forked from osmocom/wireshark
1141 lines
40 KiB
XML
1141 lines
40 KiB
XML
<!-- WSUG Chapter Customizing -->
|
|
<!-- $Id$ -->
|
|
|
|
<chapter id="ChapterCustomize">
|
|
<title>Customizing Wireshark</title>
|
|
|
|
<section id="ChCustIntroduction"><title>Introduction</title>
|
|
<para>
|
|
Wireshark's default behaviour will usually suit your needs pretty well.
|
|
However, as you become more familiar with Wireshark, it can be customized
|
|
in various ways to suit your needs even better. In this chapter we explore:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
How to start Wireshark with command line parameters
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
How to colorize the packet list
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
How to control protocol dissection
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
How to use the various preference settings
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChCustCommandLine"><title>Start Wireshark from the command line</title>
|
|
<para>
|
|
You can start <application>Wireshark</application> from the command
|
|
line, but it can also be started from most Window managers
|
|
as well. In this section we will look at starting it from the command
|
|
line.
|
|
</para>
|
|
<para>
|
|
<application>Wireshark</application> supports a large number of
|
|
command line parameters. To see what they are, simply enter the
|
|
command <command>wireshark -h</command> and the help information
|
|
shown in <xref linkend="ChCustEx1"/> (or something similar) should be
|
|
printed.
|
|
<example id="ChCustEx1">
|
|
<title>Help information available from Wireshark</title>
|
|
<programlisting>
|
|
Wireshark 0.99.6
|
|
Interactively dump and analyze network traffic.
|
|
See http://www.wireshark.org for more information.
|
|
|
|
Copyright 1998-2007 Gerald Combs <gerald@wireshark.org> and contributors.
|
|
This is free software; see the source for copying conditions. There is NO
|
|
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
Usage: wireshark [options] ... [ <infile> ]
|
|
|
|
Capture interface:
|
|
-i <interface> name or idx of interface (def: first non-loopback)
|
|
-f <capture filter> packet filter in libpcap filter syntax
|
|
-s <snaplen> packet snapshot length (def: 65535)
|
|
-p don't capture in promiscuous mode
|
|
-k start capturing immediately (def: do nothing)
|
|
-Q quit Wireshark after capturing
|
|
-S update packet display when new packets are captured
|
|
-l turn on automatic scrolling while -S is in use
|
|
-B <buffer size> size of kernel buffer (def: 1MB)
|
|
-y <link type> link layer type (def: first appropriate)
|
|
-D print list of interfaces and exit
|
|
-L print list of link-layer types of iface and exit
|
|
|
|
Capture stop conditions:
|
|
-c <packet count> stop after n packets (def: infinite)
|
|
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
|
|
filesize:NUM - stop this file after NUM KB
|
|
files:NUM - stop after NUM files
|
|
Capture output:
|
|
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
|
|
filesize:NUM - switch to next file after NUM KB
|
|
files:NUM - ringbuffer: replace after NUM files
|
|
Input file:
|
|
-r <infile> set the filename to read from (no pipes or stdin!)
|
|
|
|
Processing:
|
|
-R <read filter> packet filter in Wireshark display filter syntax
|
|
-n disable all name resolutions (def: all enabled)
|
|
-N <name resolve flags> enable specific name resolution(s): "mntC"
|
|
|
|
User interface:
|
|
-g <packet number> go to specified packet number after "-r"
|
|
-m <font> set the font name used for most text
|
|
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
|
|
-X <key>:<value> eXtension options, see man page for details
|
|
-z <statistics> show various statistics, see man page for details
|
|
|
|
Output:
|
|
-w <outfile|-> set the output filename (or '-' for stdout)
|
|
|
|
Miscellaneous:
|
|
-h display this help and exit
|
|
-v display version info and exit
|
|
-P <key:path> persconf:path - personal configuration files
|
|
persdata:path - personal data files
|
|
-o <name>:<value> ... override preference or recent setting
|
|
|
|
</programlisting>
|
|
</example>
|
|
|
|
We will examine each of the command line options in turn.
|
|
</para>
|
|
<para>
|
|
The first thing to notice is that issuing the command
|
|
<command>wireshark</command> by itself will bring up
|
|
<application>Wireshark</application>.
