1WIRESHARK(1) WIRESHARK(1)
2
6 wireshark - Interactively dump and analyze network traffic
7
9 wireshark [ -i <capture interface>|- ] [ -f <capture filter> ]
10 [ -Y <display filter> ] [ -w <outfile> ] [ options ] [ <infile> ]
11
13 Wireshark is a GUI network protocol analyzer. It lets you interactively
14 browse packet data from a live network or from a previously saved
15 capture file. Wireshark's native capture file formats are pcapng format
16 and pcap format; it can read and write both formats.. pcap format is
17 also the format used by tcpdump and various other tools; tcpdump, when
18 using newer verions of the libpcap library, can also read some pcapng
19 files, and, on newer versions of macOS, can read all pcapng files and
20 can write them as well.
21 Wireshark can also read / import the following file formats:
23 • Oracle (previously Sun) snoop and atmsnoop captures
25 • Finisar (previously Shomiti) Surveyor captures
27 • Microsoft Network Monitor captures
29 • Novell LANalyzer captures
31 • AIX’s iptrace captures
33 • Cinco Networks NetXRay captures
35 • NETSCOUT (previously Network Associates/Network General)
37 Windows-based Sniffer captures
38 • Network General/Network Associates DOS-based Sniffer captures
40 (compressed or uncompressed)
41 • LiveAction (previously WildPackets/Savvius)
43 *Peek/EtherHelp/PacketGrabber captures
44 • RADCOM's WAN/LAN analyzer captures
46 • Viavi (previously Network Instruments) Observer captures
48 • Lucent/Ascend router debug output
50 • captures from HP-UX nettl
52 • Toshiba’s ISDN routers dump output
54 • the output from i4btrace from the ISDN4BSD project
56 • traces from the EyeSDN USB S0
58 • the IPLog format output from the Cisco Secure Intrusion Detection
60 System
61 • pppd logs (pppdump format)
63 • the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
65 • the text output from the DBS Etherwatch VMS utility
67 • Visual Networks' Visual UpTime traffic capture
69 • the output from CoSine L2 debug
71 • the output from InfoVista (previously Accellent) 5View LAN agents
73 • Endace Measurement Systems' ERF format captures
75 • Linux Bluez Bluetooth stack hcidump -w traces
77 • Catapult DCT2000 .out files
79 • Gammu generated text output from Nokia DCT3 phones in Netmonitor
81 mode
82 • IBM Series (OS/400) Comm traces (ASCII & UNICODE)
84 • Juniper Netscreen snoop files
86 • Symbian OS btsnoop files
88 • TamoSoft CommView files
90 • Tektronix K12xx 32bit .rf5 format files
92 • Tektronix K12 text file format captures
94 • Apple PacketLogger files
96 • Captures from Aethra Telecommunications' PC108 software for their
98 test instruments
99 • Citrix NetScaler Trace files
101 • Android Logcat binary and text format logs
103 • Colasoft Capsa and PacketBuilder captures
105 • Micropross mplog files
107 • Unigraf DPA-400 DisplayPort AUX channel monitor traces
109 • 802.15.4 traces from Daintree’s Sensor Network Analyzer
111 • MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
113 • Log files from the candump utility
115 • Logs from the BUSMASTER tool
117 • Ixia IxVeriWave raw captures
119 • Rabbit Labs CAM Inspector files
121 • systemd journal files
123 • 3GPP TS 32.423 trace files
125 There is no need to tell Wireshark what type of file you are reading;
127 it will determine the file type by itself. Wireshark is also capable of
128 reading any of these file formats if they are compressed using gzip.
129 Wireshark recognizes this directly from the file; the '.gz' extension
130 is not required for this purpose.
131 Like other protocol analyzers, Wireshark's main window shows 3 views of
133 a packet. It shows a summary line, briefly describing what the packet
134 is. A packet details display is shown, allowing you to drill down to
135 exact protocol or field that you interested in. Finally, a hex dump
136 shows you exactly what the packet looks like when it goes over the
137 wire.
138 In addition, Wireshark has some features that make it unique. It can
140 assemble all the packets in a TCP conversation and show you the ASCII
141 (or EBCDIC, or hex) data in that conversation. Display filters in
142 Wireshark are very powerful; more fields are filterable in Wireshark
143 than in other protocol analyzers, and the syntax you can use to create
144 your filters is richer. As Wireshark progresses, expect more and more
145 protocol fields to be allowed in display filters.
146 Packet capturing is performed with the pcap library. The capture filter
148 syntax follows the rules of the pcap library. This syntax is different
149 from the display filter syntax.
150 Compressed file support uses (and therefore requires) the zlib library.
152 If the zlib library is not present, Wireshark will compile, but will be
153 unable to read compressed files.
154 The pathname of a capture file to be read can be specified with the -r
156 option or can be specified as a command-line argument.
157
159 Most users will want to start Wireshark without options and configure
160 it from the menus instead. Those users may just skip this section.
161 -a|--autostop <capture autostop condition>
163 Specify a criterion that specifies when Wireshark is to stop
165 writing to a capture file. The criterion is of the form test:value,
166 where test is one of:
167 duration:value Stop writing to a capture file after value seconds
169 have elapsed. Floating point values (e.g. 0.5) are allowed.
170 files:value Stop writing to capture files after value number of
172 files were written.
173 filesize:value Stop writing to a capture file after it reaches a
175 size of value kB. If this option is used together with the -b
176 option, Wireshark will stop writing to the current capture file and
177 switch to the next one if filesize is reached. Note that the
178 filesize is limited to a maximum value of 2 GiB.
179 packets:value Stop writing to a capture file after it contains
181 value packets. Acts the same as -c<capture packet count>.
182 -b|--ring-buffer <capture ring buffer option>
184 Cause Wireshark to run in "multiple files" mode. In "multiple
186 files" mode, Wireshark will write to several capture files. When
187 the first capture file fills up, Wireshark will switch writing to
188 the next file and so on.
189 The created filenames are based on the filename given with the -w
191 flag, the number of the file and on the creation date and time,
192 e.g. outfile_00001_20220714120117.pcap,
193 outfile_00002_20220714120523.pcap, ...
194 With the files option it’s also possible to form a "ring buffer".
196 This will fill up new files until the number of files specified, at
197 which point Wireshark will discard the data in the first file and
198 start writing to that file and so on. If the files option is not
199 set, new files filled up until one of the capture stop conditions
200 match (or until the disk is full).
201 The criterion is of the form key:value, where key is one of:
203 duration:value switch to the next file after value seconds have
205 elapsed, even if the current file is not completely filled up.
206 Floating point values (e.g. 0.5) are allowed.
207 files:value begin again with the first file after value number of
209 files were written (form a ring buffer). This value must be less
210 than 100000. Caution should be used when using large numbers of
211 files: some filesystems do not handle many files in a single
212 directory well. The files criterion requires one of the other
213 criteria to be specified to control when to go to the next file. It
214 should be noted that each -b parameter takes exactly one criterion;
215 to specify two criteria, each must be preceded by the -b option.
216 filesize:value switch to the next file after it reaches a size of
218 value kB. Note that the filesize is limited to a maximum value of 2
219 GiB.
220 interval:value switch to the next file when the time is an exact
222 multiple of value seconds.
223 packets:value switch to the next file after it contains value
225 packets.
226 Example: -b filesize:1000 -b files:5 results in a ring buffer of
228 five files of size one megabyte each.
229 -B|--buffer-size <capture buffer size>
231 Set capture buffer size (in MiB, default is 2 MiB). This is used by
233 the capture driver to buffer packet data until that data can be
234 written to disk. If you encounter packet drops while capturing, try
235 to increase this size. Note that, while Wireshark attempts to set
236 the buffer size to 2 MiB by default, and can be told to set it to a
237 larger value, the system or interface on which you’re capturing
238 might silently limit the capture buffer size to a lower value or
239 raise it to a higher value.
240 This is available on UNIX systems with libpcap 1.0.0 or later and
242 on Windows. It is not available on UNIX systems with earlier
243 versions of libpcap.
244 This option can occur multiple times. If used before the first
246 occurrence of the -i option, it sets the default capture buffer
247 size. If used after an -i option, it sets the capture buffer size
248 for the interface specified by the last -i option occurring before
249 this option. If the capture buffer size is not set specifically,
250 the default capture buffer size is used instead.
251 -c <capture packet count>
253 Set the maximum number of packets to read when capturing live data.
255 Acts the same as -a packets:<capture packet count>.
256 -C <configuration profile>
258 Start with the given configuration profile.
260 --capture-comment <comment>
262 When performing a capture file from the command line, with the -k
264 flag, add a capture comment to the output file, if supported by the
265 capture format.
266 This option may be specified multiple times. Note that Wireshark
268 currently only displays the first comment of a capture file.
269 -d <layer type>==<selector>,<decode-as protocol>
271 Like Wireshark’s Decode As... feature, this lets you specify how a
273 layer type should be dissected. If the layer type in question (for
274 example, tcp.port or udp.port for a TCP or UDP port number) has the
275 specified selector value, packets should be dissected as the
276 specified protocol.
277 Example: -d tcp.port==8888,http will decode any traffic running
279 over TCP port 8888 as HTTP.
280 See the tshark(1) manual page for more examples.
282 -D|--list-interfaces
284 Print a list of the interfaces on which Wireshark can capture, and
286 exit. For each network interface, a number and an interface name,
287 possibly followed by a text description of the interface, is
288 printed. The interface name or the number can be supplied to the -i
289 flag to specify an interface on which to capture.
290 This can be useful on systems that don’t have a command to list
292 them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
293 link show). The number can be useful on Windows systems, where the
294 interface name might be a long name or a GUID.
295 Note that "can capture" means that Wireshark was able to open that
297 device to do a live capture; if, on your system, a program doing a
298 network capture must be run from an account with special privileges
299 (for example, as root), then, if Wireshark is run with the -D flag
300 and is not run from such an account, it will not list any
301 interfaces.
302 --display <X display to use>
304 Specifies the X display to use. A hostname and screen
306 (otherhost:0.0) or just a screen (:0.0) can be specified. This
307 option is not available under Windows.
308 --disable-protocol <proto_name>
310 Disable dissection of proto_name.
312 --disable-heuristic <short_name>
314 Disable dissection of heuristic protocol.
316 --enable-protocol <proto_name>
318 Enable dissection of proto_name.
320 --enable-heuristic <short_name>
322 Enable dissection of heuristic protocol.
324 -f <capture filter>
326 Set the capture filter expression.
328 This option can occur multiple times. If used before the first
330 occurrence of the -i option, it sets the default capture filter
331 expression. If used after an -i option, it sets the capture filter
332 expression for the interface specified by the last -i option
333 occurring before this option. If the capture filter expression is
334 not set specifically, the default capture filter expression is used
335 if provided.
336 Pre-defined capture filter names, as shown in the GUI menu item
338 Capture→Capture Filters, can be used by prefixing the argument with
339 "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"
340 --fullscreen
342 Start Wireshark in full screen mode (kiosk mode). To exit from
344 fullscreen mode, open the View menu and select the Full Screen
345 option. Alternatively, press the F11 key (or Ctrl + Cmd + F for
346 macOS).
347 -g <packet number>
349 After reading in a capture file using the -r flag, go to the given
351 packet number.
352 -h|--help
354 Print the version number and options and exit.
356 -H
358 Hide the capture info dialog during live packet capture.
360 -i|--interface <capture interface>|-
362 Set the name of the network interface or pipe to use for live
364 packet capture.
365 Network interface names should match one of the names listed in
367 "wireshark -D" (described above); a number, as reported by
368 "wireshark -D", can also be used. If you’re using UNIX, "netstat
369 -i", "ifconfig -a" or "ip link" might also work to list interface
370 names, although not all versions of UNIX support the -a option to
371 ifconfig.
