osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

More AsciiDoc → Asciidoctor updates. 

Switch from AsciiDoc's smart quotes markup to the quotes themselves. Use
double curly quotes in place of singles.

Switch from XML entities to their direct equivalents where we can.
Switch from hex entities to decimal entities where we can't or it's not
convenient. (Asciidoctor PDF doesn't yet handle hex entities).

Change-Id: Iaf5ec33249e1c91b3d50b5d96251763243b72836
Reviewed-on: https://code.wireshark.org/review/25606
Reviewed-by: Gerald Combs <gerald@wireshark.org>
This commit is contained in:
Gerald Combs 2018-02-04 15:15:02 -08:00
parent 444cac45b2
commit dabb19572d
33 changed files with 466 additions and 462 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docbook/attributes.asciidoc
View File

@ -74,3 +74,5 @@
// XXX height=22 results in content-height="22px" in the .fo file. Not sure
// how to make scaledwidth take precedence.
:statusbar-attrs: scaledwidth="85%",height=22
:multiplication: ×

6
docbook/common_src/GPL_appendix.asciidoc
View File

@ -3,7 +3,7 @@
++++++++++++++++++++++++++++++++++++++
[[AppGPL]]
== This Document's License (GPL)
== This Documents License (GPL)
As with the original license and documentation distributed
with Wireshark, this document is covered by the GNU General Public
@ -306,7 +306,7 @@ to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
&lt;one line to give the program's name and a brief idea of what it does.>
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
@ -346,7 +346,7 @@ necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
&lt;signature of Ty Coon>, 1 April 1989
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into

4
docbook/common_src/typographic_conventions.asciidoc
View File

@ -9,7 +9,7 @@ The following table shows the typographic conventions that are used in this guid
// AsciiDoc allows alternative markup for some styles, specifially
// 'single quotes' and _underlines_ for italics and +plus signs+ and
// `backticks` for monospaces.
// Asciidoctor's modern mode is more strict, and only allows _underline_
// Asciidoctors modern mode is more strict, and only allows _underline_
// italics and `backtick` monospaces.
// http://asciidoctor.org/docs/migration/
@ -18,7 +18,7 @@ The following table shows the typographic conventions that are used in this guid
|===============
|Style|Description|Example
|_Italic_ |File names, folder names, and extensions |_C:\Development\wireshark_.
|`Monospace` |Commands, flags, and environment variables|CMake's `-G` option.
|`Monospace` |Commands, flags, and environment variables|CMakes `-G` option.
|**`Bold Monospace`** |Commands that should be run by the user|Run **`cmake -G Ninja ..`**.
|btn:[Button] |Dialog and window buttons |Press btn:[Launch] to go to the Moon.
|kbd:[Key] |Keyboard shortcut |Press kbd:[Ctrl+Down] to move to the next packet.

4
docbook/developer-guide.asciidoc
View File

@ -1,10 +1,10 @@
= Wireshark Developer's Guide
= Wireshark Developers Guide
//v1.0, February 2014: Finished conversion from DocBook to AsciiDoc
:doctype: book
include::attributes.asciidoc[]
// Convenience attribute.
// XXX This should be surrounded by single quotes in the text. It's
// XXX This should be surrounded by single quotes in the text. Its
// currently surrounded by plus signs for AsciiDoc compatibility.
:dlt-glob: DLT_*

8
docbook/release-notes.asciidoc
View File

@ -8,10 +8,10 @@ Wireshark 2.6.
== What is Wireshark?
Wireshark is the world's most popular network protocol analyzer. It is
Wireshark is the worlds most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
== What's New
== Whats New
Many user interface improvements have been made. See the New and Updated
Features section below for more details.
@ -168,9 +168,9 @@ Wireshark should let you work with multiple capture files. (ws-buglink:10488[])
== Getting Help
Community support is available on https://ask.wireshark.org/[Wireshark's
Community support is available on https://ask.wireshark.org/[Wiresharks
Q&A site] and on the wireshark-users mailing list. Subscription
information and archives for all of Wireshark's mailing lists can be
information and archives for all of Wiresharks mailing lists can be
found on https://www.wireshark.org/lists/[the web site].
Official Wireshark training and certification are available from

2
docbook/user-guide.asciidoc
View File

@ -1,4 +1,4 @@
= Wireshark User's Guide
= Wireshark Users Guide
//v1.0, February 2014: Finished conversion from DocBook to AsciiDoc
:doctype: book
include::attributes.asciidoc[]

2
docbook/wsdg_src/WSDG_chapter_build_intro.asciidoc
View File

@ -14,7 +14,7 @@ Wireshark consists of the following major parts:
* Packet dissection - in the _/epan/dissector_ and _/plugin/\*_ directories
* File I/O - using Wireshark's own wiretap library
* File I/O - using Wiresharks own wiretap library
* Capture - using the libpcap/winpcap library, in _/wiretap_

22
docbook/wsdg_src/WSDG_chapter_capture.asciidoc
View File

@ -17,8 +17,8 @@ This chapter needs to be reviewed and extended.
The following is an updated excerpt from a developer mailing list mail about
adding ISO 9141 and 14230 (simple serial line card diagnostics) to Wireshark:
For libpcap, the first thing you'd need to do would be to get +{dlt-glob}+ values
for all the link-layer protocols you'd need. If ISO 9141 and 14230 use the same
For libpcap, the first thing youd need to do would be to get +{dlt-glob}+ values
for all the link-layer protocols youd need. If ISO 9141 and 14230 use the same
link-layer protocol, they might be able to share a +{dlt-glob}+ value, unless the
only way to know what protocols are running above the link layer is to know
which link-layer protocol is being used, in which case you might want separate
@ -30,7 +30,7 @@ work with a version older than 1.0, even if whatever OS you're using happens to
include libpcap - older versions are not as friendly towards adding support for
devices other than standard network interfaces.
Then you'd probably add to the `pcap_open_live()` routine, for whatever
Then youd probably add to the `pcap_open_live()` routine, for whatever
platform or platforms this code should work, something such as a check
for device names that look like serial port names and, if the check
succeeds, a call to a routine to open the serial port.
@ -39,7 +39,7 @@ See, for example, the `#ifdef HAVE_DAG_API` code in _pcap-linux.c_ and
_pcap-bpf.c_.
The serial port open routine would open the serial port device, set the baud
rate and do anything else needed to open the device. It'd allocate a `pcap_t`,
rate and do anything else needed to open the device. Itd allocate a `pcap_t`,
set its `fd` member to the file descriptor for the serial device, set the
`snapshot` member to the argument passed to the open routine, set the `linktype`
member to one of the +{dlt-glob}+ values, and set the `selectable_fd` member to
@ -48,22 +48,22 @@ the number of +{dlt-glob}+ values to support, and allocate an array of
`dlt_count` `u_int`s, assign it to the `dlt_list` member, and fill in that list
with all the +{dlt-glob}+ values.
You'd then set the various `_*_op` fields to routines to handle the operations in
question. `read_op` is the routine that'd read packets from the device. `inject_op`
would be for sending packets; if you don't care about that, you'd set it to a
Youd then set the various `_*_op` fields to routines to handle the operations in
question. `read_op` is the routine thatd read packets from the device. `inject_op`
would be for sending packets; if you don't care about that, youd set it to a
routine that returns an error indication. `setfilter_op` can probably just be set
to `install_bpf_program`. `set_datalink` would just set the `linktype` member to the
specified value if it's one of the values for OBD, otherwise it should return an
specified value if its one of the values for OBD, otherwise it should return an
error. `getnonblock_op` can probably be set to `pcap_getnonblock_fd`. `setnonblock_op`
can probably be set to `pcap_setnonblock_fd`. `stats_op` would be set to a routine
that reports statistics. `close_op` can probably be set to `pcap_close_common`.
If there's more than one +{dlt-glob}+ value, you definitely want a `set_datalink`
If theres more than one +{dlt-glob}+ value, you definitely want a `set_datalink`
routine so that the user can select the appropriate link-layer type.
For Wireshark, you'd add support for those +{dlt-glob}+ values to
For Wireshark, youd add support for those +{dlt-glob}+ values to
_wiretap/libpcap.c_, which might mean adding one or more _WTAP_ENCAP_ types to
_wtap.h_ and to the `encap_table[]` table in _wiretap/wtap.c_. You'd then
_wtap.h_ and to the `encap_table[]` table in _wiretap/wtap.c_. Youd then
have to write a dissector or dissectors for the link-layer protocols or
protocols and have them register themselves with the `wtap_encap` dissector
table, with the appropriate _WTAP_ENCAP_ values by calling

56
docbook/wsdg_src/WSDG_chapter_dissection.asciidoc
View File

@ -21,7 +21,7 @@ IP) and so on. At each stage, details of the packet will be decoded and
displayed.
Dissection can be implemented in two possible ways. One is to have a dissector
module compiled into the main program, which means it's always available.
module compiled into the main program, which means its always available.
Another way is to make a plugin (a shared library or DLL) that registers itself
to handle dissection.
@ -44,7 +44,7 @@ a dissector. In many cases it is more up to date than this document.
=== Adding a basic dissector
Let's step through adding a basic dissector. We'll start with the made up "foo"
Lets step through adding a basic dissector. We'll start with the made up "foo"
protocol. It consists of the following basic items.
* A packet type - 8 bits, possible values: 1 - initialisation, 2 - terminate, 3 - data.
@ -62,7 +62,7 @@ protocol. It consists of the following basic items.
The first decision you need to make is if this dissector will be a
built-in dissector, included in the main program, or a plugin.
Plugins are the easiest to write initially, so let's start with that.
Plugins are the easiest to write initially, so lets start with that.
With a little care, the plugin can be made to run as a built-in
easily too so we haven't lost anything.
@ -90,12 +90,12 @@ proto_register_foo(void)
----
====
Let's go through this a bit at a time. First we have some boilerplate
Lets go through this a bit at a time. First we have some boilerplate
include files. These will be pretty constant to start with.
Next we have an int that is initialised to `-1` that records our protocol.
This will get updated when we register this dissector with the main program.
It's good practice to make all variables and functions that aren't exported
Its good practice to make all variables and functions that aren't exported
static to keep name space pollution down. Normally this isn't a problem unless your
dissector gets so big it has to span multiple files.
@ -126,7 +126,7 @@ proto_reg_handoff_foo(void)
----
====
What's happening here? We are initialising the dissector. First we create a
Whats happening here? We are initialising the dissector. First we create a
dissector handle; It is associated with the foo protocol and with a routine to
be called to do the actual dissecting. Then we associate the handle with a UDP
port number so that the main program will know to call us when it gets UDP
@ -160,8 +160,8 @@ info structure contains general data about the protocol, and we can update
information here. The tree parameter is where the detail dissection takes place.
For now we'll do the minimum we can get away with. In the first line we set the
text of this to our protocol, so everyone can see it's being recognised. The
only other thing we do is to clear out any data in the INFO column if it's being
text of this to our protocol, so everyone can see its being recognised. The
only other thing we do is to clear out any data in the INFO column if its being
displayed.
At this point we should have a basic dissector ready to compile and install.
@ -194,7 +194,7 @@ binary into the plugin directory of your Wireshark installation and run that.
==== Dissecting the details of the protocol
Now that we have our basic dissector up and running, let's do something with it.
Now that we have our basic dissector up and running, lets do something with it.
The simplest thing to do to start with is to just label the payload.
This will allow us to set up some of the parts we will need.
@ -224,7 +224,7 @@ This subtree will hold all the details of this protocol and so not clutter
up the display when not required.
We are also marking the area of data that is being consumed by this
protocol. In our case it's all that has been passed to us, as we're assuming
protocol. In our case its all that has been passed to us, as we're assuming
this protocol does not encapsulate another.
Therefore, we add the new tree node with `proto_tree_add_item()`,
adding it to the passed in tree, label it with the protocol, use the passed in
@ -234,7 +234,7 @@ ENC_NA ("not applicable") is specified as the "encoding" parameter.
After this change, there should be a label in the detailed display for the protocol,
and selecting this will highlight the remaining contents of the packet.
Now let's go to the next step and add some protocol dissection. For this step
Now lets go to the next step and add some protocol dissection. For this step
we'll need to construct a couple of tables that help with dissection. This needs
some additions to the `proto_register_foo()` function shown previously.
@ -335,7 +335,7 @@ We'll ignore the rest of the structure for now.
If you install this plugin and try it out, you'll see something that begins to look
useful.
Now let's finish off dissecting the simple protocol. We need to add a few
Now lets finish off dissecting the simple protocol. We need to add a few
more variables to the hfarray, and a couple more procedure calls.
.Wrapping up the packet dissection.
@ -405,7 +405,7 @@ now dissected.
==== Improving the dissection information
We can certainly improve the display of the protocol with a bit of extra data.
The first step is to add some text labels. Let's start by labeling the packet
The first step is to add some text labels. Lets start by labeling the packet
types. There is some useful support for this sort of thing by adding a couple of
extra things. First we add a simple table of type to name.
@ -507,7 +507,7 @@ to the dissection routine. Note we keep the same offset for each of the flags.
This is starting to look fairly full featured now, but there are a couple of
other things we can do to make things look even more pretty. At the moment our
dissection shows the packets as "Foo Protocol" which whilst correct is a little
uninformative. We can enhance this by adding a little more detail. First, let's
uninformative. We can enhance this by adding a little more detail. First, lets
get hold of the actual value of the protocol type. We can use the handy function
`tvb_get_guint8()` to do this. With this value in hand, there are a couple of
things we can do. First we can set the INFO column of the non-detailed view to
@ -545,7 +545,7 @@ dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
So here, after grabbing the value of the first 8 bits, we use it with one of the
built-in utility routines `val_to_str()`, to lookup the value. If the value
isn't found we provide a fallback which just prints the value in hex. We use
this twice, once in the INFO field of the columns -- if it's displayed, and
this twice, once in the INFO field of the columns -- if its displayed, and
similarly we append this data to the base of our dissecting tree.
[[ChDissectTransformed]]
@ -557,7 +557,7 @@ encrypt the data, or compress data, or part of it. If you know
how these steps are taken it is possible to reverse them within the
dissector.
As encryption can be tricky, let's consider the case of compression.
As encryption can be tricky, lets consider the case of compression.
These techniques can also work for other transformations of data,
where some step is required before the data can be examined.
@ -594,7 +594,7 @@ effect.
The first steps here are to recognise the compression. In this case a flag byte
alerts us to the fact the remainder of the packet is compressed. Next we
retrieve the original size of the packet, which in this case is conveniently
within the protocol. If it's not, it may be part of the compression routine to
within the protocol. If its not, it may be part of the compression routine to
work it out for you, in which case the logic would be different.
So armed with the size, a buffer is allocated to receive the uncompressed data
@ -613,7 +613,7 @@ tvb as a new data source, so that the detailed display can show the
decompressed bytes as well as the original.
After this has been set up the remainder of the dissector can dissect the buffer
next_tvb, as it's a new buffer the offset needs to be 0 as we start again from
next_tvb, as its a new buffer the offset needs to be 0 as we start again from
the beginning of this buffer. To make the rest of the dissector work regardless
of whether compression was involved or not, in the case that compression was not
signaled, we use `tvb_new_subset_remaining()` to deliver us a new buffer based
@ -640,7 +640,7 @@ _epan/reassemble.h_.
==== How to reassemble split UDP packets
As an example, let's examine a protocol that is layered on top of UDP that
As an example, lets examine a protocol that is layered on top of UDP that
splits up its own data stream. If a packet is bigger than some given size, it
will be split into chunks, and somehow signaled within its protocol.
@ -693,7 +693,7 @@ if (flags & FL_FRAGMENT) { /* fragmented */
We start by saving the fragmented state of this packet, so we can restore it
later. Next comes some protocol specific stuff, to dig the fragment data out of
the stream if it's present. Having decided it is present, we let the function
the stream if its present. Having decided it is present, we let the function
`fragment_add_seq_check()` do its work. We need to provide this with a certain
amount of parameters:
@ -967,7 +967,7 @@ exception.
Adding a Tap interface to a protocol allows it to do some useful things.
In particular you can produce protocol statistics from the tap interface.
A tap is basically a way of allowing other items to see what's happening as
A tap is basically a way of allowing other items to see whats happening as
a protocol is dissected. A tap is registered with the main program, and
then called on each dissection. Some arbitrary protocol specific data
is provided with the routine that can be used.
@ -998,15 +998,15 @@ void proto_register_foo(void)
====
Whilst you can program a tap without protocol specific data, it is generally not
very useful. Therefore it's a good idea to declare a structure that can be
very useful. Therefore its a good idea to declare a structure that can be
passed through the tap. This needs to be a static structure as it will be used
after the dissection routine has returned. It's generally best to pick out some
after the dissection routine has returned. Its generally best to pick out some
generic parts of the protocol you are dissecting into the tap data. A packet
type, a priority or a status code maybe. The structure really needs to be
included in a header file so that it can be included by other components that
want to listen in to the tap.
Once you have these defined, it's simply a case of populating the protocol
Once you have these defined, its simply a case of populating the protocol
specific structure and then calling `tap_queue_packet`, probably as the last part
of the dissector.
@ -1073,7 +1073,7 @@ strings, an integer, and three callback functions.
. An abbreviation of the stats name.
. The name of the stats module. A `/' character can be used to make sub menus.
. The name of the stats module. A “/” character can be used to make sub menus.
. Flags for per-packet callback
@ -1136,14 +1136,14 @@ _doc/README.dissector_, chapter 2.2.
=== __idl2wrs__: Creating dissectors from CORBA IDL files
Many of Wireshark's dissectors are automatically generated. This section shows
Many of Wiresharks dissectors are automatically generated. This section shows
how to generate one from a CORBA IDL file.
==== What is it?
As you have probably guessed from the name, `idl2wrs` takes a user specified IDL
file and attempts to build a dissector that can decode the IDL traffic over
GIOP. The resulting file is ``C'' code, that should compile okay as a Wireshark
GIOP. The resulting file is “C” code, that should compile okay as a Wireshark
dissector.
`idl2wrs` parses the data struct given to it by the `omniidl` compiler,
@ -1176,7 +1176,7 @@ I have also had comments/feedback that this tool would be good for say a CORBA
class when teaching students what CORBA traffic looks like ``on the wire''.
It is also COOL to work on a great Open Source project such as the case with
``Wireshark'' ({wireshark-main-url})
“Wireshark” ({wireshark-main-url})
==== How to use idl2wrs