|
|
However, you can include as many of the command line parameters as
|
|
you like. Their meanings are as follows ( in alphabetical order ):
|
|
XXX - is the alphabetical order a good choice? Maybe better task based?
|
|
<variablelist>
|
|
<varlistentry><term><command>-a <capture autostop condition></command></term>
|
|
<listitem>
|
|
<para>
|
|
Specify a criterion that specifies when Wireshark is to stop writing
|
|
to a capture file. The criterion is of the form test:value, where test
|
|
is one of:
|
|
<variablelist>
|
|
<varlistentry><term><command>duration</command>:value</term>
|
|
<listitem><para>
|
|
Stop writing to a capture file after value of seconds have elapsed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>filesize</command>:value</term>
|
|
<listitem><para>
|
|
Stop writing to a capture file after it reaches a size of value
|
|
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If
|
|
this option is used together with the -b option, Wireshark will
|
|
stop writing to the current capture file and switch to the next
|
|
one if filesize is reached.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>files</command>:value</term>
|
|
<listitem><para>
|
|
Stop writing to capture files after value number of files were
|
|
written.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-b <capture ring buffer option></command></term>
|
|
<listitem>
|
|
<para>
|
|
If a maximum capture file size was specified, cause Wireshark to run
|
|
in "ring buffer" mode, with the specified number of files. In "ring
|
|
buffer" mode, Wireshark will write to several capture files. Their
|
|
name is based on the number of the file and on the creation date and
|
|
time.
|
|
</para>
|
|
<para>
|
|
When the first capture file fills up, Wireshark will switch to writing
|
|
to the next file, until it fills up the last file, at which point
|
|
it'll discard the data in the first file (unless 0 is specified, in
|
|
which case, the number of files is unlimited) and start writing to
|
|
that file and so on.
|
|
</para>
|
|
<para>
|
|
If the optional duration is specified, Wireshark will switch also to
|
|
the next file when the specified number of seconds has elapsed even
|
|
if the current file is not completely fills up.
|
|
</para>
|
|
<para>
|
|
<variablelist>
|
|
<varlistentry><term><command>duration</command>:value</term>
|
|
<listitem><para>
|
|
Switch to the next file after value seconds have elapsed, even
|
|
if the current file is not completely filled up.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>filesize</command>:value</term>
|
|
<listitem><para>
|
|
Switch to the next file after it reaches a size of value kilobytes
|
|
(where a kilobyte is 1000 bytes, not 1024 bytes).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>files</command>:value</term>
|
|
<listitem><para>
|
|
Begin again with the first file after value number of files were
|
|
written (form a ring buffer).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-B <capture buffer size (Win32 only)></command></term>
|
|
<listitem>
|
|
<para>
|
|
Win32 only: set capture buffer size (in MB, default is 1MB). This
|
|
is used by the the capture driver to buffer packet data until that
|
|
data can be written to disk. If you encounter packet drops while
|
|
capturing, try to increase this size.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-c <capture packet count></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option specifies the maximum number of packets to capture
|
|
when capturing live data. It would be used in conjunction
|
|
with the <command>-k</command> option.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-D</command></term>
|
|
<listitem>
|
|
<para>
|
|
Print a list of the interfaces on which Wireshark can capture, and
|
|
exit. For each network interface, a number and an
|
|
interface name, possibly followed by a text description of the
|
|
interface, is printed. The interface name or the number can be supplied
|
|
to the <command>-i</command> flag to specify an interface on which to capture.
|
|
</para>
|
|
<para>
|
|
This can be useful on systems that don't have a command to list them
|
|
(e.g., Windows systems, or UNIX systems lacking <command>ifconfig -a</command>);
|
|
the number can be useful on Windows 2000 and later systems, where the
|
|
interface name is a somewhat complex string.