372 If no interface is specified, Wireshark searches the list of
374 interfaces, choosing the first non-loopback interface if there are
375 any non-loopback interfaces, and choosing the first loopback
376 interface if there are no non-loopback interfaces. If there are no
377 interfaces at all, Wireshark reports an error and doesn’t start the
378 capture.
379 Pipe names should be either the name of a FIFO (named pipe) or "-"
381 to read data from the standard input. On Windows systems, pipe
382 names must be of the form "\\.\pipe\pipename". Data read from pipes
383 must be in standard pcapng or pcap format. Pcapng data must have
384 the same endianness as the capturing host.
385 "TCP@<host>:<port>" causes Wireshark to attempt to connect to the
387 specified port on the specified host and read pcapng or pcap data.
388 This option can occur multiple times. When capturing from multiple
390 interfaces, the capture file will be saved in pcapng format.
391 -I|--monitor-mode
393 Put the interface in "monitor mode"; this is supported only on IEEE
395 802.11 Wi-Fi interfaces, and supported only on some operating
396 systems.
397 Note that in monitor mode the adapter might disassociate from the
399 network with which it’s associated, so that you will not be able to
400 use any wireless networks with that adapter. This could prevent
401 accessing files on a network server, or resolving host names or
402 network addresses, if you are capturing in monitor mode and are not
403 connected to another network with another adapter.
404 This option can occur multiple times. If used before the first
406 occurrence of the -i option, it enables the monitor mode for all
407 interfaces. If used after an -i option, it enables the monitor mode
408 for the interface specified by the last -i option occurring before
409 this option.
410 -j
412 Use after -J to change the behavior when no exact match is found
414 for the filter. With this option select the first packet before.
415 -J <jump filter>
417 After reading in a capture file using the -r flag, jump to the
419 packet matching the filter (display filter syntax). If no exact
420 match is found the first packet after that is selected.
421 -k
423 Start the capture session immediately. If the -i flag was
425 specified, the capture uses the specified interface. Otherwise,
426 Wireshark searches the list of interfaces, choosing the first
427 non-loopback interface if there are any non-loopback interfaces,
428 and choosing the first loopback interface if there are no
429 non-loopback interfaces; if there are no interfaces, Wireshark
430 reports an error and doesn’t start the capture.
431 -K <keytab>
433 Load kerberos crypto keys from the specified keytab file. This
435 option can be used multiple times to load keys from several files.
436 Example: -K krb5.keytab
438 -l
440 Turn on automatic scrolling if the packet display is being updated
442 automatically as packets arrive during a capture (as specified by
443 the -S flag).
444 -L|--list-data-link-types
446 List the data link types supported by the interface and exit.
448 --list-time-stamp-types
450 List time stamp types supported for the interface. If no time stamp
452 type can be set, no time stamp types are listed.
453 -n
455 Disable network object name resolution (such as hostname, TCP and
457 UDP port names), the -N flag might override this one.
458 -N <name resolving flags>
460 Turn on name resolving only for particular types of addresses and
462 port numbers, with name resolving for other types of addresses and
463 port numbers turned off. This flag overrides -n if both -N and -n
464 are present. If both -N and -n flags are not present, all name
465 resolutions are turned on.
466 The argument is a string that may contain the letters:
468 m to enable MAC address resolution
470 n to enable network address resolution
472 N to enable using external resolvers (e.g., DNS) for network
474 address resolution
475 t to enable transport-layer port number resolution
477 d to enable resolution from captured DNS packets
479 v to enable VLAN IDs to names resolution
481 -o <preference/recent setting>
483 Set a preference or recent value, overriding the default value and
485 any value read from a preference/recent file. The argument to the
486 flag is a string of the form prefname:value, where prefname is the
487 name of the preference/recent value (which is the same name that
488 would appear in the preference/recent file), and value is the value
489 to which it should be set. Since Ethereal 0.10.12, the recent
490 settings replaces the formerly used -B, -P and -T flags to
491 manipulate the GUI dimensions.
492 If prefname is "uat", you can override settings in various user
494 access tables using the form "uat:uat filename:uat record". uat
495 filename must be the name of a UAT file, e.g. user_dlts. uat_record
496 must be in the form of a valid record for that file, including
497 quotes. For instance, to specify a user DLT from the command line,
498 you would use
499 -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
501 -p|--no-promiscuous-mode
503 Don’t put the interface into promiscuous mode. Note that the
505 interface might be in promiscuous mode for some other reason;
506 hence, -p cannot be used to ensure that the only traffic that is
507 captured is traffic sent to or from the machine on which Wireshark
508 is running, broadcast traffic, and multicast traffic to addresses
509 received by that machine.
510 This option can occur multiple times. If used before the first
512 occurrence of the -i option, no interface will be put into the
513 promiscuous mode. If used after an -i option, the interface
514 specified by the last -i option occurring before this option will
515 not be put into the promiscuous mode.
516 -P <path setting>
518 Special path settings usually detected automatically. This is used
520 for special cases, e.g. starting Wireshark from a known location on
521 an USB stick.
522 The criterion is of the form key:path, where key is one of:
524 persconf:path path of personal configuration files, like the
526 preferences files.
527 persdata:path path of personal data files, it’s the folder
529 initially opened. After the very first initialization, the recent
530 file will keep the folder last used.
531 -r|--read-file <infile>
533 Read packet data from infile, can be any supported capture file
535 format (including gzipped files). It’s not possible to use named
536 pipes or stdin here! To capture from a pipe or from stdin use -i -
537 -R|--read-filter <read (display) filter>
539 When reading a capture file specified with the -r flag, causes the
541 specified filter (which uses the syntax of display filters, rather
542 than that of capture filters) to be applied to all packets read
543 from the capture file; packets not matching the filter are
544 discarded.
545 -s|--snapshot-length <capture snaplen>
547 Set the default snapshot length to use when capturing live data. No
549 more than snaplen bytes of each network packet will be read into
550 memory, or saved to disk. A value of 0 specifies a snapshot length
551 of 262144, so that the full packet is captured; this is the
552 default.
553 This option can occur multiple times. If used before the first
555 occurrence of the -i option, it sets the default snapshot length.
556 If used after an -i option, it sets the snapshot length for the
557 interface specified by the last -i option occurring before this
558 option. If the snapshot length is not set specifically, the default
559 snapshot length is used if provided.
560 -S
562 Automatically update the packet display as packets are coming in.
564 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
566 Set the format of the packet timestamp displayed in the packet list
568 window. The format can be one of:
569 a absolute: The absolute time, as local time in your time zone, is
571 the actual time the packet was captured, with no date displayed
572 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
574 and time, as local time in your time zone, is the actual time and
575 date the packet was captured
576 adoy absolute with date using day of year: The absolute date,
578 displayed as YYYY/DOY, and time, as local time in your time zone,
579 is the actual time and date the packet was captured
580 d delta: The delta time is the time since the previous packet was
582 captured
583 dd delta_displayed: The delta_displayed time is the time since the
585 previous displayed packet was captured
586 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
588 r relative: The relative time is the time elapsed between the first
590 packet and the current packet
591 u UTC: The absolute time, as UTC, is the actual time the packet was
593 captured, with no date displayed
594 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
596 time, as UTC, is the actual time and date the packet was captured
597 udoy UTC with date using day of year: The absolute date, displayed
599 as YYYY/DOY, and time, as UTC, is the actual time and date the
600 packet was captured
601 The default format is relative.
603 --temp-dir <directory>
605 Specifies the directory into which temporary files (including
607 capture files) are to be written. The default behaviour is to use
608 your system’s temporary directory (typically /tmp on Linux, and
609 C:\\Temp on Windows).
610 --time-stamp-type <type>
612 Change the interface’s timestamp method. See
614 --list-time-stamp-types.
615 -u <s|hms>
617 Output format of seconds (def: s: seconds)
619 -v|--version
621 Print the full version information and exit.
623 -w <outfile>
625 Set the default capture file name, or '-' for standard output.
627 -X <eXtension options>
629 Specify an option to be passed to an Wireshark module. The
631 eXtension option is in the form extension_key:value, where
632 extension_key can be:
633 lua_script:lua_script_filename tells Wireshark to load the given
635 script in addition to the default Lua scripts.
636 lua_scriptnum:argument tells Wireshark to pass the given argument
638 to the lua script identified by 'num', which is the number indexed
639 order of the 'lua_script' command. For example, if only one script
640 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
641 will pass the string 'foo' to the 'my.lua' script. If two scripts
642 were loaded, such as '-X lua_script:my.lua' and '-X
643 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
644 would pass the string 'bar' to the second lua script, namely
645 'other.lua'.
646 read_format:file_format tells Wireshark to use the given file
648 format to read in the file (the file given in the -r command
649 option).
650 stdin_descr:description tells Wireshark to use the given
652 description when capturing from standard input (-i -).
653 -y|--linktype <capture link type>
655 If a capture is started from the command line with -k, set the data
657 link type to use while capturing packets. The values reported by -L
658 are the values that can be used.
659 This option can occur multiple times. If used before the first
661 occurrence of the -i option, it sets the default capture link type.
662 If used after an -i option, it sets the capture link type for the
663 interface specified by the last -i option occurring before this
664 option. If the capture link type is not set specifically, the
665 default capture link type is used if provided.
666 -Y|--display-filter <displaY filter>
668 Start with the given display filter.
670 -z <statistics>
672 Get Wireshark to collect various types of statistics and display
674 the result in a window that updates in semi-real time.
675 Some of the currently implemented statistics are:
677 -z help
679 Display all possible values for -z.
681 -z afp,srt[,filter]
683 Show Apple Filing Protocol service response time statistics.
685 -z conv,type[,filter]
687 Create a table that lists all conversations that could be seen in
689 the capture. type specifies the conversation endpoint types for
690 which we want to generate the statistics; currently the supported
691 ones are:
692 "eth" Ethernet addresses
694 "fc" Fibre Channel addresses
695 "fddi" FDDI addresses
696 "ip" IPv4 addresses
697 "ipv6" IPv6 addresses
698 "ipx" IPX addresses
699 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
700 "tr" Token Ring addresses
701 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
702 If the optional filter is specified, only those packets that match
704 the filter will be used in the calculations.
705 The table is presented with one line for each conversation and
707 displays the number of packets/bytes in each direction as well as
708 the total number of packets/bytes. By default, the table is sorted
709 according to the total number of packets.
710 These tables can also be generated at runtime by selecting the
712 appropriate conversation type from the menu
713 "Tools/Statistics/Conversation List/".
714 -z dcerpc,srt,name-or-uuid,major.minor[,filter]
716 Collect call/reply SRT (Service Response Time) data for DCERPC
718 interface name or uuid, version major.minor. Data collected is the
719 number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
720 Interface name and uuid are case-insensitive.
721 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
723 will collect data for the CIFS SAMR Interface.
724 This option can be used multiple times on the command line.
726 If the optional filter is provided, the stats will only be
728 calculated on those calls that match that filter.
729 Example: -z
731 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
732 will collect SAMR SRT statistics for a specific host.
733 -z dhcp,stat[,filter]
735 Show DHCP (BOOTP) statistics.
737 -z expert
739 Show expert information.
741 -z fc,srt[,filter]
743 Collect call/reply SRT (Service Response Time) data for FC. Data
745 collected is the number of calls for each Fibre Channel command,
746 MinSRT, MaxSRT and AvgSRT.
747 Example: -z fc,srt will calculate the Service Response Time as the
749 time delta between the First packet of the exchange and the Last
750 packet of the exchange.
751 The data will be presented as separate tables for all normal FC
753 commands, Only those commands that are seen in the capture will
754 have its stats displayed.
755 This option can be used multiple times on the command line.
757 If the optional filter is provided, the stats will only be
759 calculated on those calls that match that filter.
