osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/docbook/wsug_src/WSUG_chapter_work.adoc

1141 lines
40 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// WSUG Chapter Work
[[ChapterWork]]
== Working With Captured Packets
[[ChWorkViewPacketsSection]]
=== Viewing Packets You Have Captured
Once you have captured some packets or you have opened a previously saved
capture file, you can view the packets that are displayed in the packet list
pane by simply clicking on a packet in the packet list pane, which will bring up
the selected packet in the tree view and byte view panes.
You can then expand any part of the tree to view detailed information about each
protocol in each packet. Clicking on an item in the tree will highlight the
corresponding bytes in the byte view. An example with a TCP packet selected is
shown in <<ChWorkSelPack1>>. It also has the Acknowledgment number in the TCP
header selected, which shows up in the byte view as the selected bytes.
[[ChWorkSelPack1]]
.Wireshark with a TCP packet selected for viewing
image::wsug_graphics/ws-packet-selected.png[{screenshot-attrs}]
You can also select and view packets the same way while Wireshark is capturing
if you selected “Update list of packets in real time” in the “Capture
Preferences” dialog box.
In addition you can view individual packets in a separate window as shown in
<<ChWorkPacketSepView>>. You can do this by double-clicking on an item in the
packet list or by selecting the packet in which you are interested in the packet
list pane and selecting menu:View[Show Packet in New Window]. This allows you to
easily compare two or more packets, even across multiple files.
[[ChWorkPacketSepView]]
.Viewing a packet in a separate window
image::wsug_graphics/ws-packet-sep-win.png[{screenshot-attrs}]
Along with double-clicking the packet list and using the main menu there are a
number of other ways to open a new packet window:
- Hold down the shift key and double-click on a frame link in the packet
details.
- From <<PacketListPopupMenuTable>>.
- From <<PacketDetailsPopupMenuTable>>.
[[ChWorkDisplayPopUpSection]]
=== Pop-up Menus
You can open a pop-up menu over the “Packet List”, its column heading,
“Packet Details”, or “Packet Bytes” by clicking your right mouse button
on the corresponding item.
[[ChWorkColumnHeaderPopUpMenuSection]]
==== Pop-up Menu Of The “Packet List” Column Header
[[ChWorkColumnHeaderPopUpMenu]]
.Pop-up menu of the “Packet List” column header
image::wsug_graphics/ws-column-header-popup-menu.png[{screenshot-attrs}]
The following table gives an overview of which functions are available
in this header, where to find the corresponding function in the main
menu, and a description of each item.
[[ColumnHeaderPopupMenuTable]]
.The menu items of the “Packet List” column header pop-up menu
[options="header",cols="3,7"]
|===============
|Item |Description
|menu:Align Left[] |
Left-align values in this column.
|menu:Align Center[] |
Center-align values in this column.
|menu:Align Right[] |
Right-align values in this column.
|menu:Column Preferences...[] |
Open the “Preferences” dialog for this column.
|menu:Edit Column[] |
Open the column editor toolbar for this column.
|menu:Resize To Contents[] |
Resize the column to fit its values.
|menu:Resolve Names[] |
If this column contains addresses, resolve them.
| _No., Time, Source, et al_ |
Show or hide a column by selecting its item.
|menu:Remove Column[] |
Remove this column, similar to deleting it in the “Preferences” dialog.
|===============
[[ChWorkPacketListPanePopUpMenuSection]]
==== Pop-up Menu Of The “Packet List” Pane
[[ChWorkPacketListPanePopUpMenu]]
.Pop-up menu of the “Packet List” pane
image::wsug_graphics/ws-packet-pane-popup-menu.png[{screenshot-attrs}]
The following table gives an overview of which functions are available
in this pane, where to find the corresponding function in the main menu,
and a short description of each item.
[[PacketListPopupMenuTable]]
.The menu items of the “Packet List” pop-up menu
[options="header",cols="3,1,6"]
|===============
|Item |Corresponding main menu item |Description
|menu:Mark Packet (toggle)[]|menu:Edit[]| Mark or unmark a packet.
|menu:Ignore Packet (toggle)[]|menu:Edit[]| Ignore or inspect this packet while dissecting the capture file.
|menu:Set Time Reference (toggle)[]|menu:Edit[]| Set or reset a time reference.
|menu:Time Shift[] |menu:Edit[] |
Opens the “Time Shift” dialog, which allows you to adjust the timestamps
of some or all packets.
|menu:Packet Comment...[] |menu:Edit[] |
Opens the “Packet Comment” dialog, which lets you add a comment to a
single packet. Note that the ability to save packet comments depends on
your file format. E.g. pcapng supports comments, pcap does not.
|menu:Edit Resolved Name[]||
Allows you to enter a name to resolve for the selected address.
|menu:Apply as Filter[]|menu:Analyze[]| Prepare and apply a display filter based on the currently selected item.
|menu:Prepare a Filter[]|menu:Analyze[]| Prepare a display filter based on the currently selected item.