|
|
</para>
|
|
<para>
|
|
Note that "can capture" means that Wireshark was able to open
|
|
that device to do a live capture; if, on your system, a program doing a
|
|
network capture must be run from an account with special privileges (for
|
|
example, as root), then, if Wireshark is run with the <command>-D</command> flag and
|
|
is not run from such an account, it will not list any interfaces.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-f <capture filter></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option sets the initial capture filter expression to
|
|
be used when capturing packets.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-g <packet number></command></term>
|
|
<listitem>
|
|
<para>
|
|
After reading in a capture file using the -r flag, go to the given
|
|
packet number.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-h</command></term>
|
|
<listitem>
|
|
<para>
|
|
The <command>-h</command> option requests Wireshark to print
|
|
its version and usage instructions (as shown above) and exit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-i <capture interface></command></term>
|
|
<listitem>
|
|
<para>
|
|
Set the name of the network interface or pipe to use for live packet
|
|
capture.
|
|
</para>
|
|
<para>
|
|
Network interface names should match one of the names listed in
|
|
<command>wireshark -D</command> (described above); a number, as reported by
|
|
<command>wireshark -D</command>, can also be used. If you're using UNIX, <command>netstat
|
|
-i</command> or <command>ifconfig -a</command> might also work to list interface names,
|
|
although not all versions of UNIX support the <command>-a</command> flag to <command>ifconfig</command>.
|
|
</para>
|
|
<para>
|
|
If no interface is specified, Wireshark searches the list of
|
|
interfaces, choosing the first non-loopback interface if there are any
|
|
non-loopback interfaces, and choosing the first loopback interface if
|
|
there are no non-loopback interfaces; if there are no interfaces,
|
|
Wireshark reports an error and doesn't start the capture.
|
|
</para>
|
|
<para>
|
|
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
|
|
read data from the standard input. Data read from pipes must be in
|
|
standard libpcap format.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-k</command></term>
|
|
<listitem>
|
|
<para>
|
|
The <command>-k</command> option specifies that Wireshark
|
|
should start capturing packets immediately. This option
|
|
requires the use of the <command>-i</command> parameter to
|
|
specify the interface that packet capture will occur from.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-l</command></term>
|
|
<listitem>
|
|
<para>
|
|
This option turns on automatic scrolling if the packet
|
|
list pane is being updated automatically as packets arrive
|
|
during a capture ( as specified by the <command>-S</command>
|
|
flag).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-L</command></term>
|
|
<listitem>
|
|
<para>
|
|
List the data link types supported by the interface and exit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-m <font></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option sets the name of the font used for most text
|
|
displayed by Wireshark. XXX - add an example!
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-n</command></term>
|
|
<listitem>
|
|
<para>
|
|
Disable network object name resolution (such as hostname, TCP and UDP
|
|
port names).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-N <name resolving flags></command></term>
|
|
<listitem>
|
|
<para>
|
|
Turns on name resolving for particular types of addresses
|
|
and port numbers; the argument is a string that may contain
|
|
the letters <command>m</command> to enable MAC address
|
|
resolution, <command>n</command> to enable network address
|
|
resolution, and <command>t</command> to enable transport-layer
|
|
port number resolution. This overrides <command>-n</command>
|
|
if both <command>-N</command> and <command>-n</command> are
|
|
present. The letter C enables concurrent (asynchronous) DNS lookups.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><command>-o <preference/recent settings></command></term>
|
|
<listitem>
|
|
<para>
|
|
Sets a preference or recent value, overriding the default value and
|
|
any value read from a preference/recent file. The argument to the
|
|
flag is a string of the form prefname:value, where prefname
|
|
is the name of the preference (which is the same name that
|
|
would appear in the preference/recent file), and value is the value
|
|
to which it should be set. Multiple instances of
|
|
<command>-o <preference settings> </command> can be
|
|
given on a single command line.
|
|
</para>
|
|
<para>An example of setting a single preference would be: </para>
|
|
<para>
|
|
<command>
|
|
wireshark -o mgcp.display_dissect_tree:TRUE
|
|
</command>
|
|
</para>
|
|
<para>
|
|
An example of setting multiple preferences would be:
|
|
</para>
|
|
<para>
|
|
<command>
|
|
wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
|
|
</command>
|
|
</para>
|
|
<tip><title>Tip!</title>
|
|
<para>
|
|
You can get a list of all available preference strings from the
|
|
preferences file, see <xref linkend="AppFiles"/>.