760 Example: -z "fc,srt,fc.id==01.02.03" will collect stats only for FC
762 packets exchanged by the host at FC address 01.02.03 .
763 -z h225,counter[,filter]
765 Count ITU-T H.225 messages and their reasons. In the first column
767 you get a list of H.225 messages and H.225 message reasons which
768 occur in the current capture file. The number of occurrences of
769 each message or reason is displayed in the second column.
770 Example: -z h225,counter
772 This option can be used multiple times on the command line.
774 If the optional filter is provided, the stats will only be
776 calculated on those calls that match that filter.
777 Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only
779 for H.225 packets exchanged by the host at IP address 1.2.3.4 .
780 -z h225,srt[,filter]
782 Collect request/response SRT (Service Response Time) data for ITU-T
784 H.225 RAS. Data collected is the number of calls of each ITU-T
785 H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
786 Minimum in Packet, and Maximum in Packet. You will also get the
787 number of Open Requests (Unresponded Requests), Discarded Responses
788 (Responses without matching request) and Duplicate Messages.
789 Example: -z h225,srt
791 This option can be used multiple times on the command line.
793 If the optional filter is provided, the stats will only be
795 calculated on those calls that match that filter.
796 Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for
798 ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4
799 .
800 -z io,stat
802 Collect packet/bytes statistics for the capture in intervals of 1
804 second. This option will open a window with up to 5 color-coded
805 graphs where number-of-packets-per-second or
806 number-of-bytes-per-second statistics can be calculated and
807 displayed.
808 This option can be used multiple times on the command line.
810 This graph window can also be opened from the
812 Analyze:Statistics:Traffic:IO-Stat menu item.
813 -z ldap,srt[,filter]
815 Collect call/reply SRT (Service Response Time) data for LDAP. Data
817 collected is the number of calls for each implemented LDAP command,
818 MinSRT, MaxSRT and AvgSRT.
819 Example: -z ldap,srt will calculate the Service Response Time as
821 the time delta between the Request and the Response.
822 The data will be presented as separate tables for all implemented
824 LDAP commands, Only those commands that are seen in the capture
825 will have its stats displayed.
826 This option can be used multiple times on the command line.
828 If the optional filter is provided, the stats will only be
830 calculated on those calls that match that filter.
831 Example: use -z "ldap,srt,ip.addr==10.1.1.1" will collect stats
833 only for LDAP packets exchanged by the host at IP address 10.1.1.1
834 .
835 The only LDAP commands that are currently implemented and for which
837 the stats will be available are: BIND SEARCH MODIFY ADD DELETE
838 MODRDN COMPARE EXTENDED
839 -z megaco,srt[,filter]
841 Collect request/response SRT (Service Response Time) data for
843 MEGACO. (This is similar to -z smb,srt). Data collected is the
844 number of calls for each known MEGACO Command, Minimum SRT, Maximum
845 SRT and Average SRT.
846 Example: -z megaco,srt
848 This option can be used multiple times on the command line.
850 If the optional filter is provided, the stats will only be
852 calculated on those calls that match that filter.
853 Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only
855 for MEGACO packets exchanged by the host at IP address 1.2.3.4 .
856 -z mgcp,srt[,filter]
858 Collect request/response SRT (Service Response Time) data for MGCP.
860 (This is similar to -z smb,srt). Data collected is the number of
861 calls for each known MGCP Type, Minimum SRT, Maximum SRT and
862 Average SRT.
863 Example: -z mgcp,srt
865 This option can be used multiple times on the command line.
867 If the optional filter is provided, the stats will only be
869 calculated on those calls that match that filter.
870 Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for
872 MGCP packets exchanged by the host at IP address 1.2.3.4 .
873 -z mtp3,msus[,<filter>]
875 Show MTP3 MSU statistics.
877 -z multicast,stat[,<filter>]
879 Show UDP multicast stream statistics.
881 -z rpc,programs
883 Collect call/reply SRT data for all known ONC-RPC
885 programs/versions. Data collected is the number of calls for each
886 protocol/version, MinSRT, MaxSRT and AvgSRT.
887 -z rpc,srt,name-or-number,version[,<filter>]
889 Collect call/reply SRT (Service Response Time) data for program
891 name/version or number/version. Data collected is the number of
892 calls for each procedure, MinSRT, MaxSRT and AvgSRT. Program name
893 is case-insensitive.
894 Example: -z rpc,srt,100003,3 will collect data for NFS v3.
896 This option can be used multiple times on the command line.
898 If the optional filter is provided, the stats will only be
900 calculated on those calls that match that filter.
901 Example: -z rpc,srt,nfs,3,nfs.fh.hash==0x12345678 will collect NFS
903 v3 SRT statistics for a specific file.
904 -z scsi,srt,cmdset[,<filter>]
906 Collect call/reply SRT (Service Response Time) data for SCSI
908 commandset <cmdset>.
909 Commandsets are 0:SBC 1:SSC 5:MMC
911 Data collected is the number of calls for each procedure, MinSRT,
913 MaxSRT and AvgSRT.
914 Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
916 (SBC).
917 This option can be used multiple times on the command line.
919 If the optional filter is provided, the stats will only be
921 calculated on those calls that match that filter.
922 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
924 statistics for a specific iscsi/ifcp/fcip host.
925 -z sip,stat[,filter]
927 This option will activate a counter for SIP messages. You will get
929 the number of occurrences of each SIP Method and of each SIP
930 Status-Code. Additionally you also get the number of resent SIP
931 Messages (only for SIP over UDP).
932 Example: -z sip,stat
934 This option can be used multiple times on the command line.
936 If the optional filter is provided, the stats will only be
938 calculated on those calls that match that filter.
939 Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for
941 SIP packets exchanged by the host at IP address 1.2.3.4 .
942 -z smb,srt[,filter]
944 Collect call/reply SRT (Service Response Time) data for SMB. Data
946 collected is the number of calls for each SMB command, MinSRT,
947 MaxSRT and AvgSRT.
948 Example: -z smb,srt
950 The data will be presented as separate tables for all normal SMB
952 commands, all Transaction2 commands and all NT Transaction
953 commands. Only those commands that are seen in the capture will
954 have their stats displayed. Only the first command in a xAndX
955 command chain will be used in the calculation. So for common
956 SessionSetupAndX + TreeConnectAndX chains, only the
957 SessionSetupAndX call will be used in the statistics. This is a
958 flaw that might be fixed in the future.
959 This option can be used multiple times on the command line.
961 If the optional filter is provided, the stats will only be
963 calculated on those calls that match that filter.
964 Example: -z "smb,srt,ip.addr==1.2.3.4" will collect stats only for
966 SMB packets exchanged by the host at IP address 1.2.3.4 .
967 -z voip,calls
969 This option will show a window that shows VoIP calls found in the
971 capture file. This is the same window shown as when you go to the
972 Statistics Menu and choose VoIP Calls.
973 Example: -z voip,calls
975 -z wlan,stat[,<filter>]
977 Show IEEE 802.11 network and station statistics.
979 -z wsp,stat[,<filter>]
981 Show WSP packet counters.
983
985 --log-level <level>
986 Set the active log level. Supported levels in lowest to highest
987 order are "noisy", "debug", "info", "message", "warning",
988 "critical", and "error". Messages at each level and higher will be
989 printed, for example "warning" prints "warning", "critical", and
990 "error" messages and "noisy" prints all messages. Levels are case
991 insensitive.
992 --log-fatal <level>
994 Abort the program if any messages are logged at the specified level
995 or higher. For example, "warning" aborts on any "warning",
996 "critical", or "error" messages.
997 --log-domains <list>
999 Only print messages for the specified log domains, e.g.
1000 "GUI,Epan,sshdump". List of domains must be comma-separated.
1001 --log-debug <list>
1003 Force the specified domains to log at the "debug" level. List of
1004 domains must be comma-separated.
1005 --log-noisy <list>
1007 Force the specified domains to log at the "noisy" level. List of
1008 domains must be comma-separated.
1009 --log-file <path>
1011 Write log messages and stderr output to the specified file.
1012
1014 MENU ITEMS
1015 File › Open, File › Open Recent, File › Merge
1016 Merge another capture file to the currently loaded one. The
1018 File:Merge dialog box allows the merge "Prepended",
1019 "Chronologically" or "Appended", relative to the already loaded
1020 one.
1021 File › Close
1023 Open or close a capture file. The File:Open dialog box allows a
1025 filter to be specified; when the capture file is read, the filter
1026 is applied to all packets read from the file, and packets not
1027 matching the filter are discarded. The File:Open Recent is a
1028 submenu and will show a list of previously opened files.
1029 File › Save, File › Save As
1031 Save the current capture, or the packets currently displayed from
1033 that capture, to a file. Check boxes let you select whether to save
1034 all packets, or just those that have passed the current display
1035 filter and/or those that are currently marked, and an option menu
1036 lets you select (from a list of file formats in which at particular
1037 capture, or the packets currently displayed from that capture, can
1038 be saved), a file format in which to save it.
1039 File › File Set › List Files
1041 Show a dialog box that lists all files of the file set matching the
1043 currently loaded file. A file set is a compound of files resulting
1044 from a capture using the "multiple files" / "ringbuffer" mode,
1045 recognizable by the filename pattern, e.g.:
1046 Filename_00001_20220714101530.pcap.
1047 File › File Set › Next File, File › File Set › Previous File
1049 If the currently loaded file is part of a file set (see above),
1051 open the next / previous file in that set.
1052 File › Export
1054 Export captured data into an external format. Note: the data cannot
1056 be imported back into Wireshark, so be sure to keep the capture
1057 file.
1058 File › Print
1060 Print packet data from the current capture. You can select the
1062 range of packets to be printed (which packets are printed), and the
1063 output format of each packet (how each packet is printed). The
1064 output format will be similar to the displayed values, so a summary
1065 line, the packet details view, and/or the hex dump of the packet
1066 can be printed.
1067 Printing options can be set with the Edit:Preferences menu item, or
1069 in the dialog box popped up by this menu item.
1070 File › Quit
1072 Exit the application.
1073 Edit › Copy › Description
1075 Copies the description of the selected field in the protocol tree
1076 to the clipboard.
1077 Edit › Copy › Fieldname
1079 Copies the fieldname of the selected field in the protocol tree to
1080 the clipboard.
1081 Edit › Copy › Value
1083 Copies the value of the selected field in the protocol tree to the
1084 clipboard.
1085 Edit › Copy › As Filter
1087 Create a display filter based on the data currently highlighted in
1089 the packet details and copy that filter to the clipboard.
1090 If that data is a field that can be tested in a display filter
1092 expression, the display filter will test that field; otherwise, the
1093 display filter will be based on the absolute offset within the
1094 packet. Therefore it could be unreliable if the packet contains
1095 protocols with variable-length headers, such as a source-routed
1096 token-ring packet.
1097 Edit › Find Packet
1099 Search forward or backward, starting with the currently selected
1101 packet (or the most recently selected packet, if no packet is
1102 selected). Search criteria can be a display filter expression, a
1103 string of hexadecimal digits, or a text string.
1104 When searching for a text string, you can search the packet data,
1106 or you can search the text in the Info column in the packet list
1107 pane or in the packet details pane.
1108 Hexadecimal digits can be separated by colons, periods, or dashes.
1110 Text string searches can be ASCII or Unicode (or both), and may be
1111 case insensitive.
1112 Edit › Find Next, Edit › Find Previous
1114 Search forward / backward for a packet matching the filter from the
1116 previous search, starting with the currently selected packet (or
1117 the most recently selected packet, if no packet is selected).
1118 Edit › Mark Packet (toggle)
1120 Mark (or unmark if currently marked) the selected packet. The field
1122 "frame.marked" is set for packets that are marked, so that, for
1123 example, a display filters can be used to display only marked
1124 packets, and so that the /"Edit:Find Packet" dialog can be used to
1125 find the next or previous marked packet.