// XXX - add a new section describing this better.
|menu:Conversation Filter[] ||
This menu item applies a display filter with the address information
from the selected packet. For example, the IP menu entry will set a
filter to show the traffic between the two IP addresses of the current
packet.
|menu:Colorize Conversation[] ||
This menu item uses a display filter with the address information from
the selected packet to build a new colorizing rule.
|menu:SCTP[] ||
Allows you to analyze and prepare a filter for this SCTP association.
|menu:Follow[TCP Stream] |menu:Analyze[] |
This menu item brings up a separate window and displays all the TCP
segments captured that are on the same TCP connection as a selected
packet, see <<ChAdvFollowStreamSection>>
|menu:Follow[UDP Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for UDP “streams”.
|menu:Follow[TLS Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for TLS or SSL streams.
See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions
on providing TLS keys.
|menu:Follow[HTTP Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for HTTP streams.
|menu:Copy[Summary as Text] ||
Copy the summary fields as displayed to the clipboard as tab-separated
text.
|menu:Copy[...as CSV] ||
Copy the summary fields as displayed to the clipboard as comma-separated
text.
|menu:Copy[...as YAML] ||
Copy the summary fields as displayed to the clipboard as YAML data.
|menu:Copy[As Filter] ||
Prepare a display filter based on the currently selected item and copy
that filter to the clipboard.
|menu:Copy[Bytes as Hex + ASCII Dump] ||
Copy the packet bytes to the clipboard in full “hexdump” format.
|menu:Copy[...as Hex Dump] ||
Copy the packet bytes to the clipboard in “hexdump” format without the
ASCII portion.
|menu:Copy[...as Printable Text] ||
Copy the packet bytes to the clipboard as ASCII text, excluding
non-printable characters.
|menu:Copy[...as a Hex Stream] ||
Copy the packet bytes to the clipboard as an unpunctuated list of hex
digits.
|menu:Copy[...as Raw Binary] ||
Copy the packet bytes to the clipboard as raw binary. The data is stored
in the clipboard using the MIME type “application/octet-stream”.
|menu:Protocol Preferences[] ||
Adjust the preferences for the selected protocol.
|menu:Decode As...[] |menu:Analyze[] |
Change or apply a new relation between two dissectors.
|menu:Show Packet in New Window[] |menu:View[] |
Shows the selected packet in a separate window. The separate window
shows only the packet details and bytes. See <<ChWorkPacketSepView>> for
details.
|===============
[[ChWorkPacketDetailsPanePopUpMenuSection]]
==== Pop-up Menu Of The “Packet Details” Pane
[[ChWorkPacketDetailsPanePopUpMenu]]
.Pop-up menu of the “Packet Details” pane
image::wsug_graphics/ws-details-pane-popup-menu.png[{screenshot-attrs}]
The following table gives an overview of which functions are available in this
pane, where to find the corresponding function in the main menu, and a short
description of each item.
[[PacketDetailsPopupMenuTable]]
.The menu items of the “Packet Details” pop-up menu
[options="header",cols="3,1,6"]
|===============
|Item |Corresponding main menu item |Description
|menu:Expand Subtrees[]|menu:View[]| Expand the currently selected subtree.
|menu:Collapse Subtrees[]|menu:View[]| Collapse the currently selected subtree.
|menu:Expand All[]|menu:View[]| Expand all subtrees in all packets in the capture.
|menu:Collapse All[]|menu:View[]| Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.
|menu:Apply as Column[]|| Use the selected protocol item to create a new column in the packet list.
|menu:Apply as Filter[]|menu:Analyze[]| Prepare and apply a display filter based on the currently selected item.
|menu:Prepare a Filter[]|menu:Analyze[]| Prepare a display filter based on the currently selected item.
|menu:Colorize with Filter[]|| This menu item uses a display filter with the information from the selected protocol item to build a new colorizing rule.
|menu:Follow[TCP Stream] |menu:Analyze[] |
This menu item brings up a separate window and displays all the TCP
segments captured that are on the same TCP connection as a selected
packet, see <<ChAdvFollowStreamSection>>
|menu:Follow[UDP Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for UDP “streams”.
|menu:Follow[TLS Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for TLS or SSL streams.
