1WIRESHARK(1) WIRESHARK(1)
2
6 wireshark - Interactively dump and analyze network traffic
7
9 wireshark [ -i <capture interface>|- ] [ -f <capture filter> ]
10 [ -Y <display filter> ] [ -w <outfile> ] [ options ] [ <infile> ]
11
13 Wireshark is a GUI network protocol analyzer. It lets you interactively
14 browse packet data from a live network or from a previously saved
15 capture file. Wireshark's native capture file formats are pcapng format
16 and pcap format; it can read and write both formats.. pcap format is
17 also the format used by tcpdump and various other tools; tcpdump, when
18 using newer verions of the libpcap library, can also read some pcapng
19 files, and, on newer versions of macOS, can read all pcapng files and
20 can write them as well.
21 Wireshark can also read / import the following file formats:
23 • Oracle (previously Sun) snoop and atmsnoop captures
25 • Finisar (previously Shomiti) Surveyor captures
27 • Microsoft Network Monitor captures
29 • Novell LANalyzer captures
31 • AIX’s iptrace captures
33 • Cinco Networks NetXRay captures
35 • NETSCOUT (previously Network Associates/Network General)
37 Windows-based Sniffer captures
38 • Network General/Network Associates DOS-based Sniffer captures
40 (compressed or uncompressed)
41 • LiveAction (previously WildPackets/Savvius)
43 *Peek/EtherHelp/PacketGrabber captures
44 • RADCOM's WAN/LAN analyzer captures
46 • Viavi (previously Network Instruments) Observer captures
48 • Lucent/Ascend router debug output
50 • captures from HP-UX nettl
52 • Toshiba’s ISDN routers dump output
54 • the output from i4btrace from the ISDN4BSD project
56 • traces from the EyeSDN USB S0
58 • the IPLog format output from the Cisco Secure Intrusion Detection
60 System
61 • pppd logs (pppdump format)
63 • the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
65 • the text output from the DBS Etherwatch VMS utility
67 • Visual Networks' Visual UpTime traffic capture
69 • the output from CoSine L2 debug
71 • the output from InfoVista (previously Accellent) 5View LAN agents
73 • Endace Measurement Systems' ERF format captures
75 • Linux Bluez Bluetooth stack hcidump -w traces
77 • Catapult DCT2000 .out files
79 • Gammu generated text output from Nokia DCT3 phones in Netmonitor
81 mode
82 • IBM Series (OS/400) Comm traces (ASCII & UNICODE)
84 • Juniper Netscreen snoop files
86 • Symbian OS btsnoop files
88 • TamoSoft CommView files
90 • Tektronix K12xx 32bit .rf5 format files
92 • Tektronix K12 text file format captures
94 • Apple PacketLogger files
96 • Captures from Aethra Telecommunications' PC108 software for their
98 test instruments
99 • Citrix NetScaler Trace files
101 • Android Logcat binary and text format logs
103 • Colasoft Capsa and PacketBuilder captures
105 • Micropross mplog files
107 • Unigraf DPA-400 DisplayPort AUX channel monitor traces
109 • 802.15.4 traces from Daintree’s Sensor Network Analyzer
111 • MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
113 • Log files from the candump utility
115 • Logs from the BUSMASTER tool
117 • Ixia IxVeriWave raw captures
119 • Rabbit Labs CAM Inspector files
121 • systemd journal files
123 • 3GPP TS 32.423 trace files
125 There is no need to tell Wireshark what type of file you are reading;
127 it will determine the file type by itself. Wireshark is also capable of
128 reading any of these file formats if they are compressed using gzip.
129 Wireshark recognizes this directly from the file; the '.gz' extension
130 is not required for this purpose.
131 Like other protocol analyzers, Wireshark's main window shows 3 views of
133 a packet. It shows a summary line, briefly describing what the packet
134 is. A packet details display is shown, allowing you to drill down to
135 exact protocol or field that you interested in. Finally, a hex dump
136 shows you exactly what the packet looks like when it goes over the
137 wire.
138 In addition, Wireshark has some features that make it unique. It can
140 assemble all the packets in a TCP conversation and show you the ASCII
141 (or EBCDIC, or hex) data in that conversation. Display filters in
142 Wireshark are very powerful; more fields are filterable in Wireshark
143 than in other protocol analyzers, and the syntax you can use to create
144 your filters is richer. As Wireshark progresses, expect more and more
145 protocol fields to be allowed in display filters.
146 Packet capturing is performed with the pcap library. The capture filter
148 syntax follows the rules of the pcap library. This syntax is different
149 from the display filter syntax.
150 Compressed file support uses (and therefore requires) the zlib library.
152 If the zlib library is not present, Wireshark will compile, but will be
153 unable to read compressed files.
154 The pathname of a capture file to be read can be specified with the -r
156 option or can be specified as a command-line argument.
157
159 Most users will want to start Wireshark without options and configure
160 it from the menus instead. Those users may just skip this section.
161 -a|--autostop <capture autostop condition>
163 Specify a criterion that specifies when Wireshark is to stop
165 writing to a capture file. The criterion is of the form test:value,
166 where test is one of:
167 duration:value Stop writing to a capture file after value seconds
169 have elapsed. Floating point values (e.g. 0.5) are allowed.
170 files:value Stop writing to capture files after value number of
172 files were written.
173 filesize:value Stop writing to a capture file after it reaches a
175 size of value kB. If this option is used together with the -b
176 option, Wireshark will stop writing to the current capture file and
177 switch to the next one if filesize is reached. Note that the
178 filesize is limited to a maximum value of 2 GiB.
179 packets:value Stop writing to a capture file after it contains
181 value packets. Same as -c<capture packet count>.
182 -b|--ring-buffer <capture ring buffer option>
184 Cause Wireshark to run in "multiple files" mode. In "multiple
186 files" mode, Wireshark will write to several capture files. When
187 the first capture file fills up, Wireshark will switch writing to
188 the next file and so on.
189 The created filenames are based on the filename given with the -w
191 flag, the number of the file and on the creation date and time,
192 e.g. outfile_00001_20210714120117.pcap,
193 outfile_00002_20210714120523.pcap, ...
194 With the files option it’s also possible to form a "ring buffer".
196 This will fill up new files until the number of files specified, at
197 which point Wireshark will discard the data in the first file and
198 start writing to that file and so on. If the files option is not
199 set, new files filled up until one of the capture stop conditions
200 match (or until the disk is full).
201 The criterion is of the form key:value, where key is one of:
203 duration:value switch to the next file after value seconds have
205 elapsed, even if the current file is not completely filled up.
206 Floating point values (e.g. 0.5) are allowed.
207 files:value begin again with the first file after value number of
209 files were written (form a ring buffer). This value must be less
210 than 100000. Caution should be used when using large numbers of
211 files: some filesystems do not handle many files in a single
212 directory well. The files criterion requires one of the other
213 criteria to be specified to control when to go to the next file. It
214 should be noted that each -b parameter takes exactly one criterion;
215 to specify two criteria, each must be preceded by the -b option.
216 filesize:value switch to the next file after it reaches a size of
218 value kB. Note that the filesize is limited to a maximum value of 2
219 GiB.
220 interval:value switch to the next file when the time is an exact
222 multiple of value seconds.
223 packets:value switch to the next file after it contains value
225 packets.
226 Example: -b filesize:1000 -b files:5 results in a ring buffer of
228 five files of size one megabyte each.
229 -B|--buffer-size <capture buffer size>
231 Set capture buffer size (in MiB, default is 2 MiB). This is used by
233 the capture driver to buffer packet data until that data can be
234 written to disk. If you encounter packet drops while capturing, try
235 to increase this size. Note that, while Wireshark attempts to set
236 the buffer size to 2 MiB by default, and can be told to set it to a
237 larger value, the system or interface on which you’re capturing
238 might silently limit the capture buffer size to a lower value or
239 raise it to a higher value.
240 This is available on UNIX systems with libpcap 1.0.0 or later and
242 on Windows. It is not available on UNIX systems with earlier
243 versions of libpcap.
244 This option can occur multiple times. If used before the first
246 occurrence of the -i option, it sets the default capture buffer
247 size. If used after an -i option, it sets the capture buffer size
248 for the interface specified by the last -i option occurring before
249 this option. If the capture buffer size is not set specifically,
250 the default capture buffer size is used instead.
251 -c <capture packet count>
253 Set the maximum number of packets to read when capturing live data.
255 Same as -a packets:<capture packet count>.
256 -C <configuration profile>
258 Start with the given configuration profile.
260 --capture-comment <comment>
262 When performing a capture file from the command line, with the -k
264 flag, add a capture comment to the output file, if supported by the
265 capture format.
266 This option may be specified multiple times. Note that Wireshark
268 currently only displays the first comment of a capture file.
269 -d <layer type>==<selector>,<decode-as protocol>
271 Like Wireshark’s Decode As... feature, this lets you specify how a
273 layer type should be dissected. If the layer type in question (for
274 example, tcp.port or udp.port for a TCP or UDP port number) has the
275 specified selector value, packets should be dissected as the
276 specified protocol.
277 Example: -d tcp.port==8888,http will decode any traffic running
279 over TCP port 8888 as HTTP.
280 See the tshark(1) manual page for more examples.
282 -D|--list-interfaces
284 Print a list of the interfaces on which Wireshark can capture, and
286 exit. For each network interface, a number and an interface name,
287 possibly followed by a text description of the interface, is
288 printed. The interface name or the number can be supplied to the -i
289 flag to specify an interface on which to capture.
290 This can be useful on systems that don’t have a command to list
292 them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
293 link show). The number can be useful on Windows systems, where the
294 interface name might be a long name or a GUID.
295 Note that "can capture" means that Wireshark was able to open that
297 device to do a live capture; if, on your system, a program doing a
298 network capture must be run from an account with special privileges
299 (for example, as root), then, if Wireshark is run with the -D flag
300 and is not run from such an account, it will not list any
301 interfaces.
302 --display <X display to use>
304 Specifies the X display to use. A hostname and screen
306 (otherhost:0.0) or just a screen (:0.0) can be specified. This
307 option is not available under Windows.
308 --disable-protocol <proto_name>
310 Disable dissection of proto_name.
312 --disable-heuristic <short_name>
314 Disable dissection of heuristic protocol.
316 --enable-protocol <proto_name>
318 Enable dissection of proto_name.
320 --enable-heuristic <short_name>
322 Enable dissection of heuristic protocol.
324 -f <capture filter>
326 Set the capture filter expression.
328 This option can occur multiple times. If used before the first
330 occurrence of the -i option, it sets the default capture filter
331 expression. If used after an -i option, it sets the capture filter
332 expression for the interface specified by the last -i option
333 occurring before this option. If the capture filter expression is
334 not set specifically, the default capture filter expression is used
335 if provided.
336 Pre-defined capture filter names, as shown in the GUI menu item
338 Capture→Capture Filters, can be used by prefixing the argument with
339 "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"
340 --fullscreen
342 Start Wireshark in full screen mode (kiosk mode). To exit from
344 fullscreen mode, open the View menu and select the Full Screen
345 option. Alternatively, press the F11 key (or Ctrl + Cmd + F for
346 macOS).
347 -g <packet number>
349 After reading in a capture file using the -r flag, go to the given
351 packet number.
352 -h|--help
354 Print the version number and options and exit.
356 -H
358 Hide the capture info dialog during live packet capture.
360 -i|--interface <capture interface>|-
362 Set the name of the network interface or pipe to use for live
364 packet capture.