20
docbook/wsdg_src/WSDG_chapter_env_intro.asciidoc
View File

@ -19,7 +19,7 @@ development in general.
Well, if you want to start Wireshark development, you might already
know what Wireshark is doing. If not, please have a look at the
link:{wireshark-users-guide-url}[Wireshark User's Guide],
link:{wireshark-users-guide-url}[Wireshark Users Guide],
which will provide a lot of general information about it.
[[ChIntroPlatforms]]
@ -32,7 +32,7 @@ order to run.
As Wireshark is developed in a platform independent way and uses libraries (such
as the Qt GUI library) which are available for many different platforms,
it's thus available on a wide variety of platforms.
its thus available on a wide variety of platforms.
If a binary package is not available for your platform, you should
download the source and try to build it. Please report your experiences
@ -84,7 +84,7 @@ others:
Wireshark supports Windows natively via the
https://en.wikipedia.org/wiki/Windows_API[Windows API]. Note that in
this documentation and elsewhere we tend to use the terms
``Win32'', ``Win'', and ``Windows'' interchangeably to refer to the
“Win32”, “Win”, and “Windows” interchangeably to refer to the
Windows API. Wireshark runs on and can be compiled on the following
platforms:
@ -168,7 +168,7 @@ community:
will know that you have helped people in the same way that the developers of
Wireshark have helped you and other people.
* The developers of Wireshark might improve your changes even more, as there's
* The developers of Wireshark might improve your changes even more, as theres
always room for improvement. Or they may implement some advanced things on top
of your code, which can be useful for yourself too.
@ -235,10 +235,10 @@ e.g. if you need a distribution for a special audience, see
==== Source code distributions
It's still common for UNIX developers to give the end user a source
Its still common for UNIX developers to give the end user a source
tarball and let the user compile it on their target machine (configure,
make, make install). However, for different UNIX (Linux) distributions
it's becoming more common to release binary packages (e.g. .deb or .rpm
its becoming more common to release binary packages (e.g. .deb or .rpm
files) these days.
You should use the released sources if you want to build Wireshark from
@ -340,7 +340,7 @@ You will find lots of useful information on the Wireshark homepage at
The Wireshark Wiki at {wireshark-wiki-url} provides a wide range
of information related to Wireshark and packet capturing in general.
You will find a lot of information not part of this developer's guide. For
You will find a lot of information not part of this developers guide. For
example, there is an explanation how to capture on a switched network,
an ongoing effort to build a protocol reference and a lot more.
@ -365,7 +365,7 @@ You will find the FAQ inside Wireshark by clicking the menu item
Help/Contents and selecting the FAQ page in the upcoming dialog.
An online version is available at the Wireshark website:
{wireshark-faq-url}. You might prefer this online version as it's
{wireshark-faq-url}. You might prefer this online version as its
typically more up to date and the HTML format is easier to use.
[[ChIntroOtherSources]]
@ -495,7 +495,7 @@ as this won't give any direction to look at.
[NOTE]
.Don't send large files
====
Do not send large files (&gt;100KB) to the mailing lists, just place a note
Do not send large files (>100KB) to the mailing lists, just place a note
that further data is available on request. Large files will only annoy a
lot of people on the list who are not interested in your specific problem.
If required, you will be asked for further data by the persons who really
@ -542,7 +542,7 @@ _bt.txt_ in the current directory.
Include the file with your bug report.
If you do not have `gdb` available, you
will have to check out your operating system's debugger.
will have to check out your operating systems debugger.
====
You should mail the traceback to mailto:{wireshark-dev-list-email}[] or attach it

8
docbook/wsdg_src/WSDG_chapter_libraries.asciidoc
View File

@ -63,7 +63,7 @@ format. You will recognize MSVC libraries by the .lib/.dll file extension.
==== Win32: cygwin gcc
Cygwin provides most of the required libraries (with file extension .a or .lib)
for Wireshark suitable for cygwin's gcc compiler.
for Wireshark suitable for cygwins gcc compiler.
[[ChLibsSetup]]
@ -120,7 +120,7 @@ bin directory, e.g. C:\Qt\Qt5.6.2\5.6\msvc2013
=== GTK+ / GLib / GDK / Pango / ATK / GNU gettext / GNU libiconv
The Glib library is used as a basic platform abstraction library, it's
The Glib library is used as a basic platform abstraction library, its
not related to graphical user interface (GUI) things. For a detailed
description about GLib, see <<ChCodeGLib>>.
@ -172,7 +172,7 @@ http://www.ibr.cs.tu-bs.de/projects/libsmi/[].
Wireshark uses the source libSMI distribution at
http://www.ibr.cs.tu-bs.de/projects/libsmi/[].
LibSMI is cross-compiled using MinGW32. It's stored in the libsmi zip archive at
LibSMI is cross-compiled using MinGW32. Its stored in the libsmi zip archive at
https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/[].
[[ChLibsCares]]
@ -230,7 +230,7 @@ locally.
=== libpcap/WinPcap (optional)
Libpcap and WinPcap provide that packet capture capabilities that are central
to Wireshark's core functionality.
to Wiresharks core functionality.
[[ChLibsLibpcap]]

18
docbook/wsdg_src/WSDG_chapter_quick_setup.asciidoc
View File

@ -16,7 +16,7 @@ If a tool is not already installed on your system, you can usually install it
using the package in your distribution: aptitude, yum, Synaptic, etc.
If an install package is not available or you have a
reason not to use it (maybe because it's simply too old), you
reason not to use it (maybe because its simply too old), you
can install that tool from source code. The following sections
will provide you with the webpage addresses where you can get
these sources.
@ -81,7 +81,7 @@ PS$>choco install VisualStudio2015Community --timeout 0 -package-parameters "--A
----
You can use other Microsoft C compiler variants, but VS2015 is used to
build the development releases and is the preferred option. It's
build the development releases and is the preferred option. Its
possible to compile Wireshark with a wide range of Microsoft C compiler
variants. For details see <<ChToolsMSChain>>.
@ -185,7 +185,7 @@ You can directly download packages via `cyg-get`
PS$>cyg-get asciidoc patch docbook-xml45 [...]
----
You can use Chocolatey's Win flex-bison packages rather than the Cygwin
You can use Chocolateys Win flex-bison packages rather than the Cygwin
Bison and Flex package:
----
@ -199,7 +199,7 @@ PS$>choco install winflexbison
Get the Python 3.5 or 2.7 installer from http://python.org/download/[] and
install Python into the default location (_C:\Python35_ or _C:\Python27_).
Why is this recommended? Cygwin's _/usr/bin/python_ is a Cygwin-specific
Why is this recommended? Cygwins _/usr/bin/python_ is a Cygwin-specific
symbolic link which cannot be run from Windows. The native package is faster
as well.
@ -288,7 +288,7 @@ Chocolatey ensures cmake.exe is on your path.
[TIP]
.Make sure everything works
====
It's a good idea to make sure Wireshark compiles and runs at least once before
Its a good idea to make sure Wireshark compiles and runs at least once before
you start hacking the Wireshark sources for your own project. This example uses
Git Extensions but any other Git client should work as well.
====
@ -318,7 +318,7 @@ Repository to clone: *`https://code.wireshark.org/review/wireshark`*
+
Destination: Your top-level development directory, e.g. _C:\Development_.
+
Subdirectory to create: Anything you'd like. Usually _wireshark_.
Subdirectory to create: Anything youd like. Usually _wireshark_.
+
[TIP]
.Check your paths
@ -457,7 +457,7 @@ the environment variables `WIRESHARK_BASE_DIR` and `QT5_BASE_DIR`.
==== Build Wireshark
Now it's time to build Wireshark!
Now its time to build Wireshark!
. If you've closed the Visual Studio Command Prompt <<ChSetupPrepareCommandCom,prepare>> it again.
@ -491,7 +491,7 @@ The build files produced by CMake will regenerate themselves if required by chan
You can debug using the Visual Studio Debugger or WinDbg. See the section
on using the <<ChToolsDebugger, Debugger Tools>>.
==== Optional: Create User's and Developer's Guide
==== Optional: Create Users and Developers Guide
Detailed information to build these guides can be found in the file
_docbook\README.txt_ in the Wireshark sources.
@ -538,6 +538,6 @@ to build a Wireshark installer.
----
> C:\Development\wireshark\packaging\nsis\wireshark-win32-{wireshark-version}-myprotocol123.exe
----
to test your new installer. It's a good idea to test on a different machine
to test your new installer. Its a good idea to test on a different machine
than the developer machine. Note that if you've built an x64 version, the installer will be named accordingly.
--

58
docbook/wsdg_src/WSDG_chapter_sources.asciidoc
View File

@ -28,7 +28,7 @@ such as where to find specific functionality. This is done in
=== The Wireshark Git repository
http://git-scm.com/[Git] is used to keep track of the changes made to the
Wireshark source code. The code is stored inside Wireshark project's Git
Wireshark source code. The code is stored inside Wireshark projects Git
repository located at a server at the wireshark.org domain.
Changes to the official repository are managed using the
@ -46,7 +46,7 @@ scale distributed development and ensures data integrity.
.Why Gerrit?
Gerrit makes it easy to contribute. You can sign in with any OpenID
provider and push your changes. It's usable from both the web and
provider and push your changes. Its usable from both the web and
command line and is integrated with many popular tools.
.Git is our *third* revision control system
@ -57,7 +57,7 @@ Wireshark originally used http://www.nongnu.org/cvs/[Concurrent Versions System]
The Subversion repository was subsequently migrated to Git in January 2014.
====
Using Wireshark's Git repository you can:
Using Wiresharks Git repository you can:
* Keep your private sources up to date with very little effort
* Get a mail notification when the official source code changes
@ -92,7 +92,7 @@ Wireshark uses the following branches for official releases:
=== Obtain the Wireshark sources
There are several ways to obtain the sources from Wireshark's Git
There are several ways to obtain the sources from Wiresharks Git
repository.
[TIP]
@ -109,7 +109,7 @@ source tree several times a day without much effort.
====
The following ways to retrieve the Wireshark sources are sorted in
decreasing source timeliness. If you plan to commit changes you've
made to the sources, it's a good idea to keep your private source
made to the sources, its a good idea to keep your private source
tree as current as possible.
====
@ -126,7 +126,7 @@ Recommended for development purposes.
Age: a few minutes.
You can use a Git client to download the source code from Wireshark's code
You can use a Git client to download the source code from Wiresharks code
review system. Anyone can clone from the anonymous git URL:
* {wireshark-git-anonhttp-url}
@ -141,7 +141,7 @@ https://code.wireshark.org/review/Documentation/cmd-index.html#_server[command l
HTTP lets you access the repository in environments that block the Gerrit SSH
port (29418). At the time of this writing (early 2014) we recommend that
you use the SSH interface. However, this may change as more tools take
advantage of Gerrit's HTTP REST API.
advantage of Gerrits HTTP REST API.
The following example shows how to get up and running on the command
line. See <<ChToolsGit>> for information on installing and configuring
@ -258,14 +258,14 @@ possible (e.g. because of a restrictive firewall).
Age: some number of minutes (a bit older than the Git access).
The Buildbot server will automatically start to generate a snapshot of
Wireshark's source tree after a source code change is committed. These
Wiresharks source tree after a source code change is committed. These
snapshots can be found at {wireshark-snapshots-url}.
If Git access isn't possible, e.g. if the connection to the server
isn't possible because of a corporate firewall, the sources can be
obtained by downloading the Buildbot snapshots. However, if you are
going to maintain your sources in parallel to the "official" sources
for some time, it's recommended to use the anonymous (or authenticated)
for some time, its recommended to use the anonymous (or authenticated)
Git access if possible (believe it, it will save you a lot of time).
[[ChSrcReleased]]
@ -310,7 +310,7 @@ sure the builds are in good shape.
==== Update Using Git
After you clone Wireshark's Git repository you can update
After you clone Wiresharks Git repository you can update
by running
----
@ -359,7 +359,7 @@ error-prone than using Git.
=== Build Wireshark
The sources contain several documentation files. It's a good idea to read these
The sources contain several documentation files. Its a good idea to read these
files first. After obtaining the sources, tools and libraries, the first place
to look at is _doc/README.developer_. Inside you will find the latest
information for Wireshark development for all supported platforms.
@ -420,7 +420,7 @@ installed version first.
==== Unix/Linux
After a successful build you can run Wireshark right from the build
directory. Still the program would need to know that it's being run from
directory. Still the program would need to know that its being run from
the build directory and not from its install location. This has an impact
on the directories where the program can find the other parts and
relevant data files.
@ -436,7 +436,7 @@ command line to launch Wireshark would be:
$ WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ./wireshark
----
There's no need to run Wireshark as root user, you just won't be able to
Theres no need to run Wireshark as root user, you just won't be able to
capture. When you opt to run Wireshark this way, your terminal output can
be informative when things don't work as expected.
@ -501,7 +501,7 @@ on using the <<ChToolsDebugger, Debugger Tools>>.
As the Wireshark developers are working on many different platforms, a lot of
editors are used to develop Wireshark (emacs, vi, Microsoft Visual Studio
and many, many others). There's no "standard" or "default" development
and many, many others). Theres no "standard" or "default" development
environment.
There are several reasons why you might want to change the Wireshark
@ -521,7 +521,7 @@ The internal structure of the Wireshark sources will be described in
.Ask the _wireshark-dev_ mailing list before you start a new development task.
[TIP]
====
If you have an idea what you want to add or change it's a good idea to
If you have an idea what you want to add or change its a good idea to
contact the developer mailing list
(see <<ChIntroMailingLists>>)
and explain your idea. Someone else might already be working on the same
@ -541,12 +541,12 @@ If you have finished changing the Wireshark sources to suit your needs, you
might want to contribute your changes back to the Wireshark community. You gain
the following benefits by contributing your improvements:
* _It's the right thing to do._ Other people who find your contributions useful
* _Its the right thing to do._ Other people who find your contributions useful
will appreciate them, and you will know that you have helped people in the
same way that the developers of Wireshark have helped you.
* _You get free enhancements._ By making your code public, other developers have
a chance to make improvements, as there's always room for improvements. In
a chance to make improvements, as theres always room for improvements. In
addition someone may implement advanced features on top of your code, which
can be useful for yourself too.
@ -557,7 +557,7 @@ the following benefits by contributing your improvements:
version from the website and your changes will already be included without any
effort for you.
There's no direct way to push changes to the Git repository. Only a few people
Theres no direct way to push changes to the Git repository. Only a few people
are authorised to actually make changes to the source code (check-in changed
files). If you want to submit your changes, you should upload them to the code
review system at {wireshark-code-review-url}. This requires you to set up git
@ -696,7 +696,7 @@ as described at <<ChSrcGit>>.
// $ diff -N -r -u --strip-trailing-cr ./svn-dir ./working-dir > foo.diff
// ----
//
// It's a good idea to run `make distclean` before the
// Its a good idea to run `make distclean` before the
// actual diff call, as this will remove a lot
// of temporary files which might be otherwise included in the diff. After
// doing the diff, you should edit the _foo.diff_ file and remove unnecessary
@ -731,7 +731,7 @@ as described at <<ChSrcGit>>.
Some tips that will make the merging of your changes into Git much more likely
(and you want exactly that, don't you?):
* _Use the latest Git sources._ It's a good idea to work with the same
* _Use the latest Git sources._ Its a good idea to work with the same
sources that are used by the other developers. This usually makes it much
easier to apply your patch. For information about the different ways to get
the sources, see <<ChSrcObtain>>.
@ -774,7 +774,7 @@ and integrated.
The core maintainers have done a lot of work fixing bugs and making code
compile on the various platforms Wireshark supports.
To ensure Wireshark's source code quality, and to reduce the workload of the
To ensure Wiresharks source code quality, and to reduce the workload of the
core maintainers, there are some things you should think about _before_
submitting a patch.
@ -792,7 +792,7 @@ be rejected.
details.
* _Submit dissectors as built-in whenever possible._ Developing a new dissector
as a plugin is a good idea because compiling and testing is quicker, but it's
as a plugin is a good idea because compiling and testing is quicker, but its
best to convert dissectors to the built-in style before submitting for check in.
This reduces the number of files that must be installed with Wireshark and
ensures your dissector will be available on all platforms.
@ -882,7 +882,7 @@ You might get one of the following responses to your patch request:
your patch is in the review system it won't get lost.
If you're concerned, feel free to add a comment to the patch or send an email
to the developer's list asking for status. But please be patient: most if not
to the developers list asking for status. But please be patient: most if not
all of us do this in our spare time.
[[ChSrcBackport]]
@ -947,23 +947,23 @@ Given the file _new.diff_ containing a unified diff,
the right way to call the patch tool depends on what the pathnames in
_new.diff_ look like.
If they're relative to the top-level source directory (for example, if a
patch to _prefs.c_ just has _prefs.c_ as the file name) you'd run it as:
patch to _prefs.c_ just has _prefs.c_ as the file name) youd run it as:
----
$ patch -p0 < new.diff
----
If they're relative to a higher-level directory, you'd replace 0 with the
If they're relative to a higher-level directory, youd replace 0 with the
number of higher-level directories in the path, e.g. if the names are
_wireshark.orig/prefs.c_ and
_wireshark.mine/prefs.c_, you'd run it with:
_wireshark.mine/prefs.c_, youd run it with:
----
$ patch -p1 < new.diff
----
If they're relative to a _subdirectory_ of the top-level
directory, you'd run `patch` in _that_ directory and run it with `-p0`.
directory, youd run `patch` in _that_ directory and run it with `-p0`.
If you run it without `-pat` all, the patch tool
flattens path names, so that if you
@ -977,12 +977,12 @@ _Makefile.am_ as well.
At which position in the filesystem should the patch tool be called?
If the pathnames are relative to the top-level source directory, or to a
directory above that directory, you'd run it in the top-level source
directory above that directory, youd run it in the top-level source
directory.
If they're relative to a *subdirectory* -- for example,
if somebody did a patch to _packet-ip.c_ and ran `diff` or `git diff` in
the _epan/dissectors_ directory -- you'd run it in that subdirectory.
the _epan/dissectors_ directory -- youd run it in that subdirectory.
It is preferred that people *not* submit patches like
that, especially if they're only patching files that exist in multiple
directories such as _Makefile.am_.