See the wiki page on link:{wireshark-wiki-url}SSL[SSL] for instructions
on providing TLS keys.
|menu:Follow[HTTP Stream] |menu:Analyze[] |
Same functionality as “Follow TCP Stream” but for HTTP streams.
|menu:Copy[All Visible Items] |menu:Edit[] |
Copy the packet details as displayed.
|menu:Copy[All Visible Selected Tree Items] |menu:Edit[] |
Copy the selected packet detail and its children as displayed.
|menu:Copy[Description] |menu:Edit[] |
Copy the displayed text of the selected field to the system clipboard.
|menu:Copy[Fieldname] |menu:Edit[] |
Copy the name of the selected field to the system clipboard.
|menu:Copy[Value] |menu:Edit[] |
Copy the value of the selected field to the system clipboard.
|menu:Copy[As Filter]| menu:Edit[] |
Prepare a display filter based on the currently selected item and copy
it to the clipboard.
|menu:Copy[Bytes as Hex + ASCII Dump] ||
Copy the packet bytes to the clipboard in full “hexdump” format.
|menu:Copy[...as Hex Dump] ||
Copy the packet bytes to the clipboard in “hexdump” format without the
ASCII portion.
|menu:Copy[...as Printable Text] ||
Copy the packet bytes to the clipboard as ASCII text, excluding
non-printable characters.
|menu:Copy[...as a Hex Stream] ||
Copy the packet bytes to the clipboard as an unpunctuated list of hex
digits.
|menu:Copy[...as Raw Binary] ||
Copy the packet bytes to the clipboard as raw binary. The data is stored
in the clipboard using the MIME type “application/octet-stream”.
|menu:Copy[...as Escaped String] ||
Copy the packet bytes to the clipboard as C-style escape sequences.
|menu:Export Packet Bytes...[] |menu:File[] |
This menu item is the same as the File menu item of the same name. It
allows you to export raw packet bytes to a binary file.
|menu:Wiki Protocol Page[]|| Show the wiki page corresponding to the currently selected protocol in your web browser.
|menu:Filter Field Reference[]|| Show the filter field reference web page corresponding to the currently selected protocol in your web browser.
|menu:Protocol Preferences[] ||
Adjust the preferences for the selected protocol.
|menu:Decode As...[]|menu:Analyze[]| Change or apply a new relation between two dissectors.
|menu:Go to Linked Packet[] |menu:Go[] |
If the selected field has a corresponding packet such as the matching
request for a DNS response, go to it.
|menu:Show Linked Packet in New Window[] |menu:Go[] |
If the selected field has a corresponding packet such as the matching
request for a DNS response, show the selected packet in a separate
window. See <<ChWorkPacketSepView>> for details.
|===============
[[ChWorkPacketBytesPanePopUpMenuSection]]
==== Pop-up Menu Of The “Packet Bytes” Pane
[[ChWorkPacketBytesPanePopUpMenu]]
.Pop-up menu of the “Packet Bytes” pane
image::wsug_graphics/ws-bytes-pane-popup-menu.png[{screenshot-attrs}]
The following table gives an overview of which functions are available
in this pane along with a short description of each item.
[[PacketBytesPopupMenuTable]]
.The menu items of the “Packet Bytes” pop-up menu
[options="header",cols="3,7"]
|===============
|Item |Description
|menu:Copy Bytes as Hex + ASCII Dump[] |
Copy the packet bytes to the clipboard in full “hexdump” format.
|menu:...as Hex Dump[] |
Copy the packet bytes to the clipboard in “hexdump” format without the
ASCII portion.
|menu:...as Printable Text[] |
Copy the packet bytes to the clipboard as ASCII text, excluding
non-printable characters.
|menu:...as a Hex Stream[] |
Copy the packet bytes to the clipboard as an unpunctuated list of hex
digits.
|menu:...as Raw Binary[] |
Copy the packet bytes to the clipboard as raw binary. The data is stored
in the clipboard using the MIME type “application/octet-stream”.
|menu:...as Escaped String[] |
Copy the packet bytes to the clipboard as C-style escape sequences.
|menu:Show bytes as hexadecimal[] |
Display the byte data as hexadecimal digits.
|menu:Show bytes as bits[] |
Display the byte data as binary digits.
|menu:Show text based on packet[] |
Show the “hexdump” data with text.
|menu:...as ASCII[] |
Use ASCII encoding when displaying “hexdump” text.
|menu:...as EBCDIC[] |
Use EBCDIC encoding when displaying “hexdump” text.
|===============
[[ChWorkDisplayFilterSection]]
=== Filtering Packets While Viewing
Wireshark has two filtering languages: One used when capturing packets, and one
used when displaying packets. In this section we explore that second type of
filter: Display filters. The first one has already been dealt with in
<<ChCapCaptureFilterSection>>.
Display filters allow you to concentrate on the packets you are interested in
while hiding the currently uninteresting ones. They allow you to select packets
by:
* Protocol
* The presence of a field
* The values of fields
* A comparison between fields
* ... and a lot more!