1126 Edit › Find Next Mark, Edit › Find Previous Mark
1128 Find next or previous marked packet.
1129 Edit › Mark All Packets, Edit › Unmark All Packets
1131 Mark or unmark all packets that are currently displayed.
1132 Edit › Time Reference › Set Time Reference (toggle)
1134 Set (or unset if currently set) the selected packet as a Time
1136 Reference packet. When a packet is set as a Time Reference packet,
1137 the timestamps in the packet list pane will be replaced with the
1138 string "REF". The relative time timestamp in later packets will
1139 then be calculated relative to the timestamp of this Time Reference
1140 packet and not the first packet in the capture.
1141 Packets that have been selected as Time Reference packets will
1143 always be displayed in the packet list pane. Display filters will
1144 not affect or hide these packets.
1145 If there is a column displayed for "Cumulative Bytes" this counter
1147 will be reset at every Time Reference packet.
1148 Edit › Time Reference › Find Next, Edit › Time Reference › Find
1150 Previous
1151 Search forward or backward for a time referenced packet.
1152 Edit › Configuration Profiles
1154 Manage configuration profiles to be able to use more than one set
1155 of preferences and configurations.
1156 Edit › Preferences
1158 Set the GUI, capture, printing and protocol options (see
1159 /Preferences dialog below).
1160 View › Main Toolbar, View › Filter Toolbar, View › Statusbar
1162 Show or hide the main window controls.
1163 View › Packet List, View › Packet Details, View › Packet Bytes
1165 Show or hide the main window panes.
1166 View › Time Display Format
1168 Set the format of the packet timestamp displayed in the packet list
1169 window.
1170 View › Name Resolution › Resolve Name
1172 Try to resolve a name for the currently selected item.
1173 View › Name Resolution › Enable for ... Layer
1175 Enable or disable translation of addresses to names in the display.
1176 View › Colorize Packet List
1178 Enable or disable the coloring rules. Disabling will improve
1179 performance.
1180 View › Auto Scroll in Live Capture
1182 Enable or disable the automatic scrolling of the packet list while
1183 a live capture is in progress.
1184 View › Zoom In, View › Zoom Out
1186 Zoom into or out of the main window data (by changing the font
1187 size).
1188 View › Normal Size
1190 Reset the zoom level back to normal font size.
1191 View › Resize All Columns
1193 Resize all columns to best fit the current packet display.
1194 View › Expand / Collapse Subtrees
1196 Expand or collapse the currently selected item and its subtrees in
1197 the packet details.
1198 View › Expand All, View › Collapse All
1200 Expand or Collapse all branches of the packet details.
1201 View › Colorize Conversation
1203 Select a color for a conversation.
1204 View › Reset Coloring 1-10
1206 Reset a color for a conversation.
1207 View › Coloring Rules
1209 Change the foreground and background colors of the packet
1211 information in the list of packets, based upon display filters. The
1212 list of display filters is applied to each packet sequentially.
1213 After the first display filter matches a packet, any additional
1214 display filters in the list are ignored. Therefore, if you are
1215 filtering on the existence of protocols, you should list the
1216 higher-level protocols first, and the lower-level protocols last.
1217 How Colorization Works
1219 Packets are colored according to a list of color filters. Each
1221 filter consists of a name, a filter expression and a coloration. A
1222 packet is colored according to the first filter that it matches.
1223 Color filter expressions use exactly the same syntax as display
1224 filter expressions.
1225 When Wireshark starts, the color filters are loaded from:
1227 1. The user’s personal color filters file or, if that does not
1229 exist,
1230 2. The global color filters file.
1232 If neither of these exist then the packets will not be colored.
1234 View › Show Packet In New Window
1236 Create a new window containing a packet details view and a hex dump
1238 window of the currently selected packet; this window will continue
1239 to display that packet’s details and data even if another packet is
1240 selected.
1241 View › Reload
1243 Reload a capture file. Same as File:Close and File:Open the same
1244 file again.
1245 Go › Back
1247 Go back in previously visited packets history.
1248 Go › Forward
1250 Go forward in previously visited packets history.
1251 Go › Go To Packet
1253 Go to a particular numbered packet.
1254 Go › Go To Corresponding Packet
1256 If a field in the packet details pane containing a packet number is
1258 selected, go to the packet number specified by that field. (This
1259 works only if the dissector that put that entry into the packet
1260 details put it into the details as a filterable field rather than
1261 just as text.) This can be used, for example, to go to the packet
1262 for the request corresponding to a reply, or the reply
1263 corresponding to a request, if that packet number has been put into
1264 the packet details.
1265 Go › Previous Packet, Go › Next Packet, Go › First Packet, Go › Last
1267 Packet
1268 Go to the previous, next, first, or last packet in the capture.
1269 Go › Previous Packet In Conversation, Go › Next Packet In Conversation
1271 Go to the previous or next packet of the TCP, UDP or IP
1272 conversation.
1273 Capture › Interfaces
1275 Shows a dialog box with all currently known interfaces and
1277 displaying the current network traffic amount. Capture sessions can
1278 be started from here. Beware: keeping this box open results in high
1279 system load!
1280 Capture › Options
1282 Initiate a live packet capture (see /"Capture Options Dialog"
1284 below). If no filename is specified, a temporary file will be
1285 created to hold the capture. The location of the file can be chosen
1286 by setting your TMPDIR environment variable before starting
1287 Wireshark. Otherwise, the default TMPDIR location is
1288 system-dependent, but is likely either /var/tmp or /tmp.
1289 Capture › Start
1291 Start a live packet capture with the previously selected options.
1293 This won’t open the options dialog box, and can be convenient for
1294 repeatedly capturing with the same options.
1295 Capture › Stop
1297 Stop a running live capture.
1298 Capture › Restart
1300 While a live capture is running, stop it and restart with the same
1302 options again. This can be convenient to remove irrelevant packets,
1303 if no valuable packets were captured so far.
1304 Capture › Capture Filters
1306 Edit the saved list of capture filters, allowing filters to be
1307 added, changed, or deleted.
1308 Analyze › Display Filters
1310 Edit the saved list of display filters, allowing filters to be
1311 added, changed, or deleted.
1312 Analyze › Display Filter Macros
1314 Create shortcuts for complex macros.
1315 Analyze › Apply as Filter
1317 Create a display filter based on the data currently highlighted in
1319 the packet details and apply the filter.
1320 If that data is a field that can be tested in a display filter
1322 expression, the display filter will test that field; otherwise, the
1323 display filter will be based on the absolute offset within the
1324 packet. Therefore it could be unreliable if the packet contains
1325 protocols with variable-length headers, such as a source-routed
1326 token-ring packet.
1327 The Selected option creates a display filter that tests for a match
1329 of the data; the Not Selected option creates a display filter that
1330 tests for a non-match of the data. The And Selected, Or Selected,
1331 And Not Selected, and Or Not Selected options add to the end of the
1332 display filter in the strip at the top (or bottom) an AND or OR
1333 operator followed by the new display filter expression.
1334 Analyze › Prepare as Filter
1336 Create a display filter based on the data currently highlighted in
1338 the packet details. The filter strip at the top (or bottom) is
1339 updated but it is not yet applied.
1340 Analyze › Enabled Protocols
1342 Allow protocol dissection to be enabled or disabled for a specific
1344 protocol. Individual protocols can be enabled or disabled by
1345 clicking on them in the list or by highlighting them and pressing
1346 the space bar. The entire list can be enabled, disabled, or
1347 inverted using the buttons below the list.
1348 When a protocol is disabled, dissection in a particular packet
1350 stops when that protocol is reached, and Wireshark moves on to the
1351 next packet. Any higher-layer protocols that would otherwise have
1352 been processed will not be displayed. For example, disabling TCP
1353 will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
1354 and any other protocol exclusively dependent on TCP.
1355 The list of protocols can be saved, so that Wireshark will start up
1357 with the protocols in that list disabled.
1358 Analyze › Decode As
1360 If you have a packet selected, present a dialog allowing you to
1362 change which dissectors are used to decode this packet. The dialog
1363 has one panel each for the link layer, network layer and transport
1364 layer protocol/port numbers, and will allow each of these to be
1365 changed independently. For example, if the selected packet is a TCP
1366 packet to port 12345, using this dialog you can instruct Wireshark
1367 to decode all packets to or from that TCP port as HTTP packets.
1368 Analyze › User Specified Decodes
1370 Create a new window showing whether any protocol ID to dissector
1372 mappings have been changed by the user. This window also allows the
1373 user to reset all decodes to their default values.
1374 Analyze › Follow TCP Stream
1376 If you have a TCP packet selected, display the contents of the data
1378 stream for the TCP connection to which that packet belongs, as
1379 text, in a separate window, and leave the list of packets in a
1380 filtered state, with only those packets that are part of that TCP
1381 connection being displayed. You can revert to your old view by
1382 pressing ENTER in the display filter text box, thereby invoking
1383 your old display filter (or resetting it back to no display
1384 filter).
1385 The window in which the data stream is displayed lets you select:
1387 • whether to display the entire conversation, or one or the other
1389 side of it;
1390 • whether the data being displayed is to be treated as ASCII or
1392 EBCDIC text or as raw hex data;
1393 and lets you print what’s currently being displayed, using the same
1395 print options that are used for the File:Print Packet menu item, or
1396 save it as text to a file.
1397 Analyze › Follow UDP Stream, Analyze › Follow TLS Stream
1399 Similar to Analyze:Follow TCP Stream.
1400 Analyze › Expert Info, Analyze › Expert Info Composite
1402 Show anomalies found by Wireshark in a capture file.
1403 Analyze › Conversation Filter, Statistics › Summary
1405 Show summary information about the capture, including elapsed time,
1407 packet counts, byte counts, and the like. If a display filter is in
1408 effect, summary information will be shown about the capture and
1409 about the packets currently being displayed.
1410 Statistics › Protocol Hierarchy
1412 Show the number of packets, and the number of bytes in those
1414 packets, for each protocol in the trace. It organizes the protocols
1415 in the same hierarchy in which they were found in the trace.
1416 Besides counting the packets in which the protocol exists, a count
1417 is also made for packets in which the protocol is the last protocol
1418 in the stack. These last-protocol counts show you how many packets
1419 (and the byte count associated with those packets) ended in a
1420 particular protocol. In the table, they are listed under "End
1421 Packets" and "End Bytes".
1422 Statistics › Conversations
1424 Lists of conversations; selectable by protocol. See
1425 Statistics:Conversation List below.
1426 Statistics › End Points
1428 List of End Point Addresses by protocol with packets, bytes, and
1429 other counts.
1430 Statistics › Packet Lengths
1432 Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
1433 Statistics › I/O Graphs
1435 Open a window where up to 5 graphs in different colors can be
1437 displayed to indicate number of packets or number of bytes per
1438 second for all packets matching the specified filter. By default
1439 only one graph will be displayed showing number of packets per
1440 second.
1441 The top part of the window contains the graphs and scales for the X
1443 and Y axis. If the graph is too long to fit inside the window there
1444 is a horizontal scrollbar below the drawing area that can scroll
1445 the graphs to the left or the right. The horizontal axis displays
1446 the time into the capture and the vertical axis will display the
1447 measured quantity at that time.
1448 Below the drawing area and the scrollbar are the controls. On the
1450 bottom left there will be five similar sets of controls to control
1451 each individual graph such as "Display:<button>" which button will
1452 toggle that individual graph on/off. If <button> is ticked, the
1453 graph will be displayed. "Color:<color>" which is just a button to
1454 show which color will be used to draw that graph. Finally
1455 "Filter:<filter-text>" which can be used to specify a display
1456 filter for that particular graph.
