1WIRESHARK(1) The Wireshark Network Analyzer WIRESHARK(1)
2
6 wireshark - Interactively dump and analyze network traffic
7
9 wireshark [ -a <capture autostop condition> ] ... [ -b <cap‐
10 ture ring buffer option> ] ... [ -B <capture buf‐
11 fer size (Win32 only)> ] [ -c <capture packet count> ] [ -C <configu‐
12 ration profile> ] [ -D ] [ --display=<X display to use> ] [ -f <cap‐
13 ture filter> ] [ -g <packet number> ] [ -h ] [ -H ] [ -i <cap‐
14 ture interface>⎪- ] [ -k ] [ -l ] [ -L ] [ -m <font> ] [ -n ]
15 [ -N <name resolving flags> ] [ -o <preference/recent setting> ] ...
16 [ -p ] [ -P <path setting>] [ -Q ] [ -r <infile> ] [ -R <read (dis‐
17 play) filter> ] [ -S ] [ -s <capture snaplen> ] [ -t ad⎪a⎪r⎪d⎪dd⎪e ]
18 [ -v ] [ -w <outfile> ] [ -y <capture link type> ] [ -X <eXten‐
19 sion option> ] [ -z <statistics> ] [ <infile> ]
20
22 Wireshark is a GUI network protocol analyzer. It lets you interac‐
23 tively browse packet data from a live network or from a previously
24 saved capture file. Wireshark's native capture file format is libpcap
25 format, which is also the format used by tcpdump and various other
26 tools.
27 Wireshark can read / import the following file formats:
29 * libpcap, tcpdump and various other tools using tcpdump's capture for‐
31 mat
32 * snoop and atmsnoop
33 * Shomiti/Finisar Surveyor captures
34 * Novell LANalyzer captures
35 * Microsoft Network Monitor captures
36 * AIX's iptrace captures
37 * Cinco Networks NetXRay captures
38 * Network Associates Windows-based Sniffer captures
39 * Network General/Network Associates DOS-based Sniffer (compressed or
40 uncompressed) captures
41 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet‐
42 Grabber captures
43 * RADCOM's WAN/LAN analyzer captures
44 * Network Instruments Observer version 9 captures
45 * Lucent/Ascend router debug output
46 * files from HP-UX's nettl
47 * Toshiba's ISDN routers dump output
48 * the output from i4btrace from the ISDN4BSD project
49 * traces from the EyeSDN USB S0.
50 * the output in IPLog format from the Cisco Secure Intrusion Detection
51 System
52 * pppd logs (pppdump format)
53 * the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
54 * the text output from the DBS Etherwatch VMS utility
55 * Visual Networks' Visual UpTime traffic capture
56 * the output from CoSine L2 debug
57 * the output from Accellent's 5Views LAN agents
58 * Endace Measurement Systems' ERF format captures
59 * Linux Bluez Bluetooth stack hcidump -w traces
60 * Catapult DCT2000 .out files
61 * TamoSoft CommView files
62 There is no need to tell Wireshark what type of file you are reading;
64 it will determine the file type by itself. Wireshark is also capable
65 of reading any of these file formats if they are compressed using gzip.
66 Wireshark recognizes this directly from the file; the '.gz' extension
67 is not required for this purpose.
68 Like other protocol analyzers, Wireshark's main window shows 3 views of
70 a packet. It shows a summary line, briefly describing what the packet
71 is. A packet details display is shown, allowing you to drill down to
72 exact protocol or field that you interested in. Finally, a hex dump
73 shows you exactly what the packet looks like when it goes over the
74 wire.
75 In addition, Wireshark has some features that make it unique. It can
77 assemble all the packets in a TCP conversation and show you the ASCII
78 (or EBCDIC, or hex) data in that conversation. Display filters in
79 Wireshark are very powerful; more fields are filterable in Wireshark
80 than in other protocol analyzers, and the syntax you can use to create
81 your filters is richer. As Wireshark progresses, expect more and more
82 protocol fields to be allowed in display filters.
83 Packet capturing is performed with the pcap library. The capture fil‐
85 ter syntax follows the rules of the pcap library. This syntax is dif‐
86 ferent from the display filter syntax.
87 Compressed file support uses (and therefore requires) the zlib library.
89 If the zlib library is not present, Wireshark will compile, but will be
90 unable to read compressed files.
91 The pathname of a capture file to be read can be specified with the -r
93 option or can be specified as a command-line argument.
94
96 Most users will want to start Wireshark without options and config‐
97 ure it from the menus instead. Those users may just skip this sec‐
98 tion.
99 -a <capture autostop condition>
101 Specify a criterion that specifies when Wireshark is to stop writ‐
102 ing to a capture file. The criterion is of the form test:value,
103 where test is one of:
104 duration:value Stop writing to a capture file after value seconds
106 have elapsed.
107 filesize:value Stop writing to a capture file after it reaches a
109 size of value kilobytes (where a kilobyte is 1024 bytes). If this
110 option is used together with the -b option, Wireshark will stop
111 writing to the current capture file and switch to the next one if
112 filesize is reached.
113 files:value Stop writing to capture files after value number of
115 files were written.
116 -b <capture ring buffer option>
118 Cause Wireshark to run in "multiple files" mode. In "multiple
119 files" mode, Wireshark will write to several capture files. When
120 the first capture file fills up, Wireshark will switch writing to
121 the next file and so on.
122 The created filenames are based on the filename given with the -w
124 flag, the number of the file and on the creation date and time,
125 e.g. outfile_00001_20050604120117.pcap, out‐
126 file_00001_20050604120523.pcap, ...
127 With the files option it's also possible to form a "ring buffer".
129 This will fill up new files until the number of files specified, at
130 which point Wireshark will discard the data in the first file and
131 start writing to that file and so on. If the files option is not
132 set, new files filled up until one of the capture stop conditions
133 match (or until the disk if full).
134 The criterion is of the form key:value, where key is one of:
136 duration:value switch to the next file after value seconds have
138 elapsed, even if the current file is not completely filled up.
139 filesize:value switch to the next file after it reaches a size of
141 value kilobytes (where a kilobyte is 1024 bytes).
142 files:value begin again with the first file after value number of
144 files were written (form a ring buffer).
145 -B <capture buffer size (Win32 only)>
147 Win32 only: set capture buffer size (in MB, default is 1MB). This
148 is used by the the capture driver to buffer packet data until that
149 data can be written to disk. If you encounter packet drops while
150 capturing, try to increase this size.
151 -c <capture packet count>
153 Set the maximum number of packets to read when capturing live data.
154 -C <configuration profile>
156 Start with the given configuration profile.
157 -D Print a list of the interfaces on which Wireshark can capture, and
159 exit. For each network interface, a number and an interface name,
160 possibly followed by a text description of the interface, is
161 printed. The interface name or the number can be supplied to the
162 -i flag to specify an interface on which to capture.
163 This can be useful on systems that don't have a command to list
165 them (e.g., Windows systems, or UNIX systems lacking ifconfig -a);
166 the number can be useful on Windows 2000 and later systems, where
167 the interface name is a somewhat complex string.
168 Note that "can capture" means that Wireshark was able to open that
170 device to do a live capture; if, on your system, a program doing a
171 network capture must be run from an account with special privileges
172 (for example, as root), then, if Wireshark is run with the -D flag
173 and is not run from such an account, it will not list any inter‐
174 faces.
175 --display=<X display to use>
177 Specifies the X display to use. A hostname and screen (other‐
178 host:0.0) or just a screen (:0.0) can be specified. This option is
179 not available under Windows.
180 -f <capture filter>
182 Set the capture filter expression.
183 -g <packet number>
185 After reading in a capture file using the -r flag, go to the given
186 packet number.
187 -h Print the version and options and exit.
189 -H Hide the capture info dialog during live packet capture.
191 -i <capture interface>⎪-
193 Set the name of the network interface or pipe to use for live
194 packet capture.
195 Network interface names should match one of the names listed in
197 "wireshark -D" (described above); a number, as reported by "wire‐
198 shark -D", can also be used. If you're using UNIX, "netstat -i" or
199 "ifconfig -a" might also work to list interface names, although not
200 all versions of UNIX support the -a flag to ifconfig.
201 If no interface is specified, Wireshark searches the list of inter‐
203 faces, choosing the first non-loopback interface if there are any
204 non-loopback interfaces, and choosing the first loopback interface
205 if there are no non-loopback interfaces. If there are no interfaces
206 at all, Wireshark reports an error and doesn't start the capture.
207 Pipe names should be either the name of a FIFO (named pipe) or
209 ``-'' to read data from the standard input. Data read from pipes
210 must be in standard libpcap format.
211 Note: the Win32 version of Wireshark doesn't support capturing from
213 pipes or stdin!
214 -k Start the capture session immediately. If the -i flag was speci‐
216 fied, the capture uses the specified interface. Otherwise, Wire‐
217 shark searches the list of interfaces, choosing the first non-loop‐
218 back interface if there are any non-loopback interfaces, and choos‐
219 ing the first loopback interface if there are no non-loopback
220 interfaces; if there are no interfaces, Wireshark reports an error
221 and doesn't start the capture.
222 -l Turn on automatic scrolling if the packet display is being updated
224 automatically as packets arrive during a capture (as specified by
225 the -S flag).
226 -L List the data link types supported by the interface and exit.
228 -m <font>
230 Set the name of the font used by Wireshark for most text. Wire‐
231 shark will construct the name of the bold font used for the data in
232 the byte view pane that corresponds to the field selected in the
233 packet details pane from the name of the main text font.
234 -n Disable network object name resolution (such as hostname, TCP and
236 UDP port names), the -N flag might override this one.
237 -N <name resolving flags>
239 Turn on name resolving only for particular types of addresses and
240 port numbers, with name resolving for other types of addresses and
241 port numbers turned off. This flag overrides -n if both -N and -n
242 are present. If both -N and -n flags are not present, all name res‐
243 olutions are turned on.
244 The argument is a string that may contain the letters:
246 m to enable MAC address resolution
248 n to enable network address resolution
250 t to enable transport-layer port number resolution
252 C to enable concurrent (asynchronous) DNS lookups
254 -o <preference/recent setting>
256 Set a preference or recent value, overriding the default value and
257 any value read from a preference/recent file. The argument to the
258 flag is a string of the form prefname:value, where prefname is the
259 name of the preference/recent value (which is the same name that
260 would appear in the preference/recent file), and value is the value
261 to which it should be set. Since Ethereal 0.10.12, the recent set‐
262 tings replaces the formerly used -B, -P and -T flags to manipulate
263 the GUI dimensions.
264 If prefname is "uat", you can override settings in various user
266 access tables using the form uat:uat filename:uat record. uat file‐
267 name must be the name of a UAT file, e.g. user_dlts. uat_record
268 must be in the form of a valid record for that file, including
269 quotes. For instance, to specify a user DLT from the command line,
270 you would use
271 -o "uat:user_dlts:\"User 0
273 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
274 -p Don't put the interface into promiscuous mode. Note that the
276 interface might be in promiscuous mode for some other reason;
277 hence, -p cannot be used to ensure that the only traffic that is
278 captured is traffic sent to or from the machine on which Wireshark
279 is running, broadcast traffic, and multicast traffic to addresses
280 received by that machine.
281 -P <path setting>
283 Special path settings usually detected automatically. This is used
284 for special cases, e.g. starting Wireshark from a known location on
285 an USB stick.
286 The criterion is of the form key:path, where key is one of:
288 persconf:path path of personal configuration files, like the pref‐
290 erences files.
291 persdata:path path of personal data files, it's the folder ini‐
293 tially opened. After the very first initilization, the recent file
294 will keep the folder last used.
295 -Q Cause Wireshark to exit after the end of capture session (useful in
297 batch mode with -c option for instance); this option requires the
298 -i and -w parameters.
299 -r <infile>
301 Read packet data from infile, can be any supported capture file
302 format (including gzipped files). It's not possible to use named
303 pipes or stdin here!
304 -R <read (display) filter>
306 When reading a capture file specified with the -r flag, causes the
307 specified filter (which uses the syntax of display filters, rather
308 than that of capture filters) to be applied to all packets read
309 from the capture file; packets not matching the filter are dis‐
310 carded.
311 -S Automatically update the packet display as packets are coming in.
313 -s <capture snaplen>
315 Set the default snapshot length to use when capturing live data.
316 No more than snaplen bytes of each network packet will be read into
317 memory, or saved to disk.
318 -t ad⎪a⎪r⎪d⎪dd⎪e
320 Set the format of the packet timestamp displayed in the packet list
321 window, the default is relative. The format can be one of:
322 ad absolute with date: The absolute date and time is the actual
324 time and date the packet was captured
325 a absolute: The absolute time is the actual time the packet was
327 captured, with no date displayed
328 r relative: The relative time is the time elapsed between the first
330 packet and the current packet
331 d delta: The delta time is the time since the previous packet was
333 captured
334 dd delta_displayed: The delta_displayed time is the time since the
336 previous displayed packet was captured
337 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
339 -v Print the version and exit.
341 -w <outfile>
343 Set the default capture file name.
344 -y <capture link type>
346 If a capture is started from the command line with -k, set the data
347 link type to use while capturing packets. The values reported by
348 -L are the values that can be used.
349 -X <eXtension options>
351 Specify an option to be passed to an Wireshark module. The eXten‐
352 sion option is in the form extension_key:value, where extension_key
353 can be:
354 lua_script:lua_script_filename tells Wireshark to load the given
356 script in addition to the default Lua scripts.
357 -z <statistics>
359 Get Wireshark to collect various types of statistics and display
360 the result in a window that updates in semi-real time. Currently
361 implemented statistics are:
362 -z dcerpc,srt,uuid,major.minor[,filter]
364 Collect call/reply SRT (Service Response Time) data for DCERPC
366 interface uuid, version major.minor. Data collected is number of
367 calls for each procedure, MinSRT, MaxSRT and AvgSRT. Example: use
368 -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0 to collect
369 data for CIFS SAMR Interface. This option can be used multiple
370 times on the command line.
371 If the optional filterstring is provided, the stats will only be
373 calculated on those calls that match that filter. Example: use -z
374 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
375 to collect SAMR SRT statistics for a specific host.
376 -z io,stat
378 Collect packet/bytes statistics for the capture in intervals of 1
380 seconds. This option will open a window with up to 5 color-coded
381 graphs where number-of-packets-per-second or number-of-bytes-per-
382 second statistics can be calculated and displayed.
383 This option can be used multiple times on the command line.
385 This graph window can also be opened from the Analyze:Statis‐
387 tics:Traffic:IO-Stat menu item.
388 -z rpc,srt,program,version[,<filter>]
390 Collect call/reply SRT (Service Response Time) data for pro‐
392 gram/version. Data collected is number of calls for each proce‐
393 dure, MinSRT, MaxSRT and AvgSRT. Example: use -z rpc,srt,100003,3
394 to collect data for NFS v3. This option can be used multiple times
395 on the command line.