365 Network interface names should match one of the names listed in
367 "wireshark -D" (described above); a number, as reported by
368 "wireshark -D", can also be used. If you’re using UNIX, "netstat
369 -i", "ifconfig -a" or "ip link" might also work to list interface
370 names, although not all versions of UNIX support the -a flag to
371 ifconfig.
372 If no interface is specified, Wireshark searches the list of
374 interfaces, choosing the first non-loopback interface if there are
375 any non-loopback interfaces, and choosing the first loopback
376 interface if there are no non-loopback interfaces. If there are no
377 interfaces at all, Wireshark reports an error and doesn’t start the
378 capture.
379 Pipe names should be either the name of a FIFO (named pipe) or "-"
381 to read data from the standard input. On Windows systems, pipe
382 names must be of the form "\\pipe\.*pipename*". Data read from
383 pipes must be in standard pcapng or pcap format. Pcapng data must
384 have the same endianness as the capturing host.
385 This option can occur multiple times. When capturing from multiple
387 interfaces, the capture file will be saved in pcapng format.
388 -I|--monitor-mode
390 Put the interface in "monitor mode"; this is supported only on IEEE
392 802.11 Wi-Fi interfaces, and supported only on some operating
393 systems.
394 Note that in monitor mode the adapter might disassociate from the
396 network with which it’s associated, so that you will not be able to
397 use any wireless networks with that adapter. This could prevent
398 accessing files on a network server, or resolving host names or
399 network addresses, if you are capturing in monitor mode and are not
400 connected to another network with another adapter.
401 This option can occur multiple times. If used before the first
403 occurrence of the -i option, it enables the monitor mode for all
404 interfaces. If used after an -i option, it enables the monitor mode
405 for the interface specified by the last -i option occurring before
406 this option.
407 -j
409 Use after -J to change the behavior when no exact match is found
411 for the filter. With this option select the first packet before.
412 -J <jump filter>
414 After reading in a capture file using the -r flag, jump to the
416 packet matching the filter (display filter syntax). If no exact
417 match is found the first packet after that is selected.
418 -k
420 Start the capture session immediately. If the -i flag was
422 specified, the capture uses the specified interface. Otherwise,
423 Wireshark searches the list of interfaces, choosing the first
424 non-loopback interface if there are any non-loopback interfaces,
425 and choosing the first loopback interface if there are no
426 non-loopback interfaces; if there are no interfaces, Wireshark
427 reports an error and doesn’t start the capture.
428 -K <keytab>
430 Load kerberos crypto keys from the specified keytab file. This
432 option can be used multiple times to load keys from several files.
433 Example: -K krb5.keytab
435 -l
437 Turn on automatic scrolling if the packet display is being updated
439 automatically as packets arrive during a capture (as specified by
440 the -S flag).
441 -L|--list-data-link-types
443 List the data link types supported by the interface and exit.
445 --list-time-stamp-types
447 List time stamp types supported for the interface. If no time stamp
449 type can be set, no time stamp types are listed.
450 -n
452 Disable network object name resolution (such as hostname, TCP and
454 UDP port names), the -N flag might override this one.
455 -N <name resolving flags>
457 Turn on name resolving only for particular types of addresses and
459 port numbers, with name resolving for other types of addresses and
460 port numbers turned off. This flag overrides -n if both -N and -n
461 are present. If both -N and -n flags are not present, all name
462 resolutions are turned on.
463 The argument is a string that may contain the letters:
465 m to enable MAC address resolution
467 n to enable network address resolution
469 N to enable using external resolvers (e.g., DNS) for network
471 address resolution
472 t to enable transport-layer port number resolution
474 d to enable resolution from captured DNS packets
476 v to enable VLAN IDs to names resolution
478 -o <preference/recent setting>
480 Set a preference or recent value, overriding the default value and
482 any value read from a preference/recent file. The argument to the
483 flag is a string of the form prefname:value, where prefname is the
484 name of the preference/recent value (which is the same name that
485 would appear in the preference/recent file), and value is the value
486 to which it should be set. Since Ethereal 0.10.12, the recent
487 settings replaces the formerly used -B, -P and -T flags to
488 manipulate the GUI dimensions.
489 If prefname is "uat", you can override settings in various user
491 access tables using the form uat*:*uat filename:uat record. uat
492 filename must be the name of a UAT file, e.g. user_dlts. uat_record
493 must be in the form of a valid record for that file, including
494 quotes. For instance, to specify a user DLT from the command line,
495 you would use
496 -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
498 -p|--no-promiscuous-mode
500 Don’t put the interface into promiscuous mode. Note that the
502 interface might be in promiscuous mode for some other reason;
503 hence, -p cannot be used to ensure that the only traffic that is
504 captured is traffic sent to or from the machine on which Wireshark
505 is running, broadcast traffic, and multicast traffic to addresses
506 received by that machine.
507 This option can occur multiple times. If used before the first
509 occurrence of the -i option, no interface will be put into the
510 promiscuous mode. If used after an -i option, the interface
511 specified by the last -i option occurring before this option will
512 not be put into the promiscuous mode.
513 -P <path setting>
515 Special path settings usually detected automatically. This is used
517 for special cases, e.g. starting Wireshark from a known location on
518 an USB stick.
519 The criterion is of the form key:path, where key is one of:
521 persconf:path path of personal configuration files, like the
523 preferences files.
524 persdata:path path of personal data files, it’s the folder
526 initially opened. After the very first initialization, the recent
527 file will keep the folder last used.
528 -r|--read-file <infile>
530 Read packet data from infile, can be any supported capture file
532 format (including gzipped files). It’s not possible to use named
533 pipes or stdin here! To capture from a pipe or from stdin use -i -
534 -R|--read-filter <read (display) filter>
536 When reading a capture file specified with the -r flag, causes the
538 specified filter (which uses the syntax of display filters, rather
539 than that of capture filters) to be applied to all packets read
540 from the capture file; packets not matching the filter are
541 discarded.
542 -s|--snapshot-length <capture snaplen>
544 Set the default snapshot length to use when capturing live data. No
546 more than snaplen bytes of each network packet will be read into
547 memory, or saved to disk. A value of 0 specifies a snapshot length
548 of 262144, so that the full packet is captured; this is the
549 default.
550 This option can occur multiple times. If used before the first
552 occurrence of the -i option, it sets the default snapshot length.
553 If used after an -i option, it sets the snapshot length for the
554 interface specified by the last -i option occurring before this
555 option. If the snapshot length is not set specifically, the default
556 snapshot length is used if provided.
557 -S
559 Automatically update the packet display as packets are coming in.
561 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
563 Set the format of the packet timestamp displayed in the packet list
565 window. The format can be one of:
566 a absolute: The absolute time, as local time in your time zone, is
568 the actual time the packet was captured, with no date displayed
569 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
571 and time, as local time in your time zone, is the actual time and
572 date the packet was captured
573 adoy absolute with date using day of year: The absolute date,
575 displayed as YYYY/DOY, and time, as local time in your time zone,
576 is the actual time and date the packet was captured
577 d delta: The delta time is the time since the previous packet was
579 captured
580 dd delta_displayed: The delta_displayed time is the time since the
582 previous displayed packet was captured
583 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
585 r relative: The relative time is the time elapsed between the first
587 packet and the current packet
588 u UTC: The absolute time, as UTC, is the actual time the packet was
590 captured, with no date displayed
591 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
593 time, as UTC, is the actual time and date the packet was captured
594 udoy UTC with date using day of year: The absolute date, displayed
596 as YYYY/DOY, and time, as UTC, is the actual time and date the
597 packet was captured
598 The default format is relative.
600 --time-stamp-type <type>
602 Change the interface’s timestamp method. See
604 --list-time-stamp-types.
605 -u <s|hms>
607 Output format of seconds (def: s: seconds)
609 -v|--version
611 Print the full version information and exit.
613 -w <outfile>
615 Set the default capture file name, or '-' for standard output.
617 -X <eXtension options>
619 Specify an option to be passed to an Wireshark module. The
621 eXtension option is in the form extension_key:value, where
622 extension_key can be:
623 lua_script:lua_script_filename tells Wireshark to load the given
625 script in addition to the default Lua scripts.
626 lua_scriptnum:argument tells Wireshark to pass the given argument
628 to the lua script identified by 'num', which is the number indexed
629 order of the 'lua_script' command. For example, if only one script
630 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
631 will pass the string 'foo' to the 'my.lua' script. If two scripts
632 were loaded, such as '-X lua_script:my.lua' and '-X
633 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
634 would pass the string 'bar' to the second lua script, namely
635 'other.lua'.
636 read_format:file_format tells Wireshark to use the given file
638 format to read in the file (the file given in the -r command
639 option).
640 stdin_descr:description tells Wireshark to use the given
642 description when capturing from standard input (-i -).
643 -y|--linktype <capture link type>
645 If a capture is started from the command line with -k, set the data
647 link type to use while capturing packets. The values reported by -L
648 are the values that can be used.
649 This option can occur multiple times. If used before the first
651 occurrence of the -i option, it sets the default capture link type.
652 If used after an -i option, it sets the capture link type for the
653 interface specified by the last -i option occurring before this
654 option. If the capture link type is not set specifically, the
655 default capture link type is used if provided.
656 -Y|--display-filter <displaY filter>
658 Start with the given display filter.
660 -z <statistics>
662 Get Wireshark to collect various types of statistics and display
664 the result in a window that updates in semi-real time.
665 Some of the currently implemented statistics are:
667 -z help
669 Display all possible values for -z.
671 -z afp,srt[,filter]
673 Show Apple Filing Protocol service response time statistics.
675 -z conv,type[,filter]
677 Create a table that lists all conversations that could be seen in
679 the capture. type specifies the conversation endpoint types for
680 which we want to generate the statistics; currently the supported
681 ones are:
682 "eth" Ethernet addresses
684 "fc" Fibre Channel addresses
685 "fddi" FDDI addresses
686 "ip" IPv4 addresses
687 "ipv6" IPv6 addresses
688 "ipx" IPX addresses
689 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
690 "tr" Token Ring addresses
691 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
692 If the optional filter is specified, only those packets that match
694 the filter will be used in the calculations.
695 The table is presented with one line for each conversation and
697 displays the number of packets/bytes in each direction as well as
698 the total number of packets/bytes. By default, the table is sorted
699 according to the total number of packets.
700 These tables can also be generated at runtime by selecting the
702 appropriate conversation type from the menu
703 "Tools/Statistics/Conversation List/".
704 -z dcerpc,srt,name-or-uuid,major.minor[,filter]
706 Collect call/reply SRT (Service Response Time) data for DCERPC
708 interface name or uuid, version major.minor. Data collected is the
709 number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
710 Interface name and uuid are case-insensitive.
711 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
713 will collect data for the CIFS SAMR Interface.
714 This option can be used multiple times on the command line.
716 If the optional filter is provided, the stats will only be
718 calculated on those calls that match that filter.
719 Example: -z
721 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
722 will collect SAMR SRT statistics for a specific host.
723 -z dhcp,stat[,filter]
725 Show DHCP (BOOTP) statistics.
727 -z expert
729 Show expert information.
731 -z fc,srt[,filter]
733 Collect call/reply SRT (Service Response Time) data for FC. Data
735 collected is the number of calls for each Fibre Channel command,
736 MinSRT, MaxSRT and AvgSRT.
737 Example: -z fc,srt will calculate the Service Response Time as the
739 time delta between the First packet of the exchange and the Last
740 packet of the exchange.
741 The data will be presented as separate tables for all normal FC
743 commands, Only those commands that are seen in the capture will
744 have its stats displayed.
745 This option can be used multiple times on the command line.
747 If the optional filter is provided, the stats will only be
749 calculated on those calls that match that filter.