1457 If filter-text is empty then all packets will be used to calculate
1459 the quantity for that graph. If filter-text is specified only those
1460 packets that match that display filter will be considered in the
1461 calculation of quantity.
1462 To the right of the 5 graph controls there are four menus to
1464 control global aspects of the draw area and graphs. The "Unit:"
1465 menu is used to control what to measure; "packets/tick",
1466 "bytes/tick" or "advanced..."
1467 packets/tick will measure the number of packets matching the (if
1469 specified) display filter for the graph in each measurement
1470 interval.
1471 bytes/tick will measure the total number of bytes in all packets
1473 matching the (if specified) display filter for the graph in each
1474 measurement interval.
1475 advanced... see below
1477 "Tick interval:" specifies what measurement intervals to use. The
1479 default is 1 second and means that the data will be counted over 1
1480 second intervals.
1481 "Pixels per tick:" specifies how many pixels wide each measurement
1483 interval will be in the drawing area. The default is 5 pixels per
1484 tick.
1485 "Y-scale:" controls the max value for the y-axis. Default value is
1487 "auto" which means that Wireshark will try to adjust the maxvalue
1488 automatically.
1489 "advanced..." If Unit:advanced... is selected the window will
1491 display two more controls for each of the five graphs. One control
1492 will be a menu where the type of calculation can be selected from
1493 SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the
1494 name of a single display filter field can be specified.
1495 The following restrictions apply to type and field combinations:
1497 SUM: available for all types of integers and will calculate the SUM
1499 of all occurrences of this field in the measurement interval. Note
1500 that some field can occur multiple times in the same packet and
1501 then all instances will be summed up. Example: 'tcp.len' which will
1502 count the amount of payload data transferred across TCP in each
1503 interval.
1504 COUNT: available for all field types. This will COUNT the number of
1506 times certain field occurs in each interval. Note that some fields
1507 may occur multiple times in each packet and if that is the case
1508 then each instance will be counted independently and COUNT will be
1509 greater than the number of packets.
1510 MAX: available for all integer and relative time fields. This will
1512 calculate the max seen integer/time value seen for the field during
1513 the interval. Example: 'smb.time' which will plot the maximum SMB
1514 response time.
1515 MIN: available for all integer and relative time fields. This will
1517 calculate the min seen integer/time value seen for the field during
1518 the interval. Example: 'smb.time' which will plot the minimum SMB
1519 response time.
1520 AVG: available for all integer and relative time fields.This will
1522 calculate the average seen integer/time value seen for the field
1523 during the interval. Example: 'smb.time' which will plot the
1524 average SMB response time.
1525 LOAD: available only for relative time fields (response times).
1527 Example of advanced: Display how NFS response time MAX/MIN/AVG
1529 changes over time:
1530 Set first graph to:
1532 filter:nfs&&rpc.time
1534 Calc:MAX rpc.time
1535 Set second graph to
1537 filter:nfs&&rpc.time
1539 Calc:AVG rpc.time
1540 Set third graph to
1542 filter:nfs&&rpc.time
1544 Calc:MIN rpc.time
1545 Example of advanced: Display how the average packet size from host
1547 a.b.c.d changes over time.
1548 Set first graph to
1550 filter:ip.addr==a.b.c.d&&frame.pkt_len
1552 Calc:AVG frame.pkt_len
1553 LOAD: The LOAD io-stat type is very different from anything you
1555 have ever seen before! While the response times themselves as
1556 plotted by MIN,MAX,AVG are indications on the Server load (which
1557 affects the Server response time), the LOAD measurement measures
1558 the Client LOAD. What this measures is how much workload the client
1559 generates, i.e. how fast will the client issue new commands when
1560 the previous ones completed. i.e. the level of concurrency the
1561 client can maintain. The higher the number, the more and faster is
1562 the client issuing new commands. When the LOAD goes down, it may be
1563 due to client load making the client slower in issuing new commands
1564 (there may be other reasons as well, maybe the client just doesn’t
1565 have any commands it wants to issue right then).
1566 Load is measured in concurrency/number of overlapping i/o and the
1568 value 1000 means there is a constant load of one i/o.
1569 In each tick interval the amount of overlap is measured. See the
1571 graph below containing three commands: Below the graph are the LOAD
1572 values for each interval that would be calculated.
1573 | | | | | | | | |
1575 | | | | | | | | |
1576 | | o=====* | | | | | |
1577 | | | | | | | | |
1578 | o========* | o============* | | |
1579 | | | | | | | | |
1580 --------------------------------------------------> Time
1581 500 1500 500 750 1000 500 0 0
1582 Statistics › Conversation List
1584 This option will open a new window that displays a list of all
1586 conversations between two endpoints. The list has one row for each
1587 unique conversation and displays total number of packets/bytes seen
1588 as well as number of packets/bytes in each direction.
1589 By default the list is sorted according to the number of packets
1591 but by clicking on the column header; it is possible to re-sort the
1592 list in ascending or descending order by any column.
1593 By first selecting a conversation by clicking on it and then using
1595 the right mouse button (on those platforms that have a right mouse
1596 button) Wireshark will display a popup menu offering several
1597 different filter operations to apply to the capture.
1598 These statistics windows can also be invoked from the Wireshark
1600 command line using the -z conv argument.
1601 Statistics › Service Response Time
1603 • AFP
1605 • CAMEL
1607 • DCE-RPC
1609 Open a window to display Service Response Time statistics for an
1611 arbitrary DCE-RPC program interface and display Procedure, Number
1612 of Calls, Minimum SRT, Maximum SRT and Average SRT for all
1613 procedures for that program/version. These windows opened will
1614 update in semi-real time to reflect changes when doing live
1615 captures or when reading new capture files into Wireshark.
1616 This dialog will also allow an optional filter string to be used.
1618 If an optional filter string is used only such DCE-RPC
1619 request/response pairs that match that filter will be used to
1620 calculate the statistics. If no filter string is specified all
1621 request/response pairs will be used.
1622 • Diameter
1624 • Fibre Channel
1626 Open a window to display Service Response Time statistics for Fibre
1628 Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1629 SRT and Average SRT for all FC types. These windows opened will
1630 update in semi-real time to reflect changes when doing live
1631 captures or when reading new capture files into Wireshark. The
1632 Service Response Time is calculated as the time delta between the
1633 First packet of the exchange and the Last packet of the exchange.
1634 This dialog will also allow an optional filter string to be used.
1636 If an optional filter string is used only such FC first/last
1637 exchange pairs that match that filter will be used to calculate the
1638 statistics. If no filter string is specified all request/response
1639 pairs will be used.
1640 • GTP
1642 • H.225 RAS
1644 Collect requests/response SRT (Service Response Time) data for
1646 ITU-T H.225 RAS. Data collected is number of calls for each known
1647 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1648 SRT, Minimum in Packet, and Maximum in Packet. You will also get
1649 the number of Open Requests (Unresponded Requests), Discarded
1650 Responses (Responses without matching request) and Duplicate
1651 Messages. These windows opened will update in semi-real time to
1652 reflect changes when doing live captures or when reading new
1653 capture files into Wireshark.
1654 You can apply an optional filter string in a dialog box, before
1656 starting the calculation. The statistics will only be calculated on
1657 those calls matching that filter.
1658 • LDAP
1660 • MEGACO
1662 • MGCP
1664 Collect requests/response SRT (Service Response Time) data for
1666 MGCP. Data collected is number of calls for each known MGCP Type,
1667 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and
1668 Maximum in Packet. These windows opened will update in semi-real
1669 time to reflect changes when doing live captures or when reading
1670 new capture files into Wireshark.
1671 You can apply an optional filter string in a dialog box, before
1673 starting the calculation. The statistics will only be calculated on
1674 those calls matching that filter.
1675 • NCP
1677 • ONC-RPC
1679 Open a window to display statistics for an arbitrary ONC-RPC
1681 program interface and display Procedure, Number of Calls, Minimum
1682 SRT, Maximum SRT and Average SRT for all procedures for that
1683 program/version. These windows opened will update in semi-real time
1684 to reflect changes when doing live captures or when reading new
1685 capture files into Wireshark.
1686 This dialog will also allow an optional filter string to be used.
1688 If an optional filter string is used only such ONC-RPC
1689 request/response pairs that match that filter will be used to
1690 calculate the statistics. If no filter string is specified all
1691 request/response pairs will be used.
1692 By first selecting a conversation by clicking on it and then using
1694 the right mouse button (on those platforms that have a right mouse
1695 button) Wireshark will display a popup menu offering several
1696 different filter operations to apply to the capture.
1697 • RADIUS
1699 • SCSI
1701 • SMB
1703 Collect call/reply SRT (Service Response Time) data for SMB. Data
1705 collected is the number of calls for each SMB command, MinSRT,
1706 MaxSRT and AvgSRT.
1707 The data will be presented as separate tables for all normal SMB
1709 commands, all Transaction2 commands and all NT Transaction
1710 commands. Only those commands that are seen in the capture will
1711 have its stats displayed. Only the first command in a xAndX command
1712 chain will be used in the calculation. So for common
1713 SessionSetupAndX + TreeConnectAndX chains, only the
1714 SessionSetupAndX call will be used in the statistics. This is a
1715 flaw that might be fixed in the future.
1716 You can apply an optional filter string in a dialog box, before
1718 starting the calculation. The stats will only be calculated on
1719 those calls matching that filter.
1720 By first selecting a conversation by clicking on it and then using
1722 the right mouse button (on those platforms that have a right mouse
1723 button) Wireshark will display a popup menu offering several
1724 different filter operations to apply to the capture.
1725 • SMB2
1727 Statistics › BOOTP-DHCP
1729 Show DHCP statistics.
1730 Statistics › Compare
1732 Compare two capture files.
1733 Statistics › Flow Graph
1735 Show protocol flows.
1736 Statistics › HTTP
1738 HTTP Load Distribution, Packet Counter & Requests.
1739 Statistics › IP Addresses
1741 Count, Rate, and Percent by IP Address.
1742 Statistics › IP Destinations
1744 Count, Rate, and Percent by IP Address, protocol, and port.
1745 Statistics › IP Protocol Types
1747 Count, Rate, and Percent by IP Protocol Types.
1748 Statistics › ONC-RPC Programs
1750 This dialog will open a window showing aggregated SRT statistics
1751 for all ONC-RPC Programs/versions that exist in the capture file.
1752 Statistics › TCP Stream Graph
1754 Show Round Trip, Throughput, Time-Sequence (Stevens), or
1755 Time-Sequence (tcptrace) graphs.
1756 Statistics › UDP Multicast streams
1758 Multicast Streams counts, rates, and other statistics by source and
1759 destination address and port pairs.
1760 Statistics › WLAN Traffic
1762 WLAN Traffic Statistics.
1763 Telephony › ITU-T H.225
1765 Count ITU-T H.225 messages and their reasons. In the first column
1767 you get a list of H.225 messages and H.225 message reasons, which
1768 occur in the current capture file. The number of occurrences of
1769 each message or reason will be displayed in the second column. This
1770 window opened will update in semi-real time to reflect changes when
1771 doing live captures or when reading new capture files into
1772 Wireshark.
1773 You can apply an optional filter string in a dialog box, before
1775 starting the counter. The statistics will only be calculated on
1776 those calls matching that filter.
1777 Telephony › SIP
1779 Activate a counter for SIP messages. You will get the number of
1781 occurrences of each SIP Method and of each SIP Status-Code.
1782 Additionally you also get the number of resent SIP Messages (only
1783 for SIP over UDP).
1784 This window opened will update in semi-real time to reflect changes
1786 when doing live captures or when reading new capture files into
1787 Wireshark.
1788 You can apply an optional filter string in a dialog box, before
1790 starting the counter. The statistics will only be calculated on
1791 those calls matching that filter.
