You are here: Home » Internet » Network Tools » Wireshark » Online Manual

Wireshark 1.0.0 Online Manual

A free network protocol analyzer for Windows and Unix

Free Download ( Evaluation | 20.7 MB )

62 (57%)

47 (43%)

Online Manual of Wireshark 1.0.0
Tips: Convert Microsoft Excel to HTML | PDF to HTML | Convert paper documents to PDF / HTML

Wireshark User's Guide

Wireshark User's Guide

24665 for Wireshark 0.99.7

Ulf Lamping

Richard Sharpe

NS Computer Software and Services P/L

Ed Warnicke

Copyright © 2004-2008 Ulf Lamping , Richard Sharpe , Ed Warnicke

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.

All logos and trademarks in this document are property of their respective owner.

Table of Contents

1. Foreword
2. Who should read this document?
3. Acknowledgements
4. About this document
5. Where to get the latest copy of this document?
6. Providing feedback about this document

1. Introduction

1.1. What is Wireshark?

1.1.1. Some intended purposes
1.1.2. Features
1.1.3. Live capture from many different network media
1.1.4. Import files from many other capture programs
1.1.5. Export files for many other capture programs
1.1.6. Many protocol decoders
1.1.7. Open Source Software
1.1.8. What Wireshark is not

1.2. System Requirements

1.2.1. General Remarks
1.2.2. Microsoft Windows
1.2.3. Unix / Linux

1.3. Where to get Wireshark?

1.4. A brief history of Wireshark

1.5. Development and maintenance of Wireshark

1.6. Reporting problems and getting help

1.6.1. Website
1.6.2. Wiki
1.6.3. FAQ
1.6.4. Mailing Lists
1.6.5. Reporting Problems
1.6.6. Reporting Crashes on UNIX/Linux platforms
1.6.7. Reporting Crashes on Windows platforms

2. Building and Installing Wireshark

2.1. Introduction

2.2. Obtaining the source and binary distributions

2.3. Before you build Wireshark under UNIX

2.4. Building Wireshark from source under UNIX

2.5. Installing the binaries under UNIX

2.5.1. Installing from rpm's under Red Hat and alike
2.5.2. Installing from deb's under Debian
2.5.3. Installing from portage under Gentoo Linux
2.5.4. Installing from packages under FreeBSD

2.6. Troubleshooting during the install on Unix

2.7. Building from source under Windows

2.8. Installing Wireshark under Windows

2.8.1. Install Wireshark
2.8.2. Manual WinPcap Installation
2.8.3. Update Wireshark
2.8.4. Update WinPcap
2.8.5. Uninstall Wireshark
2.8.6. Uninstall WinPcap

3. User Interface

3.1. Introduction

3.2. Start Wireshark

3.3. The Main window

3.3.1. Main Window Navigation

3.4. The Menu

3.5. The "File" menu

3.6. The "Edit" menu

3.7. The "View" menu

3.8. The "Go" menu

3.9. The "Capture" menu

3.10. The "Analyze" menu

3.11. The "Statistics" menu

3.12. The "Help" menu

3.13. The "Main" toolbar

3.14. The "Filter" toolbar

3.15. The "Packet List" pane

3.16. The "Packet Details" pane

3.17. The "Packet Bytes" pane

3.18. The Statusbar

4. Capturing Live Network Data

4.1. Introduction

4.2. Prerequisites

4.3. Start Capturing

4.4. The "Capture Interfaces" dialog box

4.5. The "Capture Options" dialog box

4.5.1. Capture frame
4.5.2. Capture File(s) frame
4.5.3. Stop Capture... frame
4.5.4. Display Options frame
4.5.5. Name Resolution frame
4.5.6. Buttons

