This will only be shown for live captures or if this information is present in a saved capture file.
The pcapng format supports this, while pcap doesn’t.
Interfaces:::
Information about the capture interface or interfaces.
Statistics:::
A statistical summary of the capture file.
If a display filter is set, you will see values in the _Captured_ column, and if any packets are marked, you will see values in the _Marked_ column.
The values in the _Captured_ column will remain the same as before, while the values in the _Displayed_ column will reflect the values corresponding to the packets shown in the display.
The values in the _Marked_ column will reflect the values corresponding to the marked packets.
Capture file comments::
Some capture file formats (notably pcapng) allow a text comment for the entire file.
You can view and edit this comment here.
btn:[Refresh]::
Updates the information in the dialog.
btn:[Save Comments]::
Saves the contents of the “Capture file comments” text entry.
btn:[Close]::
Closes the dialog.
btn:[Copy To Clipboard]::
Copies the “Details” information to the clipboard.
The Resolved Addresses window shows the list of resolved addresses and their host names. Users can choose the `Hosts` field to display IPv4 and IPv6 addresses only. In this case, the dialog displays host names for each IP address in a capture file with a known host. This host is typically taken from DNS answers in a capture file. In case of an unknown host name, users can populate it based on a reverse DNS lookup. To do so, follow these steps:
. Enable `Resolve Network Addresses` in the menu:View[Name Resolution] menu as this option is disabled by default.
. Select `Use an external network name resolver` in the menu:Preferences[Name Resolution] menu. This option is enabled by default.
NOTE: The resolved addresses are not updated automatically after users change the settings. To display newly available names, users have to reopen the dialog.
The `Ports` tab shows the list of service names, ports and types.
Wireshark reads the entries for port mappings from the `hosts` service configuration files. See <<ChAppFilesConfigurationSection>> section for more information.
The arithmetic mean length of the packets in this range.
Min Val, Max Val::
The minimum and maximum lengths in this range.
Rate (ms)::
The average packets per millisecond for the packets in this range.
Percent::
The percentage of packets in this range, by count.
Burst Rate::
Packet bursts are detected by counting the number of packets in a given time interval and comparing that count to the intervals across a window of time.
Statistics for the interval with the maximum number of packets are shown.
By default, bursts are detected across 5 millisecond intervals and intervals are compared across 100 millisecond windows.
+
These calculations can be adjusted in the “Statistics” section of the <<ChCustPreferencesSection,Preferences Dialog>>.
Burst Start::
The start time, in seconds from the beginning of the capture, for the interval with the maximum number of packets.
You can show statistics for a portion of the capture by entering a display filter into the _Display filter_ entry and pressing btn:[Apply].
btn:[Copy] copies the statistics to the clipboard.
btn:[Save as...] lets you save the data as text, CSV, YAML, or XML.
The maximum, minimum, and arithmetic mean values of the specified “Y Field” per interval.
For MAX and MIN values, hovering and clicking the graph will show and take you to the packet with the MAX or MIN value in the interval instead of the most recent packet.
The Dynamic Host Configuration Protocol (DHCP) is an option of the Bootstrap Protocol (BOOTP). It dynamically assigns IP addresses and other parameters to a DHCP client. The DHCP (BOOTP) Statistics window displays a table of the number of occurrences of each DHCP message type. The user can filter, copy or save the data into a file.
Open Network Computing (ONC) Remote Procedure Call (RPC) uses TCP or UDP protocols to map a program number to a specific port on a remote machine and call a required service at that port. The ONC-RPC Programs window shows the description for captured program calls, such as program name, its number, version, and other data.
The 29West technology now refers to Ultra-Low Latency Messaging (ULLM) technology. It allows sending and receiving a high number of messages per second with microsecond delivery times for zero-latency data delivery.
The menu:Statistics[29West] shows:
[cols="1,1"]
|===
|The `Topics` submenu shows counters for:
a|* Advertisement by Topic
* Advertisement by Source
* Advertisement by Transport
* Queries by Topic
* Queries by Receiver
* Wildcard Queries by Pattern
* Wildcard Queries by Receiver
|The `Queues` submenu shows counters for:
a|* Advertisement by Queue
* Advertisement by Source
* Queries by Queue
* Queries by Receiver
|The `UIM` submenu shows `Streams`:
| Each stream is listed with its Endpoints, Messages, Bytes, and First and Last Frame statistics.
|The `LBT-RM` submenu
|The LBT-RM Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data.
|The `LBT-RU` submenu
|The LBT-RU Transport Statistics window shows the Sources and Receivers sequence numbers for transport and other data.
|===
The Access Node Control Protocol (ANCP) is a TCP-based protocol that operates between an Access Node and a Network Access Server. The Wireshark ANCP dissector supports the messages listed below:
* Adjacency Message
* Topology Discovery Extensions, such as Port-Up and Port-Down Messages
* Operation And Maintenance (OAM) Extension, such as Port Management Message.
The ANCP window shows the related statistical data. The user can filter, copy or save the data into a file.
Building Automation and Control Networks (BACnet) is a communication protocol which provides control for various building automated facilities, such as light control, fire alarm control, and others. Wireshark provides BACnet statistics in the form of a packet counter. You can sort packets by instance ID, IP address, object type or service.
Collectd is a system statistics collection daemon. It collects various statistics from your system and converts them for network use. The Collectd statistics window shows counts for values, which are split into type, plugin, and host, as well as a total packet counter. You can filter, copy or save the data to a file.
The Domain Name System (DNS) associates different information, such as IP addresses, with domain names. DNS returns different codes, request-response and counters for various aggregations. The DNS statistics window lists a total count of DNS messages, which are divided into groups by request types (opcodes), response code (rcode), query type, and others.
You might find these statistics useful for quickly examining the health of a DNS service or other investigations. See the few possible scenarios below:
* The DNS server might have issues if you see that DNS queries have a long request-response time or if there are too many unanswered queries.
* DNS requests with abnormally large requests and responses might be indicative of DNS tunneling or command and control traffic.
* An order of magnitude more DNS responses than requests, combined with very large responses, might indicate that the target is being attacked with a DNS-based DDoS.
You can filter, copy or save the data into a file.
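The three scenarios above expressed as checks over per-client DNS counts, as an added example that is not part of the Wireshark documentation or code. The record layout, the function name `dns_findings`, the flag names and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records (not from a real capture), tab-separated:
# time_s, client address, DNS transaction ID, is_response (0/1), frame length
SAMPLE = "\n".join([
    "0.000\t10.0.0.5\t0x1a01\t0\t74",
    "0.020\t10.0.0.5\t0x1a01\t1\t90",
    "1.000\t10.0.0.7\t0x2b01\t0\t250",
    "1.040\t10.0.0.7\t0x2b01\t1\t900",
    "1.200\t10.0.0.7\t0x2b02\t0\t255",
    "1.230\t10.0.0.7\t0x2b02\t1\t1100",
    "2.000\t10.0.0.8\t0x3c01\t0\t74",
    "2.500\t10.0.0.8\t0x3c02\t0\t74",
    "3.400\t10.0.0.8\t0x3c02\t1\t90",
] + [f"4.{i:03d}\t10.0.0.9\t0x4d{i:02x}\t1\t1400" for i in range(12)])

def dns_findings(text, slow_s=0.5, max_unanswered=0.25,
                 big_query=200, big_resp=512, flood_ratio=10):
    # All thresholds are illustrative assumptions; tune them per network.
    pending = {}                          # (client, txid) -> query time
    stats = defaultdict(lambda: {"q": [], "r": [], "rtt": []})
    for line in text.splitlines():
        t, client, txid, is_resp, length = line.split("\t")
        s = stats[client]
        if is_resp == "0":
            pending[(client, txid)] = float(t)
            s["q"].append(int(length))
        else:
            s["r"].append(int(length))
            sent = pending.pop((client, txid), None)
            if sent is not None:          # unsolicited responses have no RTT
                s["rtt"].append(float(t) - sent)
    findings = {}
    for client, s in stats.items():
        flags = []
        nq, nr = len(s["q"]), len(s["r"])
        unanswered = sum(1 for c, _ in pending if c == client)
        if nq and (unanswered / nq > max_unanswered
                   or (s["rtt"] and mean(s["rtt"]) > slow_s)):
            flags.append("slow_or_unanswered")      # service health
        if nq and nr and mean(s["q"]) > big_query and mean(s["r"]) > big_resp:
            flags.append("oversized_exchange")      # possible tunneling / C2
        if nr >= flood_ratio * max(nq, 1) and mean(s["r"]) > big_resp:
            flags.append("response_flood")          # possible DDoS target
        if flags:
            findings[client] = flags
    return findings
```
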
The Flow Graph window shows connections between hosts. It displays the packet time, direction, ports and comments for each captured connection. You can filter all connections by ICMP Flows, ICMPv6 Flows, UIM Flows and TCP Flows.
Each vertical line represents a specific host, which you can see at the top of the window.
The numbers in each row at the very left of the window represent the packet time. You can change the time format in the menu:View[Time Display Format]. If you change the time format, you must relaunch the Flow Graph window to observe the time in a new format.
The numbers at both ends of each arrow between hosts represent the port numbers.
Left-click a row to select a corresponding packet in the packet list.
Right-click on the graph for additional options, such as selecting the previous, current, or next packet in the packet list. This menu also contains shortcuts for moving the diagram.
Highway Addressable Remote Transducer over IP (HART-IP) is an application layer protocol. It sends and receives digital information between smart devices and control or monitoring systems. The HART-IP statistics window shows the counter for response, request, publish and error packets. You can filter, copy or save the data to a file.
The Hpfeeds protocol provides lightweight authenticated publishing and subscription. It supports arbitrary binary payloads which can be separated into different channels. The HPFEEDS statistics window shows a counter for payload size per channel and opcodes. You can filter, copy or save the data to a file.
Hypertext Transfer Protocol version 2 (HTTP/2) allows multiplexing various HTTP requests and responses over a single connection. It uses a binary encoding that consists of frames. The HTTP/2 statistics window shows the total number of HTTP/2 frames and also provides a breakdown per frame type, such as `HEADERS`, `DATA`, and others.
As HTTP/2 traffic is typically encrypted with TLS, you must configure decryption to observe HTTP/2 traffic. For more details, see the link:{wireshark-wiki-url}TLS[TLS wiki page].
The UDP Multicast Streams window shows statistics for all UDP multicast streams. It includes source addresses and ports, destination addresses and ports, a packet counter and other data. You can specify the burst interval, the alarm limits and output speeds. To apply new settings, press btn:[Enter].
With these statistics you can:
* Measure the burst size for a video stream. This uses the sliding window algorithm.
* Measure the output buffer size limit at which no packet drop will occur. This uses the leaky bucket algorithm.
* Detect the packet loss inside the MPEG2 video stream.
Internet Protocol version 4 (IPv4) is a core protocol for the internet layer. It uses 32-bit addresses and allows routing packets from one source host to the next one.
The menu:Statistics[IPv4] menu provides packet counters in the following submenus:
* `All Addresses`. Divides data by IP address.
* `Destination and Ports`. Divides data by IP address, and further by IP protocol type, such as TCP, UDP, and others. It also shows the port number.
* `IP Protocol Types`. Divides data by IP protocol type.
* `Source and Destination addresses`. Divides data by source and destination IP address.
You can see similar statistics in the menu:Statistics[Conversations] and menu:Statistics[Endpoints] menus.
Internet Protocol version 6 (IPv6) is a core protocol for the internet layer. It uses 128-bit addresses and routes internet traffic. Similar to <<ChStatIPv4>>, the menu:Statistics[IPv6] menu shows the packet counter in each submenu.