|
|
</para>
|
|
</tip>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-p</command></term>
|
|
<listitem>
|
|
<para>
|
|
Don't put the interface into promiscuous mode. Note that
|
|
the interface might be in promiscuous mode for some other
|
|
reason; hence, -p cannot be used to ensure that the only
|
|
traffic that is captured is traffic sent to or from the
|
|
machine on which Wireshark is running, broadcast traffic, and
|
|
multicast traffic to addresses received by that machine.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-P <path setting></command></term>
|
|
<listitem>
|
|
<para>
|
|
Special path settings usually detected automatically. This is used
|
|
for special cases, e.g. starting Wireshark from a known location on
|
|
an USB stick.
|
|
</para>
|
|
<para>
|
|
The criterion is of the form key:path, where key is one of:
|
|
<variablelist>
|
|
<varlistentry><term><command>persconf</command>:path</term>
|
|
<listitem><para>
|
|
path of personal configuration files, like the preferences files.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>persdata</command>:path</term>
|
|
<listitem><para>
|
|
path of personal data files, it's the folder initially opened.
|
|
After the initilization, the recent file will keep the folder
|
|
last used.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-Q</command></term>
|
|
<listitem>
|
|
<para>
|
|
This option forces Wireshark to exit when capturing is
|
|
complete. It can be used with the <command>-c</command> option.
|
|
It must be used in conjunction with the
|
|
<command>-i</command> and <command>-w</command> options.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-r <infile></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option provides the name of a capture file for Wireshark
|
|
to read and display. This capture file can be in one of the
|
|
formats Wireshark understands.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-R <read (display) filter></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option specifies a display filter to be applied when
|
|
reading packets from a capture file. The syntax of this
|
|
filter is that of the display filters discussed in
|
|
<xref linkend="ChWorkDisplayFilterSection"/>. Packets not
|
|
matching the filter are discarded.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-s <capture snaplen></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option specifies the snapshot length to use when
|
|
capturing packets. Wireshark will only capture
|
|
<command><snaplen></command> bytes of data for each packet.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-S</command></term>
|
|
<listitem>
|
|
<para>
|
|
This option specifies that Wireshark will display packets as
|
|
it captures them. This is done by capturing in one process
|
|
and displaying them in a separate process. This is the same
|
|
as "Update list of packets in real time" in the Capture Options
|
|
dialog box.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><command>-t <time stamp format></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option sets the format of packet timestamps that are
|
|
displayed in the packet list window. The format can be one of:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>r</command> relative, which specifies timestamps are
|
|
displayed relative to the first packet captured.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>a</command> absolute, which specifies that actual times
|
|
be displayed for all packets.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>ad</command> absolute with date, which specifies that
|
|
actual dates and times be displayed for all packets.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>d</command> delta, which specifies that timestamps
|
|
are relative to the previous packet.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>e</command> epoch, which specifies that timestamps
|
|
are seconds since epoch (Jan 1, 1970 00:00:00)
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-v</command></term>
|
|
<listitem>
|
|
<para>
|
|
The <command>-v</command> option requests
|
|
Wireshark to print out its version information and exit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-w <savefile></command></term>
|
|
<listitem>
|
|
<para>
|
|
This option sets the name of the <command>savefile</command>
|
|
to be used when saving a capture file.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-y <capture link type></command></term>
|
|
<listitem>
|
|
<para>
|
|
If a capture is started from the command line with -k, set the data
|
|
link type to use while capturing packets. The values reported by -L
|
|
are the values that can be used.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-X <eXtension option></command></term>
|
|
<listitem>
|
|
<para>
|
|
Specify an option to be passed to a TShark module. The eXtension
|
|
option is in the form extension_key:value, where extension_key can
|
|
be:
|
|
</para>
|
|
<para>
|
|
<command>lua_script</command>:lua_script_filename Tell Wireshark to load the given script in addition to the default Lua scripts.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>-z <statistics-string></command></term>
|
|
<listitem>
|
|
<para>
|
|
Get Wireshark to collect various types of statistics and display the
|
|
result in a window that updates in semi-real time.
|
|
XXX - add more details here!