396 If the optional filter string is provided, the stats will only be
398 calculated on those calls that match that filter. Example: use -z
399 rpc,srt,100003,3,nfs.fh.hash==0x12345678 to collect NFS v3 SRT sta‐
400 tistics for a specific file.
401 -z rpc,programs
403 Collect call/reply RTT data for all known ONC-RPC programs/ver‐
405 sions. Data collected is number of calls for each protocol/ver‐
406 sion, MinRTT, MaxRTT and AvgRTT.
407 -z scsi,srt,cmdset[,<filter>]
409 Collect call/reply SRT (Service Response Time) data for SCSI com‐
411 mandset <cmdset>.
412 Commandsets are 0:SBC 1:SSC 5:MMC
414 Data collected is number of calls for each procedure, MinSRT,
416 MaxSRT and AvgSRT. Example: use -z scsi,srt,0 to collect data for
417 SCSI BLOCK COMMANDS (SBC). This option can be used multiple times
418 on the command line.
419 If the optional filter string is provided, the stats will only be
421 calculated on those calls that match that filter. Example: use -z
422 scsi,srt,0,ip.addr==1.2.3.4 to collect SCSI SBC SRT statistics for
423 a specific iscsi/ifcp/fcip host.
424 -z smb,srt[,filter]
426 Collect call/reply SRT (Service Response Time) data for SMB. Data
428 collected is number of calls for each SMB command, MinSRT, MaxSRT
429 and AvgSRT. Example: use -z smb,srt.
430 The data will be presented as separate tables for all normal SMB
432 commands, all Transaction2 commands and all NT Transaction com‐
433 mands. Only those commands that are seen in the capture will have
434 its stats displayed. Only the first command in a xAndX command
435 chain will be used in the calculation. So for common SessionSetu‐
436 pAndX + TreeConnectAndX chains, only the SessionSetupAndX call will
437 be used in the statistics. This is a flaw that might be fixed in
438 the future.
439 This option can be used multiple times on the command line.
441 If the optional filterstring is provided, the stats will only be
443 calculated on those calls that match that filter. Example: use -z
444 "smb,srt,ip.addr==1.2.3.4" to only collect stats for SMB packets
445 echanged by the host at IP address 1.2.3.4 .
446 -z fc,srt[,filter]
448 Collect call/reply SRT (Service Response Time) data for FC. Data
450 collected is number of calls for each Fibre Channel command, Min‐
451 SRT, MaxSRT and AvgSRT. Example: use -z fc,srt. The Service
452 Response Time is calculated as the time delta between the First
453 packet of the exchange and the Last packet of the exchange.
454 The data will be presented as separate tables for all normal FC
456 commands, Only those commands that are seen in the capture will
457 have its stats displayed.
458 This option can be used multiple times on the command line.
460 If the optional filterstring is provided, the stats will only be
462 calculated on those calls that match that filter. Example: use -z
463 "fc,srt,fc.id==01.02.03" to only collect stats for FC packets
464 echanged by the host at FC address 01.02.03 .
465 -z ldap,srt[,filter]
467 Collect call/reply SRT (Service Response Time) data for LDAP. Data
469 collected is number of calls for each implemented LDAP command,
470 MinSRT, MaxSRT and AvgSRT. Example: use -z ldap,srt. The Service
471 Response Time is calculated as the time delta between the Request
472 and the Response.
473 The data will be presented as separate tables for all implemented
475 LDAP commands, Only those commands that are seen in the capture
476 will have its stats displayed.
477 This option can be used multiple times on the command line.
479 If the optional filterstring is provided, the stats will only be
481 calculated on those calls that match that filter. Example: use -z
482 "ldap,srt,ip.addr==10.1.1.1" to only collect stats for LDAP packets
483 echanged by the host at IP address 10.1.1.1 .
484 The only LDAP command that are currently implemented and the stats
486 will be available for are: BIND SEARCH MODIFY ADD DELETE MODRDN
487 COMPARE EXTENDED
488 -z mgcp,srt[,filter]
490 Collect requests/response SRT (Service Response Time) data for
492 MGCP. This is similar to -z smb,srt). Data collected is number of
493 calls for each known MGCP Type, Minimum SRT, Maximum SRT and Aver‐
494 age SRT. Example: use -z mgcp,srt.
495 This option can be used multiple times on the command line.
497 If the optional filterstring is provided, the stats will only be
499 calculated on those calls that match that filter. Example: use -z
500 "mgcp,srt,ip.addr==1.2.3.4" to only collect stats for MGCP packets
501 exchanged by the host at IP address 1.2.3.4 .
502 -z conv,type[,filter]
504 Create a table that lists all conversations that could be seen in
506 the capture. type specifies for which type of conversation we want
507 to generate the statistics; currently the supported ones are
508 "eth" Ethernet
510 "fc" Fibre Channel addresses
511 "fddi" FDDI addresses
512 "ip" IP addresses
513 "ipx" IPX addresses
514 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
515 "tr" TokenRing
516 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
517 If the optional filter string is specified, only those packets that
519 match the filter will be used in the calculations.
520 The table is presented with one line for each conversation and dis‐
522 plays number of packets/bytes in each direction as well as total
523 number of packets/bytes. By default, the table is sorted according
524 to total number of packets.
525 These tables can also be generated at runtime by selecting the
527 appropriate conversation type from the menu "Tools/Statistics/Con‐
528 versation List/".
529 -z h225,counter[,filter]
531 Count ITU-T H.225 messages and their reasons. In the first column
533 you get a list of H.225 messages and H.225 message reasons, which
534 occur in the current capture file. The number of occurences of each
535 message or reason is displayed in the second column.
536 Example: use -z h225,counter.
538 This option can be used multiple times on the command line.
540 If the optional filterstring is provided, the stats will only be
542 calculated on those calls that match that filter. Example: use -z
543 "h225,counter,ip.addr==1.2.3.4" to only collect stats for H.225
544 packets exchanged by the host at IP address 1.2.3.4 .
545 -z h225,srt[,filter]
547 Collect requests/response SRT (Service Response Time) data for ITU-
549 T H.225 RAS. Data collected is number of calls of each ITU-T H.225
550 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT, Minimum in
551 Packet, and Maximum in Packet. You will also get the number of
552 Open Requests (Unresponded Requests), Discarded Responses
553 (Responses without matching request) and Duplicate Messages. Exam‐
554 ple: use -z h225,srt.
555 This option can be used multiple times on the command line.
557 If the optional filterstring is provided, the stats will only be
559 calculated on those calls that match that filter. Example: use -z
560 "h225,srt,ip.addr==1.2.3.4" to only collect stats for ITU-T H.225
561 RAS packets exchanged by the host at IP address 1.2.3.4 .
562 -z sip,stat[,filter]
564 This option will activate a counter for SIP messages. You will get
566 the number of occurences of each SIP Method and of each SIP Sta‐
567 tus-Code. Additionally you also get the number of resent SIP Mes‐
568 sages (only for SIP over UDP).
569 Example: use -z sip,stat.
571 This option can be used multiple times on the command line.
573 If the optional filter string is provided, the stats will only be
575 calculated on those calls that match that filter. Example: use -z
576 "sip,stat,ip.addr==1.2.3.4" to only collect stats for SIP packets
577 exchanged by the host at IP address 1.2.3.4 .
578 -z voip,calls
580 This option will show a window that shows VoIP calls found in the
582 capture file. This is the same window shown as when you go to the
583 Statistics Menu and choose VoIP Calls.
584 Example: use -z voip,calls
586
588 MENU ITEMS
589 File:Open
591 File:Open Recent
592 File:Close
593 Open or close a capture file. The File:Open dialog box allows a
594 filter to be specified; when the capture file is read, the filter
595 is applied to all packets read from the file, and packets not
596 matching the filter are discarded. The File:Open Recent is a sub‐
597 menu and will show a list of previously opened files.
598 File:Merge
600 Merge another capture file to the currently loaded one. The
601 File:Merge dialog box allows the merge "Prepended", "Chronologi‐
602 cally" or "Appended", relative to the already loaded one.
603 File:Save
605 File:Save As
606 Save the current capture, or the packets currently displayed from
607 that capture, to a file. Check boxes let you select whether to
608 save all packets, or just those that have passed the current dis‐
609 play filter and/or those that are currently marked, and an option
610 menu lets you select (from a list of file formats in which at par‐
611 ticular capture, or the packets currently displayed from that cap‐
612 ture, can be saved), a file format in which to save it.
613 File:File Set:List Files
615 Show a dialog box that lists all files of the file set matching the
616 currently loaded file. A file set is a compound of files resulting
617 from a capture using the "multiple files" / "ringbuffer" mode, rec‐
618 ognizable by the filename pattern, e.g.: File‐
619 name_00001_20050604101530.pcap.
620 File:File Set:Next File
622 File:File Set:Previous File
623 If the currently loaded file is part of a file set (see above),
624 open the next / previous file in that set.
625 File:Export
627 Export captured data into an external format. Note: the data cannot
628 be imported back into Wireshark, so be sure to keep the capture
629 file.
630 File:Print
632 Print packet data from the current capture. You can select the
633 range of packets to be printed (which packets are printed), and the
634 output format of each packet (how each packet is printed). The out‐
635 put format will be similar to the displayed values, so a summary
636 line, the packet details view, and/or the hex dump of the packet
637 can be printed.
638 Printing options can be set with the Edit:Preferences menu item, or
640 in the dialog box popped up by this menu item.
641 File:Quit
643 Exit the application.
644 Edit:Copy:As Filter
646 Create a display filter based on the data currently highlighted in
647 the packet details and copy that filter to the clipboard.
648 If that data is a field that can be tested in a display filter
650 expression, the display filter will test that field; otherwise, the
651 display filter will be based on the absolute offset within the
652 packet. Therefore it could be unreliable if the packet contains
653 protocols with variable-length headers, such as a source-routed
654 token-ring packet.
655 Edit:Find Packet
657 Search forward or backward, starting with the currently selected
658 packet (or the most recently selected packet, if no packet is
659 selected). Search criteria can be a display filter expression, a
660 string of hexadecimal digits, or a text string.
661 When searching for a text string, you can search the packet data,
663 or you can search the text in the Info column in the packet list
664 pane or in the packet details pane.
665 Hexadecimal digits can be separated by colons, periods, or dashes.
667 Text string searches can be ASCII or Unicode (or both), and may be
668 case insensitive.
669 Edit:Find Next
671 Edit:Find Previous
672 Search forward / backward for a packet matching the filter from the
673 previous search, starting with the currently selected packet (or
674 the most recently selected packet, if no packet is selected).
675 Edit:Time Reference:Set Time Reference (toggle)
677 Set (or unset if currently set) the selected packet as a Time Ref‐
678 erence packet. When a packet is set as a Time Reference packet,
679 the timestamps in the packet list pane will be replaced with the
680 string "*REF*". The relative time timestamp in later packets will
681 then be calculated relative to the timestamp of this Time Reference
682 packet and not the first packet in the capture.
683 Packets that have been selected as Time Reference packets will
685 always be displayed in the packet list pane. Display filters will
686 not affect or hide these packets.
687 If there is a column displayed for "Culmulative Bytes" this counter
689 will be reset at every Time Reference packet.
690 Edit:Time Reference:Find Next
692 Edit:Time Reference:Find Previous
693 Search forward / backward for a time referenced packet.
694 Edit:Mark Packet (toggle)
696 Mark (or unmark if currently marked) the selected packet. The
697 field "frame.marked" is set for packets that are marked, so that,
698 for example, a display filters can be used to display only marked
699 packets, and so that the Edit:Find Packet dialog can be used to
700 find the next or previous marked packet.
701 Edit:Mark All Packets
703 Edit:Unmark All Packets
704 Mark / Unmark all packets that are currently displayed.
705 Edit:Configuration Profiles
707 Manage configuration profiles to be able to use more than one set
708 of preferences and configurations.
709 Edit:Preferences
711 Set the GUI, capture, printing and protocol options (see Prefer‐
712 ences dialog below).
713 View:Main Toolbar
715 View:Filter Toolbar
716 View:Statusbar
717 Show or hide the main window controls.
718 View:Packet List
720 View:Packet Details
721 View:Packet Bytes
722 Show or hide the main window panes.
723 View:Time Display Format
725 Set the format of the packet timestamp displayed in the packet list
726 window.
727 View:Name Resolution:Resolve Name
729 Try to resolve a name for the currently seleted item.
730 View:Name Resolution:Enable for ... Layer
732 Enable or disable translation of addresses to names in the display.
733 View:Colorize Packet List
735 Enable or disable the coloring rules. Disabling will improve per‐
736 formance.
737 View:Auto Scroll in Live Capture
739 Enable or disable the automatic scrolling of the packet list while
740 a live capture is in progress.
741 View:Zoom In
743 View:Zoom Out
744 Zoom into / out of the main window data (by changing the font
745 size).
746 View:Normal Size
748 Reset the zoom factor of zoom in / zoom out back to normal font
749 size.
750 View:Resize All Columns
752 Resize all columns to best fit the current packet display.
753 View:Expand Subtrees
755 Expands the currently selected item and it's subtrees in the packet
756 details.
757 View:Expand All
759 View:Collapse All
760 Expand / Collapse all branches of the packet details.
761 View:Coloring Rules
763 Change the foreground and background colors of the packet informa‐
764 tion in the list of packets, based upon display filters. The list
765 of display filters is applied to each packet sequentially. After
766 the first display filter matches a packet, any additional display
767 filters in the list are ignored. Therefore, if you are filtering
768 on the existence of protocols, you should list the higher-level
769 protocols first, and the lower-level protocols last.
770 How Colorization Works
772 Packets are colored according to a list of color filters. Each
773 filter consists of a name, a filter expression and a col‐
774 oration. A packet is colored according to the first filter that
775 it matches. Color filter expressions use exactly the same syn‐
776 tax as display filter expressions.
777 When Wireshark starts, the color filters are loaded from:
779 1. The user's personal color filters file or, if that does
781 not exist,
782 2. The global color filters file.
784 If neither of these exist then the packets will not be colored.
786 View:Show Packet In New Window
788 Create a new window containing a packet details view and a hex dump
789 window of the currently selected packet; this window will continue
790 to display that packet's details and data even if another packet is
791 selected.
792 View:Reload
794 Reload a capture file. Same as File:Close and File:Open the same
795 file again.
796 Go:Back
798 Go back in previously visited packets history.
799 Go:Forward
801 Go forward in previously visited packets history.
802 Go:Go To Packet
804 Go to a particular numbered packet.
805 Go:Go To Corresponding Packet
807 If a field in the packet details pane containing a packet number is
808 selected, go to the packet number specified by that field. (This
809 works only if the dissector that put that entry into the packet
810 details put it into the details as a filterable field rather than
811 just as text.) This can be used, for example, to go to the packet
812 for the request corresponding to a reply, or the reply correspond‐
813 ing to a request, if that packet number has been put into the
814 packet details.
