2018-02-05 16:59:45 +00:00
|
|
|
|
// WSUG Chapter IO
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChapterIO]]
|
|
|
|
|
|
|
|
|
|
== File Input, Output, and Printing
|
|
|
|
|
|
|
|
|
|
[[ChIOIntroductionSection]]
|
|
|
|
|
|
|
|
|
|
=== Introduction
|
|
|
|
|
|
|
|
|
|
This chapter will describe input and output of capture data.
|
|
|
|
|
|
|
|
|
|
* Open capture files in various capture file formats
|
|
|
|
|
|
|
|
|
|
* Save/Export capture files in various capture file formats
|
|
|
|
|
|
|
|
|
|
* Merge capture files together
|
|
|
|
|
|
|
|
|
|
* Import text files containing hex dumps of packets
|
|
|
|
|
|
|
|
|
|
* Print packets
|
|
|
|
|
|
|
|
|
|
[[ChIOOpenSection]]
|
|
|
|
|
|
|
|
|
|
=== Open capture files
|
|
|
|
|
|
|
|
|
|
Wireshark can read in previously saved capture files. To read them, simply
|
|
|
|
|
select the menu:File[Open] menu or toolbar item. Wireshark will then pop up
|
2018-02-26 01:50:01 +00:00
|
|
|
|
the “File Open” dialog box, which is discussed in more detail in <<ChIOOpen>>.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[TIP]
|
2019-10-29 16:13:53 +00:00
|
|
|
|
.You can use drag and drop to open files
|
2014-08-31 01:02:52 +00:00
|
|
|
|
====
|
|
|
|
|
You can open a file by simply dragging it in your file manager and dropping it
|
2019-10-29 16:13:53 +00:00
|
|
|
|
onto Wireshark’s main window. However, drag and drop may not be available in all
|
2014-08-31 01:02:52 +00:00
|
|
|
|
desktop environments.
|
|
|
|
|
====
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
If you haven’t previously saved the current capture file you will be asked to
|
2014-08-31 01:02:52 +00:00
|
|
|
|
do so to prevent data loss. This warning can be disabled in the preferences.
|
|
|
|
|
|
|
|
|
|
In addition to its native file format (pcapng), Wireshark can read and write
|
|
|
|
|
capture files from a large number of other packet capture programs as well. See
|
|
|
|
|
<<ChIOInputFormatsSection>> for the list of capture formats Wireshark
|
|
|
|
|
understands.
|
|
|
|
|
|
|
|
|
|
[[ChIOOpen]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Open Capture File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
The “Open Capture File” dialog box allows you to search for a capture file
|
2014-08-31 01:02:52 +00:00
|
|
|
|
containing previously captured packets for display in Wireshark. The following
|
2018-02-26 01:50:01 +00:00
|
|
|
|
sections show some examples of the Wireshark “Open File” dialog box. The
|
2014-08-31 01:02:52 +00:00
|
|
|
|
appearance of this dialog depends on the system. However, the functionality
|
|
|
|
|
should be the same across systems.
|
|
|
|
|
|
|
|
|
|
Common dialog behaviour on all systems:
|
|
|
|
|
|
|
|
|
|
* Select files and directories.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* Click the btn:[Open] or btn:[OK] button to accept your selected file and
|
2014-08-31 01:02:52 +00:00
|
|
|
|
open it.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* Click the btn:[Cancel] button to go back to Wireshark and not load a capture file.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Wireshark extensions to the standard behaviour of these dialogs:
|
|
|
|
|
|
|
|
|
|
* View file preview information such as the filesize and the number of packets
|
|
|
|
|
in a selected a capture file.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* Specify a display filter with the btn:[Filter] button and filter field.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
This filter will be used when opening the new file. The text field background
|
|
|
|
|
becomes green for a valid filter string and red for an invalid one. Clicking
|
2018-02-04 23:15:02 +00:00
|
|
|
|
on the btn:[Filter] button causes Wireshark to pop up the “Filters”
|
2014-08-31 01:02:52 +00:00
|
|
|
|
dialog box (which is discussed further in <<ChWorkDisplayFilterSection>>).
|
|
|
|
|
+
|
|
|
|
|
// XXX - we need a better description of these read filters
|
|
|
|
|
|
|
|
|
|
* Specify which type of name resolution is to be performed for all packets by
|
2018-02-26 01:50:01 +00:00
|
|
|
|
clicking on one of the “... name resolution” check buttons. Details about name
|
2014-08-31 01:02:52 +00:00
|
|
|
|
resolution can be found in <<ChAdvNameResolutionSection>>.
|
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
.Save a lot of time loading huge capture files
|
|
|
|
|
====
|
|
|
|
|
You can change the display filter and name resolution settings later while
|
|
|
|
|
viewing the packets. However, loading huge capture files can take a significant
|
|
|
|
|
amount of extra time if these settings are changed later, so in such situations
|
|
|
|
|
it can be a good idea to set at least the filter in advance here.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[ChIOOpenFileDialogWin32]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Open” on Microsoft Windows
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-open-win32.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Windows file open dialog - plus some Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
Specific for this dialog:
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* The btn:[Help] button will lead you to this section of this “User’s Guide”.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOOpenFileDialog]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Open” - Linux and UNIX
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-open-gtk24.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Gimp/GNOME file open dialog plus some Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
Specific for this dialog:
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* The btn:[+] button allows you to add a directory selected in the
|
2014-08-31 01:02:52 +00:00
|
|
|
|
right-hand pane to the favorites list on the left. These changes are
|
|
|
|
|
persistent.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* The btn:[-] button allows you to remove a selected directory from the list.