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChCustColorizationSection"><title>Packet colorization</title>
|
|
<para>
|
|
A very useful mechanism available in Wireshark is packet colorization.
|
|
You can set-up Wireshark so that it will colorize packets according to a
|
|
filter. This allows you to emphasize the packets you are usually
|
|
interested in.
|
|
</para>
|
|
<tip>
|
|
<title>Tip!</title>
|
|
<para>
|
|
You will find a lot of Coloring Rule examples at the <command>Wireshark
|
|
Wiki Coloring Rules page</command> at <ulink
|
|
url="&WiresharkWikiColoringRulesPage;">&WiresharkWikiColoringRulesPage;</ulink>.
|
|
</para>
|
|
</tip>
|
|
<para>
|
|
To colorize packets, select the Coloring Rules... menu item from
|
|
the View menu, Wireshark will pop up the "Coloring Rules"
|
|
dialog box as shown in <xref linkend="ChCustColoringRulesDialog"/>.
|
|
</para>
|
|
<figure id="ChCustColoringRulesDialog">
|
|
<title>The "Coloring Rules" dialog box</title>
|
|
<graphic entityref="WiresharkColoringRulesDialog" format="PNG"/>
|
|
</figure>
|
|
<para>
|
|
Once the Coloring Rules dialog box is up, there are a number
|
|
of buttons you can use, depending on whether or not you have any
|
|
color filters installed already.
|
|
</para>
|
|
<note><title>Note!</title>
|
|
<para>
|
|
You will need to carefully select the order the coloring rules are listed
|
|
(and thus applied) as they are applied in order from top to bottom.
|
|
So, more specific rules need to be listed before more general rules.
|
|
For example, if you have a color rule for UDP before the one for DNS,
|
|
the color rule for DNS will never be applied (as DNS uses UDP, so the
|
|
UDP rule will be matching first).
|
|
</para>
|
|
</note>
|
|
<para>
|
|
If this is the first time you have used Coloring Rules, click on the New
|
|
button which will bring up the Edit color filter dialog box as shown in
|
|
<xref linkend="ChCustEditColorDialog"/>.
|
|
</para>
|
|
<figure id="ChCustEditColorDialog">
|
|
<title>The "Edit Color Filter" dialog box</title>
|
|
<graphic entityref="WiresharkEditColorDialog" format="PNG"/>
|
|
</figure>
|
|
<para>
|
|
In the Edit Color dialog box, simply enter a name for the color filter,
|
|
and enter a filter string in the Filter text field.
|
|
<xref linkend="ChCustEditColorDialog"/> shows the values
|
|
<command>arp</command> and <command>arp</command> which means that
|
|
the name of the color filter is <command>arp</command> and the filter
|
|
will select protocols of type <command>arp</command>. Once you have
|
|
entered these values, you can choose a foreground and background
|
|
color for packets that match the filter expression. Click on
|
|
<command>Foreground color...</command> or
|
|
<command>Background color...</command> to achieve this and
|
|
Wireshark will pop up the Choose foreground/background color for
|
|
protocol dialog box as shown in
|
|
<xref linkend="ChCustChooseColorDialog"/>.
|
|
</para>
|
|
<figure id="ChCustChooseColorDialog">
|
|
<title>The "Choose color" dialog box</title>
|
|
<graphic entityref="WiresharkChooseColorDialog" format="PNG"/>
|
|
</figure>
|
|
<para>
|
|
Select the color you desire for the selected packets and click on OK.
|
|
</para>
|
|
<note>
|
|
<title>Note!</title>
|
|
<para>
|
|
You must select a color in the colorbar next to the colorwheel to
|
|
load values into the RGB values. Alternatively, you can set the
|
|
values to select the color you want.
|
|
</para>
|
|
</note>
|
|
<para>
|
|
<xref linkend="ChCustColorFilterMany"/> shows an example of several color
|
|
filters being used in Wireshark. You may not like the color choices,
|
|
however, feel free to choose your own.
|
|
</para>
|
|
<para>
|
|
If you are uncertain which coloring rule actually took place for a
|
|
specific packet, have a look at the [Coloring Rule Name: ...] and
|
|
[Coloring Rule String: ...] fields.
|
|
</para>
|
|
<figure id="ChCustColorFilterMany">
|
|
<title>Using color filters with Wireshark</title>
|
|
<graphic entityref="WiresharkColoringFields" format="PNG"/>
|
|
</figure>
|
|
</section>
|
|
|
|
<section id="ChCustProtocolDissectionSection">
|
|
<title>Control Protocol dissection</title>
|
|
<para>
|
|
The user can control how protocols are dissected.