815 Go:First Packet
817 Go:Last Packet
818 Go to the first / last packet in the capture.
819 Capture:Interfaces
821 Shows a dialog box with all currently known interfaces and display‐
822 ing the current network traffic amount. Capture sessions can be
823 started from here. Beware: keeping this box open results in high
824 system load!
825 Capture:Options
827 Initiate a live packet capture (see Capture Options dialog below).
828 If no filename is specified, a temporary file will be created to
829 hold the capture. The location of the file can be chosen by setting
830 your TMPDIR environment variable before starting Wireshark. Other‐
831 wise, the default TMPDIR location is system-dependent, but is
832 likely either /var/tmp or /tmp.
833 Capture:Start
835 Start a live packet capture with the previously seleted options.
836 This won't open the options dialog box, and can be convenient for
837 repeatingly capturing with the same options.
838 Capture:Stop
840 Stop a running live capture.
841 Capture:Restart
843 While a live capture is running, stop it and restart with the same
844 options again. This can be convenient to remove unrelevant packets,
845 if no valuable packets were captured so far.
846 Capture:Capture Filters
848 Edit the saved list of capture filters, allowing filters to be
849 added, changed, or deleted.
850 Analyze:Display Filters
852 Edit the saved list of display filters, allowing filters to be
853 added, changed, or deleted.
854 Analyze:Apply as Filter
856 Create a display filter based on the data currently highlighted in
857 the packet details and apply the filter.
858 If that data is a field that can be tested in a display filter
860 expression, the display filter will test that field; otherwise, the
861 display filter will be based on the absolute offset within the
862 packet. Therefore it could be unreliable if the packet contains
863 protocols with variable-length headers, such as a source-routed
864 token-ring packet.
865 The Selected option creates a display filter that tests for a match
867 of the data; the Not Selected option creates a display filter that
868 tests for a non-match of the data. The And Selected, Or Selected,
869 And Not Selected, and Or Not Selected options add to the end of the
870 display filter in the strip at the top (or bottom) an AND or OR
871 operator followed by the new display filter expression.
872 Analyze:Prepare a Filter
874 Create a display filter based on the data currently highlighted in
875 the packet details. The filter strip at the top (or bottom) is
876 updated but it is not yet applied.
877 Analyze:Enabled Protocols
879 Allow protocol dissection to be enabled or disabled for a specific
880 protocol. Individual protocols can be enabled or disabled by
881 clicking on them in the list or by highlighting them and pressing
882 the space bar. The entire list can be enabled, disabled, or
883 inverted using the buttons below the list.
884 When a protocol is disabled, dissection in a particular packet
886 stops when that protocol is reached, and Wireshark moves on to the
887 next packet. Any higher-layer protocols that would otherwise have
888 been processed will not be displayed. For example, disabling TCP
889 will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
890 and any other protocol exclusively dependent on TCP.
891 The list of protocols can be saved, so that Wireshark will start up
893 with the protocols in that list disabled.
894 Analyze:Decode As
896 If you have a packet selected, present a dialog allowing you to
897 change which dissectors are used to decode this packet. The dialog
898 has one panel each for the link layer, network layer and transport
899 layer protocol/port numbers, and will allow each of these to be
900 changed independently. For example, if the selected packet is a
901 TCP packet to port 12345, using this dialog you can instruct Wire‐
902 shark to decode all packets to or from that TCP port as HTTP pack‐
903 ets.
904 Analyze:User Specified Decodes
906 Create a new window showing whether any protocol ID to dissector
907 mappings have been changed by the user. This window also allows
908 the user to reset all decodes to their default values.
909 Analyze:Follow TCP Stream
911 If you have a TCP packet selected, display the contents of the data
912 stream for the TCP connection to which that packet belongs, as
913 text, in a separate window, and leave the list of packets in a fil‐
914 tered state, with only those packets that are part of that TCP con‐
915 nection being displayed. You can revert to your old view by press‐
916 ing ENTER in the display filter text box, thereby invoking your old
917 display filter (or resetting it back to no display filter).
918 The window in which the data stream is displayed lets you select:
920 * whether to display the entire conversation, or one or the
922 other side of it;
923 * whether the data being displayed is to be treated as ASCII
925 or EBCDIC text or as raw hex data;
926 and lets you print what's currently being displayed, using the same
928 print options that are used for the File:Print Packet menu item, or
929 save it as text to a file.
930 Statistics:Summary
932 Show summary information about the capture, including elapsed time,
933 packet counts, byte counts, and the like. If a display filter is
934 in effect, summary information will be shown about the capture and
935 about the packets currently being displayed.
936 Statistics:Protocol Hierarchy
938 Show the number of packets, and the number of bytes in those pack‐
939 ets, for each protocol in the trace. It organizes the protocols in
940 the same hierarchy in which they were found in the trace. Besides
941 counting the packets in which the protocol exists, a count is also
942 made for packets in which the protocol is the last protocol in the
943 stack. These last-protocol counts show you how many packets (and
944 the byte count associated with those packets) ended in a particular
945 protocol. In the table, they are listed under "End Packets" and
946 "End Bytes".
947 Statistics:IO Graphs
949 Open a window where up to 5 graphs in different colors can be dis‐
950 played to indicate number of packets or number of bytes per second
951 for all packets matching the specified filter. By default only one
952 graph will be displayed showing number of packets per second.
953 The top part of the window contains the graphs and scales for the X
955 and Y axis. If the graph is too long to fit inside the window
956 there is a horizontal scrollbar below the drawing area that can
957 scroll the graphs to the left or the right. The horizontal axis
958 displays the time into the capture and the vertical axis will dis‐
959 play the measured quantity at that time.
960 Below the drawing area and the scrollbar are the controls. On the
962 bottom left there will be five similar sets of controls to control
963 each induvidual graph such as "Display:<button>" which button will
964 toggle that individual graph on/off. If <button> is ticked, the
965 graph will be displayed. "Color:<color>" which is just a button to
966 show which color will be used to draw that graph (color is only
967 available in Gtk2 version) and finally "Filter:<filter-text>" which
968 can be used to specify a display filter for that particular graph.
969 If filter-text is empty then all packets will be used to calculate
971 the quantity for that graph. If filter-text is specified only
972 those packets that match that display filter will be considered in
973 the calculation of quantity.
974 To the right of the 5 graph controls there are four menus to con‐
976 trol global aspects of the draw area and graphs. The "Unit:" menu
977 is used to control what to measure; "packets/tick", "bytes/tick" or
978 "advanced..."
979 packets/tick will measure the number of packets matching the (if
981 specified) display filter for the graph in each measurement inter‐
982 val.
983 bytes/tick will measure the total number of bytes in all packets
985 matching the (if specified) display filter for the graph in each
986 measurement interval.
987 advanced... see below
989 "Tick interval:" specifies what measurement intervals to use. The
991 default is 1 second and means that the data will be counted over 1
992 second intervals.
993 "Pixels per tick:" specifies how many pixels wide each measurement
995 interval will be in the drawing area. The default is 5 pixels per
996 tick.
997 "Y-scale:" controls the max value for the y-axis. Default value is
999 "auto" which means that Wireshark will try to adjust the maxvalue
1000 automatically.
1001 "advanced..." If Unit:advanced... is selected the window will dis‐
1003 play two more controls for each of the five graphs. One control
1004 will be a menu where the type of calculation can be selected from
1005 SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the
1006 name of a single display filter field can be specified.
1007 The following restrictions apply to type and field combinations:
1009 SUM: available for all types of integers and will calculate the SUM
1011 of all occurences of this field in the measurement interval. Note
1012 that some field can occur multiple times in the same packet and
1013 then all instances will be summed up. Example: 'tcp.len' which
1014 will count the amount of payload data transferred across TCP in
1015 each interval.
1016 COUNT: available for all field types. This will COUNT the number of
1018 times certain field occurs in each interval. Note that some fields
1019 may occur multiple times in each packet and if that is the case
1020 then each instance will be counted independently and COUNT will be
1021 greater than the number of packets.
1022 MAX: available for all integer and relative time fields. This will
1024 calculate the max seen integer/time value seen for the field during
1025 the interval. Example: 'smb.time' which will plot the maximum SMB
1026 response time.
1027 MIN: available for all integer and relative time fields. This will
1029 calculate the min seen integer/time value seen for the field during
1030 the interval. Example: 'smb.time' which will plot the minimum SMB
1031 response time.
1032 AVG: available for all integer and relative time fields.This will
1034 calculate the average seen integer/time value seen for the field
1035 during the interval. Example: 'smb.time' which will plot the aver‐
1036 age SMB response time.
1037 LOAD: available only for relative time fields (response times).
1039 Example of advanced: Display how NFS response time MAX/MIN/AVG
1041 changes over time:
1042 Set first graph to:
1044 filter:nfs&&rpc.time
1046 Calc:MAX rpc.time
1047 Set second graph to
1049 filter:nfs&&rpc.time
1051 Calc:AVG rpc.time
1052 Set third graph to
1054 filter:nfs&&rpc.time
1056 Calc:MIN rpc.time
1057 Example of advanced: Display how the average packet size from host
1059 a.b.c.d changes over time.
1060 Set first graph to
1062 filter:ip.addr==a.b.c.d&&frame.pkt_len
1064 Calc:AVG frame.pkt_len
1065 LOAD: The LOAD io-stat type is very different from anything you
1067 have ever seen before! While the response times themself as plotted
1068 by MIN,MAX,AVG are indications on the Server load (which affects
1069 the Server response time), the LOAD measurement measures the Client
1070 LOAD. What this measures is how much workload the client gener‐
1071 ates, i.e. how fast will the client issue new commands when the
1072 previous ones completed. i.e. the level of concurrency the client
1073 can maintain. The higher the number, the more and faster is the
1074 client issuing new commands. When the LOAD goes down, it may be due
1075 to client load making the client slower in issuing new commands
1076 (there may be other reasons as well, maybe the client just doesn't
1077 have any commands it wants to issue right then).
1078 Load is measured in concurrency/number of overlapping i/o and the
1080 value 1000 means there is a constant load of one i/o.
1081 In each tick interval the amount of overlap is measured. See the
1083 graph below containing three commands: Below the graph are the LOAD
1084 values for each interval that would be calculated.
1085 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪
1087 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪
1088 ⎪ ⎪ o=====* ⎪ ⎪ ⎪ ⎪ ⎪ ⎪
1089 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪
1090 ⎪ o========* ⎪ o============* ⎪ ⎪ ⎪
1091 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪
1092 --------------------------------------------------> Time
1093 500 1500 500 750 1000 500 0 0
1094 Statistics:Conversation List
1096 This option will open a new window that displays a list of all con‐
1097 versations between two endpoints. The list has one row for each
1098 unique conversation and displays total number of packets/bytes seen
1099 as well as number of packets/bytes in each direction.
1100 By default the list is sorted according to the number of packets
1102 but by clicking on the column header; it is possible to re-sort the
1103 list in ascending or descending order by any column.
1104 By first selecting a conversation by clicking on it and then using
1106 the right mouse button (on those platforms that have a right mouse
1107 button) wireshark will display a popup menu offering several dif‐
1108 ferent filter operations to apply to the capture.
1109 These statistics windows can also be invoked from the Wireshark
1111 command line using the -z conv argument.
1112 Statistics:Service Response Time:DCE-RPC
1114 Open a window to display Service Response Time statistics for an
1115 arbitrary DCE-RPC program interface and display Procedure, Number
1116 of Calls, Minimum SRT, Maximum SRT and Average SRT for all proce‐
1117 dures for that program/version. These windows opened will update
1118 in semi-real time to reflect changes when doing live captures or
1119 when reading new capture files into Wireshark.
1120 This dialog will also allow an optional filter string to be used.
1122 If an optional filter string is used only such DCE-RPC
1123 request/response pairs that match that filter will be used to cal‐
1124 culate the statistics. If no filter string is specified all
1125 request/response pairs will be used.
1126 Statistics:Service Response Time:Fibre Channel
1128 Open a window to display Service Response Time statistics for Fibre
1129 Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1130 SRT and Average SRT for all FC types. These windows opened will
1131 update in semi-real time to reflect changes when doing live cap‐
1132 tures or when reading new capture files into Wireshark. The Ser‐
1133 vice Response Time is calculated as the time delta between the
1134 First packet of the exchange and the Last packet of the exchange.
1135 This dialog will also allow an optional filter string to be used.
1137 If an optional filter string is used only such FC first/last
1138 exchange pairs that match that filter will be used to calculate the
1139 statistics. If no filter string is specified all request/response
1140 pairs will be used.
1141 Statistics:Service Response Time:ONC-RPC
1143 Open a window to display statistics for an arbitrary ONC-RPC pro‐
1144 gram interface and display Procedure, Number of Calls, Minimum SRT,
1145 Maximum SRT and Average SRT for all procedures for that pro‐
1146 gram/version. These windows opened will update in semi-real time
1147 to reflect changes when doing live captures or when reading new
1148 capture files into Wireshark.
1149 This dialog will also allow an optional filter string to be used.
1151 If an optional filter string is used only such ONC-RPC
1152 request/response pairs that match that filter will be used to cal‐
1153 culate the statistics. If no filter string is specified all
1154 request/response pairs will be used.
1155 By first selecting a conversation by clicking on it and then using
1157 the right mouse button (on those platforms that have a right mouse
1158 button) wireshark will display a popup menu offering several dif‐
1159 ferent filter operations to apply to the capture.
1160 Statistics:Service Response Time:SMB
1162 Collect call/reply SRT (Service Response Time) data for SMB. Data
1163 collected is number of calls for each SMB command, MinSRT, MaxSRT
1164 and AvgSRT.
1165 The data will be presented as separate tables for all normal SMB
1167 commands, all Transaction2 commands and all NT Transaction com‐
1168 mands. Only those commands that are seen in the capture will have
1169 its stats displayed. Only the first command in a xAndX command
1170 chain will be used in the calculation. So for common SessionSetu‐
1171 pAndX + TreeConnectAndX chains, only the SessionSetupAndX call will
1172 be used in the statistics. This is a flaw that might be fixed in
1173 the future.
1174 You can apply an optional filter string in a dialog box, before
1176 starting the calculation. The stats will only be calculated on
1177 those calls matching that filter.
1178 By first selecting a conversation by clicking on it and then using
1180 the right mouse button (on those platforms that have a right mouse
1181 button) wireshark will display a popup menu offering several dif‐
1182 ferent filter operations to apply to the capture.
1183 Statistics:Service Response Time:MGCP
1185 Collect requests/response SRT (Service Response Time) data for
1186 MGCP. Data collected is number of calls for each known MGCP Type,
1187 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maxi‐
1188 mum in Packet. These windows opened will update in semi-real time
1189 to reflect changes when doing live captures or when reading new
1190 capture files into Wireshark.
1191 You can apply an optional filter string in a dialog box, before
1193 starting the calculation. The statistics will only be calculated on
1194 those calls matching that filter.