750 Example: -z "fc,srt,fc.id==01.02.03" will collect stats only for FC
752 packets exchanged by the host at FC address 01.02.03 .
753 -z h225,counter[,filter]
755 Count ITU-T H.225 messages and their reasons. In the first column
757 you get a list of H.225 messages and H.225 message reasons which
758 occur in the current capture file. The number of occurrences of
759 each message or reason is displayed in the second column.
760 Example: -z h225,counter
762 This option can be used multiple times on the command line.
764 If the optional filter is provided, the stats will only be
766 calculated on those calls that match that filter.
767 Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only
769 for H.225 packets exchanged by the host at IP address 1.2.3.4 .
770 -z h225,srt[,filter]
772 Collect request/response SRT (Service Response Time) data for ITU-T
774 H.225 RAS. Data collected is the number of calls of each ITU-T
775 H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
776 Minimum in Packet, and Maximum in Packet. You will also get the
777 number of Open Requests (Unresponded Requests), Discarded Responses
778 (Responses without matching request) and Duplicate Messages.
779 Example: -z h225,srt
781 This option can be used multiple times on the command line.
783 If the optional filter is provided, the stats will only be
785 calculated on those calls that match that filter.
786 Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for
788 ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4
789 .
790 -z io,stat
792 Collect packet/bytes statistics for the capture in intervals of 1
794 second. This option will open a window with up to 5 color-coded
795 graphs where number-of-packets-per-second or
796 number-of-bytes-per-second statistics can be calculated and
797 displayed.
798 This option can be used multiple times on the command line.
800 This graph window can also be opened from the
802 Analyze:Statistics:Traffic:IO-Stat menu item.
803 -z ldap,srt[,filter]
805 Collect call/reply SRT (Service Response Time) data for LDAP. Data
807 collected is the number of calls for each implemented LDAP command,
808 MinSRT, MaxSRT and AvgSRT.
809 Example: -z ldap,srt will calculate the Service Response Time as
811 the time delta between the Request and the Response.
812 The data will be presented as separate tables for all implemented
814 LDAP commands, Only those commands that are seen in the capture
815 will have its stats displayed.
816 This option can be used multiple times on the command line.
818 If the optional filter is provided, the stats will only be
820 calculated on those calls that match that filter.
821 Example: use -z "ldap,srt,ip.addr==10.1.1.1" will collect stats
823 only for LDAP packets exchanged by the host at IP address 10.1.1.1
824 .
825 The only LDAP commands that are currently implemented and for which
827 the stats will be available are: BIND SEARCH MODIFY ADD DELETE
828 MODRDN COMPARE EXTENDED
829 -z megaco,srt[,filter]
831 Collect request/response SRT (Service Response Time) data for
833 MEGACO. (This is similar to -z smb,srt). Data collected is the
834 number of calls for each known MEGACO Command, Minimum SRT, Maximum
835 SRT and Average SRT.
836 Example: -z megaco,srt
838 This option can be used multiple times on the command line.
840 If the optional filter is provided, the stats will only be
842 calculated on those calls that match that filter.
843 Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only
845 for MEGACO packets exchanged by the host at IP address 1.2.3.4 .
846 -z mgcp,srt[,filter]
848 Collect request/response SRT (Service Response Time) data for MGCP.
850 (This is similar to -z smb,srt). Data collected is the number of
851 calls for each known MGCP Type, Minimum SRT, Maximum SRT and
852 Average SRT.
853 Example: -z mgcp,srt
855 This option can be used multiple times on the command line.
857 If the optional filter is provided, the stats will only be
859 calculated on those calls that match that filter.
860 Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for
862 MGCP packets exchanged by the host at IP address 1.2.3.4 .
863 -z mtp3,msus[,<filter>]
865 Show MTP3 MSU statistics.
867 -z multicast,stat[,<filter>]
869 Show UDP multicast stream statistics.
871 -z rpc,programs
873 Collect call/reply SRT data for all known ONC-RPC
875 programs/versions. Data collected is the number of calls for each
876 protocol/version, MinSRT, MaxSRT and AvgSRT.
877 -z rpc,srt,name-or-number,version[,<filter>]
879 Collect call/reply SRT (Service Response Time) data for program
881 name/version or number/version. Data collected is the number of
882 calls for each procedure, MinSRT, MaxSRT and AvgSRT. Program name
883 is case-insensitive.
884 Example: -z rpc,srt,100003,3 will collect data for NFS v3.
886 This option can be used multiple times on the command line.
888 If the optional filter is provided, the stats will only be
890 calculated on those calls that match that filter.
891 Example: -z rpc,srt,nfs,3,nfs.fh.hash==0x12345678 will collect NFS
893 v3 SRT statistics for a specific file.
894 -z scsi,srt,cmdset[,<filter>]
896 Collect call/reply SRT (Service Response Time) data for SCSI
898 commandset <cmdset>.
899 Commandsets are 0:SBC 1:SSC 5:MMC
901 Data collected is the number of calls for each procedure, MinSRT,
903 MaxSRT and AvgSRT.
904 Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
906 (SBC).
907 This option can be used multiple times on the command line.
909 If the optional filter is provided, the stats will only be
911 calculated on those calls that match that filter.
912 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
914 statistics for a specific iscsi/ifcp/fcip host.
915 -z sip,stat[,filter]
917 This option will activate a counter for SIP messages. You will get
919 the number of occurrences of each SIP Method and of each SIP
920 Status-Code. Additionally you also get the number of resent SIP
921 Messages (only for SIP over UDP).
922 Example: -z sip,stat
924 This option can be used multiple times on the command line.
926 If the optional filter is provided, the stats will only be
928 calculated on those calls that match that filter.
929 Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for
931 SIP packets exchanged by the host at IP address 1.2.3.4 .
932 -z smb,srt[,filter]
934 Collect call/reply SRT (Service Response Time) data for SMB. Data
936 collected is the number of calls for each SMB command, MinSRT,
937 MaxSRT and AvgSRT.
938 Example: -z smb,srt
940 The data will be presented as separate tables for all normal SMB
942 commands, all Transaction2 commands and all NT Transaction
943 commands. Only those commands that are seen in the capture will
944 have their stats displayed. Only the first command in a xAndX
945 command chain will be used in the calculation. So for common
946 SessionSetupAndX + TreeConnectAndX chains, only the
947 SessionSetupAndX call will be used in the statistics. This is a
948 flaw that might be fixed in the future.
949 This option can be used multiple times on the command line.
951 If the optional filter is provided, the stats will only be
953 calculated on those calls that match that filter.
954 Example: -z "smb,srt,ip.addr==1.2.3.4" will collect stats only for
956 SMB packets exchanged by the host at IP address 1.2.3.4 .
957 -z voip,calls
959 This option will show a window that shows VoIP calls found in the
961 capture file. This is the same window shown as when you go to the
962 Statistics Menu and choose VoIP Calls.
963 Example: -z voip,calls
965 -z wlan,stat[,<filter>]
967 Show IEEE 802.11 network and station statistics.
969 -z wsp,stat[,<filter>]
971 Show WSP packet counters.
973
975 MENU ITEMS
976 File › Open
977 File › Open Recent
980 File › Merge
983 Merge another capture file to the currently loaded one. The
985 File:Merge dialog box allows the merge "Prepended",
986 "Chronologically" or "Appended", relative to the already loaded
987 one.
988 File › Close
990 Open or close a capture file. The File:Open dialog box allows a
992 filter to be specified; when the capture file is read, the filter
993 is applied to all packets read from the file, and packets not
994 matching the filter are discarded. The File:Open Recent is a
995 submenu and will show a list of previously opened files.
996 File › Save
998 File › Save As
1001 Save the current capture, or the packets currently displayed from
1003 that capture, to a file. Check boxes let you select whether to save
1004 all packets, or just those that have passed the current display
1005 filter and/or those that are currently marked, and an option menu
1006 lets you select (from a list of file formats in which at particular
1007 capture, or the packets currently displayed from that capture, can
1008 be saved), a file format in which to save it.
1009 File › File Set › List Files
1011 Show a dialog box that lists all files of the file set matching the
1013 currently loaded file. A file set is a compound of files resulting
1014 from a capture using the "multiple files" / "ringbuffer" mode,
1015 recognizable by the filename pattern, e.g.:
1016 Filename_00001_20210714101530.pcap.
1017 File › File Set › Next File
1019 File › File Set › Previous File
1022 If the currently loaded file is part of a file set (see above),
1024 open the next / previous file in that set.
1025 File › Export
1027 Export captured data into an external format. Note: the data cannot
1029 be imported back into Wireshark, so be sure to keep the capture
1030 file.
1031 File › Print
1033 Print packet data from the current capture. You can select the
1035 range of packets to be printed (which packets are printed), and the
1036 output format of each packet (how each packet is printed). The
1037 output format will be similar to the displayed values, so a summary
1038 line, the packet details view, and/or the hex dump of the packet
1039 can be printed.
1040 Printing options can be set with the Edit:Preferences menu item, or
1042 in the dialog box popped up by this menu item.
1043 File › Quit
1045 Exit the application.
1047 Edit › Copy › Description
1049 Copies the description of the selected field in the protocol tree
1051 to the clipboard.
1052 Edit › Copy › Fieldname
1054 Copies the fieldname of the selected field in the protocol tree to
1056 the clipboard.
1057 Edit › Copy › Value
1059 Copies the value of the selected field in the protocol tree to the
1061 clipboard.
1062 Edit › Copy › As Filter
1064 Create a display filter based on the data currently highlighted in
1066 the packet details and copy that filter to the clipboard.
1067 If that data is a field that can be tested in a display filter
1069 expression, the display filter will test that field; otherwise, the
1070 display filter will be based on the absolute offset within the
1071 packet. Therefore it could be unreliable if the packet contains
1072 protocols with variable-length headers, such as a source-routed
1073 token-ring packet.
1074 Edit › Find Packet
1076 Search forward or backward, starting with the currently selected
1078 packet (or the most recently selected packet, if no packet is
1079 selected). Search criteria can be a display filter expression, a
1080 string of hexadecimal digits, or a text string.
1081 When searching for a text string, you can search the packet data,
1083 or you can search the text in the Info column in the packet list
1084 pane or in the packet details pane.
1085 Hexadecimal digits can be separated by colons, periods, or dashes.
1087 Text string searches can be ASCII or Unicode (or both), and may be
1088 case insensitive.
1089 Edit › Find Next
1091 Edit › Find Previous
1094 Search forward / backward for a packet matching the filter from the
1096 previous search, starting with the currently selected packet (or
1097 the most recently selected packet, if no packet is selected).
1098 Edit › Mark Packet (toggle)
1100 Mark (or unmark if currently marked) the selected packet. The field
1102 "frame.marked" is set for packets that are marked, so that, for
1103 example, a display filters can be used to display only marked
1104 packets, and so that the /"Edit:Find Packet" dialog can be used to
1105 find the next or previous marked packet.
1106 Edit › Find Next Mark
1108 Edit › Find Previous Mark
1111 Find next/previous marked packet.
1113 Edit › Mark All Packets
1115 Edit › Unmark All Packets
1118 Mark / Unmark all packets that are currently displayed.
1120 Edit › Time Reference › Set Time Reference (toggle)
1122 Set (or unset if currently set) the selected packet as a Time
1124 Reference packet. When a packet is set as a Time Reference packet,
1125 the timestamps in the packet list pane will be replaced with the
1126 string "REF". The relative time timestamp in later packets will
1127 then be calculated relative to the timestamp of this Time Reference
1128 packet and not the first packet in the capture.
1129 Packets that have been selected as Time Reference packets will
1131 always be displayed in the packet list pane. Display filters will
1132 not affect or hide these packets.