|
2018-02-04 23:15:02 +00:00
|
|
|
|
Some items (such as “Desktop”) cannot be removed from the favorites list.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* If Wireshark doesn’t recognize the selected file as a capture file it will
|
2017-08-23 21:46:24 +00:00
|
|
|
|
grey out the btn:[Open] button.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2017-03-01 21:58:16 +00:00
|
|
|
|
// XXX Add macOS
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[ChIOInputFormatsSection]]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
==== Input File Formats
|
|
|
|
|
|
|
|
|
|
The following file formats from other capture tools can be opened by Wireshark:
|
|
|
|
|
|
2019-06-14 23:03:17 +00:00
|
|
|
|
* pcapng. A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later
|
2014-08-31 01:02:52 +00:00
|
|
|
|
save files as pcapng by default. Versions prior to 1.8 used libpcap.
|
|
|
|
|
|
|
|
|
|
* libpcap. The default format used by the _libpcap_ packet capture library. Used
|
|
|
|
|
by _tcpdump, _Snort_, _Nmap_, _Ntop_, and many other tools.
|
|
|
|
|
|
|
|
|
|
* Oracle (previously Sun) _snoop_ and _atmsnoop_
|
|
|
|
|
|
|
|
|
|
* Finisar (previously Shomiti) _Surveyor_ captures
|
|
|
|
|
|
|
|
|
|
* Microsoft _Network Monitor_ captures
|
|
|
|
|
|
|
|
|
|
* Novell _LANalyzer_ captures
|
|
|
|
|
|
|
|
|
|
* AIX _iptrace_ captures
|
|
|
|
|
|
|
|
|
|
* Cinco Networks NetXray captures
|
|
|
|
|
|
|
|
|
|
* Network Associates Windows-based Sniffer and Sniffer Pro captures
|
|
|
|
|
|
|
|
|
|
* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
|
|
|
|
|
|
2015-05-05 22:18:38 +00:00
|
|
|
|
* AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* RADCOM’s WAN/LAN Analyzer captures
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* Network Instruments Observer version 9 captures
|
|
|
|
|
|
|
|
|
|
* Lucent/Ascend router debug output
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* HP-UX’s nettl
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Toshiba’s ISDN routers dump output
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* ISDN4BSD _i4btrace_ utility
|
|
|
|
|
|
|
|
|
|
* traces from the EyeSDN USB S0
|
|
|
|
|
|
|
|
|
|
* IPLog format from the Cisco Secure Intrusion Detection System
|
|
|
|
|
|
|
|
|
|
* pppd logs (pppdump format)
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* the text output from the DBS Etherwatch VMS utility
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Visual Networks’ Visual UpTime traffic capture
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* the output from CoSine L2 debug
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* the output from Accellent’s 5Views LAN agents
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Endace Measurement Systems’ ERF format captures
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* Linux Bluez Bluetooth stack hcidump -w traces
|
|
|
|
|
|
|
|
|
|
* Catapult DCT2000 .out files
|
|
|
|
|
|
|
|
|
|
* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
|
|
|
|
|
|
|
|
|
|
* IBM Series (OS/400) Comm traces (ASCII & UNICODE)
|
|
|
|
|
|
|
|
|
|
* Juniper Netscreen snoop captures
|
|
|
|
|
|
|
|
|
|
* Symbian OS btsnoop captures
|
|
|
|
|
|
|
|
|
|
* Tamosoft CommView captures
|
|
|
|
|
|
|
|
|
|
* Textronix K12xx 32bit .rf5 format captures
|
|
|
|
|
|
|
|
|
|
* Textronix K12 text file format captures
|
|
|
|
|
|
|
|
|
|
* Apple PacketLogger captures
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Captures from Aethra Telecommunications’ PC108 software for their test instruments
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
New file formats are added from time to time.
|
|
|
|
|
|
|
|
|
|
It may not be possible to read some formats dependent on the packet types
|
|
|
|
|
captured. Ethernet captures are usually supported for most file formats but it
|
|
|
|
|
may not be possible to read other packet types such as PPP or IEEE 802.11 from
|
|
|
|
|
all file formats.
|
|
|
|
|
|
|
|
|
|
[[ChIOSaveSection]]
|
|
|
|
|
|
|
|
|
|
=== Saving captured packets
|
|
|
|
|
|
|
|
|
|
You can save captured packets simply by using the menu:File[Save As...] menu
|
|
|
|
|
item. You can choose which packets to save and which file format to be used.
|
|
|
|
|
|
|
|
|
|
Not all information will be saved in a capture file. For example, most file
|
2018-02-26 01:50:01 +00:00
|
|
|
|
formats don’t record the number of dropped packets. See
|
2014-08-31 01:02:52 +00:00
|
|
|
|
<<ChAppFilesCaptureFilesSection>> for details.
|
|
|
|
|
|
|
|
|
|
[[ChIOSaveAs]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Save Capture File As” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
The “Save Capture File As” dialog box allows you to save the current capture
|
2014-08-31 01:02:52 +00:00
|
|
|
|
to a file. The following sections show some examples of this dialog box. The
|
|
|
|
|
appearance of this dialog depends on the system. However, the functionality
|
|
|
|
|
should be the same across systems.