1792 Tools › Firewall ACL Rules
1794 Generate firewall rules for a selected packet.
1795 Help › Contents
1797 Display the User’s Guide.
1798 Help › Supported Protocols
1800 List of supported protocols and display filter protocol fields.
1801 Help › Manual Pages
1803 Display locally installed HTML versions of these manual pages in a
1804 web browser.
1805 Help › Wireshark Online
1807 Various links to online resources to be open in a web browser, like
1808 https://www.wireshark.org.
1809 Help › About Wireshark
1811 See various information about Wireshark (see /About dialog below),
1812 like the version, the folders used, the available plugins, ...
1813 WINDOWS
1815 Main Window
1816 The main window contains the usual things like the menu, some
1818 toolbars, the main area and a statusbar. The main area is split
1819 into three panes, you can resize each pane using a "thumb" at the
1820 right end of each divider line.
1821 The main window is much more flexible than before. The layout of
1823 the main window can be customized by the Layout page in the dialog
1824 box popped up by Edit:Preferences, the following will describe the
1825 layout with the default settings.
1826 Main Toolbar
1828 Some menu items are available for quick access here. There is no
1830 way to customize the items in the toolbar, however the toolbar can
1831 be hidden by View:Main Toolbar.
1832 Filter Toolbar
1834 A display filter can be entered into the filter toolbar. A filter
1836 for HTTP, HTTPS, and DNS traffic might look like this:
1837 tcp.port in {80 443 53}
1839 Selecting the Filter: button lets you choose from a list of named
1841 filters that you can optionally save. Pressing the Return or Enter
1842 keys, or selecting the Apply button, will cause the filter to be
1843 applied to the current list of packets. Selecting the Reset button
1844 clears the display filter so that all packets are displayed
1845 (again).
1846 There is no way to customize the items in the toolbar, however the
1848 toolbar can be hidden by View:Filter Toolbar.
1849 Packet List Pane
1851 The top pane contains the list of network packets that you can
1853 scroll through and select. By default, the packet number, packet
1854 timestamp, source and destination addresses, protocol, and
1855 description are displayed for each packet; the Columns page in the
1856 dialog box popped up by Edit:Preferences lets you change this
1857 (although, unfortunately, you currently have to save the
1858 preferences, and exit and restart Wireshark, for those changes to
1859 take effect).
1860 If you click on the heading for a column, the display will be
1862 sorted by that column; clicking on the heading again will reverse
1863 the sort order for that column.
1864 An effort is made to display information as high up the protocol
1866 stack as possible, e.g. IP addresses are displayed for IP packets,
1867 but the MAC layer address is displayed for unknown packet types.
1868 The right mouse button can be used to pop up a menu of operations.
1870 The middle mouse button can be used to mark a packet.
1872 Packet Details Pane
1874 The middle pane contains a display of the details of the
1876 currently-selected packet. The display shows each field and its
1877 value in each protocol header in the stack. The right mouse button
1878 can be used to pop up a menu of operations.
1879 Packet Bytes Pane
1881 The lowest pane contains a hex and ASCII dump of the actual packet
1883 data. Selecting a field in the packet details highlights the
1884 corresponding bytes in this section.
1885 The right mouse button can be used to pop up a menu of operations.
1887 Statusbar
1889 The statusbar is divided into three parts, on the left some context
1891 dependent things are shown, like information about the loaded file,
1892 in the center the number of packets are displayed, and on the right
1893 the current configuration profile.
1894 The statusbar can be hidden by View:Statusbar.
1896 Preferences
1898 Adjust the behavior of Wireshark.
1899 User Interface Preferences
1901 Modify the UI to your own personal tastes.
1902 Selection Bars
1904 The selection bar in the packet list and packet details can have
1906 either a "browse" or "select" behavior. If the selection bar has a
1907 "browse" behavior, the arrow keys will move an outline of the
1908 selection bar, allowing you to browse the rest of the list or
1909 details without changing the selection until you press the space
1910 bar. If the selection bar has a "select" behavior, the arrow keys
1911 will move the selection bar and change the selection to the new
1912 item in the packet list or packet details.
1913 Save Window Position
1915 If this item is selected, the position of the main Wireshark window
1917 will be saved when Wireshark exits, and used when Wireshark is
1918 started again.
1919 Save Window Size
1921 If this item is selected, the size of the main Wireshark window
1923 will be saved when Wireshark exits, and used when Wireshark is
1924 started again.
1925 Save Window Maximized state
1927 If this item is selected the maximize state of the main Wireshark
1929 window will be saved when Wireshark exists, and used when Wireshark
1930 is started again.
1931 File Open Dialog Behavior
1933 This item allows the user to select how Wireshark handles the
1935 listing of the "File Open" Dialog when opening trace files.
1936 "Remember Last Directory" causes Wireshark to automatically
1937 position the dialog in the directory of the most recently opened
1938 file, even between launches of Wireshark. "Always Open in
1939 Directory" allows the user to define a persistent directory that
1940 the dialog will always default to.
1941 Directory
1943 Allows the user to specify a persistent File Open directory.
1945 Trailing slashes or backslashes will automatically be added.
1946 File Open Preview timeout
1948 This items allows the user to define how much time is spend reading
1950 the capture file to present preview data in the File Open dialog.
1951 Open Recent maximum list entries
1953 The File menu supports a recent file list. This items allows the
1955 user to specify how many files are kept track of in this list.
1956 Ask for unsaved capture files
1958 When closing a capture file or Wireshark itself if the file isn’t
1960 saved yet the user is presented the option to save the file when
1961 this item is set.
1962 Wrap during find
1964 This items determines the behavior when reaching the beginning or
1966 the end of a capture file. When set the search wraps around and
1967 continues, otherwise it stops.
1968 Settings dialogs show a save button
1970 This item determines if the various dialogs sport an explicit Save
1972 button or that save is implicit in OK / Apply.
1973 Web browser command
1975 This entry specifies the command line to launch a web browser. It
1977 is used to access online content, like the Wiki and user guide. Use
1978 '%s' to place the request URL in the command line.
1979 Layout Preferences
1981 The Layout page lets you specify the general layout of the main
1983 window. You can choose from six different layouts and fill the
1984 three panes with the contents you like.
1985 Scrollbars
1987 The vertical scrollbars in the three panes can be set to be either
1989 on the left or the right.
1990 Alternating row colors, Hex Display
1992 The highlight method in the hex dump display for the selected
1994 protocol item can be set to use either inverse video, or bold
1995 characters.
1996 Toolbar style, Filter toolbar placement, Custom window title, Column
1998 Preferences
1999 The Columns page lets you specify the number, title, and format of
2001 each column in the packet list.
2002 The Column title entry is used to specify the title of the column
2004 displayed at the top of the packet list. The type of data that the
2005 column displays can be specified using the Column format option
2006 menu. The row of buttons on the left perform the following actions:
2007 New
2009 Adds a new column to the list.
2010 Delete
2012 Deletes the currently selected list item.
2013 Up / Down
2015 Moves the selected list item up or down one position.
2016 Font Preferences
2018 The Font page lets you select the font to be used for most text.
2019 Color Preferences
2021 The Colors page can be used to change the color of the text
2023 displayed in the TCP stream window and for marked packets. To
2024 change a color, simply select an attribute from the "Set:" menu and
2025 use the color selector to get the desired color. The new text
2026 colors are displayed as a sample text.
2027 Capture Preferences
2029 The Capture page lets you specify various parameters for capturing
2031 live packet data; these are used the first time a capture is
2032 started.
2033 The Interface: combo box lets you specify the interface from which
2035 to capture packet data, or the name of a FIFO from which to get the
2036 packet data.
2037 The Data link type: option menu lets you, for some interfaces,
2039 select the data link header you want to see on the packets you
2040 capture. For example, in some OSes and with some versions of
2041 libpcap, you can choose, on an 802.11 interface, whether the
2042 packets should appear as Ethernet packets (with a fake Ethernet
2043 header) or as 802.11 packets.
2044 The Limit each packet to ... bytes check box lets you set the
2046 snapshot length to use when capturing live data; turn on the check
2047 box, and then set the number of bytes to use as the snapshot
2048 length.
2049 The Filter: text entry lets you set a capture filter expression to
2051 be used when capturing.
2052 If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
2054 REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create
2055 a default capture filter that excludes traffic from the hosts and
2056 ports defined in those variables.
2057 The Capture packets in promiscuous mode check box lets you specify
2059 whether to put the interface in promiscuous mode when capturing.
2060 The Update list of packets in real time check box lets you specify
2062 that the display should be updated as packets are seen.
2063 The Automatic scrolling in live capture check box lets you specify
2065 whether, in an "Update list of packets in real time" capture, the
2066 packet list pane should automatically scroll to show the most
2067 recently captured packets.
2068 Printing Preferences
2070 The radio buttons at the top of the Printing page allow you choose
2072 between printing packets with the File:Print Packet menu item as
2073 text or PostScript, and sending the output directly to a command or
2074 saving it to a file. The Command: text entry box, on
2075 UNIX-compatible systems, is the command to send files to (usually
2076 lpr), and the File: entry box lets you enter the name of the file
2077 you wish to save to. Additionally, you can select the File: button
2078 to browse the file system for a particular save file.
2079 Name Resolution Preferences
2081 The Enable MAC name resolution, Enable network name resolution and
2083 Enable transport name resolution check boxes let you specify
2084 whether MAC addresses, network addresses, and transport-layer port
2085 numbers should be translated to names.
2086 The Enable concurrent DNS name resolution allows Wireshark to send
2088 out multiple name resolution requests and not wait for the result
2089 before continuing dissection. This speeds up dissection with
2090 network name resolution but initially may miss resolutions. The
2091 number of concurrent requests can be set here as well.
2092 SMI paths
2094 SMI modules
2096 RTP Player Preferences
2098 This page allows you to select the number of channels visible in
2100 the RTP player window. It determines the height of the window, more
2101 channels are possible and visible by means of a scroll bar.
2102 Protocol Preferences
2104 There are also pages for various protocols that Wireshark dissects,
2106 controlling the way Wireshark handles those protocols.
2107 Edit Capture Filter List, Edit Display Filter List, Capture Filter,
2109 Display Filter, Read Filter, Search Filter
2110 The Edit Capture Filter List dialog lets you create, modify, and
2112 delete capture filters, and the Edit Display Filter List dialog
2113 lets you create, modify, and delete display filters.
2114 The Capture Filter dialog lets you do all of the editing operations
2116 listed, and also lets you choose or construct a filter to be used
2117 when capturing packets.
2118 The Display Filter dialog lets you do all of the editing operations
2120 listed, and also lets you choose or construct a filter to be used
2121 to filter the current capture being viewed.
2122 The Read Filter dialog lets you do all of the editing operations
2124 listed, and also lets you choose or construct a filter to be used
2125 to as a read filter for a capture file you open.
2126 The Search Filter dialog lets you do all of the editing operations
2128 listed, and also lets you choose or construct a filter expression
2129 to be used in a find operation.
2130 In all of those dialogs, the Filter name entry specifies a
2132 descriptive name for a filter, e.g. Web and DNS traffic. The Filter
2133 string entry is the text that actually describes the filtering
2134 action to take, as described above.The dialog buttons perform the
2135 following actions:
2136 New
2138 If there is text in the two entry boxes, creates a new associated
2139 list item.
2140 Edit
2142 Modifies the currently selected list item to match what’s in the
2143 entry boxes.
2144 Delete
2146 Deletes the currently selected list item.
2147 Add Expression...
2149 For display filter expressions, pops up a dialog box to allow you
2151 to construct a filter expression to test a particular field; it
2152 offers lists of field names, and, when appropriate, lists from
2153 which to select tests to perform on the field and values with which
2154 to compare it. In that dialog box, the OK button will cause the
2155 filter expression you constructed to be entered into the Filter
2156 string entry at the current cursor position.