1133 If there is a column displayed for "Cumulative Bytes" this counter
1135 will be reset at every Time Reference packet.
1136 Edit › Time Reference › Find Next
1138 Edit › Time Reference › Find Previous
1141 Search forward / backward for a time referenced packet.
1143 Edit › Configuration Profiles
1145 Manage configuration profiles to be able to use more than one set
1147 of preferences and configurations.
1148 Edit › Preferences
1150 Set the GUI, capture, printing and protocol options (see
1152 /Preferences dialog below).
1153 View › Main Toolbar
1155 View › Filter Toolbar
1158 View › Statusbar
1161 Show or hide the main window controls.
1163 View › Packet List
1165 View › Packet Details
1168 View › Packet Bytes
1171 Show or hide the main window panes.
1173 View › Time Display Format
1175 Set the format of the packet timestamp displayed in the packet list
1177 window.
1178 View › Name Resolution › Resolve Name
1180 Try to resolve a name for the currently selected item.
1182 View › Name Resolution › Enable for ... Layer
1184 Enable or disable translation of addresses to names in the display.
1186 View › Colorize Packet List
1188 Enable or disable the coloring rules. Disabling will improve
1190 performance.
1191 View › Auto Scroll in Live Capture
1193 Enable or disable the automatic scrolling of the packet list while
1195 a live capture is in progress.
1196 View › Zoom In
1198 View › Zoom Out
1201 Zoom into / out of the main window data (by changing the font
1203 size).
1204 View › Normal Size
1206 Reset the zoom factor of zoom in / zoom out back to normal font
1208 size.
1209 View › Resize All Columns
1211 Resize all columns to best fit the current packet display.
1213 View › Expand / Collapse Subtrees
1215 Expands / Collapses the currently selected item and it’s subtrees
1217 in the packet details.
1218 View › Expand All
1220 View › Collapse All
1223 Expand / Collapse all branches of the packet details.
1225 View › Colorize Conversation
1227 Select color for a conversation.
1229 View › Reset Coloring 1-10
1231 Reset Color for a conversation.
1233 View › Coloring Rules
1235 Change the foreground and background colors of the packet
1237 information in the list of packets, based upon display filters. The
1238 list of display filters is applied to each packet sequentially.
1239 After the first display filter matches a packet, any additional
1240 display filters in the list are ignored. Therefore, if you are
1241 filtering on the existence of protocols, you should list the
1242 higher-level protocols first, and the lower-level protocols last.
1243 How Colorization Works
1245 Packets are colored according to a list of color filters. Each
1247 filter consists of a name, a filter expression and a coloration. A
1248 packet is colored according to the first filter that it matches.
1249 Color filter expressions use exactly the same syntax as display
1250 filter expressions.
1251 When Wireshark starts, the color filters are loaded from:
1253 1. The user’s personal color filters file or, if that does not
1255 exist,
1256 2. The global color filters file.
1258 If neither of these exist then the packets will not be colored.
1260 View › Show Packet In New Window
1262 Create a new window containing a packet details view and a hex dump
1264 window of the currently selected packet; this window will continue
1265 to display that packet’s details and data even if another packet is
1266 selected.
1267 View › Reload
1269 Reload a capture file. Same as File:Close and File:Open the same
1271 file again.
1272 Go › Back
1274 Go back in previously visited packets history.
1276 Go › Forward
1278 Go forward in previously visited packets history.
1280 Go › Go To Packet
1282 Go to a particular numbered packet.
1284 Go › Go To Corresponding Packet
1286 If a field in the packet details pane containing a packet number is
1288 selected, go to the packet number specified by that field. (This
1289 works only if the dissector that put that entry into the packet
1290 details put it into the details as a filterable field rather than
1291 just as text.) This can be used, for example, to go to the packet
1292 for the request corresponding to a reply, or the reply
1293 corresponding to a request, if that packet number has been put into
1294 the packet details.
1295 Go › Previous Packet
1297 Go › Next Packet
1300 Go › First Packet
1303 Go › Last Packet
1306 Go to the previous / next / first / last packet in the capture.
1308 Go › Previous Packet In Conversation
1310 Go › Next Packet In Conversation
1313 Go to the previous / next packet of the conversation (TCP, UDP or
1315 IP)
1316 Capture › Interfaces
1318 Shows a dialog box with all currently known interfaces and
1320 displaying the current network traffic amount. Capture sessions can
1321 be started from here. Beware: keeping this box open results in high
1322 system load!
1323 Capture › Options
1325 Initiate a live packet capture (see /"Capture Options Dialog"
1327 below). If no filename is specified, a temporary file will be
1328 created to hold the capture. The location of the file can be chosen
1329 by setting your TMPDIR environment variable before starting
1330 Wireshark. Otherwise, the default TMPDIR location is
1331 system-dependent, but is likely either /var/tmp or /tmp.
1332 Capture › Start
1334 Start a live packet capture with the previously selected options.
1336 This won’t open the options dialog box, and can be convenient for
1337 repeatedly capturing with the same options.
1338 Capture › Stop
1340 Stop a running live capture.
1342 Capture › Restart
1344 While a live capture is running, stop it and restart with the same
1346 options again. This can be convenient to remove irrelevant packets,
1347 if no valuable packets were captured so far.
1348 Capture › Capture Filters
1350 Edit the saved list of capture filters, allowing filters to be
1352 added, changed, or deleted.
1353 Analyze › Display Filters
1355 Edit the saved list of display filters, allowing filters to be
1357 added, changed, or deleted.
1358 Analyze › Display Filter Macros
1360 Create shortcuts for complex macros
1362 Analyze › Apply as Filter
1364 Create a display filter based on the data currently highlighted in
1366 the packet details and apply the filter.
1367 If that data is a field that can be tested in a display filter
1369 expression, the display filter will test that field; otherwise, the
1370 display filter will be based on the absolute offset within the
1371 packet. Therefore it could be unreliable if the packet contains
1372 protocols with variable-length headers, such as a source-routed
1373 token-ring packet.
1374 The Selected option creates a display filter that tests for a match
1376 of the data; the Not Selected option creates a display filter that
1377 tests for a non-match of the data. The And Selected, Or Selected,
1378 And Not Selected, and Or Not Selected options add to the end of the
1379 display filter in the strip at the top (or bottom) an AND or OR
1380 operator followed by the new display filter expression.
1381 Analyze › Prepare as Filter
1383 Create a display filter based on the data currently highlighted in
1385 the packet details. The filter strip at the top (or bottom) is
1386 updated but it is not yet applied.
1387 Analyze › Enabled Protocols
1389 Allow protocol dissection to be enabled or disabled for a specific
1391 protocol. Individual protocols can be enabled or disabled by
1392 clicking on them in the list or by highlighting them and pressing
1393 the space bar. The entire list can be enabled, disabled, or
1394 inverted using the buttons below the list.
1395 When a protocol is disabled, dissection in a particular packet
1397 stops when that protocol is reached, and Wireshark moves on to the
1398 next packet. Any higher-layer protocols that would otherwise have
1399 been processed will not be displayed. For example, disabling TCP
1400 will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
1401 and any other protocol exclusively dependent on TCP.
1402 The list of protocols can be saved, so that Wireshark will start up
1404 with the protocols in that list disabled.
1405 Analyze › Decode As
1407 If you have a packet selected, present a dialog allowing you to
1409 change which dissectors are used to decode this packet. The dialog
1410 has one panel each for the link layer, network layer and transport
1411 layer protocol/port numbers, and will allow each of these to be
1412 changed independently. For example, if the selected packet is a TCP
1413 packet to port 12345, using this dialog you can instruct Wireshark
1414 to decode all packets to or from that TCP port as HTTP packets.
1415 Analyze › User Specified Decodes
1417 Create a new window showing whether any protocol ID to dissector
1419 mappings have been changed by the user. This window also allows the
1420 user to reset all decodes to their default values.
1421 Analyze › Follow TCP Stream
1423 If you have a TCP packet selected, display the contents of the data
1425 stream for the TCP connection to which that packet belongs, as
1426 text, in a separate window, and leave the list of packets in a
1427 filtered state, with only those packets that are part of that TCP
1428 connection being displayed. You can revert to your old view by
1429 pressing ENTER in the display filter text box, thereby invoking
1430 your old display filter (or resetting it back to no display
1431 filter).
1432 The window in which the data stream is displayed lets you select:
1434 • whether to display the entire conversation, or one or the other
1436 side of it;
1437 • whether the data being displayed is to be treated as ASCII or
1439 EBCDIC text or as raw hex data;
1440 and lets you print what’s currently being displayed, using the same
1442 print options that are used for the File:Print Packet menu item, or
1443 save it as text to a file.
1444 Analyze › Follow UDP Stream
1446 Analyze › Follow TLS Stream
1449 (Similar to Analyze:Follow TCP Stream)
1451 Analyze › Expert Info
1453 Analyze › Expert Info Composite
1456 (Kind of) a log of anomalies found by Wireshark in a capture file.
1458 Analyze › Conversation Filter
1460 Statistics › Summary
1463 Show summary information about the capture, including elapsed time,
1465 packet counts, byte counts, and the like. If a display filter is in
1466 effect, summary information will be shown about the capture and
1467 about the packets currently being displayed.
1468 Statistics › Protocol Hierarchy
1470 Show the number of packets, and the number of bytes in those
1472 packets, for each protocol in the trace. It organizes the protocols
1473 in the same hierarchy in which they were found in the trace.
1474 Besides counting the packets in which the protocol exists, a count
1475 is also made for packets in which the protocol is the last protocol
1476 in the stack. These last-protocol counts show you how many packets
1477 (and the byte count associated with those packets) ended in a
1478 particular protocol. In the table, they are listed under "End
1479 Packets" and "End Bytes".
1480 Statistics › Conversations
1482 Lists of conversations; selectable by protocol. See
1484 Statistics:Conversation List below.
1485 Statistics › End Points
1487 List of End Point Addresses by protocol with packets/bytes/....
1489 counts.
1490 Statistics › Packet Lengths
1492 Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
1494 Statistics › I/O Graphs
1496 Open a window where up to 5 graphs in different colors can be
1498 displayed to indicate number of packets or number of bytes per
1499 second for all packets matching the specified filter. By default
1500 only one graph will be displayed showing number of packets per
1501 second.
1502 The top part of the window contains the graphs and scales for the X
1504 and Y axis. If the graph is too long to fit inside the window there
1505 is a horizontal scrollbar below the drawing area that can scroll
1506 the graphs to the left or the right. The horizontal axis displays
1507 the time into the capture and the vertical axis will display the
1508 measured quantity at that time.
1509 Below the drawing area and the scrollbar are the controls. On the
1511 bottom left there will be five similar sets of controls to control
1512 each individual graph such as "Display:<button>" which button will
1513 toggle that individual graph on/off. If <button> is ticked, the
1514 graph will be displayed. "Color:<color>" which is just a button to
1515 show which color will be used to draw that graph. Finally
1516 "Filter:<filter-text>" which can be used to specify a display
1517 filter for that particular graph.
1518 If filter-text is empty then all packets will be used to calculate
1520 the quantity for that graph. If filter-text is specified only those
1521 packets that match that display filter will be considered in the
1522 calculation of quantity.
1523 To the right of the 5 graph controls there are four menus to
1525 control global aspects of the draw area and graphs. The "Unit:"
1526 menu is used to control what to measure; "packets/tick",
1527 "bytes/tick" or "advanced..."
1528 packets/tick will measure the number of packets matching the (if
1530 specified) display filter for the graph in each measurement
1531 interval.
1532 bytes/tick will measure the total number of bytes in all packets
1534 matching the (if specified) display filter for the graph in each
1535 measurement interval.