|
|
|
|
|
|
|
|
|
|
[[ChIOSaveAsFileWin32]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Save” on Microsoft Windows
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-save-as-win32.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Windows file save dialog with some additional Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
Specific behavior for this dialog:
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* If available, the “Help” button will lead you to this section of this “User’s Guide”.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* If you don’t provide a file extension to the filename (e.g. `.pcap`) Wireshark
|
2014-08-31 01:02:52 +00:00
|
|
|
|
will append the standard file extension for that file format.
|
|
|
|
|
|
|
|
|
|
[[ChIOSaveAsFile2]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Save” on Linux and UNIX
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-save-as-gtk24.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Gimp/GNOME file save dialog with additional Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
Specific for this dialog:
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Clicking on the + at “Browse for other folders” will allow you to browse files and folders in your file system.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2017-03-01 21:58:16 +00:00
|
|
|
|
// XXX Add macOS
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
With this dialog box, you can perform the following actions:
|
|
|
|
|
|
|
|
|
|
. Type in the name of the file you wish to save the captured packets in, as a
|
|
|
|
|
standard file name in your file system.
|
|
|
|
|
|
|
|
|
|
. Select the directory to save the file into.
|
|
|
|
|
|
|
|
|
|
. Select the range of the packets to be saved. See <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
|
|
|
|
. Specify the format of the saved capture file by clicking on the File type drop
|
|
|
|
|
down box. You can choose from the types described in
|
|
|
|
|
<<ChIOOutputFormatsSection>>.
|
|
|
|
|
|
|
|
|
|
Some capture formats may not be available depending on the packet types captured.
|
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
.Wireshark can convert file formats
|
|
|
|
|
====
|
|
|
|
|
You can convert capture files from one format to another by reading in a capture
|
|
|
|
|
file and writing it out using a different format.
|
|
|
|
|
====
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
. Click the btn:[Save] or btn:[OK] button to accept your selected file and
|
2014-08-31 01:02:52 +00:00
|
|
|
|
save to it. If Wireshark has a problem saving the captured packets to the file
|
2017-08-23 21:46:24 +00:00
|
|
|
|
you specified it will display an error dialog box. After clicking btn:[OK]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
on that error dialog box you can try again.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
. Click on the btn:[Cancel] button to go back to Wireshark without saving any
|
2014-08-31 01:02:52 +00:00
|
|
|
|
packets.
|
|
|
|
|
|
|
|
|
|
[[ChIOOutputFormatsSection]]
|
|
|
|
|
|
|
|
|
|
==== Output File Formats
|
|
|
|
|
|
|
|
|
|
Wireshark can save the packet data in its native file format (pcapng) and in the
|
|
|
|
|
file formats of other protocol analyzers so other tools can read the capture
|
|
|
|
|
data.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[WARNING]
|
|
|
|
|
.Different file formats have different time stamp accuracies
|
|
|
|
|
====
|
|
|
|
|
Saving from the currently used file format to a different format may reduce the
|
|
|
|
|
time stamp accuracy; see the <<ChAdvTimestamps>> for details.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
The following file formats can be saved by Wireshark (with the known file extensions):
|
|
|
|
|
|
2019-06-14 23:03:17 +00:00
|
|
|
|
* pcapng ({asterisk}.pcapng). A flexible, extensible successor to the
|
2018-02-04 23:15:02 +00:00
|
|
|
|
libpcap format. Wireshark 1.8 and later save files as pcapng by
|
|
|
|
|
default. Versions prior to 1.8 used libpcap.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* libpcap, tcpdump and various other tools using tcpdump’s capture
|
|
|
|
|
format ({asterisk}.pcap,{asterisk}.cap,{asterisk}.dmp)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Accellent 5Views ({asterisk}.5vw)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* HP-UX’s nettl ({asterisk}.TRC0,{asterisk}.TRC1)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Microsoft Network Monitor - NetMon ({asterisk}.cap)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Network Associates Sniffer - DOS ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,*fdc,{asterisk}.syc)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Network Associates Sniffer - Windows ({asterisk}.cap)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Network Instruments Observer version 9 ({asterisk}.bfr)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Novell LANalyzer ({asterisk}.tr1)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Oracle (previously Sun) snoop ({asterisk}.snoop,{asterisk}.cap)
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Visual Networks Visual UpTime traffic ({asterisk}.{asterisk})
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
New file formats are added from time to time.
|
|
|
|
|
|
|
|
|
|
Whether or not the above tools will be more helpful than Wireshark is a different question ;-)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
.Third party protocol analyzers may require specific file extensions
|
|
|
|
|
====
|
2018-02-04 23:15:02 +00:00
|
|
|
|
Wireshark examines a file’s contents to determine its type. Some other protocol
|
2014-08-31 01:02:52 +00:00
|
|
|
|
analyzers only look at a filename extensions. For example, you might need to use
|
|
|
|
|
the `.cap` extension in order to open a file using _Sniffer_.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[ChIOMergeSection]]
|
|
|
|
|
|
|
|
|
|
=== Merging capture files
|
|
|
|
|
|
|
|
|
|
Sometimes you need to merge several capture files into one. For example, this can
|
|
|
|
|
be useful if you have captured simultaneously from multiple interfaces at once
|
|
|
|
|
(e.g. using multiple instances of Wireshark).
|
|
|
|
|
|
|
|
|
|
There are three ways to merge capture files using Wireshark:
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
* Use the menu:File[Merge] menu to open the “Merge” dialog. See
|
2014-08-31 01:02:52 +00:00
|
|
|
|
<<ChIOMergeDialog>>. This menu item will be disabled unless you have loaded a
|
|
|
|
|
capture file.