2157 OK
2159 In the Capture Filter dialog, closes the dialog box and makes the
2161 filter in the Filter string entry the filter in the Capture
2162 Preferences dialog. In the Display Filter dialog, closes the dialog
2163 box and makes the filter in the Filter string entry the current
2164 display filter, and applies it to the current capture. In the Read
2165 Filter dialog, closes the dialog box and makes the filter in the
2166 Filter string entry the filter in the Open Capture File dialog. In
2167 the Search Filter dialog, closes the dialog box and makes the
2168 filter in the Filter string entry the filter in the Find Packet
2169 dialog.
2170 Apply
2172 Makes the filter in the Filter string entry the current display
2173 filter, and applies it to the current capture.
2174 Save
2176 If the list of filters being edited is the list of capture filters,
2178 saves the current filter list to the personal capture filters file,
2179 and if the list of filters being edited is the list of display
2180 filters, saves the current filter list to the personal display
2181 filters file.
2182 Close
2184 Closes the dialog without doing anything with the filter in the
2185 Filter string entry.
2186 The Color Filters Dialog
2188 This dialog displays a list of color filters and allows it to be
2189 modified.
2190 THE FILTER LIST
2192 Single rows may be selected by clicking. Multiple rows may be
2194 selected by using the ctrl and shift keys in combination with the
2195 mouse button.
2196 NEW
2198 Adds a new filter at the bottom of the list and opens the Edit
2200 Color Filter dialog box. You will have to alter the filter
2201 expression at least before the filter will be accepted. The format
2202 of color filter expressions is identical to that of display
2203 filters. The new filter is selected, so it may immediately be moved
2204 up and down, deleted or edited. To avoid confusion all filters are
2205 unselected before the new filter is created.
2206 EDIT
2208 Opens the Edit Color Filter dialog box for the selected filter. (If
2210 this button is disabled you may have more than one filter selected,
2211 making it ambiguous which is to be edited.)
2212 ENABLE
2214 Enables the selected color filter(s).
2215 DISABLE
2217 Disables the selected color filter(s).
2218 DELETE
2220 Deletes the selected color filter(s).
2221 EXPORT
2223 Allows you to choose a file in which to save the current list of
2225 color filters. You may also choose to save only the selected
2226 filters. A button is provided to save the filters in the global
2227 color filters file (you must have sufficient permissions to write
2228 this file, of course).
2229 IMPORT
2231 Allows you to choose a file containing color filters which are then
2233 added to the bottom of the current list. All the added filters are
2234 selected, so they may be moved to the correct position in the list
2235 as a group. To avoid confusion, all filters are unselected before
2236 the new filters are imported. A button is provided to load the
2237 filters from the global color filters file.
2238 CLEAR
2240 Deletes your personal color filters file, reloads the global color
2241 filters file, if any, and closes the dialog.
2242 UP
2244 Moves the selected filter(s) up the list, making it more likely
2245 that they will be used to color packets.
2246 DOWN
2248 Moves the selected filter(s) down the list, making it less likely
2249 that they will be used to color packets.
2250 OK
2252 Closes the dialog and uses the color filters as they stand.
2253 APPLY
2255 Colors the packets according to the current list of color filters,
2256 but does not close the dialog.
2257 SAVE
2259 Saves the current list of color filters in your personal color
2261 filters file. Unless you do this they will not be used the next
2262 time you start Wireshark.
2263 CLOSE
2265 Closes the dialog without changing the coloration of the packets.
2267 Note that changes you have made to the current list of color
2268 filters are not undone.
2269 Capture Options Dialog
2271 The Capture Options Dialog lets you specify various parameters for
2273 capturing live packet data.
2274 The Interface: field lets you specify the interface from which to
2276 capture packet data or a command from which to get the packet data
2277 via a pipe.
2278 The Link layer header type: field lets you specify the interfaces
2280 link layer header type. This field is usually disabled, as most
2281 interface have only one header type.
2282 The Capture packets in promiscuous mode check box lets you specify
2284 whether the interface should be put into promiscuous mode when
2285 capturing.
2286 The Limit each packet to ... bytes check box and field lets you
2288 specify a maximum number of bytes per packet to capture and save;
2289 if the check box is not checked, the limit will be 262144 bytes.
2290 The Capture Filter: entry lets you specify the capture filter using
2292 a tcpdump-style filter string as described above.
2293 The File: entry lets you specify the file into which captured
2295 packets should be saved, as in the Printer Options dialog above. If
2296 not specified, the captured packets will be saved in a temporary
2297 file; you can save those packets to a file with the File:Save As
2298 menu item.
2299 The Use multiple files check box lets you specify that the capture
2301 should be done in "multiple files" mode. This option is disabled,
2302 if the Update list of packets in real time option is checked.
2303 The Next file every ... megabyte(s) check box and fields lets you
2305 specify that a switch to a next file should be done if the
2306 specified filesize is reached. You can also select the appropriate
2307 unit, but beware that the filesize has a maximum of 2 GiB. The
2308 check box is forced to be checked, as "multiple files" mode
2309 requires a file size to be specified.
2310 The Next file every ... minute(s) check box and fields lets you
2312 specify that the switch to a next file should be done after the
2313 specified time has elapsed, even if the specified capture size is
2314 not reached.
2315 The Ring buffer with ... files field lets you specify the number of
2317 files of a ring buffer. This feature will capture into the first
2318 file again, after the specified number of files have been used.
2319 The Stop capture after ... files field lets you specify the number
2321 of capture files used, until the capture is stopped.
2322 The Stop capture after ... packet(s) check box and field let you
2324 specify that Wireshark should stop capturing after having captured
2325 some number of packets; if the check box is not checked, Wireshark
2326 will not stop capturing at some fixed number of captured packets.
2327 The Stop capture after ... megabyte(s) check box and field lets you
2329 specify that Wireshark should stop capturing after the file to
2330 which captured packets are being saved grows as large as or larger
2331 than some specified number of megabytes. If the check box is not
2332 checked, Wireshark will not stop capturing at some capture file
2333 size (although the operating system on which Wireshark is running,
2334 or the available disk space, may still limit the maximum size of a
2335 capture file). This option is disabled, if "multiple files" mode is
2336 used,
2337 The Stop capture after ... second(s) check box and field let you
2339 specify that Wireshark should stop capturing after it has been
2340 capturing for some number of seconds; if the check box is not
2341 checked, Wireshark will not stop capturing after some fixed time
2342 has elapsed.
2343 The Update list of packets in real time check box lets you specify
2345 whether the display should be updated as packets are captured and,
2346 if you specify that, the Automatic scrolling in live capture check
2347 box lets you specify the packet list pane should automatically
2348 scroll to show the most recently captured packets as new packets
2349 arrive.
2350 The Enable MAC name resolution, Enable network name resolution and
2352 Enable transport name resolution check boxes let you specify
2353 whether MAC addresses, network addresses, and transport-layer port
2354 numbers should be translated to names.
2355 About
2357 The About dialog lets you view various information about Wireshark.
2358 About › Wireshark
2360 The Wireshark page lets you view general information about
2362 Wireshark, like the installed version, licensing information and
2363 such.
2364 About › Authors
2366 The Authors page shows the author and all contributors.
2367 About › Folders
2369 The Folders page lets you view the directory names where Wireshark
2371 is searching it’s various configuration and other files.
2372 About › Plugins
2374 The Plugins page lets you view the dissector plugin modules
2376 available on your system.
2377 The Plugins List shows the name and version of each dissector
2379 plugin module found on your system.
2380 On Unix-compatible systems, the plugins are looked for in the
2382 following directories: the lib/wireshark/plugins/$VERSION directory
2383 under the main installation directory (for example,
2384 /usr/local/lib/wireshark/plugins/$VERSION), and then
2385 $HOME/.wireshark/plugins.
2386 On Windows systems, the plugins are looked for in the following
2388 directories: plugins\$VERSION directory under the main installation
2389 directory (for example, C:\Program
2390 Files\Wireshark\plugins\$VERSION), and then
2391 %APPDATA%\Wireshark\plugins\$VERSION (or, if %APPDATA% isn’t
2392 defined, %USERPROFILE%\Application
2393 Data\Wireshark\plugins\$VERSION).
2394 $VERSION is the version number of the plugin interface, which is
2396 typically the version number of Wireshark. Note that a dissector
2397 plugin module may support more than one protocol; there is not
2398 necessarily a one-to-one correspondence between dissector plugin
2399 modules and protocols. Protocols supported by a dissector plugin
2400 module are enabled and disabled using the Edit:Protocols dialog
2401 box, just as protocols built into Wireshark are.
2402
2404 See the manual page of pcap-filter(7) or, if that doesn’t exist,
2405 tcpdump(8), or, if that doesn’t exist,
2406 https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2407
2409 For a complete table of protocol and protocol fields that are
2410 filterable in Wireshark see the wireshark-filter(4) manual page.
2411
2413 These files contains various Wireshark configuration settings.
2414 Preferences
2416 The preferences files contain global (system-wide) and personal
2418 preference settings. If the system-wide preference file exists, it
2419 is read first, overriding the default settings. If the personal
2420 preferences file exists, it is read next, overriding any previous
2421 values. Note: If the command line flag -o is used (possibly more
2422 than once), it will in turn override values from the preferences
2423 files.
2424 The preferences settings are in the form prefname:value, one per
2426 line, where prefname is the name of the preference and value is the
2427 value to which it should be set; white space is allowed between :
2428 and value. A preference setting can be continued on subsequent
2429 lines by indenting the continuation lines with white space. A #
2430 character starts a comment that runs to the end of the line:
2431 # Vertical scrollbars should be on right side?
2433 # TRUE or FALSE (case-insensitive).
2434 gui.scrollbar_on_right: TRUE
2435 The global preferences file is looked for in the wireshark
2437 directory under the share subdirectory of the main installation
2438 directory (for example, /usr/local/share/wireshark/preferences) on
2439 UNIX-compatible systems, and in the main installation directory
2440 (for example, C:\Program Files\Wireshark\preferences) on Windows
2441 systems.
2442 The personal preferences file is looked for in
2444 $XDG_CONFIG_HOME/wireshark/preferences (or, if
2445 $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2446 present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2447 and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2448 defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2449 Windows systems.
2450 Note: Whenever the preferences are saved by using the Save button
2452 in the Edit:Preferences dialog box, your personal preferences file
2453 will be overwritten with the new settings, destroying any comments
2454 and unknown/obsolete settings that were in the file.
2455 Recent
2457 The recent file contains personal settings (mostly GUI related)
2459 such as the current Wireshark window size. The file is saved at
2460 program exit and read in at program start automatically. Note: The
2461 command line flag -o may be used to override settings from this
2462 file.
2463 The settings in this file have the same format as in the
2465 preferences files, and the same directory as for the personal
2466 preferences file is used.
2467 Note: Whenever Wireshark is closed, your recent file will be
2469 overwritten with the new settings, destroying any comments and
2470 unknown/obsolete settings that were in the file.
2471 Disabled (Enabled) Protocols
2473 The disabled_protos files contain system-wide and personal lists of
2475 protocols that have been disabled, so that their dissectors are
2476 never called. The files contain protocol names, one per line, where
2477 the protocol name is the same name that would be used in a display
2478 filter for the protocol:
2479 http
2481 tcp # a comment
2482 If a protocol is listed in the global disabled_protos file, it is
2484 not displayed in the Analyze:Enabled Protocols dialog box, and so
2485 cannot be enabled by the user.
2486 The global disabled_protos file uses the same directory as the
2488 global preferences file.
2489 The personal disabled_protos file uses the same directory as the
2491 personal preferences file.