1195 Statistics:Service Response Time:ITU-T H.225 RAS
1197 Collect requests/response SRT (Service Response Time) data for ITU-
1198 T H.225 RAS. Data collected is number of calls for each known ITU-
1199 T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
1200 Minimum in Packet, and Maximum in Packet. You will also get the
1201 number of Open Requests (Unresponded Requests), Discarded Responses
1202 (Responses without matching request) and Duplicate Messages. These
1203 windows opened will update in semi-real time to reflect changes
1204 when doing live captures or when reading new capture files into
1205 Wireshark.
1206 You can apply an optional filter string in a dialog box, before
1208 starting the calculation. The statistics will only be calculated on
1209 those calls matching that filter.
1210 Statistics:ITU-T H.225
1212 Count ITU-T H.225 messages and their reasons. In the first column
1213 you get a list of H.225 messages and H.225 message reasons, which
1214 occur in the current capture file. The number of occurences of each
1215 message or reason will be displayed in the second column. This
1216 window opened will update in semi-real time to reflect changes when
1217 doing live captures or when reading new capture files into Wire‐
1218 shark.
1219 You can apply an optional filter string in a dialog box, before
1221 starting the counter. The statistics will only be calculated on
1222 those calls matching that filter.
1223 Statistics:SIP
1225 Activate a counter for SIP messages. You will get the number of
1226 occurences of each SIP Method and of each SIP Status-Code. Addi‐
1227 tionally you also get the number of resent SIP Messages (only for
1228 SIP over UDP).
1229 This window opened will update in semi-real time to reflect changes
1231 when doing live captures or when reading new capture files into
1232 Wireshark.
1233 You can apply an optional filter string in a dialog box, before
1235 starting the counter. The statistics will only be calculated on
1236 those calls matching that filter.
1237 Statistics:ONC-RPC Programs
1239 This dialog will open a window showing aggregated RTT statistics
1240 for all ONC-RPC Programs/versions that exist in the capture file.
1241 Help:Contents
1243 Some help texts.
1244 Help:Supported Protocols
1246 List of supported protocols and display filter protocol fields.
1247 Help:Manual Pages
1249 Display locally installed HTML versions of these manual pages in a
1250 web browser.
1251 Help:Wireshark Online
1253 Various links to online resources to be open in a web browser, like
1254 <http://www.wireshark.org>.
1255 Help:About Wireshark
1257 See various information about Wireshark (see About dialog below),
1258 like the version, the folders used, the available plugins, ...
1259 WINDOWS
1261 Main Window
1263 The main window contains the usual things like the menu, some tool‐
1264 bars, the main area and a statusbar. The main area is split into
1265 three panes, you can resize each pane using a "thumb" at the right
1266 end of each divider line.
1267 The main window is much more flexible than before. The layout of
1269 the main window can be customized by the Layout page in the dialog
1270 box popped up by Edit:Preferences, the following will describe the
1271 layout with the default settings.
1272 Main Toolbar
1274 Some menu items are available for quick access here. There is
1275 no way to customize the items in the toolbar, however the
1276 toolbar can be hidden by View:Main Toolbar.
1277 Filter Toolbar
1279 A display filter can be entered into the filter toolbar. A
1280 filter for HTTP, HTTPS, and DNS traffic might look like this:
1281 tcp.port == 80 ⎪⎪ tcp.port == 443 ⎪⎪ tcp.port == 53
1283 Selecting the Filter: button lets you choose from a list of
1285 named filters that you can optionally save. Pressing the
1286 Return or Enter keys, or selecting the Apply button, will
1287 cause the filter to be applied to the current list of pack‐
1288 ets. Selecting the Reset button clears the display filter so
1289 that all packets are displayed (again).
1290 There is no way to customize the items in the toolbar, how‐
1292 ever the toolbar can be hidden by View:Filter Toolbar.
1293 Packet List Pane
1295 The top pane contains the list of network packets that you
1296 can scroll through and select. By default, the packet num‐
1297 ber, packet timestamp, source and destination addresses, pro‐
1298 tocol, and description are displayed for each packet; the
1299 Columns page in the dialog box popped up by Edit:Preferences
1300 lets you change this (although, unfortunately, you currently
1301 have to save the preferences, and exit and restart Wireshark,
1302 for those changes to take effect).
1303 If you click on the heading for a column, the display will be
1305 sorted by that column; clicking on the heading again will
1306 reverse the sort order for that column.
1307 An effort is made to display information as high up the pro‐
1309 tocol stack as possible, e.g. IP addresses are displayed for
1310 IP packets, but the MAC layer address is displayed for
1311 unknown packet types.
1312 The right mouse button can be used to pop up a menu of opera‐
1314 tions.
1315 The middle mouse button can be used to mark a packet.
1317 Packet Details Pane
1319 The middle pane contains a display of the details of the cur‐
1320 rently-selected packet. The display shows each field and its
1321 value in each protocol header in the stack. The right mouse
1322 button can be used to pop up a menu of operations.
1323 Packet Bytes Pane
1325 The lowest pane contains a hex and ASCII dump of the actual
1326 packet data. Selecting a field in the packet details high‐
1327 lights the corresponding bytes in this section.
1328 The right mouse button can be used to pop up a menu of opera‐
1330 tions.
1331 Statusbar
1333 The statusbar is divided into three parts, on the left some
1334 context dependant things are shown, like information about
1335 the loaded file, in the center the number of packets are dis‐
1336 played, and on the right the current configuration profile.
1337 The statusbar can be hidden by View:Statusbar.
1339 Preferences
1341 The Preferences dialog lets you control various personal prefer‐
1342 ences for the behavior of Wireshark.
1343 User Interface Preferences
1345 The User Interface page is used to modify small aspects of
1346 the GUI to your own personal taste:
1347 Selection Bars
1349 The selection bar in the packet list and packet details
1350 can have either a "browse" or "select" behavior. If
1351 the selection bar has a "browse" behavior, the arrow
1352 keys will move an outline of the selection bar, allow‐
1353 ing you to browse the rest of the list or details with‐
1354 out changing the selection until you press the space
1355 bar. If the selection bar has a "select" behavior, the
1356 arrow keys will move the selection bar and change the
1357 selection to the new item in the packet list or packet
1358 details.
1359 Tree Line Style (GTK1 only)
1361 Trees can be drawn with no lines, solid lines, or dot‐
1362 ted lines between items, or can be drawn with "tab"
1363 headings.
1364 Tree Expander Style (GTK1 only)
1366 The expander item that can be clicked to show or hide
1367 items under a tree item can be omitted (note that this
1368 will prevent you from changing whether those items are
1369 shown or hidden!), or can be drawn as squares, trian‐
1370 gles, or circles.
1371 Save Window Position
1373 If this item is selected, the position of the main
1374 Wireshark window will be saved when Wireshark exits,
1375 and used when Wireshark is started again.
1376 Save Window Size
1378 If this item is selected, the size of the main Wire‐
1379 shark window will be saved when Wireshark exits, and
1380 used when Wireshark is started again.
1381 Save Window Maximized state
1383 If this item is selected the maximize state of the main
1384 Wireshark window will be saved when Wireshark exists,
1385 and used when Wireshark is started again.
1386 File Open Dialog Behavior
1388 This item allows the user to select how Wireshark han‐
1389 dles the listing of the "File Open" Dialog when opening
1390 trace files. "Remember Last Directory" causes Wire‐
1391 shark to automatically position the dialog in the
1392 directory of the most recently opened file, even
1393 between launches of Wireshark. "Always Open in Direc‐
1394 tory" allows the user to define a persistent directory
1395 that the dialog will always default to.
1396 Directory
1398 Allows the user to specify a persistent File Open
1399 directory. Trailing slashes or backslashes will auto‐
1400 matically be added.
1401 File Open Preview timeout
1403 This items allows the user to define how much time is
1404 spend reading the capture file to present preview data
1405 in the File Open dialog.
1406 Open Recent maximum list entries
1408 The File menu supports a recent file list. This items
1409 allows the user to specify how many files are kept
1410 track of in this list.
1411 Ask for unsaved capture files
1413 When closing a capture file or Wireshark itself if the
1414 file isn't saved yet the user is presented the option
1415 to save the file when this item is set.
1416 Wrap during find
1418 This items determines the behaviour when reaching the
1419 beginning or the end of a capture file. When set the
1420 search wraps around and continues, otherwise it stops.
1421 Settings dialogs show a save button
1423 This item determines if the various dialogs sport an
1424 explicit Save button or that save is implicit in Ok /
1425 Apply.
1426 Web browser command
1428 This entry specifies the command line to launch a web
1429 browser. It is used to access online content, like the
1430 Wiki and user guide. Use '%s' to place the request URL
1431 in the command line.
1432 Layout Preferences
1434 The Layout page lets you specify the general layout of the
1435 main window. You can choose from six different layouts and
1436 fill the three panes with the contents you like.
1437 Scrollbars
1439 The vertical scrollbars in the three panes can be set
1440 to be either on the left or the right.
1441 Alternating row colors
1443 Hex Display
1444 The highlight method in the hex dump display for the
1445 selected protocol item can be set to use either inverse
1446 video, or bold characters.
1447 Toolbar style
1449 Filter toolbar placement
1450 Custom window title
1451 Column Preferences
1452 The Columns page lets you specify the number, title, and for‐
1453 mat of each column in the packet list.
1454 The Column title entry is used to specify the title of the
1456 column displayed at the top of the packet list. The type of
1457 data that the column displays can be specified using the Col‐
1458 umn format option menu. The row of buttons on the left per‐
1459 form the following actions:
1460 New Adds a new column to the list.
1462 Delete
1464 Deletes the currently selected list item.
1465 Up / Down
1467 Moves the selected list item up or down one position.
1468 Font Preferences
1470 The Font page lets you select the font to be used for most
1471 text.
1472 Color Preferences
1474 The Colors page can be used to change the color of the text
1475 displayed in the TCP stream window and for marked packets. To
1476 change a color, simply select an attribute from the "Set:"
1477 menu and use the color selector to get the desired color.
1478 The new text colors are displayed as a sample text.
1479 Capture Preferences
1481 The Capture page lets you specify various parameters for cap‐
1482 turing live packet data; these are used the first time a cap‐
1483 ture is started.
1484 The Interface: combo box lets you specify the interface from
1486 which to capture packet data, or the name of a FIFO from
1487 which to get the packet data.
1488 The Data link type: option menu lets you, for some inter‐
1490 faces, select the data link header you want to see on the
1491 packets you capture. For example, in some OSes and with some
1492 versions of libpcap, you can choose, on an 802.11 interface,
1493 whether the packets should appear as Ethernet packets (with a
1494 fake Ethernet header) or as 802.11 packets.
1495 The Limit each packet to ... bytes check box lets you set the
1497 snapshot length to use when capturing live data; turn on the
1498 check box, and then set the number of bytes to use as the
1499 snapshot length.
1500 The Filter: text entry lets you set a capture filter expres‐
1502 sion to be used when capturing.
1503 If any of the environment variables SSH_CONNECTION,
1505 SSH_CLIENT, REMOTEHOST, DISPLAY, or SESSIONNAME are set,
1506 Wireshark will create a default capture filter that excludes
1507 traffic from the hosts and ports defined in those variables.
1508 The Capture packets in promiscuous mode check box lets you
1510 specify whether to put the interface in promiscuous mode when
1511 capturing.
1512 The Update list of packets in real time check box lets you
1514 specify that the display should be updated as packets are
1515 seen.
1516 The Automatic scrolling in live capture check box lets you
1518 specify whether, in an "Update list of packets in real time"
1519 capture, the packet list pane should automatically scroll to
1520 show the most recently captured packets.
1521 Printing Preferences
1523 The radio buttons at the top of the Printing page allow you
1524 choose between printing packets with the File:Print Packet
1525 menu item as text or PostScript, and sending the output
1526 directly to a command or saving it to a file. The Command:
1527 text entry box, on UNIX-compatible systems, is the command to
1528 send files to (usually lpr), and the File: entry box lets you
1529 enter the name of the file you wish to save to. Addition‐
1530 ally, you can select the File: button to browse the file sys‐
1531 tem for a particular save file.
1532 Name Resolution Preferences
1534 The Enable MAC name resolution, Enable network name resolu‐
1535 tion and Enable transport name resolution check boxes let you
1536 specify whether MAC addresses, network addresses, and trans‐
1537 port-layer port numbers should be translated to names.
1538 The Enable concurrent DNS name resolution allows Wireshark to
1540 send out multiple name resolution requests and not wait for
1541 the result before continuing dissection. This speeds up dis‐
1542 section with network name resolution but initially may miss
1543 resolutions. The number of concurrent requests can be set
1544 here as well.
1545 SMI paths
1547 SMI modules
1549 RTP Player Preferences
1551 This page allows you to select the number of channels visible
1552 in the RTP player window. It determines the height of the
1553 window, more channels are possible and visible by means of a
1554 scroll bar.
1555 Protocol Preferences
1557 There are also pages for various protocols that Wireshark
1558 dissects, controlling the way Wireshark handles those proto‐
1559 cols.
1560 Edit Capture Filter List
1562 Edit Display Filter List
1563 Capture Filter
1564 Display Filter
1565 Read Filter
1566 Search Filter
1567 The Edit Capture Filter List dialog lets you create, modify, and
1568 delete capture filters, and the Edit Display Filter List dialog
1569 lets you create, modify, and delete display filters.
1570 The Capture Filter dialog lets you do all of the editing operations
1572 listed, and also lets you choose or construct a filter to be used
1573 when capturing packets.
1574 The Display Filter dialog lets you do all of the editing operations
1576 listed, and also lets you choose or construct a filter to be used
1577 to filter the current capture being viewed.
1578 The Read Filter dialog lets you do all of the editing operations
1580 listed, and also lets you choose or construct a filter to be used
1581 to as a read filter for a capture file you open.
1582 The Search Filter dialog lets you do all of the editing operations
1584 listed, and also lets you choose or construct a filter expression
1585 to be used in a find operation.
1586 In all of those dialogs, the Filter name entry specifies a descrip‐
1588 tive name for a filter, e.g. Web and DNS traffic. The Filter
1589 string entry is the text that actually describes the filtering
1590 action to take, as described above.The dialog buttons perform the
1591 following actions:
1592 New If there is text in the two entry boxes, creates a new asso‐
1594 ciated list item.
1595 Edit Modifies the currently selected list item to match what's in
1597 the entry boxes.
1598 Delete
1600 Deletes the currently selected list item.
1601 Add Expression...
1603 For display filter expressions, pops up a dialog box to allow
1604 you to construct a filter expression to test a particular
1605 field; it offers lists of field names, and, when appropriate,
1606 lists from which to select tests to perform on the field and
1607 values with which to compare it. In that dialog box, the OK
1608 button will cause the filter expression you constructed to be
1609 entered into the Filter string entry at the current cursor
1610 position.
1611 OK In the Capture Filter dialog, closes the dialog box and makes
1613 the filter in the Filter string entry the filter in the Cap‐
1614 ture Preferences dialog. In the Display Filter dialog,
1615 closes the dialog box and makes the filter in the Filter
1616 string entry the current display filter, and applies it to
1617 the current capture. In the Read Filter dialog, closes the
1618 dialog box and makes the filter in the Filter string entry
1619 the filter in the Open Capture File dialog. In the Search
1620 Filter dialog, closes the dialog box and makes the filter in
1621 the Filter string entry the filter in the Find Packet dialog.