|
|
|
|
|
|
2019-10-29 16:13:53 +00:00
|
|
|
|
* Use _drag and drop_ to drop multiple files on the main window. Wireshark will
|
2014-08-31 01:02:52 +00:00
|
|
|
|
try to merge the packets in chronological order from the dropped files into a
|
|
|
|
|
newly created temporary file. If you drop only a single file it will simply
|
|
|
|
|
replace the existing capture.
|
|
|
|
|
|
|
|
|
|
* Use the `mergecap` tool, a command line tool to merge capture files.
|
|
|
|
|
This tool provides the most options to merge capture files. See
|
|
|
|
|
<<AppToolsmergecap>> for details.
|
|
|
|
|
|
|
|
|
|
[[ChIOMergeDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Merge with Capture File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This dialog box let you select a file to be merged into the currently loaded
|
|
|
|
|
file. If your current data has not been saved you will be asked to save it
|
|
|
|
|
first.
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
Most controls of this dialog will work the same way as described in the “Open
|
|
|
|
|
Capture File” dialog box, see <<ChIOOpen>>.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Specific controls of this merge dialog are:
|
|
|
|
|
|
|
|
|
|
_Prepend packets to existing file_::
|
|
|
|
|
Prepend the packets from the selected file before the currently loaded packets.
|
|
|
|
|
|
|
|
|
|
_Merge packets chronologically_::
|
|
|
|
|
Merge both the packets from the selected and currently loaded file in chronological order.
|
|
|
|
|
|
|
|
|
|
_Append packets to existing file_::
|
|
|
|
|
Append the packets from the selected file after the currently loaded packets.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[ChIOMergeFileTab]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The system specific “Merge Capture File As” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOMergeFileWin32]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Merge” on Microsoft Windows
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-merge-win32.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Windows file open dialog with additional Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
[[ChIOMergeFile2]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.“Merge” on Linux and UNIX
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-merge-gtk24.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This is the common Gimp/GNOME file open dialog with additional Wireshark extensions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[ChIOImportSection]]
|
|
|
|
|
|
|
|
|
|
=== Import hex dump
|
|
|
|
|
|
|
|
|
|
Wireshark can read in an ASCII hex dump and write the data described into a
|
|
|
|
|
temporary libpcap capture file. It can read hex dumps with multiple packets in
|
|
|
|
|
them, and build a capture file of multiple packets. It is also capable of
|
|
|
|
|
generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build
|
|
|
|
|
fully processable packet dumps from hexdumps of application-level data only.
|
|
|
|
|
|
|
|
|
|
Wireshark understands a hexdump of the form generated by `od -Ax -tx1 -v`. In
|
|
|
|
|
other words, each byte is individually displayed and surrounded with a space.
|
2019-01-20 18:35:19 +00:00
|
|
|
|
Each line begins with an offset describing the position in the packet, each
|
|
|
|
|
new packet starts with an offset of 0 and there is a space separating the
|
|
|
|
|
offset from the following bytes. The offset is a hex number (can also be octal
|
|
|
|
|
or decimal), of more than two hex digits.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
Here is a sample dump that can be imported:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
000000 00 e0 1e a7 05 6f 00 10 ........
|
|
|
|
|
000008 5a a0 b9 12 08 00 46 00 ........
|
|
|
|
|
000010 03 68 00 00 00 00 0a 2e ........
|
|
|
|
|
000018 ee 33 0f 19 08 7f 0f 19 ........
|
|
|
|
|
000020 03 80 94 04 00 00 10 01 ........
|
|
|
|
|
000028 16 a2 0a 00 03 50 00 0c ........
|
|
|
|
|
000030 01 01 0f 19 03 80 11 01 ........
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
There is no limit on the width or number of bytes per line. Also the text dump
|
|
|
|
|
at the end of the line is ignored. Byte and hex numbers can be uppercase or
|
|
|
|
|
lowercase. Any text before the offset is ignored, including email forwarding
|
2018-02-04 23:15:02 +00:00
|
|
|
|
characters _>_. Any lines of text between the bytestring lines are ignored.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
The offsets are used to track the bytes, so offsets must be correct. Any line
|
|
|
|
|
which has only bytes without a leading offset is ignored. An offset is
|
|
|
|
|
recognized as being a hex number longer than two characters. Any text after the
|
|
|
|
|
bytes is ignored (e.g. the character dump). Any hex numbers in this text are
|
|
|
|
|
also ignored. An offset of zero is indicative of starting a new packet, so a
|
|
|
|
|
single text file with a series of hexdumps can be converted into a packet
|
|
|
|
|
capture with multiple packets. Packets may be preceded by a timestamp. These are
|
|
|
|
|
interpreted according to the format given. If not the first packet is
|
|
|
|
|
timestamped with the current time the import takes place. Multiple packets are
|
2019-01-20 18:35:19 +00:00
|
|
|
|
written with timestamps differing by one microsecond each. In general, short of
|
2014-08-31 01:02:52 +00:00
|
|
|
|
these restrictions, Wireshark is pretty liberal about reading in hexdumps and
|
|
|
|
|
has been tested with a variety of mangled outputs (including being forwarded
|
|
|
|
|
through email multiple times, with limited line wrap etc.)