2492 Note: Whenever the disabled protocols list is saved by using the
2494 Save button in the Analyze:Enabled Protocols dialog box, your
2495 personal disabled protocols file will be overwritten with the new
2496 settings, destroying any comments that were in the file.
2497 Name Resolution (hosts)
2499 If the personal hosts file exists, it is used to resolve IPv4 and
2501 IPv6 addresses before any other attempts are made to resolve them.
2502 The file has the standard hosts file syntax; each line contains one
2503 IP address and name, separated by whitespace. The same directory as
2504 for the personal preferences file is used.
2505 Capture filter name resolution is handled by libpcap on
2507 UNIX-compatible systems and WinPcap on Windows. As such the
2508 Wireshark personal hosts file will not be consulted for capture
2509 filter name resolution.
2510 Name Resolution (subnets)
2512 If an IPv4 address cannot be translated via name resolution (no
2514 exact match is found) then a partial match is attempted via the
2515 subnets file. Both the global subnets file and personal subnets
2516 files are used if they exist.
2517 Each line of this file consists of an IPv4 address, a subnet mask
2519 length separated only by a / and a name separated by whitespace.
2520 While the address must be a full IPv4 address, any values beyond
2521 the mask length are subsequently ignored.
2522 An example is:
2524 # Comments must be prepended by the # sign! 192.168.0.0/24
2526 ws_test_network
2527 A partially matched name will be printed as
2529 "subnet-name.remaining-address". For example, "192.168.0.1" under
2530 the subnet above would be printed as "ws_test_network.1"; if the
2531 mask length above had been 16 rather than 24, the printed address
2532 would be "ws_test_network.0.1".
2533 Name Resolution (ethers)
2535 The ethers files are consulted to correlate 6-byte hardware
2537 addresses to names. First the personal ethers file is tried and if
2538 an address is not found there the global ethers file is tried next.
2539 Each line contains one hardware address and name, separated by
2541 whitespace. The digits of the hardware address are separated by
2542 colons (:), dashes (-) or periods (.). The same separator character
2543 must be used consistently in an address. The following three lines
2544 are valid lines of an ethers file:
2545 ff:ff:ff:ff:ff:ff Broadcast
2547 c0-00-ff-ff-ff-ff TR_broadcast
2548 00.00.00.00.00.00 Zero_broadcast
2549 The global ethers file is looked for in the /etc directory on
2551 UNIX-compatible systems, and in the main installation directory
2552 (for example, C:\Program Files\Wireshark) on Windows systems.
2553 The personal ethers file is looked for in the same directory as the
2555 personal preferences file.
2556 Capture filter name resolution is handled by libpcap on
2558 UNIX-compatible systems and WinPcap on Windows. As such the
2559 Wireshark personal ethers file will not be consulted for capture
2560 filter name resolution.
2561 Name Resolution (manuf)
2563 The manuf file is used to match the 3-byte vendor portion of a
2565 6-byte hardware address with the manufacturer’s name; it can also
2566 contain well-known MAC addresses and address ranges specified with
2567 a netmask. The format of the file is the same as the ethers files,
2568 except that entries such as:
2569 00:00:0C Cisco
2571 can be provided, with the 3-byte OUI and the name for a vendor, and
2573 entries such as:
2574 00-00-0C-07-AC/40 All-HSRP-routers
2576 can be specified, with a MAC address and a mask indicating how many
2578 bits of the address must match. The above entry, for example, has
2579 40 significant bits, or 5 bytes, and would match addresses from
2580 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2581 multiple of 8.
2582 The manuf file is looked for in the same directory as the global
2584 preferences file.
2585 Name Resolution (services)
2587 The services file is used to translate port numbers into names.
2589 Both the global services file and personal services files are used
2590 if they exist.
2591 The file has the standard services file syntax; each line contains
2593 one (service) name and one transport identifier separated by white
2594 space. The transport identifier includes one port number and one
2595 transport protocol name (typically tcp, udp, or sctp) separated by
2596 a /.
2597 An example is:
2599 mydns 5045/udp # My own Domain Name Server mydns
2601 5045/tcp # My own Domain Name Server
2602 Name Resolution (ipxnets)
2604 The ipxnets files are used to correlate 4-byte IPX network numbers
2606 to names. First the global ipxnets file is tried and if that
2607 address is not found there the personal one is tried next.
2608 The format is the same as the ethers file, except that each address
2610 is four bytes instead of six. Additionally, the address can be
2611 represented as a single hexadecimal number, as is more common in
2612 the IPX world, rather than four hex octets. For example, these four
2613 lines are valid lines of an ipxnets file:
2614 C0.A8.2C.00 HR
2616 c0-a8-1c-00 CEO
2617 00:00:BE:EF IT_Server1
2618 110f FileServer3
2619 The global ipxnets file is looked for in the /etc directory on
2621 UNIX-compatible systems, and in the main installation directory
2622 (for example, C:\Program Files\Wireshark) on Windows systems.
2623 The personal ipxnets file is looked for in the same directory as
2625 the personal preferences file.
2626 Capture Filters
2628 The cfilters files contain system-wide and personal capture
2630 filters. Each line contains one filter, starting with the string
2631 displayed in the dialog box in quotation marks, followed by the
2632 filter string itself:
2633 "HTTP" port 80
2635 "DCERPC" port 135
2636 The global cfilters file uses the same directory as the global
2638 preferences file.
2639 The personal cfilters file uses the same directory as the personal
2641 preferences file. It is written through the Capture:Capture Filters
2642 dialog.
2643 If the global cfilters file exists, it is used only if the personal
2645 cfilters file does not exist; global and personal capture filters
2646 are not merged.
2647 Display Filters
2649 The dfilters files contain system-wide and personal display
2651 filters. Each line contains one filter, starting with the string
2652 displayed in the dialog box in quotation marks, followed by the
2653 filter string itself:
2654 "HTTP" http
2656 "DCERPC" dcerpc
2657 The global dfilters file uses the same directory as the global
2659 preferences file.
2660 The personal dfilters file uses the same directory as the personal
2662 preferences file. It is written through the Analyze:Display Filters
2663 dialog.
2664 If the global dfilters file exists, it is used only if the personal
2666 dfilters file does not exist; global and personal display filters
2667 are not merged.
2668 Color Filters (Coloring Rules)
2670 The colorfilters files contain system-wide and personal color
2672 filters. Each line contains one filter, starting with the string
2673 displayed in the dialog box, followed by the corresponding display
2674 filter. Then the background and foreground colors are appended:
2675 # a comment
2677 @tcp@tcp@[59345,58980,65534][0,0,0]
2678 @udp@udp@[28834,57427,65533][0,0,0]
2679 The global colorfilters file uses the same directory as the global
2681 preferences file.
2682 The personal colorfilters file uses the same directory as the
2684 personal preferences file. It is written through the View:Coloring
2685 Rules dialog.
2686 If the global colorfilters file exists, it is used only if the
2688 personal colorfilters file does not exist; global and personal
2689 color filters are not merged.
2690 Plugins
2692 See above in the description of the About:Plugins page.
2694
2696 WIRESHARK_CONFIG_DIR
2697 This environment variable overrides the location of personal
2699 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2700 $HOME/.wireshark if the former is missing while the latter exists).
2701 On Windows, %APPDATA%\Wireshark is used instead. Available since
2702 Wireshark 3.0.
2703 WIRESHARK_DEBUG_WMEM_OVERRIDE
2705 Setting this environment variable forces the wmem framework to use
2707 the specified allocator backend for all allocations, regardless of
2708 which backend is normally specified by the code. This is mainly
2709 useful to developers when testing or debugging. See README.wmem in
2710 the source distribution for details.
2711 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
2713 This environment variable causes the plugins and other data files
2715 to be loaded from the build directory (where the program was
2716 compiled) rather than from the standard locations. It has no effect
2717 when the program in question is running with root (or setuid)
2718 permissions on *NIX.
2719 WIRESHARK_DATA_DIR
2721 This environment variable causes the various data files to be
2723 loaded from a directory other than the standard locations. It has
2724 no effect when the program in question is running with root (or
2725 setuid) permissions on *NIX.
2726 ERF_RECORDS_TO_CHECK
2728 This environment variable controls the number of ERF records
2730 checked when deciding if a file really is in the ERF format.
2731 Setting this environment variable a number higher than the default
2732 (20) would make false positives less likely.
2733 IPFIX_RECORDS_TO_CHECK
2735 This environment variable controls the number of IPFIX records
2737 checked when deciding if a file really is in the IPFIX format.
2738 Setting this environment variable a number higher than the default
2739 (20) would make false positives less likely.
2740 WIRESHARK_ABORT_ON_DISSECTOR_BUG
2742 If this environment variable is set, Wireshark will call abort(3)
2744 when a dissector bug is encountered. abort(3) will cause the
2745 program to exit abnormally; if you are running Wireshark in a
2746 debugger, it should halt in the debugger and allow inspection of
2747 the process, and, if you are not running it in a debugger, it will,
2748 on some OSes, assuming your environment is configured correctly,
2749 generate a core dump file. This can be useful to developers
2750 attempting to troubleshoot a problem with a protocol dissector.
2751 WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
2753 If this environment variable is set, Wireshark will call abort(3)
2755 if a dissector tries to add too many items to a tree (generally
2756 this is an indication of the dissector not breaking out of a loop
2757 soon enough). abort(3) will cause the program to exit abnormally;
2758 if you are running Wireshark in a debugger, it should halt in the
2759 debugger and allow inspection of the process, and, if you are not
2760 running it in a debugger, it will, on some OSes, assuming your
2761 environment is configured correctly, generate a core dump file.
2762 This can be useful to developers attempting to troubleshoot a
2763 problem with a protocol dissector.
2764 WIRESHARK_QUIT_AFTER_CAPTURE
2766 Cause Wireshark to exit after the end of the capture session. This
2768 doesn’t automatically start a capture; you must still use -k to do
2769 that. You must also specify an autostop condition, e.g. -c or -a
2770 duration:.... This means that you will not be able to see the
2771 results of the capture after it stops; it’s primarily useful for
2772 testing.
2773 WIRESHARK_LOG_LEVEL
2775 This environment variable controls the verbosity of diagnostic
2777 messages to the console. From less verbose to most verbose levels
2778 can be critical, warning, message, info, debug or noisy. Levels
2779 above the current level are also active. Levels critical and error
2780 are always active.
2781 WIRESHARK_LOG_FATAL
2783 Sets the fatal log level. Fatal log levels cause the program to
2785 abort. This level can be set to Error, critical or warning. Error
2786 is always fatal and is the default.
2787 WIRESHARK_LOG_DOMAINS
2789 This environment variable selects which log domains are active. The
2791 filter is given as a case-insensitive comma separated list. If set
2792 only the included domains will be enabled. The default domain is
2793 always considered to be enabled. Domain filter lists can be
2794 preceded by '!' to invert the sense of the match.
2795 WIRESHARK_LOG_DEBUG
2797 List of domains with debug log level. This sets the level of the
2799 provided log domains and takes precedence over the active domains
2800 filter. If preceded by '!' this disables the debug level instead.
2801 WIRESHARK_LOG_NOISY
2803 Same as above but for noisy log level instead.
2805
2807 Wireshark would not be the powerful, featureful application it is
2808 without the generous contributions of hundreds of developers.
2809 A complete list of authors can be found in the AUTHORS file in
2811 Wireshark’s source code repository and at
2812 https://www.wireshark.org/about.html#authors.
2813
2815 wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1),
2816 mergecap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)
2817
2819 This is the manual page for Wireshark 4.0.2. The latest version of
2820 Wireshark can be found at https://www.wireshark.org.
2821 HTML versions of the Wireshark project man pages are available at
2823 https://www.wireshark.org/docs/man-pages.
2824 2022-12-08 WIRESHARK(1)