4.6. Capture files and file modes

4.7. Link-layer header type

4.8. Filtering while capturing

4.8.1. Automatic Remote Traffic Filtering

4.9. While a Capture is running ...

4.9.1. Stop the running capture
4.9.2. Restart a running capture

5. File Input / Output and Printing

5.1. Introduction

5.2. Open capture files

5.2.1. The "Open Capture File" dialog box
5.2.2. Input File Formats

5.3. Saving captured packets

5.3.1. The "Save Capture File As" dialog box
5.3.2. Output File Formats

5.4. Merging capture files

5.4.1. The "Merge with Capture File" dialog box

5.5. File Sets

5.5.1. The "List Files" dialog box

5.6. Exporting data

5.6.1. The "Export as Plain Text File" dialog box
5.6.2. The "Export as PostScript File" dialog box
5.6.3. The "Export as CSV (Comma Separated Values) File" dialog box
5.6.4. The "Export as PSML File" dialog box
5.6.5. The "Export as PDML File" dialog box
5.6.6. The "Export selected packet bytes" dialog box
5.6.7. The "Export Objects" dialog box

5.7. Printing packets

5.7.1. The "Print" dialog box

5.8. The Packet Range frame

5.9. The Packet Format frame

6. Working with captured packets

6.1. Viewing packets you have captured

6.2. Pop-up menus

6.2.1. Pop-up menu of the "Packet List" pane
6.2.2. Pop-up menu of the "Packet Details" pane

6.3. Filtering packets while viewing

6.4. Building display filter expressions

6.4.1. Display filter fields
6.4.2. Comparing values
6.4.3. Combining expressions
6.4.4. A common mistake

6.5. The "Filter Expression" dialog box

6.6. Defining and saving filters

6.7. Finding packets

6.7.1. The "Find Packet" dialog box
6.7.2. The "Find Next" command
6.7.3. The "Find Previous" command

6.8. Go to a specific packet

6.8.1. The "Go Back" command
6.8.2. The "Go Forward" command
6.8.3. The "Go to Packet" dialog box
6.8.4. The "Go to Corresponding Packet" command
6.8.5. The "Go to First Packet" command
6.8.6. The "Go to Last Packet" command

6.9. Marking packets

6.10. Time display formats and time references

6.10.1. Packet time referencing

7. Advanced Topics

7.1. Introduction

7.2. Following TCP streams

7.2.1. The "Follow TCP Stream" dialog box

7.3. Expert Infos

7.3.1. Expert Info Entries
7.3.2. "Expert Info Composite" dialog
7.3.3. "Colorized" Protocol Details Tree
7.3.4. "Expert" Packet List Column (optional)

7.4. Time Stamps

7.4.1. Wireshark internals
7.4.2. Capture file formats
7.4.3. Accuracy

7.5. Time Zones

7.5.1. Set your computer's time correctly!
7.5.2. Wireshark and Time Zones

7.6. Packet Reassembling

7.6.1. What is it?
7.6.2. How Wireshark handles it

7.7. Name Resolution

7.7.1. Name Resolution drawbacks
7.7.2. Ethernet name resolution (MAC layer)
7.7.3. IP name resolution (network layer)
7.7.4. IPX name resolution (network layer)
7.7.5. TCP/UDP port name resolution (transport layer)

7.8. Checksums

7.8.1. Wireshark checksum validation
7.8.2. Checksum offloading

8. Statistics

8.1. Introduction

8.2. The "Summary" window

8.3. The "Protocol Hierarchy" window

8.4. Conversations

8.4.1. What is a Conversation?
8.4.2. The "Conversations" window
8.4.3. The protocol specific "Conversation List" windows