|
|
|
|
|
|
|
|
|
|
There are a couple of other special features to note. Any line where the first
|
|
|
|
|
non-whitespace character is `#` will be ignored as a comment. Any line beginning
|
|
|
|
|
with `#TEXT2PCAP` is a directive and options can be inserted after this command to
|
|
|
|
|
be processed by Wireshark. Currently there are no directives implemented. In the
|
|
|
|
|
future these may be used to give more fine grained control on the dump and the
|
|
|
|
|
way it should be processed e.g. timestamps, encapsulation type etc. Wireshark
|
|
|
|
|
also allows the user to read in dumps of application-level data, by inserting
|
|
|
|
|
dummy L2, L3 and L4 headers before each packet. The user can elect to insert
|
|
|
|
|
Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers
|
|
|
|
|
before each packet. This allows Wireshark or any other full-packet decoder to
|
|
|
|
|
handle these dumps.
|
|
|
|
|
|
|
|
|
|
[[ChIOImportDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Import from Hex Dump” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
This dialog box lets you select a text file, containing a hex dump of packet
|
|
|
|
|
data, to be imported and set import parameters.
|
|
|
|
|
|
|
|
|
|
[[ChIOFileImportDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Import from Hex Dump” dialog
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-file-import.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Specific controls of this import dialog are split in two sections:
|
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
Import from:: Determine which input file has to be imported and how it is to be
|
2014-08-31 01:02:52 +00:00
|
|
|
|
interpreted.
|
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
Encapsulation:: Determine how the data is to be encapsulated.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
The import parameters are as follows:
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
_Filename / Browse_::
|
|
|
|
|
Enter the name of the text file to import. You can use _Browse_ to browse for a
|
|
|
|
|
file.
|
|
|
|
|
|
|
|
|
|
_Offsets_::
|
|
|
|
|
Select the radix of the offsets given in the text file to import. This is
|
2019-01-20 18:35:19 +00:00
|
|
|
|
usually hexadecimal, but decimal and octal are also supported. Select _None_
|
|
|
|
|
when only the bytes are present. These will be imported as a single packet.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
_Timestamp Format_::
|
2014-08-31 01:02:52 +00:00
|
|
|
|
This is the format specifier used to parse the timestamps in the text file to
|
|
|
|
|
import. It uses a simple syntax to describe the format of the timestamps, using
|
|
|
|
|
%H for hours, %M for minutes, %S for seconds, etc. The straightforward HH:MM:SS
|
|
|
|
|
format is covered by %T. For a full definition of the syntax look for
|
2019-01-20 18:35:19 +00:00
|
|
|
|
`strptime(3)`. If there are no timestamps in the text file to import leave this
|
|
|
|
|
field empty and timestamps will be generated based on the time of import.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
_Direction indication_::
|
|
|
|
|
Tick this box if the text file to import has direction indicators before each
|
|
|
|
|
frame. These are on a separate line before each frame and start with either
|
|
|
|
|
_I_ or _i_ for input and _O_ or _o_ for output.
|
|
|
|
|
|
|
|
|
|
The encapsulation parameters are as follows:
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
_Encapsulation type_::
|
|
|
|
|
Here you can select which type of frames you are importing. This all depends on
|
|
|
|
|
from what type of medium the dump to import was taken. It lists all types that
|
|
|
|
|
Wireshark understands, so as to pass the capture file contents to the right
|
|
|
|
|
dissector.
|
|
|
|
|
|
|
|
|
|
_Dummy header_::
|
|
|
|
|
When Ethernet encapsulation is selected you have to option to prepend dummy
|
|
|
|
|
headers to the frames to import. These headers can provide artificial Ethernet,
|
2019-01-20 18:35:19 +00:00
|
|
|
|
IP, UDP, TCP or SCTP headers or SCTP data chunks. When selecting a type of
|
|
|
|
|
dummy header the applicable entries are enabled, others are grayed out and
|
2014-08-31 01:02:52 +00:00
|
|
|
|
default values are used.
|
2019-01-20 18:35:19 +00:00
|
|
|
|
When the _Wireshark Upper PDU export_ encapsulation is selected the option
|
|
|
|
|
_ExportPDU_ becomes available. This allows you to enter the name of the
|
|
|
|
|
dissector these frames are to be directed to.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
_Maximum frame length_::
|
|
|
|
|
You may not be interested in the full frames from the text file, just the first
|
|
|
|
|
part. Here you can define how much data from the start of the frame you want to
|
2019-01-20 18:35:19 +00:00
|
|
|
|
import. If you leave this open the maximum is set to 256kiB.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2019-01-20 18:35:19 +00:00
|
|
|
|
Once all input and import parameters are setup click btn:[Import] to start the
|
2018-02-26 01:50:01 +00:00
|
|
|
|
import. If your current data wasn’t saved before you will be asked to save it
|
2014-08-31 01:02:52 +00:00
|
|
|
|
first.
|
|
|
|
|
|
|
|
|
|
When completed there will be a new capture file loaded with the frames imported
|
|
|
|
|
from the text file.
|
|
|
|
|
|
|
|
|
|
[[ChIOFileSetSection]]
|
|
|
|
|
|
|
|
|
|
=== File Sets
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
When using the “Multiple Files” option while doing a capture (see:
|
2014-08-31 01:02:52 +00:00
|
|
|
|
<<ChCapCaptureFiles>>), the capture data is spread over several capture files,
|
|
|
|
|
called a file set.
|
|
|
|
|
|
|
|
|
|
As it can become tedious to work with a file set by hand, Wireshark provides
|
|
|
|
|
some features to handle these file sets in a convenient way.
|
|
|
|
|
|
|
|
|
|
.How does Wireshark detect the files of a file set?
