<!-- WSUG Chapter Capture -->

<!-- $Id$ -->

<chapter id="ChapterCapture">

  <title>Capturing Live Network Data</title>

  <section id="ChCapIntroduction">
    <title>Introduction</title>
    <para>
      Capturing live network data is one of the major features of Wireshark.
    </para>
    <para>
      The Wireshark capture engine provides the following features:
    </para>
    <para>
      <itemizedlist>
        <listitem><para>
          Capture from different kinds of network hardware (Ethernet, Token Ring,
          ATM, ...).
        </para></listitem>
        <listitem><para>
          Stop the capture on different triggers, such as the amount of captured
          data, the elapsed capture time, or the number of captured packets.
        </para></listitem>
        <listitem><para>
          Simultaneously show decoded packets while Wireshark keeps on capturing.
        </para></listitem>
        <listitem><para>
          Filter packets, reducing the amount of data to be captured, see <xref
          linkend="ChCapCaptureFilterSection"/>.
        </para></listitem>
        <listitem><para>
          Capture into multiple files during a long-term capture, optionally
          arranging these files as a ring buffer that keeps only the last n files,
          which is useful for a "very long term" capture, see <xref
          linkend="ChCapCaptureFiles"/>.
        </para></listitem>
        <listitem><para>
          Simultaneous capturing from multiple network interfaces.
        </para></listitem>
      </itemizedlist>
      The capture engine still lacks the following features:
      <itemizedlist>
        <listitem><para>
          Stop capturing (or doing some other action), depending on the captured
          data.
        </para></listitem>
      </itemizedlist>
    </para>
  </section>

  <section id="ChCapPrerequisitesSection"><title>Prerequisites</title>
    <para>
      Setting up Wireshark to capture packets for the first time can be tricky.
    </para>
    <tip><title>Tip!</title><para>
      A comprehensive guide "How To setup a Capture" is available at:
      <ulink url="&WiresharkWikiPage;/CaptureSetup">&WiresharkWikiPage;/CaptureSetup</ulink>.
    </para></tip>
    <para>
      Here are some common pitfalls:
      <itemizedlist>
        <listitem>
          <para>
            You need sufficient privileges to start a live capture: Administrator
            rights on Windows, and on Unix/Linux access to the capture devices,
            which by default only root has. Do not simply run the whole Wireshark
            GUI as root to get around this: only the capture process (dumpcap)
            needs the privilege, while the protocol dissectors that parse untrusted
            packet data should run as an ordinary user. The CaptureSetup guide
            linked above describes how to grant capture privileges to non-root users.
          </para>
        </listitem>
        <listitem>
          <para>
            You need to choose the right network interface to capture packet data
            from.
          </para>
        </listitem>
        <listitem>
          <para>
            You need to capture at the right place in the network to see the
            traffic you want to see.
          </para>
        </listitem>
        <listitem>
          <para>
            ... and a lot more!
          </para>
        </listitem>
      </itemizedlist>
    </para>
    <para>
      If you have any problems setting up your capture environment, you should
      have a look at the guide mentioned above.
    </para>
  </section>

  <section id="ChCapCapturingSection"><title>Start Capturing</title>
    <para>
      One of the following methods can be used to start capturing packets with
      Wireshark:
      <itemizedlist>
        <listitem>
          <para>
            You can get an overview of the available local interfaces using the
            "<inlinegraphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/>
            Capture Interfaces" dialog box, see
            <xref linkend="ChCapCaptureInterfacesDialogWin32"/> or
            <xref linkend="ChCapCaptureInterfacesDialog"/>. You can start a
            capture from this dialog box using the "Start" button.
          </para>
        </listitem>
        <listitem>
          <para>
            You can start capturing using the
            "<inlinegraphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/>
            Capture Options" dialog box, see
            <xref linkend="ChCapCaptureOptionsDialog"/>.
          </para>
        </listitem>
        <listitem>
          <para>
            If you have selected the right capture options before, you can
            immediately start a capture using the
            "<inlinegraphic entityref="WiresharkToolbarCaptureStart" format="PNG"/>
            Capture Start" menu / toolbar item. The capture
            process will start immediately.
          </para>
        </listitem>
        <listitem>
          <para>
            If you already know the name of the capture interface, you can start
            Wireshark from the command line and use the following:
            <programlisting>
wireshark -i eth0 -k
            </programlisting>
            This will start Wireshark capturing on interface eth0
            (<command>-i</command> selects the interface, <command>-k</command>
            starts the capture immediately instead of waiting for you to press
            Start). More details can be found in <xref linkend="ChCustCommandLine"/>.
          </para>
        </listitem>
      </itemizedlist>
    </para>
  </section>

  <section id="ChCapInterfaceSection">
    <title>The "Capture Interfaces" dialog box</title>
    <para>
      When you select "Interfaces..." from the Capture menu, Wireshark pops
      up the "Capture Interfaces" dialog box as shown in
      <xref linkend="ChCapCaptureInterfacesDialogWin32"/> or
      <xref linkend="ChCapCaptureInterfacesDialog"/>.
      <warning><title>This dialog consumes lots of system resources!</title>
        <para>
          As the "Capture Interfaces" dialog is showing live captured data
          (it captures on every listed interface just to count packets), it is
          consuming a lot of system resources. Close this dialog as soon as
          possible to prevent excessive system load.
        </para>
      </warning>
      <note><title>Not all available interfaces may be displayed!</title>
        <para>
          This dialog box will only show the local interfaces Wireshark knows
          of. It will not show interfaces marked as hidden in <xref linkend="ChCustInterfaceOptionsSection"/>.
          As Wireshark might not be able to detect all local interfaces, and it
          cannot detect the remote interfaces available, there could be more capture
          interfaces available than listed.
        </para>
      </note>
    </para>
    <para>
      As it is possible to simultaneously capture packets from multiple interfaces,
      the toggle buttons can be used to select one or more interfaces.
    </para>
    <figure id="ChCapCaptureInterfacesDialogWin32">
      <title>The "Capture Interfaces" dialog box on Microsoft Windows</title>
      <graphic entityref="WiresharkCaptureInterfacesDialogWin32" format="PNG"/>
    </figure>
    <figure id="ChCapCaptureInterfacesDialog">
      <title>The "Capture Interfaces" dialog box on Unix/Linux</title>
      <graphic entityref="WiresharkCaptureInterfacesDialog" format="PNG"/>
    </figure>
    <variablelist>
      <varlistentry><term><command>Device (Unix/Linux only)</command></term>
        <listitem>
          <para>
            The interface device name.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Description</command></term>
        <listitem>
          <para>
            The interface description provided by the operating system, or the
            user defined comment added in <xref linkend="ChCustInterfaceOptionsSection"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>IP</command></term>
        <listitem>
          <para>
            The first IP address Wireshark could find for this interface.
            You can click on the address to cycle through other addresses
            assigned to it, if available.
            If no address could be found, "none" will be displayed.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Packets</command></term>
        <listitem>
          <para>
            The number of packets captured from this interface since this
            dialog was opened. Greyed out if no packet was captured
            in the last second.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Packets/s</command></term>
        <listitem>
          <para>
            Number of packets captured in the last second. Greyed out
            if no packet was captured in the last second.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Stop</command></term>
        <listitem>
          <para>
            Stop a currently running capture.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Start</command></term>
        <listitem>
          <para>
            Start a capture on all selected interfaces immediately, using the settings
            from the last capture or the default settings if no options have been
            set.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Options</command></term>
        <listitem>
          <para>
            Open the Capture Options dialog with the marked interfaces selected, see
            <xref linkend="ChCapCaptureOptions"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Details (Microsoft Windows only)</command></term>
        <listitem>
          <para>
            Open a dialog with detailed information about the interface, see
            <xref linkend="ChCapInterfaceDetailsSection"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Help</command></term>
        <listitem>
          <para>
            Show this help page.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Close</command></term>
        <listitem>
          <para>
            Close this dialog box.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section id="ChCapCaptureOptions">
    <title>The "Capture Options" dialog box</title>
    <para>
      When you select Options... from the Capture menu (or use the corresponding
      item in the "Main" toolbar), Wireshark pops
      up the "Capture Options" dialog box as shown in
      <xref linkend="ChCapCaptureOptionsDialog"/>.
    </para>
    <figure id="ChCapCaptureOptionsDialog">
      <title>The "Capture Options" dialog box</title>
      <graphic entityref="WiresharkCaptureOptionsDialog"/>
    </figure>
    <tip><title>Tip!</title>
      <para>
        If you are unsure which options to choose in this dialog box, just try
        keeping the defaults as this should work well in many cases.
      </para>
    </tip>
    <section><title>Capture frame</title>
      <para>
        The table shows the settings for all available interfaces:
        <itemizedlist>
          <listitem>
            <para>
              The name of the interface and its IP addresses. If no address could
              be resolved from the system, "none" will be shown.
            </para>
            <note>
              <title>Note</title>
              <para>Loopback interfaces are not available on Windows platforms.</para>
            </note>
          </listitem>
          <listitem>
            <para>
              The link-layer header type.
            </para>
          </listitem>
          <listitem>
            <para>
              Whether promiscuous mode is enabled or disabled.
            </para>
          </listitem>
          <listitem>
            <para>
              The maximum amount of data that will be captured for each packet.
              The default value is 65535 bytes.
            </para>
          </listitem>
          <listitem>
            <para>
              The size of the kernel buffer that is reserved to keep the captured packets.
            </para>
          </listitem>
          <listitem>
            <para>
              Whether packets will be captured in monitor mode (Unix/Linux only).
            </para>
          </listitem>
          <listitem>
            <para>
              The chosen capture filter.
            </para>
          </listitem>
        </itemizedlist>
        By marking the
        checkboxes in the first column the interfaces are selected to be
        captured from. By double-clicking on an interface the "Edit Interface Settings"
        dialog box as shown in
        <xref linkend="ChCapEditInterfacesSettingsDialog"/> will be opened.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <command>Capture on all interfaces</command>
          </term>
          <listitem>
            <para>
              As Wireshark can capture on multiple interfaces, it is possible to choose to capture on all available interfaces.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <command>Capture all packets in promiscuous mode</command>
          </term>
          <listitem>
            <para>
              This checkbox allows you to specify that Wireshark
              should put all interfaces in promiscuous mode when capturing.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Capture Filter</command></term>
          <listitem>
            <para>
              This field allows you to specify a capture filter for all interfaces
              that are currently selected. Once a filter has been entered in this field,
              newly selected interfaces will inherit the filter.
              Capture filters are discussed in more detail in
              <xref linkend="ChCapCaptureFilterSection"/>. It defaults to empty, or
              no filter.
            </para>
            <para>
              You can also click on the button labeled "Capture Filter", and Wireshark
              will bring up the Capture Filters dialog box and allow you to create
              and/or select a filter. Please see
              <xref linkend="ChWorkDefineFilterSection"/>.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Compile selected BPFs</command></term>
          <listitem>
            <para>
              This button allows you to compile the capture filter into BPF code and
              pop up a window showing you the resulting pseudo code. This can help in
              understanding how the capture filter you created works, and in checking
              that it really matches what you intended before a long capture is started.
              The "Compile selected BPFs" button leads you to
              <xref linkend="ChCapCompileSelectedBpfsDialog"/>.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <command>Manage Interfaces</command>
          </term>
          <listitem>
            <para>
              The "Manage Interfaces" button leads you to
              <xref linkend="ChCapManageInterfacesDialog"/> where pipes can be defined,
              local interfaces scanned or hidden, or remote interfaces added (Windows only).
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
    <section><title>Capture File(s) frame</title>
      <para>
        An explanation about capture file usage can be found in <xref
        linkend="ChCapCaptureFiles"/>.
      </para>
      <variablelist>
        <varlistentry><term><command>File</command></term>
          <listitem>
            <para>
              This field allows you to specify the file name that will be
              used for the capture file. This field is left blank by default.
              If the field is left blank, the capture data will be stored in a
              temporary file, see <xref linkend="ChCapCaptureFiles"/> for
              details.
            </para>
            <para>
              You can also click on the button to the right of this field to
              browse through the filesystem.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Use multiple files</command></term>
          <listitem>
            <para>
              Instead of using a single file, Wireshark will automatically switch
              to a new one if a specific trigger condition is reached.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <command>Use pcap-ng format</command>
          </term>
          <listitem>
            <para>
              This checkbox allows you to specify that Wireshark saves the captured
              packets in pcap-ng format. This next generation capture file format is
              currently in development. If more than one interface is chosen for
              capturing, this checkbox is set by default. See
              <ulink url="&WiresharkWikiPcapNgPage;"/> for more details on pcap-ng.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Next file every n megabyte(s)</command></term>
          <listitem>
            <para>
              Multiple files only: Switch to the next file after the given
              number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been
              captured.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Next file every n minute(s)</command></term>
          <listitem>
            <para>
              Multiple files only: Switch to the next file after the given
              number of second(s)/minute(s)/hour(s)/day(s) have elapsed.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Ring buffer with n files</command></term>
          <listitem>
            <para>
              Multiple files only: Form a ring buffer of the capture files, with
              the given number of files. Once that many files exist, the oldest
              file is deleted each time a new one is started, so disk usage stays
              bounded but the oldest traffic is lost.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Stop capture after n file(s)</command></term>
          <listitem>
            <para>
              Multiple files only: Stop capturing after switching to the next
              file the given number of times.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
    <section><title>Stop Capture... frame</title>
      <variablelist>
        <varlistentry><term><command>... after n packet(s)</command></term>
          <listitem>
            <para>
              Stop capturing after the given number of packets have been
              captured.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>... after n megabyte(s)</command></term>
          <listitem>
            <para>
              Stop capturing after the given number of
              byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been captured.
              This option is greyed out if "Use multiple files" is selected.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>... after n minute(s)</command></term>
          <listitem>
            <para>
              Stop capturing after the given number of
              second(s)/minute(s)/hour(s)/day(s) have elapsed.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
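      <para>
        The file-switch triggers, the ring buffer and the stop conditions of the
        "Capture File(s)" and "Stop Capture..." frames interact in ways that are
        easy to get wrong when sizing a long-term capture. The following Python
        model is an added illustration and not part of Wireshark: it rotates to a
        new file on the size or duration trigger, keeps only the last n files when
        a ring buffer is configured, names files in Wireshark's
        prefix_NNNNN_YYYYMMDDhhmmss pattern, and stops on the packet, byte,
        duration or file-count condition. The <classname>CaptureSession</classname>
        class, the constructed traffic in <function>demo_ring_buffer</function> and
        the reading of "stop after n files" as "the n-th switch stops instead of
        opening another file" are assumptions of this example.
      </para>
      <programlisting><![CDATA[
```python
"""Model of Wireshark's multi-file capture and stop conditions.

Constructed example, not Wireshark's own code.  It reproduces the
"Next file every ..." triggers (size, duration), the "Ring buffer with
n files" policy, and the "Stop capture ..." conditions (packets, bytes,
duration, number of files).  File names follow Wireshark's multi-file
convention prefix_NNNNN_YYYYMMDDhhmmss.pcapng.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Packet:
    ts: float        # capture timestamp, seconds since the Unix epoch
    caplen: int      # bytes stored for this packet (after snaplen truncation)


@dataclass
class CaptureFile:
    name: str
    opened_at: float
    packets: int = 0
    nbytes: int = 0


def multifile_name(prefix: str, seq: int, ts: float, suffix: str = ".pcapng") -> str:
    """Wireshark's multi-file naming scheme, e.g. trace_00001_20120221214606.pcapng."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")
    return f"{prefix}_{seq:05d}_{stamp}{suffix}"


@dataclass
class CaptureSession:
    prefix: str
    # "Next file every ..." triggers; None means the trigger is disabled.
    next_file_bytes: Optional[int] = None
    next_file_seconds: Optional[float] = None
    # "Ring buffer with n files"; None keeps every file.
    ring_files: Optional[int] = None
    # "Stop capture ..." conditions; None means disabled.
    stop_after_files: Optional[int] = None
    stop_after_packets: Optional[int] = None
    stop_after_bytes: Optional[int] = None
    stop_after_seconds: Optional[float] = None

    files: List[CaptureFile] = field(default_factory=list)   # files still on disk
    deleted: List[str] = field(default_factory=list)         # names removed by the ring buffer
    seq: int = 0                                             # files opened so far
    total_packets: int = 0
    total_bytes: int = 0
    started_at: Optional[float] = None
    stopped: bool = False

    def _open_file(self, ts: float) -> None:
        self.seq += 1
        self.files.append(CaptureFile(multifile_name(self.prefix, self.seq, ts), ts))
        # Ring buffer: once more than ring_files exist, the oldest one is deleted.
        if self.ring_files is not None and len(self.files) > self.ring_files:
            self.deleted.append(self.files.pop(0).name)

    def _needs_switch(self, ts: float, caplen: int) -> bool:
        cur = self.files[-1]
        if self.next_file_bytes is not None and cur.nbytes + caplen > self.next_file_bytes:
            return True
        if self.next_file_seconds is not None and ts - cur.opened_at >= self.next_file_seconds:
            return True
        return False

    def write(self, pkt: Packet) -> bool:
        """Store one packet; returns False once a stop condition has fired."""
        if self.stopped:
            return False
        if self.started_at is None:
            self.started_at = pkt.ts
            self._open_file(pkt.ts)
        if self._needs_switch(pkt.ts, pkt.caplen):
            # Assumption for "Stop capture after n file(s)": the n-th switch
            # stops the capture instead of opening another file, so at most
            # n files are ever written.
            if self.stop_after_files is not None and self.seq >= self.stop_after_files:
                self.stopped = True
                return False
            self._open_file(pkt.ts)
        cur = self.files[-1]
        cur.packets += 1
        cur.nbytes += pkt.caplen
        self.total_packets += 1
        self.total_bytes += pkt.caplen
        if self.stop_after_packets is not None and self.total_packets >= self.stop_after_packets:
            self.stopped = True
        if self.stop_after_bytes is not None and self.total_bytes >= self.stop_after_bytes:
            self.stopped = True
        if self.stop_after_seconds is not None and pkt.ts - self.started_at >= self.stop_after_seconds:
            self.stopped = True
        return not self.stopped


def demo_ring_buffer() -> CaptureSession:
    """Constructed traffic: one 100-byte packet every 0.5 s for 20 s,
    rotated every 4 s into a ring buffer of 3 files."""
    session = CaptureSession("trace", next_file_seconds=4.0, ring_files=3)
    t0 = 1329860766.0  # 2012-02-21 21:46:06 UTC, constructed start time
    for i in range(40):
        session.write(Packet(t0 + i * 0.5, 100))
    return session
```
]]></programlisting>
      <para>
        Running <function>demo_ring_buffer</function> opens five files in total but
        leaves only trace_00003 to trace_00005 on disk; the first two have been
        deleted by the ring buffer, which is exactly the trade-off to keep in mind
        when an incident is noticed hours after it happened. A stop condition, by
        contrast, ends the capture outright: a session with
        <code>stop_after_packets=5</code> refuses the sixth packet.
      </para>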
    </section>
    <section><title>Display Options frame</title>
      <variablelist>
        <varlistentry>
          <term>
            <command>Update list of packets in real time</command>
          </term>
          <listitem>
            <para>
              This option allows you to specify that Wireshark
              should update the packet list pane in real time. If you
              do not specify this, Wireshark does not display any
              packets until you stop the capture. The capture itself always
              runs in a separate process, which feeds the captured packets to
              the display process; with this option checked, Wireshark dissects
              and displays them as they arrive.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <command>Automatic scrolling in live capture</command>
          </term>
          <listitem>
            <para>
              This option allows you to specify that Wireshark
              should scroll the packet list pane as new packets come
              in, so you are always looking at the last packet. If you
              do not specify this, Wireshark simply adds new packets onto
              the end of the list, but does not scroll the packet list
              pane. This option is greyed out if
              "Update list of packets in real time" is disabled.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <command>Hide capture info dialog</command>
          </term>
          <listitem>
            <para>
              If this option is checked, the capture info dialog described in
              <xref linkend="ChCapRunningSection"/> will be hidden.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
    <section><title>Name Resolution frame</title>
      <variablelist>
        <varlistentry>
          <term><command>Enable MAC name resolution</command></term>
          <listitem>
            <para>
              This option allows you to control whether or not
              Wireshark translates MAC addresses into names, see
              <xref linkend="ChAdvNameResolutionSection"/>.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>Enable network name resolution</command></term>
          <listitem>
            <para>
              This option allows you to control whether or not
              Wireshark translates network addresses into names, see
              <xref linkend="ChAdvNameResolutionSection"/>. Note that resolving
              network addresses may cause the analysis host to send DNS queries
              for the addresses seen in the capture, which adds traffic and
              reveals which addresses you are looking at.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>Enable transport name resolution</command></term>
          <listitem>
            <para>
              This option allows you to control whether or not
              Wireshark translates transport addresses into protocols, see
              <xref linkend="ChAdvNameResolutionSection"/>.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
    <section><title>Buttons</title>
      <para>
        Once you have set the values you desire and have selected the
        options you need, simply click on <command>Start</command> to commence the
        capture, or <command>Cancel</command> to cancel the capture.
      </para>
      <para>
        If you start a capture, Wireshark allows you to stop capturing when
        you have enough packets captured, for details see
        <xref linkend="ChCapRunningSection"/>.
      </para>
    </section>
  </section>

  <section id="ChCapEditInterfaceSettingsSection">
    <title>The "Edit Interface Settings" dialog box</title>
    <para>
      If you double-click on an interface in <xref linkend="ChCapCaptureOptionsDialog"/>
      the following dialog box pops up.
    </para>
    <figure id="ChCapEditInterfacesSettingsDialog">
      <title>The "Edit Interface Settings" dialog box</title>
      <graphic entityref="WiresharkCaptureEditInterfacesSettingsDialog" format="PNG"/>
    </figure>
    <para>
      You can set the following fields in this dialog box:
    </para>
    <variablelist>
      <varlistentry><term><command>IP address</command></term>
        <listitem>
          <para>
            The IP address(es) of the selected interface. If no address could
            be resolved from the system, "none" will be shown.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Link-layer header type</command></term>
        <listitem>
          <para>
            Unless you are in the rare situation that you need this, just keep
            the default. For a detailed description, see
            <xref linkend="ChCapLinkLayerHeader"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Wireless settings (Windows only)</command></term>
        <listitem>
          <para>
            Here you can set the settings for wireless capture using the AirPcap adapter.
            For a detailed description, see the AirPcap User's Guide.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Remote settings (Windows only)</command></term>
        <listitem>
          <para>
            Here you can set the settings for remote capture.
            For a detailed description, see <xref linkend="ChCapInterfaceRemoteSection"/>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <command>Capture packets in promiscuous mode</command>
        </term>
        <listitem>
          <para>
            This checkbox allows you to specify that Wireshark
            should put the interface in promiscuous mode when capturing.
            If you do not specify this, Wireshark will only capture the
            packets going to or from your computer (not
            all packets on your LAN segment).
          </para>
          <note>
            <title>Note</title>
            <para>
              If some other process has put the interface in
              promiscuous mode you may be capturing in promiscuous
              mode even if you turn off this option.
            </para>
          </note>
          <note>
            <title>Note</title>
            <para>
              Even in promiscuous mode you still won't necessarily see all packets
              on your LAN segment, see <ulink url="&WiresharkFAQPromiscPage;"/> for
              some more explanations.
            </para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Limit each packet to n bytes</command></term>
        <listitem>
          <para>
            This field allows you to specify the maximum amount of
            data that will be captured for each packet, and is
            sometimes referred to as the <command>snaplen</command>. If disabled,
            the value is set to the maximum 65535, which will be sufficient for most
            protocols. Some rules of thumb:
          </para>
          <itemizedlist>
            <listitem>
              <para>
                If you are unsure, just keep the default value.
              </para>
            </listitem>
            <listitem>
              <para>
                If you don't need all of the data in a packet - for example, if you
                only need the link-layer, IP, and TCP headers - you might want to
                choose a small snapshot length, as less CPU time is required for
                copying packets, less buffer space is required for packets, and thus
                perhaps fewer packets will be dropped if traffic is very heavy.
              </para>
            </listitem>
            <listitem>
              <para>
                If you don't capture all of the data in a packet, you might find that
                the packet data you want is in the part that's dropped, or that
                reassembly isn't possible as the data required for reassembly is
                missing.
              </para>
            </listitem>
          </itemizedlist>
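          <para>
            To see what the last rule of thumb looks like in a capture file, here
            is a small Python example, added here and not part of Wireshark. It
            writes a classic libpcap file in memory, "captures" three constructed
            frames once with the full snaplen and once limited to 96 bytes, and
            then reports which records have a stored length (incl_len) smaller than
            the original length (orig_len); those are the packets whose later
            protocol layers are missing. The pcap writer and reader, the three
            constructed frames and the 96-byte limit are assumptions of this
            example; the file layout (a 24-byte global header that carries the
            snaplen, and 16-byte record headers that carry the stored and original
            lengths) is the standard libpcap format.
          </para>
          <programlisting><![CDATA[
```python
"""Inspect what the snapshot length ("snaplen") does to a capture file.

Constructed example, not Wireshark's own code.  It writes a classic
libpcap file in memory, applies a snaplen to it the way a capture with
"Limit each packet to n bytes" would, and reports which records were cut
short (incl_len smaller than orig_len).  Those are the packets for which
dissection of later protocol layers or reassembly may fail.
"""
import struct
from typing import Dict, List, NamedTuple, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"       # ts_sec, ts_usec, incl_len, orig_len


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes actually stored in the file
    orig_len: int   # bytes that were on the wire


def write_pcap(records: List[Tuple[Record, bytes]], snaplen: int,
               linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise (Record, payload) pairs as a little-endian classic pcap file."""
    out = bytearray(struct.pack("<" + GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for rec, data in records:
        assert len(data) == rec.incl_len, "payload length must match incl_len"
        out += struct.pack("<" + RECORD_HEADER, *rec)
        out += data
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Tuple[Record, bytes]]]:
    """Parse a classic pcap file of either byte order; returns (snaplen, records)."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    header = struct.unpack(endian + GLOBAL_HEADER, blob[:24])
    snaplen = header[5]
    records = []
    off = 24
    while off + 16 <= len(blob):
        rec = Record(*struct.unpack(endian + RECORD_HEADER, blob[off:off + 16]))
        off += 16
        data = blob[off:off + rec.incl_len]
        if len(data) != rec.incl_len:
            # The file itself ends mid-packet (e.g. the capture process died).
            raise ValueError(f"record at offset {off - 16} is cut off by end of file")
        records.append((rec, data))
        off += rec.incl_len
    return snaplen, records


def apply_snaplen(full: List[Tuple[Record, bytes]], snaplen: int) -> List[Tuple[Record, bytes]]:
    """Simulate "Limit each packet to n bytes": keep only the first snaplen bytes,
    leaving orig_len untouched so the loss stays visible in the file."""
    out = []
    for rec, data in full:
        kept = data[:snaplen]
        out.append((rec._replace(incl_len=len(kept)), kept))
    return out


def truncation_report(blob: bytes) -> Dict[str, object]:
    """Which packets in a pcap were cut short by the snaplen, and how much was lost."""
    snaplen, records = read_pcap(blob)
    truncated = [i for i, (rec, _) in enumerate(records) if rec.incl_len != rec.orig_len]
    lost = sum(rec.orig_len - rec.incl_len for rec, _ in records)
    return {"snaplen": snaplen, "packets": len(records),
            "truncated": truncated, "bytes_lost": lost}


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed frames: a 60-byte minimum-size frame, a full-size 1514-byte
    frame and a 96-byte frame, captured once unlimited and once with snaplen 96."""
    full = [
        (Record(1329860766, 0, 60, 60), bytes(60)),
        (Record(1329860766, 500, 1514, 1514), bytes(1514)),
        (Record(1329860767, 0, 96, 96), bytes(96)),
    ]
    unlimited = write_pcap(full, snaplen=65535)
    limited = write_pcap(apply_snaplen(full, 96), snaplen=96)
    return truncation_report(unlimited), truncation_report(limited)
```
]]></programlisting>
          <para>
            With the 96-byte limit only the full-size frame is affected, but it
            loses 1418 of its 1514 bytes, which is the situation Wireshark flags
            per packet as "Packet size limited during capture" in the frame
            details. To run the same check on a real file, pass
            <code>open(path, "rb").read()</code> to
            <function>truncation_report</function> before relying on reassembly;
            the reader also raises an error when the file itself ends in the middle
            of a record, as happens when a capture process is killed.
          </para>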
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
<varlistentry><term><command>Buffer size: n megabyte(s)</command></term>
<listitem>
<para>
Enter the buffer size to be used while capturing. This is the size of the
kernel buffer that holds the captured packets until they are written to
disk. If you encounter packet drops, try increasing this value.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>Capture packets in monitor mode (Unix/Linux only)</command>
</term>
<listitem>
<para>
This checkbox allows you to set up the wireless interface to capture all
traffic it can receive, not just the traffic on the BSS to which it is
associated; promiscuous mode alone may still limit the capture to that BSS.
It might also be necessary to turn this option on in order to see IEEE 802.11
headers and/or radio information in the captured frames.
</para>
<note>
<title>Note</title>
<para>
In monitor mode the adapter might disassociate itself from the network it
was associated to.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry><term><command>Capture Filter</command></term>
<listitem>
<para>
This field allows you to specify a capture filter. Capture filters are
discussed in more detail in <xref linkend="ChCapCaptureFilterSection"/>.
It defaults to empty, or no filter.
</para>
<para>
You can also click on the button labeled "Capture Filter", and Wireshark
will bring up the Capture Filters dialog box and allow you to create and/or
select a filter. Please see <xref linkend="ChWorkDefineFilterSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Compile BPF</command></term>
<listitem>
<para>
This button allows you to compile the capture filter into BPF code and pop
up a window showing you the resulting pseudo code. This can help you
understand how the capture filter you created works.
</para>
</listitem>
</varlistentry>
</variablelist>
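<para>
As an added example (illustration code written for this text, not Wireshark
or libpcap code), the following shows what the snapshot length described
above does to the stored packets: a pcap writer that truncates each record
to the snaplen while recording the original length, a reader that flags
truncated records, and a check that reports how much data a capture lost.
The frames, addresses, timestamps and the snaplen values used in the demo
are constructed.
</para>

```python
"""Added example: how a snapshot length (snaplen) shows up in a pcap file.

Hand-written illustration code, not Wireshark or libpcap code. It writes the
classic pcap format (24-byte global header carrying the snaplen, then a
16-byte record header per packet with incl_len and orig_len) and reads it
back, so the effect of a small snaplen on the stored packets can be inspected.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
HEADER_LEN = 14 + 20 + 20    # Ethernet + IPv4 + TCP headers in the sample frames


def build_frame(payload, sport=40001, dport=23):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def write_capture(frames, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialize frames as pcap, truncating each record's data to snaplen."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for i, frame in enumerate(frames):
        data = frame[:snaplen]                    # this is what a snaplen does
        # record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)
        out += struct.pack("<IIII", 1265367662 + i, 0, len(data), len(frame))
        out += data
    return bytes(out)


def read_capture(blob):
    """Parse the pcap blob back into (snaplen, records)."""
    magic, _maj, _min, _tz, _sig, snaplen, _lt = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append({
            "ts": (ts_sec, ts_usec),
            "incl_len": incl_len,
            "orig_len": orig_len,
            "truncated": incl_len < orig_len,   # the tell-tale sign of a snaplen cut
            "data": blob[off:off + incl_len],
        })
        off += incl_len
    return snaplen, records


def tcp_payload(record):
    """Application data actually present in the stored record (may be cut short)."""
    return record["data"][HEADER_LEN:]


def truncation_report(blob):
    """Check for the analyst: how many records of a capture lost bytes to the snaplen."""
    snaplen, records = read_capture(blob)
    cut = [r for r in records if r["truncated"]]
    lost = sum(r["orig_len"] - r["incl_len"] for r in cut)
    return {"snaplen": snaplen, "packets": len(records),
            "truncated": len(cut), "bytes_lost": lost}


if __name__ == "__main__":
    frames = [build_frame(b"login: " + b"x" * 90), build_frame(b"ok")]
    for snaplen in (65535, 68):
        blob = write_capture(frames, snaplen)
        print(snaplen, truncation_report(blob))
```

<para>
With a snaplen of 68 bytes the 54 header bytes of each frame survive but the
first frame's payload is cut after 14 bytes, which is exactly the "data you
want is in the part that's dropped" case from the list above; the
orig_len/incl_len mismatch in the record header is how an analyst can tell
afterwards that a capture was truncated.
</para>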
</section>

<section id="ChCapCompileSelectedBpfsSection">
<title>The "Compile Results" dialog box</title>
<para>
This figure shows the compile results for the selected interfaces.
</para>
<figure id="ChCapCompileSelectedBpfsDialog">
<title>The "Compile Results" dialog box</title>
<graphic entityref="WiresharkCaptureCompileSelectedBPFsDialog" format="PNG"/>
</figure>
<para>
The left window lists the interface names. A green bullet indicates a
successful compilation, a red bullet a failure. When an interface is
selected, its individual results are shown in the right window.
</para>
</section>

<section id="ChCapManageInterfacesSection">
<title>The "Add New Interfaces" dialog box</title>
<para>
This dialog box is the central place to manage interfaces. It consists of
three tabs for adding or removing interfaces.
</para>
<figure id="ChCapManageInterfacesDialog">
<title>The "Add New Interfaces" dialog box</title>
<graphic entityref="WiresharkCaptureManageInterfacesDialog" format="PNG"/>
</figure>
<section>
<title>Add or remove pipes</title>
<figure id="ChCapManageInterfacesPipesDialog">
<title>The "Add New Interfaces - Pipes" dialog box</title>
<graphic entityref="WiresharkCaptureManageInterfacesPipesDialog" format="PNG"/>
</figure>
<para>
To successfully add a pipe, the pipe must already have been created. Click
the "New" button and type the name of the pipe including its path.
Alternatively, the "Browse" button can be used to locate the pipe. With the
"Save" button the pipe is added to the list of available interfaces.
Afterwards, other pipes can be added.
</para>
<para>
To remove a pipe from the list of interfaces it first has to be selected.
Then click the "Delete" button.
</para>
</section>
<section>
<title>Add or hide local interfaces</title>
<figure id="ChCapManageInterfacesLocalDialog">
<title>The "Add New Interfaces - Local Interfaces" dialog box</title>
<graphic entityref="WiresharkCaptureManageInterfacesLocalDialog" format="PNG"/>
</figure>
<para>
The "Local Interfaces" tab contains a list of the available local
interfaces, including the hidden ones, which are not shown in the other
lists.
</para>
<para>
If a new local interface appears, for example because a wireless interface
has been activated, it is not added to the list automatically; this avoids
constantly scanning for changes in the set of available interfaces. To
refresh the list, do a rescan.
</para>
<para>
One way to hide an interface is to change the preferences. If the "Hide"
checkbox is activated and the "Apply" button clicked, the interface will no
longer be shown in the lists of the "Capture Options" or "Capture
Interfaces" dialog box. The changes are also saved in the "Preferences"
file.
</para>
</section>
<section>
<title>Add or hide remote interfaces</title>
<figure id="ChCapManageInterfacesRemoteDialog">
<title>The "Add New Interfaces - Remote Interfaces" dialog box</title>
<graphic entityref="WiresharkCaptureManageInterfacesRemoteDialog" format="PNG"/>
</figure>
<para>
In this tab interfaces on remote hosts can be added. One or more of these
interfaces can be hidden. In contrast to the local interfaces, they are not
saved in the "Preferences" file.
</para>
<para>
To remove a host including all its interfaces from the list, it has to be
selected. Then click the "Delete" button.
</para>
<para>
For a detailed description, see <xref linkend="ChCapInterfaceRemoteSection"/>.
</para>
</section>
</section>
<section id="ChCapInterfaceRemoteSection">
<title>The "Remote Capture Interfaces" dialog box</title>
<para>
Besides capturing on local interfaces, Wireshark is capable of reaching out
across the network to a so-called capture daemon or service process and
receiving captured data from it.
</para>
<note><title>Microsoft Windows only</title>
<para>
This dialog and capability is only available on Microsoft Windows. On
Linux/Unix you can achieve the same effect (securely) through an SSH tunnel.
</para>
</note>
<para>
The Remote Packet Capture Protocol service must first be running on the
target platform before Wireshark can connect to it. The easiest way is to
install WinPcap from <ulink url="&WinPcapDownloadWebsite;"/> on the target.
Once installation is completed, go to the Services control panel, find the
Remote Packet Capture Protocol service and start it.
</para>
<note><title>Note</title>
<para>
Make sure you have outside access to port 2002 on the target platform. This
is the port where the Remote Packet Capture Protocol service can be reached
by default.
</para>
</note>
<para>
To access the Remote Capture Interfaces dialog use the "Add New Interfaces -
Remote" dialog, see <xref linkend="ChCapManageInterfacesRemoteDialog"/>, and
select "Add".
</para>
<section><title>Remote Capture Interfaces</title>
<figure id="ChCapInterfaceRemoteDialog">
<title>The "Remote Capture Interfaces" dialog box</title>
<graphic entityref="WiresharkCaptureOptionsRemoteInterfacesDialog" format="PNG"/>
</figure>
<para>
You have to set the following parameters in this dialog:
</para>
<variablelist>
<varlistentry><term><command>Host</command></term>
<listitem>
<para>
Enter the IP address or host name of the target platform where the Remote
Packet Capture Protocol service is listening. The drop-down list contains
the hosts that have previously been successfully contacted. The list can be
emptied by choosing "Clear list" from the drop-down list.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Port</command></term>
<listitem>
<para>
Set the port number on which the Remote Packet Capture Protocol service is
listening. Leave it empty to use the default port (2002).
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Null authentication</command></term>
<listitem>
<para>
Select this if you don't need authentication to take place for a remote
capture to be started. This depends on the target platform. Configuring the
target platform like this makes it insecure.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Password authentication</command></term>
<listitem>
<para>
This is the normal way of connecting to a target platform. Set the
credentials needed to connect to the Remote Packet Capture Protocol service.
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<!-- <section><title>Remote Capture</title>
<para>
When the connection to the Remote Packet Capture Protocol service is
successfully established the "Capture Options" dialog looks like this,
see <xref linkend="ChCapInterfaceRemoteCapDialog"/>.
</para>
<figure id="ChCapInterfaceRemoteCapDialog">
<title>The "Remote Capture" dialog box</title>
<graphic entityref="WiresharkCaptureOptionsRemoteCaptureDialog" format="PNG"/>
</figure>
<para>
The Interface dropdown list now shows the IP address or host name of the
Remote Packet Capture Protocol service and the other field shows the
interfaces on the remote target. After selecting the desired interface
just click <command>Start</command> to start the remote capture.
</para>
</section> -->
<section><title>Remote Capture Settings</title>
<para>
The remote capture can be further fine-tuned to match your situation. The
<command>Remote Settings</command> button in
<xref linkend="ChCapEditInterfacesSettingsDialog"/> gives you this option.
It pops up the dialog shown in
<xref linkend="ChCapInterfaceRemoteSettingsDialog"/>.
</para>
<figure id="ChCapInterfaceRemoteSettingsDialog">
<title>The "Remote Capture Settings" dialog box</title>
<graphic entityref="WiresharkCaptureOptionsRemoteSettingsDialog" format="PNG"/>
</figure>
<para>
You can set the following parameters in this dialog:
</para>
<variablelist>
<varlistentry><term><command>Do not capture own RPCAP traffic</command></term>
<listitem>
<para>
This option sets a capture filter so that the traffic flowing back from the
Remote Packet Capture Protocol service to Wireshark is not itself captured
and sent back again. Without it, this recursion saturates the link with
duplicate traffic.
</para>
<para>
You should only switch this off when capturing on an interface other than
the one connecting back to Wireshark.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Use UDP for data transfer</command></term>
<listitem>
<para>
Remote capture control and data flow over a TCP connection. This option
allows you to choose a UDP stream for data transfer instead.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Sampling option None</command></term>
<listitem>
<para>
This option instructs the Remote Packet Capture Protocol service to send back
all captured packets that have passed the capture filter. This is usually
not a problem on a remote capture session with sufficient bandwidth.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Sampling option 1 of x packets</command></term>
<listitem>
<para>
This option limits the Remote Packet Capture Protocol service to sending only
a subsample of the captured data, expressed as a number of packets. This
allows capturing from a higher-bandwidth interface over a narrowband remote
capture session.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Sampling option 1 every x milliseconds</command></term>
<listitem>
<para>
This option limits the Remote Packet Capture Protocol service to sending only
a subsample of the captured data, expressed in time. This allows capturing
from a higher-bandwidth interface over a narrowband remote capture session.
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
</section>
<section id="ChCapInterfaceDetailsSection">
<title>The "Interface Details" dialog box</title>
<para>
When you select Details from the Capture Interface menu, Wireshark pops up
the "Interface Details" dialog box as shown in
<xref linkend="ChCapInterfaceDetailsDialog"/>. This dialog shows various
characteristics and statistics for the selected interface.
</para>
<note><title>Microsoft Windows only</title>
<para>This dialog is only available on Microsoft Windows.</para>
</note>
<figure id="ChCapInterfaceDetailsDialog">
<title>The "Interface Details" dialog box</title>
<graphic entityref="WiresharkCaptureInterfaceDetailsDialog" format="JPG"/>
</figure>
</section>

<section id="ChCapCaptureFiles"><title>Capture files and file modes</title>
<para>
While capturing, the underlying libpcap capturing engine will grab the
packets from the network card and keep the packet data in a (relatively)
small kernel buffer. This data is read by Wireshark and saved into the
capture file(s) the user specified.
</para>
<para>
Different modes of operation are available when saving this packet data to
the capture file(s).
</para>
<tip><title>Tip!</title>
<para>
Working with large files (several hundred MB) can be quite slow. If you plan
to do a long term capture or capturing from a high traffic network, think
about using one of the "Multiple files" options. This will spread the
captured packets over several smaller files which can be much more pleasant
to work with.
</para>
</tip>
<note><title>Note!</title>
<para>
Using multiple files may cut context-related information. Wireshark keeps
context information about the loaded packet data, so it can report
context-related problems (like a stream error) and keep information about
context-related protocols (e.g. where data is exchanged in the establishing
phase and only referred to in later packets). As it keeps this information
only for the loaded file, using one of the multiple file modes may cut these
contexts. If the establishing phase is saved in one file and the things you
would like to see are in another, you might not see some of the valuable
context-related information.
</para>
</note>
<tip><title>Tip!</title>
<para>
Information about the folders used for the capture file(s) can be found in
<xref linkend="AppFiles"/>.
</para>
</tip>
<table id="ChCapTabCaptureFiles"><title>Capture file mode selected by capture options</title>
<tgroup cols="5">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<colspec colnum="3" colwidth="80pt"/>
<colspec colnum="4" colwidth="80pt"/>
<thead>
<row>
<entry>"File" option</entry>
<entry>"Use multiple files" option</entry>
<entry>"Ring buffer with n files" option</entry>
<entry>Mode</entry>
<entry>Resulting filename(s) used</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>-</entry>
<entry>-</entry>
<entry><command>Single temporary file</command></entry>
<entry>wiresharkXXXXXX (where XXXXXX is a unique number)</entry>
</row>
<row>
<entry>foo.cap</entry>
<entry>-</entry>
<entry>-</entry>
<entry><command>Single named file</command></entry>
<entry>foo.cap</entry>
</row>
<row>
<entry>foo.cap</entry>
<entry>x</entry>
<entry>-</entry>
<entry><command>Multiple files, continuous</command></entry>
<entry>foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ...</entry>
</row>
<row>
<entry>foo.cap</entry>
<entry>x</entry>
<entry>x</entry>
<entry><command>Multiple files, ring buffer</command></entry>
<entry>foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ...</entry>
</row>
</tbody>
</tgroup>
</table>
<variablelist>
<varlistentry>
<term><command>Single temporary file</command></term>
<listitem>
<para>
A temporary file will be created and used (this is the default). After
capturing is stopped, this file can be saved later under a user-specified
name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>Single named file</command></term>
<listitem>
<para>
A single capture file will be used. If you want to place the new capture
file in a specific folder, choose this mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>Multiple files, continuous</command></term>
<listitem>
<para>
Like the "Single named file" mode, but a new file is created and used after
reaching one of the multiple file switch conditions (one of the "Next file
every ..." values).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>Multiple files, ring buffer</command></term>
<listitem>
<para>
Much like "Multiple files, continuous", reaching one of the multiple file
switch conditions (one of the "Next file every ..." values) will switch to
the next file. This will be a newly created file if the value of "Ring
buffer with n files" has not been reached; otherwise it will replace the
oldest of the formerly used files (thus forming a "ring").
</para>
<para>
This mode will limit the maximum disk usage, even for an unlimited amount of
capture input data, keeping the latest captured data.
</para>
</listitem>
</varlistentry>
</variablelist>
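<para>
As an added example (illustration code written for this text, not
Wireshark's own file handling), the following simulates the two multiple-file
modes described above: records are written to files named after the scheme
in the table, the writer switches to the next file when a size limit would be
exceeded, and in ring buffer mode the oldest file is removed once more than n
files exist. The records, the size limit and the clock that produces the
timestamps are constructed for the demo.
</para>

```python
"""Added example: the "Multiple files, continuous" and "Multiple files, ring
buffer" capture modes, simulated.

Hand-written illustration code, not Wireshark's file handling. It reproduces
the naming scheme from the table (stem_NNNNN_YYYYmmddHHMMSS.ext), switches to
the next file when the current one would exceed a size limit (the "Next file
every n kilobyte(s)" condition) and, in ring buffer mode, deletes the oldest
file once more than ring_files exist. Records and timestamps are constructed.
"""
import os
import tempfile
from datetime import datetime, timedelta


class MultiFileWriter:
    def __init__(self, base_path, max_bytes, ring_files=None, clock=datetime.now):
        self.stem, self.ext = os.path.splitext(base_path)
        self.max_bytes = max_bytes
        self.ring_files = ring_files      # None: continuous mode, files are never removed
        self.clock = clock
        self.seq = 0
        self.files = []                   # paths in creation order, oldest first
        self.fh = None
        self.written = 0

    def _open_next_file(self):
        if self.fh is not None:
            self.fh.close()
        self.seq += 1
        stamp = self.clock().strftime("%Y%m%d%H%M%S")
        path = f"{self.stem}_{self.seq:05d}_{stamp}{self.ext}"
        self.fh = open(path, "wb")
        self.written = 0
        self.files.append(path)
        # ring buffer: once the file count exceeds n, the oldest file is replaced
        if self.ring_files is not None and len(self.files) > self.ring_files:
            os.remove(self.files.pop(0))

    def write(self, record):
        """Append one record; switch files first if the size limit would be exceeded."""
        if self.fh is None or self.written + len(record) > self.max_bytes:
            self._open_next_file()
        self.fh.write(record)
        self.written += len(record)

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def fixed_clock(start):
    """Deterministic clock for the demo: advances one minute per file switch."""
    ticks = {"n": 0}

    def now():
        t = start + timedelta(minutes=ticks["n"])
        ticks["n"] += 1
        return t
    return now


def run_demo(ring_files=None, records=10, record_size=100, max_bytes=300):
    """Write constructed records into a temporary directory; return the files left."""
    with tempfile.TemporaryDirectory() as tmp:
        writer = MultiFileWriter(os.path.join(tmp, "foo.cap"), max_bytes, ring_files,
                                 clock=fixed_clock(datetime(2010, 2, 5, 11, 1, 2)))
        for i in range(records):
            writer.write(bytes([i]) * record_size)   # constructed "packet" record
        writer.close()
        return sorted(os.listdir(tmp))


if __name__ == "__main__":
    print("continuous:", run_demo())
    print("ring of 3: ", run_demo(ring_files=3))
```

<para>
Ten 100-byte records with a 300-byte limit fill four files; continuous mode
keeps all four, while a ring of three keeps only the last three, which is
the bounded-disk-usage behaviour the list above describes and also the
reason the "Note!" above applies: anything written to the discarded first
file, such as a session's establishing phase, is gone.
</para>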
</section>

<section id="ChCapLinkLayerHeader"><title>Link-layer header type</title>
<para>
In the usual case, you won't have to choose this link-layer header type.
The following paragraphs describe the exceptional cases in which selecting
this type is possible, so you have a guide of what to do:
</para>
<para>
If you are capturing on an 802.11 device on some versions of BSD, this might
offer a choice of "Ethernet" or "802.11". "Ethernet" will cause the captured
packets to have fake Ethernet headers; "802.11" will cause them to have IEEE
802.11 headers. Unless the capture needs to be read by an application that
doesn't support 802.11 headers, you should select "802.11".
</para>
<para>
If you are capturing on an Endace DAG card connected to a synchronous serial
line, this might offer a choice of "PPP over serial" or "Cisco HDLC"; if the
protocol on the serial line is PPP, select "PPP over serial", and if the
protocol on the serial line is Cisco HDLC, select "Cisco HDLC".
</para>
<para>
If you are capturing on an Endace DAG card connected to an ATM network, this
might offer a choice of "RFC 1483 IP-over-ATM" or "Sun raw ATM". If the only
traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture
needs to be read by an application that doesn't support SunATM headers,
select "RFC 1483 IP-over-ATM", otherwise select "Sun raw ATM".
</para>
<para>
If you are capturing on an Ethernet device, this might offer a choice of
"Ethernet" or "DOCSIS". If you are capturing traffic from a Cisco Cable
Modem Termination System that is putting DOCSIS traffic onto the Ethernet to
be captured, select "DOCSIS", otherwise select "Ethernet".
</para>
</section>
<section id="ChCapCaptureFilterSection"><title>Filtering while capturing</title>
<para>
Wireshark uses the libpcap filter language for capture filters. This is
explained in the tcpdump man page, which can be hard to understand, so it's
explained here to some extent.
</para>
<tip>
<title>Tip!</title>
<para>
You will find a lot of Capture Filter examples at <ulink
url="&WiresharkWikiCaptureFiltersPage;">&WiresharkWikiCaptureFiltersPage;</ulink>.
</para>
</tip>
<para>
You enter the capture filter into the Filter field of the Wireshark Capture
Options dialog box, as shown in <xref linkend="ChCapCaptureOptionsDialog"/>.
The following is an outline of the syntax of the <command>tcpdump</command>
capture filter language. See the expression option in the tcpdump manual
page for details: <ulink url="&TcpdumpManpage;"/>.
</para>
<para>
A capture filter takes the form of a series of primitive expressions
connected by conjunctions (<command>and/or</command>) and optionally
preceded by <command>not</command>:
<programlisting>
[not] <command>primitive</command> [and|or [not] <command>primitive</command> ...]
</programlisting>
An example is shown in <xref linkend="ChCapExFilt1"/>.
<example id="ChCapExFilt1">
<title>
A capture filter for telnet that captures traffic to and from a particular
host
</title>
<programlisting>
tcp port 23 and host 10.0.0.5
</programlisting>
</example>
This example captures telnet traffic to and from the host 10.0.0.5, and
shows how to use two primitives and the <command>and</command> conjunction.
Another example is shown in <xref linkend="ChCapExFilt2"/>, and shows how
to capture all telnet traffic except that from 10.0.0.5.
<example id="ChCapExFilt2">
<title>Capturing all telnet traffic not from 10.0.0.5</title>
<programlisting>
tcp port 23 and not src host 10.0.0.5
</programlisting>
</example>
</para>
<para>
XXX - add examples to the following list.
</para>
<para>
A primitive is simply one of the following:
<variablelist>
<varlistentry>
<term><command>[src|dst] host &lt;host&gt;</command></term>
<listitem>
<para>
This primitive allows you to filter on a host IP address or name. You can
optionally precede the primitive with the keyword <command>src|dst</command>
to specify that you are only interested in source or destination addresses.
If these are not present, packets where the specified address appears as
either the source or the destination address will be selected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>ether [src|dst] host &lt;ehost&gt;</command>
</term>
<listitem>
<para>
This primitive allows you to filter on Ethernet host addresses. You can
optionally include the keyword <command>src|dst</command> between the
keywords <command>ether</command> and <command>host</command> to specify
that you are only interested in source or destination addresses. If these
are not present, packets where the specified address appears in either the
source or destination address will be selected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>gateway host &lt;host&gt;</command></term>
<listitem>
<para>
This primitive allows you to filter on packets that used
<command>host</command> as a gateway. That is, where the Ethernet source or
destination was <command>host</command> but neither the source nor
destination IP address was <command>host</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>
[src|dst] net &lt;net&gt; [{mask &lt;mask&gt;}|{len &lt;len&gt;}]
</command>
</term>
<listitem>
<para>
This primitive allows you to filter on network numbers. You can optionally
precede this primitive with the keyword <command>src|dst</command> to
specify that you are only interested in a source or destination network. If
neither of these is present, packets will be selected that have the
specified network in either the source or destination address. In addition,
you can specify either the netmask or the CIDR prefix length for the network
if they are different from your own.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>[tcp|udp] [src|dst] port &lt;port&gt;</command>
</term>
<listitem>
<para>
This primitive allows you to filter on TCP and UDP port numbers. You can
optionally precede this primitive with the keywords <command>src|dst</command>
and <command>tcp|udp</command> which allow you to specify that you are only
interested in source or destination ports and TCP or UDP packets
respectively. The keywords <command>tcp|udp</command> must appear before
<command>src|dst</command>.
</para>
<para>
If these are not specified, packets will be selected for both the TCP and
UDP protocols and when the specified port appears in either the source or
destination port field.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>less|greater &lt;length&gt;</command></term>
<listitem>
<para>
This primitive allows you to filter on packets whose length was less than or
equal to the specified length, or greater than or equal to the specified
length, respectively.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ip|ether proto &lt;protocol&gt;</command></term>
<listitem>
<para>
This primitive allows you to filter on the specified protocol at either the
Ethernet layer or the IP layer.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ether|ip broadcast|multicast</command></term>
<listitem>
<para>
This primitive allows you to filter on either Ethernet or IP broadcasts or
multicasts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>&lt;expr&gt; relop &lt;expr&gt;</command></term>
<listitem>
<para>
This primitive allows you to create complex filter expressions that select
bytes or ranges of bytes in packets. Please see the tcpdump man page at
<ulink url="&TcpdumpManpage;"/> for more details.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
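<para>
As an added example (illustration code written for this text, not libpcap's
filter compiler), the following evaluates the filter syntax outlined above,
including the two telnet examples, over a handful of constructed packet
summaries. libpcap compiles a filter to BPF that the kernel runs on raw
packet bytes; this evaluator applies the same expressions to already-decoded
fields instead, which is enough to see which packets a given filter admits.
It covers the host, port, net, less/greater and bare tcp/udp primitives and
the libpcap precedence (not, then and, then or); the packet list and the
addresses in it are constructed.
</para>

```python
"""Added example: an evaluator for the subset of the capture filter syntax
outlined above ([not] primitive [and|or [not] primitive ...]).

Hand-written illustration code, not libpcap's compiler: libpcap compiles a
filter to BPF and the kernel runs it on raw bytes, while this evaluates the
same expressions over already-decoded packet summaries (constructed dicts).
Supported primitives: [src|dst] host, [tcp|udp] [src|dst] port,
[src|dst] net X [mask m | len l] or net a.b.c.d/l, less/greater, and the
bare protocol keywords tcp/udp. Precedence follows libpcap: not binds
tightest, then and, then or.
"""
import ipaddress


def _either(pkt, direction, src_key, dst_key, pred):
    """Apply pred to the source side, the destination side, or both."""
    keys = {"src": (src_key,), "dst": (dst_key,), None: (src_key, dst_key)}[direction]
    return any(pred(pkt[k]) for k in keys)


class FilterParser:
    def __init__(self, text):
        self.toks = text.split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, *expected):
        tok = self.peek()
        if tok is None or (expected and tok not in expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        """Return a predicate pkt -> bool for the whole filter text."""
        pred = self._or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def _or(self):
        left = self._and()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._not())
        return left

    def _not(self):
        if self.peek() == "not":
            self.take()
            inner = self._not()
            return lambda p: not inner(p)
        return self._primitive()

    def _primitive(self):
        tok = self.peek()
        if tok in ("less", "greater"):                  # packet length bounds
            self.take()
            n = int(self.take())
            return (lambda p: p["len"] <= n) if tok == "less" else (lambda p: p["len"] >= n)
        proto = self.take() if tok in ("tcp", "udp") else None
        if proto and self.peek() not in ("src", "dst", "port"):
            return lambda p: p["proto"] == proto        # bare "tcp" / "udp"
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take("host", "port", "net")
        if proto and kind != "port":
            raise SyntaxError("tcp/udp may only qualify a port primitive")
        value = self.take()
        if kind == "host":
            return lambda p: _either(p, direction, "src", "dst", lambda a: a == value)
        if kind == "port":
            n = int(value)
            return lambda p: ((proto is None or p["proto"] == proto)
                              and _either(p, direction, "sport", "dport", lambda x: x == n))
        if self.peek() in ("mask", "len"):              # net X mask M  |  net X len L
            self.take()
            value = f"{value}/{self.take()}"
        net = ipaddress.ip_network(value, strict=False)
        return lambda p: _either(p, direction, "src", "dst",
                                 lambda a: ipaddress.ip_address(a) in net)


# Constructed packet summaries: a telnet session between 10.0.0.5 and 10.0.0.9,
# a second telnet client 10.0.0.7, and one DNS query from 10.0.0.5.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40001, "dport": 23, "len": 74},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "sport": 23, "dport": 40001, "len": 130},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.9", "sport": 40002, "dport": 23, "len": 74},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.1", "sport": 5353, "dport": 53, "len": 90},
]


def matching(filter_text, packets=PACKETS):
    """Indexes of the packets the filter would let through."""
    pred = FilterParser(filter_text).parse()
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for f in ("tcp port 23 and host 10.0.0.5", "tcp port 23 and not src host 10.0.0.5"):
        print(f"{f!r:45} -> {matching(f)}")
```

<para>
The two examples from the text select, respectively, both directions of the
10.0.0.5 telnet session and all telnet packets except those sent by
10.0.0.5. Because <command>not</command> binds only to the primitive that
follows it, "not host 10.0.0.5 and port 23" selects telnet packets not
involving 10.0.0.5 rather than negating the whole expression, which is the
usual surprise when a filter admits more than intended.
</para>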
  <section id="ChCapCaptureAutoFilterSection">
    <title>Automatic Remote Traffic Filtering</title>
    <para>
      If Wireshark is running on a remote machine (e.g. over SSH, an exported
      X11 display, a terminal server session, ...), the remote display content
      has to be transported over the network. Every packet Wireshark shows
      therefore generates further packets, which, if the capture interface is
      the one carrying the session, show up in the capture themselves and bury
      the actually interesting traffic under a lot of (usually unimportant)
      session traffic.
    </para>
    <para>
      To avoid this, Wireshark tries to figure out whether it is remotely
      connected (by looking at a few specific environment variables) and
      automatically creates a capture filter that excludes the traffic of that
      connection. The filter is only as good as the variables: if they are not
      set, e.g. in a nested session or when the login program does not export
      them, no filter is created and you have to enter a suitable one yourself.
      Check the capture filter in the Capture Options dialog box before
      starting a capture in any case.
    </para>
    <para>
      The following environment variables are analyzed:
    </para>
    <variablelist>
      <varlistentry>
        <term><command>SSH_CONNECTION</command> (ssh)</term>
        <listitem>
          <para>
            &lt;remote IP&gt; &lt;remote port&gt; &lt;local IP&gt; &lt;local port&gt;
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>SSH_CLIENT</command> (ssh)</term>
        <listitem>
          <para>
            &lt;remote IP&gt; &lt;remote port&gt; &lt;local port&gt;
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>REMOTEHOST</command> (tcsh, others?)</term>
        <listitem>
          <para>
            &lt;remote name&gt;
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>DISPLAY</command> (x11)</term>
        <listitem>
          <para>
            [remote name]:&lt;display num&gt;
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>SESSIONNAME</command> (terminal server)</term>
        <listitem>
          <para>
            &lt;remote name&gt;
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
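    <para>
      The following Python function is an added example of how such a filter
      can be derived from these variables. It is not Wireshark's own code, and
      the exact filter text Wireshark generates may differ; the clause layout,
      the treatment of a SESSIONNAME of "Console" as a local logon, and turning
      a remote DISPLAY into "host ... and tcp port 6000 + display number" are
      assumptions of this illustration. The environment is treated as untrusted
      input: a value that is not a plain host name, IP literal or port number is
      dropped rather than pasted into the filter, and local or tunnelled X11
      displays (such as localhost:10.0 under SSH X forwarding) produce no clause
      of their own because that traffic already travels inside the SSH
      connection. The sample environments in the test are constructed.
    </para>

```python
"""Added example (not Wireshark's own code): derive a capture filter that
excludes the traffic of the remote session Wireshark is displayed through,
from the environment variables SSH_CONNECTION, SSH_CLIENT, REMOTEHOST,
DISPLAY and SESSIONNAME. The filter layout is an illustrative assumption."""

import re
from typing import Mapping, Optional

# Only plain host names / IP literals may enter the filter string. Environment
# variables are untrusted input here: a stray space, quote or parenthesis
# would otherwise change the meaning of the generated filter or break it.
_SAFE_HOST = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")


def _host(token: str) -> Optional[str]:
    """Return the token if it is safe to embed as a 'host' argument, else None."""
    return token if _SAFE_HOST.match(token) else None


def _port(token: str) -> Optional[int]:
    """Return the port as int if it is a valid TCP/UDP port number, else None."""
    return int(token) if token.isdigit() and 0 < int(token) < 65536 else None


def x11_display_endpoint(display: str) -> Optional[tuple]:
    """Parse DISPLAY ('[host]:num[.screen]').

    Returns (host, tcp_port) for a remote display, or None when the display
    is local or tunnelled: an empty host, 'localhost' or 'unix' never crosses
    the captured interface as X11 traffic. rpartition keeps bare IPv6 hosts intact."""
    host, sep, rest = display.rpartition(":")
    if not sep or not rest:
        return None
    num = rest.split(".", 1)[0]
    if not num.isdigit() or host in ("", "localhost", "unix") or _host(host) is None:
        return None
    return host, 6000 + int(num)   # X11 listens on TCP 6000 + display number


def remote_session_filter(env: Mapping[str, str]) -> Optional[str]:
    """Build a 'not (...)' capture filter from the session variables that are
    set and well-formed; None when nothing indicates a remote session."""
    clauses = []

    ssh = env.get("SSH_CONNECTION", "").split()   # <remote IP> <remote port> <local IP> <local port>
    if len(ssh) == 4 and _host(ssh[0]) and _port(ssh[1]) and _host(ssh[2]) and _port(ssh[3]):
        clauses.append(f"host {ssh[0]} and port {ssh[1]} and host {ssh[2]} and port {ssh[3]}")
    else:
        ssh = env.get("SSH_CLIENT", "").split()   # <remote IP> <remote port> <local port>
        if len(ssh) == 3 and _host(ssh[0]) and _port(ssh[1]) and _port(ssh[2]):
            clauses.append(f"host {ssh[0]} and port {ssh[1]} and port {ssh[2]}")

    remote = env.get("REMOTEHOST")                  # <remote name>
    if remote and _host(remote):
        clauses.append(f"host {remote}")

    x11 = x11_display_endpoint(env.get("DISPLAY", ""))   # [remote name]:<display num>
    if x11:
        clauses.append(f"host {x11[0]} and tcp port {x11[1]}")

    # Terminal server: the page lists the value as <remote name>; 'Console' is
    # assumed to be a local logon, and anything that is not a plain host name
    # is ignored rather than inserted into the filter.
    session = env.get("SESSIONNAME")
    if session and session != "Console" and _host(session):
        clauses.append(f"host {session}")

    if not clauses:
        return None
    if len(clauses) == 1:
        return f"not ({clauses[0]})"
    return "not (" + " or ".join(f"({c})" for c in clauses) + ")"


if __name__ == "__main__":
    import os
    print(remote_session_filter(os.environ) or "no remote session detected")
```

    <para>
      Run on its own, the script prints the filter for the current process
      environment, which is a quick way to see what a tool relying on these
      variables can and cannot detect on a given login path.
    </para>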
  </section>
</section>
<section id="ChCapRunningSection"><title>While a Capture is running ...</title>
  <para>
    While a capture is running, the following dialog box is shown:
    <figure id="ChCapCaptureInfoDialog">
      <title>The "Capture Info" dialog box</title>
      <graphic entityref="WiresharkCaptureInfoDialog" format="JPG"/>
    </figure>
    This dialog box shows the number of packets captured so far, broken down
    by protocol, and the time elapsed since the capture was started. The set
    of protocols that are counted is fixed and cannot be changed.
  </para>
  <tip><title>Tip!</title>
    <para>
      The Capture Info dialog box can be hidden using the "Hide capture info
      dialog" option in the Capture Options dialog box.
    </para>
  </tip>
  <section id="ChCapStopSection"><title>Stop the running capture</title>
    <para>
      A running capture session can be stopped in one of the following ways:
      <orderedlist>
        <listitem>
          <para>Using the
            "<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop" button from the <command>Capture Info dialog box</command>.
          </para>
          <note><title>Note!</title>
            <para>
              The Capture Info dialog box might be hidden if the option "Hide
              capture info dialog" is used; in that case use one of the other
              ways below.
            </para>
          </note>
        </listitem>
        <listitem>
          <para>Using the <command>menu item</command>
            "Capture/<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop".
          </para>
        </listitem>
        <listitem>
          <para>Using the <command>toolbar item</command>
            "<inlinegraphic entityref="WiresharkToolbarCaptureStop" format="PNG"/>
            Stop".
          </para>
        </listitem>
        <listitem>
          <para>Pressing the accelerator keys <command>Ctrl+E</command>.
          </para>
        </listitem>
        <listitem>
          <para>The capture is stopped automatically as soon as one of the
            <command>Stop Conditions</command> set in the Capture Options dialog
            box is reached, e.g. the maximum amount of data has been captured.
          </para>
        </listitem>
      </orderedlist>
    </para>
  </section>
  <section id="ChCapRestartSection"><title>Restart a running capture</title>
    <para>
      A running capture session can be restarted with the same capture options
      as the last time; this discards all packets captured so far. This can be
      useful if only uninteresting packets have been captured and there is no
      need to keep them. The discarded packets are not saved anywhere, so save
      the capture file first if you might still need them.
    </para>
    <para>
      Restart is a convenience function, equivalent to a capture stop followed
      by an immediate capture start. A restart can be triggered in one of the
      following ways:
      <orderedlist>
        <listitem>
          <para>Using the <command>menu item</command>
            "Capture/<inlinegraphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/>
            Restart".
          </para>
        </listitem>
        <listitem>
          <para>Using the <command>toolbar item</command>
            "<inlinegraphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/>
            Restart".
          </para>
        </listitem>
      </orderedlist>
    </para>
  </section>
</section>

</chapter>

<!-- End of WSUG Chapter Capture -->