8.5. Endpoints

8.5.1. What is an Endpoint?
8.5.2. The "Endpoints" window
8.5.3. The protocol specific "Endpoint List" windows

8.6. The "IO Graphs" window

8.7. WLAN Traffic Statistics

8.8. Service Response Time

8.8.1. The "Service Response Time DCE-RPC" window

8.9. The protocol specific statistics windows

9. Customizing Wireshark

9.1. Introduction

9.2. Start Wireshark from the command line

9.3. Packet colorization

9.4. Control Protocol dissection

9.4.1. The "Enabled Protocols" dialog box
9.4.2. User Specified Decodes
9.4.3. Show User Specified Decodes

9.5. Preferences

9.6. Configuration Profiles

9.7. User Table

9.8. Display Filter Macros

9.9. Tektronix K12xx/15 RF5 protocols Table

9.10. User DLTs protocol table

9.11. SNMP users Table

9.12. SCCP users Table

10. Lua Support in Wireshark

10.1. Introduction

10.2. Example of Dissector written in Lua

10.3. Example of Listener written in Lua

10.4. Wireshark's Lua API Reference Manual

10.4.1. saving capture files
10.4.2. obtaining dissection data
10.4.3. GUI support
10.4.4. post-dissection packet analysis
10.4.5. obtaining packet information
10.4.6. functions for writing dissectors
10.4.7. adding information to the dissection tree
10.4.8. functions for handling packet data
10.4.9. Utility Functions

A. Files and Folders

A.1. Capture Files

A.1.1. Libpcap File Contents
A.1.2. Not Saved in the Capture File

A.2. Configuration Files and Folders

A.3. Windows folders

A.3.1. Windows profiles
A.3.2. Windows Vista/XP/2000/NT roaming profiles
A.3.3. Windows temporary folder

B. Protocols and Protocol Fields

C. Wireshark Messages

C.1. Packet List Messages

C.1.1. [Malformed Packet]
C.1.2. [Packet size limited during capture]

C.2. Packet Details Messages

C.2.1. [Response in frame: 123]
C.2.2. [Request in frame: 123]
C.2.3. [Time from request: 0.123 seconds]
C.2.4. [Stream setup by PROTOCOL (frame 123)]

D. Related command line tools

D.1. Introduction

D.2. tshark: Terminal-based Wireshark

D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark

D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark

D.5. capinfos: Print information about capture files

D.6. editcap: Edit capture files

D.7. mergecap: Merging multiple capture files into one

D.8. text2pcap: Converting ASCII hexdumps to network captures

D.9. idl2wrs: Creating dissectors from CORBA IDL files

D.9.1. What is it?
D.9.2. Why do this?
D.9.3. How to use idl2wrs
D.9.4. TODO
D.9.5. Limitations
D.9.6. Notes

E. This Document's License (GPL)

List of Figures

1.1. Wireshark captures packets and allows you to examine their content.
3.1. The Main window
3.2. The Menu
3.3. The "File" Menu
3.4. The "Edit" Menu
3.5. The "View" Menu
3.6. The "Go" Menu
3.7. The "Capture" Menu
3.8. The "Analyze" Menu
3.9. The "Statistics" Menu
3.10. The "Help" Menu
3.11. The "Main" toolbar
3.12. The "Filter" toolbar
3.13. The "Packet List" pane
3.14. The "Packet Details" pane
3.15. The "Packet Bytes" pane
3.16. The "Packet Bytes" pane with tabs
3.17. The initial Statusbar
3.18. The Statusbar with a loaded capture file
3.19. The Statusbar with a selected protocol field
4.1. The "Capture Interfaces" dialog box
4.2. The "Capture Options" dialog box
4.3. The "Capture Info" dialog box
5.1. "Open" on native Windows
5.2. "Open" - new GTK version
5.3. "Open" - old GTK version
5.4. "Save" on native Windows
5.5. "Save" - new GTK version
5.6. "Save" - old GTK version
5.7. "Merge" on native Windows
5.8. "Merge" - new GTK version
5.9. "Merge" - old GTK version
5.10. The "List Files" dialog box
5.11. The "Export as Plain Text File" dialog box
5.12. The "Export as PostScript File" dialog box
5.13. The "Export as PSML File" dialog box
5.14. The "Export as PDML File" dialog box
5.15. The "Export Selected Packet Bytes" dialog box
5.16. The "Export Objects" dialog box
5.17. The "Print" dialog box
5.18. The "Packet Range" frame
5.19. The "Packet Format" frame
6.1. Wireshark with a TCP packet selected for viewing
6.2. Viewing a packet in a separate window
6.3. Pop-up menu of the "Packet List" pane
6.4. Pop-up menu of the "Packet Details" pane
6.5. Filtering on the TCP protocol
6.6. The "Filter Expression" dialog box
6.7. The "Capture Filters" and "Display Filters" dialog boxes
6.8. The "Find Packet" dialog box
6.9. The "Go To Packet" dialog box
6.10. Wireshark showing a time referenced packet
7.1. The "Follow TCP Stream" dialog box
7.2. The "Packet Bytes" pane with a reassembled tab
8.1. The "Summary" window
8.2. The "Protocol Hierarchy" window
8.3. The "Conversations" window
8.4. The "Endpoints" window
8.5. The "IO Graphs" window
8.6. The "WLAN Traffic Statistics" window
8.7. The "Compute DCE-RPC statistics" window
8.8. The "DCE-RPC Statistic for ..." window
9.1. The "Coloring Rules" dialog box
9.2. The "Edit Color Filter" dialog box
9.3. The "Choose color" dialog box
9.4. Using color filters with Wireshark
9.5. The "Enabled Protocols" dialog box
9.6. The "Decode As" dialog box
9.7. The "Decode As: Show" dialog box
9.8. The preferences dialog box
9.9. The configuration profiles dialog box

