wireshark/docbook/wsug_src/WSUG_chapter_use.xml

<!-- WSUG Chapter Three -->
<!-- $Id$ -->
<chapter id="ChapterUsing">
<title>User Interface</title>
<section id="ChUseIntroductionSection"><title>Introduction</title>
<para>
By now you have installed <application>Wireshark</application> and
are most likely keen to get started capturing your first packets. In
the next chapters we will explore:
<itemizedlist>
<listitem>
<para>
How the Wireshark user interface works
</para>
</listitem>
<listitem>
<para>
How to capture packets in <application>Wireshark</application>
</para>
</listitem>
<listitem>
<para>
How to view packets in <application>Wireshark</application>
</para>
</listitem>
<listitem>
<para>
How to filter packets in <application>Wireshark</application>
</para>
</listitem>
<listitem>
<para>
... and many other things!
</para>
</listitem>
</itemizedlist>
</para>
</section>
<section id="ChUseStartSection"><title>Start Wireshark</title>
<para>
You can start Wireshark from your shell or window manager.
<tip><title>Tip!</title>
<para>
When starting Wireshark it's possible to specify optional settings using
the command line. See <xref linkend="ChCustCommandLine"/> for details.
</para>
</tip>
<note><title>Note!</title>
<para>
In the following chapters, a lot of screenshots from Wireshark will be shown.
As Wireshark runs on many different platforms and there are different
versions of the underlying GUI toolkit (GTK 1.x / 2.x) used, your
screen might look different from the provided screenshots. But as there
are no real differences in functionality, these screenshots should still
be easy to follow.
</para>
</note>
</para>
</section>
<section id="ChUseMainWindowSection"><title>The Main window</title>
<para>
Let's look at Wireshark's user interface. <xref linkend="ChUseFig01"/> shows
Wireshark as you would usually see it after some packets are captured or loaded
(how to do this will be described later).
<figure id="ChUseFig01">
<title>The Main window</title>
<graphic scale="100" entityref="WiresharkThreePane1" format="PNG"/>
</figure>
</para>
<para>
Wireshark's main window consists of parts that are commonly known from many
other GUI programs.
<orderedlist>
<listitem>
<para>
The <emphasis>menu</emphasis> (see <xref linkend="ChUseMenuSection"/>)
is used to start actions.
</para>
</listitem>
<listitem>
<para>
The <emphasis>main toolbar</emphasis> (see <xref linkend="ChUseMainToolbarSection"/>)
provides quick access to frequently used items from the menu.
</para>
</listitem>
<listitem>
<para>
The <emphasis>filter toolbar</emphasis> (see <xref linkend="ChUseFilterToolbarSection"/>)
provides a way to directly manipulate the currently used display filter
(see <xref linkend="ChWorkDisplayFilterSection"/>).
</para>
</listitem>
<listitem>
<para>
The <emphasis>packet list pane</emphasis> (see <xref linkend="ChUsePacketListPaneSection"/>)
displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
</para>
</listitem>
<listitem>
<para>
The <emphasis>packet details pane</emphasis> (see <xref linkend="ChUsePacketDetailsPaneSection"/>)
displays the packet selected in the packet list pane in more detail.
</para>
</listitem>
<listitem>
<para>
The <emphasis>packet bytes pane</emphasis> (see <xref linkend="ChUsePacketBytesPaneSection"/>)
displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
</para>
</listitem>
<listitem>
<para>
The <emphasis>statusbar</emphasis> (see <xref linkend="ChUseStatusbarSection"/>)
shows some detailed information about the current program state and
the captured data.
</para>
</listitem>
</orderedlist>
<tip><title>Tip!</title>
<para>
The layout of the main window can be customized by changing preference settings.
See <xref linkend="ChCustPreferencesSection"/> for details!
</para>
</tip>
</para>
<section id="ChUseMainWindowNavSection"><title>Main Window Navigation</title>
<para>
Packet list and detail navigation can be done entirely from the
keyboard. <xref linkend="ChUseTabNav"/> shows a list of keystrokes
that will let you quickly move around a capture file. See
<xref linkend="ChUseTabGo"/> for additional navigation keystrokes.
</para>
<table id="ChUseTabNav" frame="none">
<title>Keyboard Navigation</title>
<tgroup cols="2">
<colspec colnum="1" colwidth="72pt"/>
<thead>
<row>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>Tab, Shift+Tab</entry>
<entry><para>
Move between screen elements, e.g. from the toolbars
to the packet list to the packet detail.