|
|
</para>
|
|
<para>
|
|
Each protocol has its own dissector, so dissecting a complete packet will
|
|
typically involve several dissectors. As Wireshark tries to find the
|
|
right dissector for each packet (using static "routes" and heuristics
|
|
"guessing"), it might choose the wrong dissector in your specific
|
|
case. For example, Wireshark won't know if you use a common protocol
|
|
on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
|
|
the standard port 80.
|
|
</para>
|
|
<para>
|
|
There are two ways to control the relations between protocol
|
|
dissectors: disable a protocol dissector completely or temporarily
|
|
divert the way Wireshark calls the dissectors.
|
|
</para>
|
|
<section id="ChAdvEnabledProtocols"><title>The "Enabled Protocols" dialog
|
|
box</title>
|
|
<para>
|
|
The Enabled Protocols dialog box lets you enable or
|
|
disable specific protocols, all protocols are enabled by default.
|
|
When a protocol is disabled, Wireshark stops processing a packet
|
|
whenever that protocol is encountered.
|
|
</para>
|
|
<note><title>Note!</title>
|
|
<para>
|
|
Disabling a protocol will prevent information about higher-layer
|
|
protocols from being displayed. For example,
|
|
suppose you disabled the IP protocol and selected
|
|
a packet containing Ethernet, IP, TCP, and HTTP
|
|
information. The Ethernet information would be
|
|
displayed, but the IP, TCP and HTTP information
|
|
would not - disabling IP would prevent it and
|
|
the other protocols from being displayed.
|
|
</para>
|
|
</note>
|
|
<figure id="ChAdvEnabledProtocolsFig">
|
|
<title>The "Enabled Protocols" dialog box</title>
|
|
<graphic entityref="WiresharkEnabledProtocols" format="PNG"/>
|
|
</figure>
|
|
<para>
|
|
To disable or enable a protocol, simply click on it using the
|
|
mouse or press the space bar when the protocol is highlighted.
|
|
</para>
|
|
<warning><title>Warning!</title>
|
|
<para>
|
|
You have to use the Save button to save your settings. The OK or Apply
|
|
buttons will not save your changes permanently, so they will be lost
|
|
when Wireshark is closed.
|
|
</para>
|
|
</warning>
|
|
<para>
|
|
You can choose from the following actions:
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>Enable All</command> Enable all protocols in the list.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Disable All</command> Disable all protocols in the list.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Invert</command> Toggle the state of all protocols in the
|
|
list.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>OK</command> Apply the changes and close the dialog box.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Apply</command> Apply the changes and keep the dialog box
|
|
open.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Save</command> Save the settings to the disabled_protos, see
|
|
<xref linkend="AppFiles"/> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Cancel</command> Cancel the changes and close the dialog box.
|
|
</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChAdvDecodeAs"><title>User Specified Decodes</title>
|
|
<para>
|
|
The "Decode As" functionality let you temporarily divert specific
|
|
protocol dissections. This might be useful for example, if you do some
|
|
uncommon experiments on your network.
|
|
</para>
|
|
<para>
|
|
<figure id="ChAdvDecodeAsFig">
|
|
<title>The "Decode As" dialog box</title>
|
|
<graphic scale="100" entityref="WiresharkDecodeAs" format="PNG"/>
|
|
</figure>
|
|
The content of this dialog box depends on the selected packet when it
|
|
was opened.
|
|
<warning><title>Warning!</title>
|
|
<para>
|
|
The user specified decodes can not be saved. If you quit Wireshark,
|
|
these settings will be lost.
|
|
</para>
|
|
</warning>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>Decode</command> Decode packets the selected way.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Do not decode</command> Do not decode packets the selected
|
|
way.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Link/Network/Transport</command> Specify the network layer
|
|
at which "Decode As" should take place. Which of these pages are
|
|
available, depends on the content of the selected packet when this
|
|
dialog box was opened.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Show Current</command> Open a dialog box showing the
|
|
current list of user specified decodes.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>OK</command> Apply the currently selected decode and close
|
|
the dialog box.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Apply</command> Apply the currently selected decode and keep
|
|
the dialog box open.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Cancel</command> Cancel the changes and close the dialog box.