|
|
|
|
|
****
|
|
|
|
|
A filename in a file set uses the format Prefix_Number_DateTimeSuffix which
|
2019-01-06 08:26:28 +00:00
|
|
|
|
might look something like `test_00001_20190714183910.pcap`. All files of a file
|
2018-02-04 23:15:02 +00:00
|
|
|
|
set share the same prefix (e.g. “test”) and suffix (e.g. “.pcap”) and a
|
2014-08-31 01:02:52 +00:00
|
|
|
|
varying middle part.
|
|
|
|
|
|
|
|
|
|
To find the files of a file set, Wireshark scans the directory where the
|
|
|
|
|
currently loaded file resides and checks for files matching the filename pattern
|
|
|
|
|
(prefix and suffix) of the currently loaded file.
|
|
|
|
|
|
|
|
|
|
This simple mechanism usually works well but has its drawbacks. If several file
|
|
|
|
|
sets were captured with the same prefix and suffix, Wireshark will detect them
|
|
|
|
|
as a single file set. If files were renamed or spread over several directories
|
|
|
|
|
the mechanism will fail to find all files of a set.
|
|
|
|
|
****
|
|
|
|
|
|
|
|
|
|
The following features in the menu:File[File Set] submenu are available to work
|
|
|
|
|
with file sets in a convenient way:
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* The “List Files” dialog box will list the files Wireshark has recognized as
|
2014-08-31 01:02:52 +00:00
|
|
|
|
being part of the current file set.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* btn:[Next File] closes the current and opens the next file in the file
|
2014-08-31 01:02:52 +00:00
|
|
|
|
set.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
* btn:[Previous File] closes the current and opens the previous file in the
|
2014-08-31 01:02:52 +00:00
|
|
|
|
file set.
|
|
|
|
|
|
|
|
|
|
[[ChIOFileSetListDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “List Files” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “List Files” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-file-set-dialog.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Each line contains information about a file of the file set:
|
|
|
|
|
|
|
|
|
|
* _Filename_ the name of the file. If you click on the filename (or the radio
|
|
|
|
|
button left to it), the current file will be closed and the corresponding
|
|
|
|
|
capture file will be opened.
|
|
|
|
|
|
|
|
|
|
* _Created_ the creation time of the file
|
|
|
|
|
|
|
|
|
|
* _Last Modified_ the last time the file was modified
|
|
|
|
|
|
|
|
|
|
* _Size_ the size of the file
|
|
|
|
|
|
|
|
|
|
The last line will contain info about the currently used directory where all of
|
|
|
|
|
the files in the file set can be found.
|
|
|
|
|
|
|
|
|
|
The content of this dialog box is updated each time a capture file is
|
|
|
|
|
opened/closed.
|
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
The btn:[Close] button will, well, close the dialog box.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOExportSection]]
|
|
|
|
|
|
|
|
|
|
=== Exporting data
|
|
|
|
|
|
|
|
|
|
Wireshark provides several ways and formats to export packet data. This section
|
|
|
|
|
describes general ways to export data from the main Wireshark application. There
|
|
|
|
|
are more specialized functions to export specific data which are described
|
|
|
|
|
elsewhere.
|
|
|
|
|
|
|
|
|
|
// XXX - add detailed descriptions of the output formats and some sample output, too.
|
|
|
|
|
|
|
|
|
|
// XXX Most of this content is no longer relevant in the current GTK+ UI, much less Qt.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportPlainDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as Plain Text File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOExportPlain]]
|
|
|
|
|
|
|
|
|
|
Export packet data into a plain ASCII text file, much like the format used to print packets.
|
|
|
|
|
|
|
|
|
|
[TIP]
|
|
|
|
|
====
|
|
|
|
|
If you would like to be able to import any previously exported packets from a
|
|
|
|
|
plain text file it is recommended that you:
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Add the “Absolute date and time” column.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* Temporarily hide all other columns.
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* Disable the menu:Edit[Preferences,Protocols,Data] “Show not dissected data
|
|
|
|
|
on new Packet Bytes pane” preference. More details are provided in
|
2014-08-31 01:02:52 +00:00
|
|
|
|
<<ChCustPreferencesSection>>
|
|
|
|
|
|
|
|
|
|
* Include the packet summary line.
|
|
|
|
|
|
|
|
|
|
* Exclude column headings.
|
|
|
|
|
|
|
|
|
|
* Exclude packet details.
|
|
|
|
|
|
|
|
|
|
* Include the packet bytes.
|
|
|
|
|
====
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export as Plain Text File” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-plain.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* The “Export to file:” frame chooses the file to export the packet data to.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* The “Packet Range” frame is described in <<ChIOPacketRangeSection>>.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* The “Packet Details” frame is described in <<ChIOPacketFormatSection>>.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOExportPSDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as PostScript File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export as PostScript File” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-ps.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Export to file:_ frame chooses the file to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
|
|
|
|
* The _Packet Details_ frame is described in <<ChIOPacketFormatSection>>.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportCSVDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as CSV (Comma Separated Values) File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
// XXX - add screenshot
|
|
|
|
|
|
|
|
|
|
Export packet summary into CSV, used e.g. by spreadsheet programs to im-/export data.
|
|
|
|
|
|
|
|
|
|
//<!--<figure>
|
2018-02-26 01:50:01 +00:00
|
|
|
|
// <title>The “Export as Comma Separated Values File” dialog box</title>
|
2014-08-31 01:02:52 +00:00
|
|
|
|
// <graphic entityref="WiresharkExportCSVDialog" format="PNG"/>
|
|
|
|
|
// </figure>-->
|
|
|
|
|
|
|
|
|
|
* _Export to file:_ frame chooses the file to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportCArraysDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as C Arrays (packet bytes) file” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
// XXX - add screenshot
|
|
|
|
|
|
|
|
|
|
Export packet bytes into C arrays so you can import the stream data into your own C program.