1536 advanced... see below
1538 "Tick interval:" specifies what measurement intervals to use. The
1540 default is 1 second and means that the data will be counted over 1
1541 second intervals.
1542 "Pixels per tick:" specifies how many pixels wide each measurement
1544 interval will be in the drawing area. The default is 5 pixels per
1545 tick.
1546 "Y-scale:" controls the max value for the y-axis. Default value is
1548 "auto" which means that Wireshark will try to adjust the maxvalue
1549 automatically.
1550 "advanced..." If Unit:advanced... is selected the window will
1552 display two more controls for each of the five graphs. One control
1553 will be a menu where the type of calculation can be selected from
1554 SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the
1555 name of a single display filter field can be specified.
1556 The following restrictions apply to type and field combinations:
1558 SUM: available for all types of integers and will calculate the SUM
1560 of all occurrences of this field in the measurement interval. Note
1561 that some field can occur multiple times in the same packet and
1562 then all instances will be summed up. Example: 'tcp.len' which will
1563 count the amount of payload data transferred across TCP in each
1564 interval.
1565 COUNT: available for all field types. This will COUNT the number of
1567 times certain field occurs in each interval. Note that some fields
1568 may occur multiple times in each packet and if that is the case
1569 then each instance will be counted independently and COUNT will be
1570 greater than the number of packets.
1571 MAX: available for all integer and relative time fields. This will
1573 calculate the max seen integer/time value seen for the field during
1574 the interval. Example: 'smb.time' which will plot the maximum SMB
1575 response time.
1576 MIN: available for all integer and relative time fields. This will
1578 calculate the min seen integer/time value seen for the field during
1579 the interval. Example: 'smb.time' which will plot the minimum SMB
1580 response time.
1581 AVG: available for all integer and relative time fields.This will
1583 calculate the average seen integer/time value seen for the field
1584 during the interval. Example: 'smb.time' which will plot the
1585 average SMB response time.
1586 LOAD: available only for relative time fields (response times).
1588 Example of advanced: Display how NFS response time MAX/MIN/AVG
1590 changes over time:
1591 Set first graph to:
1593 filter:nfs&&rpc.time
1595 Calc:MAX rpc.time
1596 Set second graph to
1598 filter:nfs&&rpc.time
1600 Calc:AVG rpc.time
1601 Set third graph to
1603 filter:nfs&&rpc.time
1605 Calc:MIN rpc.time
1606 Example of advanced: Display how the average packet size from host
1608 a.b.c.d changes over time.
1609 Set first graph to
1611 filter:ip.addr==a.b.c.d&&frame.pkt_len
1613 Calc:AVG frame.pkt_len
1614 LOAD: The LOAD io-stat type is very different from anything you
1616 have ever seen before! While the response times themselves as
1617 plotted by MIN,MAX,AVG are indications on the Server load (which
1618 affects the Server response time), the LOAD measurement measures
1619 the Client LOAD. What this measures is how much workload the client
1620 generates, i.e. how fast will the client issue new commands when
1621 the previous ones completed. i.e. the level of concurrency the
1622 client can maintain. The higher the number, the more and faster is
1623 the client issuing new commands. When the LOAD goes down, it may be
1624 due to client load making the client slower in issuing new commands
1625 (there may be other reasons as well, maybe the client just doesn’t
1626 have any commands it wants to issue right then).
1627 Load is measured in concurrency/number of overlapping i/o and the
1629 value 1000 means there is a constant load of one i/o.
1630 In each tick interval the amount of overlap is measured. See the
1632 graph below containing three commands: Below the graph are the LOAD
1633 values for each interval that would be calculated.
1634 | | | | | | | | |
1636 | | | | | | | | |
1637 | | o=====* | | | | | |
1638 | | | | | | | | |
1639 | o========* | o============* | | |
1640 | | | | | | | | |
1641 --------------------------------------------------> Time
1642 500 1500 500 750 1000 500 0 0
1643 Statistics › Conversation List
1645 This option will open a new window that displays a list of all
1647 conversations between two endpoints. The list has one row for each
1648 unique conversation and displays total number of packets/bytes seen
1649 as well as number of packets/bytes in each direction.
1650 By default the list is sorted according to the number of packets
1652 but by clicking on the column header; it is possible to re-sort the
1653 list in ascending or descending order by any column.
1654 By first selecting a conversation by clicking on it and then using
1656 the right mouse button (on those platforms that have a right mouse
1657 button) Wireshark will display a popup menu offering several
1658 different filter operations to apply to the capture.
1659 These statistics windows can also be invoked from the Wireshark
1661 command line using the -z conv argument.
1662 Statistics › Service Response Time
1664 • AFP
1666 • CAMEL
1668 • DCE-RPC
1670 Open a window to display Service Response Time statistics for an
1672 arbitrary DCE-RPC program interface and display Procedure, Number
1673 of Calls, Minimum SRT, Maximum SRT and Average SRT for all
1674 procedures for that program/version. These windows opened will
1675 update in semi-real time to reflect changes when doing live
1676 captures or when reading new capture files into Wireshark.
1677 This dialog will also allow an optional filter string to be used.
1679 If an optional filter string is used only such DCE-RPC
1680 request/response pairs that match that filter will be used to
1681 calculate the statistics. If no filter string is specified all
1682 request/response pairs will be used.
1683 • Diameter
1685 • Fibre Channel
1687 Open a window to display Service Response Time statistics for Fibre
1689 Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1690 SRT and Average SRT for all FC types. These windows opened will
1691 update in semi-real time to reflect changes when doing live
1692 captures or when reading new capture files into Wireshark. The
1693 Service Response Time is calculated as the time delta between the
1694 First packet of the exchange and the Last packet of the exchange.
1695 This dialog will also allow an optional filter string to be used.
1697 If an optional filter string is used only such FC first/last
1698 exchange pairs that match that filter will be used to calculate the
1699 statistics. If no filter string is specified all request/response
1700 pairs will be used.
1701 • GTP
1703 • H.225 RAS
1705 Collect requests/response SRT (Service Response Time) data for
1707 ITU-T H.225 RAS. Data collected is number of calls for each known
1708 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1709 SRT, Minimum in Packet, and Maximum in Packet. You will also get
1710 the number of Open Requests (Unresponded Requests), Discarded
1711 Responses (Responses without matching request) and Duplicate
1712 Messages. These windows opened will update in semi-real time to
1713 reflect changes when doing live captures or when reading new
1714 capture files into Wireshark.
1715 You can apply an optional filter string in a dialog box, before
1717 starting the calculation. The statistics will only be calculated on
1718 those calls matching that filter.
1719 • LDAP
1721 • MEGACO
1723 • MGCP
1725 Collect requests/response SRT (Service Response Time) data for
1727 MGCP. Data collected is number of calls for each known MGCP Type,
1728 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and
1729 Maximum in Packet. These windows opened will update in semi-real
1730 time to reflect changes when doing live captures or when reading
1731 new capture files into Wireshark.
1732 You can apply an optional filter string in a dialog box, before
1734 starting the calculation. The statistics will only be calculated on
1735 those calls matching that filter.
1736 • NCP
1738 • ONC-RPC
1740 Open a window to display statistics for an arbitrary ONC-RPC
1742 program interface and display Procedure, Number of Calls, Minimum
1743 SRT, Maximum SRT and Average SRT for all procedures for that
1744 program/version. These windows opened will update in semi-real time
1745 to reflect changes when doing live captures or when reading new
1746 capture files into Wireshark.
1747 This dialog will also allow an optional filter string to be used.
1749 If an optional filter string is used only such ONC-RPC
1750 request/response pairs that match that filter will be used to
1751 calculate the statistics. If no filter string is specified all
1752 request/response pairs will be used.
1753 By first selecting a conversation by clicking on it and then using
1755 the right mouse button (on those platforms that have a right mouse
1756 button) Wireshark will display a popup menu offering several
1757 different filter operations to apply to the capture.
1758 • RADIUS
1760 • SCSI
1762 • SMB
1764 Collect call/reply SRT (Service Response Time) data for SMB. Data
1766 collected is the number of calls for each SMB command, MinSRT,
1767 MaxSRT and AvgSRT.
1768 The data will be presented as separate tables for all normal SMB
1770 commands, all Transaction2 commands and all NT Transaction
1771 commands. Only those commands that are seen in the capture will
1772 have its stats displayed. Only the first command in a xAndX command
1773 chain will be used in the calculation. So for common
1774 SessionSetupAndX + TreeConnectAndX chains, only the
1775 SessionSetupAndX call will be used in the statistics. This is a
1776 flaw that might be fixed in the future.
1777 You can apply an optional filter string in a dialog box, before
1779 starting the calculation. The stats will only be calculated on
1780 those calls matching that filter.
1781 By first selecting a conversation by clicking on it and then using
1783 the right mouse button (on those platforms that have a right mouse
1784 button) Wireshark will display a popup menu offering several
1785 different filter operations to apply to the capture.
1786 • SMB2
1788 Statistics › BOOTP-DHCP
1790 Statistics › Compare
1793 Compare two Capture Files
1795 Statistics › Flow Graph
1797 Flow Graph: General/TCP
1799 Statistics › HTTP
1801 HTTP Load Distribution, Packet Counter & Requests
1803 Statistics › IP Addresses
1805 Count/Rate/Percent by IP Address
1807 Statistics › IP Destinations
1809 Count/Rate/Percent by IP Address/protocol/port
1811 Statistics › IP Protocol Types
1813 Count/Rate/Percent by IP Protocol Types
1815 Statistics › ONC-RPC Programs
1817 This dialog will open a window showing aggregated SRT statistics
1819 for all ONC-RPC Programs/versions that exist in the capture file.
1820 Statistics › TCP Stream Graph
1822 Graphs: Round Trip; Throughput; Time-Sequence (Stevens);
1824 Time-Sequence (tcptrace)
1825 Statistics › UDP Multicast streams
1827 Multicast Streams Counts/Rates/... by Source/Destination
1829 Address/Port pairs
1830 Statistics › WLAN Traffic
1832 WLAN Traffic Statistics
1834 Telephony › ITU-T H.225
1836 Count ITU-T H.225 messages and their reasons. In the first column
1838 you get a list of H.225 messages and H.225 message reasons, which
1839 occur in the current capture file. The number of occurrences of
1840 each message or reason will be displayed in the second column. This
1841 window opened will update in semi-real time to reflect changes when
1842 doing live captures or when reading new capture files into
1843 Wireshark.
1844 You can apply an optional filter string in a dialog box, before
1846 starting the counter. The statistics will only be calculated on
1847 those calls matching that filter.
1848 Telephony › SIP
1850 Activate a counter for SIP messages. You will get the number of
1852 occurrences of each SIP Method and of each SIP Status-Code.
1853 Additionally you also get the number of resent SIP Messages (only
1854 for SIP over UDP).
1855 This window opened will update in semi-real time to reflect changes
1857 when doing live captures or when reading new capture files into
1858 Wireshark.
1859 You can apply an optional filter string in a dialog box, before
1861 starting the counter. The statistics will only be calculated on
1862 those calls matching that filter.
1863 Tools › Firewall ACL Rules
1865 Help › Contents
1868 Some help texts.
1870 Help › Supported Protocols
1872 List of supported protocols and display filter protocol fields.
1874 Help › Manual Pages
1876 Display locally installed HTML versions of these manual pages in a
1878 web browser.
1879 Help › Wireshark Online
1881 Various links to online resources to be open in a web browser, like
1883 https://www.wireshark.org.
1884 Help › About Wireshark
1886 See various information about Wireshark (see /About dialog below),
1888 like the version, the folders used, the available plugins, ...