To select packets based on protocol type, simply type the protocol in which you
are interested in the _Filter:_ field in the filter toolbar of the Wireshark
window and press enter to initiate the filter. <<ChWorkTCPFilter>> shows an
example of what happens when you type _tcp_ in the filter field.
[NOTE]
====
All protocol and field names are entered in lowercase. Also, dont forget to press enter after entering the filter expression.
====
[[ChWorkTCPFilter]]
.Filtering on the TCP protocol
image::wsug_graphics/ws-display-filter-tcp.png[{screenshot-attrs}]
As you might have noticed, only packets of the TCP protocol are displayed now
(e.g. packets 1-10 are hidden). The packet numbering will remain as before, so
the first packet shown is now packet number 11.
[NOTE]
====
When using a display filter, all packets remain in the capture file. The display
filter only changes the display of the capture file but not its content!
====
You can filter on any protocol that Wireshark understands. You can also filter
on any field that a dissector adds to the tree view, but only if the dissector
has added an abbreviation for the field. A list of such fields is available in
Wireshark in the _Add Expression..._ dialog box. You can find more information
on the _Add Expression..._ dialog box in <<ChWorkFilterAddExpressionSection>>.
For example, to narrow the packet list pane down to only those packets to or
from the IP address 192.168.0.1, use `ip.addr==192.168.0.1`.
[NOTE]
====
To remove the filter, click on the btn:[Clear] button to the right of the filter field.
====
[[ChWorkBuildDisplayFilterSection]]
=== Building Display Filter Expressions
Wireshark provides a simple but powerful display filter language that allows you
to build quite complex filter expressions. You can compare values in packets as
well as combine expressions into more specific expressions. The following
sections provide more information on doing this.
[TIP]
====
You will find a lot of Display Filter examples at the _Wireshark Wiki Display
Filter page_ at: link:{wireshark-wiki-url}DisplayFilters[].
====
==== Display Filter Fields
Every field in the packet details pane can be used as a filter string, this will
result in showing only the packets where this field exists. For example: the
filter string: _tcp_ will show all packets containing the tcp protocol.
There is a complete list of all filter fields available through the menu item
menu:View[Internals,Supported Protocols].
// XXX - add some more info here and a link to the statusbar info.
==== Comparing Values
You can build display filters that compare values using a number of different
comparison operators. They are shown in <<DispCompOps>>.
[TIP]
====
You can use English and C-like terms in the same way, they can even be mixed in a filter string.
====
[[DispCompOps]]
.Display Filter comparison operators
[options="header",cols="1,1,4"]
|===============
|English|C-like|Description and example
|eq |== |Equal. `ip.src==10.0.0.5`
|ne |!= |Not equal. `ip.src!=10.0.0.5`
|gt |> |Greater than. `frame.len > 10`
|lt |< |Less than. `frame.len < 128`
|ge |>= |Greater than or equal to. `frame.len ge 0x100`
|le |\<= |Less than or equal to. `frame.len <= 0x20`
|contains||Protocol, field or slice contains a value. `sip.To contains "a1762"`
|matches|~|Protocol or text field match Perl regualar expression. `http.host matches "acme\.(org\|com\|net)"`
|bitwise_and|&|Compare bit field value. `tcp.flags & 0x02`
|===============
In addition, all protocol fields have a type. <<ChWorkFieldTypes>> provides a list
of the types and example of how to express them.
[[ChWorkFieldTypes]]
.Display Filter Field Types
Unsigned integer::
Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, octal,
or hexadecimal. The following display filters are equivalent:
ip.len le 1500
ip.len le 02734
ip.len le 0x5dc
Signed integer::
Can be 8, 16, 24, 32, or 64 bits. As with unsigned integers you can use
decimal, octal, or hexadecimal.
Boolean::
A boolean field is present in the protocol decode only if its value is true. For
example, `tcp.flags.syn` is present, and thus true, only if the SYN flag is
present in a TCP segment header.
The filter expression `tcp.flags.syn` will select only those packets for which
this flag exists, that is, TCP segments where the segment header contains the
SYN flag. Similarly, to find source-routed token ring packets, use a filter
expression of `tr.sr`.
Ethernet address::
6 bytes separated by a colon (:), dot (.) or dash (-) with one or two bytes between separators:
eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff
eth.dst == ffff.ffff.ffff
IPv4 address::
ip.addr == 192.168.0.1
Classless InterDomain Routing (CIDR) notation can be used to test if
an IPv4 address is in a certain subnet. For example, this display
filter will find all packets in the 129.111 Class-B network:
ip.addr == 129.111.0.0/16
IPv6 address::
`ipv6.addr == ::1`
As with IPv4 addresses, IPv6 addresses can match a subnet.