26
docbook/wsdg_src/WSDG_chapter_tools.asciidoc
View File

@ -65,7 +65,7 @@ PS:\>iex ((new-object net.webclient).DownloadString(_https://chocolatey.org/inst
----
Chocolatey sometimes installs packages in unexpected locations. Cygwin is a notable
example -- recent versions of the Cygwin package are installed in _C:\ProgramData\chocolatey\lib\Cygwin\tools\cygwin_ instead of Cygwin's default location
example -- recent versions of the Cygwin package are installed in _C:\ProgramData\chocolatey\lib\Cygwin\tools\cygwin_ instead of Cygwins default location
(_C:\cygwin_ or _C:\cygwin64_).
[[ChToolsCygwin]]
@ -85,7 +85,7 @@ Although Cygwin consists of several separate packages, the installation
and update is done through a single utility, _setup-x86.exe_ or
_setup-x86_64.exe_, which acts similarly to other web based installers.
You can install Cygwin and its packages using Chocolatey, but this is not
recommended due to Chocolatey's default installation location, described
recommended due to Chocolateys default installation location, described
in the previous section.
==== Installing Cygwin using the Cygwin installer
@ -198,7 +198,7 @@ Your version string may vary, of course.
[[ChToolsCMake]]
Wireshark's build environment can be configured using CMake on Windows
Wiresharks build environment can be configured using CMake on Windows
and either CMake or Autotools on Linux, macOS, and UNIX. CMake is designed
to support out of tree builds. So much so, that in tree builds do not work
properly in all cases. Along with being cross-platform, CMake supports
@ -237,7 +237,7 @@ using the `-D` flag. Useful variables and generators include the following:
+++-DCMAKE_C_FLAGS='-Qunused-arguments'+++:: Make ccache and clang work together
-DPYTHON_EXECUTABLE=c:/Python27/python:: Force the Python path. Useful on Windows since Cygwin's /usrbin/python is a symlink.
-DPYTHON_EXECUTABLE=c:/Python27/python:: Force the Python path. Useful on Windows since Cygwins /usrbin/python is a symlink.
-DENABLE_APPLICATION_BUNDLE=OFF:: Disable building an application bundle (Wireshark.app) on macOS
@ -522,7 +522,7 @@ http://msdn.microsoft.com/en-us/library/t2fck18t.aspx[Microsoft MSDN]
==== C-Runtime "Redistributable" Files
Please note: The following is not legal advice - ask your preferred lawyer
instead. It's the authors view and this view might be wrong.
instead. Its the authors view and this view might be wrong.
Depending on the Microsoft compiler version you use, some binary files coming
from Microsoft might be required to be installed on Windows machine to run
@ -575,7 +575,7 @@ this for applications built with Visual Studio 2013)
. _Using Visual {cpp} Redistributable Merge Modules._
(Loadable modules for building msi installers.
Not suitable for Wireshark's NSIS based installer)
Not suitable for Wiresharks NSIS based installer)
. _Install a particular Visual {cpp} assembly as a
private assembly for the application._ The
@ -596,7 +596,7 @@ is used (this produces the smallest package).
The Windows Platform SDK (PSDK) or Windows SDK is a free
(as in beer) download and contains platform specific headers and
libraries (e.g. _windows.h_, _WSock32.lib_, etc.). As new Windows
features evolve in time, updated SDK's become available that
features evolve in time, updated SDKs become available that
include new and updated APIs.
When you purchase a commercial Visual Studio or use the Community Edition, it will
@ -611,15 +611,15 @@ search for SetEnv.* in the SDK directory.
==== HTML Help
HTML Help is used to create the User's and Developer's Guide in .chm format and
to show the User's Guide as the Wireshark "Online Help".
HTML Help is used to create the Users and Developers Guide in .chm format and
to show the Users Guide as the Wireshark "Online Help".
Both features are currently optional, and might be removed in future versions.
===== HTML Help Compiler (hhc.exe)
This compiler is used to generate a .chm file from a bunch of HTML files -- in
our case to generate the User's and Developer's Guide in .chm format.
our case to generate the Users and Developers Guide in .chm format.
The compiler is only available as the free (as in beer) "HTML Help Workshop"
download. If you want to compile the guides yourself, you need to download and
@ -688,7 +688,7 @@ If you require a non-optimised version, then build using a debug configuration.
===== Debugging Tools for Windows
You can also use the Microsoft Debugging Tools for Windows toolkit, which is a
standalone GUI debugger. Although it's not that comfortable compared to
standalone GUI debugger. Although its not that comfortable compared to
debugging with the Visual Studio integrated debugger it can be helpful if you
have to debug on a machine where an integrated debugger is not available.
@ -897,7 +897,7 @@ However, the version string may vary.
=== Bison
Bison is a parser generator used for some of Wireshark's file format support.
Bison is a parser generator used for some of Wiresharks file format support.
[[ChToolsUnixBison]]
@ -944,7 +944,7 @@ officially supported but _should_ work.
=== Flex
Flex is a lexical analyzer generator used for Wireshark's display filters, some
Flex is a lexical analyzer generator used for Wiresharks display filters, some
file formats, and other features.
[[ChToolsUnixFlex]]

28
docbook/wsdg_src/WSDG_chapter_userinterface.asciidoc
View File

@ -66,7 +66,7 @@ instead of requiring that options be specified.
documentation and instead prefer to learn an application as they use it.
Providing feedback increases your sense of control and awareness, and
makes the application more enjoyable to use. Most of the Qt dialogs
provide a ``hint'' area near the bottom which shows useful information.
provide a “hint” area near the bottom which shows useful information.
For example, the ``Follow Stream'' dialog shows the packet corresponding
to the text under the mouse. The profile management dialog shows a
clickable path to the current profile. The main welcome screen shows
@ -77,7 +77,7 @@ keyboard shortcuts.
Qt Creator is a full-featured IDE and user interface editor. It makes
adding new UI features much easier. It doesn't work well on Windows at
the present time, so it's recommended that you use it on macOS or Linux.
the present time, so its recommended that you use it on macOS or Linux.
To edit and build Wireshark using Qt Cretor, open the top-level
_CMakeLists.txt_ within Qt Creator. It should ask you to choose a build
@ -87,14 +87,14 @@ ENABLE_GTK3=OFF") and click the ``Run CMake'' button. When that
completes select ``Build → Open Build and Run Kit Selector...'' and make
sure _wireshark_ is selected.
Note that Qt Creator uses output created by CMake's *CodeBlocks*
Note that Qt Creator uses output created by CMakes *CodeBlocks*
generator. If you run CMake outside of Qt Creator you should use the
``CodeBlocks - Unix Makefiles'' generator, otherwise Qt Creator will
prompt you to re-run CMake.
==== Source Code Overview
Wireshark's `main` entry point is in _wireshark-qt.cpp_. Command-line arguments
Wiresharks `main` entry point is in _wireshark-qt.cpp_. Command-line arguments
are processed there and the main application class (`WiresharkApplication`)
instance is created there along with the main window.
@ -119,7 +119,7 @@ open when the capture file closes.
The code in _ui/qt_ directory uses three APIs: Qt (which uses
InterCapConvention), GLib (which uses underscore_convention), and the Wireshark
API (which also uses underscore_convention). As a general rule Wireshark's Qt
API (which also uses underscore_convention). As a general rule Wiresharks Qt
code uses InterCapConvention for class names, interCapConvention for methods,
and underscore_convention for variables, with a trailing_underscore_ for member
variables.
@ -130,9 +130,9 @@ Dialogs that work with capture file information shouldn't close just because the
capture file closes. Subclassing `WiresharkDialog` as described above can make
it easier to persist across capture files.
When you create a window with a row of standard ``OK'' and ``Close'' buttons at
When you create a window with a row of standard “OK” and “Close” buttons at
the bottom using Qt Creator you will end up with a subclass of QDialog. This is
fine for traditional modal dialogs, but many times the ``dialog'' needs to behave
fine for traditional modal dialogs, but many times the “dialog” needs to behave
like a QWindow instead.
Modal dialogs should be constructed with `QDialog(parent)`. Modeless dialogs
@ -143,7 +143,7 @@ this for you.
Most of the dialogs in ui/qt share many similarities, including method names,
widget names, and behavior. Most dialogs should have the following, although
it's not strictly required:
its not strictly required:
- An `updateWidgets()` method, which enables and disables widgets depending on
the current state and constraints of the dialog. For example, the Coloring
@ -163,7 +163,7 @@ it's not strictly required:
===== Strings
Wireshark's C code and GLib use UTF-8 encoded character arrays. Qt
Wiresharks C code and GLib use UTF-8 encoded character arrays. Qt
(specifically QString) uses UTF-16. You can convert a `char *` to a
`QString` using simple assignment. You can convert a `QString` to a
`const char *` using `qUtf8Printable`.
@ -184,7 +184,7 @@ your code.
===== Mixing C and {cpp}
Sometimes we have to call {cpp} functions from one of
Wireshark's C callbacks and pass {cpp} objects to or from C. Tap
Wiresharks C callbacks and pass {cpp} objects to or from C. Tap
listeners are a common example. The {cpp} FAQ link:http://www.
parashift.com/c++-faq/mixing-c-and-cpp.html:[describes how to do this
safely].
@ -266,7 +266,7 @@ the internals of a running Qt application similar to $$Spy++$$ on Windows.
.We have switched to Qt
[NOTE]
====
Wireshark's default interface uses Qt. If you would like to add a new
Wiresharks default interface uses Qt. If you would like to add a new
interface feature you should use it and not GTK{plus}.
The documentation below is primarily historical.
====
@ -278,13 +278,13 @@ intended to be a multiplatform tool, there are some drawbacks, as the
result is a somewhat "non native" look and feel.
GTK{plus} is available for many different platforms including, but not limited to:
Unix/Linux, macOS and Win32. It's the foundation of the famous GNOME desktop,
Unix/Linux, macOS and Win32. Its the foundation of the famous GNOME desktop,
so the future development of GTK should be certain. GTK is implemented in plain
C (as is Wireshark itself), and available under the LGPL (Lesser General Public
License), making it free to used by commercial and noncommercial applications.
There are other similar toolkits like wxWidgets which could also be used for
Wireshark. There's no "one and only" reason for or against any of these
Wireshark. Theres no "one and only" reason for or against any of these
toolkits. However, the decision towards GTK was made a long time ago :-)
There are two major GTK versions available:
@ -353,7 +353,7 @@ Several mailing lists are available about GTK development, see
http://mail.gnome.org/mailman/listinfo[], the gtk-app-devel-list may be your
friend.
As it's often done wrong: You should post a mail to *help* the developers
As its often done wrong: You should post a mail to *help* the developers
there instead of only complaining. Posting such a thing like "I don't like
your dialog, it looks ugly" won't be of much help. You might think about
what you dislike and describe why you dislike it and provide a suggestion

8
docbook/wsdg_src/WSDG_chapter_works.asciidoc
View File

@ -16,7 +16,7 @@ This chapter will give you a short overview of how Wireshark works.
=== Overview
The following will give you a simplified overview of Wireshark's function blocks:
The following will give you a simplified overview of Wiresharks function blocks:
[[ChWorksFigOverview]]
@ -58,8 +58,8 @@ with elevated privileges. Source code is in the root directory.
WinPcap and libpcap:: These are separate libraries that provide packet capture
and filtering support on different platforms. The filtering WinPcap and libpcap
works at a much lower level than Wireshark's display filters and uses a
significantly different mechanism. That's why we have different display and
works at a much lower level than Wiresharks display filters and uses a
significantly different mechanism. Thats why we have different display and
capture filter syntaxes.
@ -71,7 +71,7 @@ Capturing takes packets from a network adapter and saves them to a file
on your hard disk.
Since raw network adapter access requires elevated privileges these functions
are isolated into the `dumpcap` program. It's only this program that needs these
are isolated into the `dumpcap` program. Its only this program that needs these
privileges, allowing the main part of the code (dissectors, user interface,
etc) to run with normal user privileges.

2
docbook/wsdg_src/WSDG_preface.asciidoc
View File

@ -32,7 +32,7 @@ Wireshark.
This book is not intended to explain the usage of Wireshark in general.
Please refer the
{wireshark-users-guide-url}[Wireshark User's Guide] about Wireshark usage.
{wireshark-users-guide-url}[Wireshark Users Guide] about Wireshark usage.
By reading this book, you will learn how to develop Wireshark. It will
hopefully guide you around some common problems that frequently appear for

34
docbook/wsluarm.asciidoc
View File

@ -20,13 +20,13 @@ the Department of Computer Science.
In Wireshark Lua can be used to write dissectors, taps, and capture file readers
and writers.
Wireshark's Lua interpreter starts by loading `init.lua` that is located in the
Wiresharks Lua interpreter starts by loading `init.lua` that is located in the
global configuration directory of Wireshark. Lua is enabled by default. To
disable Lua the line variable _$$disable_lua$$_ should be set to _true_ in
`init.lua`.
After loading _init.lua_ from the data directory if Lua is enabled Wireshark
will try to load a file named `init.lua` in the user's directory.
will try to load a file named `init.lua` in the users directory.
Wireshark will also load all files with `.lua` suffix from both the global and
the personal plugins directory.
@ -167,7 +167,7 @@ register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED)
[[wsluarm_modules]]
== Wireshark's Lua API Reference Manual
== Wiresharks Lua API Reference Manual
This Part of the User Guide describes the Wireshark specific functions in the embedded Lua.
@ -211,9 +211,9 @@ include::{build_dir}/wsluarm_src/wslua_struct.asciidoc[]
=== GLib Regular Expressions
Lua has its own native _pattern_ syntax in the string library, but sometimes a
real regex engine is more useful. Wireshark comes with GLib's Regex
real regex engine is more useful. Wireshark comes with GLibs Regex
implementation, which itself is based on Perl Compatible Regular Expressions
(PCRE). This engine is exposed into Wireshark's Lua engine through the
(PCRE). This engine is exposed into Wiresharks Lua engine through the
well-known Lrexlib library, following the same syntax and semantics as the
Lrexlib PCRE implementation, with a few differences as follows:
@ -277,34 +277,34 @@ characters stand for compilation flags. Combinations of the following characters
(case sensitive) are supported:
* _i_ = G_REGEX_CASELESS - Letters in the pattern match both upper- and
lowercase letters. This option can be changed within a pattern by a ``(?i)''
lowercase letters. This option can be changed within a pattern by a “(?i)”
option setting.
* _m_ = G_REGEX_MULTILINE - By default, GRegex treats the strings as
consisting of a single line of characters (even if it actually contains
newlines). The ``start of line'' metacharacter (``^'') matches only at the start
of the string, while the ``end of line'' metacharacter (``$'') matches only at
newlines). The ``start of line'' metacharacter (“^”) matches only at the start
of the string, while the ``end of line'' metacharacter (“$”) matches only at
the end of the string, or before a terminating newline (unless
G_REGEX_DOLLAR_ENDONLY is set). When G_REGEX_MULTILINE is set, the ``start of
line'' and ``end of line'' constructs match immediately following or
immediately before any newline in the string, respectively, as well as at the
very start and end. This can be changed within a pattern by a ``(?m)'' option
very start and end. This can be changed within a pattern by a “(?m)” option
setting.
* _s_ = G_REGEX_DOTALL - A dot metacharater (``.'') in the pattern matches
* _s_ = G_REGEX_DOTALL - A dot metacharater (“.”) in the pattern matches
all characters, including newlines. Without it, newlines are excluded. This
option can be changed within a pattern by a ("?s") option setting.
* _x_ = G_REGEX_EXTENDED - Whitespace data characters in the pattern are
totally ignored except when escaped or inside a character class. Whitespace
does not include the VT character (code 11). In addition, characters between
an unescaped ``$$#$$'' outside a character class and the next newline character,
an unescaped “$$#$$” outside a character class and the next newline character,
inclusive, are also ignored. This can be changed within a pattern by a
``(?x)'' option setting.
“(?x)” option setting.
* _U_ = G_REGEX_UNGREEDY - Inverts the ``greediness'' of the quantifiers so
that they are not greedy by default, but become greedy if followed by ``?''.
It can also be set by a ``(?U)'' option setting within the pattern.
* _U_ = G_REGEX_UNGREEDY - Inverts the “greediness” of the quantifiers so
that they are not greedy by default, but become greedy if followed by “?”.
It can also be set by a “(?U)” option setting within the pattern.
[[lua_fn_GRegex_new_pattern_]]
@ -597,7 +597,7 @@ ef (optional):: match execution flags (bitwise OR)
[float]
===== Returns
On success, returns all substring matches (``captures''), in the order they appear
On success, returns all substring matches (“captures”), in the order they appear
in the pattern. false is returned for sub-patterns that did not participate in
the match. If the pattern specified no captures then the whole matched substring
is returned. nil is returned if the pattern did not match.
@ -650,7 +650,7 @@ ef (optional):: match execution flags (bitwise OR)
===== Returns
On success, returns the start point of the first match (a number), the end point
of the first match (a number), and the offsets of substring matches (``captures''
of the first match (a number), and the offsets of substring matches (“captures”
in Lua terminology) are returned as a third result, in a table. This table
contains false in the positions where the corresponding sub-pattern did not
participate in the match. On failure, returns nil. Example: If the whole match

24
docbook/wsug_src/WSUG_app_files.asciidoc
View File

@ -12,7 +12,7 @@
=== Capture Files
To understand which information will remain available after the captured packets
are saved to a capture file, it's helpful to know a bit about the capture file
are saved to a capture file, its helpful to know a bit about the capture file
contents.
Wireshark uses the
@ -23,7 +23,7 @@ but other tools may not support it.
Wireshark also supports the
link:https://wiki.wireshark.org/Development/LibpcapFileFormat[libpcap] file
format. This is a much simpler format and is well established. However, it has
some drawbacks: it's not extensible and lacks some information that would be
some drawbacks: its not extensible and lacks some information that would be
really helpful (e.g. being able to add a comment to a packet such as ``the
problems start here'' would be really nice).
@ -46,9 +46,9 @@ The following data is saved for each packet:
* The packet length as it was ``on the wire''
* The packet length as it's saved in the file
* The packet length as its saved in the file
* The packet's raw bytes
* The packets raw bytes
A detailed description of the libpcap file format can be found at:
link:$$https://wiki.wireshark.org/Development/LibpcapFileFormat$$[]
@ -108,7 +108,7 @@ Files\Wireshark_.
==== Folders on Unix-like systems
_$XDG_CONFIG_HOME_ is the folder for user-specific configuration files.
It's usually _$HOME/.config_, where _$HOME_ is the user's home folder, which
Its usually _$HOME/.config_, where _$HOME_ is the users home folder, which
is usually something such as _$HOME/**username**_, or
_/Users/**username**_ on macOS.
@ -195,7 +195,7 @@ _preferences_ file in the personal configuration folder, that is read;
if there is a preference set in both files, the setting in the personal
preferences file overrides the setting in the global preference file.
If you press the Save button in the ``Preferences'' dialog box, all the
If you press the Save button in the “Preferences” dialog box, all the
current settings are written to the personal preferences file.
--
@ -390,7 +390,7 @@ overrides the setting in the personal preference file.
+
--
Each line in one of these files consists of an IPv4 address, a subnet
mask length separated only by a ``/'' and a name separated by whitespace.
mask length separated only by a “/” and a name separated by whitespace.
While the address must be a full IPv4 address, any values beyond the
mask length are subsequently ignored.
@ -400,10 +400,10 @@ An example is:
192.168.0.0/24 ws_test_network
----
A partially matched name will be printed as ``subnet-name.remaining-address''.
For example, ``192.168.0.1'' under the subnet above would be printed as
A partially matched name will be printed as “subnet-name.remaining-address”.
For example, “192.168.0.1” under the subnet above would be printed as
``ws_test_network.1"; if the mask length above had been 16 rather than 24, the
printed address would be ``ws_test_network.0.1''.
printed address would be “ws_test_network.0.1”.
The settings from these files are read in at program start and never
written by Wireshark.
@ -487,7 +487,7 @@ of duplicate file names between old and new the new folder wins.
* If you are running on macOS and Wireshark is installed as an
application bundle, the global plugin folder is
_%APPDIR%/Contents/PlugIns/wireshark_, otherwise it's
_%APPDIR%/Contents/PlugIns/wireshark_, otherwise its
_INSTALLDIR/lib/wireshark/plugins_.
[[ChWindowsFolder]]
@ -515,7 +515,7 @@ If you've upgraded to a new Windows version, your profile might be kept in the
former location. The defaults mentioned here might not apply.
====
The following guides you to the right place where to look for Wireshark's
The following guides you to the right place where to look for Wiresharks
profile data.
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions::