</para></entry>
</row>
<row>
<entry>Down</entry>
<entry><para>
Move to the next packet or detail item.
</para></entry>
</row>
<row>
<entry>Up</entry>
<entry><para>
Move to the previous packet or detail item.
</para></entry>
</row>
<row>
<entry>Ctrl+Down, F8</entry>
<entry><para>
Move to the next packet, even if the packet
list isn't focused.
</para></entry>
</row>
<row>
<entry>Ctrl+Up, F7</entry>
<entry><para>
Move to the previous packet, even if the packet
list isn't focused.
</para></entry>
</row>
<row>
<entry>Left</entry>
<entry><para>
In the packet detail, closes the selected tree item.
If it's already closed, jumps to the parent node.
</para></entry>
</row>
<row>
<entry>Right</entry>
<entry><para>
In the packet detail, opens the selected tree item.
</para></entry>
</row>
<row>
<entry>Shift+Right</entry>
<entry><para>
In the packet detail, opens the selected tree item
and all of its subtrees.
</para></entry>
</row>
<row>
<entry>Ctrl+Right</entry>
<entry><para>
In the packet detail, opens all tree items.
</para></entry>
</row>
<row>
<entry>Ctrl+Left</entry>
<entry><para>
In the packet detail, closes all tree items.
</para></entry>
</row>
<row>
<entry>Backspace</entry>
<entry><para>
In the packet detail, jumps to the parent node.
</para></entry>
</row>
<row>
<entry>Return, Enter</entry>
<entry><para>
In the packet detail, toggles the selected
tree item.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
Additionally, typing anywhere in the main window will start filling
in a display filter.
</para>
</section>
</section>
<section id="ChUseMenuSection"><title>The Menu</title>
<para>
The Wireshark menu sits on top of the Wireshark window.
An example is shown in <xref linkend="ChUseWiresharkMenu"/>.
</para>
<note><title>Note!</title>
<para>
Menu items will be greyed out if the corresponding feature isn't
available. For example, you cannot save a capture file if you haven't
captured or loaded any data.
</para>
</note>
<para>
<figure id="ChUseWiresharkMenu"><title>The Menu</title>
<graphic entityref="WiresharkMenuOnly" format="PNG"/>
</figure>
</para>
<para>
It contains the following items:
<variablelist>
<varlistentry><term><command>File</command></term>
<listitem>
<para>
This menu contains items to open and merge capture files,
save / print / export capture files in whole or in part,
and to quit from Wireshark. See <xref linkend="ChUseFileMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Edit</command></term>
<listitem>
<para>
This menu contains items to find a packet, to time reference or mark one
or more packets, and to set your preferences
(cut, copy, and paste are not presently implemented).
See <xref linkend="ChUseEditMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>View</command></term>
<listitem>
<para>This menu controls the display of the captured data,
including colorization of packets, zooming the font,
showing a packet in a separate window, expanding and collapsing trees in packet details, and more.
See <xref linkend="ChUseViewMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Go</command></term>
<listitem>
<para>This menu contains items to go to a specific packet.
See <xref linkend="ChUseGoMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Capture</command></term>
<listitem>
<para>This menu allows you to start and stop captures and to edit capture filters.
See <xref linkend="ChUseCaptureMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Analyze</command></term>
<listitem>
<para>
This menu contains items to manipulate display filters, enable or
disable the dissection of protocols, configure user specified decodes
and follow a TCP stream.
See <xref linkend="ChUseAnalyzeMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Statistics</command></term>
<listitem>
<para>
This menu contains items to display various statistics windows,
including a summary of the packets that have been captured,
protocol hierarchy statistics and much more.
See <xref linkend="ChUseStatisticsMenuSection"/>.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>Help</command></term>
<listitem>
<para>
This menu contains items to help the user, like access to some basic
help, a list of the supported protocols, manual pages, online access
to some of the webpages, and the usual about dialog.
See <xref linkend="ChUseHelpMenuSection"/>.
</para>
</listitem>
</varlistentry>
</variablelist>
Each of these menu items is described in more detail in the sections
that follow.
</para>
<tip><title>Tip!</title>
<para>
You can access menu items directly or by pressing the corresponding
accelerator keys, which are shown at the right side of the
menu. For example, you can press the Control (or Strg in German) and the K
keys together to open the capture dialog.