Text string::
`http.request.uri == "https://www.wireshark.org/"`
----
udp contains 81:60:03
----
The example above match packets that contains the 3-byte sequence 0x81, 0x60,
0x03 anywhere in the UDP header or payload.
----
sip.To contains "a1762"
----
Above example match packets where SIP To-header contains the string "a1762"
anywhere in the header.
----
http.host matches "acme\.(org|com|net)"
----
The example above match HTTP packets where the HOST header contains acme.org or acme.com
or acme.net. Comparisons are case-insensitive. Note: Wireshark needs to be built with
libpcre in order to be able to use the `matches` resp. `{tilde}` operator.
----
tcp.flags & 0x02
----
That expression will match all packets that contain a “tcp.flags” field with the 0x02 bit,
i.e. the SYN bit, set.
==== Combining Expressions
You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>>
[[FiltLogOps]]
.Display Filter Logical Operations
[options="header",cols="1,1,4"]
|===============
|English|C-like|Description and example
|and |&amp;&amp;| Logical AND. `ip.src==10.0.0.5 and tcp.flags.fin`
|or |\|\| | Logical OR. `ip.scr==10.0.0.5 or ip.src==192.1.1.1`
|xor |^^ | Logical XOR. `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29`
|not |! | Logical NOT. `not llc`
|[...] | | See “Slice Operator” below.
|in | | See “Membership Operator” below.
|===============
==== Slice Operator
Wireshark allows you to select subsequences of a sequence in rather elaborate
ways. After a label you can place a pair of brackets [] containing a comma
separated list of range specifiers.
----
eth.src[0:3] == 00:00:83
----
The example above uses the n:m format to specify a single range. In this case n
is the beginning offset and m is the length of the range being specified.
----
eth.src[1-2] == 00:83
----
The example above uses the n-m format to specify a single range. In this case n
is the beginning offset and m is the ending offset.
----
eth.src[:4] == 00:00:83:00
----
The example above uses the :m format, which takes everything from the beginning
of a sequence to offset m. It is equivalent to 0:m
----
eth.src[4:] == 20:20
----
The example above uses the n: format, which takes everything from offset n to
the end of the sequence.
----
eth.src[2] == 83
----
The example above uses the n format to specify a single range. In this case the
element in the sequence at offset n is selected. This is equivalent to n:1.
----
eth.src[0:3,1-2,:4,4:,2] ==
00:00:83:00:83:00:00:83:00:20:20:83
----
Wireshark allows you to string together single ranges in a comma separated list
to form compound ranges as shown above.
==== Membership Operator
Wireshark allows you to test a field for membership in a set of values or
fields. After the field name, use the in operator followed by the set items
surrounded by braces {}.
----
tcp.port in {80 443 8080}
----
This can be considered a shortcut operator, as the previous expression could
have been expressed as:
----
tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
----
The set of values can also contain ranges:
----
tcp.port in {443 4430..4434}
----
This is not merely a shortcut for `tcp.port == 443 || (tcp.port >= 4430 &&
tcp.port <= 4434)`. Comparison operators are usually satisfied when any field
matches the filter, and thus a packet with ports 80 and 56789 would match this
alternative display filter since `56789 >= 4430 && 80 <= 4434` is true. The
membership operator instead tests the same field against the range condition.
Sets are not just limited to numbers, other types can be used as well:
----
http.request.method in {"HEAD" "GET"}
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}
----
==== Functions
The display filter language has a number of functions to convert fields, see
<<DispFunctions>>.
[[DispFunctions]]
.Display Filter Functions
[options="header",cols="1,4"]
|===============
|Function|Description
|upper |Converts a string field to uppercase.
|lower |Converts a string field to lowercase.
|len |Returns the byte length of a string or bytes field.
|count |Returns the number of field occurrences in a frame.
|string |Converts a non-string field to a string.
|===============
The `upper` and `lower` functions can used to force case-insensitive matches:
`lower(http.server) contains "apache"`.
To find HTTP requests with long request URIs: `len(http.request.uri) > 100`.
Note that the `len` function yields the string length in bytes rather than
(multi-byte) characters.
Usually an IP frame has only two addresses (source and destination), but in case
of ICMP errors or tunneling, a single packet might contain even more addresses.
These packets can be found with `count(ip.addr) > 2`.
The `string` function converts a field value to a string, suitable for use with operators
like "matches" or "contains". Integer fields are converted to their decimal representation.
It can be used with IP/Ethernet addresses (as well as others), but not with string or
byte fields.
For example, to match odd frame numbers:
----
string(frame.number) matches "[13579]$"
----
to match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
----
string(ip.dst) matches "^172\.(1[6-9]|2[0-9]|3[0-1])\..{1,3}\.255"
----
[[ChWorkBuildDisplayFilterMistake]]
==== A Common Mistake
Using the != operator on combined expressions like eth.addr, ip.addr,
tcp.port, and udp.port will probably not work as expected. Wireshark
will show the warning “"!=" is deprecated or may have unexpected
results” when you use it.