10
docbook/wsug_src/WSUG_app_howitworks.asciidoc
View File

@ -7,7 +7,7 @@
[appendix]
== How Wireshark Works
When using such a complex program like Wireshark, it's sometimes useful to
When using such a complex program like Wireshark, its sometimes useful to
understand the mechanisms and concepts behind the surface. This is an approach
to shed some light on the inner workings of Wireshark.
@ -51,19 +51,19 @@ At program start, the dissector registers itself at the appropriate place(s).
There are two ways for a dissector to register itself for packet data:
* _Static_. If the dissector knows a specific value of a lower layer, if can
directly register itself there (e.g. the HTTP dissector ``knows'', that
directly register itself there (e.g. the HTTP dissector “knows”, that
typically the well known TCP port 80 is used to transport HTTP data).
* _Heuristic_. If no such well known way exists, the dissector
can register itself for the heuristic mechanism. If a lower layer dissector
has to handle some packet data where no well known way exists, it can
handover the packet to Wireshark's heuristic mechanism. This will ask all
registered upper layer dissectors, if they ``like'' that data. Each of these
handover the packet to Wiresharks heuristic mechanism. This will ask all
registered upper layer dissectors, if they “like” that data. Each of these
dissectors will typically look into the first few bytes of the packet, if it
contains some characteristic data of that protocol. So the dissector can
accept or reject to dissect that packet.
Let's look at an example. We'll assume, Wireshark loads a TCP/IP/Ethernet
Lets look at an example. We'll assume, Wireshark loads a TCP/IP/Ethernet
packet. Wireshark will call the Ethernet dissector, which will dissect the
Ethernet related data (usually the first 6 + 6 + 2 bytes). Then this dissector calls
back into Wireshark and will pass the rest of the data back to Wireshark.

8
docbook/wsug_src/WSUG_app_messages.asciidoc
View File

@ -9,7 +9,7 @@
Wireshark provides you with additional information generated out of the plain
packet data or it may need to indicate dissection problems. Messages generated
by Wireshark are usually placed in square brackets (``[]'').
by Wireshark are usually placed in square brackets (“[]”).
[[AppMessagesList]]
@ -40,7 +40,7 @@ the packet any further. There can be various reasons:
Any of the above is possible. You'll have to look into the specific situation to
determine the reason. You could disable the dissector by disabling the protocol
on the Analyze menu and check how Wireshark displays the packet then. You could
(if it's TCP) enable reassembly for TCP and the specific dissector (if possible)
(if its TCP) enable reassembly for TCP and the specific dissector (if possible)
in the Edit|Preferences menu. You could check the packet contents yourself by
reading the packet bytes and comparing it to the protocol specification. This
could reveal a dissector bug. Or you could find out that the packet is indeed
@ -50,7 +50,7 @@ wrong.
The packet size was limited during capture, see ``Limit each packet to n bytes''
at the <<ChCapCaptureOptions>>. While dissecting, the current protocol dissector
was simply running out of packet bytes and had to give up. There's nothing else
was simply running out of packet bytes and had to give up. Theres nothing else
you can do now, except to repeat the whole capture process again with a higher
(or no) packet size limitation.
@ -82,4 +82,4 @@ by double clicking on this message.
++++++++++++++++++++++++++++++++++++++
<!-- End of WSUG Appendix Messages -->
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++

26
docbook/wsug_src/WSUG_app_tools.asciidoc
View File

@ -14,7 +14,7 @@
Along with the main application, Wireshark comes with an array of
command line tools which can be helpful for specialized tasks. Some of
these tools will be described in this chapter. You can find more
information about all of Wireshark's command line tools on
information about all of Wiresharks command line tools on
link:{wireshark-man-page-url}[the web site].
[[AppToolstshark]]
@ -35,9 +35,9 @@ include::tshark-h.txt[]
[[AppToolstcpdump]]
=== __tcpdump__: Capturing with ``tcpdump'' for viewing with Wireshark
=== __tcpdump__: Capturing with “tcpdump” for viewing with Wireshark
It's often more useful to capture packets using `tcpdump` rather than
Its often more useful to capture packets using `tcpdump` rather than
`wireshark`. For example, you might want to do a remote capture and either don't
have GUI access or don't have Wireshark installed on the remote machine.
@ -59,10 +59,10 @@ tcpdump`) or link:{tcpdump-man-page-url}[the online version].
[[AppToolsdumpcap]]
=== __dumpcap__: Capturing with ``dumpcap'' for viewing with Wireshark
=== __dumpcap__: Capturing with “dumpcap” for viewing with Wireshark
Dumpcap is a network traffic dump tool. It captures packet data from a live
network and writes the packets to a file. Dumpcap's native capture file format
network and writes the packets to a file. Dumpcaps native capture file format
is pcapng, which is also the format used by Wireshark.
Without any options set it will use the pcap library to capture traffic
@ -149,13 +149,13 @@ Mergecap is a program that combines multiple saved capture files into a single
output file specified by the `-w` argument. Mergecap knows how to read libpcap
capture files, including those of tcpdump. In addition, Mergecap can read
capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer
(compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray,
Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output,
HP-UX's nettl, and the dump output from Toshiba's ISDN routers. There is no need
(compressed or uncompressed), Microsoft Network Monitor, AIXs iptrace, NetXray,
Sniffer Pro, RADCOMs WAN/LAN analyzer, Lucent/Ascend router debug output,
HP-UXs nettl, and the dump output from Toshibas ISDN routers. There is no need
to tell Mergecap what type of file you are reading; it will determine the file
type by itself. Mergecap is also capable of reading any of these file formats if
they are compressed using `gzip`. Mergecap recognizes this directly from the
file; the ``.gz'' extension is not required for this purpose.
file; the “.gz” extension is not required for this purpose.
By default, it writes the capture file in pcapng format, and writes all of the
packets in the input capture files to the output file. The `-F` flag can be used
@ -167,10 +167,10 @@ Network Monitor 1.x format, and the format used by Windows-based versions of the
Sniffer software.
Packets from the input files are merged in chronological order based on each
frame's timestamp, unless the `-a` flag is specified. Mergecap assumes that
frames timestamp, unless the `-a` flag is specified. Mergecap assumes that
frames within a single capture file are already stored in chronological order.
When the `-a` flag is specified, packets are copied directly from each input
file to the output file, independent of each frame's timestamp.
file to the output file, independent of each frames timestamp.
If the `-s` flag is used to specify a snapshot length, frames in the input file
with more captured data than the specified snapshot length will have only the
@ -242,7 +242,7 @@ is a sample dump that `text2pcap` can recognize:
There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Bytes/hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters `>'. Any lines of text between the bytestring lines is ignored.
characters “>”. Any lines of text between the bytestring lines is ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
@ -256,7 +256,7 @@ of mangled outputs (including being forwarded through email multiple times, with
limited line wrap etc.)
There are a couple of other special features to note. Any line where the first
non-whitespace character is `#' will be ignored as a comment. Any line beginning
non-whitespace character is “#” will be ignored as a comment. Any line beginning
with #TEXT2PCAP is a directive and options can be inserted after this command to
be processed by `text2pcap`. Currently there are no directives implemented; in the
future, these may be used to give more fine grained control on the dump and the

110
docbook/wsug_src/WSUG_chapter_advanced.asciidoc
View File

@ -10,7 +10,7 @@
=== Introduction
This chapter some of Wireshark's advanced features.
This chapter some of Wiresharks advanced features.
[[ChAdvFollowTCPSection]]
@ -20,7 +20,7 @@ If you are working with TCP based protocols it can be very helpful to see the
data from a TCP stream in the way that the application layer sees it. Perhaps
you are looking for passwords in a Telnet stream, or you are trying to make
sense of a data stream. Maybe you just need a display filter to show only the
packets of that TCP stream. If so, Wireshark's ability to follow a TCP stream
packets of that TCP stream. If so, Wiresharks ability to follow a TCP stream
will be useful to you.
Simply select a TCP packet in the packet list of the stream/connection you are
@ -47,7 +47,7 @@ image::wsug_graphics/ws-follow-stream.png[{screenshot-attrs}]
The stream content is displayed in the same sequence as it appeared on the
network. Traffic from A to B is marked in red, while traffic from B to A is
marked in blue. If you like, you can change these colors in the
``Colors'' page if the ``Preferences'' dialog.
“Colors” page if the “Preferences” dialog.
Non-printable characters will be replaced by dots.
@ -98,13 +98,13 @@ more formatting because they contain an image or HTML then this dialog can be us
This dialog can also be used to decode field bytes from base64, zlib compressed
or quoted-printable and show the decoded bytes as configurable output.
It's also possible to select a subset of bytes setting the start byte and end byte.
Its also possible to select a subset of bytes setting the start byte and end byte.
You can choose from the following actions:
. __Find__: Search for the given text. Matching text will be highlighted,
and the ``Find Next'' will search for more. In the context menu for the
find text it's possible to configure to use regular expression find.
find text its possible to configure to use regular expression find.
. __Print__: Print the bytes in the currently selected format.
@ -145,10 +145,10 @@ You can choose to view the data in one of the following formats:
screen space and is best used with binary protocols.
*HTML*:: This allows you to see all the data formatted as a HTML document.
The HTML supported is what's supported by the Qt QTextEdit class.
The HTML supported is whats supported by the Qt QTextEdit class.
*Image*:: This will try to convert the bytes into an image.
Images supported are what's supported by the Qt QImage class.
Images supported are whats supported by the Qt QImage class.
*ISO 8859-1*:: In this view you see the bytes as ISO 8859-1.
@ -168,14 +168,14 @@ The expert infos is a kind of log of the anomalies found by Wireshark in a
capture file.
The general idea behind the following ``Expert Info'' is to have a better
display of ``uncommon'' or just notable network behaviour. This way, both novice
display of “uncommon” or just notable network behaviour. This way, both novice
and expert users will hopefully find probable network problems a lot faster,
compared to scanning the packet list ``manually'' .
compared to scanning the packet list “manually” .
[WARNING]
.Expert infos are only a hint
====
Take expert infos as a hint what's worth looking at, but not more. For example,
Take expert infos as a hint whats worth looking at, but not more. For example,
the absence of expert infos doesn't necessarily mean everything is OK.
====
@ -216,10 +216,10 @@ GUI:
* __Chat (grey)__: information about usual workflow, e.g. a TCP packet with the
SYN flag set
* __Note (cyan)__: notable things, e.g. an application returned an ``usual''
* __Note (cyan)__: notable things, e.g. an application returned an “usual”
error code like HTTP 404
* __Warn (yellow)__: warning, e.g. application returned an ``unusual'' error
* __Warn (yellow)__: warning, e.g. application returned an “unusual” error
code like a connection problem
* __Error (red)__: serious problem, e.g. [Malformed Packet]
@ -254,7 +254,7 @@ There are some common groups of expert infos. The following are currently implem
* __Debug__: debugging (should not occur in release versions)
It's possible that more groups will be added in the future.
Its possible that more groups will be added in the future.
[[ChAdvExpertProtocol]]
@ -285,7 +285,7 @@ image::wsug_graphics/ws-expert-infos.png[{screenshot-attrs}]
An easy and quick way to find the most interesting infos (rather than using the
Details tab), is to have a look at the separate tabs for each severity level. As
the tab label also contains the number of existing entries, it's easy to find
the tab label also contains the number of existing entries, its easy to find
the tab with the most important entries.
There are usually a lot of identical expert infos only differing in the packet
@ -306,14 +306,14 @@ pinpoint problems.
[[ChAdvExpertColorizedTree]]
==== ``Colorized'' Protocol Details Tree
==== “Colorized” Protocol Details Tree
.The ``Colorized'' protocol details tree
.The “Colorized” protocol details tree
image::wsug_graphics/ws-expert-colored-tree.png[{screenshot-attrs}]
The protocol field causing an expert info is colorized, e.g. uses a cyan
background for a note severity level. This color is propagated to the toplevel
protocol item in the tree, so it's easy to find the field that caused the expert
protocol item in the tree, so its easy to find the field that caused the expert
info.
For the example screenshot above, the IP ``Time to live'' value is very low
@ -323,9 +323,9 @@ marked cyan as well.
[[ChAdvExpertColumn]]
==== ``Expert'' Packet List Column (optional)
==== “Expert” Packet List Column (optional)
.The ``Expert'' packet list column
.The “Expert” packet list column
image::wsug_graphics/ws-expert-column.png[{screenshot-attrs}]
An optional ``Expert Info Severity'' packet list column is available that
@ -337,7 +337,7 @@ the Preferences Columns page described in <<ChCustPreferencesSection>>.
=== TCP Analysis
By default, Wireshark's TCP dissector tracks the state of each TCP
By default, Wiresharks TCP dissector tracks the state of each TCP
session and provides additional information when problems or potential
problems are detected. Analysis is done once for each TCP packet when a
capture file is first opened. Packets are processed in the order in
@ -376,7 +376,7 @@ that this is not the same as the next expected acknowledgment number.
==== TCP ACKed unseen segment
Set when the expected next acknowledgement number is set for the reverse
direction and it's less than the current acknowledgement number.
direction and its less than the current acknowledgement number.
// TCP_A_DUPLICATE_ACK
[float]
@ -402,7 +402,7 @@ Set when all of the following are true:
- The current sequence number equals the next expected acknowledgement number.
- We saw the last acknowledgement less than 20ms ago.
Supersedes ``Out-Of-Order'', ``Spurious Retransmission'', and ``Retransmission''.
Supersedes “Out-Of-Order”, ``Spurious Retransmission'', and “Retransmission”.
// TCP_A_KEEP_ALIVE
[float]
@ -412,8 +412,8 @@ Set when the segment size is zero or one, the current sequence number
is one byte less than the next expected sequence number, and any of SYN,
FIN, or RST are set.
Supersedes ``Fast Retransmission'', ``Out-Of-Order'', ``Spurious
Retransmission'', and ``Retransmission''.
Supersedes ``Fast Retransmission'', “Out-Of-Order”, ``Spurious
Retransmission'', and “Retransmission”.
// TCP_A_KEEP_ALIVE_ACK
[float]
@ -428,7 +428,7 @@ Set when all of the following are true:
- The most recently seen packet in the reverse direction was a keepalive.
- The packet is not a SYN, FIN, or RST.
Supersedes ``Dup ACK'' and ``ZeroWindowProbeAck''.
Supersedes ``Dup ACK'' and “ZeroWindowProbeAck”.
// TCP_A_OUT_OF_ORDER
[float]
@ -442,13 +442,13 @@ Set when all of the following are true:
- The next expected sequence number and the next sequence number differ.
- The last segment arrived within the calculated RTT (3ms by default).
Supersedes ``Spurious Retransmission'' and ``Retransmission''.
Supersedes ``Spurious Retransmission'' and “Retransmission”.
// TCP_A_REUSED_PORTS
[float]
==== TCP Port numbers reused
Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same addresses and ports, and the sequencue number is different than the existing conversation's initial sequence number.
Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same addresses and ports, and the sequencue number is different than the existing conversations initial sequence number.
// TCP_A_LOST_PACKET
[float]
@ -469,7 +469,7 @@ direction. Set when all of the following are true:
- Data for this flow has been acknowledged. That is, the last-seen acknowledgement number has been set.
- The next sequence number is less than or equal to the last-seen acknowledgement number.
Supersedes ``Retransmission''.
Supersedes “Retransmission”.
// TCP_A_RETRANSMISSION
[float]
@ -534,7 +534,7 @@ Supersedes ``TCP Dup ACK''.
=== Time Stamps
Time stamps, their precisions and all that can be quite confusing. This section
will provide you with information about what's going on while Wireshark
will provide you with information about whats going on while Wireshark
processes time stamps.
While packets are captured, each packet is time stamped as it comes in. These
@ -565,13 +565,13 @@ capturing hardware, this resolution should be adequate.
Every capture file format that Wireshark knows supports time stamps. The time
stamp precision supported by a specific capture file format differs widely and
varies from one second ``0'' to one nanosecond ``0.123456789''. Most file
varies from one second “0” to one nanosecond “0.123456789”. Most file
formats store the time stamps with a fixed precision (e.g. microseconds), while
some file formats are even capable of storing the time stamp precision itself
(whatever the benefit may be).
The common libpcap capture file format that is used by Wireshark (and a lot of
other tools) supports a fixed microsecond resolution ``0.123456'' only.
other tools) supports a fixed microsecond resolution “0.123456” only.
Writing data into a capture file format that doesn't provide the capability to
store the actual precision will lead to loss of information. For example, if you
@ -599,7 +599,7 @@ Don't use USB connected NICs when you need precise time stamp
accuracy.
====
// (XXX - are there any such NIC's that generate time stamps on the USB
// (XXX - are there any such NICs that generate time stamps on the USB
// hardware?)
[[ChAdvTimezones]]
@ -632,15 +632,15 @@ only at a small part of the world.
For that reason, the earth is split into several different time zones, each zone
with a local time that corresponds to the local sunset.
The time zone's base time is UTC (Coordinated Universal Time) or Zulu Time
The time zones base time is UTC (Coordinated Universal Time) or Zulu Time
(military and aviation). The older term GMT (Greenwich Mean Time) shouldn't be
used as it is slightly incorrect (up to 0.9 seconds difference to UTC). The UTC
base time equals to 0 (based at Greenwich, England) and all time zones have an
offset to UTC between -12 to +14 hours!
For example: If you live in Berlin you are in a time zone one hour earlier than
UTC, so you are in time zone ``+1'' (time difference in hours compared to UTC).
If it's 3 o'clock in Berlin it's 2 o'clock in UTC ``at the same moment''.
UTC, so you are in time zone “+1” (time difference in hours compared to UTC).
If its 3 o'clock in Berlin its 2 o'clock in UTC ``at the same moment''.
Be aware that at a few places on earth don't use time zones with even hour
offsets (e.g. New Delhi uses UTC+05:30)!
@ -653,7 +653,7 @@ Further information can be found at: {wikipedia-main-url}Time_zone and
.What is daylight saving time (DST)?
****
Daylight Saving Time (DST), also known as Summer Time is intended to ``save''
Daylight Saving Time (DST), also known as Summer Time is intended to “save”
some daylight during the summer months. To do this, a lot of countries (but not
all!) add a DST hour to the already existing UTC offset. So you may need to take
another hour (or in very rare cases even two hours!) difference into your ``time
@ -661,7 +661,7 @@ zone calculations''.
Unfortunately, the date at which DST actually takes effect is different
throughout the world. You may also note, that the northern and southern
hemispheres have opposite DST's (e.g. while it's summer in Europe it's winter in
hemispheres have opposite DSTs (e.g. while its summer in Europe its winter in
Australia).
Keep in mind: UTC remains the same all year around, regardless of DST!
@ -673,16 +673,16 @@ link:{wikipedia-main-url}Daylight_saving[].
Further time zone and DST information can be found at
{greenwichmeantime-main-url} and {timeanddate-main-url}.
==== Set your computer's time correctly!
==== Set your computers time correctly!
If you work with people around the world it's very helpful to set your
computer's time and time zone right.
If you work with people around the world its very helpful to set your
computers time and time zone right.
You should set your computers time and time zone in the correct sequence:
. Set your time zone to your current location
. Set your computer's clock to the local time
. Set your computers clock to the local time
This way you will tell your computer both the local time and also the time
offset to UTC. Many organizations simply set the time zone on their servers and
@ -690,7 +690,7 @@ networking gear to UTC in order to make coordination and troubleshooting easier.
[TIP]
====
If you travel around the world, it's an often made mistake to adjust the hours
If you travel around the world, its an often made mistake to adjust the hours
of your computer clock to the local time. Don't adjust the hours but your time
zone setting instead! For your computer, the time is essentially the same as
before, you are simply in a different time zone with a different local time.
@ -704,16 +704,16 @@ for a lot more), for examples see {ntp-main-url}.
==== Wireshark and Time Zones
So what's the relationship between Wireshark and time zones anyway?
So whats the relationship between Wireshark and time zones anyway?
Wireshark's native capture file format (libpcap format), and some other capture
Wiresharks native capture file format (libpcap format), and some other capture
file formats, such as the Windows Sniffer, EtherPeek, AiroPeek, and Sun snoop
formats, save the arrival time of packets as UTC values. UN*X systems, and
``Windows NT based'' systems represent time internally as UTC. When Wireshark is
capturing, no conversion is necessary. However, if the system time zone is not
set correctly, the system's UTC time might not be correctly set even if the
set correctly, the systems UTC time might not be correctly set even if the
system clock appears to display correct local time. When capturing, WinPcap has
to convert the time to UTC before supplying it to Wireshark. If the system's
to convert the time to UTC before supplying it to Wireshark. If the systems
time zone is not set correctly, that conversion will not be done correctly.
Other capture file formats, such as the Microsoft Network Monitor, DOS-based
@ -731,7 +731,7 @@ values, this means that the arrival time will be displayed as the local time in
your time zone, which might not be the same as the arrival time in the time zone
in which the packet was captured. For capture files saving the arrival time of
packets as local time values, the conversion to UTC will be done using your time
zone's offset from UTC and DST rules, which means the conversion will not be
zones offset from UTC and DST rules, which means the conversion will not be
done correctly; the conversion back to local time for display might undo this
correctly, in which case the arrival time will be displayed as the arrival time
in which the packet was captured.
@ -747,9 +747,9 @@ in which the packet was captured.
|_Displayed Time (Local Time)_|02:00|05:00|09:00|10:00|11:00|19:00
|===============
For example let's assume that someone in Los Angeles captured a packet with
For example lets assume that someone in Los Angeles captured a packet with
Wireshark at exactly 2 o'clock local time and sends you this capture file. The
capture file's time stamp will be represented in UTC as 10 o'clock. You are
capture files time stamp will be represented in UTC as 10 o'clock. You are
located in Berlin and will see 11 o'clock on your Wireshark display.
Now you have a phone call, video conference or Internet meeting with that one to
@ -799,7 +799,7 @@ See <<ChUsePacketBytesPaneSection>>).
.The ``Packet Bytes'' pane with a reassembled tab
image::wsug_graphics/ws-bytes-pane-tabs.png[{screenshot-attrs}]
Reassembly might take place at several protocol layers, so it's possible that
Reassembly might take place at several protocol layers, so its possible that
multiple tabs in the ``Packet Bytes'' pane appear.
[NOTE]
@ -846,7 +846,7 @@ you hours of work. Unfortunately, it also has its drawbacks.
* _Name resolution will often fail._ The name to be resolved might simply be
unknown by the name servers asked, or the servers are just not available and
the name is also not found in Wireshark's configuration files.
the name is also not found in Wiresharks configuration files.
* _The resolved names are not stored in the capture file or somewhere else._ So
the resolved names might not be available if you open the capture file later
@ -925,7 +925,7 @@ The asynchronous DNS service works a bit differently. It will also ask the DNS
server, but it won't wait for the answer. It will just return to Wireshark in a
very short amount of time. The actual (and the following) address fields won't
show the resolved name until the DNS server returns an answer. As mentioned
above, the values get cached, so you can use menu:View[Reload] to ``update'' these
above, the values get cached, so you can use menu:View[Reload] to “update” these
fields to show the resolved values.
__hosts name resolution (hosts file)__: If DNS name resolution failed, Wireshark
@ -1005,7 +1005,7 @@ protocol preferences, e.g. to (very slightly) increase performance.
If the checksum validation is enabled and it detected an invalid checksum,
features like packet reassembly won't be processed. This is avoided as
incorrect connection data could ``confuse'' the internal database.
incorrect connection data could “confuse” the internal database.
==== Checksum offloading
@ -1017,7 +1017,7 @@ checksum and the receiving hardware validates this checksum. If the received
checksum is wrong Wireshark won't even see the packet, as the Ethernet hardware
internally throws away the packet.
Higher level checksums are ``traditionally'' calculated by the protocol
Higher level checksums are “traditionally” calculated by the protocol
implementation and the completed packet is then handed over to the hardware.
Recent network hardware can perform advanced features such as IP checksum
@ -1030,7 +1030,7 @@ garbage filled) checksum field to the hardware.
====
Checksum offloading often causes confusion as the network packets to be
transmitted are handed over to Wireshark before the checksums are actually
calculated. Wireshark gets these ``empty'' checksums and displays them as
calculated. Wireshark gets these “empty” checksums and displays them as
invalid, even though the packets will contain valid checksums when they leave
the network hardware later.
====

