WIRESHARK(1)

NAME
wireshark - Interactively dump and analyze network traffic

SYNOPSIS
wireshark [ -i <capture interface>|- ] [ -f <capture filter> ]
[ -Y <display filter> ] [ -w <outfile> ] [ options ] [ <infile> ]

DESCRIPTION
Wireshark is a GUI network protocol analyzer. It lets you interactively
browse packet data from a live network or from a previously saved
capture file. Wireshark's native capture file formats are pcapng format
and pcap format; it can read and write both formats. pcap format is
also the format used by tcpdump and various other tools; tcpdump, when
using newer versions of the libpcap library, can also read some pcapng
files, and, on newer versions of macOS, can read all pcapng files and
can write them as well.

Wireshark can also read / import the following file formats:

• Oracle (previously Sun) snoop and atmsnoop captures

• Finisar (previously Shomiti) Surveyor captures

• Microsoft Network Monitor captures

• Novell LANalyzer captures

• AIX’s iptrace captures

• Cinco Networks NetXRay captures

• NETSCOUT (previously Network Associates/Network General)
Windows-based Sniffer captures

• Network General/Network Associates DOS-based Sniffer captures
(compressed or uncompressed)

• LiveAction (previously WildPackets/Savvius)
*Peek/EtherHelp/PacketGrabber captures

• RADCOM's WAN/LAN analyzer captures

• Viavi (previously Network Instruments) Observer captures

• Lucent/Ascend router debug output

• captures from HP-UX nettl

• Toshiba’s ISDN routers dump output

• the output from i4btrace from the ISDN4BSD project

• traces from the EyeSDN USB S0

• the IPLog format output from the Cisco Secure Intrusion Detection
System

• pppd logs (pppdump format)

• the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities

• the text output from the DBS Etherwatch VMS utility

• Visual Networks' Visual UpTime traffic capture

• the output from CoSine L2 debug

• the output from InfoVista (previously Accellent) 5View LAN agents

• Endace Measurement Systems' ERF format captures

• Linux Bluez Bluetooth stack hcidump -w traces

• Catapult DCT2000 .out files

• Gammu generated text output from Nokia DCT3 phones in Netmonitor
mode

• IBM Series (OS/400) Comm traces (ASCII & UNICODE)

• Juniper Netscreen snoop files

• Symbian OS btsnoop files

• TamoSoft CommView files

• Tektronix K12xx 32bit .rf5 format files

• Tektronix K12 text file format captures

• Apple PacketLogger files

• Captures from Aethra Telecommunications' PC108 software for their
test instruments

• Citrix NetScaler Trace files

• Android Logcat binary and text format logs

• Colasoft Capsa and PacketBuilder captures

• Micropross mplog files

• Unigraf DPA-400 DisplayPort AUX channel monitor traces

• 802.15.4 traces from Daintree’s Sensor Network Analyzer

• MPEG-2 Transport Streams as defined in ISO/IEC 13818-1

• Log files from the candump utility

• Logs from the BUSMASTER tool

• Ixia IxVeriWave raw captures

• Rabbit Labs CAM Inspector files

• systemd journal files

• 3GPP TS 32.423 trace files

There is no need to tell Wireshark what type of file you are reading;
it will determine the file type by itself. Wireshark is also capable of
reading any of these file formats if they are compressed using gzip.
Wireshark recognizes this directly from the file; the '.gz' extension
is not required for this purpose.

Like other protocol analyzers, Wireshark's main window shows 3 views of
a packet. It shows a summary line, briefly describing what the packet
is. A packet details display is shown, allowing you to drill down to
the exact protocol or field that you are interested in. Finally, a hex
dump shows you exactly what the packet looks like when it goes over the
wire.

In addition, Wireshark has some features that make it unique. It can
assemble all the packets in a TCP conversation and show you the ASCII
(or EBCDIC, or hex) data in that conversation. Display filters in
Wireshark are very powerful; more fields are filterable in Wireshark
than in other protocol analyzers, and the syntax you can use to create
your filters is richer. As Wireshark progresses, expect more and more
protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the display filter syntax.

Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, Wireshark will compile, but will be
unable to read compressed files.

The pathname of a capture file to be read can be specified with the -r
option or can be specified as a command-line argument.

OPTIONS
Most users will want to start Wireshark without options and configure
it from the menus instead. Those users may just skip this section.

-a|--autostop <capture autostop condition>

Specify a criterion that specifies when Wireshark is to stop
writing to a capture file. The criterion is of the form test:value,
where test is one of:

duration:value Stop writing to a capture file after value seconds
have elapsed. Floating point values (e.g. 0.5) are allowed.

files:value Stop writing to capture files after value number of
files were written.

filesize:value Stop writing to a capture file after it reaches a
size of value kB. If this option is used together with the -b
option, Wireshark will stop writing to the current capture file and
switch to the next one if filesize is reached. Note that the
filesize is limited to a maximum value of 2 GiB.

packets:value Stop writing to a capture file after it contains
value packets. Same as -c<capture packet count>.

-b|--ring-buffer <capture ring buffer option>

Cause Wireshark to run in "multiple files" mode. In "multiple
files" mode, Wireshark will write to several capture files. When
the first capture file fills up, Wireshark will switch writing to
the next file and so on.

The created filenames are based on the filename given with the -w
flag, the number of the file and on the creation date and time,
e.g. outfile_00001_20220714120117.pcap,
outfile_00002_20220714120523.pcap, ...

With the files option it’s also possible to form a "ring buffer".
This will fill up new files until the number of files specified, at
which point Wireshark will discard the data in the first file and
start writing to that file and so on. If the files option is not
set, new files are filled up until one of the capture stop
conditions matches (or until the disk is full).

The criterion is of the form key:value, where key is one of:

duration:value switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.
Floating point values (e.g. 0.5) are allowed.

files:value begin again with the first file after value number of
files were written (form a ring buffer). This value must be less
than 100000. Caution should be used when using large numbers of
files: some filesystems do not handle many files in a single
directory well. The files criterion requires one of the other
criteria to be specified to control when to go to the next file. It
should be noted that each -b parameter takes exactly one criterion;
to specify two criteria, each must be preceded by the -b option.

filesize:value switch to the next file after it reaches a size of
value kB. Note that the filesize is limited to a maximum value of 2
GiB.

interval:value switch to the next file when the time is an exact
multiple of value seconds.

packets:value switch to the next file after it contains value
packets.

Example: -b filesize:1000 -b files:5 results in a ring buffer of
five files of size one megabyte each.
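
Added example, not part of the Wireshark manual: a POSIX shell helper that takes the file names produced by -w with -b and a moment of interest, and picks the file that was being written at that moment, or reports that the ring has already overwritten it. The function names are hypothetical, the third sample name is constructed, and the moment of interest is assumed to be expressed in the same time zone as the stamps in the file names.

```shell
#!/bin/sh
# Added example, not Wireshark code. ring_stamp and ring_file_for are
# hypothetical helper names.

# ring_stamp NAME: print the 14-digit creation stamp (YYYYMMDDhhmmss) taken
# from a name such as outfile_00001_20220714120117.pcap; fail otherwise.
ring_stamp() (
    base=${1##*/}        # drop any directory part
    base=${base%.*}      # drop the .pcap / .pcapng suffix
    stamp=${base##*_}    # text after the last underscore
    case $stamp in
        ''|*[!0-9]*) exit 1 ;;
    esac
    [ "${#stamp}" -eq 14 ] || exit 1
    printf '%s\n' "$stamp"
)

# ring_file_for STAMP FILE...: print the file with the latest creation stamp
# that is not after STAMP, i.e. the file being written at that moment.
# Exit 1 when STAMP predates every file: the ring has already overwritten
# that period, or the capture had not started yet.
ring_file_for() (
    want=$1
    shift
    best=
    best_stamp=0
    for f in "$@"; do
        s=$(ring_stamp "$f") || continue    # ignore names that do not fit
        if [ "$s" -le "$want" ] && [ "$s" -gt "$best_stamp" ]; then
            best=$f
            best_stamp=$s
        fi
    done
    [ -n "$best" ] || exit 1
    printf '%s\n' "$best"
)

# The first two names are the ones in the manual text; the third is
# constructed for this example.
ring_file_for 20220714120300 \
    outfile_00001_20220714120117.pcap \
    outfile_00002_20220714120523.pcap \
    outfile_00003_20220714121009.pcap
```

A moment later than the newest stamp selects the newest file, which may still be open for writing.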

-B|--buffer-size <capture buffer size>

Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be
written to disk. If you encounter packet drops while capturing, try
to increase this size. Note that, while Wireshark attempts to set
the buffer size to 2 MiB by default, and can be told to set it to a
larger value, the system or interface on which you’re capturing
might silently limit the capture buffer size to a lower value or
raise it to a higher value.

This is available on UNIX systems with libpcap 1.0.0 or later and
on Windows. It is not available on UNIX systems with earlier
versions of libpcap.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture buffer
size. If used after an -i option, it sets the capture buffer size
for the interface specified by the last -i option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used instead.

-c <capture packet count>

Set the maximum number of packets to read when capturing live data.
Same as -a packets:<capture packet count>.

-C <configuration profile>

Start with the given configuration profile.

--capture-comment <comment>

When performing a capture from the command line, with the -k
flag, add a capture comment to the output file, if supported by the
capture format.

This option may be specified multiple times. Note that Wireshark
currently only displays the first comment of a capture file.

-d <layer type>==<selector>,<decode-as protocol>

Like Wireshark’s Decode As... feature, this lets you specify how a
layer type should be dissected. If the layer type in question (for
example, tcp.port or udp.port for a TCP or UDP port number) has the
specified selector value, packets should be dissected as the
specified protocol.

Example: -d tcp.port==8888,http will decode any traffic running
over TCP port 8888 as HTTP.

See the tshark(1) manual page for more examples.

-D|--list-interfaces

Print a list of the interfaces on which Wireshark can capture, and
exit. For each network interface, a number and an interface name,
possibly followed by a text description of the interface, is
printed. The interface name or the number can be supplied to the -i
flag to specify an interface on which to capture.

This can be useful on systems that don’t have a command to list
them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
link show). The number can be useful on Windows systems, where the
interface name might be a long name or a GUID.

Note that "can capture" means that Wireshark was able to open that
device to do a live capture; if, on your system, a program doing a
network capture must be run from an account with special privileges
(for example, as root), then, if Wireshark is run with the -D flag
and is not run from such an account, it will not list any
interfaces.

--display <X display to use>

Specifies the X display to use. A hostname and screen
(otherhost:0.0) or just a screen (:0.0) can be specified. This
option is not available under Windows.

--disable-protocol <proto_name>

Disable dissection of proto_name.

--disable-heuristic <short_name>

Disable dissection of heuristic protocol.

--enable-protocol <proto_name>

Enable dissection of proto_name.

--enable-heuristic <short_name>

Enable dissection of heuristic protocol.

-f <capture filter>

Set the capture filter expression.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture filter
expression. If used after an -i option, it sets the capture filter
expression for the interface specified by the last -i option
occurring before this option. If the capture filter expression is
not set specifically, the default capture filter expression is used
if provided.

Pre-defined capture filter names, as shown in the GUI menu item
Capture→Capture Filters, can be used by prefixing the argument with
"predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"

--fullscreen

Start Wireshark in full screen mode (kiosk mode). To exit from
fullscreen mode, open the View menu and select the Full Screen
option. Alternatively, press the F11 key (or Ctrl + Cmd + F for
macOS).

-g <packet number>

After reading in a capture file using the -r flag, go to the given
packet number.

-h|--help

Print the version number and options and exit.

-H

Hide the capture info dialog during live packet capture.

-i|--interface <capture interface>|-

Set the name of the network interface or pipe to use for live
packet capture.

Network interface names should match one of the names listed in
"wireshark -D" (described above); a number, as reported by
"wireshark -D", can also be used. If you’re using UNIX, "netstat
-i", "ifconfig -a" or "ip link" might also work to list interface
names, although not all versions of UNIX support the -a option to
ifconfig.

If no interface is specified, Wireshark searches the list of
interfaces, choosing the first non-loopback interface if there are
any non-loopback interfaces, and choosing the first loopback
interface if there are no non-loopback interfaces. If there are no
interfaces at all, Wireshark reports an error and doesn’t start the
capture.

Pipe names should be either the name of a FIFO (named pipe) or "-"
to read data from the standard input. On Windows systems, pipe
names must be of the form "\\.\pipe\pipename". Data read from
pipes must be in standard pcapng or pcap format. Pcapng data must
have the same endianness as the capturing host.

"TCP@<host>:<port>" causes Wireshark to attempt to connect to the
specified port on the specified host and read pcapng or pcap data.

This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcapng format.
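
Added example, not part of the Wireshark manual: a pre-flight check for data that is about to be fed to -i through a pipe, based on the two rules above (pcap or pcapng only, and pcapng in the host's byte order). The function names are hypothetical; the magic numbers are those of the pcap and pcapng file formats, and the sample bytes are constructed.

```shell
#!/bin/sh
# Added example, not Wireshark code; all function names are hypothetical.

# capture_kind FILE: classify FILE by its first 12 bytes.
capture_kind() (
    hex=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    case $hex in
        d4c3b2a1*|4d3cb2a1*) echo pcap-le ;;    # pcap magic, usec or nsec
        a1b2c3d4*|a1b23c4d*) echo pcap-be ;;
        # pcapng: Section Header Block type, 4 length bytes, byte-order magic
        0a0d0d0a????????4d3c2b1a) echo pcapng-le ;;
        0a0d0d0a????????1a2b3c4d) echo pcapng-be ;;
        1f8b*) echo gzip ;;                      # gzip is described for files only
        *) echo unknown ;;
    esac
)

# host_byte_order: print le or be for the machine running this script.
# od -tx2 prints 2-byte units in host order, so the bytes 01 00 read as
# 0001 on a little-endian host and 0100 on a big-endian one.
host_byte_order() (
    case $(printf '\001\000' | od -An -tx2 | tr -d ' \n') in
        0001) echo le ;;
        0100) echo be ;;
        *) echo unknown ;;
    esac
)

# pipe_input_ok FILE: succeed if FILE may be sent through a pipe to -i:
# pcap in any byte order, or pcapng in the host's byte order.
pipe_input_ok() (
    kind=$(capture_kind "$1")
    case $kind in
        pcap-*) exit 0 ;;
        pcapng-*) [ "${kind#pcapng-}" = "$(host_byte_order)" ] ;;
        *) exit 1 ;;
    esac
)

# Constructed sample: the first 12 bytes of a little-endian pcapng file.
sample=$(mktemp)
printf '\012\015\015\012\034\000\000\000\115\074\053\032' > "$sample"
echo "sample is $(capture_kind "$sample"), host is $(host_byte_order)"
rm -f "$sample"
```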

-I|--monitor-mode

Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating
systems.

Note that in monitor mode the adapter might disassociate from the
network with which it’s associated, so that you will not be able to
use any wireless networks with that adapter. This could prevent
accessing files on a network server, or resolving host names or
network addresses, if you are capturing in monitor mode and are not
connected to another network with another adapter.

This option can occur multiple times. If used before the first
occurrence of the -i option, it enables the monitor mode for all
interfaces. If used after an -i option, it enables the monitor mode
for the interface specified by the last -i option occurring before
this option.

-j

Use after -J to change the behavior when no exact match is found
for the filter. With this option, select the first packet before.

-J <jump filter>

After reading in a capture file using the -r flag, jump to the
packet matching the filter (display filter syntax). If no exact
match is found, the first packet after that is selected.

-k

Start the capture session immediately. If the -i flag was
specified, the capture uses the specified interface. Otherwise,
Wireshark searches the list of interfaces, choosing the first
non-loopback interface if there are any non-loopback interfaces,
and choosing the first loopback interface if there are no
non-loopback interfaces; if there are no interfaces, Wireshark
reports an error and doesn’t start the capture.

-K <keytab>

Load Kerberos crypto keys from the specified keytab file. This
option can be used multiple times to load keys from several files.

Example: -K krb5.keytab

-l

Turn on automatic scrolling if the packet display is being updated
automatically as packets arrive during a capture (as specified by
the -S flag).

-L|--list-data-link-types

List the data link types supported by the interface and exit.

--list-time-stamp-types

List time stamp types supported for the interface. If no time stamp
type can be set, no time stamp types are listed.

-n

Disable network object name resolution (such as hostname, TCP and
UDP port names); the -N flag might override this one.

-N <name resolving flags>

Turn on name resolving only for particular types of addresses and
port numbers, with name resolving for other types of addresses and
port numbers turned off. This flag overrides -n if both -N and -n
are present. If both -N and -n flags are not present, all name
resolutions are turned on.

The argument is a string that may contain the letters:

m to enable MAC address resolution

n to enable network address resolution

N to enable using external resolvers (e.g., DNS) for network
address resolution

t to enable transport-layer port number resolution

d to enable resolution from captured DNS packets

v to enable VLAN IDs to names resolution

-o <preference/recent setting>

Set a preference or recent value, overriding the default value and
any value read from a preference/recent file. The argument to the
flag is a string of the form prefname:value, where prefname is the
name of the preference/recent value (which is the same name that
would appear in the preference/recent file), and value is the value
to which it should be set. Since Ethereal 0.10.12, the recent
settings replace the formerly used -B, -P and -T flags to
manipulate the GUI dimensions.

If prefname is "uat", you can override settings in various user
access tables using the form uat:uat filename:uat record. uat
filename must be the name of a UAT file, e.g. user_dlts. uat record
must be in the form of a valid record for that file, including
quotes. For instance, to specify a user DLT from the command line,
you would use

-o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""

-p|--no-promiscuous-mode

Don’t put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, -p cannot be used to ensure that the only traffic that is
captured is traffic sent to or from the machine on which Wireshark
is running, broadcast traffic, and multicast traffic to addresses
received by that machine.

This option can occur multiple times. If used before the first
occurrence of the -i option, no interface will be put into the
promiscuous mode. If used after an -i option, the interface
specified by the last -i option occurring before this option will
not be put into the promiscuous mode.

-P <path setting>

Special path settings usually detected automatically. This is used
for special cases, e.g. starting Wireshark from a known location on
a USB stick.

The criterion is of the form key:path, where key is one of:

persconf:path path of personal configuration files, like the
preferences files.

persdata:path path of personal data files; it’s the folder
initially opened. After the very first initialization, the recent
file will keep the folder last used.

-r|--read-file <infile>

Read packet data from infile, which can be in any supported capture
file format (including gzipped files). It’s not possible to use named
pipes or stdin here! To capture from a pipe or from stdin use -i -.

-R|--read-filter <read (display) filter>

When reading a capture file specified with the -r flag, causes the
specified filter (which uses the syntax of display filters, rather
than that of capture filters) to be applied to all packets read
from the capture file; packets not matching the filter are
discarded.

-s|--snapshot-length <capture snaplen>

Set the default snapshot length to use when capturing live data. No
more than snaplen bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length
of 262144, so that the full packet is captured; this is the
default.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default snapshot length.
If used after an -i option, it sets the snapshot length for the
interface specified by the last -i option occurring before this
option. If the snapshot length is not set specifically, the default
snapshot length is used if provided.

-S

Automatically update the packet display as packets are coming in.

-t a|ad|adoy|d|dd|e|r|u|ud|udoy

Set the format of the packet timestamp displayed in the packet list
window. The format can be one of:

a absolute: The absolute time, as local time in your time zone, is
the actual time the packet was captured, with no date displayed

ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
and time, as local time in your time zone, is the actual time and
date the packet was captured

adoy absolute with date using day of year: The absolute date,
displayed as YYYY/DOY, and time, as local time in your time zone,
is the actual time and date the packet was captured

d delta: The delta time is the time since the previous packet was
captured

dd delta_displayed: The delta_displayed time is the time since the
previous displayed packet was captured

e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

r relative: The relative time is the time elapsed between the first
packet and the current packet

u UTC: The absolute time, as UTC, is the actual time the packet was
captured, with no date displayed

ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
time, as UTC, is the actual time and date the packet was captured

udoy UTC with date using day of year: The absolute date, displayed
as YYYY/DOY, and time, as UTC, is the actual time and date the
packet was captured

The default format is relative.

--time-stamp-type <type>

Change the interface’s timestamp method. See
--list-time-stamp-types.

-u <s|hms>

Output format of seconds (def: s: seconds)

-v|--version

Print the full version information and exit.

-w <outfile>

Set the default capture file name, or '-' for standard output.

-X <eXtension options>

Specify an option to be passed to a Wireshark module. The
eXtension option is in the form extension_key:value, where
extension_key can be:

lua_script:lua_script_filename tells Wireshark to load the given
script in addition to the default Lua scripts.

lua_scriptnum:argument tells Wireshark to pass the given argument
to the Lua script identified by 'num', which is the number indexed
order of the 'lua_script' command. For example, if only one script
was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
will pass the string 'foo' to the 'my.lua' script. If two scripts
were loaded, such as '-X lua_script:my.lua' and '-X
lua_script:other.lua' in that order, then a '-X lua_script2:bar'
would pass the string 'bar' to the second Lua script, namely
'other.lua'.

read_format:file_format tells Wireshark to use the given file
format to read in the file (the file given in the -r command
option).

stdin_descr:description tells Wireshark to use the given
description when capturing from standard input (-i -).

-y|--linktype <capture link type>

If a capture is started from the command line with -k, set the data
link type to use while capturing packets. The values reported by -L
are the values that can be used.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture link type.
If used after an -i option, it sets the capture link type for the
interface specified by the last -i option occurring before this
option. If the capture link type is not set specifically, the
default capture link type is used if provided.
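
Added example, not part of the Wireshark manual: a small shell model of the binding rule stated for -B, -f, -p and -s (before the first -i an option sets the default; after an -i it applies only to that interface), so a command line can be checked for an interface left without its intended filter or snapshot length. It is not Wireshark's own parser; effective_capture_settings is a hypothetical name and eth0/eth1 are constructed interface names.

```shell
#!/bin/sh
# Added example, not Wireshark code: a model of the option-binding rule in
# the manual text. effective_capture_settings is a hypothetical name.

# Prints one line per -i interface:
#   <iface> buffer=<MiB> snaplen=<bytes> promisc=<on|off> filter=<expr>
effective_capture_settings() (
    # Defaults stated in the manual: 2 MiB buffer, snaplen 0 (= 262144),
    # promiscuous mode on, no capture filter.
    def_B=2; def_s=0; def_p=on; def_f=
    iface=; B=; s=; p=; f=; have_f=

    # emit: print the settings of the interface that has just been completed.
    emit() {
        [ -n "$iface" ] || return 0
        eb=${B:-$def_B}
        es=${s:-$def_s}
        ep=${p:-$def_p}
        if [ -n "$have_f" ]; then ef=$f; else ef=$def_f; fi
        if [ "$es" -eq 0 ]; then es=262144; fi
        printf '%s buffer=%s snaplen=%s promisc=%s filter=%s\n' \
            "$iface" "$eb" "$es" "$ep" "$ef"
    }

    while [ $# -gt 0 ]; do
        opt=$1
        shift
        case $opt in
            -p|--no-promiscuous-mode)
                if [ -n "$iface" ]; then p=off; else def_p=off; fi
                continue ;;
            -i|--interface|-B|--buffer-size|-s|--snapshot-length|-f)
                [ $# -gt 0 ] || exit 2      # option without its argument
                val=$1
                shift ;;
            *)  continue ;;                  # options not modelled here
        esac
        case $opt in
            -i|--interface)
                emit                         # previous interface is complete
                iface=$val; B=; s=; p=; f=; have_f= ;;
            -B|--buffer-size)
                if [ -n "$iface" ]; then B=$val; else def_B=$val; fi ;;
            -s|--snapshot-length)
                if [ -n "$iface" ]; then s=$val; else def_s=$val; fi ;;
            -f)
                if [ -n "$iface" ]; then f=$val; have_f=1; else def_f=$val; fi ;;
        esac
    done
    emit
)

# Constructed command line: the -f after "-i eth0" binds to eth0 only, so
# eth1 is captured without a filter.
effective_capture_settings -s 96 -i eth0 -f "port 53" -i eth1 -B 64 -s 0 -p
```

Placing -f before the first -i instead makes the filter the default for every interface that does not set its own.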

-Y|--display-filter <displaY filter>

Start with the given display filter.

-z <statistics>

Get Wireshark to collect various types of statistics and display
the result in a window that updates in semi-real time.

Some of the currently implemented statistics are:

-z help

Display all possible values for -z.

-z afp,srt[,filter]

Show Apple Filing Protocol service response time statistics.

-z conv,type[,filter]

Create a table that lists all conversations that could be seen in
the capture. type specifies the conversation endpoint types for
which we want to generate the statistics; currently the supported
ones are:

"eth"    Ethernet addresses
"fc"     Fibre Channel addresses
"fddi"   FDDI addresses
"ip"     IPv4 addresses
"ipv6"   IPv6 addresses
"ipx"    IPX addresses
"tcp"    TCP/IP socket pairs (both IPv4 and IPv6 are supported)
"tr"     Token Ring addresses
"udp"    UDP/IP socket pairs (both IPv4 and IPv6 are supported)

If the optional filter is specified, only those packets that match
the filter will be used in the calculations.

The table is presented with one line for each conversation and
displays the number of packets/bytes in each direction as well as
the total number of packets/bytes. By default, the table is sorted
according to the total number of packets.

These tables can also be generated at runtime by selecting the
appropriate conversation type from the menu
"Tools/Statistics/Conversation List/".

-z dcerpc,srt,name-or-uuid,major.minor[,filter]

Collect call/reply SRT (Service Response Time) data for DCERPC
interface name or uuid, version major.minor. Data collected is the
number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
Interface name and uuid are case-insensitive.

Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
will collect data for the CIFS SAMR Interface.

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z
dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
will collect SAMR SRT statistics for a specific host.

-z dhcp,stat[,filter]

Show DHCP (BOOTP) statistics.

-z expert

Show expert information.

-z fc,srt[,filter]

Collect call/reply SRT (Service Response Time) data for FC. Data
collected is the number of calls for each Fibre Channel command,
MinSRT, MaxSRT and AvgSRT.

Example: -z fc,srt will calculate the Service Response Time as the
time delta between the First packet of the exchange and the Last
packet of the exchange.

The data will be presented as separate tables for all normal FC
commands. Only those commands that are seen in the capture will
have their stats displayed.

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z "fc,srt,fc.id==01.02.03" will collect stats only for FC
packets exchanged by the host at FC address 01.02.03.

-z h225,counter[,filter]

Count ITU-T H.225 messages and their reasons. In the first column
you get a list of H.225 messages and H.225 message reasons which
occur in the current capture file. The number of occurrences of
each message or reason is displayed in the second column.

Example: -z h225,counter

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only
for H.225 packets exchanged by the host at IP address 1.2.3.4.

-z h225,srt[,filter]

Collect request/response SRT (Service Response Time) data for ITU-T
H.225 RAS. Data collected is the number of calls of each ITU-T
H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
Minimum in Packet, and Maximum in Packet. You will also get the
number of Open Requests (Unresponded Requests), Discarded Responses
(Responses without matching request) and Duplicate Messages.

Example: -z h225,srt

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for
ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4.

794 -z io,stat
795
796 Collect packet/bytes statistics for the capture in intervals of 1
797 second. This option will open a window with up to 5 color-coded
798 graphs where number-of-packets-per-second or
799 number-of-bytes-per-second statistics can be calculated and
800 displayed.
801
802 This option can be used multiple times on the command line.
803
804 This graph window can also be opened from the
805 Analyze:Statistics:Traffic:IO-Stat menu item.
806
807 -z ldap,srt[,filter]
808
809 Collect call/reply SRT (Service Response Time) data for LDAP. Data
810 collected is the number of calls for each implemented LDAP command,
811 MinSRT, MaxSRT and AvgSRT.
812
813 Example: -z ldap,srt will calculate the Service Response Time as
814 the time delta between the Request and the Response.
815
816 The data will be presented as separate tables for all implemented
817 LDAP commands, Only those commands that are seen in the capture
818 will have its stats displayed.
819
820 This option can be used multiple times on the command line.
821
822 If the optional filter is provided, the stats will only be
823 calculated on those calls that match that filter.
824
825 Example: use -z "ldap,srt,ip.addr==10.1.1.1" will collect stats
826 only for LDAP packets exchanged by the host at IP address 10.1.1.1
827 .
828
829 The only LDAP commands that are currently implemented and for which
830 the stats will be available are: BIND SEARCH MODIFY ADD DELETE
831 MODRDN COMPARE EXTENDED
832
833 -z megaco,srt[,filter]
834
835 Collect request/response SRT (Service Response Time) data for
836 MEGACO. (This is similar to -z smb,srt). Data collected is the
837 number of calls for each known MEGACO Command, Minimum SRT, Maximum
838 SRT and Average SRT.
839
840 Example: -z megaco,srt
841
842 This option can be used multiple times on the command line.
843
844 If the optional filter is provided, the stats will only be
845 calculated on those calls that match that filter.
846
847 Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only
848 for MEGACO packets exchanged by the host at IP address 1.2.3.4.
849
850 -z mgcp,srt[,filter]
851
852 Collect request/response SRT (Service Response Time) data for MGCP.
853 (This is similar to -z smb,srt). Data collected is the number of
854 calls for each known MGCP Type, Minimum SRT, Maximum SRT and
855 Average SRT.
856
857 Example: -z mgcp,srt
858
859 This option can be used multiple times on the command line.
860
861 If the optional filter is provided, the stats will only be
862 calculated on those calls that match that filter.
863
864 Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for
865 MGCP packets exchanged by the host at IP address 1.2.3.4.
866
867 -z mtp3,msus[,<filter>]
868
869 Show MTP3 MSU statistics.
870
871 -z multicast,stat[,<filter>]
872
873 Show UDP multicast stream statistics.
874
875 -z rpc,programs
876
877 Collect call/reply SRT data for all known ONC-RPC
878 programs/versions. Data collected is the number of calls for each
879 protocol/version, MinSRT, MaxSRT and AvgSRT.
880
881 -z rpc,srt,name-or-number,version[,<filter>]
882
883 Collect call/reply SRT (Service Response Time) data for program
884 name/version or number/version. Data collected is the number of
885 calls for each procedure, MinSRT, MaxSRT and AvgSRT. Program name
886 is case-insensitive.
887
888 Example: -z rpc,srt,100003,3 will collect data for NFS v3.
889
890 This option can be used multiple times on the command line.
891
892 If the optional filter is provided, the stats will only be
893 calculated on those calls that match that filter.
894
895 Example: -z rpc,srt,nfs,3,nfs.fh.hash==0x12345678 will collect NFS
896 v3 SRT statistics for a specific file.
897
898 -z scsi,srt,cmdset[,<filter>]
899
900 Collect call/reply SRT (Service Response Time) data for SCSI
901 commandset <cmdset>.
902
903 Commandsets are 0:SBC 1:SSC 5:MMC
904
905 Data collected is the number of calls for each procedure, MinSRT,
906 MaxSRT and AvgSRT.
907
908 Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
909 (SBC).
910
911 This option can be used multiple times on the command line.
912
913 If the optional filter is provided, the stats will only be
914 calculated on those calls that match that filter.
915
916 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
917 statistics for a specific iscsi/ifcp/fcip host.
918
919 -z sip,stat[,filter]
920
921 This option will activate a counter for SIP messages. You will get
922 the number of occurrences of each SIP Method and of each SIP
923 Status-Code. Additionally you also get the number of resent SIP
924 Messages (only for SIP over UDP).
925
926 Example: -z sip,stat
927
928 This option can be used multiple times on the command line.
929
930 If the optional filter is provided, the stats will only be
931 calculated on those calls that match that filter.
932
933 Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for
934 SIP packets exchanged by the host at IP address 1.2.3.4.
935
936 -z smb,srt[,filter]
937
938 Collect call/reply SRT (Service Response Time) data for SMB. Data
939 collected is the number of calls for each SMB command, MinSRT,
940 MaxSRT and AvgSRT.
941
942 Example: -z smb,srt
943
944 The data will be presented as separate tables for all normal SMB
945 commands, all Transaction2 commands and all NT Transaction
946 commands. Only those commands that are seen in the capture will
947 have their stats displayed. Only the first command in a xAndX
948 command chain will be used in the calculation. So for common
949 SessionSetupAndX + TreeConnectAndX chains, only the
950 SessionSetupAndX call will be used in the statistics. This is a
951 flaw that might be fixed in the future.
952
953 This option can be used multiple times on the command line.
954
955 If the optional filter is provided, the stats will only be
956 calculated on those calls that match that filter.
957
958 Example: -z "smb,srt,ip.addr==1.2.3.4" will collect stats only for
959 SMB packets exchanged by the host at IP address 1.2.3.4.
960
961 -z voip,calls
962
963 This option will show a window that shows VoIP calls found in the
964 capture file. This is the same window shown as when you go to the
965 Statistics Menu and choose VoIP Calls.
966
967 Example: -z voip,calls
968
969 -z wlan,stat[,<filter>]
970
971 Show IEEE 802.11 network and station statistics.
972
973 -z wsp,stat[,<filter>]
974
975 Show WSP packet counters.
976
978 MENU ITEMS
979 File › Open
980
981
982 File › Open Recent
983
984
985 File › Merge
986
987 Merge another capture file into the currently loaded one. The
988 File:Merge dialog box allows the file to be merged "Prepended",
989 "Chronologically" or "Appended", relative to the already loaded
990 one.
991
992 File › Close
993
994 Open or close a capture file. The File:Open dialog box allows a
995 filter to be specified; when the capture file is read, the filter
996 is applied to all packets read from the file, and packets not
997 matching the filter are discarded. The File:Open Recent is a
998 submenu and will show a list of previously opened files.
999
1000 File › Save
1001
1002
1003 File › Save As
1004
1005 Save the current capture, or the packets currently displayed from
1006 that capture, to a file. Check boxes let you select whether to save
1007 all packets, or just those that have passed the current display
1008 filter and/or those that are currently marked, and an option menu
1009 lets you select (from a list of file formats in which a particular
1010 capture, or the packets currently displayed from that capture, can
1011 be saved) a file format in which to save it.
1012
1013 File › File Set › List Files
1014
1015 Show a dialog box that lists all files of the file set matching the
1016 currently loaded file. A file set is a compound of files resulting
1017 from a capture using the "multiple files" / "ringbuffer" mode,
1018 recognizable by the filename pattern, e.g.:
1019 Filename_00001_20220714101530.pcap.
1020
1021 File › File Set › Next File
1022
1023
1024 File › File Set › Previous File
1025
1026 If the currently loaded file is part of a file set (see above),
1027 open the next / previous file in that set.
1028
1029 File › Export
1030
1031 Export captured data into an external format. Note: the data cannot
1032 be imported back into Wireshark, so be sure to keep the capture
1033 file.
1034
1035 File › Print
1036
1037 Print packet data from the current capture. You can select the
1038 range of packets to be printed (which packets are printed), and the
1039 output format of each packet (how each packet is printed). The
1040 output format will be similar to the displayed values, so a summary
1041 line, the packet details view, and/or the hex dump of the packet
1042 can be printed.
1043
1044 Printing options can be set with the Edit:Preferences menu item, or
1045 in the dialog box popped up by this menu item.
1046
1047 File › Quit
1048
1049 Exit the application.
1050
1051 Edit › Copy › Description
1052
1053 Copies the description of the selected field in the protocol tree
1054 to the clipboard.
1055
1056 Edit › Copy › Fieldname
1057
1058 Copies the fieldname of the selected field in the protocol tree to
1059 the clipboard.
1060
1061 Edit › Copy › Value
1062
1063 Copies the value of the selected field in the protocol tree to the
1064 clipboard.
1065
1066 Edit › Copy › As Filter
1067
1068 Create a display filter based on the data currently highlighted in
1069 the packet details and copy that filter to the clipboard.
1070
1071 If that data is a field that can be tested in a display filter
1072 expression, the display filter will test that field; otherwise, the
1073 display filter will be based on the absolute offset within the
1074 packet. Therefore it could be unreliable if the packet contains
1075 protocols with variable-length headers, such as a source-routed
1076 token-ring packet.
1077
1078 Edit › Find Packet
1079
1080 Search forward or backward, starting with the currently selected
1081 packet (or the most recently selected packet, if no packet is
1082 selected). Search criteria can be a display filter expression, a
1083 string of hexadecimal digits, or a text string.
1084
1085 When searching for a text string, you can search the packet data,
1086 or you can search the text in the Info column in the packet list
1087 pane or in the packet details pane.
1088
1089 Hexadecimal digits can be separated by colons, periods, or dashes.
1090 Text string searches can be ASCII or Unicode (or both), and may be
1091 case insensitive.
1092
1093 Edit › Find Next
1094
1095
1096 Edit › Find Previous
1097
1098 Search forward / backward for a packet matching the filter from the
1099 previous search, starting with the currently selected packet (or
1100 the most recently selected packet, if no packet is selected).
1101
1102 Edit › Mark Packet (toggle)
1103
1104 Mark (or unmark if currently marked) the selected packet. The field
1105 "frame.marked" is set for packets that are marked, so that, for
1106 example, a display filter can be used to display only marked
1107 packets, and so that the "Edit:Find Packet" dialog can be used to
1108 find the next or previous marked packet.
1109
1110 Edit › Find Next Mark
1111
1112
1113 Edit › Find Previous Mark
1114
1115 Find next/previous marked packet.
1116
1117 Edit › Mark All Packets
1118
1119
1120 Edit › Unmark All Packets
1121
1122 Mark / Unmark all packets that are currently displayed.
1123
1124 Edit › Time Reference › Set Time Reference (toggle)
1125
1126 Set (or unset if currently set) the selected packet as a Time
1127 Reference packet. When a packet is set as a Time Reference packet,
1128 the timestamps in the packet list pane will be replaced with the
1129 string "REF". The relative time timestamp in later packets will
1130 then be calculated relative to the timestamp of this Time Reference
1131 packet and not the first packet in the capture.
1132
1133 Packets that have been selected as Time Reference packets will
1134 always be displayed in the packet list pane. Display filters will
1135 not affect or hide these packets.
1136
1137 If there is a column displayed for "Cumulative Bytes" this counter
1138 will be reset at every Time Reference packet.
1139
1140 Edit › Time Reference › Find Next
1141
1142
1143 Edit › Time Reference › Find Previous
1144
1145 Search forward / backward for a time referenced packet.
1146
1147 Edit › Configuration Profiles
1148
1149 Manage configuration profiles to be able to use more than one set
1150 of preferences and configurations.
1151
1152 Edit › Preferences
1153
1154 Set the GUI, capture, printing and protocol options (see
1155 Preferences dialog below).
1156
1157 View › Main Toolbar
1158
1159
1160 View › Filter Toolbar
1161
1162
1163 View › Statusbar
1164
1165 Show or hide the main window controls.
1166
1167 View › Packet List
1168
1169
1170 View › Packet Details
1171
1172
1173 View › Packet Bytes
1174
1175 Show or hide the main window panes.
1176
1177 View › Time Display Format
1178
1179 Set the format of the packet timestamp displayed in the packet list
1180 window.
1181
1182 View › Name Resolution › Resolve Name
1183
1184 Try to resolve a name for the currently selected item.
1185
1186 View › Name Resolution › Enable for ... Layer
1187
1188 Enable or disable translation of addresses to names in the display.
1189
1190 View › Colorize Packet List
1191
1192 Enable or disable the coloring rules. Disabling will improve
1193 performance.
1194
1195 View › Auto Scroll in Live Capture
1196
1197 Enable or disable the automatic scrolling of the packet list while
1198 a live capture is in progress.
1199
1200 View › Zoom In
1201
1202
1203 View › Zoom Out
1204
1205 Zoom into / out of the main window data (by changing the font
1206 size).
1207
1208 View › Normal Size
1209
1210 Reset the zoom factor of zoom in / zoom out back to normal font
1211 size.
1212
1213 View › Resize All Columns
1214
1215 Resize all columns to best fit the current packet display.
1216
1217 View › Expand / Collapse Subtrees
1218
1219 Expands / Collapses the currently selected item and its subtrees
1220 in the packet details.
1221
1222 View › Expand All
1223
1224
1225 View › Collapse All
1226
1227 Expand / Collapse all branches of the packet details.
1228
1229 View › Colorize Conversation
1230
1231 Select color for a conversation.
1232
1233 View › Reset Coloring 1-10
1234
1235 Reset Color for a conversation.
1236
1237 View › Coloring Rules
1238
1239 Change the foreground and background colors of the packet
1240 information in the list of packets, based upon display filters. The
1241 list of display filters is applied to each packet sequentially.
1242 After the first display filter matches a packet, any additional
1243 display filters in the list are ignored. Therefore, if you are
1244 filtering on the existence of protocols, you should list the
1245 higher-level protocols first, and the lower-level protocols last.
1246
1247 How Colorization Works
1248
1249 Packets are colored according to a list of color filters. Each
1250 filter consists of a name, a filter expression and a coloration. A
1251 packet is colored according to the first filter that it matches.
1252 Color filter expressions use exactly the same syntax as display
1253 filter expressions.
1254
1255 When Wireshark starts, the color filters are loaded from:
1256
1257 1. The user’s personal color filters file or, if that does not
1258 exist,
1259
1260 2. The global color filters file.
1261
1262 If neither of these exists, the packets will not be colored.
1263
1264 View › Show Packet In New Window
1265
1266 Create a new window containing a packet details view and a hex dump
1267 window of the currently selected packet; this window will continue
1268 to display that packet’s details and data even if another packet is
1269 selected.
1270
1271 View › Reload
1272
1273 Reload a capture file. Same as File:Close and File:Open the same
1274 file again.
1275
1276 Go › Back
1277
1278 Go back in previously visited packets history.
1279
1280 Go › Forward
1281
1282 Go forward in previously visited packets history.
1283
1284 Go › Go To Packet
1285
1286 Go to a particular numbered packet.
1287
1288 Go › Go To Corresponding Packet
1289
1290 If a field in the packet details pane containing a packet number is
1291 selected, go to the packet number specified by that field. (This
1292 works only if the dissector that put that entry into the packet
1293 details put it into the details as a filterable field rather than
1294 just as text.) This can be used, for example, to go to the packet
1295 for the request corresponding to a reply, or the reply
1296 corresponding to a request, if that packet number has been put into
1297 the packet details.
1298
1299 Go › Previous Packet
1300
1301
1302 Go › Next Packet
1303
1304
1305 Go › First Packet
1306
1307
1308 Go › Last Packet
1309
1310 Go to the previous / next / first / last packet in the capture.
1311
1312 Go › Previous Packet In Conversation
1313
1314
1315 Go › Next Packet In Conversation
1316
1317 Go to the previous / next packet of the conversation (TCP, UDP or
1318 IP).
1319
1320 Capture › Interfaces
1321
1322 Shows a dialog box with all currently known interfaces and
1323 displaying the current network traffic amount. Capture sessions can
1324 be started from here. Beware: keeping this box open results in high
1325 system load!
1326
1327 Capture › Options
1328
1329 Initiate a live packet capture (see "Capture Options Dialog"
1330 below). If no filename is specified, a temporary file will be
1331 created to hold the capture. The location of the file can be chosen
1332 by setting your TMPDIR environment variable before starting
1333 Wireshark. Otherwise, the default TMPDIR location is
1334 system-dependent, but is likely either /var/tmp or /tmp.
1335
1336 Capture › Start
1337
1338 Start a live packet capture with the previously selected options.
1339 This won’t open the options dialog box, and can be convenient for
1340 repeatedly capturing with the same options.
1341
1342 Capture › Stop
1343
1344 Stop a running live capture.
1345
1346 Capture › Restart
1347
1348 While a live capture is running, stop it and restart with the same
1349 options again. This can be convenient to remove irrelevant packets,
1350 if no valuable packets were captured so far.
1351
1352 Capture › Capture Filters
1353
1354 Edit the saved list of capture filters, allowing filters to be
1355 added, changed, or deleted.
1356
1357 Analyze › Display Filters
1358
1359 Edit the saved list of display filters, allowing filters to be
1360 added, changed, or deleted.
1361
1362 Analyze › Display Filter Macros
1363
1364 Create shortcuts for complex macros
1365
1366 Analyze › Apply as Filter
1367
1368 Create a display filter based on the data currently highlighted in
1369 the packet details and apply the filter.
1370
1371 If that data is a field that can be tested in a display filter
1372 expression, the display filter will test that field; otherwise, the
1373 display filter will be based on the absolute offset within the
1374 packet. Therefore it could be unreliable if the packet contains
1375 protocols with variable-length headers, such as a source-routed
1376 token-ring packet.
1377
1378 The Selected option creates a display filter that tests for a match
1379 of the data; the Not Selected option creates a display filter that
1380 tests for a non-match of the data. The And Selected, Or Selected,
1381 And Not Selected, and Or Not Selected options add to the end of the
1382 display filter in the strip at the top (or bottom) an AND or OR
1383 operator followed by the new display filter expression.
1384
1385 Analyze › Prepare as Filter
1386
1387 Create a display filter based on the data currently highlighted in
1388 the packet details. The filter strip at the top (or bottom) is
1389 updated but it is not yet applied.
1390
1391 Analyze › Enabled Protocols
1392
1393 Allow protocol dissection to be enabled or disabled for a specific
1394 protocol. Individual protocols can be enabled or disabled by
1395 clicking on them in the list or by highlighting them and pressing
1396 the space bar. The entire list can be enabled, disabled, or
1397 inverted using the buttons below the list.
1398
1399 When a protocol is disabled, dissection in a particular packet
1400 stops when that protocol is reached, and Wireshark moves on to the
1401 next packet. Any higher-layer protocols that would otherwise have
1402 been processed will not be displayed. For example, disabling TCP
1403 will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
1404 and any other protocol exclusively dependent on TCP.
1405
1406 The list of protocols can be saved, so that Wireshark will start up
1407 with the protocols in that list disabled.
1408
1409 Analyze › Decode As
1410
1411 If you have a packet selected, present a dialog allowing you to
1412 change which dissectors are used to decode this packet. The dialog
1413 has one panel each for the link layer, network layer and transport
1414 layer protocol/port numbers, and will allow each of these to be
1415 changed independently. For example, if the selected packet is a TCP
1416 packet to port 12345, using this dialog you can instruct Wireshark
1417 to decode all packets to or from that TCP port as HTTP packets.
1418
1419 Analyze › User Specified Decodes
1420
1421 Create a new window showing whether any protocol ID to dissector
1422 mappings have been changed by the user. This window also allows the
1423 user to reset all decodes to their default values.
1424
1425 Analyze › Follow TCP Stream
1426
1427 If you have a TCP packet selected, display the contents of the data
1428 stream for the TCP connection to which that packet belongs, as
1429 text, in a separate window, and leave the list of packets in a
1430 filtered state, with only those packets that are part of that TCP
1431 connection being displayed. You can revert to your old view by
1432 pressing ENTER in the display filter text box, thereby invoking
1433 your old display filter (or resetting it back to no display
1434 filter).
1435
1436 The window in which the data stream is displayed lets you select:
1437
1438 • whether to display the entire conversation, or one or the other
1439 side of it;
1440
1441 • whether the data being displayed is to be treated as ASCII or
1442 EBCDIC text or as raw hex data;
1443
1444 and lets you print what’s currently being displayed, using the same
1445 print options that are used for the File:Print Packet menu item, or
1446 save it as text to a file.
1447
1448 Analyze › Follow UDP Stream
1449
1450
1451 Analyze › Follow TLS Stream
1452
1453 (Similar to Analyze:Follow TCP Stream)
1454
1455 Analyze › Expert Info
1456
1457
1458 Analyze › Expert Info Composite
1459
1460 (Kind of) a log of anomalies found by Wireshark in a capture file.
1461
1462 Analyze › Conversation Filter
1463
1464
1465 Statistics › Summary
1466
1467 Show summary information about the capture, including elapsed time,
1468 packet counts, byte counts, and the like. If a display filter is in
1469 effect, summary information will be shown about the capture and
1470 about the packets currently being displayed.
1471
1472 Statistics › Protocol Hierarchy
1473
1474 Show the number of packets, and the number of bytes in those
1475 packets, for each protocol in the trace. It organizes the protocols
1476 in the same hierarchy in which they were found in the trace.
1477 Besides counting the packets in which the protocol exists, a count
1478 is also made for packets in which the protocol is the last protocol
1479 in the stack. These last-protocol counts show you how many packets
1480 (and the byte count associated with those packets) ended in a
1481 particular protocol. In the table, they are listed under "End
1482 Packets" and "End Bytes".
1483
1484 Statistics › Conversations
1485
1486 Lists of conversations; selectable by protocol. See
1487 Statistics:Conversation List below.
1488
1489 Statistics › End Points
1490
1491 List of End Point Addresses by protocol with packets/bytes/...
1492 counts.
1493
1494 Statistics › Packet Lengths
1495
1496 Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
1497
1498 Statistics › I/O Graphs
1499
1500 Open a window where up to 5 graphs in different colors can be
1501 displayed to indicate number of packets or number of bytes per
1502 second for all packets matching the specified filter. By default
1503 only one graph will be displayed showing number of packets per
1504 second.
1505
1506 The top part of the window contains the graphs and scales for the X
1507 and Y axis. If the graph is too long to fit inside the window there
1508 is a horizontal scrollbar below the drawing area that can scroll
1509 the graphs to the left or the right. The horizontal axis displays
1510 the time into the capture and the vertical axis will display the
1511 measured quantity at that time.
1512
1513 Below the drawing area and the scrollbar are the controls. On the
1514 bottom left there will be five similar sets of controls, one for
1515 each individual graph: "Display:<button>", a button that toggles
1516 that individual graph on/off (if <button> is ticked, the graph
1517 will be displayed); "Color:<color>", which is just a button to
1518 show which color will be used to draw that graph; and finally
1519 "Filter:<filter-text>", which can be used to specify a display
1520 filter for that particular graph.
1521
1522 If filter-text is empty then all packets will be used to calculate
1523 the quantity for that graph. If filter-text is specified only those
1524 packets that match that display filter will be considered in the
1525 calculation of quantity.
1526
1527 To the right of the 5 graph controls there are four menus to
1528 control global aspects of the draw area and graphs. The "Unit:"
1529 menu is used to control what to measure; "packets/tick",
1530 "bytes/tick" or "advanced..."
1531
1532 packets/tick will measure the number of packets matching the (if
1533 specified) display filter for the graph in each measurement
1534 interval.
1535
1536 bytes/tick will measure the total number of bytes in all packets
1537 matching the (if specified) display filter for the graph in each
1538 measurement interval.
1539
1540 advanced... see below
1541
1542 "Tick interval:" specifies what measurement intervals to use. The
1543 default is 1 second and means that the data will be counted over 1
1544 second intervals.
1545
1546 "Pixels per tick:" specifies how many pixels wide each measurement
1547 interval will be in the drawing area. The default is 5 pixels per
1548 tick.
1549
1550 "Y-scale:" controls the max value for the y-axis. Default value is
1551 "auto" which means that Wireshark will try to adjust the max value
1552 automatically.
1553
1554 "advanced..." If Unit:advanced... is selected the window will
1555 display two more controls for each of the five graphs. One control
1556 will be a menu where the type of calculation can be selected from
1557 SUM, COUNT, MAX, MIN, AVG and LOAD, and one control, a text box,
1558 where the name of a single display filter field can be specified.
1559
1560 The following restrictions apply to type and field combinations:
1561
1562 SUM: available for all types of integers and will calculate the SUM
1563 of all occurrences of this field in the measurement interval. Note
1564 that some fields can occur multiple times in the same packet and
1565 then all instances will be summed up. Example: 'tcp.len' which will
1566 count the amount of payload data transferred across TCP in each
1567 interval.
1568
1569 COUNT: available for all field types. This will COUNT the number of
1570 times a certain field occurs in each interval. Note that some fields
1571 may occur multiple times in each packet and if that is the case
1572 then each instance will be counted independently and COUNT will be
1573 greater than the number of packets.
1574
1575 MAX: available for all integer and relative time fields. This will
1576 calculate the maximum integer/time value seen for the field during
1577 the interval. Example: 'smb.time' which will plot the maximum SMB
1578 response time.
1579
1580 MIN: available for all integer and relative time fields. This will
1581 calculate the minimum integer/time value seen for the field during
1582 the interval. Example: 'smb.time' which will plot the minimum SMB
1583 response time.
1584
1585 AVG: available for all integer and relative time fields. This will
1586 calculate the average integer/time value seen for the field
1587 during the interval. Example: 'smb.time' which will plot the
1588 average SMB response time.
1589
1590 LOAD: available only for relative time fields (response times).
1591
1592 Example of advanced: Display how NFS response time MAX/MIN/AVG
1593 changes over time:
1594
1595 Set first graph to:
1596
1597 filter:nfs&&rpc.time
1598 Calc:MAX rpc.time
1599
1600 Set second graph to
1601
1602 filter:nfs&&rpc.time
1603 Calc:AVG rpc.time
1604
1605 Set third graph to
1606
1607 filter:nfs&&rpc.time
1608 Calc:MIN rpc.time
1609
1610 Example of advanced: Display how the average packet size from host
1611 a.b.c.d changes over time.
1612
1613 Set first graph to
1614
1615 filter:ip.addr==a.b.c.d&&frame.pkt_len
1616 Calc:AVG frame.pkt_len
1617
1618 LOAD: The LOAD io-stat type is very different from anything you
1619 have ever seen before! While the response times themselves, as
1620 plotted by MIN, MAX and AVG, are indications of the server load
1621 (which affects the server response time), the LOAD measurement
1622 measures the client load. It measures how much workload the client
1623 generates, i.e. how fast the client issues new commands when the
1624 previous ones have completed, in other words the level of
1625 concurrency the client can maintain. The higher the number, the
1626 more commands the client issues and the faster it issues them. When
1627 the LOAD goes down, it may be due to client load making the client
1628 slower in issuing new commands (there may be other reasons as well;
1629 maybe the client just has no commands it wants to issue right then).
1630
1631 Load is measured in concurrency/number of overlapping i/o and the
1632 value 1000 means there is a constant load of one i/o.
1633
1634 In each tick interval the amount of overlap is measured. See the
1635 graph below containing three commands. Below the graph are the LOAD
1636 values for each interval that would be calculated.
1637
1638 |     |     |     |     |     |     |     |     |
1639 |     |     |     |     |     |     |     |     |
1640 |     |  o=====*  |     |     |     |     |     |
1641 |     |     |     |     |     |     |     |     |
1642 |  o========*     | o============*  |     |     |
1643 |     |     |     |     |     |     |     |     |
1644 --------------------------------------------------> Time
1645   500   1500  500   750   1000  500    0     0
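
The per-interval calculations described above, including LOAD, worked through in code as an added example (not Wireshark's implementation). It assumes a response seen at frame time t with response time rt belongs to a command outstanding from t - rt to t, and that empty intervals report 0; the function name io_stat and the sample timings are constructed so that LOAD reproduces the values under the graph.

```python
# Constructed sample: (frame_time_s, [response-time values in that frame]).
# A frame may carry the field more than once, hence the list.
RESPONSES = [
    (2.0, [1.5]),    # command outstanding from 0.5 to 2.0
    (2.5, [1.0]),    # command outstanding from 1.5 to 2.5
    (5.5, [2.25]),   # command outstanding from 3.25 to 5.5
]


def _load(packets, tick, ticks):
    """LOAD: overlap of outstanding commands with each tick interval.

    1000 means a constant load of one outstanding command for the
    whole interval.
    """
    loads = []
    for i in range(ticks):
        lo, hi = i * tick, (i + 1) * tick
        busy = 0.0
        for t, values in packets:
            for rt in values:
                # Part of [t - rt, t] that falls inside [lo, hi].
                busy += max(0.0, min(t, hi) - max(t - rt, lo))
        loads.append(round(1000 * busy / tick))
    return loads


def io_stat(packets, calc, tick=1.0, ticks=8):
    """Per-interval SUM, COUNT, MAX, MIN, AVG or LOAD of one field."""
    if calc == "LOAD":
        return _load(packets, tick, ticks)
    buckets = [[] for _ in range(ticks)]
    for t, values in packets:
        idx = int(t // tick)
        if 0 <= idx < ticks:
            # Every occurrence of the field counts, not every packet.
            buckets[idx].extend(values)
    reducers = {
        "SUM": sum,
        "COUNT": len,
        "MAX": max,
        "MIN": min,
        "AVG": lambda v: sum(v) / len(v),
    }
    reduce_fn = reducers[calc]
    return [reduce_fn(b) if b else 0 for b in buckets]


if __name__ == "__main__":
    for calc in ("LOAD", "MAX", "AVG", "MIN", "COUNT"):
        print(f"{calc:5}", io_stat(RESPONSES, calc))
```

MAX, MIN and AVG are attributed to the interval in which the response frame arrives, while LOAD spreads each command over every interval it was outstanding in, which is why the two views can diverge.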
1646
1647 Statistics › Conversation List
1648
1649 This option will open a new window that displays a list of all
1650 conversations between two endpoints. The list has one row for each
1651 unique conversation and displays total number of packets/bytes seen
1652 as well as number of packets/bytes in each direction.
1653
1654 By default the list is sorted according to the number of packets,
1655 but by clicking on a column header it is possible to re-sort the
1656 list in ascending or descending order by any column.
1657
1658 By first selecting a conversation by clicking on it and then using
1659 the right mouse button (on those platforms that have a right mouse
1660 button) Wireshark will display a popup menu offering several
1661 different filter operations to apply to the capture.
1662
1663 These statistics windows can also be invoked from the Wireshark
1664 command line using the -z conv argument.
1665
1666 Statistics › Service Response Time
1667
1668 • AFP
1669
1670 • CAMEL
1671
1672 • DCE-RPC
1673
1674 Open a window to display Service Response Time statistics for an
1675 arbitrary DCE-RPC program interface and display Procedure, Number
1676 of Calls, Minimum SRT, Maximum SRT and Average SRT for all
1677 procedures for that program/version. These windows opened will
1678 update in semi-real time to reflect changes when doing live
1679 captures or when reading new capture files into Wireshark.
1680
1681 This dialog will also allow an optional filter string to be used.
1682 If an optional filter string is used only such DCE-RPC
1683 request/response pairs that match that filter will be used to
1684 calculate the statistics. If no filter string is specified all
1685 request/response pairs will be used.
1686
1687 • Diameter
1688
1689 • Fibre Channel
1690
1691 Open a window to display Service Response Time statistics for Fibre
1692 Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1693 SRT and Average SRT for all FC types. These windows opened will
1694 update in semi-real time to reflect changes when doing live
1695 captures or when reading new capture files into Wireshark. The
1696 Service Response Time is calculated as the time delta between the
1697 First packet of the exchange and the Last packet of the exchange.
1698
1699 This dialog will also allow an optional filter string to be used.
1700 If an optional filter string is used only such FC first/last
1701 exchange pairs that match that filter will be used to calculate the
1702 statistics. If no filter string is specified all request/response
1703 pairs will be used.
1704
1705 • GTP
1706
1707 • H.225 RAS
1708
1709 Collect requests/response SRT (Service Response Time) data for
1710 ITU-T H.225 RAS. Data collected is number of calls for each known
1711 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1712 SRT, Minimum in Packet, and Maximum in Packet. You will also get
1713 the number of Open Requests (Unresponded Requests), Discarded
1714 Responses (Responses without matching request) and Duplicate
1715 Messages. These windows opened will update in semi-real time to
1716 reflect changes when doing live captures or when reading new
1717 capture files into Wireshark.
1718
1719 You can apply an optional filter string in a dialog box, before
1720 starting the calculation. The statistics will only be calculated on
1721 those calls matching that filter.
1722
1723 • LDAP
1724
1725 • MEGACO
1726
1727 • MGCP
1728
1729 Collect requests/response SRT (Service Response Time) data for
1730 MGCP. Data collected is number of calls for each known MGCP Type,
1731 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and
1732 Maximum in Packet. These windows opened will update in semi-real
1733 time to reflect changes when doing live captures or when reading
1734 new capture files into Wireshark.
1735
1736 You can apply an optional filter string in a dialog box, before
1737 starting the calculation. The statistics will only be calculated on
1738 those calls matching that filter.
1739
1740 • NCP
1741
1742 • ONC-RPC
1743
1744 Open a window to display statistics for an arbitrary ONC-RPC
1745 program interface and display Procedure, Number of Calls, Minimum
1746 SRT, Maximum SRT and Average SRT for all procedures for that
1747 program/version. These windows opened will update in semi-real time
1748 to reflect changes when doing live captures or when reading new
1749 capture files into Wireshark.
1750
1751 This dialog will also allow an optional filter string to be used.
1752 If an optional filter string is used only such ONC-RPC
1753 request/response pairs that match that filter will be used to
1754 calculate the statistics. If no filter string is specified all
1755 request/response pairs will be used.
1756
1757 By first selecting a conversation by clicking on it and then using
1758 the right mouse button (on those platforms that have a right mouse
1759 button) Wireshark will display a popup menu offering several
1760 different filter operations to apply to the capture.
1761
1762 • RADIUS
1763
1764 • SCSI
1765
1766 • SMB
1767
1768 Collect call/reply SRT (Service Response Time) data for SMB. Data
1769 collected is the number of calls for each SMB command, MinSRT,
1770 MaxSRT and AvgSRT.
1771
1772 The data will be presented as separate tables for all normal SMB
1773 commands, all Transaction2 commands and all NT Transaction
1774 commands. Only those commands that are seen in the capture will
1775 have their stats displayed. Only the first command in an xAndX command
1776 chain will be used in the calculation. So for common
1777 SessionSetupAndX + TreeConnectAndX chains, only the
1778 SessionSetupAndX call will be used in the statistics. This is a
1779 flaw that might be fixed in the future.
1780
1781 You can apply an optional filter string in a dialog box, before
1782 starting the calculation. The stats will only be calculated on
1783 those calls matching that filter.
1784
1785 By first selecting a conversation by clicking on it and then using
1786 the right mouse button (on those platforms that have a right mouse
1787 button) Wireshark will display a popup menu offering several
1788 different filter operations to apply to the capture.
1789
1790 • SMB2
1791
1792 Statistics › BOOTP-DHCP
1793
1794
1795 Statistics › Compare
1796
1797 Compare two Capture Files
1798
1799 Statistics › Flow Graph
1800
1801 Flow Graph: General/TCP
1802
1803 Statistics › HTTP
1804
1805 HTTP Load Distribution, Packet Counter & Requests
1806
1807 Statistics › IP Addresses
1808
1809 Count/Rate/Percent by IP Address
1810
1811 Statistics › IP Destinations
1812
1813 Count/Rate/Percent by IP Address/protocol/port
1814
1815 Statistics › IP Protocol Types
1816
1817 Count/Rate/Percent by IP Protocol Types
1818
1819 Statistics › ONC-RPC Programs
1820
1821 This dialog will open a window showing aggregated SRT statistics
1822 for all ONC-RPC Programs/versions that exist in the capture file.
1823
1824 Statistics › TCP Stream Graph
1825
1826 Graphs: Round Trip; Throughput; Time-Sequence (Stevens);
1827 Time-Sequence (tcptrace)
1828
1829 Statistics › UDP Multicast streams
1830
1831 Multicast Streams Counts/Rates/... by Source/Destination
1832 Address/Port pairs
1833
1834 Statistics › WLAN Traffic
1835
1836 WLAN Traffic Statistics
1837
1838 Telephony › ITU-T H.225
1839
1840 Count ITU-T H.225 messages and their reasons. In the first column
1841 you get a list of H.225 messages and H.225 message reasons, which
1842 occur in the current capture file. The number of occurrences of
1843 each message or reason will be displayed in the second column. This
1844 window opened will update in semi-real time to reflect changes when
1845 doing live captures or when reading new capture files into
1846 Wireshark.
1847
1848 You can apply an optional filter string in a dialog box, before
1849 starting the counter. The statistics will only be calculated on
1850 those calls matching that filter.
1851
1852 Telephony › SIP
1853
1854 Activate a counter for SIP messages. You will get the number of
1855 occurrences of each SIP Method and of each SIP Status-Code.
1856 Additionally you also get the number of resent SIP Messages (only
1857 for SIP over UDP).
1858
1859 This window opened will update in semi-real time to reflect changes
1860 when doing live captures or when reading new capture files into
1861 Wireshark.
1862
1863 You can apply an optional filter string in a dialog box, before
1864 starting the counter. The statistics will only be calculated on
1865 those calls matching that filter.
1866
1867 Tools › Firewall ACL Rules
1868
1869
1870 Help › Contents
1871
1872 Some help texts.
1873
1874 Help › Supported Protocols
1875
1876 List of supported protocols and display filter protocol fields.
1877
1878 Help › Manual Pages
1879
1880 Display locally installed HTML versions of these manual pages in a
1881 web browser.
1882
1883 Help › Wireshark Online
1884
1885 Various links to online resources to be opened in a web browser, like
1886 https://www.wireshark.org.
1887
1888 Help › About Wireshark
1889
1890 See various information about Wireshark (see About dialog below),
1891 like the version, the folders used, the available plugins, ...
1892
1893 WINDOWS
1894 Main Window
1895
1896 The main window contains the usual things like the menu, some
1897 toolbars, the main area and a statusbar. The main area is split
1898 into three panes; you can resize each pane using a "thumb" at the
1899 right end of each divider line.
1900
1901 The main window is much more flexible than before. The layout of
1902 the main window can be customized by the Layout page in the dialog
1903 box popped up by Edit:Preferences; the following will describe the
1904 layout with the default settings.
1905
1906 Main Toolbar
1907
1908 Some menu items are available for quick access here. There is no
1909 way to customize the items in the toolbar, however the toolbar can
1910 be hidden by View:Main Toolbar.
1911
1912 Filter Toolbar
1913
1914 A display filter can be entered into the filter toolbar. A filter
1915 for HTTP, HTTPS, and DNS traffic might look like this:
1916
1917 tcp.port in {80 443 53}
1918
1919 Selecting the Filter: button lets you choose from a list of named
1920 filters that you can optionally save. Pressing the Return or Enter
1921 keys, or selecting the Apply button, will cause the filter to be
1922 applied to the current list of packets. Selecting the Reset button
1923 clears the display filter so that all packets are displayed
1924 (again).
1925
1926 There is no way to customize the items in the toolbar, however the
1927 toolbar can be hidden by View:Filter Toolbar.
1928
1929 Packet List Pane
1930
1931 The top pane contains the list of network packets that you can
1932 scroll through and select. By default, the packet number, packet
1933 timestamp, source and destination addresses, protocol, and
1934 description are displayed for each packet; the Columns page in the
1935 dialog box popped up by Edit:Preferences lets you change this
1936 (although, unfortunately, you currently have to save the
1937 preferences, and exit and restart Wireshark, for those changes to
1938 take effect).
1939
1940 If you click on the heading for a column, the display will be
1941 sorted by that column; clicking on the heading again will reverse
1942 the sort order for that column.
1943
1944 An effort is made to display information as high up the protocol
1945 stack as possible, e.g. IP addresses are displayed for IP packets,
1946 but the MAC layer address is displayed for unknown packet types.
1947
1948 The right mouse button can be used to pop up a menu of operations.
1949
1950 The middle mouse button can be used to mark a packet.
1951
1952 Packet Details Pane
1953
1954 The middle pane contains a display of the details of the
1955 currently-selected packet. The display shows each field and its
1956 value in each protocol header in the stack. The right mouse button
1957 can be used to pop up a menu of operations.
1958
1959 Packet Bytes Pane
1960
1961 The lowest pane contains a hex and ASCII dump of the actual packet
1962 data. Selecting a field in the packet details highlights the
1963 corresponding bytes in this section.
1964
1965 The right mouse button can be used to pop up a menu of operations.
1966
1967 Statusbar
1968
1969 The statusbar is divided into three parts: on the left, some context
1970 dependent things are shown, like information about the loaded file;
1971 in the center, the number of packets is displayed; and on the right,
1972 the current configuration profile.
1973
1974 The statusbar can be hidden by View:Statusbar.
1975
1976 Preferences
1977
1978 The Preferences dialog lets you control various personal
1979 preferences for the behavior of Wireshark.
1980
1981 User Interface Preferences
1982
1983 The User Interface page is used to modify small aspects of the GUI
1984 to your own personal taste:
1985
1986 Selection Bars
1987
1988 The selection bar in the packet list and packet details can have
1989 either a "browse" or "select" behavior. If the selection bar has a
1990 "browse" behavior, the arrow keys will move an outline of the
1991 selection bar, allowing you to browse the rest of the list or
1992 details without changing the selection until you press the space
1993 bar. If the selection bar has a "select" behavior, the arrow keys
1994 will move the selection bar and change the selection to the new
1995 item in the packet list or packet details.
1996
1997 Save Window Position
1998
1999 If this item is selected, the position of the main Wireshark window
2000 will be saved when Wireshark exits, and used when Wireshark is
2001 started again.
2002
2003 Save Window Size
2004
2005 If this item is selected, the size of the main Wireshark window
2006 will be saved when Wireshark exits, and used when Wireshark is
2007 started again.
2008
2009 Save Window Maximized state
2010
2011 If this item is selected the maximize state of the main Wireshark
2012 window will be saved when Wireshark exits, and used when Wireshark
2013 is started again.
2014
2015 File Open Dialog Behavior
2016
2017 This item allows the user to select how Wireshark handles the
2018 listing of the "File Open" Dialog when opening trace files.
2019 "Remember Last Directory" causes Wireshark to automatically
2020 position the dialog in the directory of the most recently opened
2021 file, even between launches of Wireshark. "Always Open in
2022 Directory" allows the user to define a persistent directory that
2023 the dialog will always default to.
2024
2025 Directory
2026
2027 Allows the user to specify a persistent File Open directory.
2028 Trailing slashes or backslashes will automatically be added.
2029
2030 File Open Preview timeout
2031
2032 This item allows the user to define how much time is spent reading
2033 the capture file to present preview data in the File Open dialog.
2034
2035 Open Recent maximum list entries
2036
2037 The File menu supports a recent file list. This item allows the
2038 user to specify how many files are kept track of in this list.
2039
2040 Ask for unsaved capture files
2041
2042 When this item is set, the user is offered the option to save the
2043 file when closing a capture file or Wireshark itself while the file
2044 isn’t saved yet.
2045
2046 Wrap during find
2047
2048 This item determines the behavior when reaching the beginning or
2049 the end of a capture file. When set the search wraps around and
2050 continues, otherwise it stops.
2051
2052 Settings dialogs show a save button
2053
2054 This item determines whether the various dialogs show an explicit
2055 Save button or whether saving is implicit in OK / Apply.
2056
2057 Web browser command
2058
2059 This entry specifies the command line to launch a web browser. It
2060 is used to access online content, like the Wiki and user guide. Use
2061 '%s' to place the request URL in the command line.
2062
2063 Layout Preferences
2064
2065 The Layout page lets you specify the general layout of the main
2066 window. You can choose from six different layouts and fill the
2067 three panes with the contents you like.
2068
2069 Scrollbars
2070
2071 The vertical scrollbars in the three panes can be set to be either
2072 on the left or the right.
2073
2074 Alternating row colors
2075
2076
2077 Hex Display
2078
2079 The highlight method in the hex dump display for the selected
2080 protocol item can be set to use either inverse video, or bold
2081 characters.
2082
2083 Toolbar style
2084
2085
2086 Filter toolbar placement
2087
2088
2089 Custom window title
2090
2091
2092 Column Preferences
2093
2094 The Columns page lets you specify the number, title, and format of
2095 each column in the packet list.
2096
2097 The Column title entry is used to specify the title of the column
2098 displayed at the top of the packet list. The type of data that the
2099 column displays can be specified using the Column format option
2100 menu. The row of buttons on the left perform the following actions:
2101
2102 New
2103
2104 Adds a new column to the list.
2105
2106 Delete
2107
2108 Deletes the currently selected list item.
2109
2110 Up / Down
2111
2112 Moves the selected list item up or down one position.
2113
2114 Font Preferences
2115
2116 The Font page lets you select the font to be used for most text.
2117
2118 Color Preferences
2119
2120 The Colors page can be used to change the color of the text
2121 displayed in the TCP stream window and for marked packets. To
2122 change a color, simply select an attribute from the "Set:" menu and
2123 use the color selector to get the desired color. The new text
2124 colors are displayed as a sample text.
2125
2126 Capture Preferences
2127
2128 The Capture page lets you specify various parameters for capturing
2129 live packet data; these are used the first time a capture is
2130 started.
2131
2132 The Interface: combo box lets you specify the interface from which
2133 to capture packet data, or the name of a FIFO from which to get the
2134 packet data.
2135
2136 The Data link type: option menu lets you, for some interfaces,
2137 select the data link header you want to see on the packets you
2138 capture. For example, in some OSes and with some versions of
2139 libpcap, you can choose, on an 802.11 interface, whether the
2140 packets should appear as Ethernet packets (with a fake Ethernet
2141 header) or as 802.11 packets.
2142
2143 The Limit each packet to ... bytes check box lets you set the
2144 snapshot length to use when capturing live data; turn on the check
2145 box, and then set the number of bytes to use as the snapshot
2146 length.
2147
2148 The Filter: text entry lets you set a capture filter expression to
2149 be used when capturing.
2150
2151 If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
2152 REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create
2153 a default capture filter that excludes traffic from the hosts and
2154 ports defined in those variables.
2155
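As an added illustration (not Wireshark's own code), the example below derives an exclusion filter of this kind from SSH_CONNECTION, SSH_CLIENT or REMOTEHOST and combines it with a user-supplied capture filter. The page does not give the exact filter text Wireshark generates, so the filter shape, the function names and the sample addresses are assumptions; DISPLAY and SESSIONNAME are not handled here.

```python
"""Build a capture filter that keeps the analyst's own remote session out of a capture."""
import ipaddress


def _host_clause(addr):
    """Return 'ip host A' or 'ip6 host A' for a literal address, else raise ValueError."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone such as %eth0
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 peer, so match it as IPv4
    family = "ip6" if ip.version == 6 else "ip"
    return f"{family} host {ip}"


def _port(text):
    """Validate a TCP port so nothing but a number reaches the filter string."""
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {text!r}")
    return port


def exclusion_filter(env):
    """Return a 'not (...)' filter for the session described in env, or ''.

    SSH_CONNECTION is 'client_ip client_port server_ip server_port' and
    SSH_CLIENT is 'client_ip client_port server_port' (OpenSSH formats).
    The most specific variable that is present wins.
    """
    conn = env.get("SSH_CONNECTION", "").split()
    if len(conn) == 4:
        c_ip, c_port, s_ip, s_port = conn
        return (f"not (tcp port {_port(c_port)} and {_host_clause(c_ip)} "
                f"and tcp port {_port(s_port)} and {_host_clause(s_ip)})")
    client = env.get("SSH_CLIENT", "").split()
    if len(client) == 3:
        c_ip, c_port, s_port = client
        return (f"not (tcp port {_port(c_port)} and {_host_clause(c_ip)} "
                f"and tcp port {_port(s_port)})")
    remote = env.get("REMOTEHOST", "").strip()
    if remote:
        try:
            return f"not {_host_clause(remote)}"
        except ValueError:
            return ""  # a host name, not an address: this example emits no filter
    return ""


def combine(user_filter, exclusion):
    """AND the analyst's own filter with the exclusion, parenthesising the former."""
    if user_filter and exclusion:
        return f"({user_filter}) and {exclusion}"
    return user_filter or exclusion


if __name__ == "__main__":
    # Constructed sample environment (documentation address ranges).
    sample = {"SSH_CONNECTION": "198.51.100.7 50514 192.0.2.10 22"}
    print(combine("udp port 53", exclusion_filter(sample)))
```

Without such an exclusion, a capture started over SSH also records the SSH packets that carry the capture's own output back to the analyst.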
2156 The Capture packets in promiscuous mode check box lets you specify
2157 whether to put the interface in promiscuous mode when capturing.
2158
2159 The Update list of packets in real time check box lets you specify
2160 that the display should be updated as packets are seen.
2161
2162 The Automatic scrolling in live capture check box lets you specify
2163 whether, in an "Update list of packets in real time" capture, the
2164 packet list pane should automatically scroll to show the most
2165 recently captured packets.
2166
2167 Printing Preferences
2168
2169 The radio buttons at the top of the Printing page allow you to choose
2170 between printing packets with the File:Print Packet menu item as
2171 text or PostScript, and sending the output directly to a command or
2172 saving it to a file. The Command: text entry box, on
2173 UNIX-compatible systems, is the command to send files to (usually
2174 lpr), and the File: entry box lets you enter the name of the file
2175 you wish to save to. Additionally, you can select the File: button
2176 to browse the file system for a particular save file.
2177
2178 Name Resolution Preferences
2179
2180 The Enable MAC name resolution, Enable network name resolution and
2181 Enable transport name resolution check boxes let you specify
2182 whether MAC addresses, network addresses, and transport-layer port
2183 numbers should be translated to names.
2184
2185 The Enable concurrent DNS name resolution allows Wireshark to send
2186 out multiple name resolution requests and not wait for the result
2187 before continuing dissection. This speeds up dissection with
2188 network name resolution but initially may miss resolutions. The
2189 number of concurrent requests can be set here as well.
2190
2191 SMI paths
2192
2193 SMI modules
2194
2195 RTP Player Preferences
2196
2197 This page allows you to select the number of channels visible in
2198 the RTP player window. It determines the height of the window; more
2199 channels are possible and visible by means of a scroll bar.
2200
2201 Protocol Preferences
2202
2203 There are also pages for various protocols that Wireshark dissects,
2204 controlling the way Wireshark handles those protocols.
2205
2206 Edit Capture Filter List
2207
2208
2209 Edit Display Filter List
2210
2211
2212 Capture Filter
2213
2214
2215 Display Filter
2216
2217
2218 Read Filter
2219
2220
2221 Search Filter
2222
2223 The Edit Capture Filter List dialog lets you create, modify, and
2224 delete capture filters, and the Edit Display Filter List dialog
2225 lets you create, modify, and delete display filters.
2226
2227 The Capture Filter dialog lets you do all of the editing operations
2228 listed, and also lets you choose or construct a filter to be used
2229 when capturing packets.
2230
2231 The Display Filter dialog lets you do all of the editing operations
2232 listed, and also lets you choose or construct a filter to be used
2233 to filter the current capture being viewed.
2234
2235 The Read Filter dialog lets you do all of the editing operations
2236 listed, and also lets you choose or construct a filter to be used
2237 as a read filter for a capture file you open.
2238
2239 The Search Filter dialog lets you do all of the editing operations
2240 listed, and also lets you choose or construct a filter expression
2241 to be used in a find operation.
2242
2243 In all of those dialogs, the Filter name entry specifies a
2244 descriptive name for a filter, e.g. Web and DNS traffic. The Filter
2245 string entry is the text that actually describes the filtering
2246 action to take, as described above. The dialog buttons perform the
2247 following actions:
2248
2249 New
2250
2251 If there is text in the two entry boxes, creates a new associated
2252 list item.
2253
2254 Edit
2255
2256 Modifies the currently selected list item to match what’s in the
2257 entry boxes.
2258
2259 Delete
2260
2261 Deletes the currently selected list item.
2262
2263 Add Expression...
2264
2265 For display filter expressions, pops up a dialog box to allow you
2266 to construct a filter expression to test a particular field; it
2267 offers lists of field names, and, when appropriate, lists from
2268 which to select tests to perform on the field and values with which
2269 to compare it. In that dialog box, the OK button will cause the
2270 filter expression you constructed to be entered into the Filter
2271 string entry at the current cursor position.
2272
2273 OK
2274
2275 In the Capture Filter dialog, closes the dialog box and makes the
2276 filter in the Filter string entry the filter in the Capture
2277 Preferences dialog. In the Display Filter dialog, closes the dialog
2278 box and makes the filter in the Filter string entry the current
2279 display filter, and applies it to the current capture. In the Read
2280 Filter dialog, closes the dialog box and makes the filter in the
2281 Filter string entry the filter in the Open Capture File dialog. In
2282 the Search Filter dialog, closes the dialog box and makes the
2283 filter in the Filter string entry the filter in the Find Packet
2284 dialog.
2285
2286 Apply
2287
2288 Makes the filter in the Filter string entry the current display
2289 filter, and applies it to the current capture.
2290
2291 Save
2292
2293 If the list of filters being edited is the list of capture filters,
2294 saves the current filter list to the personal capture filters file,
2295 and if the list of filters being edited is the list of display
2296 filters, saves the current filter list to the personal display
2297 filters file.
2298
2299 Close
2300
2301 Closes the dialog without doing anything with the filter in the
2302 Filter string entry.
2303
2304 The Color Filters Dialog
2305
2306 This dialog displays a list of color filters and allows it to be
2307 modified.
2308
2309 THE FILTER LIST
2310
2311 Single rows may be selected by clicking. Multiple rows may be
2312 selected by using the ctrl and shift keys in combination with the
2313 mouse button.
2314
2315 NEW
2316
2317 Adds a new filter at the bottom of the list and opens the Edit
2318 Color Filter dialog box. You will have to alter at least the filter
2319 expression before the filter will be accepted. The format
2320 of color filter expressions is identical to that of display
2321 filters. The new filter is selected, so it may immediately be moved
2322 up and down, deleted or edited. To avoid confusion all filters are
2323 unselected before the new filter is created.
2324
2325 EDIT
2326
2327 Opens the Edit Color Filter dialog box for the selected filter. (If
2328 this button is disabled you may have more than one filter selected,
2329 making it ambiguous which is to be edited.)
2330
2331 ENABLE
2332
2333 Enables the selected color filter(s).
2334
2335 DISABLE
2336
2337 Disables the selected color filter(s).
2338
2339 DELETE
2340
2341 Deletes the selected color filter(s).
2342
2343 EXPORT
2344
2345 Allows you to choose a file in which to save the current list of
2346 color filters. You may also choose to save only the selected
2347 filters. A button is provided to save the filters in the global
2348 color filters file (you must have sufficient permissions to write
2349 this file, of course).
2350
2351 IMPORT
2352
2353 Allows you to choose a file containing color filters which are then
2354 added to the bottom of the current list. All the added filters are
2355 selected, so they may be moved to the correct position in the list
2356 as a group. To avoid confusion, all filters are unselected before
2357 the new filters are imported. A button is provided to load the
2358 filters from the global color filters file.
2359
2360 CLEAR
2361
2362 Deletes your personal color filters file, reloads the global color
2363 filters file, if any, and closes the dialog.
2364
2365 UP
2366
2367 Moves the selected filter(s) up the list, making it more likely
2368 that they will be used to color packets.
2369
2370 DOWN
2371
2372 Moves the selected filter(s) down the list, making it less likely
2373 that they will be used to color packets.
2374
2375 OK
2376
2377 Closes the dialog and uses the color filters as they stand.
2378
2379 APPLY
2380
2381 Colors the packets according to the current list of color filters,
2382 but does not close the dialog.
2383
2384 SAVE
2385
2386 Saves the current list of color filters in your personal color
2387 filters file. Unless you do this they will not be used the next
2388 time you start Wireshark.
2389
2390 CLOSE
2391
2392 Closes the dialog without changing the coloration of the packets.
2393 Note that changes you have made to the current list of color
2394 filters are not undone.
2395
2396 Capture Options Dialog
2397
2398 The Capture Options Dialog lets you specify various parameters for
2399 capturing live packet data.
2400
2401 The Interface: field lets you specify the interface from which to
2402 capture packet data or a command from which to get the packet data
2403 via a pipe.
2404
2405 The Link layer header type: field lets you specify the interface's
2406 link layer header type. This field is usually disabled, as most
2407 interfaces have only one header type.
2408
2409 The Capture packets in promiscuous mode check box lets you specify
2410 whether the interface should be put into promiscuous mode when
2411 capturing.
2412
2413 The Limit each packet to ... bytes check box and field let you
2414 specify a maximum number of bytes per packet to capture and save;
2415 if the check box is not checked, the limit will be 262144 bytes.
2416
2417 The Capture Filter: entry lets you specify the capture filter using
2418 a tcpdump-style filter string as described above.
2419
2420 The File: entry lets you specify the file into which captured
2421 packets should be saved, as in the Printer Options dialog above. If
2422 not specified, the captured packets will be saved in a temporary
2423 file; you can save those packets to a file with the File:Save As
2424 menu item.
2425
2426 The Use multiple files check box lets you specify that the capture
2427 should be done in "multiple files" mode. This option is disabled,
2428 if the Update list of packets in real time option is checked.
2429
2430 The Next file every ... megabyte(s) check box and fields let you
2431 specify that a switch to a next file should be done if the
2432 specified filesize is reached. You can also select the appropriate
2433 unit, but beware that the filesize has a maximum of 2 GiB. The
2434 check box is forced to be checked, as "multiple files" mode
2435 requires a file size to be specified.
2436
2437 The Next file every ... minute(s) check box and fields let you
2438 specify that the switch to a next file should be done after the
2439 specified time has elapsed, even if the specified capture size is
2440 not reached.
2441
2442 The Ring buffer with ... files field lets you specify the number of
2443 files of a ring buffer. This feature will capture into the first
2444 file again, after the specified number of files have been used.
2445
2446 The Stop capture after ... files field lets you specify the number
2447 of capture files used, until the capture is stopped.
2448
2449 The Stop capture after ... packet(s) check box and field let you
2450 specify that Wireshark should stop capturing after having captured
2451 some number of packets; if the check box is not checked, Wireshark
2452 will not stop capturing at some fixed number of captured packets.
2453
2454 The Stop capture after ... megabyte(s) check box and field let you
2455 specify that Wireshark should stop capturing after the file to
2456 which captured packets are being saved grows as large as or larger
2457 than some specified number of megabytes. If the check box is not
2458 checked, Wireshark will not stop capturing at some capture file
2459 size (although the operating system on which Wireshark is running,
2460 or the available disk space, may still limit the maximum size of a
2461 capture file). This option is disabled, if "multiple files" mode is
2462 used.
2463
2464 The Stop capture after ... second(s) check box and field let you
2465 specify that Wireshark should stop capturing after it has been
2466 capturing for some number of seconds; if the check box is not
2467 checked, Wireshark will not stop capturing after some fixed time
2468 has elapsed.
2469
2470 The Update list of packets in real time check box lets you specify
2471 whether the display should be updated as packets are captured and,
2472 if you specify that, the Automatic scrolling in live capture check
2473 box lets you specify that the packet list pane should automatically
2474 scroll to show the most recently captured packets as new packets
2475 arrive.
2476
2477 The Enable MAC name resolution, Enable network name resolution and
2478 Enable transport name resolution check boxes let you specify
2479 whether MAC addresses, network addresses, and transport-layer port
2480 numbers should be translated to names.
2481
2482 About
2483
2484 The About dialog lets you view various information about Wireshark.
2485
2486 About › Wireshark
2487
2488 The Wireshark page lets you view general information about
2489 Wireshark, like the installed version, licensing information and
2490 such.
2491
2492 About › Authors
2493
2494 The Authors page shows the author and all contributors.
2495
2496 About › Folders
2497
2498 The Folders page lets you view the directory names where Wireshark
2499 is searching its various configuration and other files.
2500
2501 About › Plugins
2502
2503 The Plugins page lets you view the dissector plugin modules
2504 available on your system.
2505
2506 The Plugins List shows the name and version of each dissector
2507 plugin module found on your system.
2508
2509 On Unix-compatible systems, the plugins are looked for in the
2510 following directories: the lib/wireshark/plugins/$VERSION directory
2511 under the main installation directory (for example,
2512 /usr/local/lib/wireshark/plugins/$VERSION), and then
2513 $HOME/.wireshark/plugins.
2514
2515 On Windows systems, the plugins are looked for in the following
2516 directories: plugins\$VERSION directory under the main installation
2517 directory (for example, C:\Program
2518 Files\Wireshark\plugins\$VERSION), and then
2519 %APPDATA%\Wireshark\plugins\$VERSION (or, if %APPDATA% isn’t
2520 defined, %USERPROFILE%\Application
2521 Data\Wireshark\plugins\$VERSION).
2522
2523 $VERSION is the version number of the plugin interface, which is
2524 typically the version number of Wireshark. Note that a dissector
2525 plugin module may support more than one protocol; there is not
2526 necessarily a one-to-one correspondence between dissector plugin
2527 modules and protocols. Protocols supported by a dissector plugin
2528 module are enabled and disabled using the Edit:Protocols dialog
2529 box, just as protocols built into Wireshark are.
2530
2532 See the manual page of pcap-filter(7) or, if that doesn’t exist,
2533 tcpdump(8), or, if that doesn’t exist,
2534 https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2535
2537 For a complete table of protocol and protocol fields that are
2538 filterable in Wireshark see the wireshark-filter(4) manual page.
2539
2541 These files contain various Wireshark configuration settings.
2542
2543 Preferences
2544
2545 The preferences files contain global (system-wide) and personal
2546 preference settings. If the system-wide preference file exists, it
2547 is read first, overriding the default settings. If the personal
2548 preferences file exists, it is read next, overriding any previous
2549 values. Note: If the command line flag -o is used (possibly more
2550 than once), it will in turn override values from the preferences
2551 files.
2552
2553 The preferences settings are in the form prefname:value, one per
2554 line, where prefname is the name of the preference and value is the
2555 value to which it should be set; white space is allowed between :
2556 and value. A preference setting can be continued on subsequent
2557 lines by indenting the continuation lines with white space. A #
2558 character starts a comment that runs to the end of the line:

    # Vertical scrollbars should be on right side?
    # TRUE or FALSE (case-insensitive).
    gui.scrollbar_on_right: TRUE

The global preferences file is looked for in the wireshark
directory under the share subdirectory of the main installation
directory (for example, /usr/local/share/wireshark/preferences) on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark\preferences) on Windows
systems.

The personal preferences file is looked for in
$XDG_CONFIG_HOME/wireshark/preferences (or, if
$XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
present, $HOME/.wireshark/preferences) on UNIX-compatible systems
and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
Windows systems.

Note: Whenever the preferences are saved by using the Save button
in the Edit:Preferences dialog box, your personal preferences file
will be overwritten with the new settings, destroying any comments
and unknown/obsolete settings that were in the file.

Recent

The recent file contains personal settings (mostly GUI related)
such as the current Wireshark window size. The file is saved at
program exit and read in at program start automatically. Note: The
command line flag -o may be used to override settings from this
file.

The settings in this file have the same format as in the
preferences files, and the same directory as for the personal
preferences file is used.

Note: Whenever Wireshark is closed, your recent file will be
overwritten with the new settings, destroying any comments and
unknown/obsolete settings that were in the file.

Disabled (Enabled) Protocols

The disabled_protos files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are
never called. The files contain protocol names, one per line, where
the protocol name is the same name that would be used in a display
filter for the protocol:

    http
    tcp # a comment

If a protocol is listed in the global disabled_protos file, it is
not displayed in the Analyze:Enabled Protocols dialog box, and so
cannot be enabled by the user.

The global disabled_protos file uses the same directory as the
global preferences file.

The personal disabled_protos file uses the same directory as the
personal preferences file.

Note: Whenever the disabled protocols list is saved by using the
Save button in the Analyze:Enabled Protocols dialog box, your
personal disabled protocols file will be overwritten with the new
settings, destroying any comments that were in the file.

Name Resolution (hosts)

If the personal hosts file exists, it is used to resolve IPv4 and
IPv6 addresses before any other attempts are made to resolve them.
The file has the standard hosts file syntax; each line contains one
IP address and name, separated by whitespace. The same directory as
for the personal preferences file is used.

Capture filter name resolution is handled by libpcap on
UNIX-compatible systems and WinPcap on Windows. As such the
Wireshark personal hosts file will not be consulted for capture
filter name resolution.

Name Resolution (subnets)

If an IPv4 address cannot be translated via name resolution (no
exact match is found) then a partial match is attempted via the
subnets file. Both the global subnets file and personal subnets
files are used if they exist.

Each line of this file consists of an IPv4 address and a subnet mask
length, separated only by a /, followed by a name separated by
whitespace. While the address must be a full IPv4 address, any values
beyond the mask length are subsequently ignored.

An example is:

    # Comments must be prepended by the # sign!
    192.168.0.0/24 ws_test_network

A partially matched name will be printed as
"subnet-name.remaining-address". For example, "192.168.0.1" under
the subnet above would be printed as "ws_test_network.1"; if the
mask length above had been 16 rather than 24, the printed address
would be "ws_test_network.0.1".
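The partial-match rendering described above, as an added Python sketch (not Wireshark's own code). The sample file contents, the function names, the longest-mask tie-break, and the handling of mask lengths that are not a multiple of 8 are assumptions of this example.

```python
import ipaddress

# Constructed sample in the subnets file format described above.
SAMPLE_SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.1.0.0/16    lab
"""

def parse_subnets(text):
    """Return [(IPv4Network, name)] from subnets-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Address and mask length are separated only by '/', then the name.
        if len(fields) != 2 or "/" not in fields[0]:
            raise ValueError(f"line {lineno}: expected 'a.b.c.d/len name'")
        # strict=False: bits beyond the mask length are ignored, as documented.
        net = ipaddress.IPv4Network(fields[0], strict=False)
        entries.append((net, fields[1]))
    return entries

def subnet_name(addr, entries):
    """Render addr as 'subnet-name.remaining-address', or None if unmatched."""
    ip = ipaddress.IPv4Address(addr)
    matches = [(net, name) for net, name in entries if ip in net]
    if not matches:
        return None
    # Assumption: when several subnets match, the longest mask wins.
    net, name = max(matches, key=lambda e: e[0].prefixlen)
    # Assumption for masks that are not a multiple of 8: clear the network
    # bits, then print the octets that the mask does not fully cover.
    host = ipaddress.IPv4Address(int(ip) & int(net.hostmask))
    rest = str(host).split(".")[net.prefixlen // 8:]
    return ".".join([name] + rest)
```

Reviewing a subnets file this way before sharing a profile shows exactly which label each address in a capture will be displayed under.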

Name Resolution (ethers)

The ethers files are consulted to correlate 6-byte hardware
addresses to names. First the personal ethers file is tried and if
an address is not found there the global ethers file is tried next.

Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by
colons (:), dashes (-) or periods (.). The same separator character
must be used consistently in an address. The following three lines
are valid lines of an ethers file:

    ff:ff:ff:ff:ff:ff Broadcast
    c0-00-ff-ff-ff-ff TR_broadcast
    00.00.00.00.00.00 Zero_broadcast

The global ethers file is looked for in the /etc directory on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark) on Windows systems.

The personal ethers file is looked for in the same directory as the
personal preferences file.

Capture filter name resolution is handled by libpcap on
UNIX-compatible systems and WinPcap on Windows. As such the
Wireshark personal ethers file will not be consulted for capture
filter name resolution.

Name Resolution (manuf)

The manuf file is used to match the 3-byte vendor portion of a
6-byte hardware address with the manufacturer’s name; it can also
contain well-known MAC addresses and address ranges specified with
a netmask. The format of the file is the same as the ethers files,
except that entries such as:

    00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:

    00-00-0C-07-AC/40 All-HSRP-routers

can be specified, with a MAC address and a mask indicating how many
bits of the address must match. The above entry, for example, has
40 significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.

The manuf file is looked for in the same directory as the global
preferences file.
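The ethers and manuf entry formats above, including masked entries whose length is not a multiple of 8, as an added Python sketch (not Wireshark's own code). The sample contents, the function names, the # comment handling, and the rule that the longest mask wins are assumptions of this example.

```python
import re

# Constructed sample mixing the entry kinds shown above.
SAMPLE_MANUF = """\
ff:ff:ff:ff:ff:ff    Broadcast
00:00:0C             Cisco
00-00-0C-07-AC/40    All-HSRP-routers
"""

def parse_hw(text, max_len=6):
    """Parse 1..max_len hex octets; the separator must be used consistently."""
    if len(set(re.findall(r"[:.-]", text))) > 1:
        raise ValueError(f"mixed separators in {text!r}")
    parts = re.split(r"[:.-]", text)
    if len(parts) > max_len or not all(
            re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"bad hardware address {text!r}")
    return bytes(int(p, 16) for p in parts)

def mask_for(bits):
    """48-bit mask with the top `bits` bits set."""
    return ((1 << bits) - 1) << (48 - bits)

def parse_manuf(text):
    """Return [(masked_value, mask_bits, name)] for each entry."""
    entries = []
    for raw in text.splitlines():
        # Assumption: '#' starts a comment, as in the other files on this page.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, bits = addr.partition("/")
        octets = parse_hw(addr)
        # Without an explicit mask, every octet given is significant.
        mask_bits = int(bits) if bits else len(octets) * 8
        if not 0 < mask_bits <= 48:
            raise ValueError(f"bad mask length in {raw!r}")
        value = int.from_bytes(octets.ljust(6, b"\0"), "big")
        entries.append((value & mask_for(mask_bits), mask_bits, name))
    return entries

def lookup(mac, entries):
    """Name of the matching entry with the longest mask, or None."""
    octets = parse_hw(mac)
    if len(octets) != 6:
        raise ValueError(f"need a full 6-byte address, got {mac!r}")
    target = int.from_bytes(octets, "big")
    hits = [(bits, name) for value, bits, name in entries
            if target & mask_for(bits) == value]
    # Assumption: the most specific (longest-mask) entry wins.
    return max(hits)[1] if hits else None
```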

Name Resolution (services)

The services file is used to translate port numbers into names.
Both the global services file and personal services files are used
if they exist.

The file has the standard services file syntax; each line contains
one (service) name and one transport identifier separated by white
space. The transport identifier includes one port number and one
transport protocol name (typically tcp, udp, or sctp) separated by
a /.

An example is:

    mydns       5045/udp    # My own Domain Name Server
    mydns       5045/tcp    # My own Domain Name Server

Name Resolution (ipxnets)

The ipxnets files are used to correlate 4-byte IPX network numbers
to names. First the global ipxnets file is tried and if that
address is not found there the personal one is tried next.

The format is the same as the ethers file, except that each address
is four bytes instead of six. Additionally, the address can be
represented as a single hexadecimal number, as is more common in
the IPX world, rather than four hex octets. For example, these four
lines are valid lines of an ipxnets file:

    C0.A8.2C.00 HR
    c0-a8-1c-00 CEO
    00:00:BE:EF IT_Server1
    110f FileServer3

The global ipxnets file is looked for in the /etc directory on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark) on Windows systems.

The personal ipxnets file is looked for in the same directory as
the personal preferences file.

Capture Filters

The cfilters files contain system-wide and personal capture
filters. Each line contains one filter, starting with the string
displayed in the dialog box in quotation marks, followed by the
filter string itself:

    "HTTP" port 80
    "DCERPC" port 135

The global cfilters file uses the same directory as the global
preferences file.

The personal cfilters file uses the same directory as the personal
preferences file. It is written through the Capture:Capture Filters
dialog.

If the global cfilters file exists, it is used only if the personal
cfilters file does not exist; global and personal capture filters
are not merged.

Display Filters

The dfilters files contain system-wide and personal display
filters. Each line contains one filter, starting with the string
displayed in the dialog box in quotation marks, followed by the
filter string itself:

    "HTTP" http
    "DCERPC" dcerpc

The global dfilters file uses the same directory as the global
preferences file.

The personal dfilters file uses the same directory as the personal
preferences file. It is written through the Analyze:Display Filters
dialog.

If the global dfilters file exists, it is used only if the personal
dfilters file does not exist; global and personal display filters
are not merged.

Color Filters (Coloring Rules)

The colorfilters files contain system-wide and personal color
filters. Each line contains one filter, starting with the string
displayed in the dialog box, followed by the corresponding display
filter. Then the background and foreground colors are appended:

    # a comment
    @tcp@tcp@[59345,58980,65534][0,0,0]
    @udp@udp@[28834,57427,65533][0,0,0]

The global colorfilters file uses the same directory as the global
preferences file.

The personal colorfilters file uses the same directory as the
personal preferences file. It is written through the View:Coloring
Rules dialog.

If the global colorfilters file exists, it is used only if the
personal colorfilters file does not exist; global and personal
color filters are not merged.

Plugins

See above in the description of the About:Plugins page.

WIRESHARK_CONFIG_DIR

This environment variable overrides the location of personal
configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
$HOME/.wireshark if the former is missing while the latter exists).
On Windows, %APPDATA%\Wireshark is used instead. Available since
Wireshark 3.0.

WIRESHARK_DEBUG_WMEM_OVERRIDE

Setting this environment variable forces the wmem framework to use
the specified allocator backend for all allocations, regardless of
which backend is normally specified by the code. This is mainly
useful to developers when testing or debugging. See README.wmem in
the source distribution for details.

WIRESHARK_RUN_FROM_BUILD_DIRECTORY

This environment variable causes the plugins and other data files
to be loaded from the build directory (where the program was
compiled) rather than from the standard locations. It has no effect
when the program in question is running with root (or setuid)
permissions on *NIX.

WIRESHARK_DATA_DIR

This environment variable causes the various data files to be
loaded from a directory other than the standard locations. It has
no effect when the program in question is running with root (or
setuid) permissions on *NIX.

ERF_RECORDS_TO_CHECK

This environment variable controls the number of ERF records
checked when deciding if a file really is in the ERF format.
Setting this environment variable to a number higher than the
default (20) would make false positives less likely.

IPFIX_RECORDS_TO_CHECK

This environment variable controls the number of IPFIX records
checked when deciding if a file really is in the IPFIX format.
Setting this environment variable to a number higher than the
default (20) would make false positives less likely.

WIRESHARK_ABORT_ON_DISSECTOR_BUG

If this environment variable is set, Wireshark will call abort(3)
when a dissector bug is encountered. abort(3) will cause the
program to exit abnormally; if you are running Wireshark in a
debugger, it should halt in the debugger and allow inspection of
the process, and, if you are not running it in a debugger, it will,
on some OSes, assuming your environment is configured correctly,
generate a core dump file. This can be useful to developers
attempting to troubleshoot a problem with a protocol dissector.

WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

If this environment variable is set, Wireshark will call abort(3)
if a dissector tries to add too many items to a tree (generally
this is an indication of the dissector not breaking out of a loop
soon enough). abort(3) will cause the program to exit abnormally;
if you are running Wireshark in a debugger, it should halt in the
debugger and allow inspection of the process, and, if you are not
running it in a debugger, it will, on some OSes, assuming your
environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a
problem with a protocol dissector.

WIRESHARK_QUIT_AFTER_CAPTURE

Cause Wireshark to exit after the end of the capture session. This
doesn’t automatically start a capture; you must still use -k to do
that. You must also specify an autostop condition, e.g. -c or -a
duration:.... This means that you will not be able to see the
results of the capture after it stops; it’s primarily useful for
testing.

WIRESHARK_LOG_LEVEL

This environment variable controls the verbosity of diagnostic
messages to the console. From least verbose to most verbose, levels
can be critical, warning, message, info, debug or noisy. Levels
above the current level are also active. Levels critical and error
are always active.

WIRESHARK_LOG_FATAL

Sets the fatal log level. Fatal log levels cause the program to
abort. This level can be set to Error, critical or warning. Error
is always fatal and is the default.

WIRESHARK_LOG_DOMAINS

This environment variable selects which log domains are active. The
filter is given as a case-insensitive, comma-separated list. If set,
only the included domains will be enabled. The default domain is
always considered to be enabled. Domain filter lists can be
preceded by '!' to invert the sense of the match.

WIRESHARK_LOG_DEBUG

List of domains with debug log level. This sets the level of the
provided log domains and takes precedence over the active domains
filter. If preceded by '!' this disables the debug level instead.

WIRESHARK_LOG_NOISY

Same as above but for noisy log level instead.

Wireshark would not be the powerful, featureful application it is
without the generous contributions of hundreds of developers.

A complete list of authors can be found in the AUTHORS file in
Wireshark’s source code repository and at
https://www.wireshark.org/about.html#authors.

wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1),
mergecap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)

This is the manual page for Wireshark 3.6.2. The latest version of
Wireshark can be found at https://www.wireshark.org.

HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.

2022-02-16 WIRESHARK(1)