Often people use a filter string to display something like `ip.addr == 1.2.3.4`
which will display all packets containing the IP address 1.2.3.4.
Then they use `ip.addr != 1.2.3.4` to see all packets not containing the IP
address 1.2.3.4 in it. Unfortunately, this does _not_ do the expected.
Instead, that expression will even be true for packets where either source or
destination IP address equals 1.2.3.4. The reason for this, is that the
expression `ip.addr != 1.2.3.4` must be read as “the packet contains a field
named ip.addr with a value different from 1.2.3.4”. As an IP datagram contains
both a source and a destination address, the expression will evaluate to true
whenever at least one of the two addresses differs from 1.2.3.4.
If you want to filter out all packets containing IP datagrams to or from IP
address 1.2.3.4, then the correct filter is `!(ip.addr == 1.2.3.4)` as it reads
“show me all the packets for which it is not true that a field named ip.addr
exists with a value of 1.2.3.4”, or in other words, “filter out all packets
for which there are no occurrences of a field named ip.addr with the value
1.2.3.4”.
[[ChWorkBuildDisplayFilterTransitional]]
==== Sometimes Fields Change Names
As protocols evolve they sometimes change names or are superseded by
newer standards. For example, DHCP extends and has largely replaced
BOOTP and TLS has replaced SSL. If a protocol dissector originally used
the older names and fields for a protocol the Wireshark development team
might update it to use the newer names and fields. In such cases they
will add an alias from the old protocol name to the new one in order to
make the transition easier.
For example, the DHCP dissector was originally developed for the BOOTP
protocol but as of Wireshark 3.0 all of the “bootp” display filter
fields have been renamed to their “dhcp” equivalents. You can still use
the old filter names for the time being, e.g. “bootp.type” is equivalent
to “dhcp.type” but Wireshark will show the warning “"bootp.type" is
deprecated or may have unexpected results” when you use it. Support for
the deprecated fields may be removed in the future.
[[ChWorkFilterAddExpressionSection]]
=== The “Filter Expression” Dialog Box
When you are accustomed to Wiresharks filtering system and know what labels you
wish to use in your filters it can be very quick to simply type a filter string.
However if you are new to Wireshark or are working with a slightly unfamiliar
protocol it can be very confusing to try to figure out what to type. The
“Filter Expression” dialog box helps with this.
[TIP]
====
The “Filter Expression” dialog box is an excellent way to learn how to write
Wireshark display filter strings.
====
[[ChWorkFilterAddExpression1]]
.The “Filter Expression” dialog box
image::wsug_graphics/ws-filter-add-expression.png[{screenshot-attrs}]
When you first bring up the Filter Expression dialog box you are shown a tree
of field names, organized by protocol, and a box for selecting a relation.
_Field Name_::
Select a protocol field from the protocol field tree. Every protocol with
filterable fields is listed at the top level. (You can search for a particular
protocol entry by entering the first few letters of the protocol name). By
expanding a protocol name you can get a list of the field names available for
filtering for that protocol.
_Relation_::
Select a relation from the list of available relation. The _is present_ is a
unary relation which is true if the selected field is present in a packet. All
other listed relations are binary relations which require additional data (e.g.
a _Value_ to match) to complete.
When you select a field from the field name list and select a binary relation
(such as the equality relation ==) you will be given the opportunity to enter a
value, and possibly some range information.
_Value_::
You may enter an appropriate value in the _Value_ text box. The _Value_ will
also indicate the type of value for the _field name_ you have selected (like
character string).
_Predefined values_::
Some of the protocol fields have predefined values available, much like enums
in C. If the selected protocol field has such values defined, you can choose one
of them here.
_Range_::
A range of integers or a group of ranges, such as `1-12` or `39-42,98-2000`.
_OK_::
When you have built a satisfactory expression click btn:[OK] and a filter string
will be built for you.
_Cancel_::
You can leave the “Add Expression...” dialog box without any effect by
clicking the btn:[Cancel] button.
[[ChWorkDefineFilterSection]]
=== Defining And Saving Filters
You can define filters with Wireshark and give them labels for later use. This
can save time in remembering and retyping some of the more complex filters you
use.
To define a new filter or edit an existing one, select menu:Capture[Capture
Filters...] or menu:Analyze[Display Filters...]. Wireshark will then pop up the
Filters dialog as shown in
<<FiltersDialog>>.
The mechanisms for defining and saving capture filters and display filters are
almost identical. Both will be described here but the differences between these two
will be marked as such.
[WARNING]
====
You must use btn:[Save] to save your filters permanently. btn:[OK] or
btn:[Apply] will not save the filters and they will be lost when you close
Wireshark.