12
docbook/wsug_src/WSUG_chapter_build_install.asciidoc
View File

@ -115,9 +115,9 @@ On the _Choose Components_ page of the installer you can select from the followi
- *Rawshark* - Raw packet filter.
* *User's Guide* - Local installation of the User's Guide. The Help buttons on
* *Users Guide* - Local installation of the Users Guide. The Help buttons on
most dialogs will require an internet connection to show help pages if the
User's Guide is not installed locally.
Users Guide is not installed locally.
[[ChBuildInstallWinAdditionalTasks]]
@ -260,7 +260,7 @@ included _Read me first_ file for more details.
=== Building Wireshark from source under UNIX
Building Wireshark requires the proper build environment including a
compiler and many supporting libraries. See the Developer's Guide at
compiler and many supporting libraries. See the Developers Guide at
{wireshark-developers-guide-url} for more information.
Use the following general steps to build Wireshark from source under UNIX or Linux:
@ -323,7 +323,7 @@ UNIX (formerly Digital UNIX) you would use _setld_.
==== Installing from RPMs under Red Hat and alike
Building RPMs from Wireshark's source code results in several packages (most
Building RPMs from Wiresharks source code results in several packages (most
distributions follow the same system):
* The `wireshark` package contains the core Wireshark libraries and command-line
@ -369,7 +369,7 @@ Use the following command to install downloaded Wireshark debs under Debian:
$ dpkg -i wireshark-common_2.0.5.0-1_i386.deb wireshark_wireshark-2.0.5.0-1_i386.deb
----
dpkg doesn't take care of all dependencies, but reports what's missing.
dpkg doesn't take care of all dependencies, but reports whats missing.
[NOTE]
@ -430,7 +430,7 @@ We strongly recommended that you use the binary installer for Windows unless you
want to start developing Wireshark on the Windows platform.
For further information how to build Wireshark for Windows from the sources
see the Developer's Guide at {wireshark-developers-guide-url}.
see the Developers Guide at {wireshark-developers-guide-url}.
You may also want to have a look at the Development Wiki
({wireshark-wiki-url}Development) for the latest available development

62
docbook/wsug_src/WSUG_chapter_capture.asciidoc
View File

@ -25,7 +25,7 @@ The Wireshark capture engine provides the following features:
<<ChCapCaptureFilterSection>>.
* Save packets in multiple files while doing a long term capture, optionally
rotating through a fixed number of files (a ``ringbuffer''). See
rotating through a fixed number of files (a “ringbuffer”). See
<<ChCapCaptureFiles>>.
* Simultaneously capture from multiple network interfaces.
@ -131,7 +131,7 @@ comment added in <<ChCustInterfaceOptionsSection>>.
_IP_::
The first IP address Wireshark could find for this interface. You can click on
the address to cycle through other addresses assigned to it, if available. If no
address could be found ``none'' will be displayed.
address could be found “none” will be displayed.
_Packets_::
@ -186,7 +186,7 @@ the defaults as this should work well in many cases.
The table shows the settings for all available interfaces:
* The name of the interface and its IP addresses. If no address could be
resolved from the system, ``none'' will be shown.
resolved from the system, “none” will be shown.
--
[NOTE]
====
@ -366,7 +366,7 @@ You can set the following fields in this dialog box:
_IP address_::
The IP address(es) of the selected interface. If no address could be resolved
from the system ``none'' will be shown.
from the system “none” will be shown.
_Link-layer header type_::
Unless you are in the rare situation that requires this keep the default setting.
@ -410,7 +410,7 @@ most protocols. Some rules of thumb:
dropped if traffic is very heavy.
* If you don't capture all of the data in a packet you might find that the
packet data you want is in the part that's dropped or that reassembly isn't
packet data you want is in the part thats dropped or that reassembly isn't
possible as the data required for reassembly is missing.
_Buffer size: n megabyte(s)_::
@ -498,7 +498,7 @@ activated, it is not automatically added to the list to prevent the constant
scanning for a change in the list of available interfaces. To renew the list a
rescan can be done.
One way to hide an interface is to change the preferences. If the ``Hide''
One way to hide an interface is to change the preferences. If the “Hide”
checkbox is activated and the btn:[Apply] button clicked, the interface will
not be seen in the lists of the ``Capture Interfaces'' dialog box any more. The
changes are also saved in the `preferences` file.
@ -645,9 +645,9 @@ from the network card and keep the packet data in a (relatively) small kernel
buffer. This data is read by Wireshark and saved into a capture file.
By default Wireshark saves packets to a temporary file. You can also tell
Wireshark to save to a specific (``permanent'') file and switch to a
Wireshark to save to a specific (“permanent”) file and switch to a
different file after a given time has elapsed or a given number of packets
have been captured. These options are controlled in the ``Output'' tab in
have been captured. These options are controlled in the “Output” tab in
the ``Capture Options'' dialog.
[[ChCapCaptureOptionsOutputDialog]]
@ -703,7 +703,7 @@ _Multiple files, ring buffer_::
conditions (one of the ``Next file every ...'' values) will switch to the next
file. This will be a newly created file if value of ``Ring buffer with n files''
is not reached, otherwise it will replace the oldest of the formerly used files
(thus forming a ``ring'').
(thus forming a “ring”).
+
This mode will limit the maximum disk usage, even for an unlimited amount of
capture input data, only keeping the latest captured data.
@ -716,16 +716,16 @@ In most cases you won't have to modify link-layer header type. Some exceaptions
are as follows:
If you are capturing on an Ethernet device you might be offered a choice of
``Ethernet'' or ``DOCSIS''. If you are capturing traffic from a Cisco Cable
“Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable
Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be
captured, select ``DOCSIS'', otherwise select ``Ethernet''.
captured, select “DOCSIS”, otherwise select “Ethernet”.
If you are capturing on an 802.11 device on some versions of BSD you might be
offered a choice of ``Ethernet'' or ``802.11''. ``Ethernet'' will cause the
captured packets to have fake (``cooked'') Ethernet headers. ``802.11'' will
offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the
captured packets to have fake (“cooked”) Ethernet headers. “802.11” will
cause them to have full IEEE 802.11 headers. Unless the capture needs to be read
by an application that doesn't support 802.11 headers you should select
``802.11''.
“802.11”.
If you are capturing on an Endace DAG card connected to a synchronous serial
line you might be offered a choice of ``PPP over serial'' or ``Cisco HDLC''. If
@ -747,7 +747,7 @@ overview of the syntax follows. Complete documentation can be found in
the link:{pcap-filter-man-page-url}[pcap-filter man page]. You can find
a lot of Capture Filter examples at {wireshark-wiki-url}CaptureFilters.
You enter the capture filter into the ``Filter'' field of the Wireshark
You enter the capture filter into the “Filter” field of the Wireshark
``Capture Options'' dialog box, as shown in <<ChCapCaptureOptionsDialog>>.
A capture filter takes the form of a series of primitive expressions connected
@ -786,26 +786,26 @@ tcp port 23 and not src host 10.0.0.5
// XXX - add examples to the following list.
A primitive is simply one of the following: _[src|dst] host &lt;host&gt;_::
A primitive is simply one of the following: _[src|dst] host <host>_::
This primitive allows you to filter on a host IP address or name. You can
optionally precede the primitive with the keyword _src|dst_ to specify that you
are only interested in source or destination addresses. If these are not
present, packets where the specified address appears as either the source or the
destination address will be selected.
_ether [src|dst] host &lt;ehost&gt;_::
_ether [src|dst] host <ehost>_::
This primitive allows you to filter on Ethernet host addresses. You can
optionally include the keyword _src|dst_ between the keywords _ether_ and _host_
to specify that you are only interested in source or destination addresses. If
these are not present, packets where the specified address appears in either the
source or destination address will be selected.
_gateway host &lt;host&gt;_::
_gateway host <host>_::
This primitive allows you to filter on packets that used _host_ as a gateway.
That is, where the Ethernet source or destination was _host_ but neither the
source nor destination IP address was _host_.
_[src|dst] net &lt;net&gt; [{mask &lt;mask&gt;}|{len &lt;len&gt;}]_::
_[src|dst] net <net> [{mask <mask>}|{len <len>}]_::
This primitive allows you to filter on network numbers. You can optionally
precede this primitive with the keyword _src|dst_ to specify that you are only
interested in a source or destination network. If neither of these are present,
@ -814,7 +814,7 @@ destination address. In addition, you can specify either the netmask or the CIDR
prefix for the network if they are different from your own.
_[tcp|udp] [src|dst] port &lt;port&gt;_::
_[tcp|udp] [src|dst] port <port>_::
This primitive allows you to filter on TCP and UDP port numbers. You can
optionally precede this primitive with the keywords _src|dst_ and _tcp|udp_
which allow you to specify that you are only interested in source or destination
@ -825,12 +825,12 @@ If these are not specified, packets will be selected for both the TCP and UDP
protocols and when the specified address appears in either the source or
destination port field.
_less|greater &lt;length&gt;_::
_less|greater <length>_::
This primitive allows you to filter on packets whose length was less than or
equal to the specified length, or greater than or equal to the specified length,
respectively.
_ip|ether proto &lt;protocol&gt;_::
_ip|ether proto <protocol>_::
This primitive allows you to filter on the specified protocol at either the
Ethernet layer or the IP layer.
@ -838,7 +838,7 @@ _ether|ip broadcast|multicast_::
This primitive allows you to filter on either Ethernet or IP broadcasts or
multicasts.
_&lt;expr&gt; relop &lt;expr&gt;_:: This primitive allows you to create
_<expr> relop <expr>_:: This primitive allows you to create
complex filter expressions that select bytes or ranges of bytes in
packets. Please see the pcap-filter man page at
{pcap-filter-man-page-url} for more details.
@ -853,31 +853,31 @@ terminal server, ...), the remote content has to be transported over the
network, adding a lot of (usually unimportant) packets to the actually
interesting traffic.
To avoid this, Wireshark tries to figure out if it's remotely connected (by
To avoid this, Wireshark tries to figure out if its remotely connected (by
looking at some specific environment variables) and automatically creates a
capture filter that matches aspects of the connection.
The following environment variables are analyzed:
_$$SSH_CONNECTION$$_ (ssh)::
&lt;remote IP&gt; &lt;remote port&gt; &lt;local IP&gt; &lt;local port&gt;
<remote IP> <remote port> <local IP> <local port>
_$$SSH_CLIENT$$_ (ssh)::
&lt;remote IP&gt; &lt;remote port&gt; &lt;local port&gt;
<remote IP> <remote port> <local port>
_REMOTEHOST_ (tcsh, others?)::
&lt;remote name&gt;
<remote name>
_DISPLAY_ (x11)::
[remote name]:&lt;display num&gt;
[remote name]:<display num>
_SESSIONNAME_ (terminal server)::
&lt;remote name&gt;
<remote name>
On Windows it asks the operating system if it's running in a Remote Desktop Services environment.
On Windows it asks the operating system if its running in a Remote Desktop Services environment.
////
@ -934,7 +934,7 @@ dialog'' option is used.
A running capture session can be restarted with the same capture options as the
last time, this will remove all packets previously captured. This can be useful,
if some uninteresting packets are captured and there's no need to keep them.
if some uninteresting packets are captured and theres no need to keep them.
Restart is a convenience function and equivalent to a capture stop following by
an immediate capture start. A restart can be triggered in one of the following