|
|
</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChAdvDecodeAsShow"><title>Show User Specified Decodes</title>
|
|
<para>
|
|
This dialog box shows the currently active user specified decodes.
|
|
<figure id="ChAdvDecodeAsShowFig">
|
|
<title>The "Decode As: Show" dialog box</title>
|
|
<graphic entityref="WiresharkDecodeAsShow" format="PNG"/>
|
|
</figure>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>OK</command> Close this dialog box.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>Clear</command> Removes all user specified decodes.
|
|
</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="ChCustPreferencesSection"><title>Preferences</title>
|
|
<para>
|
|
There are a number of preferences you can set. Simply
|
|
select the Preferences... menu item from the Edit menu, and Wireshark
|
|
will pop up the Preferences dialog box as shown in
|
|
<xref linkend="ChCustGUIPrefPage"/>, with the "User Interface" page as
|
|
default. On the left side is a tree where you can select the page to be
|
|
shown.
|
|
<note><title>Note!</title>
|
|
<para>
|
|
Preference settings are added frequently. For a recent explanation of
|
|
the preference pages and their settings have a look at the
|
|
<command>Wireshark Wiki Preferences page</command> at <ulink
|
|
url="&WiresharkWikiPreferencesPage;">&WiresharkWikiPreferencesPage;</ulink>.
|
|
</para>
|
|
</note>
|
|
<warning>
|
|
<title>Warning!</title>
|
|
<para>
|
|
The OK or Apply button will not save the preference settings,
|
|
you'll have to save the settings by clicking the Save button.
|
|
</para>
|
|
</warning>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <command>OK</command> button will apply the preferences
|
|
settings and close the dialog.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>Apply</command> button will apply the preferences
|
|
settings and keep the dialog open.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>Save</command> button will apply the preferences
|
|
settings, save the settings on the hard disk and keep the dialog open.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>Cancel</command> button will restore all preferences
|
|
settings to the last saved state.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<figure id="ChCustGUIPrefPage">
|
|
<title>The preferences dialog box</title>
|
|
<graphic entityref="WiresharkGUIPreferences" format="PNG"/>
|
|
</figure>
|
|
</section>
|
|
<section id="ChUserTable"><title>User Table</title>
|
|
<para>
|
|
The User Table editor is used for managing various tables in wireshark. It's main dialog works
|
|
very similarly to that of <xref linkend="ChCustColorizationSection"/>.
|
|
</para>
|
|
</section>
|
|
|
|
|
|
<section id="ChDisplayFilterMacrosSection"><title>Display Filter Macros</title>
|
|
<para>
|
|
Display Filter Macos are a mechanism to create shortcuts for complex filters. For example defining a
|
|
display filter macro named <command>tcp_conv</command> whose text is
|
|
<command> ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or
|
|
(ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) ) </command>
|
|
would allow to use a display filter like <command>${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}</command>
|
|
instead of typing the whole filter.
|
|
</para>
|
|
<para>
|
|
Display Filter Macos can be managed with a <xref linkend="ChUserTable"/> selecting
|
|
the <command>Display Filter Macros</command> menu item from the <command>View</command> Menu.
|
|
The User Table has the following fields
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry><term><command>name</command></term>
|
|
<listitem>
|
|
<para>
|
|
the name of the macro.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>text</command></term>
|
|
<listitem>
|
|
<para>
|
|
the replacement text for the macro it uses $1, $2, $3, ... as the input arguments.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
</section>
|
|
|
|
|
|
<section id="ChK12ProtocolsSection"><title>Tektronix K12xx/15 RF5 protocols Table</title>
|
|
<para>
|
|
The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are
|
|
used by a certain interface. Wireshark doesn't read these stk files, it uses a table that helps it identify
|
|
which lowest layer protocol to use.
|
|
</para>
|
|
<para>
|
|
Stk file to protocol matching is handled by an <xref linkend="ChUserTable"/> with the following fields.