1622 Apply Makes the filter in the Filter string entry the current dis‐
1624 play filter, and applies it to the current capture.
1625 Save If the list of filters being edited is the list of capture
1627 filters, saves the current filter list to the personal cap‐
1628 ture filters file, and if the list of filters being edited is
1629 the list of display filters, saves the current filter list to
1630 the personal display filters file.
1631 Close Closes the dialog without doing anything with the filter in
1633 the Filter string entry.
1634 The Color Filters Dialog
1636 This dialog displays a list of color filters and allows it to be
1637 modified.
1638 THE FILTER LIST
1640 Single rows may be selected by clicking. Multiple rows may be
1641 selected by using the ctrl and shift keys in combination with
1642 the mouse button.
1643 NEW Adds a new filter at the bottom of the list and opens the Edit
1645 Color Filter dialog box. You will have to alter the filter
1646 expression at least before the filter will be accepted. The
1647 format of color filter expressions is identical to that of dis‐
1648 play filters. The new filter is selected, so it may immediately
1649 be moved up and down, deleted or edited. To avoid confusion
1650 all filters are unselected before the new filter is created.
1651 EDIT
1653 Opens the Edit Color Filter dialog box for the selected filter.
1654 (If this button is disabled you may have more than one filter
1655 selected, making it ambiguous which is to be edited.)
1656 ENABLE
1658 Enables the selected color filter(s).
1659 DISABLE
1661 Disables the selected color filter(s).
1662 DELETE
1664 Deletes the selected color filter(s).
1665 EXPORT
1667 Allows you to choose a file in which to save the current list
1668 of color filters. You may also choose to save only the selected
1669 filters. A button is provided to save the filters in the global
1670 color filters file (you must have sufficient permissions to
1671 write this file, of course).
1672 IMPORT
1674 Allows you to choose a file containing color filters which are
1675 then added to the bottom of the current list. All the added
1676 filters are selected, so they may be moved to the correct posi‐
1677 tion in the list as a group. To avoid confusion, all filters
1678 are unselected before the new filters are imported. A button is
1679 provided to load the filters from the global color filters
1680 file.
1681 CLEAR
1683 Deletes your personal color filters file, reloads the global
1684 color filters file, if any, and closes the dialog.
1685 UP Moves the selected filter(s) up the list, making it more likely
1687 that they will be used to color packets.
1688 DOWN
1690 Moves the selected filter(s) down the list, making it less
1691 likely that they will be used to color packets.
1692 OK Closes the dialog and uses the color filters as they stand.
1694 APPLY
1696 Colors the packets according to the current list of color fil‐
1697 ters, but does not close the dialog.
1698 SAVE
1700 Saves the current list of color filters in your personal color
1701 filters file. Unless you do this they will not be used the next
1702 time you start Wireshark.
1703 CLOSE
1705 Closes the dialog without changing the coloration of the pack‐
1706 ets. Note that changes you have made to the current list of
1707 color filters are not undone.
1708 Capture Options
1710 The Capture Options dialog lets you specify various parameters for
1711 capturing live packet data.
1712 The Interface: field lets you specify the interface from which to
1714 capture packet data or a command from which to get the packet data
1715 via a pipe.
1716 The Link layer header type: field lets you specify the interfaces
1718 link layer header type. This field is usually disabled, as most
1719 interface have only one header type.
1720 The Capture packets in promiscuous mode check box lets you specify
1722 whether the interface should be put into promiscuous mode when cap‐
1723 turing.
1724 The Limit each packet to ... bytes check box and field lets you
1726 specify a maximum number of bytes per packet to capture and save;
1727 if the check box is not checked, the limit will be 65535 bytes.
1728 The Capture Filter: entry lets you specify the capture filter using
1730 a tcpdump-style filter string as described above.
1731 The File: entry lets you specify the file into which captured pack‐
1733 ets should be saved, as in the Printer Options dialog above. If
1734 not specified, the captured packets will be saved in a temporary
1735 file; you can save those packets to a file with the File:Save As
1736 menu item.
1737 The Use multiple files check box lets you specify that the capture
1739 should be done in "multiple files" mode. This option is disabled,
1740 if the Update list of packets in real time option is checked.
1741 The Next file every ... megabyte(s) check box and fields lets you
1743 specify that a switch to a next file should be done if the speci‐
1744 fied filesize is reached. You can also select the appriate unit,
1745 but beware that the filesize has a maximum of 2 GB. The check box
1746 is forced to be checked, as "multiple files" mode requires a file
1747 size to be specified.
1748 The Next file every ... minute(s) check box and fields lets you
1750 specify that the switch to a next file should be done after the
1751 specified time has elapsed, even if the specified capture size is
1752 not reached.
1753 The Ring buffer with ... files field lets you specify the number of
1755 files of a ring buffer. This feature will capture into to the first
1756 file again, after the specified amount of files were used.
1757 The Stop capture after ... files field lets you specify the number
1759 of capture files used, until the capture is stopped.
1760 The Stop capture after ... packet(s) check box and field let you
1762 specify that Wireshark should stop capturing after having captured
1763 some number of packets; if the check box is not checked, Wireshark
1764 will not stop capturing at some fixed number of captured packets.
1765 The Stop capture after ... megabyte(s) check box and field lets you
1767 specify that Wireshark should stop capturing after the file to
1768 which captured packets are being saved grows as large as or larger
1769 than some specified number of megabytes. If the check box is not
1770 checked, Wireshark will not stop capturing at some capture file
1771 size (although the operating system on which Wireshark is running,
1772 or the available disk space, may still limit the maximum size of a
1773 capture file). This option is disabled, if "multiple files" mode is
1774 used,
1775 The Stop capture after ... second(s) check box and field let you
1777 specify that Wireshark should stop capturing after it has been cap‐
1778 turing for some number of seconds; if the check box is not checked,
1779 Wireshark will not stop capturing after some fixed time has
1780 elapsed.
1781 The Update list of packets in real time check box lets you specify
1783 whether the display should be updated as packets are captured and,
1784 if you specify that, the Automatic scrolling in live capture check
1785 box lets you specify the packet list pane should automatically
1786 scroll to show the most recently captured packets as new packets
1787 arrive.
1788 The Enable MAC name resolution, Enable network name resolution and
1790 Enable transport name resolution check boxes let you specify
1791 whether MAC addresses, network addresses, and transport-layer port
1792 numbers should be translated to names.
1793 About
1795 The About dialog lets you view various information about Wireshark.
1796 About:Wireshark
1798 The Wireshark page lets you view general information about Wire‐
1799 shark, like the installed version, licensing information and such.
1800 About:Authors
1802 The Authors page shows the author and all contributors.
1803 About:Folders
1805 The Folders page lets you view the directory names where Wireshark
1806 is searching it's various configuration and other files.
1807 About:Plugins
1809 The Plugins page lets you view the dissector plugin modules avail‐
1810 able on your system.
1811 The Plugins List shows the name and version of each dissector plug‐
1813 in module found on your system.
1814 On Unix-compatible systems, the plugins are looked for in the fol‐
1816 lowing directories: the lib/wireshark/plugins/$VERSION directory
1817 under the main installation directory (for example,
1818 /usr/local/lib/wireshark/plugins/$VERSION), and then $HOME/.wire‐
1819 shark/plugins.
1820 On Windows systems, the plugins are looked for in the following
1822 directories: plugins\$VERSION directory under the main installation
1823 directory (for example, C:\Program Files\Wireshark\plugins\$VER‐
1824 SION), and then %APPDATA%\Wireshark\plugins\$VERSION (or, if %APP‐
1825 DATA% isn't defined, %USERPROFILE%\Application Data\Wireshark\plug‐
1826 ins\$VERSION).
1827 $VERSION is the version number of the plugin interface, which is
1829 typically the version number of Wireshark. Note that a dissector
1830 plugin module may support more than one protocol; there is not nec‐
1831 essarily a one-to-one correspondence between dissector plugin mod‐
1832 ules and protocols. Protocols supported by a dissector plugin mod‐
1833 ule are enabled and disabled using the Edit:Protocols dialog box,
1834 just as protocols built into Wireshark are.
1835
1837 See the manual page of pcap-filter(4) or, if that doesn't exist, tcp‐
1838 dump(8).
1839
1841 For a complete table of protocol and protocol fields that are filter‐
1842 able in Wireshark see the wireshark-filter(4) manual page.
1843
1845 These files contains various Wireshark configuration settings.
1846 Preferences
1848 The preferences files contain global (system-wide) and personal
1849 preference settings. If the system-wide preference file exists, it
1850 is read first, overriding the default settings. If the personal
1851 preferences file exists, it is read next, overriding any previous
1852 values. Note: If the command line flag -o is used (possibly more
1853 than once), it will in turn override values from the preferences
1854 files.
1855 The preferences settings are in the form prefname:value, one per
1857 line, where prefname is the name of the preference and value is the
1858 value to which it should be set; white space is allowed between :
1859 and value. A preference setting can be continued on subsequent
1860 lines by indenting the continuation lines with white space. A #
1861 character starts a comment that runs to the end of the line:
1862 # Vertical scrollbars should be on right side?
1864 # TRUE or FALSE (case-insensitive).
1865 gui.scrollbar_on_right: TRUE
1866 The global preferences file is looked for in the wireshark direc‐
1868 tory under the share subdirectory of the main installation direc‐
1869 tory (for example, /usr/local/share/wireshark/preferences) on UNIX-
1870 compatible systems, and in the main installation directory (for
1871 example, C:\Program Files\Wireshark\preferences) on Windows sys‐
1872 tems.
1873 The personal preferences file is looked for in $HOME/.wire‐
1875 shark/preferences on UNIX-compatible systems and %APPDATA%\Wire‐
1876 shark\preferences (or, if %APPDATA% isn't defined, %USERPRO‐
1877 FILE%\Application Data\Wireshark\preferences) on Windows systems.
1878 Note: Whenever the preferences are saved by using the Save button
1880 in the Edit:Preferences dialog box, your personal preferences file
1881 will be overwritten with the new settings, destroying any comments
1882 and unknown/obsolete settings that were in the file.
1883 Recent
1885 The recent file contains personal settings (mostly GUI related)
1886 such as the current Wireshark window size. The file is saved at
1887 program exit and read in at program start automatically. Note: The
1888 command line flag -o may be used to override settings from this
1889 file.
1890 The settings in this file have the same format as in the prefer‐
1892 ences files, and the same directory as for the personal preferences
1893 file is used.
1894 Note: Whenever Wireshark is closed, your recent file will be over‐
1896 written with the new settings, destroying any comments and
1897 unknown/obsolete settings that were in the file.
1898 Disabled (Enabled) Protocols
1900 The disabled_protos files contain system-wide and personal lists of
1901 protocols that have been disabled, so that their dissectors are
1902 never called. The files contain protocol names, one per line,
1903 where the protocol name is the same name that would be used in a
1904 display filter for the protocol:
1905 http
1907 tcp # a comment
1908 If a protocol is listed in the global disabled_protos file, it is
1910 not displayed in the Analyze:Enabled Protocols dialog box, and so
1911 cannot be enabled by the user.
1912 The global disabled_protos file uses the same directory as the
1914 global preferences file.
1915 The personal disabled_protos file uses the same directory as the
1917 personal preferences file.
1918 Note: Whenever the disabled protocols list is saved by using the
1920 Save button in the Analyze:Enabled Protocols dialog box, your per‐
1921 sonal disabled protocols file will be overwritten with the new set‐
1922 tings, destroying any comments that were in the file.
1923 Name Resolution (hosts)
1925 If the personal hosts file exists, it is used to resolve IPv4 and
1926 IPv6 addresses before any other attempts are made to resolve them.
1927 The file has the standard hosts file syntax; each line contains one
1928 IP address and name, separated by whitespace. The same directory as
1929 for the personal preferences file is used.
1930 Name Resolution (ethers)
1932 The ethers files are consulted to correlate 6-byte hardware
1933 addresses to names. First the personal ethers file is tried and if
1934 an address is not found there the global ethers file is tried next.
1935 Each line contains one hardware address and name, separated by
1937 whitespace. The digits of the hardware address are separated by
1938 colons (:), dashes (-) or periods (.). The same separator charac‐
1939 ter must be used consistently in an address. The following three
1940 lines are valid lines of an ethers file:
1941 ff:ff:ff:ff:ff:ff Broadcast
1943 c0-00-ff-ff-ff-ff TR_broadcast
1944 00.00.00.00.00.00 Zero_broadcast
1945 The global ethers file is looked for in the /etc directory on UNIX-
1947 compatible systems, and in the main installation directory (for
1948 example, C:\Program Files\Wireshark) on Windows systems.
1949 The personal ethers file is looked for in the same directory as the
1951 personal preferences file.
1952 Name Resolution (manuf)
1954 The manuf file is used to match the 3-byte vendor portion of a
1955 6-byte hardware address with the manufacturer's name; it can also
1956 contain well-known MAC addresses and address ranges specified with
1957 a netmask. The format of the file is the same as the ethers files,
1958 except that entries such as:
1959 00:00:0C Cisco
1961 can be provided, with the 3-byte OUI and the name for a vendor, and
1963 entries such as:
1964 00-00-0C-07-AC/40 All-HSRP-routers
1966 can be specified, with a MAC address and a mask indicating how many
1968 bits of the address must match. The above entry, for example, has
1969 40 significant bits, or 5 bytes, and would match addresses from
1970 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
1971 multiple of 8.
1972 The manuf file is looked for in the same directory as the global
1974 preferences file.
1975 Name Resolution (ipxnets)
1977 The ipxnets files are used to correlate 4-byte IPX network numbers
1978 to names. First the global ipxnets file is tried and if that
1979 address is not found there the personal one is tried next.
1980 The format is the same as the ethers file, except that each address
1982 is four bytes instead of six. Additionally, the address can be
1983 represented as a single hexadecimal number, as is more common in
1984 the IPX world, rather than four hex octets. For example, these
1985 four lines are valid lines of an ipxnets file:
1986 C0.A8.2C.00 HR
1988 c0-a8-1c-00 CEO
1989 00:00:BE:EF IT_Server1
1990 110f FileServer3
1991 The global ipxnets file is looked for in the /etc directory on
1993 UNIX-compatible systems, and in the main installation directory
1994 (for example, C:\Program Files\Wireshark) on Windows systems.
1995 The personal ipxnets file is looked for in the same directory as
1997 the personal preferences file.
1998 Capture Filters
2000 The cfilters files contain system-wide and personal capture fil‐
2001 ters. Each line contains one filter, starting with the string dis‐
2002 played in the dialog box in quotation marks, followed by the filter
2003 string itself:
2004 "HTTP" port 80
2006 "DCERPC" port 135
2007 The global cfilters file uses the same directory as the global
2009 preferences file.