74
docbook/wsug_src/WSUG_chapter_customize.asciidoc
View File

@ -10,7 +10,7 @@
=== Introduction
Wireshark's default behaviour will usually suit your needs pretty well. However,
Wiresharks default behaviour will usually suit your needs pretty well. However,
as you become more familiar with Wireshark, it can be customized in various ways
to suit your needs even better. In this chapter we explore:
@ -152,7 +152,7 @@ name is based on the number of the file and on the creation date and
time.
+
When the first capture file fills up Wireshark will switch to writing
to the next file, and so on. With the <command>files</command> option it's
to the next file, and so on. With the <command>files</command> option its
also possible to form a ``ring buffer.'' This will fill up new files until the
number of files specified, at which point the data in the first file will be
discarded so a new file can be written.
@ -235,7 +235,7 @@ interfaces, and choosing the first loopback interface if there are no
non-loopback interfaces; if there are no interfaces, Wireshark reports an error
and doesn't start the capture.
+
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read
Pipe names should be either the name of a FIFO (named pipe) or “-” to read
data from the standard input. Data read from pipes must be in standard libpcap
format.
@ -322,7 +322,7 @@ wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
You can get a list of all available preference strings from the
preferences file. See <<AppFiles>> for details.
User access tables can be overridden using ``uat,'' followed by
User access tables can be overridden using “uat,” followed by
the UAT file name and a valid record for the file:
----
@ -355,7 +355,7 @@ The criterion is of the form key:path, where key is one of:
persdata:path::
Path of personal data files, it's the folder initially opened. After the
Path of personal data files, its the folder initially opened. After the
initialization, the recent file will keep the folder last used.
--
@ -413,7 +413,7 @@ are seconds since epoch (Jan 1, 1970 00:00:00)
-u <s | hms>::
Show timesamps as seconds (`s', the default) or hours, minutes, and seconds (`hms')
Show timesamps as seconds (“s”, the default) or hours, minutes, and seconds (“hms”)
-v::
@ -509,7 +509,7 @@ will match first).
====
You can create a new rule by clicking on the btn:[+] button. You can delete
one or more rules by clicking the btn:[-] button. The ``copy'' button will
one or more rules by clicking the btn:[-] button. The “copy” button will
duplicate a rule.
You can edit a rule by double-clicking on its name or filter. In
@ -543,7 +543,7 @@ The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will
typically involve several dissectors. As Wireshark tries to find the right
dissector for each packet (using static ``routes'' and heuristics ``guessing"),
dissector for each packet (using static “routes” and heuristics ``guessing"),
it might choose the wrong dissector in your specific case. For example,
Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g.
using HTTP on TCP port 800 instead of the standard port 80.
@ -683,8 +683,8 @@ image::wsug_graphics/ws-gui-preferences.png[{screenshot-attrs}]
==== Interface Options
In the ``Capture'' preferences it is possible to configure several options for the
interfaces available on your computer. Select the ``Capture'' pane and press the
In the “Capture” preferences it is possible to configure several options for the
interfaces available on your computer. Select the “Capture” pane and press the
btn:[Edit] button. In this window it is possible to change the default
link-layer header type for the interface, add a comment or choose to hide a
interface from other parts of the program.
@ -718,7 +718,7 @@ Configuration Profiles can be used to configure and use more than one set of
preferences and configurations. Select the _Configuration Profiles..._ menu item
from the _Edit_ menu, or simply press Shift-Ctrl-A; and Wireshark will pop up
the Configuration Profiles dialog box as shown in
<<ChCustGUIConfigProfilesPage>>. It is also possible to click in the ``Profile''
<<ChCustGUIConfigProfilesPage>>. It is also possible to click in the “Profile”
part of the statusbar to popup a menu with available Configuration Profiles
(<<ChUseWiresharkStatusbarProfile>>).
@ -774,7 +774,7 @@ Configuration files stored in the Profiles:
* Some recent settings (recent), such as pane sizes in the Main window
(<<ChUseMainWindowSection>>), column widths in the packet list
(<<ChUsePacketListPaneSection>>), all selections in the ``View'' menu
(<<ChUsePacketListPaneSection>>), all selections in the “View” menu
(<<ChUseViewMenuSection>>) and the last directory navigated to in the File
Open dialog.
@ -792,12 +792,12 @@ profile is ``New profile'' and can be changed in the Properties field.
Copy::
This button adds a new profile to the profiles list, copying all configuration
from the profile currently selected in the list. The name of the created profile
is the same as the copied profile, with the text ``(copy)'' applied. The name
is the same as the copied profile, with the text “(copy)” applied. The name
can be changed in the Properties field.
Delete::
This button deletes the selected profile, including all configuration files used
in this profile. It is not possible to delete the ``Default'' profile.
in this profile. It is not possible to delete the “Default” profile.
Configuration Profiles::
You can select a configuration profile from this list (which will fill in the
@ -812,9 +812,9 @@ configurations'' folder. If adding multiple profiles with the same name, only
one profile will be created.
On Windows the profile name cannot start or end with a period (.), and cannot
contain any of the following characters: `&#x5c;', `&#x2f;', `:', `&#x2a;',
`&#x3f;', `&#x60;', `<', `>', `&#x7c;', or `&#x2b;'. On Unix the profile name
cannot contain the `&#x2f;' character.
contain any of the following characters: “{backslash}”, “/”, “:”, “{asterisk}”,
“?”, “{backtick}”, “<”, “>”, “|”, or “{plus}”. On Unix the profile name
cannot contain the “/” character.
--
btn:[OK]::
@ -913,23 +913,23 @@ under ESP protocol preference respectively.
This table is handled by an <<ChUserTable>> with the following fields.
Initiator's SPI::
Initiator's SPI of the IKE_SA. This field takes hexadecimal string without
``0x'' prefix and the length must be 16 hex chars (represents 8 octets).
Initiators SPI::
Initiators SPI of the IKE_SA. This field takes hexadecimal string without
“0x” prefix and the length must be 16 hex chars (represents 8 octets).
Responder's SPI::
Responder's SPI of the IKE_SA. This field takes hexadecimal string without
``0x'' prefix and the length must be 16 hex chars (represents 8 octets).
Responders SPI::
Responders SPI of the IKE_SA. This field takes hexadecimal string without
“0x” prefix and the length must be 16 hex chars (represents 8 octets).
SK_ei::
Key used to encrypt/decrypt IKEv2 packets from initiator to responder. This
field takes hexadecimal string without ``0x'' prefix and its length must meet
field takes hexadecimal string without “0x” prefix and its length must meet
the requirement of the encryption algorithm selected.
SK_er::
Key used to encrypt/decrypt IKEv2 packets from responder to initiator. This
field takes hexadecimal string without ``0x'' prefix and its length must meet
field takes hexadecimal string without “0x” prefix and its length must meet
the requirement of the encryption algorithm selected.
Encryption Algorithm::
@ -937,12 +937,12 @@ Encryption algorithm of the IKE_SA.
$$SK_ai$$::
Key used to calculate Integrity Checksum Data for IKEv2 packets from responder
to initiator. This field takes hexadecimal string without ``0x'' prefix and its
to initiator. This field takes hexadecimal string without “0x” prefix and its
length must meet the requirement of the integrity algorithm selected.
$$SK_ar$$::
Key used to calculate Integrity Checksum Data for IKEv2 packets from initiator
to responder. This field takes hexadecimal string without ``0x'' prefix and its
to responder. This field takes hexadecimal string without “0x” prefix and its
length must meet the requirement of the integrity algorithm selected.
Integrity Algorithm::
@ -964,20 +964,20 @@ Wireshark uses this table to allow the user to define the name and syntax of
Object Identifiers that Wireshark does not know about (for example, a privately
defined X.400 extension). It also allows the user to override the name and
syntax of Object Identifiers that Wireshark does know about (e.g. changing the
name ``id-at-countryName'' to just ``c'').
name “id-at-countryName” to just “c”).
This table is handled by an <<ChUserTable>> with the following fields.
OID::
The string representation of the Object Identifier e.g. ``2.5.4.6''.
The string representation of the Object Identifier e.g. “2.5.4.6”.
Name::
The name that should be displayed by Wireshark when the Object Identifier is
dissected e.g. (``c'');
dissected e.g. (“c”);
Syntax::
The syntax of the value associated with the Object Identifier. This must be one
of the syntaxes that Wireshark already knows about (e.g. ``PrintableString'').
of the syntaxes that Wireshark already knows about (e.g. “PrintableString”).
[[ChPresContextList]]
@ -1081,7 +1081,7 @@ different SNMP-engines the first entry to match both is taken, if you need a
catch all engine-id (empty) that entry should be the last one.
Authentication model::
Which auth model to use (either ``MD5'' or ``SHA1'').
Which auth model to use (either “MD5” or “SHA1”).
Password::
The authentication password. Use _\xDD_ for unprintable characters. An
@ -1091,7 +1091,7 @@ _\x01\x02\x03\x04\x05\x06_. The _\_ character must be treated as an unprintable
character, i.e. it must be entered as _\x5C_ or _\x5c_.
Privacy protocol::
Which encryption algorithm to use (either ``DES'' or ``AES").
Which encryption algorithm to use (either “DES” or ``AES").
Privacy password::
The privacy password. Use _\xDD_ for unprintable characters. An hexadecimal
@ -1118,7 +1118,7 @@ specific case and a general one the specific one must appear first in the list.
Protocol::
This is the name of the encapsulating protocol (the lowest layer in the packet
data) it can be either just the name of the protocol (e.g. mtp2, eth_witoutfcs,
sscf-nni ) or the name of the encapsulation protocol and the ``application''
sscf-nni ) or the name of the encapsulation protocol and the “application”
protocol over it separated by a colon (e.g sscop:sscf-nni, sscop:alcap,
sscop:nbap, ...)
@ -1136,21 +1136,21 @@ One of the user dlts.
Payload protocol::
This is the name of the payload protocol (the lowest layer in the packet data).
(e.g. ``eth'' for ethernet, ``ip'' for IPv4)
(e.g. “eth” for ethernet, “ip” for IPv4)
Header size::
If there is a header protocol (before the payload protocol) this tells which
size this header is. A value of 0 disables the header protocol.
Header protocol::
The name of the header protocol to be used (uses ``data'' as default).
The name of the header protocol to be used (uses “data” as default).
Trailer size::
If there is a trailer protocol (after the payload protocol) this tells which
size this trailer is. A value of 0 disables the trailer protocol.
Trailer protocol::
The name of the trailer protocol to be used (uses ``data'' as default).
The name of the trailer protocol to be used (uses “data” as default).
++++++++++++++++++++++++++++++++++++++
<!-- End of WSUG Chapter Customizing -->

25
docbook/wsug_src/WSUG_chapter_introduction.asciidoc
View File

@ -15,8 +15,8 @@ capture network packets and tries to display that packet data as detailed as
possible.
You could think of a network packet analyzer as a measuring device used to
examine what's going on inside a network cable, just like a voltmeter is used by
an electrician to examine what's going on inside an electric cable (but at a
examine whats going on inside a network cable, just like a voltmeter is used by
an electrician to examine whats going on inside an electric cable (but at a
higher level, of course).
In the past, such tools were either very expensive, proprietary, or both.
@ -164,9 +164,10 @@ is single-threaded and won't benefit much from multi-core systems.
* 300 MB available disk space. Capture files require additional disk space.
* 1024&#xd7;768 (1280&#xd7;1024 or higher recommended) resolution with at
least 16 bit color. 8 bit color should work but user experience will be
degraded. Power users will find multiple monitors useful.
* 1024 {multiplication} 768 (1280 {multiplication} 1024 or higher
recommended) resolution with at least 16-bit color. 8-bit color should
work but user experience will be degraded. Power users will find
multiple monitors useful.
* A supported network card for capturing
@ -181,7 +182,7 @@ is single-threaded and won't benefit much from multi-core systems.
- Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[].
Older versions of Windows which are outside Microsoft's extended lifecycle
Older versions of Windows which are outside Microsofts extended lifecycle
support window are no longer supported. It is often difficult or impossible to
support these systems due to circumstances beyond our control, such as third
party libraries on which we depend or due to necessary features that are only
@ -310,7 +311,7 @@ You gain three benefits by contributing your improvements back to the community:
will know that you have helped people in the same way that the developers of
Wireshark have helped people.
. The developers of Wireshark might improve your changes even more, as there's
. The developers of Wireshark might improve your changes even more, as theres
always room for improvement. Or they may implement some advanced things on top
of your code, which can be useful for yourself too.
@ -344,7 +345,7 @@ You will find lots of useful information on the Wireshark homepage at
The Wireshark Wiki at {wireshark-wiki-url} provides a
wide range of information related to Wireshark and packet capture in general.
You will find a lot of information not part of this user's guide. For example,
You will find a lot of information not part of this users guide. For example,
there is an explanation how to capture on a switched network, an ongoing effort
to build a protocol reference and a lot more.
@ -383,7 +384,7 @@ You will find the FAQ inside Wireshark by clicking the menu item Help/Contents
and selecting the FAQ page in the dialog shown.
An online version is available at the Wireshark website at
{wireshark-faq-url}. You might prefer this online version, as it's
{wireshark-faq-url}. You might prefer this online version, as its
typically more up to date and the HTML format is easier to use.
[[ChIntroMailingLists]]
@ -430,7 +431,7 @@ version of Wireshark.
When reporting problems with Wireshark please supply the following information:
. The version number of Wireshark and the dependent libraries linked with it,
such as Qt or GLib. You can obtain this from Wireshark's about box or the
such as Qt or GLib. You can obtain this from Wiresharks about box or the
command _wireshark -v_.
. Information about the platform you run Wireshark on.
@ -445,7 +446,7 @@ When reporting problems with Wireshark please supply the following information:
[NOTE]
.Don't send large files
====
Do not send large files (&gt; 1 MB) to the mailing lists. Just place a note that
Do not send large files (> 1 MB) to the mailing lists. Just place a note that
further data is available on request. Large files will only annoy a lot of
people on the list who are not interested in your specific problem. If required
you will be asked for further data by the persons who really can help you.
@ -473,7 +474,7 @@ backtrace
^D
----
If you do not have _gdb_ available, you will have to check out your operating system's debugger.
If you do not have _gdb_ available, you will have to check out your operating systems debugger.
Mail _backtrace.txt_ to mailto:{wireshark-dev-list-email}[].