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry><term><command>match</command></term>
|
|
<listitem>
|
|
<para>
|
|
a partial match for an stk filename, the first match wins, so if you have a specific case and a
|
|
general one the specific one must appear first in the list.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>protos</command></term>
|
|
<listitem>
|
|
<para>
|
|
This is the name of the encapsulating protocol (the lowest layer in the packet data) it can be either
|
|
just the name of the protocol (e.g. mtp2, eth_witoutfcs, sscf-nni ) or the name of the encapsulation
|
|
protocol and the "application" protocol over it separated by a colon (e.g sscop:sscf-nni, sscop:alcap, sscop:nbap, ...)
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</section>
|
|
|
|
|
|
<section id="ChUserDLTsSection"><title>User DLTs protocol table</title>
|
|
<para>
|
|
When a pcap file uses one of the user DLTs (147 to 162) wireshark uses this table to know which protocol(s) to use for each user DLT.
|
|
</para>
|
|
<para>
|
|
This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry><term><command>encap</command></term>
|
|
<listitem>
|
|
<para>
|
|
one of the user dlts.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>payload_proto</command></term>
|
|
<listitem>
|
|
<para>
|
|
This is the name of the payload protocol (the lowest layer in the packet data).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>header_size</command></term>
|
|
<listitem>
|
|
<para>
|
|
if there is a header protocol (before the payload protocol) this tells which size this header is. A value of 0 disables the header protocol.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>header_proto</command></term>
|
|
<listitem>
|
|
<para>
|
|
The name of the header protocol to be used (uses "data" as default).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>trailer_size</command></term>
|
|
<listitem>
|
|
<para>
|
|
if there is a trailer protocol (after the payload protocol) this tells which size this trailer is. A value of 0 disables the trailer protocol.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>trailer_proto</command></term>
|
|
<listitem>
|
|
<para>
|
|
The name of the trailer protocol to be used (uses "data" as default).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ChSNMPUsersSection"><title>SNMP users Table</title>
|
|
<para>
|
|
Wireshark uses this table to verify auhentication and to decrypt encrypted SNMPv3 packets.
|
|
</para>
|
|
<para>
|
|
This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry><term><command>engine_id</command></term>
|
|
<listitem>
|
|
<para>
|
|
If given this entry will be used only for packets whose engine id is this.
|
|
This field takes an hexadecimal string in the form 0102030405.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>userName</command></term>
|
|
<listitem>
|
|
<para>
|
|
This is the userName. When a single user has more than one password
|
|
for different SNMP-engines the first entry to match both is taken, if you
|
|
need a catch all engine-id (empty) that entry should be the last one.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>auth_model</command></term>
|
|
<listitem>
|
|
<para>
|
|
Which auth model to use (either "MD5" or "SHA1").
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>authPassword</command></term>
|
|
<listitem>
|
|
<para>
|
|
The authentication password. Use '\xDD' for unprintable charachters.
|
|
An hexadecimal password must be entered as a sequence of '\xDD' characters.
|
|
For example the hex passowrd 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>priv_proto</command></term>
|
|
<listitem>
|
|
<para>
|
|
Which encryption algorithm to use (either "DES" or "AES").
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>privPassword</command></term>
|
|
<listitem>
|
|
<para>
|
|
The privacy password. Use '\xDD' for unprintable charachters.
|
|
An hexadecimal password must be entered as a sequence of '\xDD' characters.
|
|
For example the hex passowrd 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</section>
|
|
|
|
<section id="ChSccpUsers"><title>SCCP users Table</title>
|
|
<para>
|
|
Wireshark uses this table to map specific protocols to a certain DPC/SSN combination for SCCP.
|
|
</para>
|
|
<para>
|
|
This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry><term><command>ni</command></term>
|
|
<listitem>
|
|
<para>
|
|
An Integer representing the network indicator for which this association is valid.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term><command>called_pc</command></term>
|
|
<listitem>
|
|
<para>
|
|
An range of integers representing the dpcs for which this association is valid.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term><command>called_ssn</command></term>
|
|
<listitem>
|
|
<para>
|
|
An range of integers representing the ssns for which this association is valid.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term><command>user</command></term>
|
|
<listitem>
|
|
<para>
|
|
The protocol that is carried over this association
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
|
|
</variablelist>
|
|
</section>
|
|
|
|
|
|
</chapter>
|
|
<!-- End of WSUG Chapter Customizing -->
|
|
|
|
|