====
[[FiltersDialog]]
.The “Capture Filters” and “Display Filters” dialog boxes
image::wsug_graphics/ws-filters.png[{screenshot-attrs}]
_New_::
This button adds a new filter to the list of filters. The currently entered
values from Filter name and Filter string will be used. If any of these fields
are empty, it will be set to “new”.
_Delete_::
This button deletes the selected filter. It will be greyed out, if no filter is
selected.
_Filter_::
You can select a filter from this list (which will fill in the filter name and
filter string in the fields down at the bottom of the dialog box).
_Filter name:_::
You can change the name of the currently selected filter here.
+
The filter name will only be used in this dialog to identify the filter for your
convenience, it will not be used elsewhere. You can add multiple filters with
the same name, but this is not very useful.
_Filter string:_::
You can change the filter string of the currently selected filter here. Display
Filter only: the string will be syntax checked while you are typing.
_Add Expression..._::
Display Filter only: This button brings up the Add Expression dialog box which
assists in building filter strings. You can find more information about the Add
Expression dialog in <<ChWorkFilterAddExpressionSection>>
_OK_::
Display Filter only: This button applies the selected filter to the current
display and closes the dialog.
_Apply_::
Display Filter only: This button applies the selected filter to the current
display, and keeps the dialog open.
_Save_::
Save the current settings in this dialog. The file location and format is
explained in <<AppFiles>>.
_Close_::
Close this dialog. This will discard unsaved settings.
[[ChWorkDefineFilterMacrosSection]]
=== Defining And Saving Filter Macros
You can define filter macros with Wireshark and give them labels for later use.
This can save time in remembering and retyping some of the more complex filters
you use.
// XXX - add an explanation of this.
[[ChWorkFindPacketSection]]
=== Finding Packets
You can easily find packets once you have captured some packets or have
read in a previously saved capture file. Simply select menu:Edit[Find
Packet...] in the main menu. Wireshark will open a toolbar between the
main toolbar and the packet list shown in <<ChWorkFindPacketToolbar>>.
==== The “Find Packet” Toolbar
[[ChWorkFindPacketToolbar]]
.The “Find Packet” toolbar
image::wsug_graphics/ws-find-packet.png[{screenshot-attrs}]
You can search using the following criteria:
Display filter::
Enter a display filter string into the text entry field and click the btn:[Find] button.
+
For example, to find the three way handshake for a connection from host 192.168.0.1, use the following filter string:
+
----
ip.src==192.168.0.1 and tcp.flags.syn==1
----
+
The value to be found will be syntax checked while you type it in. If
the syntax check of your value succeeds, the background of the entry
field will turn green, if it fails, it will turn red. For more details
see <<ChWorkDisplayFilterSection>>
Hexadecimal Value::
Search for a specific byte sequence in the packet data.
+
For example, use “ef:bb:bf” to find the next packet that contains the
link:{wikipedia-main-url}/Byte_order_mark[UTF-8 byte order mark].
String::
Find a string in the packet data, with various options.
Regular Expression::
Search the packet data using link:{pcre2pattern-url}[Perl-compatible
regular expressions]. PCRE patterns are beyond the scope of this
document, but typing “pcre test” into your favorite search engine
should return a number of sites that will help you test and explore
your expressions.
[[ChWorkGoToPacketSection]]
=== Go To A Specific Packet
You can easily jump to specific packets with one of the menu items in
the menu:Go[] menu.
==== The “Go Back” Command
Go back in the packet history, works much like the page history in most
web browsers.
==== The “Go Forward” Command
Go forward in the packet history, works much like the page history in
most web browsers.
==== The “Go to Packet” Toolbar
[[ChWorkGoToPacketToolbar]]
.The “Go To Packet” toolbar
image::wsug_graphics/ws-goto-packet.png[{screenshot-attrs}]
This toolbar can be opened by selecting menu:Go[Go to packet...] from
the main menu. It appears between the main toolbar and the packet list,
similar to the <<ChWorkFindPacketToolbar,”Find Packet” toolbar>>.
When you enter a packet number and press press btn:[Go to packet]
Wireshark will jump to that packet.
==== The “Go to Corresponding Packet” Command
If a protocol field is selected which points to another packet in the capture
file, this command will jump to that packet.
As these protocol fields now work like links (just as in your Web browser), its
easier to simply double-click on the field to jump to the corresponding field.
==== The “Go to First Packet” Command
This command will jump to the first packet displayed.
==== The “Go to Last Packet” Command
This command will jump to the last packet displayed.
[[ChWorkMarkPacketSection]]
=== Marking Packets
You can mark packets in the “Packet List” pane. A marked packet will be shown
with black background, regardless of the coloring rules set. Marking a packet
can be useful to find it later while analyzing in a large capture file.