83
docbook/wsug_src/WSUG_chapter_io.asciidoc
View File

@ -31,10 +31,10 @@ select the menu:File[Open] menu or toolbar item. Wireshark will then pop up
the ``File Open'' dialog box, which is discussed in more detail in <<ChIOOpen>>.
[TIP]
.It's convenient to use drag-and-drop
.Its convenient to use drag-and-drop
====
You can open a file by simply dragging it in your file manager and dropping it
onto Wireshark's main window. However, drag-and-drop may not be available in all
onto Wiresharks main window. However, drag-and-drop may not be available in all
desktop environments.
====
@ -73,7 +73,7 @@ Wireshark extensions to the standard behaviour of these dialogs:
* Specify a display filter with the btn:[Filter] button and filter field.
This filter will be used when opening the new file. The text field background
becomes green for a valid filter string and red for an invalid one. Clicking
on the btn:[Filter] button causes Wireshark to pop up the ``Filters''
on the btn:[Filter] button causes Wireshark to pop up the “Filters”
dialog box (which is discussed further in <<ChWorkDisplayFilterSection>>).
+
// XXX - we need a better description of these read filters
@ -93,18 +93,18 @@ it can be a good idea to set at least the filter in advance here.
[[ChIOOpenFileDialogWin32]]
.``Open'' on Microsoft Windows
.“Open” on Microsoft Windows
image::wsug_graphics/ws-open-win32.png[{screenshot-attrs}]
This is the common Windows file open dialog - plus some Wireshark extensions.
Specific for this dialog:
* The btn:[Help] button will lead you to this section of this ``User's Guide''.
* The btn:[Help] button will lead you to this section of this “`User”s Guide''.
[[ChIOOpenFileDialog]]
.``Open'' - Linux and UNIX
.“Open” - Linux and UNIX
image::wsug_graphics/ws-open-gtk24.png[{screenshot-attrs}]
This is the common Gimp/GNOME file open dialog plus some Wireshark extensions.
@ -116,7 +116,7 @@ Specific for this dialog:
persistent.
* The btn:[-] button allows you to remove a selected directory from the list.
Some items (such as ``Desktop'') cannot be removed from the favorites list.
Some items (such as “Desktop”) cannot be removed from the favorites list.
* If Wireshark doesn't recognize the selected file as a capture file it will
grey out the btn:[Open] button.
@ -155,15 +155,15 @@ The following file formats from other capture tools can be opened by Wireshark:
* AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
* RADCOM's WAN/LAN Analyzer captures
* RADCOMs WAN/LAN Analyzer captures
* Network Instruments Observer version 9 captures
* Lucent/Ascend router debug output
* HP-UX's nettl
* HP-UXs nettl
* Toshiba's ISDN routers dump output
* Toshibas ISDN routers dump output
* ISDN4BSD _i4btrace_ utility
@ -173,7 +173,7 @@ The following file formats from other capture tools can be opened by Wireshark:
* pppd logs (pppdump format)
* the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the output from VMSs TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the text output from the DBS Etherwatch VMS utility
@ -181,7 +181,7 @@ The following file formats from other capture tools can be opened by Wireshark:
* the output from CoSine L2 debug
* the output from Accellent's 5Views LAN agents
* the output from Accellents 5Views LAN agents
* Endace Measurement Systems' ERF format captures
@ -236,21 +236,21 @@ should be the same across systems.
[[ChIOSaveAsFileWin32]]
.``Save'' on Microsoft Windows
.“Save” on Microsoft Windows
image::wsug_graphics/ws-save-as-win32.png[{screenshot-attrs}]
This is the common Windows file save dialog with some additional Wireshark extensions.
Specific behavior for this dialog:
* If available, the ``Help'' button will lead you to this section of this "User's Guide".
* If available, the “Help” button will lead you to this section of this "Users Guide".
* If you don't provide a file extension to the filename (e.g. `.pcap`) Wireshark
will append the standard file extension for that file format.
[[ChIOSaveAsFile2]]
.``Save'' on Linux and UNIX
.“Save” on Linux and UNIX
image::wsug_graphics/ws-save-as-gtk24.png[{screenshot-attrs}]
This is the common Gimp/GNOME file save dialog with additional Wireshark extensions.
@ -309,29 +309,30 @@ time stamp accuracy; see the <<ChAdvTimestamps>> for details.
The following file formats can be saved by Wireshark (with the known file extensions):
* pcapng ($$*$$.pcapng). A flexible, etensible successor to the libpcap format.
Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8
used libpcap.
* pcapng ({asterisk}.pcapng). A flexible, etensible successor to the
libpcap format. Wireshark 1.8 and later save files as pcapng by
default. Versions prior to 1.8 used libpcap.
* libpcap, tcpdump and various other tools using tcpdump's capture format ($$*$$.pcap,$$*$$.cap,$$*$$.dmp)
* libpcap, tcpdump and various other tools using tcpdumps capture
format ({asterisk}.pcap,{asterisk}.cap,{asterisk}.dmp)
* Accellent 5Views ($$*$$.5vw)
* Accellent 5Views ({asterisk}.5vw)
* HP-UX's nettl ($$*$$.TRC0,$$*$$.TRC1)
* HP-UXs nettl ({asterisk}.TRC0,{asterisk}.TRC1)
* Microsoft Network Monitor - NetMon ($$*$$.cap)
* Microsoft Network Monitor - NetMon ({asterisk}.cap)
* Network Associates Sniffer - DOS ($$*$$.cap,$$*$$.enc,$$*$$.trc,*fdc,$$*$$.syc)
* Network Associates Sniffer - DOS ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,*fdc,{asterisk}.syc)
* Network Associates Sniffer - Windows ($$*$$.cap)
* Network Associates Sniffer - Windows ({asterisk}.cap)
* Network Instruments Observer version 9 ($$*$$.bfr)
* Network Instruments Observer version 9 ({asterisk}.bfr)
* Novell LANalyzer ($$*$$.tr1)
* Novell LANalyzer ({asterisk}.tr1)
* Oracle (previously Sun) snoop ($$*$$.snoop,$$*$$.cap)
* Oracle (previously Sun) snoop ({asterisk}.snoop,{asterisk}.cap)
* Visual Networks Visual UpTime traffic ($$*.*$$)
* Visual Networks Visual UpTime traffic ({asterisk}.{asterisk})
New file formats are added from time to time.
@ -341,7 +342,7 @@ Whether or not the above tools will be more helpful than Wireshark is a differen
[NOTE]
.Third party protocol analyzers may require specific file extensions
====
Wireshark examines a file's contents to determine its type. Some other protocol
Wireshark examines a files contents to determine its type. Some other protocol
analyzers only look at a filename extensions. For example, you might need to use
the `.cap` extension in order to open a file using _Sniffer_.
====
@ -356,7 +357,7 @@ be useful if you have captured simultaneously from multiple interfaces at once
There are three ways to merge capture files using Wireshark:
* Use the menu:File[Merge] menu to open the ``Merge'' dialog. See
* Use the menu:File[Merge] menu to open the “Merge” dialog. See
<<ChIOMergeDialog>>. This menu item will be disabled unless you have loaded a
capture file.
@ -398,14 +399,14 @@ Append the packets from the selected file after the currently loaded packets.
[[ChIOMergeFileWin32]]
.``Merge'' on Microsoft Windows
.“Merge” on Microsoft Windows
image::wsug_graphics/ws-merge-win32.png[{screenshot-attrs}]
This is the common Windows file open dialog with additional Wireshark extensions.
[[ChIOMergeFile2]]
.``Merge'' on Linux and UNIX
.“Merge” on Linux and UNIX
image::wsug_graphics/ws-merge-gtk24.png[{screenshot-attrs}]
This is the common Gimp/GNOME file open dialog with additional Wireshark extensions.
@ -440,7 +441,7 @@ Here is a sample dump that can be imported:
There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Byte and hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters _&gt;_. Any lines of text between the bytestring lines are ignored.
characters _>_. Any lines of text between the bytestring lines are ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
@ -550,7 +551,7 @@ some features to handle these file sets in a convenient way.
****
A filename in a file set uses the format Prefix_Number_DateTimeSuffix which
might look something like `test_00001_20060420183910.pcap`. All files of a file
set share the same prefix (e.g. ``test'') and suffix (e.g. ``.pcap'') and a
set share the same prefix (e.g. “test”) and suffix (e.g. “.pcap”) and a
varying middle part.
To find the files of a file set, Wireshark scans the directory where the
@ -716,7 +717,7 @@ image::wsug_graphics/ws-export-psml.png[{screenshot-attrs}]
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
There's no such thing as a packet details frame for PSML export, as the packet
Theres no such thing as a packet details frame for PSML export, as the packet
format is defined by the PSML specification.
[[ChIOExportPDMLDialog]]
@ -729,7 +730,7 @@ link:http://www.nbee.org/doku.php?id=netpdl:pdml_specification[].
[NOTE]
====
The PDML specification is not officially released and Wireshark's implementation
The PDML specification is not officially released and Wiresharks implementation
of it is still in an early beta state, so please expect changes in future
Wireshark versions.
====
@ -741,7 +742,7 @@ image::wsug_graphics/ws-export-pdml.png[{screenshot-attrs}]
* The _Packet Range_ frame is described in <<ChIOPacketRangeSection>>.
There's no such thing as a packet details frame for PDML export, as the packet
Theres no such thing as a packet details frame for PDML export, as the packet
format is defined by the PDML specification.
[[ChIOExportSelectedDialog]]
@ -790,7 +791,7 @@ image::wsug_graphics/ws-export-objects.png[{screenshot-attrs}]
typically indicates that the file was received in response to a HTTP POST
request.
* _Help:_ Opens this section in the user's guide.
* _Help:_ Opens this section in the users guide.
* _Close:_ Closes this dialog.
@ -809,14 +810,14 @@ image::wsug_graphics/ws-export-objects.png[{screenshot-attrs}]
=== Printing packets
To print packets, select the menu:File[Print...] menu item. When you
do this Wireshark pops up the ``Print'' dialog box as shown in
do this Wireshark pops up the “Print” dialog box as shown in
<<ChIOPrintDialogBox>>.
==== The ``Print'' dialog box
==== The “Print” dialog box
[[ChIOPrintDialogBox]]
.The ``Print'' dialog box
.The “Print” dialog box
image::wsug_graphics/ws-print.png[{screenshot-attrs}]
The following fields are available in the Print dialog box: _Printer_::

22
docbook/wsug_src/WSUG_chapter_statistics.asciidoc
View File

@ -44,11 +44,11 @@ be pretty hard to understand.
[[ChStatSummary]]
=== The ``Summary'' window
=== The “Summary” window
General statistics about the current capture file.
.The ``Summary'' window
.The “Summary” window
image::wsug_graphics/ws-stats-summary.png[{screenshot-attrs}]
* __File__: general information about the capture file.
@ -88,7 +88,7 @@ The btn:[Copy] button will let you copy the window contents as CSV or YAML.
.Protocol hierarchy columns
_Protocol_:: This protocol's name
_Protocol_:: This protocols name
_Percent Packets_:: The percentage of protocol packets relative to all packets in
the capture
@ -136,7 +136,7 @@ description of the known endpoint types can be found in
[[ChStatConversationsWindow]]
==== The ``Conversations'' window
==== The “Conversations” window
The conversations window is similar to the endpoint Window. See
<<ChStatEndpointsWindow>> for a description of their common features. Along with
@ -144,9 +144,9 @@ addresses, packet counters, and byte counters the conversation window adds four
columns: the start time of the conversation (``Rel Start'') or (``Abs Start''),
the duration of the conversation in seconds, and the average bits (not bytes)
per second in each direction. A timeline graph is also drawn across the
``Rel Start'' / ``Abs Start'' and ``Duration'' columns.
``Rel Start'' / ``Abs Start'' and “Duration” columns.
.The ``Conversations'' window
.The “Conversations” window
image::wsug_graphics/ws-stats-conversations.png[{screenshot-attrs}]
Each row in the list shows the statistical values for exactly one conversation.
@ -196,7 +196,7 @@ you're looking for.
_Bluetooth_:: A MAC-48 address similar to Ethernet.
_Ethernet_:: Identical to the Ethernet device's MAC-48 identifier.
_Ethernet_:: Identical to the Ethernet devices MAC-48 identifier.
_Fibre Channel_:: A MAC-48 address similar to Ethernet.
@ -209,7 +209,7 @@ _IPv4_:: Identical to the 32-bit IPv4 address.
_IPv6_:: Identical to the 128-bit IPv6 address.
_IPX_:: A concatenation of a 32 bit network number and 48 bit node address, by
default the Ethernet interface's MAC-48 address.
default the Ethernet interfaces MAC-48 address.
_JXTA_:: A 160 bit SHA-1 URN.
@ -242,11 +242,11 @@ will be received by some or all of the listed unicast endpoints.
[[ChStatEndpointsWindow]]
==== The ``Endpoints'' window
==== The “Endpoints” window
This window shows statistics about the endpoints captured.
.The ``Endpoints'' window
.The “Endpoints” window
image::wsug_graphics/ws-stats-endpoints.png[{screenshot-attrs}]
For each supported protocol, a tab is shown in this window. Each tab label shows
@ -421,7 +421,7 @@ You can configure the following:
The info column contains new numbering so the same packets are parallel.
The color filtering differentiate the two files from each other. A
``zebra'' effect is create if the Info column is sorted.
“zebra” effect is create if the Info column is sorted.
[TIP]
====

10
docbook/wsug_src/WSUG_chapter_troubleshoot.asciidoc
View File

@ -38,7 +38,7 @@ systems and then copy the capture file to your system for later analysis. For
more details on capturing with _tcpdump_, see <<Ch05tcpdump>>.
* Once you have captured packets that you think relate to the problem, load them
into Wireshark and look for your problem. Using Wireshark's filtering and
into Wireshark and look for your problem. Using Wiresharks filtering and
colorization capabilities, you can quickly narrow down the capture to the area
of interest.
@ -49,7 +49,7 @@ more details on capturing with _tcpdump_, see <<Ch05tcpdump>>.
=== Capturing in the presence of switches and routers
In the old days of Ethernet, all network traffic was spread over one ``yellow''
In the old days of Ethernet, all network traffic was spread over one “yellow”
cable through the whole network. Capturing data was easy, as all packets from
the network could be captured using the ``promiscuous mode'' at any place in the
network. The only devices blocking network traffic, were routers. But as routers
@ -62,12 +62,12 @@ change.
At the next stage, Ethernet switches became widely available. This complicated
things a lot. When capturing traffic on a computer connected to a switch,
usually the switch will only forward packets to the computer, which are directed
to it, or to all computers (broadcasts). It's much the same like deactivating
to it, or to all computers (broadcasts). Its much the same like deactivating
the promiscuous mode of the capturing network card.
There are some ways to circumvent this.
Many vendor's switches support a feature known as ``port spanning'' or ``port
Many vendors switches support a feature known as ``port spanning'' or ``port
mirroring'' in which all of the traffic to and from port A are also sent out
port B. An excellent reference on the ``port spanning'' feature of Cisco
switches can be found at
@ -82,4 +82,4 @@ exchanged.
++++++++++++++++++++++++++++++++++++++
<!-- End of WSUG Chapter 4 -->
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++