</para>
</tip>
</section>
<section id="ChUseFileMenuSection"><title>The "File" menu</title>
<para>
The Wireshark file menu contains the fields shown in
<xref linkend="ChUseTabFile"/>.
</para>
<figure id="ChUseWiresharkFileMenu">
<title>The "File" Menu</title>
<graphic entityref="WiresharkFileMenu" format="PNG"/>
</figure>
<table id="ChUseTabFile" frame="none"><title>File menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Open...</command></entry>
<entry>Ctrl+O</entry>
<entry><para>
This menu item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in <xref linkend="ChIOOpen"/>.
</para></entry>
</row>
<row>
<entry><command>Open Recent</command></entry>
<entry></entry>
<entry><para>
This menu item shows a submenu containing the recently opened
capture files. Clicking on one of the submenu items will open the
corresponding capture file directly.
</para></entry>
</row>
<row>
<entry><command>Merge...</command></entry>
<entry></entry>
<entry><para>
This menu item brings up the merge file dialog box that
allows you to merge a capture file into the currently loaded one.
It is discussed in more detail in <xref linkend="ChIOMergeSection"/>.
</para></entry>
</row>
<row>
<entry><command>Close</command></entry>
<entry>Ctrl+W</entry>
<entry><para>
This menu item closes the current capture. If you
haven't saved the capture, you will be asked to do so first
(this can be disabled by a preference setting).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Save</command></entry>
<entry>Ctrl+S</entry>
<entry><para>
This menu item saves the current capture. If you
have not set a default capture file name (perhaps with
the -w &lt;capfile&gt; option), Wireshark pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
</para><note>
<title>Note!</title>
<para>
If you have already saved the current capture, this
menu item will be greyed out.
</para>
</note><note>
<title>Note!</title>
<para>
You cannot save a live capture while it is in
progress. You must stop the capture in order to
save.
</para>
</note></entry>
</row>
<row>
<entry><command>Save As...</command></entry>
<entry>Shift+Ctrl+S</entry>
<entry><para>
This menu item allows you to save the current capture
file to whatever file you would like. It pops up the
Save Capture File As dialog box (which is discussed
further in <xref linkend="ChIOSaveAs"/>).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>File Set > List Files</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to show a list of files in a file set.
It pops up the Wireshark List File Set dialog box (which is
discussed further in <xref linkend="ChIOFileSetSection"/>).
</para></entry>
</row>
<row>
<entry><command>File Set > Next File</command></entry>
<entry></entry>
<entry><para>
If the currently loaded file is part of a file set, jump to the
next file in the set. If it isn't part of a file set, or is the
last file in that set, this item is greyed out.
</para></entry>
</row>
<row>
<entry><command>File Set > Previous File</command></entry>
<entry></entry>
<entry><para>
If the currently loaded file is part of a file set, jump to the
previous file in the set. If it isn't part of a file set, or is
the first file in that set, this item is greyed out.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Export > as "Plain Text" file...</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to export all (or some) of the packets in
the capture file to a plain ASCII text file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPlainDialog"/>).
</para></entry>
</row>
<row>
<entry><command>Export > as "PostScript" file...</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to export all (or some) of the packets in
the capture file to a PostScript file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPSDialog"/>).
</para></entry>
</row>
<row>
<entry><command>Export > as "CSV" (Comma Separated Values packet summary) file...</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to export all (or some) of the packet summaries in
the capture file to a .csv file (e.g. used by spreadsheet programs).
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportCSVDialog"/>).
</para></entry>
</row>
<row>
<entry><command>Export > as "PSML" file...</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to export all (or some) of the packets in
the capture file to a PSML (packet summary markup language) XML file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPSMLDialog"/>).
</para></entry>
</row>
<row>
<entry><command>Export > as "PDML" file...</command></entry>
<entry></entry>
<entry><para>
This menu item allows you to export all (or some) of the packets in
the capture file to a PDML (packet details markup language) XML file.
It pops up the Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportPDMLDialog"/>).
</para></entry>
</row>
<row>
<entry><command>Export > Selected Packet Bytes...</command></entry>
<entry>Ctrl+H</entry>
<entry><para>
This menu item allows you to export the currently selected bytes
in the packet bytes pane to a binary file. It pops up the
Wireshark Export dialog box (which is discussed further in
<xref linkend="ChIOExportSelectedDialog"/>).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Print...</command></entry>
<entry>Ctrl+P</entry>
<entry><para>
This menu item allows you to print all (or some) of the packets in
the capture file. It pops up the Wireshark Print dialog
box (which is discussed further in
<xref linkend="ChIOPrintSection"/>).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Quit</command></entry>
<entry>Ctrl+Q</entry>
<entry><para>
This menu item allows you to quit from Wireshark.