1889 WINDOWS
1891 Main Window
1892 The main window contains the usual things like the menu, some
1894 toolbars, the main area and a statusbar. The main area is split
1895 into three panes, you can resize each pane using a "thumb" at the
1896 right end of each divider line.
1897 The main window is much more flexible than before. The layout of
1899 the main window can be customized by the Layout page in the dialog
1900 box popped up by Edit:Preferences, the following will describe the
1901 layout with the default settings.
1902 Main Toolbar
1904 Some menu items are available for quick access here. There is no
1906 way to customize the items in the toolbar, however the toolbar can
1907 be hidden by View:Main Toolbar.
1908 Filter Toolbar
1910 A display filter can be entered into the filter toolbar. A filter
1912 for HTTP, HTTPS, and DNS traffic might look like this:
1913 tcp.port in {80 443 53}
1915 Selecting the Filter: button lets you choose from a list of named
1917 filters that you can optionally save. Pressing the Return or Enter
1918 keys, or selecting the Apply button, will cause the filter to be
1919 applied to the current list of packets. Selecting the Reset button
1920 clears the display filter so that all packets are displayed
1921 (again).
1922 There is no way to customize the items in the toolbar, however the
1924 toolbar can be hidden by View:Filter Toolbar.
1925 Packet List Pane
1927 The top pane contains the list of network packets that you can
1929 scroll through and select. By default, the packet number, packet
1930 timestamp, source and destination addresses, protocol, and
1931 description are displayed for each packet; the Columns page in the
1932 dialog box popped up by Edit:Preferences lets you change this
1933 (although, unfortunately, you currently have to save the
1934 preferences, and exit and restart Wireshark, for those changes to
1935 take effect).
1936 If you click on the heading for a column, the display will be
1938 sorted by that column; clicking on the heading again will reverse
1939 the sort order for that column.
1940 An effort is made to display information as high up the protocol
1942 stack as possible, e.g. IP addresses are displayed for IP packets,
1943 but the MAC layer address is displayed for unknown packet types.
1944 The right mouse button can be used to pop up a menu of operations.
1946 The middle mouse button can be used to mark a packet.
1948 Packet Details Pane
1950 The middle pane contains a display of the details of the
1952 currently-selected packet. The display shows each field and its
1953 value in each protocol header in the stack. The right mouse button
1954 can be used to pop up a menu of operations.
1955 Packet Bytes Pane
1957 The lowest pane contains a hex and ASCII dump of the actual packet
1959 data. Selecting a field in the packet details highlights the
1960 corresponding bytes in this section.
1961 The right mouse button can be used to pop up a menu of operations.
1963 Statusbar
1965 The statusbar is divided into three parts, on the left some context
1967 dependent things are shown, like information about the loaded file,
1968 in the center the number of packets are displayed, and on the right
1969 the current configuration profile.
1970 The statusbar can be hidden by View:Statusbar.
1972 Preferences
1974 The Preferences dialog lets you control various personal
1976 preferences for the behavior of Wireshark.
1977 User Interface Preferences
1979 The User Interface page is used to modify small aspects of the GUI
1981 to your own personal taste:
1982 Selection Bars
1984 The selection bar in the packet list and packet details can have
1986 either a "browse" or "select" behavior. If the selection bar has a
1987 "browse" behavior, the arrow keys will move an outline of the
1988 selection bar, allowing you to browse the rest of the list or
1989 details without changing the selection until you press the space
1990 bar. If the selection bar has a "select" behavior, the arrow keys
1991 will move the selection bar and change the selection to the new
1992 item in the packet list or packet details.
1993 Save Window Position
1995 If this item is selected, the position of the main Wireshark window
1997 will be saved when Wireshark exits, and used when Wireshark is
1998 started again.
1999 Save Window Size
2001 If this item is selected, the size of the main Wireshark window
2003 will be saved when Wireshark exits, and used when Wireshark is
2004 started again.
2005 Save Window Maximized state
2007 If this item is selected the maximize state of the main Wireshark
2009 window will be saved when Wireshark exists, and used when Wireshark
2010 is started again.
2011 File Open Dialog Behavior
2013 This item allows the user to select how Wireshark handles the
2015 listing of the "File Open" Dialog when opening trace files.
2016 "Remember Last Directory" causes Wireshark to automatically
2017 position the dialog in the directory of the most recently opened
2018 file, even between launches of Wireshark. "Always Open in
2019 Directory" allows the user to define a persistent directory that
2020 the dialog will always default to.
2021 Directory
2023 Allows the user to specify a persistent File Open directory.
2025 Trailing slashes or backslashes will automatically be added.
2026 File Open Preview timeout
2028 This items allows the user to define how much time is spend reading
2030 the capture file to present preview data in the File Open dialog.
2031 Open Recent maximum list entries
2033 The File menu supports a recent file list. This items allows the
2035 user to specify how many files are kept track of in this list.
2036 Ask for unsaved capture files
2038 When closing a capture file or Wireshark itself if the file isn’t
2040 saved yet the user is presented the option to save the file when
2041 this item is set.
2042 Wrap during find
2044 This items determines the behavior when reaching the beginning or
2046 the end of a capture file. When set the search wraps around and
2047 continues, otherwise it stops.
2048 Settings dialogs show a save button
2050 This item determines if the various dialogs sport an explicit Save
2052 button or that save is implicit in OK / Apply.
2053 Web browser command
2055 This entry specifies the command line to launch a web browser. It
2057 is used to access online content, like the Wiki and user guide. Use
2058 '%s' to place the request URL in the command line.
2059 Layout Preferences
2061 The Layout page lets you specify the general layout of the main
2063 window. You can choose from six different layouts and fill the
2064 three panes with the contents you like.
2065 Scrollbars
2067 The vertical scrollbars in the three panes can be set to be either
2069 on the left or the right.
2070 Alternating row colors
2072 Hex Display
2075 The highlight method in the hex dump display for the selected
2077 protocol item can be set to use either inverse video, or bold
2078 characters.
2079 Toolbar style
2081 Filter toolbar placement
2084 Custom window title
2087 Column Preferences
2090 The Columns page lets you specify the number, title, and format of
2092 each column in the packet list.
2093 The Column title entry is used to specify the title of the column
2095 displayed at the top of the packet list. The type of data that the
2096 column displays can be specified using the Column format option
2097 menu. The row of buttons on the left perform the following actions:
2098 New
2100 Adds a new column to the list.
2102 Delete
2104 Deletes the currently selected list item.
2106 Up / Down
2108 Moves the selected list item up or down one position.
2110 Font Preferences
2112 The Font page lets you select the font to be used for most text.
2114 Color Preferences
2116 The Colors page can be used to change the color of the text
2118 displayed in the TCP stream window and for marked packets. To
2119 change a color, simply select an attribute from the "Set:" menu and
2120 use the color selector to get the desired color. The new text
2121 colors are displayed as a sample text.
2122 Capture Preferences
2124 The Capture page lets you specify various parameters for capturing
2126 live packet data; these are used the first time a capture is
2127 started.
2128 The Interface: combo box lets you specify the interface from which
2130 to capture packet data, or the name of a FIFO from which to get the
2131 packet data.
2132 The Data link type: option menu lets you, for some interfaces,
2134 select the data link header you want to see on the packets you
2135 capture. For example, in some OSes and with some versions of
2136 libpcap, you can choose, on an 802.11 interface, whether the
2137 packets should appear as Ethernet packets (with a fake Ethernet
2138 header) or as 802.11 packets.
2139 The Limit each packet to ... bytes check box lets you set the
2141 snapshot length to use when capturing live data; turn on the check
2142 box, and then set the number of bytes to use as the snapshot
2143 length.
2144 The Filter: text entry lets you set a capture filter expression to
2146 be used when capturing.
2147 If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
2149 REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create
2150 a default capture filter that excludes traffic from the hosts and
2151 ports defined in those variables.
2152 The Capture packets in promiscuous mode check box lets you specify
2154 whether to put the interface in promiscuous mode when capturing.
2155 The Update list of packets in real time check box lets you specify
2157 that the display should be updated as packets are seen.
2158 The Automatic scrolling in live capture check box lets you specify
2160 whether, in an "Update list of packets in real time" capture, the
2161 packet list pane should automatically scroll to show the most
2162 recently captured packets.
2163 Printing Preferences
2165 The radio buttons at the top of the Printing page allow you choose
2167 between printing packets with the File:Print Packet menu item as
2168 text or PostScript, and sending the output directly to a command or
2169 saving it to a file. The Command: text entry box, on
2170 UNIX-compatible systems, is the command to send files to (usually
2171 lpr), and the File: entry box lets you enter the name of the file
2172 you wish to save to. Additionally, you can select the File: button
2173 to browse the file system for a particular save file.
2174 Name Resolution Preferences
2176 The Enable MAC name resolution, Enable network name resolution and
2178 Enable transport name resolution check boxes let you specify
2179 whether MAC addresses, network addresses, and transport-layer port
2180 numbers should be translated to names.
2181 The Enable concurrent DNS name resolution allows Wireshark to send
2183 out multiple name resolution requests and not wait for the result
2184 before continuing dissection. This speeds up dissection with
2185 network name resolution but initially may miss resolutions. The
2186 number of concurrent requests can be set here as well.
2187 SMI paths
2189 SMI modules
2191 RTP Player Preferences
2193 This page allows you to select the number of channels visible in
2195 the RTP player window. It determines the height of the window, more
2196 channels are possible and visible by means of a scroll bar.
2197 Protocol Preferences
2199 There are also pages for various protocols that Wireshark dissects,
2201 controlling the way Wireshark handles those protocols.
2202 Edit Capture Filter List
2204 Edit Display Filter List
2207 Capture Filter
2210 Display Filter
2213 Read Filter
2216 Search Filter
2219 The Edit Capture Filter List dialog lets you create, modify, and
2221 delete capture filters, and the Edit Display Filter List dialog
2222 lets you create, modify, and delete display filters.
2223 The Capture Filter dialog lets you do all of the editing operations
2225 listed, and also lets you choose or construct a filter to be used
2226 when capturing packets.
2227 The Display Filter dialog lets you do all of the editing operations
2229 listed, and also lets you choose or construct a filter to be used
2230 to filter the current capture being viewed.
2231 The Read Filter dialog lets you do all of the editing operations
2233 listed, and also lets you choose or construct a filter to be used
2234 to as a read filter for a capture file you open.
2235 The Search Filter dialog lets you do all of the editing operations
2237 listed, and also lets you choose or construct a filter expression
2238 to be used in a find operation.
2239 In all of those dialogs, the Filter name entry specifies a
2241 descriptive name for a filter, e.g. Web and DNS traffic. The Filter
2242 string entry is the text that actually describes the filtering
2243 action to take, as described above.The dialog buttons perform the
2244 following actions:
2245 New
2247 If there is text in the two entry boxes, creates a new associated
2249 list item.
2250 Edit
2252 Modifies the currently selected list item to match what’s in the
2254 entry boxes.
2255 Delete
2257 Deletes the currently selected list item.
2259 Add Expression...
2261 For display filter expressions, pops up a dialog box to allow you
2263 to construct a filter expression to test a particular field; it
2264 offers lists of field names, and, when appropriate, lists from
2265 which to select tests to perform on the field and values with which
2266 to compare it. In that dialog box, the OK button will cause the
2267 filter expression you constructed to be entered into the Filter
2268 string entry at the current cursor position.
