graphic entityref="WiresharkToolbarCaptureFilters" format="PNG"/></entry>
2262 <entry><command>Capture Filters...</command></entry>
2263 <entry>Capture/Capture Filters...</entry>
2265 This item brings up a dialog box that allows you to
2266 create and edit capture filters. You can name filters,
2267 and you can save them for future use. More detail on
2268 this subject is provided in
2269 <xref linkend="ChWorkDefineFilterSection"/>.
2273 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2274 <entry><command>Display Filters...</command></entry>
2275 <entry>Analyze/Display Filters...</entry>
2277 This item brings up a dialog box that allows you
2278 to create and edit display filters. You can name
2279 filters, and you can save them for future use. More
2280 detail on this subject is provided in
2281 <xref linkend="ChWorkDefineFilterSection"/>.
2285 <entry><graphic entityref="WiresharkToolbarColoringRules" format="PNG"/></entry>
2286 <entry><command>Coloring Rules...</command></entry>
2287 <entry>View/Coloring Rules...</entry>
2289 This item brings up a dialog box that allows you
2290 to color packets in the packet list pane according to
2291 filter expressions you choose. It can be very useful
2292 for spotting certain types of packets. More
2293 detail on this subject is provided in
2294 <xref linkend="ChCustColorizationSection"/>.
2298 <entry><graphic entityref="WiresharkToolbarPreferences" format="PNG"/></entry>
2299 <entry><command>Preferences...</command></entry>
2300 <entry>Edit/Preferences</entry>
2302 This item brings up a dialog box that allows
2303 you to set preferences for many parameters that control
2304 Wireshark. You can also save your preferences so Wireshark
2305 will use them the next time you start it. More detail
2306 is provided in <xref linkend="ChCustPreferencesSection"/>.
2310 <entry><command>------</command></entry>
2315 <entry><graphic entityref="WiresharkToolbarHelp" format="PNG"/></entry>
2316 <entry><command>Help</command></entry>
2317 <entry>Help/Contents</entry>
2319 This item brings up the help dialog box.
2327 <section id="ChUseFilterToolbarSection"><title>The "Filter" toolbar</title>
2329 The filter toolbar lets you quickly edit and apply display filters. More information on
2330 display filters is available in <xref linkend="ChWorkDisplayFilterSection"/>.
2331 <figure id="ChUseWiresharkFilterToolbar">
2332 <title>The "Filter" toolbar</title>
2333 <graphic entityref="WiresharkFilterToolbar" format="PNG"/>
2335 <table id="ChUseFilterToolbar" frame="none">
2336 <title>Filter toolbar items</title>
2338 <colspec colnum="1" colwidth="40pt"/>
2339 <colspec colnum="2" colwidth="80pt"/>
2342 <entry>Toolbar Icon</entry>
2343 <entry>Toolbar Item</entry>
2344 <entry>Description</entry>
2349 <entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
2350 <entry><command>Filter:</command></entry>
2352 Brings up the filter construction dialog, described in <xref linkend="FiltersDialog"/>.
2358 <entry>Filter input</entry>
2361 The area to enter or edit a display filter string,
2362 see <xref linkend="ChWorkBuildDisplayFilterSection"/>.
2363 A syntax check of your filter string is done while you are typing.
2364 The background will turn red if you enter an incomplete or invalid
2365 string, and will become green when you enter a valid string. You can
2366 click on the pull down arrow to select a previously-entered filter
2367 string from a list. The entries in the pull down list will remain
2368 available even after a program restart.
2370 <note><title>Note!</title>
2372 After you've changed something in this field, don't forget to press
2373 the Apply button (or the Enter/Return key), to apply this filter
2374 string to the display.
2377 <note><title>Note!</title>
2379 This field is also where the current filter in effect is displayed.
2385 <entry><graphic entityref="WiresharkToolbarAdd" format="PNG"/></entry>
2386 <entry><command>Expression...</command></entry>
2388 The middle button labeled "Add Expression..." opens a dialog box that lets
2389 you edit a display filter from a list of protocol fields, described in
2390 <xref linkend="ChWorkFilterAddExpressionSection"/>.
2395 <entry><graphic entityref="WiresharkToolbarClear" format="PNG"/></entry>
2396 <entry><command>Clear</command></entry>
2398 Reset the current display filter and clear the edit area.
2403 <entry><graphic entityref="WiresharkToolbarApply" format="PNG"/></entry>
2404 <entry><command>Apply</command></entry>
2406 Apply the current value in the edit area as the new display filter.
2407 <note><title>Note!</title>
2409 Applying a display filter on large capture files might take quite a long time!
2421 <section id="ChUsePacketListPaneSection"><title>The "Packet List" pane</title>
2423 The packet list pane displays all the packets in the current capture
2425 <figure id="ChUseWiresharkListPane">
2426 <title>The "Packet List" pane</title>
2427 <graphic entityref="WiresharkListPane" format="PNG"/>
2429 Each line in the packet list corresponds to one packet in the capture
2430 file. If you select a line in this pane, more details will be displayed in
2431 the "Packet Details" and "Packet Bytes" panes.
2434 While dissecting a packet, Wireshark will place information from the
2435 protocol dissectors into the columns. As higher level protocols might
2436 overwrite information from lower levels, you will typically see the
2437 information from the highest possible level only.
2440 For example, let's look at a packet containing TCP inside IP inside
2441 an Ethernet packet. The Ethernet dissector will write its data (such as
2442 the Ethernet addresses), the IP dissector will overwrite this with its own
2443 (such as the IP addresses), the TCP dissector will overwrite the IP
2444 information, and so on.
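The column overwriting described above, sketched in Python as an added example (not Wireshark code): three simplified dissectors fill one shared set of columns for a constructed Ethernet/IPv4/TCP frame, and a truncated copy of the frame shows the columns staying at the last layer that could be dissected. The function names, column keys and sample addresses are assumptions made for this illustration.

```python
import socket
import struct

# Illustrative sketch, not Wireshark's implementation: every "dissector" writes
# into the same column set, so later (higher) layers overwrite earlier ones.

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def build_sample_frame() -> bytes:
    """Constructed Ethernet II / IPv4 / TCP SYN frame (sample data, not a capture)."""
    eth = (bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301")
           + struct.pack("!H", 0x0800))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
    return eth + ip + tcp


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect_ethernet(data, cols):
    if len(data) < 14:
        return None  # too short: leave the columns untouched
    ethertype = struct.unpack("!H", data[12:14])[0]
    cols.update(Source=mac(data[6:12]), Destination=mac(data[0:6]),
                Protocol="Ethernet", Info=f"Ethertype 0x{ethertype:04x}")
    return (dissect_ipv4 if ethertype == 0x0800 else None), data[14:]


def dissect_ipv4(data, cols):
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    header_len = (data[0] & 0x0F) * 4
    if header_len < 20 or len(data) < header_len:
        return None
    proto = data[9]
    cols.update(Source=socket.inet_ntoa(data[12:16]),
                Destination=socket.inet_ntoa(data[16:20]),
                Protocol="IPv4", Info=f"Protocol {proto}")
    return (dissect_tcp if proto == 6 else None), data[header_len:]


def dissect_tcp(data, cols):
    if len(data) < 20:
        return None
    sport, dport, seq, _ack, offset, flags = struct.unpack("!HHIIBB", data[:14])
    names = ", ".join(name for bit, name in TCP_FLAGS if flags & bit)
    # In this sketch TCP overwrites only Protocol and Info; the address
    # columns keep the values written by the IP layer.
    cols.update(Protocol="TCP", Info=f"{sport} > {dport} [{names}] Seq={seq}")
    return None, data[(offset >> 4) * 4:]


def dissect(frame: bytes):
    """Run the dissector chain; return final columns and a per-layer snapshot."""
    cols = {"Source": "", "Destination": "", "Protocol": "", "Info": ""}
    history = []
    dissector, payload = dissect_ethernet, frame
    while dissector is not None:
        result = dissector(payload, cols)
        if result is None:  # malformed or truncated: lower-layer columns remain
            break
        history.append(dict(cols))
        dissector, payload = result
    return cols, history


if __name__ == "__main__":
    frame = build_sample_frame()
    for label, data in (("complete", frame), ("truncated", frame[:44])):
        final, layers = dissect(data)
        print(label)
        for snapshot in layers:
            print("  after", snapshot["Protocol"], "->", snapshot)
        print("  packet list shows:", final)
```
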
2447 There are a lot of different columns available. Which columns are
2448 displayed can be selected by preference settings, see
2449 <xref linkend="ChCustPreferencesSection"/>.
2452 The default columns will show:
2455 <para><command>No.</command>
2456 The number of the packet in the capture file. This number won't change,
2457 even if a display filter is used.
2461 <para><command>Time</command>
2462 The timestamp of the packet. The presentation format of this timestamp
2463 can be changed, see <xref linkend="ChWorkTimeFormatsSection"/>.
2467 <para><command>Source</command>
2468 The address where this packet is coming from.
2472 <para><command>Destination</command>
2473 The address where this packet is going to.
2477 <para><command>Protocol</command>
2478 The protocol name in a short (perhaps abbreviated) version.
2482 <para><command>Info</command>
2483 Additional information about the packet content.
2489 There is a context menu (right mouse click) available, see details in
2490 <xref linkend="ChWorkPacketListPanePopUpMenu"/>.
2494 <section id="ChUsePacketDetailsPaneSection"><title>The "Packet Details" pane</title>
2496 The packet details pane shows the current packet (selected in the "Packet List"
2497 pane) in a more detailed form.
2498 <figure id="ChUseWiresharkDetailsPane">
2499 <title>The "Packet Details" pane</title>
2500 <graphic entityref="WiresharkDetailsPane" format="PNG"/>
2504 This pane shows the protocols and protocol fields of the packet selected
2505 in the "Packet List" pane. The protocols and fields of the packet are
2506 displayed using a tree, which can be expanded and collapsed.
2509 There is a context menu (right mouse click) available, see details in
2510 <xref linkend="ChWorkPacketDetailsPanePopUpMenu"/>.
2513 Some protocol fields are specially displayed.
2518 <command>Generated fields</command>
2519 Wireshark itself will generate additional protocol fields which are
2520 surrounded by brackets. The information in these fields is derived from the
2521 known context to other packets in the capture file. For example, Wireshark
2522 performs a sequence/acknowledge analysis of each TCP stream,
2523 which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
2528 <command>Links</command>
2529 If Wireshark detected a relationship to another packet in the capture file,
2530 it will generate a link to that packet. Links are underlined and displayed
2531 in blue. If double-clicked, Wireshark jumps to the corresponding packet.
2537 <section id="ChUsePacketBytesPaneSection"><title>The "Packet Bytes" pane</title>
2539 The packet bytes pane shows the data of the current packet (selected in the "Packet List"
2540 pane) in a hexdump style.
2541 <figure id="ChUseWiresharkBytesPane">
2542 <title>The "Packet Bytes" pane</title>
2543 <graphic entityref="WiresharkBytesPane" format="PNG"/>
2547 As usual for a hexdump, the left side shows the offset in the packet data,
2548 in the middle the packet data is shown in a hexadecimal representation and
2549 on the right the corresponding ASCII characters (or . if not appropriate)
2553 Depending on the packet data, sometimes more than one page is available,
2554 e.g. when Wireshark has reassembled some packets into a single chunk of
2555 data, see <xref linkend="ChAdvReassemblySection"/>. In this case there are
2556 some additional tabs shown at the bottom of the pane to let you select
2557 the page you want to see.
2558 <figure id="ChUseWiresharkBytesPaneTabs">
2559 <title>The "Packet Bytes" pane with tabs</title>
2560 <graphic entityref="WiresharkBytesPaneTabs" format="PNG"/>
2563 <note><title>Note!</title>
2565 The additional pages might contain data picked from multiple packets.
2569 The context menu (right mouse click) of the tab labels will show a list of
2570 all available pages. This can be helpful if the pane is too
2571 small to show all the tab labels.
2575 <section id="ChUseStatusbarSection"><title>The Statusbar</title>
2577 The statusbar displays informational messages.
2580 In general, the left side will show context related information, the
2581 middle part will show the current number of packets, and the right side will
2582 show the selected configuration profile. Drag the handles between the text
2583 areas to change the size.
2586 <figure id="ChUseWiresharkStatusbarEmpty">
2587 <title>The initial Statusbar</title>
2588 <graphic entityref="WiresharkStatusbarEmpty" format="PNG"/>
2590 This statusbar is shown while no capture file is loaded, e.g. when
2591 Wireshark is started.
2594 <figure id="ChUseWiresharkStatusbarLoaded">
2595 <title>The Statusbar with a loaded capture file</title>
2596 <graphic entityref="WiresharkStatusbarLoaded" format="PNG"/>
2602 <command>The colorized bullet</command> on the left shows the highest expert
2603 info level found in the currently loaded capture file. Hovering the mouse
2604 over this icon will show a textual description of the expert info level,
2605 and clicking the icon will bring up the Expert Infos dialog box.
2606 For a detailed description of expert info, see <xref linkend="ChAdvExpert"/>.
2611 <command>The left side</command> shows information about the capture file: its
2612 name, its size and the elapsed time while it was being captured.
2617 <command>The middle part</command> shows the current number of packets in the capture file.
2618 The following values are displayed:
2619 <itemizedlist mark="bullet">
2621 <para><emphasis>Packets:</emphasis> the number of captured packets</para>
2624 <para><emphasis>Displayed:</emphasis> the number of packets currently being
2628 <para><emphasis>Marked:</emphasis> the number of marked packets</para>
2631 <para><emphasis>Dropped:</emphasis> the number of dropped packets (only displayed
2632 if Wireshark was unable to capture all packets)</para>
2635 <para><emphasis>Ignored:</emphasis> the number of ignored packets (only displayed
2636 if packets are ignored)</para>
2643 <command>The right side</command> shows the selected configuration profile.
2644 Clicking in this part of the statusbar will bring up a menu with all available
2645 configuration profiles, and selecting from this list will change the configuration profile.
<figure id="ChUseWiresharkStatusbarProfile">
<title>The Statusbar with a configuration profile menu</title>
<graphic entityref="WiresharkStatusbarProfile" format="PNG"/>
For a detailed description of configuration profiles, see
<xref linkend="ChCustConfigProfilesSection"/>.
<figure id="ChUseWiresharkStatusbarSelected">
<title>The Statusbar with a selected protocol field</title>
<graphic entityref="WiresharkStatusbarSelected" format="PNG"/>
This is displayed if you have selected a protocol field from the
"Packet Details" pane.
<tip><title>Tip!</title>
The value between the brackets (in this example
<command>arp.opcode</command>) can be used as a display filter string,
representing the selected protocol field.
<figure id="ChUseWiresharkStatusbarFilter">
<title>The Statusbar with a display filter message</title>
<graphic entityref="WiresharkStatusbarFilter" format="PNG"/>
This is displayed if you are trying to use a display filter which
may have unexpected results. For a detailed description, see
<xref linkend="ChWorkBuildDisplayFilterMistake"/>.
<!-- End of WSUG Chapter 3 -->