122
docbook/wsug_src/WSUG_chapter_use.asciidoc
View File

@ -28,7 +28,7 @@ You can start Wireshark from your shell or window manager.
[TIP]
.Power user tip
====
When starting Wireshark it's possible to specify optional settings using the
When starting Wireshark its possible to specify optional settings using the
command line. See <<ChCustCommandLine>> for details.
====
@ -43,7 +43,7 @@ still be well understandable.
=== The Main window
Let's look at Wireshark's user interface. <<ChUseFig01>> shows Wireshark as you
Lets look at Wiresharks user interface. <<ChUseFig01>> shows Wireshark as you
would usually see it after some packets are captured or loaded (how to do this
will be described later).
@ -51,7 +51,7 @@ will be described later).
.The Main window
image::wsug_graphics/ws-main.png[{screenshot-attrs}]
Wireshark's main window consists of parts that are commonly known from many
Wiresharks main window consists of parts that are commonly known from many
other GUI programs.
. The _menu_ (see <<ChUseMenuSection>>) is used to start actions.
@ -91,19 +91,19 @@ a capture file. See <<ChUseTabGo>> for additional navigation keystrokes.
|===============
|Accelerator |Description
|kbd:[Tab], kbd:[Shift+Tab]|Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.
|kbd:[Down] |Move to the next packet or detail item.
|kbd:[Up] |Move to the previous packet or detail item.
|kbd:[Ctrl+Down], kbd:[F8] |Move to the next packet, even if the packet list isn't focused.
|kbd:[Ctrl+Up], kbd:[F7] |Move to the previous packet, even if the packet list isn't focused.
|kbd:[↓] |Move to the next packet or detail item.
|kbd:[↑] |Move to the previous packet or detail item.
|kbd:[Ctrl+↓], kbd:[F8] |Move to the next packet, even if the packet list isn't focused.
|kbd:[Ctrl+↑], kbd:[F7] |Move to the previous packet, even if the packet list isn't focused.
|kbd:[Ctrl+.] |Move to the next packet of the conversation (TCP, UDP or IP).
|kbd:[Ctrl+&#x2c;] |Move to the previous packet of the conversation (TCP, UDP or IP).
|kbd:[Alt+Right] or kbd:[Option+Right] (macOS) |Move to the next packet in the selection history.
|kbd:[Alt+Left] or kbd:[Option+Right] (macOS) |Move to the previous packet in the selection history.
|kbd:[Left] |In the packet detail, closes the selected tree item. If it's already closed, jumps to the parent node.
|kbd:[Right] |In the packet detail, opens the selected tree item.
|kbd:[Shift+Right] |In the packet detail, opens the selected tree item and all of its subtrees.
|kbd:[Ctrl+Right] |In the packet detail, opens all tree items.
|kbd:[Ctrl+Left] |In the packet detail, closes all tree items.
|kbd:[Ctrl+&#44;] |Move to the previous packet of the conversation (TCP, UDP or IP).
|kbd:[Alt+→] or kbd:[Option+→] (macOS) |Move to the next packet in the selection history.
|kbd:[Alt+←] or kbd:[Option+←] (macOS) |Move to the previous packet in the selection history.
|kbd:[←] |In the packet detail, closes the selected tree item. If its already closed, jumps to the parent node.
|kbd:[→] |In the packet detail, opens the selected tree item.
|kbd:[Shift+→] |In the packet detail, opens the selected tree item and all of its subtrees.
|kbd:[Ctrl+→] |In the packet detail, opens all tree items.
|kbd:[Ctrl+←] |In the packet detail, closes all tree items.
|kbd:[Backspace] |In the packet detail, jumps to the parent node.
|kbd:[Return], kbd:[Enter] |In the packet detail, toggles the selected tree item.
|===============
@ -116,7 +116,7 @@ filling in a display filter.
=== The Menu
Wireshark's main menu is located either at the top of the main window (Windows,
Wiresharks main menu is located either at the top of the main window (Windows,
Linux) or at the top of your main screen (macOS). An example is shown in
<<ChUseWiresharkMenu>>.
@ -194,12 +194,12 @@ press the Control (or Strg in German) and the K keys together to open the
[[ChUseFileMenuSection]]
=== The ``File'' menu
=== The “File” menu
The Wireshark file menu contains the fields shown in <<ChUseTabFile>>.
[[ChUseWiresharkFileMenu]]
.The ``File'' Menu
.The “File” Menu
image::wsug_graphics/ws-file-menu.png[{screenshot-attrs}]
[[ChUseTabFile]]
@ -232,7 +232,7 @@ will be asked to do so first (this can be disabled by a preference setting).
|menu:Save[] |kbd:[Ctrl+S]|
This menu item saves the current capture. If you have not set a default capture
file name (perhaps with the -w &lt;capfile&gt; option), Wireshark pops up the
file name (perhaps with the -w <capfile> option), Wireshark pops up the
Save Capture File As dialog box (which is discussed further in <<ChIOSaveAs>>).
If you have already saved the current capture, this menu item will be greyed
@ -290,12 +290,12 @@ preference setting).
[[ChUseEditMenuSection]]
=== The ``Edit'' menu
=== The “Edit” menu
The Wireshark Edit menu contains the fields shown in <<ChUseTabEdit>>.
[[ChUseWiresharkEditMenu]]
.The ``Edit'' Menu
.The “Edit” Menu
image::wsug_graphics/ws-edit-menu.png[{screenshot-attrs}]
[[ChUseTabEdit]]
@ -388,12 +388,12 @@ Wireshark will use them the next time you start it. More detail is provided in
[[ChUseViewMenuSection]]
=== The ``View'' menu
=== The “View” menu
The Wireshark View menu contains the fields shown in <<ChUseTabView>>.
[[ChUseWiresharkViewMenu]]
.The ``View'' Menu
.The “View” Menu
image::wsug_graphics/ws-view-menu.png[{screenshot-attrs}]
[[ChUseTabView]]
@ -435,7 +435,7 @@ The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
Enabling colorization will slow down the display of new packets while capturing / loading capture files.
|menu:Auto Scroll in Live Capture[] | |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
|menu:Zoom In[] |kbd:[Ctrl+&#x2b;] | Zoom into the packet data (increase the font size).
|menu:Zoom In[] |kbd:[Ctrl+&#43;] | Zoom into the packet data (increase the font size).
|menu:Zoom Out[] |kbd:[Ctrl+-] | Zoom out of the packet data (decrease the font size).
|menu:Normal Size[] |kbd:[Ctrl+=] | Set zoom level back to 100% (set font size back to normal).
|menu:Resize All Columns[] |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it.
@ -443,10 +443,10 @@ Enabling colorization will slow down the display of new packets while capturing
Resizing may take a significant amount of time, especially if a large capture file is loaded.
|menu:Displayed Columns[] | |This menu items folds out with a list of all configured columns. These columns can now be shown or hidden in the packet list.
|menu:Expand Subtrees[] |kbd:[Shift+&#x2192;]|This menu item expands the currently selected subtree in the packet details tree.
|menu:Collapse Subtrees[] |kbd:[Shift+&#x2190;]|This menu item collapses the currently selected subtree in the packet details tree.
|menu:Expand All[] |kbd:[Ctrl+&#x2192;] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
|menu:Collapse All[] |kbd:[Ctrl+&#x2190;] |This menu item collapses the tree view of all packets in the capture list.
|menu:Expand Subtrees[] |kbd:[Shift+]|This menu item expands the currently selected subtree in the packet details tree.
|menu:Collapse Subtrees[] |kbd:[Shift+]|This menu item collapses the currently selected subtree in the packet details tree.
|menu:Expand All[] |kbd:[Ctrl+] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
|menu:Collapse All[] |kbd:[Ctrl+] |This menu item collapses the tree view of all packets in the capture list.
|menu:Colorize Conversation[] | |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. <<ChCustColorizationSection>>.
|menu:Colorize Conversation[Color 1-10] | |These menu items enable one of the ten temporary color filters based on the currently selected conversation.
|menu:Colorize Conversation[Reset coloring] | |This menu item clears all temporary coloring rules.
@ -458,12 +458,12 @@ Resizing may take a significant amount of time, especially if a large capture fi
[[ChUseGoMenuSection]]
=== The ``Go'' menu
=== The “Go” menu
The Wireshark Go menu contains the fields shown in <<ChUseTabGo>>.
[[ChUseWiresharkGoMenu]]
.The ``Go'' Menu
.The “Go” Menu
image::wsug_graphics/ws-go-menu.png[{screenshot-attrs}]
[[ChUseTabGo]]
@ -471,26 +471,26 @@ image::wsug_graphics/ws-go-menu.png[{screenshot-attrs}]
[options="header",cols="3,2,5"]
|===============
|Menu Item |Accelerator |Description
|menu:Back[] |kbd:[Alt+&#x2190;] |Jump to the recently visited packet in the packet history, much like the page history in a web browser.
|menu:Forward[] |kbd:[Alt+&#x2192;] |Jump to the next visited packet in the packet history, much like the page history in a web browser.
|menu:Back[] |kbd:[Alt+] |Jump to the recently visited packet in the packet history, much like the page history in a web browser.
|menu:Forward[] |kbd:[Alt+] |Jump to the next visited packet in the packet history, much like the page history in a web browser.
|menu:Go to Packet...[] |kbd:[Ctrl+G] |Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details.
|menu:Go to Corresponding Packet[] | |Go to the corresponding packet of the currently selected protocol field. If the selected field doesn't correspond to a packet, this item is greyed out.
|menu:Previous Packet[] |kbd:[Ctrl+&#x2191;]|Move to the previous packet in the list. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:Next Packet[] |kbd:[Ctrl+&#x2193;]|Move to the next packet in the list. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:Previous Packet[] |kbd:[Ctrl+]|Move to the previous packet in the list. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:Next Packet[] |kbd:[Ctrl+]|Move to the next packet in the list. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:First Packet[] |kbd:[Ctrl+Home] |Jump to the first packet of the capture file.
|menu:Last Packet[] |kbd:[Ctrl+End] |Jump to the last packet of the capture file.
|menu:Previous Packet In Conversation[] |kbd:[Ctrl+&#x2c;] |Move to the previous packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:Previous Packet In Conversation[] |kbd:[Ctrl+&#44;] |Move to the previous packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|menu:Next Packet In Conversation[] |kbd:[Ctrl+.] |Move to the next packet in the current conversation. This can be used to move to the previous packet even if the packet list doesn't have keyboard focus.
|===============
[[ChUseCaptureMenuSection]]
=== The ``Capture'' menu
=== The “Capture” menu
The Wireshark Capture menu contains the fields shown in <<ChUseTabCap>>.
[[ChUseWiresharkCaptureMenu]]
.The ``Capture'' Menu
.The “Capture” Menu
image::wsug_graphics/ws-capture-menu.png[{screenshot-attrs}]
[[ChUseTabCap]]
@ -498,7 +498,7 @@ image::wsug_graphics/ws-capture-menu.png[{screenshot-attrs}]
[options="header",cols="3,2,5"]
|===============
|Menu Item |Accelerator |Description
|menu:Interfaces...[] |kbd:[Ctrl+I] |This menu item brings up a dialog box that shows what's going on at the network interfaces Wireshark knows of, see <<ChCapInterfaceSection>>) .
|menu:Interfaces...[] |kbd:[Ctrl+I] |This menu item brings up a dialog box that shows whats going on at the network interfaces Wireshark knows of, see <<ChCapInterfaceSection>>) .
|menu:Options...[] |kbd:[Ctrl+K] |This menu item brings up the Capture Options dialog box (discussed further in <<ChCapCaptureOptions>>) and allows you to start capturing packets.
|menu:Start[] |kbd:[Ctrl+E] |Immediately start capturing packets with the same settings than the last time.
|menu:Stop[] |kbd:[Ctrl+E] |This menu item stops the currently running capture, see <<ChCapStopSection>>) .
@ -508,12 +508,12 @@ image::wsug_graphics/ws-capture-menu.png[{screenshot-attrs}]
[[ChUseAnalyzeMenuSection]]
=== The ``Analyze'' menu
=== The “Analyze” menu
The Wireshark Analyze menu contains the fields shown in <<ChUseAnalyze>>.
[[ChUseWiresharkAnalyzeMenu]]
.The ``Analyze'' Menu
.The “Analyze” Menu
image::wsug_graphics/ws-analyze-menu.png[{screenshot-attrs}]
[[ChUseAnalyze]]
@ -538,12 +538,12 @@ image::wsug_graphics/ws-analyze-menu.png[{screenshot-attrs}]
[[ChUseStatisticsMenuSection]]
=== The ``Statistics'' menu
=== The “Statistics” menu
The Wireshark Statistics menu contains the fields shown in <<ChUseStatistics>>.
[[ChUseWiresharkStatisticsMenu]]
.The ``Statistics'' Menu
.The “Statistics” Menu
image::wsug_graphics/ws-statistics-menu.png[{screenshot-attrs}]
All menu items will bring up a new window showing specific statistical information.
@ -579,12 +579,12 @@ All menu items will bring up a new window showing specific statistical informati
[[ChUseTelephonyMenuSection]]
=== The ``Telephony'' menu
=== The “Telephony” menu
The Wireshark Telephony menu contains the fields shown in <<ChUseTelephony>>.
[[ChUseWiresharkTelephonyMenu]]
.The ``Telephony'' Menu
.The “Telephony” Menu
image::wsug_graphics/ws-telephony-menu.png[{screenshot-attrs}]
All menu items will bring up a new window showing specific telephony related statistical information.
@ -613,12 +613,12 @@ All menu items will bring up a new window showing specific telephony related sta
[[ChUseToolsMenuSection]]
=== The ``Tools'' menu
=== The “Tools” menu
The Wireshark Tools menu contains the fields shown in <<ChUseTools>>.
[[ChUseWiresharkToolsMenu]]
.The ``Tools'' Menu
.The “Tools” Menu
image::wsug_graphics/ws-tools-menu.png[{screenshot-attrs}]
[[ChUseTools]]
@ -630,17 +630,17 @@ image::wsug_graphics/ws-tools-menu.png[{screenshot-attrs}]
It is assumed that the rules will be applied to an outside interface.
|menu:Lua[]|| These options allow you to work with the Lua interpreter optionally build into Wireshark. See the ``Lua Support in Wireshark'' in the Wireshark Developer's Guide.
|menu:Lua[]|| These options allow you to work with the Lua interpreter optionally build into Wireshark. See the ``Lua Support in Wireshark'' in the Wireshark Developers Guide.
|===============
[[ChUseInternalsMenuSection]]
=== The ``Internals'' menu
=== The “Internals” menu
The Wireshark Internals menu contains the fields shown in <<ChUseInternals>>.
[[ChUseWiresharkInternalsMenu]]
.The ``Internals'' Menu
.The “Internals” Menu
image::wsug_graphics/ws-internals-menu.png[{screenshot-attrs}]
[[ChUseInternals]]
@ -654,12 +654,12 @@ image::wsug_graphics/ws-internals-menu.png[{screenshot-attrs}]
[[ChUseHelpMenuSection]]
=== The ``Help'' menu
=== The “Help” menu
The Wireshark Help menu contains the fields shown in <<ChUseHelp>>.
[[ChUseWiresharkHelpMenu]]
.The ``Help'' Menu
.The “Help” Menu
image::wsug_graphics/ws-help-menu.png[{screenshot-attrs}]
[[ChUseHelp]]
@ -674,7 +674,7 @@ image::wsug_graphics/ws-help-menu.png[{screenshot-attrs}]
|menu:Downloads[]|| This menu item starts a Web browser showing the downloads from: link:{wireshark-download-url}[].
|menu:Wiki[]|| This menu item starts a Web browser showing the front page from: link:{wireshark-wiki-url}[].
|menu:Sample Captures[]|| This menu item starts a Web browser showing the sample captures from: link:{wireshark-wiki-url}SampleCaptures[].
|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it's built, the plugins loaded, the used folders, ...
|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how its built, the plugins loaded, the used folders, ...
|===============
@ -690,7 +690,7 @@ preferences dialog.
[[ChUseMainToolbarSection]]
=== The ``Main'' toolbar
=== The “Main” toolbar
The main toolbar provides quick access to frequently used items from the menu.
This toolbar cannot be customized by the user, but it can be hidden using the
@ -702,7 +702,7 @@ you haven't loaded one).
[[ChUseWiresharkMainToolbar]]
.The ``Main'' toolbar
.The “Main” toolbar
image::wsug_graphics/ws-main-toolbar.png[{screenshot-attrs}]
[[ChUseMainToolbar]]
@ -744,14 +744,14 @@ If you currently have a temporary capture file, the Save icon will be shown ins
[[ChUseFilterToolbarSection]]
=== The ``Filter'' toolbar
=== The “Filter” toolbar
The filter toolbar lets you quickly edit and apply display filters. More
information on display filters is available in <<ChWorkDisplayFilterSection>>.
[[ChUseWiresharkFilterToolbar]]
.The ``Filter'' toolbar
.The “Filter” toolbar
image::wsug_graphics/ws-filter-toolbar.png[{screenshot-attrs}]
[[ChUseFilterToolbar]]
@ -794,7 +794,7 @@ dissectors into the columns. As higher level protocols might overwrite
information from lower levels, you will typically see the information from the
highest possible level only.
For example, let's look at a packet containing TCP inside IP inside an Ethernet
For example, lets look at a packet containing TCP inside IP inside an Ethernet
packet. The Ethernet dissector will write its data (such as the Ethernet
addresses), the IP dissector will overwrite this by its own (such as the IP
addresses), the TCP dissector will overwrite the IP information, and so on.
@ -866,7 +866,7 @@ The packet list has an _Intelligent Scrollbar_ which shows a miniature map of
nearby packets. Each https://en.wikipedia.org/wiki/Raster_graphics[raster line]
of the scrollbar corresponds to a single packet, so the number of packets shown
in the map depends on your physical display and the height of the packet list. A
tall packet list on a high-resolution (``Retina'') display will show you quite a
tall packet list on a high-resolution (“Retina”) display will show you quite a
few packets. In the image above the scrollbar shows the status of more than 500
packets along with the 15 shown in the packet list itself.
@ -896,7 +896,7 @@ Some protocol fields have special meanings.
* *Generated fields.* Wireshark itself will generate additional protocol
information which isn't present in the captured data. This information is
enclosed in square brackets (`[' and `]'). Generated information includes
enclosed in square brackets (“[” and “]”). Generated information includes
response times, TCP analysis, GeoIP information, and checksum validation.
* *Links.* If Wireshark detects a relationship to another packet in the capture
@ -919,7 +919,7 @@ image::wsug_graphics/ws-bytes-pane.png[{screenshot-attrs}]
The ``Packet Bytes'' pane shows a canonical
https://en.wikipedia.org/wiki/Hex_dump[hex dump] of the packet data. Each line
contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes.
Non-printalbe bytes are replaced with a period (`.').
Non-printalbe bytes are replaced with a period (“.”).
Depending on the packet data, sometimes more than one page is available, e.g.
when Wireshark has reassembled some packets into a single chunk of data. (See
@ -1006,7 +1006,7 @@ Details'' pane.
[TIP]
====
The value between the parentheses (in this example `ipv6.src') can be used as a
The value between the parentheses (in this example “ipv6.src”) can be used as a
display filter, representing the selected protocol field.
====

30
docbook/wsug_src/WSUG_chapter_work.asciidoc
View File

@ -73,7 +73,7 @@ description of each item.
.The menu items of the ``Packet List'' column header pop-up menu
[options="header",cols="3,2,5"]
|===============
|Item|Identical to main menu's item:|Description
|Item|Identical to main menus item:|Description
|menu:Sort Ascending[]|| Sort the packet list in ascending order based on this column.
|menu:Sort Descending[]|| Sort the packet list in descending order based on this column.
|menu:No Sort[]|| Remove sorting order based on this column.
@ -103,7 +103,7 @@ The following table gives an overview of which functions are available in this
.The menu items of the ``Packet List'' pop-up menu
[options="header",cols="3,2,5"]
|===============
|Item|Identical to main menu's item:|Description
|Item|Identical to main menus item:|Description
|menu:Mark Packet (toggle)[]|menu:Edit[]| Mark/unmark a packet.
|menu:Ignore Packet (toggle)[]|menu:Edit[]| Ignore or inspect this packet while dissecting the capture file.
|menu:Set Time Reference (toggle)[]|menu:Edit[]| Set/reset a time reference.
@ -123,7 +123,7 @@ The following table gives an overview of which functions are available in this
|menu:Copy/ Bytes (Offset Hex)[]|| Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion.
|menu:Copy/ Bytes (Printable Text Only)[]|| Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters.
|menu:Copy/ Bytes (Hex Stream)[]|| Copy the packet bytes to the clipboard as an unpunctuated list of hex digits.
|menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary. The data is stored in the clipboard as MIME-type ``application/octet-stream''.
|menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary. The data is stored in the clipboard as MIME-type “application/octet-stream”.
|menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors.
|menu:Print...[]|File| Print packets.
|menu:Show Packet in New Window[]|menu:View[]| Display the selected packet in a new window.
@ -148,7 +148,7 @@ description of each item.
.The menu items of the ``Packet Details'' pop-up menu
[options="header",cols="3,2,5"]
|===============
|Item|Identical to main menu's item:|Description
|Item|Identical to main menus item:|Description
|menu:Expand Subtrees[]|menu:View[]| Expand the currently selected subtree.
|menu:Collapse Subtrees[]|menu:View[]| Collapse the currently selected subtree.
|menu:Expand All[]|menu:View[]| Expand all subtrees in all packets in the capture.
@ -168,7 +168,7 @@ description of each item.
|menu:Copy/ Bytes (Offset Hex)[]|| Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
|menu:Copy/ Bytes (Printable Text Only)[]|| Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
|menu:Copy/ Bytes (Hex Stream)[]|| Copy the packet bytes to the clipboard as an unpunctuated list of hex digits; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane).
|menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane). The data is stored in the clipboard as MIME-type ``application/octet-stream''.
|menu:Copy/ Bytes (Binary Stream)[]|| Copy the packet bytes to the clipboard as raw binary; similar to the Packet List Pane command, but copies only the bytes relevant to the selected part of the tree (the bytes selected in the Packet Bytes Pane). The data is stored in the clipboard as MIME-type “application/octet-stream”.
|menu:Export Selected Packet Bytes...[]|menu:File[]| This menu item is the same as the File menu item of the same name. It allows you to export raw packet bytes to a binary file.
|menu:Wiki Protocol Page[]|| Show the wiki page corresponding to the currently selected protocol in your web browser.
|menu:Filter Field Reference[]|| Show the filter field reference web page corresponding to the currently selected protocol in your web browser.
@ -474,7 +474,7 @@ for which there are no occurrences of a field named ip.addr with the value
=== The ``Filter Expression'' dialog box
When you are accustomed to Wireshark's filtering system and know what labels you
When you are accustomed to Wiresharks filtering system and know what labels you
wish to use in your filters it can be very quick to simply type a filter string.
However if you are new to Wireshark or are working with a slightly unfamiliar
protocol it can be very confusing to try to figure out what to type. The
@ -518,7 +518,7 @@ also indicate the type of value for the _field name_ you have selected (like
character string).
_Predefined values_::
Some of the protocol fields have predefined values available, much like enum's
Some of the protocol fields have predefined values available, much like enums
in C. If the selected protocol field has such values defined, you can choose one
of them here.
@ -565,7 +565,7 @@ image::wsug_graphics/ws-filters.png[{screenshot-attrs}]
_New_::
This button adds a new filter to the list of filters. The currently entered
values from Filter name and Filter string will be used. If any of these fields
are empty, it will be set to ``new''.
are empty, it will be set to “new”.
_Delete_::
@ -651,7 +651,7 @@ For more details on display filters, see <<ChWorkDisplayFilterSection>>
+
Search for a specific byte sequence in the packet data.
+
For example, use ``00:00'' to find the next packet including two null bytes in the packet data.
For example, use “00:00” to find the next packet including two null bytes in the packet data.
* _String_
+
@ -710,7 +710,7 @@ Wireshark will jump to that packet.
If a protocol field is selected which points to another packet in the capture
file, this command will jump to that packet.
As these protocol fields now work like links (just as in your Web browser), it's
As these protocol fields now work like links (just as in your Web browser), its
easier to simply double-click on the field to jump to the corresponding field.
==== The ``Go to First Packet'' command
@ -744,7 +744,7 @@ There are three functions to manipulate the marked state of a packet:
* _Unmark all packets_ reset the mark state of all packets.
These mark functions are available from the ``Edit'' menu, and the ``Mark packet
These mark functions are available from the “Edit” menu, and the ``Mark packet
(toggle)'' function is also available from the pop-up menu of the ``Packet
List'' pane.
@ -768,7 +768,7 @@ There are three functions to manipulate the ignored state of a packet:
* _Un-Ignore all packets_ reset the ignored state of all packets.
These ignore functions are available from the ``Edit'' menu, and the ``Ignore
These ignore functions are available from the “Edit” menu, and the ``Ignore
packet (toggle)'' function is also available from the pop-up menu of the
``Packet List'' pane.
@ -816,9 +816,9 @@ The available precisions (aka. the number of displayed decimal places) are:
the actually available precision is smaller, zeros will be appended. If the
precision is larger, the remaining decimal places will be cut off.
Precision example: If you have a timestamp and it's displayed using, ``Seconds
Precision example: If you have a timestamp and its displayed using, ``Seconds
Since Previous Packet'' the value might be 1.123456. This will be displayed
using the ``Automatic'' setting for libpcap files (which is microseconds). If
using the “Automatic” setting for libpcap files (which is microseconds). If
you use Seconds it would show simply 1 and if you use Nanoseconds it shows
1.123456000.
@ -829,7 +829,7 @@ you use Seconds it would show simply 1 and if you use Nanoseconds it shows
The user can set time references to packets. A time reference is the starting
point for all subsequent packet time calculations. It will be useful, if you
want to see the time values relative to a special packet, e.g. the start of a
new request. It's possible to set multiple time references in the capture file.
new request. Its possible to set multiple time references in the capture file.
The time references will not be saved permanently and will be lost when you
close the capture file.

2
docbook/wsug_src/WSUG_preface.asciidoc
View File

@ -31,7 +31,7 @@ useful information regarding these topics can be found at the Wireshark
Wiki at link:{wireshark-wiki-url}[].
By reading this book, you will learn how to install Wireshark, how to use the
basic elements of the graphical user interface (such as the menu) and what's
basic elements of the graphical user interface (such as the menu) and whats
behind some of the advanced features that are not always obvious at first sight.
It will hopefully guide you around some common problems that frequently appear
for new (and sometimes even advanced) users of Wireshark.