2269 OK
2271 In the Capture Filter dialog, closes the dialog box and makes the
2273 filter in the Filter string entry the filter in the Capture
2274 Preferences dialog. In the Display Filter dialog, closes the dialog
2275 box and makes the filter in the Filter string entry the current
2276 display filter, and applies it to the current capture. In the Read
2277 Filter dialog, closes the dialog box and makes the filter in the
2278 Filter string entry the filter in the Open Capture File dialog. In
2279 the Search Filter dialog, closes the dialog box and makes the
2280 filter in the Filter string entry the filter in the Find Packet
2281 dialog.
2282 Apply
2284 Makes the filter in the Filter string entry the current display
2286 filter, and applies it to the current capture.
2287 Save
2289 If the list of filters being edited is the list of capture filters,
2291 saves the current filter list to the personal capture filters file,
2292 and if the list of filters being edited is the list of display
2293 filters, saves the current filter list to the personal display
2294 filters file.
2295 Close
2297 Closes the dialog without doing anything with the filter in the
2299 Filter string entry.
2300 The Color Filters Dialog
2302 This dialog displays a list of color filters and allows it to be
2304 modified.
2305 THE FILTER LIST
2307 Single rows may be selected by clicking. Multiple rows may be
2309 selected by using the ctrl and shift keys in combination with the
2310 mouse button.
2311 NEW
2313 Adds a new filter at the bottom of the list and opens the Edit
2315 Color Filter dialog box. You will have to alter the filter
2316 expression at least before the filter will be accepted. The format
2317 of color filter expressions is identical to that of display
2318 filters. The new filter is selected, so it may immediately be moved
2319 up and down, deleted or edited. To avoid confusion all filters are
2320 unselected before the new filter is created.
2321 EDIT
2323 Opens the Edit Color Filter dialog box for the selected filter. (If
2325 this button is disabled you may have more than one filter selected,
2326 making it ambiguous which is to be edited.)
2327 ENABLE
2329 Enables the selected color filter(s).
2331 DISABLE
2333 Disables the selected color filter(s).
2335 DELETE
2337 Deletes the selected color filter(s).
2339 EXPORT
2341 Allows you to choose a file in which to save the current list of
2343 color filters. You may also choose to save only the selected
2344 filters. A button is provided to save the filters in the global
2345 color filters file (you must have sufficient permissions to write
2346 this file, of course).
2347 IMPORT
2349 Allows you to choose a file containing color filters which are then
2351 added to the bottom of the current list. All the added filters are
2352 selected, so they may be moved to the correct position in the list
2353 as a group. To avoid confusion, all filters are unselected before
2354 the new filters are imported. A button is provided to load the
2355 filters from the global color filters file.
2356 CLEAR
2358 Deletes your personal color filters file, reloads the global color
2360 filters file, if any, and closes the dialog.
2361 UP
2363 Moves the selected filter(s) up the list, making it more likely
2365 that they will be used to color packets.
2366 DOWN
2368 Moves the selected filter(s) down the list, making it less likely
2370 that they will be used to color packets.
2371 OK
2373 Closes the dialog and uses the color filters as they stand.
2375 APPLY
2377 Colors the packets according to the current list of color filters,
2379 but does not close the dialog.
2380 SAVE
2382 Saves the current list of color filters in your personal color
2384 filters file. Unless you do this they will not be used the next
2385 time you start Wireshark.
2386 CLOSE
2388 Closes the dialog without changing the coloration of the packets.
2390 Note that changes you have made to the current list of color
2391 filters are not undone.
2392 Capture Options Dialog
2394 The Capture Options Dialog lets you specify various parameters for
2396 capturing live packet data.
2397 The Interface: field lets you specify the interface from which to
2399 capture packet data or a command from which to get the packet data
2400 via a pipe.
2401 The Link layer header type: field lets you specify the interfaces
2403 link layer header type. This field is usually disabled, as most
2404 interface have only one header type.
2405 The Capture packets in promiscuous mode check box lets you specify
2407 whether the interface should be put into promiscuous mode when
2408 capturing.
2409 The Limit each packet to ... bytes check box and field lets you
2411 specify a maximum number of bytes per packet to capture and save;
2412 if the check box is not checked, the limit will be 262144 bytes.
2413 The Capture Filter: entry lets you specify the capture filter using
2415 a tcpdump-style filter string as described above.
2416 The File: entry lets you specify the file into which captured
2418 packets should be saved, as in the Printer Options dialog above. If
2419 not specified, the captured packets will be saved in a temporary
2420 file; you can save those packets to a file with the File:Save As
2421 menu item.
2422 The Use multiple files check box lets you specify that the capture
2424 should be done in "multiple files" mode. This option is disabled,
2425 if the Update list of packets in real time option is checked.
2426 The Next file every ... megabyte(s) check box and fields lets you
2428 specify that a switch to a next file should be done if the
2429 specified filesize is reached. You can also select the appropriate
2430 unit, but beware that the filesize has a maximum of 2 GiB. The
2431 check box is forced to be checked, as "multiple files" mode
2432 requires a file size to be specified.
2433 The Next file every ... minute(s) check box and fields lets you
2435 specify that the switch to a next file should be done after the
2436 specified time has elapsed, even if the specified capture size is
2437 not reached.
2438 The Ring buffer with ... files field lets you specify the number of
2440 files of a ring buffer. This feature will capture into the first
2441 file again, after the specified number of files have been used.
2442 The Stop capture after ... files field lets you specify the number
2444 of capture files used, until the capture is stopped.
2445 The Stop capture after ... packet(s) check box and field let you
2447 specify that Wireshark should stop capturing after having captured
2448 some number of packets; if the check box is not checked, Wireshark
2449 will not stop capturing at some fixed number of captured packets.
2450 The Stop capture after ... megabyte(s) check box and field lets you
2452 specify that Wireshark should stop capturing after the file to
2453 which captured packets are being saved grows as large as or larger
2454 than some specified number of megabytes. If the check box is not
2455 checked, Wireshark will not stop capturing at some capture file
2456 size (although the operating system on which Wireshark is running,
2457 or the available disk space, may still limit the maximum size of a
2458 capture file). This option is disabled, if "multiple files" mode is
2459 used,
2460 The Stop capture after ... second(s) check box and field let you
2462 specify that Wireshark should stop capturing after it has been
2463 capturing for some number of seconds; if the check box is not
2464 checked, Wireshark will not stop capturing after some fixed time
2465 has elapsed.
2466 The Update list of packets in real time check box lets you specify
2468 whether the display should be updated as packets are captured and,
2469 if you specify that, the Automatic scrolling in live capture check
2470 box lets you specify the packet list pane should automatically
2471 scroll to show the most recently captured packets as new packets
2472 arrive.
2473 The Enable MAC name resolution, Enable network name resolution and
2475 Enable transport name resolution check boxes let you specify
2476 whether MAC addresses, network addresses, and transport-layer port
2477 numbers should be translated to names.
2478 About
2480 The About dialog lets you view various information about Wireshark.
2482 About › Wireshark
2484 The Wireshark page lets you view general information about
2486 Wireshark, like the installed version, licensing information and
2487 such.
2488 About › Authors
2490 The Authors page shows the author and all contributors.
2492 About › Folders
2494 The Folders page lets you view the directory names where Wireshark
2496 is searching it’s various configuration and other files.
2497 About › Plugins
2499 The Plugins page lets you view the dissector plugin modules
2501 available on your system.
2502 The Plugins List shows the name and version of each dissector
2504 plugin module found on your system.
2505 On Unix-compatible systems, the plugins are looked for in the
2507 following directories: the lib/wireshark/plugins/$VERSION directory
2508 under the main installation directory (for example,
2509 /usr/local/lib/wireshark/plugins/$VERSION), and then
2510 $HOME/.wireshark/plugins.
2511 On Windows systems, the plugins are looked for in the following
2513 directories: plugins\$VERSION directory under the main installation
2514 directory (for example, C:\Program
2515 Files\Wireshark\plugins\$VERSION), and then
2516 %APPDATA%\Wireshark\plugins\$VERSION (or, if %APPDATA% isn’t
2517 defined, %USERPROFILE%\Application
2518 Data\Wireshark\plugins\$VERSION).
2519 $VERSION is the version number of the plugin interface, which is
2521 typically the version number of Wireshark. Note that a dissector
2522 plugin module may support more than one protocol; there is not
2523 necessarily a one-to-one correspondence between dissector plugin
2524 modules and protocols. Protocols supported by a dissector plugin
2525 module are enabled and disabled using the Edit:Protocols dialog
2526 box, just as protocols built into Wireshark are.
2527
2529 See the manual page of pcap-filter(7) or, if that doesn’t exist,
2530 tcpdump(8), or, if that doesn’t exist,
2531 https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2532
2534 For a complete table of protocol and protocol fields that are
2535 filterable in Wireshark see the wireshark-filter(4) manual page.
2536
2538 These files contains various Wireshark configuration settings.
2539 Preferences
2541 The preferences files contain global (system-wide) and personal
2543 preference settings. If the system-wide preference file exists, it
2544 is read first, overriding the default settings. If the personal
2545 preferences file exists, it is read next, overriding any previous
2546 values. Note: If the command line flag -o is used (possibly more
2547 than once), it will in turn override values from the preferences
2548 files.
2549 The preferences settings are in the form prefname:value, one per
2551 line, where prefname is the name of the preference and value is the
2552 value to which it should be set; white space is allowed between :
2553 and value. A preference setting can be continued on subsequent
2554 lines by indenting the continuation lines with white space. A #
2555 character starts a comment that runs to the end of the line:
2556 # Vertical scrollbars should be on right side?
2558 # TRUE or FALSE (case-insensitive).
2559 gui.scrollbar_on_right: TRUE
2560 The global preferences file is looked for in the wireshark
2562 directory under the share subdirectory of the main installation
2563 directory (for example, /usr/local/share/wireshark/preferences) on
2564 UNIX-compatible systems, and in the main installation directory
2565 (for example, C:\Program Files\Wireshark\preferences) on Windows
2566 systems.
2567 The personal preferences file is looked for in
2569 $XDG_CONFIG_HOME/wireshark/preferences (or, if
2570 $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2571 present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2572 and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2573 defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2574 Windows systems.
2575 Note: Whenever the preferences are saved by using the Save button
2577 in the Edit:Preferences dialog box, your personal preferences file
2578 will be overwritten with the new settings, destroying any comments
2579 and unknown/obsolete settings that were in the file.
2580 Recent
2582 The recent file contains personal settings (mostly GUI related)
2584 such as the current Wireshark window size. The file is saved at
2585 program exit and read in at program start automatically. Note: The
2586 command line flag -o may be used to override settings from this
2587 file.
2588 The settings in this file have the same format as in the
2590 preferences files, and the same directory as for the personal
2591 preferences file is used.
2592 Note: Whenever Wireshark is closed, your recent file will be
2594 overwritten with the new settings, destroying any comments and
2595 unknown/obsolete settings that were in the file.
2596 Disabled (Enabled) Protocols
2598 The disabled_protos files contain system-wide and personal lists of
2600 protocols that have been disabled, so that their dissectors are
2601 never called. The files contain protocol names, one per line, where
2602 the protocol name is the same name that would be used in a display
2603 filter for the protocol:
2604 http
2606 tcp # a comment
2607 If a protocol is listed in the global disabled_protos file, it is
2609 not displayed in the Analyze:Enabled Protocols dialog box, and so
2610 cannot be enabled by the user.
2611 The global disabled_protos file uses the same directory as the
2613 global preferences file.
2614 The personal disabled_protos file uses the same directory as the
2616 personal preferences file.
2617 Note: Whenever the disabled protocols list is saved by using the
2619 Save button in the Analyze:Enabled Protocols dialog box, your
2620 personal disabled protocols file will be overwritten with the new
2621 settings, destroying any comments that were in the file.