List of Tables

3.1. Keyboard Navigation
3.2. File menu items
3.3. Edit menu items
3.4. View menu items
3.5. Go menu items
3.6. Capture menu items
3.7. Analyze menu items
3.8. Statistics menu items
3.9. Help menu items
3.10. Main toolbar items
3.11. Filter toolbar items
4.1. Capture file mode selected by capture options
5.1. The system specific "Open Capture File" dialog box
5.2. The system specific "Save Capture File As" dialog box
5.3. The system specific "Merge Capture File As" dialog box
6.1. The menu items of the "Packet List" pop-up menu
6.2. The menu items of the "Packet Details" pop-up menu
6.3. Display Filter comparison operators
6.4. Display Filter Field Types
6.5. Display Filter Logical Operations
7.1. Some example expert infos
7.2. Time zone examples for UTC arrival times (without DST)
A.1. Configuration files and folders overview

List of Examples

2.1. Building GTK+ from source
2.2. Building and installing libpcap
2.3. Installing required RPMs under Red Hat Linux 6.2 and beyond
2.4. Installing debs under Debian
4.1. A capture filter for telnet that captures traffic to and from a particular host
4.2. Capturing all telnet traffic not from 10.0.0.5
9.1. Help information available from Wireshark
D.1. Help information available from dumpcap
D.2. Help information available from capinfos
D.3. Help information available from editcap
D.4. Help information available from mergecap
D.5. Simple example of using mergecap
D.6. Help information available for text2pcap

Download Wireshark 1.0.0 (20.7 MB)

Rate This Manual

Tips & Guides Related to Wireshark

How to install Norton Internet Security 2008?
Guide to install Norton Internet Security 2008.

by Admin on Oct 10, 2007
How to Upgrade to BitDefender Internet Security 2008?
Guide to Upgrade to BitDefender Internet Security 2008.

by Admin on Oct 28, 2007
How to fix system instability when using AVG Internet Security 8 with ThreatFire Antivirus?
I have AVG Internet Security 8 installed and I'm experiencing system instability such as applications not loading, programs becoming unresponsive...

by Jane Lambert on May 15, 2008
Remove Norton Internet Security 2009 with Norton Removal Tool
The Norton Removal Tool uninstalls Norton Internet Security 2009 from your computer.

by Jane Lambert on Sep 17, 2008
2 Ways to uninstall / remove Internet Explorer 7
This article describes how to uninstall Windows Internet Explorer 7 in Microsoft Windows XP and in Microsoft Windows Server 2003.

by Jane Lambert on Sep 17, 2008

Top Online Manuals

New Online Manuals

Download Wireshark 1.0.0 (20.7 MB)