Wireshark will ask to save your capture file if you haven't saved
it before (this can be disabled by a preference setting).
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseEditMenuSection"><title>The "Edit" menu</title>
<para>
The Wireshark Edit menu contains the fields shown in
<xref linkend="ChUseTabEdit"/>.
</para>
<figure id="ChUseWiresharkEditMenu">
<title>The "Edit" Menu</title>
<graphic entityref="WiresharkEditMenu" format="PNG"/>
</figure>
<table id="ChUseTabEdit" frame="none">
<title>Edit menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Copy > As Filter</command></entry>
<entry>Shift+Ctrl+C</entry>
<entry><para>
This menu item will use the selected item in the detail view to
create a display filter. This display filter is then copied to
the clipboard.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Find Packet...</command></entry>
<entry>Ctrl+F</entry>
<entry><para>
This menu item brings up a dialog box that allows you
to find a packet by many criteria.
There is further information on finding packets in
<xref linkend="ChWorkFindPacketSection"/>.
</para></entry>
</row>
<row>
<entry><command>Find Next</command></entry>
<entry>Ctrl+N</entry>
<entry><para>
This menu item tries to find the next packet matching the
settings from "Find Packet...".
</para></entry>
</row>
<row>
<entry><command>Find Previous</command></entry>
<entry>Ctrl+B</entry>
<entry><para>
This menu item tries to find the previous packet matching the
settings from "Find Packet...".
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Mark Packet (toggle)</command></entry>
<entry>Ctrl+M</entry>
<entry><para>
This menu item "marks" the currently selected packet. See
<xref linkend="ChWorkMarkPacketSection"/> for details.
</para></entry>
</row>
<row>
<entry><command>Find Next Mark</command></entry>
<entry>Shift+Ctrl+N</entry>
<entry><para>
Find the next marked packet.
</para></entry>
</row>
<row>
<entry><command>Find Previous Mark</command></entry>
<entry>Shift+Ctrl+B</entry>
<entry><para>
Find the previous marked packet.
</para></entry>
</row>
<row>
<entry><command>Mark All Packets</command></entry>
<entry></entry>
<entry><para>
This menu item "marks" all packets.
</para></entry>
</row>
<row>
<entry><command>Unmark All Packets</command></entry>
<entry></entry>
<entry><para>This menu item "unmarks" all marked packets.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Set Time Reference (toggle)</command></entry>
<entry>Ctrl+T</entry>
<entry><para>
This menu item sets a time reference on the currently selected
packet. See <xref linkend="ChWorkTimeReferencePacketSection"/> for more information
about the time referenced packets.
</para></entry>
</row>
<row>
<entry><command>Find Next Reference</command></entry>
<entry></entry>
<entry><para>
This menu item tries to find the next time referenced packet.
</para></entry>
</row>
<row>
<entry><command>Find Previous Reference</command></entry>
<entry></entry>
<entry><para>
This menu item tries to find the previous time referenced packet.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Preferences...</command></entry>
<entry>Shift+Ctrl+P</entry>
<entry><para>
This menu item brings up a dialog box that allows
you to set preferences for many parameters that control
Wireshark. You can also save your preferences so Wireshark
will use them the next time you start it. More detail
is provided in <xref linkend="ChCustPreferencesSection"/>.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseViewMenuSection"><title>The "View" menu</title>
<para>
The Wireshark View menu contains the fields shown in
<xref linkend="ChUseTabView"/>.
</para>
<figure id="ChUseWiresharkViewMenu">
<title>The "View" Menu</title>
<graphic entityref="WiresharkViewMenu" format="PNG"/>
</figure>
<table id="ChUseTabView" frame="none">
<title>View menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Main Toolbar</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the main toolbar, see
<xref linkend="ChUseMainToolbarSection"/>.
</para></entry>
</row>
<row>
<entry><command>Filter Toolbar</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the filter toolbar, see
<xref linkend="ChUseFilterToolbarSection"/>.
</para></entry>
</row>
<row>
<entry><command>Statusbar</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the statusbar, see
<xref linkend="ChUseStatusbarSection"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Packet List</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the packet list pane, see
<xref linkend="ChUsePacketListPaneSection"/>.