2010 The personal cfilters file uses the same directory as the personal
2012 preferences file. It is written through the Capture:Capture Filters
2013 dialog.
2014 If the global cfilters file exists, it is used only if the personal
2016 cfilters file does not exist; global and personal capture filters
2017 are not merged.
2018 Display Filters
2020 The dfilters files contain system-wide and personal display fil‐
2021 ters. Each line contains one filter, starting with the string dis‐
2022 played in the dialog box in quotation marks, followed by the filter
2023 string itself:
2024 "HTTP" http
2026 "DCERPC" dcerpc
2027 The global dfilters file uses the same directory as the global
2029 preferences file.
2030 The personal dfilters file uses the same directory as the personal
2032 preferences file. It is written through the Analyze:Display Filters
2033 dialog.
2034 If the global dfilters file exists, it is used only if the personal
2036 dfilters file does not exist; global and personal display filters
2037 are not merged.
2038 Color Filters (Coloring Rules)
2040 The colorfilters files contain system-wide and personal color fil‐
2041 ters. Each line contains one filter, starting with the string dis‐
2042 played in the dialog box, followed by the corresponding display
2043 filter. Then the background and foreground colors are appended:
2044 # a comment
2046 @tcp@tcp@[59345,58980,65534][0,0,0]
2047 @udp@udp@[28834,57427,65533][0,0,0]
2048 The global colorfilters file uses the same directory as the global
2050 preferences file.
2051 The personal colorfilters file uses the same directory as the per‐
2053 sonal preferences file. It is written through the View:Coloring
2054 Rules dialog.
2055 If the global colorfilters file exists, it is used only if the per‐
2057 sonal colorfilters file does not exist; global and personal color
2058 filters are not merged.
2059 GTK rc files
2061 The gtkrc files contain system-wide and personal GTK theme set‐
2062 tings.
2063 The global gtkrc file uses the same directory as the global prefer‐
2065 ences file.
2066 The personal gtkrc file uses the same directory as the personal
2068 preferences file.
2069 Plugins
2071 See above in the description of the About:Plugins page.
2072
2074 wireshark-filter(4), tshark(1), editcap(1), pcap-filter(4), tcpdump(8),
2075 pcap(3), dumpcap(1), mergecap(1), text2pcap(1)
2076
2078 The latest version of Wireshark can be found at <http://www.wire‐
2079 shark.org>.
2080 HTML versions of the Wireshark project man pages are available at:
2082 <http://www.wireshark.org/docs/man-pages>.
2083
2085 Original Author
2086 -------- ------
2087 Gerald Combs <gerald[AT]wireshark.org>
2088 Contributors
2090 ------------
2091 Gilbert Ramirez <gram[AT]alumni.rice.edu>
2092 Hannes R. Boehm <hannes[AT]boehm.org>
2093 Mike Hall <mike [AT] hallzone.net>
2094 Bobo Rajec <bobo[AT]bsp-consulting.sk>
2095 Laurent Deniel <laurent.deniel[AT]free.fr>
2096 Don Lafontaine <lafont02[AT]cn.ca>
2097 Guy Harris <guy[AT]alum.mit.edu>
2098 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
2099 Joerg Mayer <jmayer[AT]loplof.de>
2100 Martin Maciaszek <fastjack[AT]i-s-o.net>
2101 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
2102 Jun-ichiro itojun Hagino <itojun[AT]itojun.org>
2103 Richard Sharpe <sharpe[AT]ns.aus.com>
2104 John McDermott <jjm[AT]jkintl.com>
2105 Jeff Jahr <jjahr[AT]shastanets.com>
2106 Brad Robel-Forrest <bradr[AT]watchguard.com>
2107 Ashok Narayanan <ashokn[AT]cisco.com>
2108 Aaron Hillegass <aaron[AT]classmax.com>
2109 Jason Lango <jal[AT]netapp.com>
2110 Johan Feyaerts <Johan.Feyaerts[AT]siemens.com>
2111 Olivier Abad <oabad[AT]noos.fr>
2112 Thierry Andry <Thierry.Andry[AT]advalvas.be>
2113 Jeff Foster <jfoste[AT]woodward.com>
2114 Peter Torvals <petertv[AT]xoommail.com>
2115 Christophe Tronche <ch.tronche[AT]computer.org>
2116 Nathan Neulinger <nneul[AT]umr.edu>
2117 Tomislav Vujec <tvujec[AT]carnet.hr>
2118 Kojak <kojak[AT]bigwig.net>
2119 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
2120 Warren Young <tangent[AT]mail.com>
2121 Heikki Vatiainen <hessu[AT]cs.tut.fi>
2122 Greg Hankins <gregh[AT]twoguys.org>
2123 Jerry Talkington <jtalkington[AT]users.sourceforge.net>
2124 Dave Chapeskie <dchapes[AT]ddm.on.ca>
2125 James Coe <jammer[AT]cin.net>
2126 Bert Driehuis <driehuis[AT]playbeing.org>
2127 Stuart Stanley <stuarts[AT]mxmail.net>
2128 John Thomes <john[AT]ensemblecom.com>
2129 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
2130 Thomas Parvais <thomas.parvais[AT]advalvas.be>
2131 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
2132 Craig Newell <craign[AT]cheque.uq.edu.au>
2133 Ed Meaney <emeaney[AT]cisco.com>
2134 Dietmar Petras <DPetras[AT]ELSA.de>
2135 Fred Reimer <fwr[AT]ga.prestige.net>
2136 Florian Lohoff <flo[AT]rfc822.org>
2137 Jochen Friedrich <jochen+ethereal[AT]scram.de>
2138 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
2139 Doug Nazar <nazard[AT]dragoninc.on.ca>
2140 Andreas Sikkema <h323 [AT] ramdyne.nl>
2141 Mark Muhlestein <mmm[AT]netapp.com>
2142 Graham Bloice <graham.bloice[AT]trihedral.com>
2143 Ralf Schneider <ralf.schneider[AT]alcatel.se>
2144 Yaniv Kaul <ykaul[AT]netvision.net.il>
2145 Paul Ionescu <paul[AT]acorp.ro>
2146 Mark Burton <markb[AT]ordern.com>
2147 Stefan Raab <sraab[AT]cisco.com>
2148 Mark Clayton <clayton[AT]shore.net>
2149 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
2150 Dug Song <dugsong[AT]monkey.org>
2151 Michael Tuexen <tuexen [AT] fh-muenster.de>
2152 Bruce Korb <bkorb[AT]sco.com>
2153 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
2154 David Frascone <dave[AT]frascone.com>
2155 Peter Kjellerstedt <pkj[AT]axis.com>
2156 Phil Techau <phil_t[AT]altavista.net>
2157 Wes Hardaker <hardaker[AT]users.sourceforge.net>
2158 Robert Tsai <rtsai[AT]netapp.com>
2159 Craig Metz <cmetz[AT]inner.net>
2160 Per Flock <per.flock[AT]axis.com>
2161 Jack Keane <jkeane[AT]OpenReach.com>
2162 Brian Wellington <bwelling[AT]xbill.org>
2163 Santeri Paavolainen <santtu[AT]ssh.com>
2164 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
2165 Neil Hunter <neil.hunter[AT]energis-squared.com>
2166 Ralf Holzer <ralf[AT]well.com>
2167 Craig Rodrigues <rodrigc [AT] attbi.com>
2168 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
2169 Johan Jorgensen <johan.jorgensen[AT]axis.com>
2170 Frank Singleton <frank.singleton[AT]ericsson.com>
2171 Kevin Shi <techishi[AT]ms22.hinet.net>
2172 Mike Frisch <mfrisch[AT]isurfer.ca>
2173 Burke Lau <burke_lau[AT]agilent.com>
2174 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
2175 David Hampton <dhampton[AT]mac.com>
2176 Kent Engstroem <kent[AT]unit.liu.se>
2177 Ronnie Sahlberg <ronnie_sahlberg[AT]ozemail.com.au>
2178 Borosa Tomislav <tomislav.borosa[AT]SIEMENS.HR>
2179 Alexandre P. Ferreira <alexandref[AT]tcoip.com.br>
2180 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
2181 Greg Kilfoyle <gregk[AT]redback.com>
2182 James E. Flemer <jflemer[AT]acm.jhu.edu>
2183 Peter Lei <peterlei[AT]cisco.com>
2184 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
2185 Albert Chin <china[AT]thewrittenword.com>
2186 Charles Levert <charles[AT]comm.polymtl.ca>
2187 Todd Sabin <tas[AT]webspan.net>
2188 Eduardo Perez Ureta <eperez[AT]dei.inf.uc3m.es>
2189 Martin Thomas <martin_a_thomas[AT]yahoo.com>
2190 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
2191 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
2192 Hannes Gredler <hannes[AT]juniper.net>
2193 Inoue <inoue[AT]ainet.or.jp>
2194 Olivier Biot <obiot.ethereal[AT]gmail.com>
2195 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
2196 Martin Held <Martin.Held[AT]icn.siemens.de>
2197 Riaan Swart <rswart[AT]cs.sun.ac.za>
2198 Christian Lacunza <celacunza[AT]gmx.net>
2199 Scott Renfro <scott[AT]renfro.org>
2200 Juan Toledo <toledo[AT]users.sourceforge.net>
2201 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
2202 Jian Yu <bgp4news[AT]yahoo.com>
2203 Eran Mann <emann[AT]opticalaccess.com>
2204 Andy Hood <ajhood [AT] fl.net.au>
2205 Randy McEoin <rmceoin[AT]pe.net>
2206 Edgar Iglesias <edgar.iglesias[AT]axis.com>
2207 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
2208 Javier Achirica <achirica[AT]ttd.net>
2209 B. Johannessen <bob[AT]havoq.com>
2210 Thierry Pelle <thierry.pelle[AT]laposte.net>
2211 Francisco Javier Cabello <fjcabello[AT]vtools.es>
2212 Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
2213 nuf si <gnippiks[AT]yahoo.com>
2214 Jeff Morriss <jeff.morriss[AT]ulticom.com>
2215 Aamer Akhter <aakhter[AT]cisco.com>
2216 Pekka Savola <pekkas[AT]netcore.fi>
2217 David Eisner <cradle[AT]Glue.umd.edu>
2218 Steve Dickson <steved[AT]talarian.com>
2219 Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
2220 Lee Berger <lberger[AT]roy.org>
2221 Motonori Shindo <mshindo[AT]mshindo.net>
2222 Terje Krogdahl <tekr[AT]nextra.com>
2223 Jean-Francois Mule <jfm[AT]cablelabs.com>
2224 Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
2225 Matthias Nyffenegger <matthias.nyffenegger[AT]iclip.ch>
2226 Palle Lyckegaard <Palle[AT]lyckegaard.dk>
2227 Nicolas Balkota <balkota[AT]mac.com>
2228 Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
2229 Akira Endoh <endoh[AT]netmarks.co.jp>
2230 Graeme Hewson <graeme.hewson[AT]oracle.com>
2231 Pasi Eronen <pe[at]iki.fi>
2232 Georg von Zezschwitz <gvz[AT]2scale.net>
2233 Steffen Weinreich <steve[AT]weinreich.org>
2234 Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
2235 Gordon McKinney <gordon[AT]night-ray.com>
2236 Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
2237 Shinsuke Suzuki <suz[AT]kame.net>
2238 Andrew C. Feren <acferen[AT]yahoo.com>
2239 Tomas Kukosa <tomas.kukosa [AT] siemens.com>
2240 Andreas Stockmeier <a.stockmeier[AT]avm.de>
2241 Pekka Nikander <pekka.nikander[AT]nomadiclab.com>
2242 Hamish Moffatt <hamish[AT]cloud.net.au>
2243 Kazushi Sugyo <k-sugyou[AT]nwsl.mesh.ad.jp>
2244 Tim Potter <tpot[AT]samba.org>
2245 Raghu Angadi <rangadi[AT]inktomi.com>
2246 Taisuke Sasaki <sasaki[AT]soft.net.fujitsu.co.jp>
2247 Tim Newsham <newsham[AT]lava.net>
2248 Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
2249 Darren New <dnew[AT]san.rr.com>
2250 Pavel Mores <pvl[AT]uh.cz>
2251 Bernd Becker <bb[AT]bernd-becker.de>
2252 Heinz Prantner <Heinz.Prantner[AT]radisys.com>
2253 Irfan Khan <ikhan[AT]qualcomm.com>
2254 Jayaram V.R <vjayar[AT]cisco.com>
2255 Dinesh Dutt <ddutt[AT]cisco.com>
2256 Nagarjuna Venna <nvenna[AT]Brixnet.com>
2257 Jirka Novak <j.novak[AT]netsystem.cz>
2258 Ricardo Barroetaven~a <rbarroetavena[AT]veufort.com>
2259 Alan Harrison <alanharrison[AT]mail.com>
2260 Mike Frantzen <frantzen[AT]w4g.org>
2261 Charlie Duke <cduke[AT]fvc.com>
2262 Alfred Arnold <Alfred.Arnold[AT]elsa.de>
2263 Dermot Bradley <dermot.bradley[AT]openwave.com>
2264 Adam Sulmicki <adam[AT]cfar.umd.edu>
2265 Kari Tiirikainen <kari.tiirikainen[AT]nokia.com>