|
|
|
|
|
|
|
|
|
|
// <figure>
|
2018-02-26 01:50:01 +00:00
|
|
|
|
// <title>The “Export as C Arrays (packet bytes) file” dialog box</title>
|
2014-08-31 01:02:52 +00:00
|
|
|
|
// <graphic entityref="WiresharkExportCArraysDialog" format="PNG"/>
|
|
|
|
|
// </figure>
|
|
|
|
|
|
|
|
|
|
* _Export to file:_ frame chooses the file to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportPSMLDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as PSML File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Export packet data into PSML. This is an XML based format including only the
|
|
|
|
|
packet summary. The PSML file specification is available at:
|
2019-07-20 15:13:59 +00:00
|
|
|
|
https://web.archive.org/web/20141115200425/http://www.nbee.org/doku.php?id=netpdl:psml_specification[].
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export as PSML File” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-psml.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Export to file:_ frame chooses the file to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
There’s no such thing as a packet details frame for PSML export, as the packet
|
2014-08-31 01:02:52 +00:00
|
|
|
|
format is defined by the PSML specification.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportPDMLDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export as PDML File” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
Export packet data into PDML. This is an XML based format including the packet
|
|
|
|
|
details. The PDML file specification is available at:
|
2019-07-20 15:13:59 +00:00
|
|
|
|
https://web.archive.org/web/20140416072301/http://www.nbee.org/doku.php?id=netpdl:pdml_specification[].
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
2018-02-04 23:15:02 +00:00
|
|
|
|
The PDML specification is not officially released and Wireshark’s implementation
|
2014-08-31 01:02:52 +00:00
|
|
|
|
of it is still in an early beta state, so please expect changes in future
|
|
|
|
|
Wireshark versions.
|
|
|
|
|
====
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export as PDML File” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-pdml.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Export to file:_ frame chooses the file to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
There’s no such thing as a packet details frame for PDML export, as the packet
|
2014-08-31 01:02:52 +00:00
|
|
|
|
format is defined by the PDML specification.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportSelectedDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export selected packet bytes” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
Export the bytes selected in the “Packet Bytes” pane into a raw binary file.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export Selected Packet Bytes” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-selected.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Name:_ the filename to export the packet data to.
|
|
|
|
|
|
|
|
|
|
* The _Save in folder:_ field lets you select the folder to save to (from some predefined folders).
|
|
|
|
|
|
|
|
|
|
* _Browse for other folders_ provides a flexible way to choose a folder.
|
|
|
|
|
|
|
|
|
|
[[ChIOExportObjectsDialog]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
==== The “Export Objects” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
This feature scans through the selected protocol's streams in the currently
|
|
|
|
|
open capture file or running capture and allows the user to export reassembled
|
|
|
|
|
objects to the disk. For example, if you select HTTP, you can export HTML
|
|
|
|
|
documents, images, executables, and any other files transferred over HTTP
|
|
|
|
|
to the disk. If you have a capture running, this list is automatically
|
2014-08-31 01:02:52 +00:00
|
|
|
|
updated every few seconds with any new objects seen. The saved objects can then
|
2018-07-17 03:31:40 +00:00
|
|
|
|
be opened or examined independently of Wireshark.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Export Objects” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-export-objects.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
Columns:
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Packet:_ The packet number in which this object was found. In some
|
|
|
|
|
cases, there can be multiple objects in the same packet.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Hostname:_ The hostname of the server that sent this object.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Content Type:_ The content type of this object.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Size:_ The size of this object in bytes.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Filename:_ The filename for this object. Each protocol generates
|
|
|
|
|
the filename differently. For example, HTTP uses the
|
|
|
|
|
final part of the URI and IMF uses the subject of the email.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-24 22:09:20 +00:00
|
|
|
|
Inputs:
|
|
|
|
|
|
|
|
|
|
* _Text Filter:_ Only displays objects containing the specified text string.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-17 03:31:40 +00:00
|
|
|
|
* _Help:_ Opens the “Export Objects” section in the user’s guide.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-07-24 22:09:20 +00:00
|
|
|
|
* _Save All:_ Saves all objects (including those not displayed) using the filename from the
|
2014-08-31 01:02:52 +00:00
|
|
|
|
filename column. You will be asked what directory / folder to save them in.
|
2018-07-17 03:31:40 +00:00
|
|
|
|
|
|
|
|
|
* _Close:_ Closes the “Export Objects” dialog.
|
|
|
|
|
|
|
|
|
|
* _Save:_ Saves the currently selected object as a filename you specify. The
|
|
|
|
|
default filename to save as is taken from the filename column of the objects
|
|
|
|
|
list.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOPrintSection]]
|
|
|
|
|
|
|
|
|
|
=== Printing packets
|
|
|
|
|
|
|
|
|
|
To print packets, select the menu:File[Print...] menu item. When you
|
2018-02-04 23:15:02 +00:00
|
|
|
|
do this Wireshark pops up the “Print” dialog box as shown in
|
2014-08-31 01:02:52 +00:00
|
|
|
|
<<ChIOPrintDialogBox>>.