2622 Name Resolution (hosts)
2624 If the personal hosts file exists, it is used to resolve IPv4 and
2626 IPv6 addresses before any other attempts are made to resolve them.
2627 The file has the standard hosts file syntax; each line contains one
2628 IP address and name, separated by whitespace. The same directory as
2629 for the personal preferences file is used.
2630 Capture filter name resolution is handled by libpcap on
2632 UNIX-compatible systems and WinPcap on Windows. As such the
2633 Wireshark personal hosts file will not be consulted for capture
2634 filter name resolution.
2635 Name Resolution (subnets)
2637 If an IPv4 address cannot be translated via name resolution (no
2639 exact match is found) then a partial match is attempted via the
2640 subnets file. Both the global subnets file and personal subnets
2641 files are used if they exist.
2642 Each line of this file consists of an IPv4 address, a subnet mask
2644 length separated only by a / and a name separated by whitespace.
2645 While the address must be a full IPv4 address, any values beyond
2646 the mask length are subsequently ignored.
2647 An example is:
2649 # Comments must be prepended by the # sign! 192.168.0.0/24
2651 ws_test_network
2652 A partially matched name will be printed as
2654 "subnet-name.remaining-address". For example, "192.168.0.1" under
2655 the subnet above would be printed as "ws_test_network.1"; if the
2656 mask length above had been 16 rather than 24, the printed address
2657 would be "ws_test_network.0.1".
2658 Name Resolution (ethers)
2660 The ethers files are consulted to correlate 6-byte hardware
2662 addresses to names. First the personal ethers file is tried and if
2663 an address is not found there the global ethers file is tried next.
2664 Each line contains one hardware address and name, separated by
2666 whitespace. The digits of the hardware address are separated by
2667 colons (:), dashes (-) or periods (.). The same separator character
2668 must be used consistently in an address. The following three lines
2669 are valid lines of an ethers file:
2670 ff:ff:ff:ff:ff:ff Broadcast
2672 c0-00-ff-ff-ff-ff TR_broadcast
2673 00.00.00.00.00.00 Zero_broadcast
2674 The global ethers file is looked for in the /etc directory on
2676 UNIX-compatible systems, and in the main installation directory
2677 (for example, C:\Program Files\Wireshark) on Windows systems.
2678 The personal ethers file is looked for in the same directory as the
2680 personal preferences file.
2681 Capture filter name resolution is handled by libpcap on
2683 UNIX-compatible systems and WinPcap on Windows. As such the
2684 Wireshark personal ethers file will not be consulted for capture
2685 filter name resolution.
2686 Name Resolution (manuf)
2688 The manuf file is used to match the 3-byte vendor portion of a
2690 6-byte hardware address with the manufacturer’s name; it can also
2691 contain well-known MAC addresses and address ranges specified with
2692 a netmask. The format of the file is the same as the ethers files,
2693 except that entries such as:
2694 00:00:0C Cisco
2696 can be provided, with the 3-byte OUI and the name for a vendor, and
2698 entries such as:
2699 00-00-0C-07-AC/40 All-HSRP-routers
2701 can be specified, with a MAC address and a mask indicating how many
2703 bits of the address must match. The above entry, for example, has
2704 40 significant bits, or 5 bytes, and would match addresses from
2705 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2706 multiple of 8.
2707 The manuf file is looked for in the same directory as the global
2709 preferences file.
2710 Name Resolution (services)
2712 The services file is used to translate port numbers into names.
2714 Both the global services file and personal services files are used
2715 if they exist.
2716 The file has the standard services file syntax; each line contains
2718 one (service) name and one transport identifier separated by white
2719 space. The transport identifier includes one port number and one
2720 transport protocol name (typically tcp, udp, or sctp) separated by
2721 a /.
2722 An example is:
2724 mydns 5045/udp # My own Domain Name Server mydns
2726 5045/tcp # My own Domain Name Server
2727 Name Resolution (ipxnets)
2729 The ipxnets files are used to correlate 4-byte IPX network numbers
2731 to names. First the global ipxnets file is tried and if that
2732 address is not found there the personal one is tried next.
2733 The format is the same as the ethers file, except that each address
2735 is four bytes instead of six. Additionally, the address can be
2736 represented as a single hexadecimal number, as is more common in
2737 the IPX world, rather than four hex octets. For example, these four
2738 lines are valid lines of an ipxnets file:
2739 C0.A8.2C.00 HR
2741 c0-a8-1c-00 CEO
2742 00:00:BE:EF IT_Server1
2743 110f FileServer3
2744 The global ipxnets file is looked for in the /etc directory on
2746 UNIX-compatible systems, and in the main installation directory
2747 (for example, C:\Program Files\Wireshark) on Windows systems.
2748 The personal ipxnets file is looked for in the same directory as
2750 the personal preferences file.
2751 Capture Filters
2753 The cfilters files contain system-wide and personal capture
2755 filters. Each line contains one filter, starting with the string
2756 displayed in the dialog box in quotation marks, followed by the
2757 filter string itself:
2758 "HTTP" port 80
2760 "DCERPC" port 135
2761 The global cfilters file uses the same directory as the global
2763 preferences file.
2764 The personal cfilters file uses the same directory as the personal
2766 preferences file. It is written through the Capture:Capture Filters
2767 dialog.
2768 If the global cfilters file exists, it is used only if the personal
2770 cfilters file does not exist; global and personal capture filters
2771 are not merged.
2772 Display Filters
2774 The dfilters files contain system-wide and personal display
2776 filters. Each line contains one filter, starting with the string
2777 displayed in the dialog box in quotation marks, followed by the
2778 filter string itself:
2779 "HTTP" http
2781 "DCERPC" dcerpc
2782 The global dfilters file uses the same directory as the global
2784 preferences file.
2785 The personal dfilters file uses the same directory as the personal
2787 preferences file. It is written through the Analyze:Display Filters
2788 dialog.
2789 If the global dfilters file exists, it is used only if the personal
2791 dfilters file does not exist; global and personal display filters
2792 are not merged.
2793 Color Filters (Coloring Rules)
2795 The colorfilters files contain system-wide and personal color
2797 filters. Each line contains one filter, starting with the string
2798 displayed in the dialog box, followed by the corresponding display
2799 filter. Then the background and foreground colors are appended:
2800 # a comment
2802 @tcp@tcp@[59345,58980,65534][0,0,0]
2803 @udp@udp@[28834,57427,65533][0,0,0]
2804 The global colorfilters file uses the same directory as the global
2806 preferences file.
2807 The personal colorfilters file uses the same directory as the
2809 personal preferences file. It is written through the View:Coloring
2810 Rules dialog.
2811 If the global colorfilters file exists, it is used only if the
2813 personal colorfilters file does not exist; global and personal
2814 color filters are not merged.
2815 Plugins
2817 See above in the description of the About:Plugins page.
2819
2821 WIRESHARK_CONFIG_DIR
2822 This environment variable overrides the location of personal
2824 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2825 $HOME/.wireshark if the former is missing while the latter exists).
2826 On Windows, %APPDATA%\Wireshark is used instead. Available since
2827 Wireshark 3.0.
2828 WIRESHARK_DEBUG_WMEM_OVERRIDE
2830 Setting this environment variable forces the wmem framework to use
2832 the specified allocator backend for all allocations, regardless of
2833 which backend is normally specified by the code. This is mainly
2834 useful to developers when testing or debugging. See README.wmem in
2835 the source distribution for details.
2836 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
2838 This environment variable causes the plugins and other data files
2840 to be loaded from the build directory (where the program was
2841 compiled) rather than from the standard locations. It has no effect
2842 when the program in question is running with root (or setuid)
2843 permissions on *NIX.
2844 WIRESHARK_DATA_DIR
2846 This environment variable causes the various data files to be
2848 loaded from a directory other than the standard locations. It has
2849 no effect when the program in question is running with root (or
2850 setuid) permissions on *NIX.
2851 ERF_RECORDS_TO_CHECK
2853 This environment variable controls the number of ERF records
2855 checked when deciding if a file really is in the ERF format.
2856 Setting this environment variable a number higher than the default
2857 (20) would make false positives less likely.
2858 IPFIX_RECORDS_TO_CHECK
2860 This environment variable controls the number of IPFIX records
2862 checked when deciding if a file really is in the IPFIX format.
2863 Setting this environment variable a number higher than the default
2864 (20) would make false positives less likely.
2865 WIRESHARK_ABORT_ON_DISSECTOR_BUG
2867 If this environment variable is set, Wireshark will call abort(3)
2869 when a dissector bug is encountered. abort(3) will cause the
2870 program to exit abnormally; if you are running Wireshark in a
2871 debugger, it should halt in the debugger and allow inspection of
2872 the process, and, if you are not running it in a debugger, it will,
2873 on some OSes, assuming your environment is configured correctly,
2874 generate a core dump file. This can be useful to developers
2875 attempting to troubleshoot a problem with a protocol dissector.
2876 WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
2878 If this environment variable is set, Wireshark will call abort(3)
2880 if a dissector tries to add too many items to a tree (generally
2881 this is an indication of the dissector not breaking out of a loop
2882 soon enough). abort(3) will cause the program to exit abnormally;
2883 if you are running Wireshark in a debugger, it should halt in the
2884 debugger and allow inspection of the process, and, if you are not
2885 running it in a debugger, it will, on some OSes, assuming your
2886 environment is configured correctly, generate a core dump file.
2887 This can be useful to developers attempting to troubleshoot a
2888 problem with a protocol dissector.
2889 WIRESHARK_QUIT_AFTER_CAPTURE
2891 Cause Wireshark to exit after the end of the capture session. This
2893 doesn’t automatically start a capture; you must still use -k to do
2894 that. You must also specify an autostop condition, e.g. -c or -a
2895 duration:.... This means that you will not be able to see the
2896 results of the capture after it stops; it’s primarily useful for
2897 testing.
2898 WIRESHARK_LOG_LEVEL
2900 This environment variable controls the verbosity of diagnostic
2902 messages to the console. From less verbose to most verbose levels
2903 can be critical, warning, message, info, debug or noisy. Levels
2904 above the current level are also active. Levels critical and error
2905 are always active.
2906 WIRESHARK_LOG_FATAL
2908 Sets the fatal log level. Fatal log levels cause the program to
2910 abort. This level can be set to Error, critical or warning. Error
2911 is always fatal and is the default.
2912 WIRESHARK_LOG_DOMAINS
2914 This environment variable selects which log domains are active. The
2916 filter is given as a case-insensitive comma separated list. If set
2917 only the included domains will be enabled. The default domain is
2918 always considered to be enabled. Domain filter lists can be
2919 preceded by '!' to invert the sense of the match.
2920 WIRESHARK_LOG_DEBUG
2922 List of domains with debug log level. This sets the level of the
2924 provided log domains and takes precedence over the active domains
2925 filter. If preceded by '!' this disables the debug level instead.
2926 WIRESHARK_LOG_NOISY
2928 Same as above but for noisy log level instead.
2930
2932 Wireshark would not be the powerful, featureful application it is
2933 without the generous contributions of hundreds of developers.
2934 A complete list of authors can be found in the AUTHORS file in
2936 Wireshark’s source code repository and at
2937 https://www.wireshark.org/about.html#authors.
2938
2940 wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1),
2941 mergecap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)
2942
2944 This is the manual page for Wireshark 3.6.0. The latest version of
2945 Wireshark can be found at https://www.wireshark.org.
2946 HTML versions of the Wireshark project man pages are available at
2948 https://www.wireshark.org/docs/man-pages.
2949 2021-11-25 WIRESHARK(1)