2266 John Mackenzie <John.A.Mackenzie[AT]t-online.de>
2267 Peter Valchev <pvalchev[AT]openbsd.org>
2268 Alex Rozin <Arozin[AT]mrv.com>
2269 Jouni Malinen <jkmaline[AT]cc.hut.fi>
2270 Paul E. Erkkila <pee[AT]erkkila.org>
2271 Jakob Schlyter <jakob[AT]openbsd.org>
2272 Jim Sienicki <sienicki[AT]issanni.com>
2273 Steven French <sfrench[AT]us.ibm.com>
2274 Diana Eichert <deicher[AT]sandia.gov>
2275 Blair Cooper <blair[AT]teamon.com>
2276 Kikuchi Ayamura <ayamura[AT]ayamura.org>
2277 Didier Gautheron <dgautheron[AT]magic.fr>
2278 Phil Williams <csypbw[AT]comp.leeds.ac.uk>
2279 Kevin Humphries <khumphries[AT]networld.com>
2280 Erik Nordstroem <erik.nordstrom[AT]it.uu.se>
2281 Devin Heitmueller <dheitmueller[AT]netilla.com>
2282 Chenjiang Hu <chu[AT]chiaro.com>
2283 Kan Sasaki <sasaki[AT]fcc.ad.jp>
2284 Stefan Wenk <stefan.wenk[AT]gmx.at>
2285 Ruud Linders <ruud[AT]lucent.com>
2286 Andrew Esh <Andrew.Esh[AT]tricord.com>
2287 Greg Morris <GMORRIS[AT]novell.com>
2288 Dirk Steinberg <dws[AT]dirksteinberg.de>
2289 Kari Heikkila <kari.o.heikkila[AT]nokia.com>
2290 Olivier Dreux <Olivier.Dreux[AT]alcatel.fr>
2291 Michael Stiller <ms[AT]2scale.net>
2292 Antti Tuominen <ajtuomin[AT]tml.hut.fi>
2293 Martin Gignac <lmcgign[AT]mobilitylab.net>
2294 John Wells <wells[AT]ieee.org>
2295 Loic Tortay <tortay[AT]cc.in2p3.fr>
2296 Steve Housley <Steve_Housley[AT]eur.3com.com>
2297 Peter Hawkins <peter[AT]hawkins.emu.id.au>
2298 Bill Fumerola <billf[AT]FreeBSD.org>
2299 Chris Waters <chris[AT]waters.co.nz>
2300 Solomon Peachy <pizza[AT]shaftnet.org>
2301 Jaime Fournier <Jaime.Fournier [AT] hush.com>
2302 Markus Steinmann <ms[AT]seh.de>
2303 Tsutomu Mieno <iitom[AT]utouto.com>
2304 Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
2305 Anand V. Narwani <anand[AT]narwani.org>
2306 Christopher K. St. John <cks[AT]distributopia.com>
2307 Nix <nix[AT]esperi.demon.co.uk>
2308 Liviu Daia <Liviu.Daia[AT]imar.ro>
2309 Richard Urwin <richard[AT]soronlin.org.uk>
2310 Prabhakar Krishnan <Prabhakar.Krishnan[AT]netapp.com>
2311 Jim McDonough <jmcd[AT]us.ibm.com>
2312 Sergei Shokhor <sshokhor[AT]uroam.com>
2313 Hidetaka Ogawa <ogawa[AT]bs2.qnes.nec.co.jp>
2314 Jan Kratochvil <short[AT]ucw.cz>
2315 Alfred Koebler <ak[AT]icon-sult.de>
2316 Vassilii Khachaturov <Vassilii.Khachaturov[AT]comverse.com>
2317 Bill Studenmund <wrstuden[AT]wasabisystems.com>
2318 Brian Bruns <camber[AT]ais.org>
2319 Flavio Poletti <flavio[AT]polettix.it>
2320 Marcus Haebler <haeblerm[AT]yahoo.com>
2321 Ulf Lamping <ulf.lamping[AT]web.de>
2322 Matthew Smart <smart[AT]monkey.org>
2323 Luke Howard <lukeh[AT]au.padl.com>
2324 PC Drew <drewpc[AT]ibsncentral.com>
2325 Renzo Tomas <renzo.toma [AT] xs4all.nl>
2326 Clive A. Stubbings <eth [AT] vjet.demon.co.uk>
2327 Steve Langasek <vorlon [AT] netexpress.net>
2328 Brad Hards <bhards[AT]bigpond.net.au>
2329 cjs 2895 <cjs2895[AT]hotmail.com>
2330 Lutz Jaenicke <Lutz.Jaenicke [AT] aet.TU-Cottbus.DE>
2331 Senthil Kumar Nagappan <sknagappan [AT] yahoo.com>
2332 Jason House <jhouse [AT] mitre.org>
2333 Peter Fales <psfales [AT] lucent.com>
2334 Fritz Budiyanto <fritzb88 [AT] yahoo.com>
2335 Jean-Baptiste Marchand <Jean-Baptiste.Marchand [AT] hsc.fr>
2336 Andreas Trauer <andreas.trauer [AT] siemens.com>
2337 Ronald Henderson <Ronald.Henderson [AT] CognicaseUSA.com>
2338 Brian Ginsbach <ginsbach [AT] cray.com>
2339 Dave Richards <d_m_richards [AT] comcast.net>
2340 Martin Regner <martin.regner [AT] chello.se>
2341 Jason Greene <jason [AT] inetgurus.net>
2342 Marco Molteni <mmolteni [AT] cisco.com>
2343 James Harris <jharris [AT] fourhorsemen.org>
2344 rmkml <rmkml [AT] wanadoo.fr>
2345 Anders Broman <anders.broman [AT] ericsson.com>
2346 Christian Falckenberg <christian.falckenberg [AT] nortelnetworks.com>
2347 Huagang Xie <xie [AT] lids.org>
2348 Pasi Kovanen <Pasi.Kovanen [AT] tahoenetworks.fi>
2349 Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
2350 Martijn Schipper <martijn.schipper [AT] intersil.com>
2351 Wayne Parrott <wayne_p [AT] pacific.net.au>
2352 Laurent Meyer <laurent.meyer6 [AT] wanadoo.fr>
2353 Lars Roland <Lars.Roland [AT] gmx.net>
2354 Miha Jemec <m.jemec [AT] iskratel.si>
2355 Markus Friedl <markus [AT] openbsd.org>
2356 Todd Montgomery <tmontgom [AT] tibco.com>
2357 emre <emre [AT] flash.net>
2358 Stephen Shelley <steve.shelley [AT] attbi.com>
2359 Erwin Rol <erwin [AT] erwinrol.com>
2360 Duncan Laurie <duncan [AT] sun.com>
2361 Tony Schene <schene [AT] pcisys.net>
2362 Matthijs Melchior <mmelchior [AT] xs4all.nl>
2363 Garth Bushell <gbushell [AT] elipsan.com>
2364 Mark C. Brown <mbrown [AT] hp.com>
2365 Can Erkin Acar <canacar [AT] eee.metu.edu.tr>
2366 Martin Warnes <martin.warnes [AT] ntlworld.com>
2367 J Bruce Fields <bfields [AT] fieldses.org>
2368 tz <tz1 [AT] mac.com>
2369 Jeff Liu <jqliu [AT] broadcom.com>
2370 Niels Koot <Niels.Koot [AT] logicacmg.com>
2371 Lionel Ains <lains [AT] gmx.net>
2372 Joakim Wiberg <jow [AT] hms-networks.com>
2373 Jeff Rizzo <riz [AT] boogers.sf.ca.us>
2374 Christoph Wiest <ch.wiest [AT] tesionmail.de>
2375 Xuan Zhang <xz [AT] aemail4u.com>
2376 Thierry Martin <thierry.martin [AT] accellent-group.com>
2377 Oleg Terletsky <oleg.terletsky [AT] comverse.com>
2378 Michael Lum <mlum [AT] telostech.com>
2379 Shiang-Ming Huang <smhuang [AT] pcs.csie.nctu.edu.tw>
2380 Tony Lindstrom <tony.lindstrom [AT] ericsson.com>
2381 Niklas Ogren <niklas.ogren [AT] 71.se>
2382 Jesper Peterson <jesper [AT] endace.com>
2383 Giles Scott <gscott [AT] arubanetworks.com>
2384 Vincent Jardin <vincent.jardin [AT] 6wind.com>
2385 Jean-Michel Fayard <jean-michel.fayard [AT] moufrei.de>
2386 Josef Korelus <jkor [AT] quick.cz>
2387 Brian K. Teravskis <Brian_Teravskis [AT] Cargill.com>
2388 Nathan Jennings <njen [AT] triad.rr.com>
2389 Hans Viens <hviens [AT] mediatrix.com>
2390 Kevin A. Noll <kevin.noll [AT] versatile.com>
2391 Emanuele Caratti <wiz [AT] libero.it>
2392 Graeme Reid <graeme.reid [AT] norwoodsystems.com>
2393 Lars Ruoff <lars.ruoff [AT] sxb.bsf.alcatel.fr>
2394 Samuel Qu <samuel.qu [AT] utstar.com>
2395 Baktha Muralitharan <muralidb [AT] cisco.com>
2396 Loiec Minier <lool [AT] dooz.org>
2397 Marcel Holtmann <marcel [AT] holtmann.org>
2398 Scott Emberley <scotte [AT] netinst.com>
2399 Brian Fundakowski Feldman <bfeldman [AT] fla.fujitsu.com>
2400 Yuriy Sidelnikov <ysidelnikov [AT] hotmail.com>
2401 Matthias Drochner <M.Drochner [AT] fz-juelich.de>
2402 Dave Sclarsky <dave_sclarsky [AT] cnt.com>
2403 Scott Hovis <scott.hovis [AT] ums.msfc.nasa.gov>
2404 David Fort <david.fort [AT] irisa.fr>
2405 Martijn Schipper <mschipper [AT] globespanvirata.com>
2406 Felix Fei <felix.fei [AT] utstar.com>
2407 Christoph Neusch <christoph.neusch [AT] nortelnetworks.com>
2408 Jan Kiszka <jan.kiszka [AT] web.de>
2409 Joshua Craig Douglas <jdouglas [AT] enterasys.com>
2410 Dick Gooris <gooris [AT] alcatel-lucent.com>
2411 Michael Shuldman <michaels [AT] inet.no>
2412 Tadaaki Nagao <nagao [AT] iij.ad.jp>
2413 Aaron Woo <woo [AT] itd.nrl.navy.mil>
2414 Chris Wilson <chris [AT] mxtelecom.com>
2415 Rolf Fiedler <Rolf.Fiedler [AT] Innoventif.com>
2416 Alastair Maw <ethereal [AT] almaw.com>
2417 Sam Leffler <sam [AT] errno.com>
2418 Martin Mathieson <martin.r.mathieson [AT] googlemail.com>
2419 Christian Wagner <Christian.Wagner [AT] stud.uni-karlsruhe.de>
2420 Edwin Calo <calo [AT] fusemail.com>
2421 Ian Schorr <ischorr [AT] comcast.net>
2422 Rowan McFarland <rmcfarla[AT]cisco.com>
2423 John Engelhart <johne [AT] zang.com>
2424 Ryuji Somegawa <ryuji-so [AT] is.aist-nara.ac.jp>
2425 metatech <metatech [AT] flashmail.com>
2426 Brian Wheeler <Brian.Wheeler [AT] arrisi.com>
2427 Josh Bailey <joshbailey [AT] lucent.com>
2428 Jelmer Vernooij <jelmer [AT] samba.org>
2429 Duncan Sargeant <dunc-ethereal-dev [AT] rcpt.to>
2430 Love Hoernquist Aastrand <lha [AT] it.su.se>
2431 Lukas Pokorny <maskis [AT] seznam.cz>
2432 Carlos Pignataro <cpignata [AT] cisco.com>
2433 Thomas Anders <thomas.anders [AT] blue-cable.de>
2434 Rich Coe <Richard.Coe [AT] med.ge.com>
2435 Dominic Bechaz <bdo [AT] zhwin.ch>
2436 Richard van der Hoff <richardv [AT] mxtelecom.com>
2437 Shaun Jackman <sjackman [AT] gmail.com>
2438 Jon Oberheide <jon [AT] oberheide.org>
2439 Henry Ptasinski <henryp [AT] broadcom.com>
2440 Roberto Morro <Roberto.Morro [AT] TILAB.COM>
2441 Chris Maynard <Christopher.Maynard [AT] GTECH.COM>
2442 SEKINE Hideki <sekineh [AT] gf7.so-net.ne.jp>
2443 Jeff Connelly <shellreef+mp2p [AT] gmail.com>
2444 Irene Ruengle <i.ruengeler [AT] fh-muenster.de
2445 M. Ortega y Strupp <moys [AT] loplof.de>
2446 Kelly Byrd <kbyrd-ethereal [AT] memcpy.com>
2447 Luis Ontanon <luis.ontanon[AT]gmail.com>
2448 Luca Deri <deri [AT] ntop.org>
2449 Viorel Suman <vsuman [AT] avmob.ro>
2450 Alejandro Vaquero <alejandro.vaquero [AT] verso.com>
2451 Francesco Fondelli <francesco.fondelli [AT] gmail.com>
2452 Bill Meier <wmeier [AT] newsguy.com>
2453 Susanne Edlund <Susanne.Edlund [AT] ericsson.com>
2454 Victor Stratan <hidralisk [AT] yahoo.com>
2455 Peter Johansson <PeterJohansson73 [AT] gmail.com>
2456 Stefan Metzmacher <metze [AT] samba.org>
2457 Abhijit Menon-Sen <ams [AT] oryx.com>
2458 James Fields <jvfields [AT] tds.net>
2459 Kevin Johnson <kjohnson [AT] secureideas.net>
2460 Mike Duigou <bondolo [AT] dev.java.net>
2461 Deepak Jain <jain1971 [AT] yahoo.com>
2462 Stefano Pettini <spettini [AT] users.sourceforge.net>
2463 Jon Ringle <ml-ethereal [AT] ringle.org>
2464 Tim Endean <endeant [AT] hotmail.com>
2465 Charlie Lenahan <clenahan [AT] fortresstech.com>
2466 Takeshi Nakashima <T.Nakashima [AT] jp.yokogawa.com>
2467 Shoichi Sakane <sakane [AT] tanu.org>
2468 Michael Richardson <Michael.Richardson [AT] protiviti.com>
2469 Olivier Jacques <olivier.jacques [AT] hp.com>
2470 Francisco Alcoba <francisco.alcoba [AT] ericsson.com>
2471 Nils O. Selaasdal <noselasd [AT] asgaard.homelinux.org>
2472 Guillaume Chazarain <guichaz [AT] yahoo.fr>
2473 Angelo Bannack <angelo.bannack[AT]siemens.com>
2474 Paolo Frigo <paolofrigo [AT] gmail.com>
2475 Jeremy J Ouellette <jouellet [AT] scires.com>
2476 Aboo Valappil <valappil_aboo [AT] emc.com>
2477 Fred Hoekstra <fred.hoekstra [AT] philips.com>
2478 Ankur Aggarwal <ankur [AT] in.athenasemi.com>
2479 Viorel Suman <vsuman [AT] avmob.ro>
2480 Lucian Piros <lpiros [AT] avmob.ro>
2481 Juan Gonzalez <juan.gonzalez [AT] pikatech.com>
2482 Brian Bogora <brian_bogora [AT] mitel.com>
2483 Jim Young <sysjhy [AT] langate.gsu.edu>
2484 Jeff Snyder <jeff [AT] mxtelecom.com>
2485 William Fiveash <William.Fiveash [AT] sun.com>
2486 Graeme Lunt <graeme.lunt [AT] smhs.co.uk>
2487 Menno Andriesse <s5066 [AT] nc3a.nato.int>
2488 Stig Bjorlykke <stig [AT] bjorlykke.org>
2489 Kyle J. Harms <kyle.j.harms [AT] boeing.com>
2490 Eric Wedel <ewedel [AT] bluearc.com>
2491 Secfire <secfire[AT]gmail.com>
2492 Eric Hultin <Eric.Hultin[AT]arrisi.com>
2493 Paolo Abeni <paolo.abeni [AT] email.it>