</para></entry>
</row>
<row>
<entry><command>Packet Details</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the packet details pane, see
<xref linkend="ChUsePacketDetailsPaneSection"/>.
</para></entry>
</row>
<row>
<entry><command>Packet Bytes</command></entry>
<entry></entry>
<entry><para>
This menu item hides or shows the packet bytes pane, see
<xref linkend="ChUsePacketBytesPaneSection"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display the
time stamps in date and time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
<para>
The fields "Time of Day", "Date and Time of
Day", "Seconds Since Beginning of Capture", "Seconds Since
Previous Captured Packet" and "Seconds Since Previous
Displayed Packet" are mutually exclusive.
</para>
</note>
</para></entry>
</row>
<row>
<entry><command>Time Display Format > Time of Day: 01:02:03.123456</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time
stamps in time of day format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Time Display Format > Seconds Since Beginning of Capture: 123.123456</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time
stamps in seconds since beginning of capture format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Time Display Format > Seconds Since Previous Captured Packet: 1.123456</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time stamps in
seconds since previous captured packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Time Display Format > Seconds Since Previous Displayed Packet: 1.123456</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time stamps in
seconds since previous displayed packet format, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Time Display Format > ------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Time Display Format > Automatic (File Format Precision)</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time stamps with the
precision given by the capture file format used, see
<xref linkend="ChWorkTimeFormatsSection"/>.
<note><title>Note!</title>
<para>
The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
</para>
</note>
</para></entry>
</row>
<row>
<entry><command>Time Display Format > Seconds: 0</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time stamps with a precision of one second, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Time Display Format > ...seconds: 0....</command></entry>
<entry></entry>
<entry><para>
Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see
<xref linkend="ChWorkTimeFormatsSection"/>.
</para></entry>
</row>
<row>
<entry><command>Name Resolution > Resolve Name</command></entry>
<entry></entry>
<entry><para>
This item allows you to trigger a name resolve of the current packet
only, see <xref linkend="ChAdvNameResolutionSection"/>.
</para></entry>
</row>
<row>
<entry><command>Name Resolution > Enable for MAC Layer</command></entry>
<entry></entry>
<entry><para>
This item allows you to control whether or not
Wireshark translates MAC addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
</para></entry>
</row>
<row>
<entry><command>Name Resolution > Enable for Network Layer</command></entry>
<entry></entry>
<entry><para>
This item allows you to control whether or not
Wireshark translates network addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
</para></entry>
</row>
<row>
<entry><command>Name Resolution > Enable for Transport Layer</command></entry>
<entry></entry>
<entry><para>
This item allows you to control whether or not
Wireshark translates transport addresses into names, see
<xref linkend="ChAdvNameResolutionSection"/>.
</para></entry>
</row>
<row>
<entry><command>Colorize Packet List</command></entry>
<entry></entry>
<entry><para>
This item allows you to control whether or not Wireshark should colorize
the packet list.</para>
<note><title>Note!</title><para>
Enabling colorization will slow down the display
of new packets while capturing / loading capture files.
</para></note></entry>
</row>
<row>
<entry><command>Auto Scroll in Live Capture</command></entry>
<entry></entry>
<entry><para>
This item allows you to specify that Wireshark
should scroll the packet list pane as new packets come
in, so you are always looking at the last packet. If you
do not specify this, Wireshark simply adds new packets onto
the end of the list, but does not scroll the packet list
pane.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Zoom In</command></entry>
<entry>Ctrl++</entry>
<entry><para>
Zoom into the packet data (increase the font size).
</para></entry>
</row>
<row>
<entry><command>Zoom Out</command></entry>
<entry>Ctrl+-</entry>
<entry><para>
Zoom out of the packet data (decrease the font size).
</para></entry>
</row>
<row>
<entry><command>Normal Size</command></entry>
<entry>Ctrl+=</entry>
<entry><para>
Set zoom level back to 100% (set font size back to normal).
</para></entry>
</row>
<row>
<entry><command>Resize All Columns</command></entry>
<entry></entry>
<entry><para>
Resize all column widths so the content will fit into them.
</para>
<note><title>Note!</title><para>
Resizing may take a significant amount of time, especially if a
large capture file is loaded.
</para></note>
</entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Expand Subtrees</command></entry>
<entry></entry>
<entry><para>
This menu item expands the currently selected subtree in the
packet details tree.
</para></entry>
</row>
<row>
<entry><command>Expand All</command></entry>
<entry></entry>
<entry><para>
Wireshark keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a packet.