The packet marks are not stored in the capture file or anywhere else. All
packet marks will be lost when the capture file is closed.
You can use packet marking to control the output of packets when saving,
exporting, or printing. To do so, an option in the packet range is available,
see <<ChIOPacketRangeSection>>.
There are three functions to manipulate the marked state of a packet:
* _Mark packet (toggle)_ toggles the marked state of a single packet.
* _Mark all displayed packets_ set the mark state of all displayed packets.
* _Unmark all packets_ reset the mark state of all packets.
These mark functions are available from the “Edit” menu, and the “Mark packet
(toggle)” function is also available from the pop-up menu of the “Packet
List” pane.
[[ChWorkIgnorePacketSection]]
=== Ignoring Packets
You can ignore packets in the “Packet List” pane. Wireshark will then pretend
that this packets does not exist in the capture file. An ignored packet will be
shown with white background and gray foreground, regardless of the coloring
rules set.
The packet ignored marks are not stored in the capture file or anywhere else.
All “packet ignored” marks will be lost when you close the capture file.
There are three functions to manipulate the ignored state of a packet:
* _Ignore packet (toggle)_ toggles the ignored state of a single packet.
* _Ignore all displayed packets_ set the ignored state of all displayed packets.
* _Un-Ignore all packets_ reset the ignored state of all packets.
These ignore functions are available from the “Edit” menu, and the “Ignore
packet (toggle)” function is also available from the pop-up menu of the
“Packet List” pane.
[[ChWorkTimeFormatsSection]]
=== Time Display Formats And Time References
While packets are captured, each packet is timestamped. These timestamps will be
saved to the capture file, so they will be available for later analysis.
A detailed description of timestamps, timezones and alike can be found at:
<<ChAdvTimestamps>>.
The timestamp presentation format and the precision in the packet list can be
chosen using the View menu, see <<ChUseWiresharkViewMenu>>.
The available presentation formats are:
* _Date and Time of Day: 1970-01-01 01:02:03.123456_ The absolute date and time
of the day when the packet was captured.
* _Time of Day: 01:02:03.123456_ The absolute time of the day when the packet
was captured.
* _Seconds Since Beginning of Capture: 123.123456_ The time relative to the
start of the capture file or the first “Time Reference” before this packet
(see <<ChWorkTimeReferencePacketSection>>).
* _Seconds Since Previous Captured Packet: 1.123456_ The time relative to the
previous captured packet.
* _Seconds Since Previous Displayed Packet: 1.123456_ The time relative to the
previous displayed packet.
* _Seconds Since Epoch (1970-01-01): 1234567890.123456_ The time relative to
epoch (midnight UTC of January 1, 1970).
The available precisions (aka. the number of displayed decimal places) are:
* _Automatic_ The timestamp precision of the loaded capture file format will be
used (the default).
* _Seconds, Deciseconds, Centiseconds, Milliseconds, Microseconds or
Nanoseconds_ The timestamp precision will be forced to the given setting. If
the actually available precision is smaller, zeros will be appended. If the
precision is larger, the remaining decimal places will be cut off.
Precision example: If you have a timestamp and its displayed using, “Seconds
Since Previous Packet” the value might be 1.123456. This will be displayed
using the “Automatic” setting for libpcap files (which is microseconds). If
you use Seconds it would show simply 1 and if you use Nanoseconds it shows
1.123456000.
[[ChWorkTimeReferencePacketSection]]
==== Packet Time Referencing
The user can set time references to packets. A time reference is the starting
point for all subsequent packet time calculations. It will be useful, if you
want to see the time values relative to a special packet, e.g. the start of a
new request. Its possible to set multiple time references in the capture file.
The time references will not be saved permanently and will be lost when you
close the capture file.
Time referencing will only be useful if the time display format is set to
“Seconds Since Beginning of Capture”. If one of the other time display formats
are used, time referencing will have no effect (and will make no sense either).
To work with time references, choose one of the menu:Time Reference[] items in
the menu:[Edit] menu or from the pop-up menu of the “Packet List” pane. See
<<ChUseEditMenuSection>>.
* _Set Time Reference (toggle)_ Toggles the time reference state of the
currently selected packet to on or off.
* _Find Next_ Find the next time referenced packet in the “Packet List” pane.
* _Find Previous_ Find the previous time referenced packet in the “Packet
List” pane.
[[ChWorkTimeReference]]
.Wireshark showing a time referenced packet
image::wsug_graphics/ws-time-reference.png[{screenshot-attrs}]
A time referenced packet will be marked with the string $$*REF*$$ in the Time
column (see packet number 10). All subsequent packets will show the time since
the last time reference.
// End of WSUG Chapter Work
View Git Blame Copy Permalink