2494 W. Borgert <debacle [AT] debian.org>
2495 Frederic Roudaut <frederic.roudaut [AT] irisa.fr>
2496 Christoph Scholz <scholz_ch [AT] web.de>
2497 Wolfgang Hansmann <hansmann [AT] cs.uni-bonn.de>
2498 Kees Cook <kees [AT] outflux.net>
2499 Thomas Dreibholz <dreibh [AT] exp-math.uni-essen.de>
2500 Authesserre Samuel <sauthess [AT] gmail.com>
2501 Balint Reczey <balint.reczey [AT] ericsson.com>
2502 Stephen Fisher <stephentfisher [AT] yahoo.com>
2503 Krzysztof Burghardt <krzysztof [AT] burghardt.pl>
2504 Peter Racz <racz [AT] ifi.unizh.ch>
2505 Jakob Bratkovic <j.bratkovic [AT] iskratel.si>
2506 Mark Lewis <mlewis [AT] altera.com>
2507 Dominic Bechaz <bdo [AT] zhwin.ch>
2508 David Buechi <bhd [AT] zhwin.ch>
2509 Bill Florac <bill.florac [AT] etcconnect.com>
2510 Alex Burlyga <Alex.Burlyga [AT] netapp.com>
2511 Douglas Pratley <Douglas.pratley [AT] detica.com>
2512 Giorgio Tino <giorgio.tino [AT] cacetech.com>
2513 Davide Schiera <davide.schiera [AT] cacetech.com>
2514 Sebastien Tandel <sebastien [AT] tandel.be>
2515 Clay Jones <clay.jones [AT] email.com>
2516 Kriang Lerdsuwanakij <lerdsuwa [AT] users.sourceforge.net>
2517 Abhik Sarkar <sarkar.abhik [AT] gmail.com>
2518 Robin Seggelmann <seggelmann [AT] fh-muenster.de>
2519 Chris Bontje <cbontje [AT] gmail.com>
2520 Ryan Wamsley <wamslers [AT] sbcglobal.net>
2521 Dave Butt <davidbutt [AT] mxtelecom.com>
2522 Julian Cable <julian_cable [AT] yahoo.com>
2523 Joost Yervante Damad <joost [AT] teluna.org>
2524 Martin Sustrik <sustrik [AT] imatix.com>
2525 Jon Smirl <jonsmirl [AT] gmail.com>
2526 David Kennedy <sgsguy [AT] gmail.com>
2527 Matthijs Mekking <matthijs [AT] mlnetlabs.nl>
2528 Dustin Johnson <dustin.johnson [AT] cacetech.com>
2529 Victor Fajardo <vfajardo [AT] tari.toshiba.com>
2530 Tamas Regos <tamas.regos [AT] ericsson.com>
2531 Moshe van der Sterre <moshevds [AT] gmail.com>
2532 Rob Casey <rcasey [AT] gmail.com>
2533 Ted Percival <ted [AT] midg3t.net>
2534 Marc Petit-Huguenin <marc [AT] petit-huguenin.org>
2535 Florent Drouin <florent.drouin [AT] alcatel-lucent.fr>
2536 Karen Feng <kfeng [AT] fas.harvard.edu>
2537 Stephen Croll <croll [AT] mobilemetrics.net>
2538 Jens Braeuer <jensb [AT] cs.tu-berlin.de>
2539 Sake Blok <sake [AT] euronet.nl>
2540 Fulko Hew <fulko.hew [AT] gmail.com>
2541 Yukiyo Akisada <Yukiyo.Akisada [AT] jp.yokogawa.com>
2542 Andy Chu <chu.dev [AT] gmail.com>
2543 Shane Kearns <shane.kearns [AT] symbian.com>
2544 Thomas Dreibholz <dreibh [AT] iem.uni-due.de>
2545 Loris Degioanni <loris.degioanni [AT] cacetech.com>
2546 Sven Meier <msv[AT]zhwin.ch>
2547 Holger Pfrommer <hpfrommer [AT] hilscher.com>
2548 Hariharan Ananthakrishnan <hariharan.a [AT] gmail.com>
2549 Hannes Kaelber <hannes.kaelber--wireshark [AT] x2e.de>
2550 Stephen Donnelly <stephen [AT] endace.com>
2551 and by:
2552 Pavel Roskin <proski [AT] gnu.org>
2554 Georgi Guninski <guninski [AT] guninski.com>
2555 Jason Copenhaver <jcopenha [AT] typedef.org>
2556 Eric Perie <eric.perie [AT] colubris.com>
2557 David Yon <yon [AT] tacticalsoftware.com>
2558 Marcio Franco <franco.marcio [AT] rd.francetelecom.fr>
2559 Kaloian Stoilov <kalkata [AT] yahoo.com>
2560 Steven Lass <stevenlass [AT] mail.com>
2561 Gregory Stark <gsstark [AT] mit.edu>
2562 Darren Steele <steeley [AT] steeley.co.uk>
2563 <smhuang [AT] pcs.csie.nctu.edu.tw>
2564 Michael Kopp <michael.kopp [AT] isarnet.de>
2565 Bernd Leibing <bernd.leibing [AT] kiz.uni-ulm.de>
2566 Chris Heath <chris [AT] heathens.co.nz>
2567 Gisle Vanem <giva [AT] bgnett.no>
2568 Ritchie <ritchie [AT] tipsybottle.com>
2569 Aki Immonen <aki.immonen [AT] golftalma.fi>
2570 David E. Weekly <david [AT] weekly.org>
2571 Steve Ford <sford [AT] geeky-boy.com>
2572 Masaki Chikama <masaki-c [AT] is.aist-nara.ac.jp>
2573 Mohammad Hanif <mhanif [AT] nexthop.com>
2574 Reinhard Speyerer <rspmn [AT] arcor.de>
2575 Patrick Kursawe <phosphan [AT] gentoo.org>
2576 Arsen Chaloyan <achaloyan [AT] yahoo.com>
2577 <melerski [AT] poczta.onet.pl>
2578 Arnaud Jacques <webmaster [AT] securiteinfo.com>
2579 D. Manzella <manzella [AT] lucent.com>
2580 Jari Mustajarvi <jari.mustajarvi [AT] nokia.com>
2581 Joost Yervante Damad <Joost.Damad [AT] siemens.com>
2582 Pierre Juhen <pierre.juhen [AT] wanadoo.fr>
2583 David Richards <drichards [AT] alum.mit.edu>
2584 Shusaku Ueda <ueda [AT] sra.co.jp>
2585 Jonathan Perkins <jonathan.perkins [AT] ipaccess.com>
2586 Holger Schurig <h.schurig [AT] mn-logistik.de>
2587 Peter J. Creath <peter-ethereal [AT] creath.net>
2588 Magnus Hansson <mah [AT] hms.se>
2589 Pavel Kankovsky <kan [AT] dcit.cz>
2590 Nick Black <dank [AT] reflexsecurity.com>
2591 Bill Guyton <guyton [AT] bguyton.com>
2592 Chernishov Yury <Chernishov [AT] iskrauraltel.ru>
2593 Thomas Palmer <Thomas.Palmer [AT] Gunter.AF.mil>
2594 Clinton Work <clinton [AT] scripty.com>
2595 Joe Marcus Clarke <marcus [AT] marcuscom.com>
2596 Kendy Kutzner <kutzner[AT]tm.uka.de>
2597 James H. Cloos Jr. <cloos [AT] jhcloos.com>
2598 Tim Farley <tfarley[AT]iss.net>
2599 Daniel Thompson <daniel.thompson[AT]st.com>
2600 Chris Jepeway <thai-dragon[AT]eleven29.com>
2601 Matthew Bradley <matthew.bradley [AT] cnsonline.net>
2602 Nathan Alger <nathan [AT] wasted.com>
2603 Stas Grabois <sagig [AT] radware.com>
2604 Ainsley Pereira <APereira [AT] Witness.com>
2605 Philippe Mazeau <philippe.mazeau [AT] swissvoice.net>
2606 Carles Kishimoto <ckishimo [AT] ac.upc.es>
2607 Dennis Lim <Dennis.Lim [AT] motorola.com>
2608 <postadal [AT] suse.cz>
2609 Martin van der Werff <martin [AT] vanderwerff.org>
2610 Marco van den Bovenkamp <marco [AT] linuxgoeroe.dhs.org>
2611 Ming Zhang <mingz [AT] ele.uri.edu>
2612 Neil Piercy <Neil.Piercy [AT] ipaccess.com>
2613 Remi Denis-Courmont <courmisch [AT] via.ecp.fr>
2614 Thomas Palmer <tpalmer [AT] elmore.rr.com>
2615 Maarten Svantesson <f95-msv [AT] f.kth.se>
2616 Thomas Boehne <TBoehne [AT] ADwin.de>
2617 Steve Sommars (e-mail address removed at contributor's request)
2618 Kestutis Kupciunas <kesha [AT] soften.ktu.lt>
2619 Rene Pilz <rene.pilz [AT] ftw.at>
2620 Laurent Constantin <laurent.constantin [AT] aql.fr>
2621 Martin Pichlmaier <martin.pichlmaier [AT] siemens.com>
2622 Mark Phillips <msp [AT] nortelnetworks.com>
2623 Nils Ohlmeier <lists [AT] ohlmeier.org>
2624 Ignacio Goyret <igoyret [AT] lucent.com>
2625 Bart Braem <bart.braem [AT] gmail.com>
2626 Shingo Horisawa <name4n5 [AT] hotmail.com>
2627 Lane Hu <lane.hu [AT] utstar.com>
2628 Marc Poulhies <marc.poulhies [AT] epfl.ch>
2629 Tomasz Mrugalski <thomson [AT] klub.com.pl>
2630 Brett Kuskie <mstrprgmmr [AT] chek.com>
2631 Brian Caswell <bmc [AT] sourcefire.com>
2632 Yann <yann_eads [AT] hotmail.com>
2633 Jon Ringle <ml-ethereal [AT] ringle.org>
2634 Julien Leproust <julien [AT] via.ecp.fr>
2635 Mutsuya Irie <irie [AT] sakura-catv.ne.jp>
2636 Yoshihiro Oyama <y.oyama [AT] netagent.co.jp>
2637 Chris Eagle <cseagle [AT] nps.edu>
2638 Dominique Bastien <dbastien [AT] accedian.com>
2639 Nicolas Dichtel <nicolas.dichtel [AT] 6wind.com>
2640 Ricardo Muggli <ricardo.muggli [AT] mnsu.edu>
2641 Vladimir Kondratiev <vladimir.kondratiev [AT] gmail.com>
2642 Jaap Keuter <jaap.keuter [AT] xs4all.nl>
2643 Frederic Peters <fpeters [AT] debian.org>
2644 Anton Ivanov <anthony_johnson [AT] mail.ru>
2645 Ilya Konstantinov <future [AT] shiny.co.il>
2646 Neil Kettle <mu-b [AT] 65535.com>
2647 Steve Karg <skarg [AT] users.sourceforge.net>
2648 Javier Acuna <javier.acuna [AT] sixbell.cl>
2649 Miklos Szurdi <szurdimiklos [AT] yahoo.com>
2650 Cvetan Ivanov <zezo [AT] spnet.net>
2651 Vasanth Manickam <vasanth.manickam [AT] bt.com>
2652 Julian Onions <julian.onions [AT] gmail.com>
2653 Samuel Thibault <samuel.thibault [AT] ens-lyon.org>
2654 Peter Kovař <peter.kovar [AT] gmail.com>
2655 Paul Ollis <paul.ollis [AT] roke.co.uk>
2656 Dominik Kuhlen <dkuhlen [AT] gmx.net>
2657 Karl Knoebl <karl.knoebl [AT] siemens.com>
2658 Maria-Luiza Crivat <luizacri [AT] gmail.com>
2659 Brice Augustin <bricecotte [AT] gmail.com>
2660 Matt Thornton <MATT_THORNTON [AT] appsig.com>
2661 Markus Seehofer <Markus.Seehofer [AT] hirschmann.de>
2662 Matthias Drochner <M.Drochner [AT] fz-juelich.de>
2663 Timo Metsala <timo.metsala [AT] gmail.com>
2664 Manu Pathak <mapathak [AT] cisco.com>
2665 Kaul <mykaul [AT] gmail.com>
2666 John Sullivan <john [AT] kanargh.force9.co.uk>
2667 Martin Andre <andre [AT] clarinet.u-strasbg.fr>
2668 Andrei Emeltchenko <Andrei.Emeltchenko [AT] nokia.com>
2669 Kirby Files <kfiles [AT] masergy.com>
2670 Ravi Valmikam <rvalmikam [AT] airvananet.com>
2671 Diego Petteno <flameeyes [AT] gentoo.org>
2672 Daniel Black <dragonheart [AT] gentoo.org>
2673 Christoph Werle <Christoph.Werle [AT] ira.uka.de>
2674 Aaron Christensen <aaronmf [AT] gmail.com>
2675 Ian Abel <ianabel [AT] mxtelecom.com>
2676 Bryant Eastham <beastham [AT] slc.mew.com>
2677 Taner Kurtulus <taner.kurtulus [AT] tubitak.gov.tr>
2678 Joe Breher <linux [AT] q-music.com>
2679 Patrick vd Lageweg <patrick [AT] bitwizard.nl>
2680 Thomas Sillaber <Thomas.Sillaber [AT] gmx.de>
2681 Mike Davies <m.davies [AT] btinternet.com>
2682 Boris Misenov <Boris.Misenov [AT] oktelabs.ru>
2683 Joe McEachern <joe [AT] qacafe.com>
2684 Charles Lepple <clepple [AT] gmail.com>
2685 Tuomas Maattanen <maattanen [AT] iki.fi>
2686 Joe Eykholt <joe [AT] nuovasystems.com>
2687 Ian Brumby <ian.brumby [AT] baesystems.com>
2688 Todd J Martin <todd.martin [AT] acm.org>
2689 Scott Robinson <scott.robinson [AT] flukenetworks.com>
2690 Martin Peylo <wireshark [AT] izac.de>
2691 Stephane Loeuillet <leroutier [AT] gmail.com>
2692 Andrei Rubaniuk <rubaniuk [AT] mail.ru>
2693 Mikael Magnusson <mikma264 [AT] gmail.com>
2694 Timo Teraes <timo.teras [AT] iki.fi>
2695 Marton Nemeth <nm127 [AT] freemail.hu>
2696 Kai Blin <kai [AT] samba.org>
2697 Olivier Montanuy <olivier.montanuy [AT] orange-ftgroup.com>
2698 Thomas Morin <thomas.morin [AT] orange-ftgroup.com>
2699 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to
2701 give his permission to use his version of snprintf.c.
2702 Dan Lasley <dlasley[AT]promus.com> gave permission for his
2704 dumpit() hex-dump routine to be used.
2705 Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the
2707 hex dump display routine.
2708 We use the exception module from Kazlib, a C library written by
2710 Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks go to him for
2711 his well-written library. The Kazlib home page can be found at
2712 http://users.footprints.net/~kaz/kazlib.html
2713 Henrik Brix Andersen <brix[AT]gimp.org> gave permission for his
2715 webbrowser calling routine to be used.
2716 Christophe Devine <c.devine[at]cr0.net> gave permission for his
2718 SHA1 routines to be used.
2719 snax <snax[AT]shmoo.com> gave permission to use his(?) weak key
2721 detection code from Airsnort.
2722 IANA gave permission for their port-numbers file to be used.
27241.0.0 2008-04-03 WIRESHARK(1)