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
==== The “Print” dialog box
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
[[ChIOPrintDialogBox]]
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
.The “Print” dialog box
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-print.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
The following fields are available in the Print dialog box: _Printer_::
|
|
|
|
|
This field contains a pair of mutually exclusive radio buttons:
|
|
|
|
|
|
|
|
|
|
* _Plain Text_ specifies that the packet print should be in plain text.
|
|
|
|
|
|
|
|
|
|
* _PostScript_ specifies that the packet print process should use PostScript to
|
|
|
|
|
generate a better print output on PostScript aware printers.
|
|
|
|
|
|
|
|
|
|
* _Output to file:_ specifies that printing be done to a file, using the
|
|
|
|
|
filename entered in the field or selected with the browse button.
|
|
|
|
|
+
|
|
|
|
|
This field is where you enter the _file_ to print to if you have selected Print
|
|
|
|
|
to a file, or you can click the button to browse the filesystem. It is greyed
|
|
|
|
|
out if Print to a file is not selected.
|
|
|
|
|
|
|
|
|
|
* _Print command_ specifies that a command be used for printing.
|
|
|
|
|
+
|
|
|
|
|
[NOTE]
|
|
|
|
|
.Note!
|
|
|
|
|
====
|
|
|
|
|
These _Print command_ fields are not available on windows platforms.
|
|
|
|
|
====
|
|
|
|
|
+
|
|
|
|
|
This field specifies the command to use for printing. It is typically `lpr`. You
|
|
|
|
|
would change it to specify a particular queue if you need to print to a queue
|
|
|
|
|
other than the default. An example might be:
|
|
|
|
|
+
|
|
|
|
|
----
|
|
|
|
|
$ lpr -Pmypostscript
|
|
|
|
|
----
|
|
|
|
|
+
|
|
|
|
|
This field is greyed out if _Output to file:_ is checked above.
|
|
|
|
|
|
|
|
|
|
_Packet Range_::
|
|
|
|
|
Select the packets to be printed, see <<ChIOPacketRangeSection>>
|
|
|
|
|
|
|
|
|
|
_Packet Format_::
|
|
|
|
|
Select the output format of the packets to be printed. You can choose, how each
|
|
|
|
|
packet is printed, see <<ChIOPacketFormatFrame>>
|
|
|
|
|
|
|
|
|
|
[[ChIOPacketRangeSection]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
=== The “Packet Range” frame
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
The packet range frame is a part of various output related dialog boxes. It
|
|
|
|
|
provides options to select which packets should be processed by the output
|
|
|
|
|
function.
|
|
|
|
|
|
|
|
|
|
[[ChIOPacketRangeFrame]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Packet Range” frame
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-packet-range.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2017-08-23 21:46:24 +00:00
|
|
|
|
If the btn:[Captured] button is set (default), all packets from the selected rule
|
|
|
|
|
will be processed. If the btn:[Displayed] button is set, only the currently
|
2014-08-31 01:02:52 +00:00
|
|
|
|
displayed packets are taken into account to the selected rule.
|
|
|
|
|
|
|
|
|
|
* _All packets_ will process all packets.
|
|
|
|
|
|
|
|
|
|
* _Selected packet only_ process only the selected packet.
|
|
|
|
|
|
|
|
|
|
* _Marked packets only_ process only the marked packets.
|
|
|
|
|
|
|
|
|
|
* _From first to last marked packet_ process the packets from the first to the
|
|
|
|
|
last marked one.
|
|
|
|
|
|
|
|
|
|
* _Specify a packet range_ process a user specified range of packets, e.g.
|
|
|
|
|
specifying _5,10-15,20-_ will process the packet number five, the packets from
|
|
|
|
|
packet number ten to fifteen (inclusive) and every packet from number twenty
|
|
|
|
|
to the end of the capture.
|
|
|
|
|
|
|
|
|
|
[[ChIOPacketFormatSection]]
|
|
|
|
|
|
|
|
|
|
=== The Packet Format frame
|
|
|
|
|
|
|
|
|
|
The packet format frame is a part of various output related dialog boxes. It
|
|
|
|
|
provides options to select which parts of a packet should be used for the output
|
|
|
|
|
function.
|
|
|
|
|
|
|
|
|
|
[[ChIOPacketFormatFrame]]
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
.The “Packet Format” frame
|
2016-09-13 18:29:25 +00:00
|
|
|
|
image::wsug_graphics/ws-packet-format.png[{screenshot-attrs}]
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Packet summary line_ enable the output of the summary line, just as in the
|
2018-02-26 01:50:01 +00:00
|
|
|
|
“Packet List” pane.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Packet details_ enable the output of the packet details tree.
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* _All collapsed_ the info from the “Packet Details” pane in “all collapsed”
|
2014-08-31 01:02:52 +00:00
|
|
|
|
state.
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* _As displayed_ the info from the “Packet Details” pane in the current state.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* _All expanded_ the info from the “Packet Details” pane in “all expanded”
|
2014-08-31 01:02:52 +00:00
|
|
|
|
state.
|
|
|
|
|
|
2018-02-26 01:50:01 +00:00
|
|
|
|
* _Packet bytes_ enable the output of the packet bytes, just as in the “Packet
|
|
|
|
|
Bytes” pane.
|
2014-08-31 01:02:52 +00:00
|
|
|
|
|
|
|
|
|
* _Each packet on a new page_ put each packet on a separate page (e.g. when
|
|
|
|
|
saving/printing to a text file, this will put a form feed character between
|
|
|
|
|
the packets).
|
|
|
|
|
|
2018-02-05 16:59:45 +00:00
|
|
|
|
// End of WSUG Chapter IO
|