wireshark/docbook/wsug_src/WSUG_chapter_io.adoc


// WSUG Chapter IO
[[ChapterIO]]
== File Input, Output, And Printing
[[ChIOIntroductionSection]]
=== Introduction
This chapter will describe input and output of capture data.
* Open capture files in various capture file formats
* Save and export capture files in various formats
* Merge capture files together
* Import text files containing hex dumps of packets
* Print packets
[[ChIOOpenSection]]
=== Open Capture Files
Wireshark can read in previously saved capture files. To read them, simply
select the menu:File[Open] menu or toolbar item. Wireshark will then pop up
the “File Open” dialog box, which is discussed in more detail in <<ChIOOpen>>.
[TIP]
.You can use drag and drop to open files
====
On most systems you can open a file by dragging it from your file manager and dropping it onto Wireshark's main window.
====
If you haven't previously saved the current capture file you will be asked to
do so to prevent data loss. This warning can be disabled in the preferences.
In addition to its native file format (pcapng), Wireshark can read and write
capture files from a large number of other packet capture programs as well. See
<<ChIOInputFormatsSection>> for the list of capture formats Wireshark
understands.
[[ChIOOpen]]
==== The “Open Capture File” Dialog Box
The “Open Capture File” dialog box allows you to search for a capture file
containing previously captured packets for display in Wireshark. The following
sections show some examples of the Wireshark “Open File” dialog box. The
appearance of this dialog depends on the system. However, the functionality
should be the same across systems.
Common dialog behaviour on all systems:
* Select files and directories.
* Click the btn:[Open] button to accept your selected file and open it.
* Click the btn:[Cancel] button to go back to Wireshark and not load a capture file.
* The btn:[Help] button will take you to this section of the “User's Guide”.
Wireshark adds the following controls:
* View file preview information such as the size and the number of packets in a selected capture file.
// XXX - we need a better description of these read filters
* Specify a read filter with the “Read filter” field.
This filter will be used when opening the new file.
The text field background will turn green for a valid filter string and red for an invalid one.
Read filters can be used to exclude various types of traffic, which can be useful for large capture files.
They use the same syntax as display filters, which are discussed in detail in <<ChWorkDisplayFilterSection>>.
* Optionally force Wireshark to read a file as a particular type using the “Automatically detect file type” dropdown.
[[ChIOOpenFileDialogWin32]]
.“Open” on Microsoft Windows
image::wsug_graphics/ws-open-win32.png[{medium-screenshot-attrs}]
This is the common Windows file open dialog along with some Wireshark extensions.
[[ChIOOpenFileDialog]]
.“Open” - Linux and UNIX
image::wsug_graphics/ws-open-qt5.png[{medium-screenshot-attrs}]
This is the common Qt file open dialog along with some Wireshark extensions.
// XXX Add macOS
[[ChIOInputFormatsSection]]
==== Input File Formats
The following file formats from other capture tools can be opened by Wireshark:
* pcapng. A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later
save files as pcapng by default. Versions prior to 1.8 used libpcap.
* libpcap. The default format used by the _libpcap_ packet capture library. Used
by _tcpdump_, _Snort_, _Nmap_, _Ntop_, and many other tools.
* Oracle (previously Sun) _snoop_ and _atmsnoop_
* Finisar (previously Shomiti) _Surveyor_ captures
* Microsoft _Network Monitor_ captures
* Novell _LANalyzer_ captures
* AIX _iptrace_ captures
* Cinco Networks NetXray captures
* Network Associates Windows-based Sniffer and Sniffer Pro captures
* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
* AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
* RADCOM's WAN/LAN Analyzer captures
* Network Instruments Observer version 9 captures
* Lucent/Ascend router debug output
* HP-UX's nettl
* Toshiba's ISDN routers' dump output
* ISDN4BSD _i4btrace_ utility
* traces from the EyeSDN USB S0
* IPLog format from the Cisco Secure Intrusion Detection System
* pppd logs (pppdump format)
* the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the text output from the DBS Etherwatch VMS utility
* Visual Networks Visual UpTime traffic capture
* the output from CoSine L2 debug
* the output from Accellent's 5Views LAN agents
* Endace Measurement Systems ERF format captures
* Linux Bluez Bluetooth stack hcidump -w traces
* Catapult DCT2000 .out files
* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
* IBM Series (OS/400) Comm traces (ASCII & UNICODE)
* Juniper Netscreen snoop captures
* Symbian OS btsnoop captures
* Tamosoft CommView captures
* Tektronix K12xx 32-bit .rf5 format captures
* Tektronix K12 text file format captures
* Apple PacketLogger captures
* Captures from Aethra Telecommunications PC108 software for their test instruments
New file formats are added from time to time.
Whether a particular file can be read may also depend on the packet types it
contains. Ethernet captures are supported by most file formats, but other packet
types such as PPP or IEEE 802.11 cannot be read from every format.
[[ChIOSaveSection]]
=== Saving Captured Packets
You can save captured packets by using the menu:File[Save] or menu:File[Save As...] menu items.
You can choose which packets to save and which file format to be used.
Not all information will be saved in a capture file. For example, most file
formats don't record the number of dropped packets. See
<<ChAppFilesCaptureFilesSection>> for details.
[[ChIOSaveAs]]
==== The “Save Capture File As” Dialog Box
The “Save Capture File As” dialog box allows you to save the current capture to a file.
The exact appearance of this dialog depends on your system.
However, the functionality is the same across systems.
Examples are shown below.
[[ChIOSaveAsFileWin32]]
.“Save” on Microsoft Windows
image::wsug_graphics/ws-save-as-win32.png[{medium-screenshot-attrs}]
This is the common Windows file save dialog with some additional Wireshark extensions.
[[ChIOSaveAsFile2]]
.“Save” on Linux and UNIX
image::wsug_graphics/ws-save-as-qt5.png[{medium-screenshot-attrs}]
This is the common Qt file save dialog with additional Wireshark extensions.
// XXX Add macOS
You can perform the following actions:
* Type in the name of the file in which you wish to save the captured packets.
* Select the directory to save the file into.
* Specify the format of the saved capture file by clicking on the “Save as” drop down box.
You can choose from the types described in <<ChIOOutputFormatsSection>>.
Some capture formats may not be available depending on the packet types captured.
* The btn:[Help] button will take you to this section of the “User's Guide”.
* “Compress with gzip” will compress the capture file as it is being written to disk.
* Click the btn:[Save] button to accept your selected file and save it.
* Click on the btn:[Cancel] button to go back to Wireshark without saving any packets.
If you don't provide a file extension to the filename (e.g. `.pcap`) Wireshark will append the standard file extension for that file format.
[TIP]
.Wireshark can convert file formats
====
You can convert capture files from one format to another by opening a capture and saving it as a different format.
====
If you wish to save some of the packets in your capture file you can do so via <<ChIOExportSpecifiedPacketsDialog>>.
[[ChIOOutputFormatsSection]]
==== Output File Formats
Wireshark can save the packet data in its native file format (pcapng) and in the
file formats of other protocol analyzers so other tools can read the capture
data.
[NOTE]
.Saving in a different format might lose data
====
Saving your file in a different format might lose information such as comments, name resolution, and time stamp resolution.
See <<ChAdvTimestamps>> for more information on time stamps.
====
The following file formats can be saved by Wireshark (with the known file extensions):
* pcapng ({asterisk}.pcapng). A flexible, extensible successor to the
libpcap format. Wireshark 1.8 and later save files as pcapng by
default. Versions prior to 1.8 used libpcap.
* libpcap, tcpdump and various other tools using tcpdump's capture
format ({asterisk}.pcap,{asterisk}.cap,{asterisk}.dmp)
* Accellent 5Views ({asterisk}.5vw)
* HP-UX's nettl ({asterisk}.TRC0,{asterisk}.TRC1)
* Microsoft Network Monitor - NetMon ({asterisk}.cap)
* Network Associates Sniffer - DOS ({asterisk}.cap,{asterisk}.enc,{asterisk}.trc,{asterisk}.fdc,{asterisk}.syc)
* Network Associates Sniffer - Windows ({asterisk}.cap)
* Network Instruments Observer version 9 ({asterisk}.bfr)
* Novell LANalyzer ({asterisk}.tr1)
* Oracle (previously Sun) snoop ({asterisk}.snoop,{asterisk}.cap)
* Visual Networks Visual UpTime traffic ({asterisk}.{asterisk})
New file formats are added from time to time.
Whether or not the above tools will be more helpful than Wireshark is a different question ;-)
[NOTE]
.Third party protocol analyzers may require specific file extensions
====
Wireshark examines a file's contents to determine its type. Some other protocol
analyzers only look at the filename extension. For example, you might need to use
the `.cap` extension in order to open a file using _Sniffer_.
====
[[ChIOMergeSection]]
=== Merging Capture Files
Sometimes you need to merge several capture files into one. For example, this can
be useful if you have captured simultaneously from multiple interfaces at once
(e.g. using multiple instances of Wireshark).
There are three ways to merge capture files using Wireshark:
* Use the menu:File[Merge] menu to open the “Merge” dialog.
See <<ChIOMergeDialog>> for details.
This menu item will be disabled unless you have loaded a capture file.
* Use _drag and drop_ to drop multiple files on the main window.
Wireshark will try to merge the packets in chronological order from the dropped files into a newly created temporary file.
If you drop a single file it will simply replace the existing capture.
* Use the `mergecap` tool from the command line to merge capture files.
This tool provides the most options to merge capture files.
See <<AppToolsmergecap>> for details.
[[ChIOMergeDialog]]
==== The “Merge With Capture File” Dialog Box
This lets you select a file to be merged into the currently loaded file.
If your current data has not been saved you will be asked to save it first.
Most controls of this dialog will work the same way as described in the “Open Capture File” dialog box.
See <<ChIOOpen>> for details.
Specific controls of this merge dialog are:
Prepend packets::
Prepend the packets from the selected file before the currently loaded packets.
Merge chronologically::
Merge both the packets from the selected and currently loaded file in chronological order.
Append packets::
Append the packets from the selected file after the currently loaded packets.
[[ChIOMergeFileTab]]
.“Merge Capture File As” dialog box examples
[[ChIOMergeFileWin32]]
.“Merge” on Microsoft Windows
image::wsug_graphics/ws-merge-win32.png[{medium-screenshot-attrs}]
This is the common Windows file open dialog with additional Wireshark extensions.
[[ChIOMergeFile2]]
.“Merge” on Linux and UNIX
image::wsug_graphics/ws-merge-qt5.png[{medium-screenshot-attrs}]
This is the Qt file open dialog with additional Wireshark extensions.
// XXX Add macOS
[[ChIOImportSection]]
=== Import Hex Dump
Wireshark can read in an ASCII hex dump and write the data described into a
temporary libpcap capture file. It can read hex dumps with multiple packets in
them, and build a capture file of multiple packets. It is also capable of
generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build
fully processable packet dumps from hexdumps of application-level data only.
Wireshark understands a hexdump of the form generated by `od -Ax -tx1 -v`. In
other words, each byte is individually displayed and surrounded with a space.
Each line begins with an offset describing the position in the packet, each
new packet starts with an offset of 0 and there is a space separating the
offset from the following bytes. The offset is a hexadecimal number (octal and
decimal are also supported) of more than two digits.
Here is a sample dump that can be imported:
----
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........
----
There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Byte and hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters _>_. Any lines of text between the bytestring lines are ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
bytes is ignored (e.g. the character dump). Any hex numbers in this text are
also ignored. An offset of zero is indicative of starting a new packet, so a
single text file with a series of hexdumps can be converted into a packet
capture with multiple packets. Packets may be preceded by a timestamp, which is
interpreted according to the format given in the import dialog. If there are no
timestamps, the first packet is stamped with the time the import takes place and
each following packet is written with a timestamp one microsecond later. Short of
these restrictions, Wireshark is fairly liberal about reading in hex dumps and
has been tested with a variety of mangled outputs (including dumps forwarded
through email multiple times, with limited line wrap etc.)
There are a couple of other special features to note. Any line where the first
non-whitespace character is `#` will be ignored as a comment. Any line beginning
with `#TEXT2PCAP` is a directive and options can be inserted after this command to
be processed by Wireshark. Currently there are no directives implemented. In the
future these may be used to give more fine grained control on the dump and the
way it should be processed e.g. timestamps, encapsulation type etc. Wireshark
also allows the user to read in dumps of application-level data, by inserting
dummy L2, L3 and L4 headers before each packet. The user can elect to insert
Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers
before each packet. This allows Wireshark or any other full-packet decoder to
handle these dumps.
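As an added example (not code from Wireshark or from this guide), the following Python script implements the hex dump rules described above, prepends constructed dummy Ethernet/IPv4/UDP headers to each packet the way the dummy-header option does, and writes the result as a libpcap file that Wireshark can open. The sample dump, the MAC and IP addresses and the UDP ports are all made up for the example; a plain-text line whose first word happens to be a hex number longer than two digits would be taken as an offset, which is the same ambiguity the format itself has.

```python
"""Parse an od-style hex dump, add dummy headers, write a libpcap file."""
import re
import struct
import time

# Constructed sample (not captured traffic): two packets, the first one
# "forwarded through e-mail" (quoted with '>') and carrying an ASCII column.
SAMPLE_DUMP = """\
# constructed sample, not captured traffic
> 000000 00 e0 1e a7 05 6f 00 10 ........
> 000008 5a a0 b9 12 08 00 46 00 ......F.
> 000010 03 68                     .h
free text between packets is ignored
000000 de ad be ef   ....
000004 ca fe         ..
"""

_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(text, radix=16):
    """Return a list of packets (bytes) found in `text`.

    Rules as described for the import: '#' lines are comments, leading '>'
    quoting is stripped, the first token must be an offset of more than two
    digits (other lines are ignored), offset 0 starts a new packet, and bytes
    run until the first token that is not exactly two hex digits (the ASCII
    column), after which the rest of the line is ignored.
    """
    packets, current = [], bytearray()
    for raw in text.splitlines():
        line = raw.lstrip(" \t>")
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens[0]) <= 2:
            continue                      # a bare byte, not an offset
        try:
            offset = int(tokens[0], radix)
        except ValueError:
            continue                      # free text between packets
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset < len(current):
            del current[offset:]          # previous ASCII column looked like hex
        elif offset > len(current):
            raise ValueError(f"gap before offset {tokens[0]}: {len(current)} bytes so far")
        for tok in tokens[1:]:
            if not _BYTE.match(tok):
                break
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def ipv4_checksum(header):
    """RFC 791 ones-complement checksum; 0 when the header's field is already right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def add_dummy_headers(payload, src_port=1234, dst_port=5678):
    """Prepend constructed Ethernet II + IPv4 + UDP headers (addresses made up)
    so a dump of application data dissects as a full frame."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)  # no UDP checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    return eth + ip + udp + payload


def build_pcap(packets, start_us=None, linktype=1):
    """Serialize packets as a little-endian libpcap file (magic 0xa1b2c3d4).
    Timestamps start at `start_us` and grow by one microsecond per packet,
    which is what the import does when the dump carries no timestamps."""
    if start_us is None:
        start_us = int(time.time() * 1_000_000)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype))
    for i, pkt in enumerate(packets):
        sec, usec = divmod(start_us + i, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


if __name__ == "__main__":
    frames = [add_dummy_headers(p) for p in parse_hexdump(SAMPLE_DUMP)]
    with open("imported.pcap", "wb") as fh:
        fh.write(build_pcap(frames))
    print(f"wrote {len(frames)} frames to imported.pcap")
```

Opening `imported.pcap` in Wireshark shows two UDP frames whose payloads are the bytes from the dump; the trimming step for an over-read ASCII column only works when a later offset line follows, so the last line of a dump should end cleanly.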
[[ChIOImportDialog]]
==== The “Import From Hex Dump” Dialog Box
This dialog box lets you select a text file, containing a hex dump of packet
data, to be imported and set import parameters.
[[ChIOFileImportDialog]]
.The “Import from Hex Dump” dialog
image::wsug_graphics/ws-file-import.png[{medium-screenshot-attrs}]
Specific controls of this import dialog are split in two sections:
Import from:: Determine which input file has to be imported and how it is to be
interpreted.
Encapsulation:: Determine how the data is to be encapsulated.
The import parameters are as follows:
Filename / Browse::
Enter the name of the text file to import. You can use _Browse_ to browse for a
file.
Offsets::
Select the radix of the offsets given in the text file to import. This is
usually hexadecimal, but decimal and octal are also supported. Select _None_
when only the bytes are present. These will be imported as a single packet.
Timestamp Format::
This is the format specifier used to parse the timestamps in the text file to
import. It uses a simple syntax to describe the format of the timestamps, using
%H for hours, %M for minutes, %S for seconds, etc. The straightforward HH:MM:SS
format is covered by %T. For a full definition of the syntax look for
`strptime(3)`. If there are no timestamps in the text file to import leave this
field empty and timestamps will be generated based on the time of import.
Direction indication::
Tick this box if the text file to import has direction indicators before each
frame. These are on a separate line before each frame and start with either
_I_ or _i_ for input and _O_ or _o_ for output.
The encapsulation parameters are as follows:
Encapsulation type::
Here you can select which type of frames you are importing. This all depends on
from what type of medium the dump to import was taken. It lists all types that
Wireshark understands, so as to pass the capture file contents to the right
dissector.
Dummy header::
When Ethernet encapsulation is selected you have the option to prepend dummy
headers to the frames to import. These headers can provide artificial Ethernet,
IP, UDP, TCP or SCTP headers or SCTP data chunks. When selecting a type of
dummy header the applicable entries are enabled, others are grayed out and
default values are used.
When the _Wireshark Upper PDU export_ encapsulation is selected the option
_ExportPDU_ becomes available. This allows you to enter the name of the
dissector these frames are to be directed to.
Maximum frame length::
You may not be interested in the full frames from the text file, just the first
part. Here you can define how much data from the start of each frame you want to
import. If you leave this empty the maximum is 256 KiB.
Once all input and import parameters are set up click btn:[Import] to start the
import. If your current data wasn't saved before you will be asked to save it
first.
When completed there will be a new capture file loaded with the frames imported
from the text file.
[[ChIOFileSetSection]]
=== File Sets
When using the “Multiple Files” option while doing a capture (see:
<<ChCapCaptureFiles>>), the capture data is spread over several capture files,
called a file set.
As it can become tedious to work with a file set by hand, Wireshark provides
some features to handle these file sets in a convenient way.
.How does Wireshark detect the files of a file set?
****
A filename in a file set uses the format Prefix_Number_DateTimeSuffix which
might look something like `test_00001_20210714183910.pcap`. All files of a file
set share the same prefix (e.g. “test”) and suffix (e.g. “.pcap”) and a
varying middle part.
To find the files of a file set, Wireshark scans the directory where the
currently loaded file resides and checks for files matching the filename pattern
(prefix and suffix) of the currently loaded file.
This simple mechanism usually works well but has its drawbacks. If several file
sets were captured with the same prefix and suffix, Wireshark will detect them
as a single file set. If files were renamed or spread over several directories
the mechanism will fail to find all files of a set.
****
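As an added example (not code from Wireshark or this guide), the detection rule above in Python: it takes the prefix and suffix from the loaded file, collects the matching names from a constructed directory listing, and then goes one step beyond what Wireshark does by splitting the result wherever the counter restarts, which is exactly the “two file sets with the same prefix” drawback described. The five-digit counter and 14-digit timestamp widths are assumptions taken from the sample filename.

```python
"""Find the members of a Wireshark file set from a directory listing."""
import re

# Assumed from the sample name test_00001_20210714183910.pcap:
# Prefix_Number_DateTimeSuffix with a five-digit counter and a 14-digit stamp.
FILESET_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<number>\d{5})_(?P<stamp>\d{14})(?P<suffix>\.[^.]+)$"
)

# Constructed directory listing: one run of three files, a later run captured
# with the same prefix and suffix, one unrelated set and one non-capture file.
LISTING = [
    "test_00001_20210714183910.pcap",
    "test_00002_20210714184010.pcap",
    "test_00003_20210714184110.pcap",
    "test_00001_20210801090000.pcap",
    "test_00002_20210801090100.pcap",
    "other_00001_20210714183910.pcap",
    "notes.txt",
]


def _parts(name):
    m = FILESET_RE.match(name)
    return m.groupdict() if m else None


def fileset_members(current, listing):
    """Files that share the prefix and suffix of `current`, which is how
    Wireshark detects a set; ordered here by counter, then timestamp."""
    cur = _parts(current)
    if cur is None:
        raise ValueError(f"{current!r} does not look like a file set member")
    members = [
        name for name in listing
        if (p := _parts(name)) and p["prefix"] == cur["prefix"] and p["suffix"] == cur["suffix"]
    ]
    return sorted(members, key=lambda n: (int(_parts(n)["number"]), _parts(n)["stamp"]))


def split_runs(members):
    """Extra check beyond what Wireshark does: order by timestamp and start a
    new run wherever the counter fails to increase, so two captures that
    share a prefix come apart instead of being listed as one set."""
    runs, last = [], None
    for name in sorted(members, key=lambda n: _parts(n)["stamp"]):
        number = int(_parts(name)["number"])
        if last is None or number <= last:
            runs.append([])
        runs[-1].append(name)
        last = number
    return runs


if __name__ == "__main__":
    members = fileset_members("test_00002_20210714184010.pcap", LISTING)
    print("detected as one set:", members)
    for i, run in enumerate(split_runs(members), 1):
        print(f"run {i}:", run)
```

Run against a real directory with `os.listdir()`, `fileset_members` reproduces the “List Files” view and `split_runs` tells you whether that view is actually several captures.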
The following features in the menu:File[File Set] submenu are available to work
with file sets in a convenient way:
* The “List Files” dialog box will list the files Wireshark has recognized as
being part of the current file set.
* btn:[Next File] closes the current and opens the next file in the file
set.
* btn:[Previous File] closes the current and opens the previous file in the
file set.
[[ChIOFileSetListDialog]]
==== The “List Files” Dialog Box
.The “List Files” dialog box
image::wsug_graphics/ws-file-set-dialog.png[{medium-screenshot-attrs}]
Each line contains information about a file of the file set:
Filename::
The name of the file. If you click on the filename (or the radio
button left to it), the current file will be closed and the corresponding
capture file will be opened.
Created::
The creation time of the file.
Last Modified::
The last time the file was modified.
Size::
The size of the file.
The last line will contain info about the currently used directory where all of
the files in the file set can be found.
The content of this dialog box is updated each time a capture file is
opened/closed.
The btn:[Close] button will, well, close the dialog box.
[[ChIOExportSection]]
// - Add {missing} for other exports?
=== Exporting Data
Wireshark provides a variety of options for exporting packet data.
This section describes general ways to export data from the main Wireshark application.
There are many other ways to export or extract data from capture files, including processing <<AppToolstshark,tshark>> output and customizing Wireshark and tshark using Lua scripts.
[[ChIOExportSpecifiedPacketsDialog]]
==== The “Export Specified Packets” Dialog Box
.The “Export Specified Packets” dialog box
image::wsug_graphics/ws-export-specified-packets.png[{medium-screenshot-attrs}]
This is similar to the “<<ChIOSaveAs,Save>>” dialog box, but it lets you save specific packets.
This can be useful for trimming irrelevant or unwanted packets from a capture file.
See <<ChIOPacketRangeSection,Packet Range>> for details on the range controls.
[[ChIOExportPacketDissectionsDialog]]
==== The “Export Packet Dissections” Dialog Box
This lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other formats.
.The “Export Packet Dissections” dialog box
image::wsug_graphics/ws-export-packet-dissections.png[{medium-screenshot-attrs}]
The format can be selected from the “Export As” dropdown and further customized using the “<<ChIOPacketRangeSection,Packet Range>>” and “<<ChIOPacketRangeSection,Packet Format>>” controls.
Some controls are unavailable for some formats, notably CSV and JSON.
The following formats are supported:
* Plain text as shown in the main window
* link:{wikipedia-main-url}Comma-separated_values[Comma-separated values (CSV)]
* link:{wikipedia-main-url}C_(programming_language)[C-compatible] byte arrays
* link:https://web.archive.org/web/20141115200425/http://www.nbee.org/doku.php?id=netpdl:psml_specification[PSML] (summary XML)
* link:https://web.archive.org/web/20140416072301/http://www.nbee.org/doku.php?id=netpdl:pdml_specification[PDML] (detailed XML)
* link:{wikipedia-main-url}JSON[JavaScript Object Notation (JSON)]
Here are some examples of exported data:
.Plain text
----
No.     Time           Source                Destination           Protocol Length SSID       Info
      1 0.000000       200.121.1.131         172.16.0.122          TCP      1454              10554 → 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]

Frame 1: 1454 bytes on wire (11632 bits), 1454 bytes captured (11632 bits)
Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13
Internet Protocol Version 4, Src: 200.121.1.131 (200.121.1.131), Dst: 172.16.0.122 (172.16.0.122)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 1440
    Identification: 0x0141 (321)
    Flags: 0x0000
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 106
    Protocol: TCP (6)
    Header checksum: 0xd390 [validation disabled]
    [Header checksum status: Unverified]
    Source: 200.121.1.131 (200.121.1.131)
    Destination: 172.16.0.122 (172.16.0.122)
    [Source GeoIP: PE, ASN 6147, Telefonica del Peru S.A.A.]
Transmission Control Protocol, Src Port: 10554, Dst Port: 80, Seq: 1, Ack: 1, Len: 1400
----
[TIP]
====
If you would like to be able to <<ChIOImportSection,import>> any previously exported packets from a plain text file it is recommended that you do the following:
* Add the “Absolute date and time” column.
* Temporarily hide all other columns.
* Disable the menu:Edit[Preferences,Protocols,Data] “Show not dissected data
on new Packet Bytes pane” preference. More details are provided in
<<ChCustPreferencesSection>>
* Include the packet summary line.
* Exclude column headings.
* Exclude packet details.
* Include the packet bytes.
====
.CSV
----
"No.","Time","Source","Destination","Protocol","Length","SSID","Info","Win Size"
"1","0.000000","200.121.1.131","172.16.0.122","TCP","1454","","10554 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
"2","0.000011","172.16.0.122","200.121.1.131","TCP","54","","[TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=53200 Len=0","53200"
"3","0.025738","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=1401 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
"4","0.025749","172.16.0.122","200.121.1.131","TCP","54","","[TCP Window Update] [TCP ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=63000 Len=0","63000"
"5","0.076967","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Previous segment not captured] [TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=4201 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
----
.JSON
----
[
  {
    "_index": "packets-2014-06-22",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "1",
          "frame.time": "Jun 22, 2014 13:29:41.834477000 PDT",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1403468981.834477000",
          "frame.time_delta": "0.450535000",
          "frame.time_delta_displayed": "0.450535000",
          "frame.time_relative": "0.450535000",
          "frame.number": "2",
          "frame.len": "86",
          "frame.cap_len": "86",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ipv6:icmpv6",
          "frame.coloring_rule.name": "ICMP",
          "frame.coloring_rule.string": "icmp || icmpv6"
        },
        "eth": {
          "eth.dst": "33:33:ff:9e:e3:8e",
          "eth.dst_tree": {
            "eth.dst_resolved": "33:33:ff:9e:e3:8e",
            "eth.dst.oui": "3355647",
            "eth.addr": "33:33:ff:9e:e3:8e",
            "eth.addr_resolved": "33:33:ff:9e:e3:8e",
            "eth.addr.oui": "3355647",
            "eth.dst.lg": "1",
            "eth.lg": "1",
            "eth.dst.ig": "1",
            "eth.ig": "1"
          },
          "eth.src": "00:01:5c:62:8c:46",
          "eth.src_tree": {
            "eth.src_resolved": "00:01:5c:62:8c:46",
            "eth.src.oui": "348",
            "eth.src.oui_resolved": "Cadant Inc.",
            "eth.addr": "00:01:5c:62:8c:46",
            "eth.addr_resolved": "00:01:5c:62:8c:46",
            "eth.addr.oui": "348",
            "eth.addr.oui_resolved": "Cadant Inc.",
            "eth.src.lg": "0",
            "eth.lg": "0",
            "eth.src.ig": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x000086dd"
        },
        "ipv6": {
          "ipv6.version": "6",
          "ip.version": "6",
          "ipv6.tclass": "0x00000000",
          "ipv6.tclass_tree": {
            "ipv6.tclass.dscp": "0",
            "ipv6.tclass.ecn": "0"
          },
          "ipv6.flow": "0x00000000",
          "ipv6.plen": "32",
          "ipv6.nxt": "58",
          "ipv6.hlim": "255",
          "ipv6.src": "2001:558:4080:16::1",
          "ipv6.addr": "2001:558:4080:16::1",
          "ipv6.src_host": "2001:558:4080:16::1",
          "ipv6.host": "2001:558:4080:16::1",
          "ipv6.dst": "ff02::1:ff9e:e38e",
          "ipv6.addr": "ff02::1:ff9e:e38e",
          "ipv6.dst_host": "ff02::1:ff9e:e38e",
          "ipv6.host": "ff02::1:ff9e:e38e",
          "ipv6.geoip.src_summary": "US, ASN 7922, Comcast Cable Communications, LLC",
          "ipv6.geoip.src_summary_tree": {
            "ipv6.geoip.src_country": "United States",
            "ipv6.geoip.country": "United States",
            "ipv6.geoip.src_country_iso": "US",
            "ipv6.geoip.country_iso": "US",
            "ipv6.geoip.src_asnum": "7922",
            "ipv6.geoip.asnum": "7922",
            "ipv6.geoip.src_org": "Comcast Cable Communications, LLC",
            "ipv6.geoip.org": "Comcast Cable Communications, LLC",
            "ipv6.geoip.src_lat": "37.751",
            "ipv6.geoip.lat": "37.751",
            "ipv6.geoip.src_lon": "-97.822",
            "ipv6.geoip.lon": "-97.822"
          }
        },
        "icmpv6": {
          "icmpv6.type": "135",
          "icmpv6.code": "0",
          "icmpv6.checksum": "0x00005b84",
          "icmpv6.checksum.status": "1",
          "icmpv6.reserved": "00:00:00:00",
          "icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e",
          "icmpv6.opt": {
            "icmpv6.opt.type": "1",
            "icmpv6.opt.length": "1",
            "icmpv6.opt.linkaddr": "00:01:5c:62:8c:46",
            "icmpv6.opt.src_linkaddr": "00:01:5c:62:8c:46"
          }
        }
      }
    }
  }
]
----
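One thing the JSON sample shows that bites when the export is post-processed: the same field name can occur more than once in a single object (here _ipv6.addr_ appears twice, once per endpoint), and a standard JSON parser silently keeps only the last one. As an added example (not code from Wireshark or this guide), the following Python reads the export with a hook that preserves every repeated key and then walks the layer tree to pull out fields. The sample document is a constructed, trimmed copy of the JSON shown above.

```python
"""Read a Wireshark JSON dissection export without losing repeated fields."""
import json

# Constructed sample, trimmed from the JSON example in this section. Note the
# two "ipv6.addr" members in one object: valid JSON text, but json.loads()
# keeps only the last of them by default.
SAMPLE_JSON = """[
  {
    "_index": "packets-2014-06-22",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.number": "2",
          "frame.protocols": "eth:ethertype:ipv6:icmpv6"
        },
        "eth": {
          "eth.dst": "33:33:ff:9e:e3:8e",
          "eth.src": "00:01:5c:62:8c:46",
          "eth.type": "0x000086dd"
        },
        "ipv6": {
          "ipv6.src": "2001:558:4080:16::1",
          "ipv6.addr": "2001:558:4080:16::1",
          "ipv6.dst": "ff02::1:ff9e:e38e",
          "ipv6.addr": "ff02::1:ff9e:e38e",
          "ipv6.nxt": "58"
        },
        "icmpv6": {
          "icmpv6.type": "135",
          "icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e"
        }
      }
    }
  }
]"""


def _keep_duplicates(pairs):
    """object_pairs_hook: map every key to the list of all values seen for it."""
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, []).append(value)
    return obj


def load_export(text):
    """Parse a JSON export into packets whose objects keep duplicate keys.
    Every value becomes a list, so single-valued members are indexed with [0]."""
    return json.loads(text, object_pairs_hook=_keep_duplicates)


def iter_fields(node):
    """Yield (field, value) for every leaf under a multi-valued object,
    descending into subtrees such as "eth.dst_tree"."""
    for key, values in node.items():
        for value in values:
            if isinstance(value, dict):
                yield from iter_fields(value)
            else:
                yield key, value


def field_values(packet, name):
    """All values of `name` in one packet (Wireshark exports values as strings)."""
    layers = packet["_source"][0]["layers"][0]
    return [v for k, v in iter_fields(layers) if k == name]


def addresses(packet, proto="ipv6"):
    """Both endpoints of a packet, via the repeated '<proto>.addr' field."""
    return field_values(packet, f"{proto}.addr")


def plain_load_addr(text):
    """What a default json.loads() keeps for the repeated key: only the last value."""
    return json.loads(text)[0]["_source"]["layers"]["ipv6"]["ipv6.addr"]


if __name__ == "__main__":
    pkt = load_export(SAMPLE_JSON)[0]
    print(field_values(pkt, "frame.protocols")[0].split(":"))
    print(addresses(pkt))                  # both addresses
    print(plain_load_addr(SAMPLE_JSON))    # only "ff02::1:ff9e:e38e"
```

The same hook works unchanged on the output of `tshark -T json`, which produces the same structure as the dialog; convert numeric fields yourself, since every value arrives as a string.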
[[ChIOExportSelectedDialog]]
==== The “Export Selected Packet Bytes” Dialog Box
Export the bytes selected in the “Packet Bytes” pane into a raw binary file.
.The “Export Selected Packet Bytes” dialog box
image::wsug_graphics/ws-export-selected.png[{medium-screenshot-attrs}]
File name::
The file name to export the packet data to.
Save as type::
The file extension.
[[ChIOExportPDUSDialog]]
==== The “Export PDUs to File...” Dialog Box
{missing}
[[ChIOExportTLSSessionKeys]]
==== The “Export TLS Session Keys...” Dialog Box
{missing}
[[ChIOExportObjectsDialog]]
==== The “Export Objects” Dialog Box
This feature scans through the selected protocol's streams in the currently
open capture file or running capture and allows the user to export reassembled
objects to the disk. For example, if you select HTTP, you can export HTML
documents, images, executables, and any other files transferred over HTTP
to the disk. If you have a capture running, this list is automatically
updated every few seconds with any new objects seen. The saved objects can then
be opened or examined independently of Wireshark.
.The “Export Objects” dialog box
image::wsug_graphics/ws-export-objects.png[{screenshot-attrs}]
Columns:
Packet::
The packet number in which this object was found. In some
cases, there can be multiple objects in the same packet.
Hostname::
The hostname of the server that sent this object.
Content Type::
The content type of this object.
Size::
The size of this object in bytes.
Filename::
The filename for this object. Each protocol generates
the filename differently. For example, HTTP uses the
final part of the URI and IMF uses the subject of the email.
Inputs:
Text Filter::
Only displays objects containing the specified text string.
Help::
Opens this section of the “User's Guide”.
Save All::
Saves all objects (including those not displayed) using the filename from the
filename column. You will be asked what directory or folder to save them in.
Close::
Closes the dialog without exporting.
Save::
Saves the currently selected object as a filename you specify. The
default filename to save as is taken from the filename column of the objects
list.
[[ChIOPrintSection]]
=== Printing Packets
To print packets, select the menu:File[Print...] menu item.
Wireshark will display the “Print” dialog box as shown below.
[WARNING]
.It's easy to waste paper doing this
====
Printed output can contain lots of text, particularly if you print packet details and bytes.
====
==== The “Print” Dialog Box
[[ChIOPrintDialogBox]]
.The “Print” dialog box
image::wsug_graphics/ws-print.png[{medium-screenshot-attrs}]
The “Print” dialog box has a preview area that shows the effect of the packet format settings.
You can zoom in and out using the kbd:[{plus}] and kbd:[-] keys and reset the zoom level using the kbd:[0] key.
The following settings are available in the Print dialog box:
Packet Format::
Lets you specify what gets printed. See <<ChIOPacketFormatFrame>> for details.
Summary line:::
Include a summary line for each packet.
The line will contain the same fields as the packet list.
Details:::
Print details for each packet.
Bytes:::
Print a hex dump of each packet.
Packet Range::
Select the packets to be printed. See <<ChIOPacketRangeSection>> for details.
btn:[Page Setup...] lets you select the page size and orientation.
btn:[Print...] prints to your default printer.
btn:[Cancel] will close the dialog without printing.
btn:[Help] will display this section of the “User's Guide”.
[[ChIOPacketRangeSection]]
=== The “Packet Range” Frame
The packet range frame is a part of the “<<ChIOExportSpecifiedPacketsDialog,Export Specified Packets>>,” “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>,” and “<<ChIOPrintSection,Print>>” dialog boxes.
You can use it to specify which packets will be exported or printed.
[[ChIOPacketRangeFrame]]
.The “Packet Range” frame
image::wsug_graphics/ws-packet-range.png[{medium-screenshot-attrs}]
By default the btn:[Displayed] button is set, which only exports or prints the packets that match the current display filter.
Selecting btn:[Captured] will export or print all packets.
You can further limit what you export or print to the following:
All packets::
All captured or displayed packets depending on the primary selection above.
Selected packet::
Only the selected packet.
Marked packets::
Only marked packets. See <<ChWorkMarkPacketSection>>.
First to last marked::
Selects the inclusive range of packets from the first marked packet to the last marked packet.
Range::
Lets you manually specify a range of packets, e.g. _5,10-15,20-_ will process the packet number five, the packets from packet number ten to fifteen (inclusive) and every packet from number twenty to the end of the capture.
Remove ignored packets::
Don't export or print ignored packets.
See <<ChWorkIgnorePacketSection>>.
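An added example, not code from Wireshark or this guide: a small Python parser for the range syntax described above, with the inclusive and open-ended semantics shown for _5,10-15,20-_, applied to a constructed list of packet numbers.

```python
"""Parse a packet range such as "5,10-15,20-" and apply it to packet numbers."""


def parse_packet_range(spec):
    """Return (start, end) pairs with inclusive bounds; end is None for an
    open-ended range such as "20-" (everything to the end of the capture)."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            start = int(lo)                       # "-5" is rejected here
            end = int(hi) if hi.strip() else None
            if end is not None and end < start:
                raise ValueError(f"descending range {part!r}")
        else:
            start = end = int(part)
        if start < 1:
            raise ValueError(f"packet numbers start at 1, got {part!r}")
        ranges.append((start, end))
    return ranges


def in_packet_range(number, ranges):
    """True when `number` falls inside any of the parsed ranges."""
    return any(lo <= number and (hi is None or number <= hi) for lo, hi in ranges)


def select_packets(numbers, spec):
    """Keep the packet numbers the Range control would export or print."""
    ranges = parse_packet_range(spec)
    return [n for n in numbers if in_packet_range(n, ranges)]


if __name__ == "__main__":
    # constructed capture of 25 packets
    print(select_packets(range(1, 26), "5,10-15,20-"))
```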
[[ChIOPacketFormatSection]]
=== The Packet Format Frame
The packet format frame is also a part of the “<<ChIOExportPacketDissectionsDialog,Export Packet Dissections>>” and “<<ChIOPrintSection,Print>>” dialog boxes.
You can use it to specify which parts of dissection are exported or printed.
[[ChIOPacketFormatFrame]]
.The “Packet Format” frame
image::wsug_graphics/ws-packet-format.png[{small-screenshot-attrs}]
Each of the settings below corresponds to the packet list, packet details, and packet bytes panes in the main window.
Packet summary line::
Export or print each summary line as shown in the “Packet List” pane.
Packet details::
Export or print the contents of the “Packet Details” tree.
All collapsed:::
Export or print as if the “Packet Details” tree is in the “all collapsed” state.
As displayed:::
Export or print as if the “Packet Details” tree is in the “as displayed” state.
All expanded:::
Export or print as if the “Packet Details” tree is in the “all expanded” state.
Packet Bytes::
Export or print the contents of the “Packet Bytes” pane.
Each packet on a new page::
For printing and some export formats, put each packet on a separate page.
For example, when exporting to a text file this will put a form feed character between each packet.
// End of WSUG Chapter IO