<!-- WSUG Chapter Capture -->

<!-- $Id$ -->
<chapter id="ChapterCapture">
  <title>Capturing Live Network Data</title>

  <section id="ChCapIntroduction">
    <title>Introduction</title>
    <para>
    Capturing live network data is one of the major features of Wireshark.
    </para>
    <para>
    The Wireshark capture engine provides the following features:
    </para>
    <para>
    <itemizedlist>
      <listitem><para>
      Capture from different kinds of network hardware (Ethernet, Token Ring,
      ATM, ...).
      </para></listitem>
      <listitem><para>
      Stop the capture on different triggers, such as the amount of captured
      data, the capture duration, or the number of captured packets.
      </para></listitem>
      <listitem><para>
      Simultaneously show decoded packets while Wireshark keeps on capturing.
      </para></listitem>
      <listitem><para>
      Filter packets, reducing the amount of data to be captured, see
      <xref linkend="ChCapCaptureFilterSection"/>.
      </para></listitem>
      <listitem><para>
      Capture into multiple files while doing a long term capture, and in
      addition optionally form a ring buffer of these files, keeping only
      the last n files, which is useful for a "very long term" capture, see
      <xref linkend="ChCapCaptureFiles"/>.
      </para></listitem>
    </itemizedlist>
    The capture engine still lacks the following features:
    <itemizedlist>
      <listitem><para>
      Simultaneous capturing from multiple network interfaces (however, you
      can start multiple instances of Wireshark and merge the capture files
      later).
      </para></listitem>
      <listitem><para>
      Stop capturing (or doing some other action), depending on the captured
      data.
      </para></listitem>
    </itemizedlist>
    </para>
  </section>
  <section id="ChCapPrerequisitesSection"><title>Prerequisites</title>
    <para>
    Setting up Wireshark to capture packets for the first time can be tricky.
    </para>
    <tip><title>Tip!</title><para>
    A comprehensive guide "How To setup a Capture" is available at:
    <ulink url="&WiresharkWikiPage;/CaptureSetup">&WiresharkWikiPage;/CaptureSetup</ulink>.
    </para></tip>
    <para>
    Here are some common pitfalls:
    <itemizedlist>
      <listitem>
        <para>
        You need to have root / Administrator privileges to start a live
        capture.
        </para>
      </listitem>
      <listitem>
        <para>
        You need to choose the right network interface to capture packet data
        from.
        </para>
      </listitem>
      <listitem>
        <para>
        You need to capture at the right place in the network to see the
        traffic you want to see.
        </para>
      </listitem>
      <listitem>
        <para>
        ... and a lot more!
        </para>
      </listitem>
    </itemizedlist>
    </para>
    <para>
    If you have any problems setting up your capture environment, you should
    have a look at the guide mentioned above.
    </para>
  </section>
  <section id="ChCapCapturingSection"><title>Start Capturing</title>
    <para>
    One of the following methods can be used to start capturing packets with
    Wireshark:
    <itemizedlist>
      <listitem>
        <para>
        You can get an overview of the available local interfaces using the
        "<inlinegraphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/>
        Capture Interfaces" dialog box, see
        <xref linkend="ChCapCaptureInterfacesDialogWin32"/> or
        <xref linkend="ChCapCaptureInterfacesDialog"/>. You can start a
        capture from this dialog box, using (one of) the "Capture" button(s).
        </para>
      </listitem>
      <listitem>
        <para>
        You can start capturing using the
        "<inlinegraphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/>
        Capture Options" dialog box, see
        <xref linkend="ChCapCaptureOptionsDialog"/>.
        </para>
      </listitem>
      <listitem>
        <para>
        If you have selected the right capture options before, you can
        immediately start a capture using the
        "<inlinegraphic entityref="WiresharkToolbarCaptureStart" format="PNG"/>
        Capture Start" menu / toolbar item. The capture
        process will start immediately.
        </para>
      </listitem>
      <listitem>
        <para>
        If you already know the name of the capture interface, you can start
        Wireshark from the command line and use the following:
        <programlisting>
wireshark -i eth0 -k
        </programlisting>
        This will start Wireshark capturing on interface eth0; more details
        can be found in <xref linkend="ChCustCommandLine"/>.
        </para>
      </listitem>
    </itemizedlist>
    </para>
  </section>
  <section id="ChCapInterfaceSection">
    <title>The "Capture Interfaces" dialog box</title>
    <para>
    When you select "Interfaces..." from the Capture menu, Wireshark pops
    up the "Capture Interfaces" dialog box as shown in
    <xref linkend="ChCapCaptureInterfacesDialogWin32"/> or
    <xref linkend="ChCapCaptureInterfacesDialog"/>.
    <warning><title>This dialog consumes lots of system resources!</title>
    <para>
    As the "Capture Interfaces" dialog is showing live captured data, it is
    consuming a lot of system resources. Close this dialog as soon as
    possible to prevent excessive system load.
    </para>
    </warning>
    <note><title>Not all available interfaces may be displayed!</title>
    <para>
    This dialog box will only show the local interfaces Wireshark knows
    of. It will not show interfaces marked as hidden in the "Interface Options"
    preferences dialog.
    As Wireshark might not be able to detect all local interfaces, and it
    cannot detect the remote interfaces available, there could be more capture
    interfaces available than listed.
    </para>
    </note>
    <figure id="ChCapCaptureInterfacesDialogWin32">
      <title>The "Capture Interfaces" dialog box on Microsoft Windows</title>
      <graphic entityref="WiresharkCaptureInterfacesDialogWin32" format="PNG"/>
    </figure>
    <figure id="ChCapCaptureInterfacesDialog">
      <title>The "Capture Interfaces" dialog box on Unix/Linux</title>
      <graphic entityref="WiresharkCaptureInterfacesDialog" format="PNG"/>
    </figure>
    <variablelist>
      <varlistentry><term><command>Device (Unix/Linux only)</command></term>
        <listitem>
          <para>
          The interface device name.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Description</command></term>
        <listitem>
          <para>
          The interface description provided by the operating system.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>IP</command></term>
        <listitem>
          <para>
          The first IP address Wireshark could resolve from this interface.
          If no address could be resolved (e.g. no DHCP server available),
          "unknown" will be displayed. If more than one IP address could be
          resolved, only the first is shown (which one is unpredictable in
          that case).
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Packets</command></term>
        <listitem>
          <para>
          The number of packets captured from this interface since this
          dialog was opened. Will be greyed out if no packet was captured
          in the last second.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Packets/s</command></term>
        <listitem>
          <para>
          Number of packets captured in the last second. Will be greyed out
          if no packet was captured in the last second.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Stop</command></term>
        <listitem>
          <para>
          Stop a currently running capture.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Start</command></term>
        <listitem>
          <para>
          Start a capture on this interface immediately, using the settings
          from the last capture.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Options</command></term>
        <listitem>
          <para>
          Open the Capture Options dialog with this interface selected, see
          <xref linkend="ChCapCaptureOptions"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Details (Win32 only)</command></term>
        <listitem>
          <para>
          Open a dialog with detailed information about the interface.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Help</command></term>
        <listitem>
          <para>
          Show this help page.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Close</command></term>
        <listitem>
          <para>
          Close this dialog box.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    </para>
  </section>
  <section id="ChCapCaptureOptions">
    <title>The "Capture Options" dialog box</title>
    <para>
    When you select Start... from the Capture menu (or use the corresponding
    item in the "Main" toolbar), Wireshark pops
    up the "Capture Options" dialog box as shown in
    <xref linkend="ChCapCaptureOptionsDialog"/>.
    </para>
    <figure id="ChCapCaptureOptionsDialog">
      <title>The "Capture Options" dialog box</title>
      <graphic entityref="WiresharkCaptureOptionsDialog" format="JPG"/>
    </figure>
    <tip><title>Tip!</title>
    <para>
    If you are unsure which options to choose in this dialog box, just try
    keeping the defaults, as this should work well in many cases.
    </para>
    </tip>
    <para>
    You can set the following fields in this dialog box:
    </para>

  <section><title>Capture frame</title>
    <variablelist>
      <varlistentry><term><command>Interface</command></term>
        <listitem>
          <para>
          This field specifies the interface you want to capture on.
          You can only capture on one interface, and you can only
          capture on interfaces that Wireshark has found on the
          system. It is a drop-down list, so simply click on the
          button on the right hand side and select the interface you
          want. It defaults to the first non-loopback interface that
          supports capturing, and if there are none, the first
          loopback interface. On some systems, loopback interfaces
          cannot be used for capturing (loopback interfaces are not available
          on Windows platforms).
          </para>
          <para>
          This field performs the same function as the
          <command>-i &lt;interface&gt;</command> command line option.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>IP address</command></term>
        <listitem>
          <para>
          The IP address(es) of the selected interface. If no address could
          be resolved from the system, "unknown" will be shown.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Link-layer header type</command></term>
        <listitem>
          <para>
          Unless you are in the rare situation that you need this, just keep
          the default. For a detailed description, see
          <xref linkend="ChCapLinkLayerHeader"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Buffer size: n megabyte(s)</command></term>
        <listitem>
          <para>
          Enter the buffer size to be used while capturing. This is the size
          of the kernel buffer which will keep the captured packets until
          they are written to disk. If you encounter packet drops, try
          increasing this value.
          </para>
          <note>
            <title>Note</title>
            <para>This option is only available on Windows platforms.</para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <command>Capture packets in promiscuous mode</command>
        </term>
        <listitem>
          <para>
          This checkbox allows you to specify that Wireshark
          should put the interface in promiscuous mode when capturing.
          If you do not specify this, Wireshark will only capture the
          packets going to or from your computer (not
          all packets on your LAN segment).
          </para>
          <note>
            <title>Note</title>
            <para>
            If some other process has put the interface in
            promiscuous mode you may be capturing in promiscuous
            mode even if you turn off this option.
            </para>
          </note>
          <note>
            <title>Note</title>
            <para>
            Even in promiscuous mode you still won't necessarily see all packets
            on your LAN segment, see <ulink url="&WiresharkFAQPromiscPage;"/> for
            some more explanations.
            </para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Limit each packet to n bytes</command></term>
        <listitem>
          <para>
          This field allows you to specify the maximum amount of
          data that will be captured for each packet, and is
          sometimes referred to as the <command>snaplen</command>. If disabled,
          the default is 65535, which will be sufficient for most
          protocols. Some rules of thumb:
          </para>
          <itemizedlist>
            <listitem>
              <para>
              If you are unsure, just keep the default value.
              </para>
            </listitem>
            <listitem>
              <para>
              If you don't need all of the data in a packet (for example, if you
              only need the link-layer, IP, and TCP headers) you might want to
              choose a small snapshot length, as less CPU time is required for
              copying packets, less buffer space is required for packets, and thus
              perhaps fewer packets will be dropped if traffic is very heavy.
              </para>
            </listitem>
            <listitem>
              <para>
              If you don't capture all of the data in a packet, you might find that
              the packet data you want is in the part that's dropped, or that
              reassembly isn't possible as the data required for reassembly is
              missing.
              </para>
            </listitem>
          </itemizedlist>
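<para>
The following added example (not code from the Wireshark project) shows what the snapshot length does to a single packet: it builds a constructed Ethernet II / IPv4 / TCP frame, truncates it to a chosen snaplen the way the capture engine would, and reports which headers a dissector could still parse and how many bytes are missing. The addresses, ports, HTTP payload and helper names are assumptions; only the 65535 default comes from the dialog.
</para>

```python
"""Effect of "Limit each packet to n bytes" (the snaplen) on one frame.

Added example, not code from the Wireshark project: it builds a constructed
Ethernet II / IPv4 / TCP frame, truncates it to a chosen snapshot length the
way the capture engine would, and reports which headers a dissector could
still parse and how many bytes of the packet are missing. Addresses, ports
and the HTTP payload are constructed; the 65535 default is the dialog's.
"""
import struct

DEFAULT_SNAPLEN = 65535  # used when the limit is disabled in the dialog

# Constructed payload: a small HTTP request, 48 bytes.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def build_frame(payload):
    """Ethernet II (14 bytes) + IPv4 without options (20) + TCP without options (20)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def truncate(frame, snaplen):
    """What libpcap hands to Wireshark: at most snaplen bytes of each packet."""
    return frame[:snaplen]


def parse(captured, original_len):
    """Parse as far as the captured bytes allow, stopping at the first header
    that is not completely present (as a dissector would)."""
    info = {"link": False, "ip": False, "tcp": False, "payload_captured": 0,
            "bytes_missing": original_len - len(captured)}
    if len(captured) >= 14 and captured[12:14] == b"\x08\x00":
        info["link"] = True
    else:
        return info
    if len(captured) >= 15:
        ihl = (captured[14] % 16) * 4          # IPv4 header length from the low nibble
    else:
        return info
    if len(captured) >= 14 + ihl:
        info["ip"] = True
    else:
        return info
    tcp_start = 14 + ihl
    if len(captured) >= tcp_start + 13:
        data_offset = (captured[tcp_start + 12] >> 4) * 4   # TCP header length
    else:
        return info
    if len(captured) >= tcp_start + data_offset:
        info["tcp"] = True
    else:
        return info
    info["payload_captured"] = len(captured) - (tcp_start + data_offset)
    return info


def headers_only_snaplen(frame):
    """Smallest snaplen that still keeps the link-layer, IP and TCP headers of
    this frame (the rule-of-thumb case from the list above)."""
    ihl = (frame[14] % 16) * 4
    data_offset = (frame[14 + ihl + 12] >> 4) * 4
    return 14 + ihl + data_offset


def capture_with_snaplen(snaplen):
    """Capture the sample frame with the given snaplen and report the result."""
    frame = build_frame(SAMPLE_PAYLOAD)
    return parse(truncate(frame, snaplen), len(frame))


if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD)
    for snaplen in (DEFAULT_SNAPLEN, 96, headers_only_snaplen(frame), 40):
        print(snaplen, capture_with_snaplen(snaplen))
```

With a snaplen of 54 the headers still dissect but no payload is captured, so nothing is left for reassembly; at 40 bytes even the TCP header is incomplete.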
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Capture Filter</command></term>
        <listitem>
          <para>
          This field allows you to specify a capture filter.
          Capture filters are discussed in more detail in
          <xref linkend="ChCapCaptureFilterSection"/>. It defaults to empty, or
          no filter.
          </para>
          <para>
          You can also click on the button labelled Capture Filter, and Wireshark
          will bring up the Capture Filters dialog box and allow you to create
          and/or select a filter. Please see
          <xref linkend="ChWorkDefineFilterSection"/>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section><title>Capture File(s) frame</title>
    <para>
    An explanation about capture file usage can be found in
    <xref linkend="ChCapCaptureFiles"/>.
    </para>
    <variablelist>
      <varlistentry><term><command>File</command></term>
        <listitem>
          <para>
          This field allows you to specify the file name that will be
          used for the capture file. This field is left blank by default.
          If the field is left blank, the capture data will be stored in a
          temporary file, see <xref linkend="ChCapCaptureFiles"/> for
          details.
          </para>
          <para>
          You can also click on the button to the right of this field to
          browse through the filesystem.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Use multiple files</command></term>
        <listitem>
          <para>
          Instead of using a single file, Wireshark will automatically switch
          to a new one if a specific trigger condition is reached.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Next file every n megabyte(s)</command></term>
        <listitem>
          <para>
          Multiple files only: Switch to the next file after the given
          number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been
          captured.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Next file every n minute(s)</command></term>
        <listitem>
          <para>
          Multiple files only: Switch to the next file after the given
          number of second(s)/minute(s)/hour(s)/day(s) have elapsed.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Ring buffer with n files</command></term>
        <listitem>
          <para>
          Multiple files only: Form a ring buffer of the capture files, with
          the given number of files.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Stop capture after n file(s)</command></term>
        <listitem>
          <para>
          Multiple files only: Stop capturing after switching to the next
          file the given number of times.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section><title>Stop Capture... frame</title>
    <variablelist>
      <varlistentry><term><command>... after n packet(s)</command></term>
        <listitem>
          <para>
          Stop capturing after the given number of packets have been
          captured.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>... after n megabyte(s)</command></term>
        <listitem>
          <para>
          Stop capturing after the given number of
          byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been captured.
          This option is greyed out if "Use multiple files" is selected.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>... after n minute(s)</command></term>
        <listitem>
          <para>
          Stop capturing after the given number of
          second(s)/minute(s)/hour(s)/day(s) have elapsed.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section><title>Display Options frame</title>
    <variablelist>
      <varlistentry>
        <term>
          <command>Update list of packets in real time</command>
        </term>
        <listitem>
          <para>
          This option allows you to specify that Wireshark
          should update the packet list pane in real time. If you
          do not specify this, Wireshark does not display any
          packets until you stop the capture. When you check this,
          Wireshark captures in a separate process
          and feeds the captures to the display process.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <command>Automatic scrolling in live capture</command>
        </term>
        <listitem>
          <para>
          This option allows you to specify that Wireshark
          should scroll the packet list pane as new packets come
          in, so you are always looking at the last packet. If you
          do not specify this, Wireshark simply adds new packets onto
          the end of the list, but does not scroll the packet list
          pane. This option is greyed out if
          "Update list of packets in real time" is disabled.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <command>Hide capture info dialog</command>
        </term>
        <listitem>
          <para>
          If this option is checked, the capture info dialog described in
          <xref linkend="ChCapRunningSection"/> will be hidden.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section><title>Name Resolution frame</title>
    <variablelist>
      <varlistentry>
        <term><command>Enable MAC name resolution</command></term>
        <listitem>
          <para>
          This option allows you to control whether or not
          Wireshark translates MAC addresses into names, see
          <xref linkend="ChAdvNameResolutionSection"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>Enable network name resolution</command></term>
        <listitem>
          <para>
          This option allows you to control whether or not
          Wireshark translates network addresses into names, see
          <xref linkend="ChAdvNameResolutionSection"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>Enable transport name resolution</command></term>
        <listitem>
          <para>
          This option allows you to control whether or not
          Wireshark translates transport addresses into protocols, see
          <xref linkend="ChAdvNameResolutionSection"/>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section><title>Buttons</title>
    <para>
    Once you have set the values you desire and have selected the
    options you need, simply click on <command>Start</command> to commence the
    capture, or <command>Cancel</command> to cancel the capture.
    </para>
    <para>
    If you start a capture, Wireshark allows you to stop capturing when
    you have enough packets captured; for details see
    <xref linkend="ChCapRunningSection"/>.
    </para>
  </section>
  </section>
<section id="ChCapCaptureFiles"><title>Capture files and file modes</title>
|
|
|
|
<para>
|
|
|
|
While capturing, the underlying libpcap capturing engine will grab the
|
|
|
|
packets from the network card and keep the packet data in a (relatively)
|
2006-05-22 08:14:01 +00:00
|
|
|
small kernel buffer. This data is read by Wireshark and saved into
|
2004-08-06 21:06:27 +00:00
|
|
|
the capture file(s) the user specified.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Different modes of operation are available when saving this packet data to
|
|
|
|
the capture file(s).
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<tip><title>Tip!</title>
|
|
|
|
<para>
|
|
|
|
Working with large files (several 100 MB's) can be quite slow. If you plan
|
|
|
|
to do a long term capture or capturing from a high traffic network, think
|
|
|
|
about using one of the "Multiple files" options. This will spread the
|
|
|
|
captured packets over several smaller files which can be much more
|
|
|
|
pleasant to work with.
|
|
|
|
</para>
|
|
|
|
</tip>
|
|
|
|
<note><title>Note!</title>
|
|
|
|
<para>
|
|
|
|
Using Multiple files may cut context related information.
|
2006-05-30 20:49:45 +00:00
|
|
|
Wireshark keeps context information of the loaded packet data, so it can
|
2004-08-06 21:06:27 +00:00
|
|
|
report context related problems (like a stream error) and keeps information
|
|
|
|
about context related protocols (e.g. where data is exchanged at the
|
|
|
|
establishing phase and only referred to in later packets).
|
|
|
|
As it keeps this information only for the loaded file, using one of
|
2005-06-16 20:27:55 +00:00
|
|
|
the multiple file modes may cut these contexts. If the establishing phase
|
2004-08-06 21:06:27 +00:00
|
|
|
is saved in one file and the things you would like to see is in another,
|
|
|
|
you might not see some of the valuable context related information.
|
|
|
|
</para>
|
|
|
|
</note>
|
|
|
|
<tip><title>Tip!</title>
|
|
|
|
<para>
|
|
|
|
Information about the folders used for the capture file(s), can be found
|
|
|
|
in <xref linkend="AppFiles"/>.
|
|
|
|
</para>
|
|
|
|
</tip>
|
|
|
|
|
|
|
|
<table id="ChCapTabCaptureFiles"><title>Capture file mode selected by capture options</title>
|
2005-06-16 20:27:55 +00:00
|
|
|
<tgroup cols="5">
|
2004-08-06 21:06:27 +00:00
|
|
|
<colspec colnum="1" colwidth="72pt"/>
|
|
|
|
<colspec colnum="2" colwidth="80pt"/>
|
|
|
|
<colspec colnum="3" colwidth="80pt"/>
|
2005-06-16 20:27:55 +00:00
|
|
|
<colspec colnum="4" colwidth="80pt"/>
|
2004-08-06 21:06:27 +00:00
|
|
|
<thead>
|
|
|
|
<row>
|
|
|
|
<entry>"File" option</entry>
|
|
|
|
<entry>"Use multiple files" option</entry>
|
|
|
|
<entry>"Ring buffer with n files" option</entry>
|
2005-06-16 20:27:55 +00:00
|
|
|
<entry>Mode</entry>
|
2004-08-06 21:06:27 +00:00
|
|
|
<entry>Resulting filename(s) used</entry>
|
|
|
|
</row>
|
|
|
|
</thead>
|
|
|
|
<tbody>
|
|
|
|
<row>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>-</entry>
|
2005-06-16 20:27:55 +00:00
|
|
|
<entry><command>Single temporary file</command></entry>
|
2004-08-06 21:06:27 +00:00
|
|
|
<entry>etherXXXXXX (where XXXXXX is a unique number)</entry>
|
|
|
|
</row>
|
|
|
|
<row>
|
|
|
|
<entry>foo.cap</entry>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>-</entry>
|
2005-06-16 20:27:55 +00:00
|
|
|
<entry><command>Single named file</command></entry>
|
2004-08-06 21:06:27 +00:00
|
|
|
<entry>foo.cap</entry>
|
|
|
|
</row>
|
|
|
|
<row>
|
|
|
|
<entry>foo.cap</entry>
|
|
|
|
<entry>x</entry>
|
|
|
|
<entry>-</entry>
|
2005-06-16 20:27:55 +00:00
|
|
|
<entry><command>Multiple files, continuous</command></entry>
|
2004-08-06 21:06:27 +00:00
|
|
|
<entry>foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...</entry>
|
|
|
|
</row>
|
|
|
|
<row>
|
|
|
|
<entry>foo.cap</entry>
|
|
|
|
<entry>x</entry>
|
|
|
|
<entry>x</entry>
|
2005-06-16 20:27:55 +00:00
|
|
            <entry><command>Multiple files, ring buffer</command></entry>
            <entry>foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...</entry>
          </row>
        </tbody>
      </tgroup>
    </table>
    <variablelist>
      <varlistentry>
        <term><command>Single temporary file</command></term>
        <listitem>
          <para>
          A temporary file will be created and used (this is the default). After
          capturing is stopped, this file can be saved under a user-specified
          name.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>Single named file</command></term>
        <listitem>
          <para>
          A single capture file will be used. Choose this mode if you want to
          place the new capture file in a specific folder.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>Multiple files, continuous</command></term>
        <listitem>
          <para>
          Like the "Single named file" mode, but a new file is created and used
          whenever one of the multiple file switch conditions (one of the
          "Next file every ..." values) is reached.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>Multiple files, ring buffer</command></term>
        <listitem>
          <para>
          Much like "Multiple files, continuous": reaching one of the multiple
          file switch conditions (one of the "Next file every ..." values) will
          switch to the next file. This will be a newly created file if the
          value of "Ring buffer with n files" has not yet been reached;
          otherwise it will replace the oldest of the previously used files
          (thus forming a "ring").
          </para>
          <para>
          This mode limits the maximum disk usage, even for an unlimited amount
          of capture input data, while keeping the latest captured data.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
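    <para>
    The following is an added example, not Wireshark's own code: a small Python
    model of the file modes listed above. It assumes a "Next file every ...
    byte(s)" switch condition and only tracks which files, named with the
    prefix_NNNNN_YYYYMMDDhhmmss.cap scheme from the table (with a constructed,
    fixed timestamp), would be left on disk, so that the disk-usage bound of
    the ring buffer mode can be checked before relying on it for a long-term
    capture. The function and parameter names are the example's own.
    </para>
    <programlisting><![CDATA[
```python
"""Model of the capture file modes described above (constructed example,
not Wireshark's own code).  Only file names and byte counts are tracked."""
from collections import OrderedDict


def capture_file_name(prefix, index, stamp):
    """Name scheme from the table: prefix_NNNNN_YYYYMMDDhhmmss.cap.
    The timestamp is a constructed constant in this model."""
    return f"{prefix}_{index:05d}_{stamp}.cap"


def simulate_capture(packet_sizes, mode, next_file_bytes=None, ring_files=None,
                     prefix="foo", stamp="20040205110102"):
    """Return an ordered mapping file name -> bytes, as left on disk.

    mode: "single" (one named file), "continuous" or "ring".
    next_file_bytes: the "Next file every ... byte(s)" switch condition.
    ring_files: the "Ring buffer with n files" value (ring mode only).
    """
    if mode == "single":
        return OrderedDict([(f"{prefix}.cap", sum(packet_sizes))])
    if mode not in ("continuous", "ring"):
        raise ValueError(f"unknown mode {mode!r}")
    if not next_file_bytes or next_file_bytes <= 0:
        raise ValueError("multiple-file modes need a positive switch condition")
    if mode == "ring" and (ring_files is None or ring_files < 1):
        raise ValueError("ring mode needs 'Ring buffer with n files' of at least 1")

    files = OrderedDict()
    index = 1
    current = capture_file_name(prefix, index, stamp)
    files[current] = 0
    for size in packet_sizes:
        # Switch once the next packet would push the file past the limit
        # (a single oversized packet still goes into a fresh file).
        if files[current] > 0 and files[current] + size > next_file_bytes:
            index += 1
            current = capture_file_name(prefix, index, stamp)
            files[current] = 0
            if mode == "ring" and len(files) > ring_files:
                files.popitem(last=False)     # the oldest file is replaced
        files[current] += size
    return files


def peak_disk_usage(next_file_bytes, ring_files, max_packet=0):
    """Upper bound on the bytes the ring-buffer mode keeps on disk in this model:
    a file only exceeds the switch size when one packet alone is larger."""
    return ring_files * max(next_file_bytes, max_packet)
```
]]></programlisting>
    <para>
    With ten packets of 100 bytes and a 300 byte switch condition,
    simulate_capture(sizes, "ring", next_file_bytes=300, ring_files=2)
    returns only the two newest files, foo_00003_... and foo_00004_..., while
    the "continuous" mode keeps all four.
    </para>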
  </section>

  <section id="ChCapLinkLayerHeader"><title>Link-layer header type</title>
    <para>
    In the usual case you won't have to choose a link-layer header type.
    The following paragraphs describe the exceptional cases in which
    selecting this type is possible, so you have a guide of what to do:
    </para>
    <para>
    If you are capturing on an 802.11 device on some versions of BSD, this
    might offer a choice of "Ethernet" or "802.11". "Ethernet" will cause
    the captured packets to have fake Ethernet headers; "802.11" will cause
    them to have IEEE 802.11 headers. Unless the capture needs to be read by
    an application that doesn't support 802.11 headers, you should select
    "802.11".
    </para>
    <para>
    If you are capturing on an Endace DAG card connected to a synchronous
    serial line, this might offer a choice of "PPP over serial" or
    "Cisco HDLC"; if the protocol on the serial line is PPP, select
    "PPP over serial", and if the protocol on the serial line is Cisco HDLC,
    select "Cisco HDLC".
    </para>
    <para>
    If you are capturing on an Endace DAG card connected to an ATM network,
    this might offer a choice of "RFC 1483 IP-over-ATM" or "Sun raw ATM".
    If the only traffic being captured is RFC 1483 LLC-encapsulated IP, or if
    the capture needs to be read by an application that doesn't support SunATM
    headers, select "RFC 1483 IP-over-ATM"; otherwise select "Sun raw ATM".
    </para>
    <para>
    If you are capturing on an Ethernet device, this might offer a choice of
    "Ethernet" or "DOCSIS". If you are capturing traffic from a Cisco Cable
    Modem Termination System that is putting DOCSIS traffic onto the Ethernet
    to be captured, select "DOCSIS"; otherwise select "Ethernet".
    </para>
  </section>

  <section id="ChCapCaptureFilterSection"><title>Filtering while capturing</title>
    <para>
    Wireshark uses the libpcap filter language for capture filters.
    This is explained in the tcpdump man page, which can be hard to
    understand, so it's explained here to some extent.
    </para>
    <tip>
      <title>Tip!</title>
      <para>
      You will find a lot of Capture Filter examples at <ulink
      url="&WiresharkWikiCaptureFiltersPage;">&WiresharkWikiCaptureFiltersPage;</ulink>.
      </para>
    </tip>
    <para>
    You enter the capture filter into the Filter field of the Wireshark
    Capture Options dialog box, as shown in
    <xref linkend="ChCapCaptureOptionsDialog"/>. The following is an outline
    of the syntax of the <command>tcpdump</command> capture filter language.
    See the expression option in the tcpdump manual page for details:
    <ulink url="&TcpdumpManpage;"/>.
    </para>
    <para>
    A capture filter takes the form of a series of primitive expressions
    connected by conjunctions (<command>and/or</command>) and optionally
    preceded by <command>not</command>:
    <programlisting>
[not] <command>primitive</command> [and|or [not] <command>primitive</command> ...]
    </programlisting>
    An example is shown in <xref linkend="ChCapExFilt1"/>.
      <example id="ChCapExFilt1">
        <title>
        A capture filter for telnet that captures traffic to and from a
        particular host
        </title>
        <programlisting>
tcp port 23 and host 10.0.0.5
        </programlisting>
      </example>
    This example captures telnet traffic to and from the host
    10.0.0.5, and shows how to use two primitives and the
    <command>and</command> conjunction. Another example is shown in
    <xref linkend="ChCapExFilt2"/>; it shows how to capture all
    telnet traffic except that from 10.0.0.5.
      <example id="ChCapExFilt2">
        <title>Capturing all telnet traffic not from 10.0.0.5</title>
        <programlisting>
tcp port 23 and not src host 10.0.0.5
        </programlisting>
      </example>
    </para>
    <para>
    XXX - add examples to the following list.
    </para>
    <para>
    A primitive is simply one of the following:
      <variablelist>
        <varlistentry>
          <term><command>[src|dst] host &lt;host&gt;</command></term>
          <listitem>
            <para>
            This primitive allows you to filter on a host IP address or name.
            You can optionally precede the primitive with the keyword
            <command>src|dst</command> to specify that you are only interested
            in source or destination addresses. If neither is present, packets
            where the specified address appears as either the source or the
            destination address will be selected.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
          <command>ether [src|dst] host &lt;ehost&gt;</command>
          </term>
          <listitem>
            <para>
            This primitive allows you to filter on Ethernet host addresses.
            You can optionally include the keyword <command>src|dst</command>
            between the keywords <command>ether</command> and
            <command>host</command> to specify that you are only interested in
            source or destination addresses. If neither is present, packets
            where the specified address appears as either the source or the
            destination address will be selected.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>gateway host &lt;host&gt;</command></term>
          <listitem>
            <para>
            This primitive allows you to filter on packets that used
            <command>host</command> as a gateway. That is, where the Ethernet
            source or destination was <command>host</command> but neither the
            source nor the destination IP address was <command>host</command>.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
          <command>
          [src|dst] net &lt;net&gt; [{mask &lt;mask&gt;}|{len &lt;len&gt;}]
          </command>
          </term>
          <listitem>
            <para>
            This primitive allows you to filter on network numbers. You can
            optionally precede this primitive with the keyword
            <command>src|dst</command> to specify that you are only interested
            in a source or destination network. If neither is present, packets
            will be selected that have the specified network in either the
            source or the destination address. In addition, you can specify
            either the netmask or the CIDR prefix for the network if they are
            different from your own.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
          <command>[tcp|udp] [src|dst] port &lt;port&gt;</command>
          </term>
          <listitem>
            <para>
            This primitive allows you to filter on TCP and UDP port numbers.
            You can optionally precede this primitive with the keywords
            <command>src|dst</command> and <command>tcp|udp</command>, which
            allow you to specify that you are only interested in source or
            destination ports and TCP or UDP packets respectively. The
            keywords <command>tcp|udp</command> must appear before
            <command>src|dst</command>.
            </para>
            <para>
            If these are not specified, packets will be selected for both the
            TCP and UDP protocols and when the specified port appears in either
            the source or the destination port field.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>less|greater &lt;length&gt;</command></term>
          <listitem>
            <para>
            This primitive allows you to filter on packets whose length was
            less than or equal to the specified length, or greater than or
            equal to the specified length, respectively.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>ip|ether proto &lt;protocol&gt;</command></term>
          <listitem>
            <para>
            This primitive allows you to filter on the specified protocol at
            either the Ethernet layer or the IP layer.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>ether|ip broadcast|multicast</command></term>
          <listitem>
            <para>
            This primitive allows you to filter on either Ethernet or IP
            broadcasts or multicasts.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>&lt;expr&gt; relop &lt;expr&gt;</command></term>
          <listitem>
            <para>
            This primitive allows you to create complex filter expressions
            that select bytes or ranges of bytes in packets. Please see the
            tcpdump man page at <ulink url="&TcpdumpManpage;"/> for more
            details.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </para>
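    <para>
    The following is an added example, not Wireshark or libpcap code: a toy
    Python evaluator for the filter form and the primitives described above
    (host, net, port, less and greater, combined with not, and, or and
    parentheses, using libpcap's precedence). The Packet record, the sample
    packets and the select() helper are constructed for the example; the
    gateway, proto, broadcast/multicast and relop primitives are not
    implemented, and the "net ... len" form is taken literally as the list
    above writes it.
    </para>
    <programlisting><![CDATA[
```python
"""Toy evaluator for the capture filter subset described above (constructed
example, not Wireshark or libpcap code).  libpcap precedence applies:
"not" binds tightest, then "and", then "or"; parentheses may group."""
import ipaddress
from collections import namedtuple

# Constructed packet record: only the fields the supported primitives look at.
Packet = namedtuple("Packet", "src dst proto sport dport length")


def _by_direction(direction, src_match, dst_match):
    # Without a src/dst qualifier a primitive matches on either side.
    if direction == "src":
        return src_match
    if direction == "dst":
        return dst_match
    return src_match or dst_match


class CaptureFilter:
    """Recursive-descent parser compiling filter text to a predicate."""

    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.predicate = self._expr()
        if self.pos != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.pos:]}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _chain(self, op, sub, combine):   # sub ("op" sub)*, left-associative
        pred = sub()
        while self._peek() == op:
            self._take()
            pred = combine(pred, sub())
        return pred

    def _expr(self):
        return self._chain("or", self._term, lambda l, r: lambda p: l(p) or r(p))

    def _term(self):
        return self._chain("and", self._factor, lambda l, r: lambda p: l(p) and r(p))

    def _factor(self):      # "not" factor | "(" expr ")" | primitive
        if self._peek() == "not":
            self._take()
            inner = self._factor()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()

    def _primitive(self):
        proto = self._take() if self._peek() in ("tcp", "udp") else None
        direction = self._take() if self._peek() in ("src", "dst") else None
        kw = self._take()
        if proto and kw != "port":
            raise ValueError(f"'{proto}' may only qualify 'port', not '{kw}'")
        if kw == "host":
            addr = self._take()
            return lambda p: _by_direction(direction, p.src == addr, p.dst == addr)
        if kw == "net":
            net = self._take()
            if self._peek() in ("mask", "len"):   # "net N mask M" or "net N len L"
                self._take()
                net = f"{net}/{self._take()}"
            network = ipaddress.ip_network(net, strict=False)
            return lambda p: _by_direction(direction, ipaddress.ip_address(p.src) in network,
                                           ipaddress.ip_address(p.dst) in network)
        if kw == "port":
            port = int(self._take())
            return lambda p: ((proto is None or p.proto == proto) and
                              _by_direction(direction, p.sport == port, p.dport == port))
        if kw in ("less", "greater") and direction is None:
            n = int(self._take())
            return (lambda p: p.length <= n) if kw == "less" else (lambda p: p.length >= n)
        raise ValueError(f"unsupported primitive starting at '{kw}'")


# Constructed sample traffic: a telnet session with 10.0.0.5 plus other packets.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.168.1.10", "tcp", 40123, 23, 74),    # 0: telnet from 10.0.0.5
    Packet("192.168.1.10", "10.0.0.5", "tcp", 23, 40123, 60),    # 1: telnet reply to 10.0.0.5
    Packet("10.0.0.7", "192.168.1.10", "tcp", 40124, 23, 1514),  # 2: telnet from another host
    Packet("10.0.0.5", "192.168.1.10", "udp", 5353, 5353, 120),  # 3: mDNS, not telnet
]


def select(filter_text, packets=SAMPLE_PACKETS):
    """Indices of the packets the filter would let the capture engine keep."""
    predicate = CaptureFilter(filter_text).predicate
    return [i for i, pkt in enumerate(packets) if predicate(pkt)]
```
]]></programlisting>
    <para>
    select("tcp port 23 and not src host 10.0.0.5") returns [1, 2]: the reply
    packet destined for 10.0.0.5 is kept because only the source address is
    excluded, which is exactly the distinction the second example above
    relies on; select("tcp port 23 and host 10.0.0.5") returns [0, 1].
    </para>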
    <section id="ChCapCaptureAutoFilterSection">
      <title>Automatic Remote Traffic Filtering</title>
      <para>
      If Wireshark is running remotely (using e.g. SSH, an exported X11 window,
      a terminal server, ...), the remote content has to be transported over
      the network, adding a lot of (usually unimportant) packets to the actually
      interesting traffic.
      </para>
      <para>
      To avoid this, Wireshark tries to figure out if it's remotely connected
      (by looking at some specific environment variables) and automatically
      creates a capture filter that matches aspects of the connection.
      </para>
      <para>
      The following environment variables are analyzed:
      </para>
      <variablelist>
        <varlistentry>
          <term><command>SSH_CONNECTION</command> (ssh)</term>
          <listitem>
            <para>
            &lt;remote IP&gt; &lt;remote port&gt; &lt;local IP&gt; &lt;local port&gt;
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>SSH_CLIENT</command> (ssh)</term>
          <listitem>
            <para>
            &lt;remote IP&gt; &lt;remote port&gt; &lt;local port&gt;
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>REMOTEHOST</command> (tcsh, others?)</term>
          <listitem>
            <para>
            &lt;remote name&gt;
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>DISPLAY</command> (x11)</term>
          <listitem>
            <para>
            [remote name]:&lt;display num&gt;
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>SESSIONNAME</command> (terminal server)</term>
          <listitem>
            <para>
            &lt;remote name&gt;
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
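      <para>
      The following is an added example, not Wireshark's own code. The exact
      filter text Wireshark generates is not stated here, so the shape used
      below, "not (host ADDR and tcp port PORT)" for the two SSH variables and
      "not host NAME" for the others, is an assumption, as is the check that
      rejects any value which is not a bare address or host name. The
      remote_session_filter() and is_safe_host() names are the example's own,
      and the environment mappings in the usage note are constructed.
      </para>
      <programlisting><![CDATA[
```python
"""Build the "exclude my own remote session" capture filter from the
environment variables listed above (constructed example, not Wireshark's
own code; the filter shape is an assumption, see the lead-in)."""
import re

# A bare IPv4/IPv6 address or host name; anything else is rejected so that a
# hostile environment variable cannot splice extra clauses into the filter.
_HOST_RE = re.compile(r"^[A-Za-z0-9.:_-]+$")


def is_safe_host(value):
    return bool(value) and _HOST_RE.match(value) is not None


def _checked_host(value):
    if not is_safe_host(value):
        raise ValueError(f"refusing to put {value!r} into a capture filter")
    return value


def remote_session_filter(env):
    """Return a capture filter string, or None if no remote session is seen.

    env is a mapping like os.environ.  Variables are tried in the order the
    page lists them; the first one that parses wins.
    """
    parts = env.get("SSH_CONNECTION", "").split()   # remote IP, remote port, local IP, local port
    if len(parts) == 4:
        return f"not (host {_checked_host(parts[0])} and tcp port {int(parts[1])})"
    parts = env.get("SSH_CLIENT", "").split()       # remote IP, remote port, local port
    if len(parts) == 3:
        return f"not (host {_checked_host(parts[0])} and tcp port {int(parts[1])})"
    remote = env.get("REMOTEHOST", "")
    if remote:
        return f"not host {_checked_host(remote)}"
    display = env.get("DISPLAY", "")                # "[remote name]:display num"
    name = display.rsplit(":", 1)[0].strip("[]") if ":" in display else ""
    if name:                                        # a bare ":0" is a local X server
        return f"not host {_checked_host(name)}"
    session = env.get("SESSIONNAME", "")            # terminal server session name
    # A Windows console logon also sets SESSIONNAME (to "Console"); skipping it
    # here is the example's own choice, not documented Wireshark behaviour.
    if session and session.lower() != "console":
        return f"not host {_checked_host(session)}"
    return None
```
]]></programlisting>
      <para>
      For a constructed environment of SSH_CONNECTION="203.0.113.9 51234
      192.0.2.10 22" the result is "not (host 203.0.113.9 and tcp port
      51234)"; for DISPLAY=":0" it is None, because no remote name is present.
      The host check matters because the filter is assembled from values the
      login environment supplies, so a value such as "x or port 22" is refused
      rather than becoming part of the filter.
      </para>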
    </section>
  </section>

  <section id="ChCapRunningSection"><title>While a Capture is running ...</title>
    <para>
    While a capture is running, the following dialog box is shown:
      <figure id="ChCapCaptureInfoDialog">
        <title>The "Capture Info" dialog box</title>
        <graphic entityref="WiresharkCaptureInfoDialog" format="JPG"/>
      </figure>
    This dialog box will inform you about the number of captured packets and
    the time since the capture was started. The selection of which protocols
    are counted cannot be changed.
    </para>
    <tip><title>Tip!</title>
      <para>
      This Capture Info dialog box can be hidden using the "Hide capture info
      dialog" option in the Capture Options dialog box.
      </para>
    </tip>
    <section id="ChCapStopSection"><title>Stop the running capture</title>
      <para>
      A running capture session can be stopped in one of the following ways:
        <orderedlist>
          <listitem>
            <para>Using the
            "<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop" button from the <command>Capture Info dialog box</command>.
            </para>
            <note><title>Note!</title>
              <para>
              The Capture Info dialog box might be hidden if the option "Hide
              capture info dialog" is used.
              </para>
            </note>
          </listitem>
          <listitem>
            <para>Using the <command>menu item</command>
            "Capture/<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop".
            </para>
          </listitem>
          <listitem>
            <para>Using the <command>toolbar item</command>
            "<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop".
            </para>
          </listitem>
          <listitem>
            <para>Pressing the accelerator keys <command>Ctrl+E</command>.
            </para>
          </listitem>
          <listitem>
            <para>The capture will be stopped automatically if one of the
            <command>Stop Conditions</command> is exceeded, e.g. the maximum
            amount of data has been captured.
            </para>
          </listitem>
        </orderedlist>
      </para>
    </section>
    <section id="ChCapRestartSection"><title>Restart a running capture</title>
      <para>
      A running capture session can be restarted with the same capture options
      as the last time; this will discard all packets previously captured.
      This can be useful if some uninteresting packets have been captured and
      there's no need to keep them.
      </para>
      <para>
      Restart is a convenience function and is equivalent to a capture stop
      followed by an immediate capture start.
      A restart can be triggered in one of the following ways:
        <orderedlist>
          <listitem>
            <para>Using the <command>menu item</command>
            "Capture/<inlinegraphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/>
            Restart".
            </para>
          </listitem>
          <listitem>
            <para>Using the <command>toolbar item</command>
            "<inlinegraphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/>
            Restart".
            </para>
          </listitem>
        </orderedlist>
      </para>
    </section>
  </section>

</chapter>
<!-- End of WSUG Chapter Capture -->