This menu item expands all subtrees in all packets in
the capture.
</para></entry>
</row>
<row>
<entry><command>Collapse All</command></entry>
<entry></entry>
<entry><para>
This menu item collapses the tree view of all packets
in the capture list.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Coloring Conversation</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a submenu that allows you
to color packets in the packet list pane based
on the addresses of the currently selected packet.
This makes it easy to distinguish packets
belonging to different conversations.
See <xref linkend="ChCustColorizationSection"/>.
</para></entry>
</row>
<row>
<entry><command>Coloring Conversation > Color 1-10</command></entry>
<entry></entry>
<entry><para>
These menu items enable one of the ten temporary color
filters based on the currently selected conversation.
</para></entry>
</row>
<row>
<entry><command>Coloring Conversation > Reset coloring</command></entry>
<entry></entry>
<entry><para>
This menu item clears all temporary coloring rules.
</para></entry>
</row>
<row>
<entry><command>Coloring Conversation > New Coloring Rule...</command></entry>
<entry></entry>
<entry><para>
This menu item opens a dialog window in which a new
permanent coloring rule can be created based on the
currently selected conversation.
</para></entry>
</row>
<row>
<entry><command>Coloring Rules...</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets, see
<xref linkend="ChCustColorizationSection"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Show Packet in New Window</command></entry>
<entry></entry>
<entry><para>
This menu item brings up the selected packet in a
separate window. The separate window shows only the
tree view and byte view panes.
</para></entry>
</row>
<row>
<entry><command>Reload</command></entry>
<entry>Ctrl+R</entry>
<entry><para>
This menu item allows you to reload the current
capture file.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseGoMenuSection"><title>The "Go" menu</title>
<para>
The Wireshark Go menu contains the fields shown in
<xref linkend="ChUseTabGo"/>.
</para>
<figure id="ChUseWiresharkGoMenu">
<title>The "Go" Menu</title>
<graphic entityref="WiresharkGoMenu" format="PNG"/>
</figure>
<table id="ChUseTabGo" frame="none">
<title>Go menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Back</command></entry>
<entry>Alt+Left</entry>
<entry><para>
Jump to the recently visited packet in the packet
history, much like the page history in a web browser.
</para></entry>
</row>
<row>
<entry><command>Forward</command></entry>
<entry>Alt+Right</entry>
<entry><para>
Jump to the next visited packet in the packet
history, much like the page history in a web browser.
</para></entry>
</row>
<row>
<entry><command>Go to Packet...</command></entry>
<entry>Ctrl+G</entry>
<entry><para>
Bring up a dialog box that allows you
to specify a packet number, and then go to that packet. See
<xref linkend="ChWorkGoToPacketSection"/> for details.
</para></entry>
</row>
<row>
<entry><command>Go to Corresponding Packet</command></entry>
<entry></entry>
<entry><para>
Go to the corresponding packet of the currently
selected protocol field. If the selected field doesn't correspond
to a packet, this item is greyed out.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Previous Packet</command></entry>
<entry>Ctrl+Up</entry>
<entry><para>
Move to the previous packet in the list. This can be
used to move to the previous packet even if the packet
list doesn't have keyboard focus.
</para></entry>
</row>
<row>
<entry><command>Next Packet</command></entry>
<entry>Ctrl+Down</entry>
<entry><para>
Move to the next packet in the list. This can be
used to move to the next packet even if the packet
list doesn't have keyboard focus.
</para></entry>
</row>
<row>
<entry><command>First Packet</command></entry>
<entry></entry>
<entry><para>
Jump to the first packet of the capture file.
</para></entry>
</row>
<row>
<entry><command>Last Packet</command></entry>
<entry></entry>
<entry><para>
Jump to the last packet of the capture file.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseCaptureMenuSection"><title>The "Capture" menu</title>
<para>
The Wireshark Capture menu contains the fields shown in
<xref linkend="ChUseTabCap"/>.
</para>
<figure id="ChUseWiresharkCaptureMenu">
<title>The "Capture" Menu</title>
<graphic entityref="WiresharkCaptureMenu" format="PNG"/>
</figure>
<table id="ChUseTabCap" frame="none">
<title>Capture menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Interfaces...</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a dialog box that shows what's going on
at the network interfaces Wireshark knows of (see
<xref linkend="ChCapInterfaceSection"/>).
</para></entry>
</row>
<row>
<entry><command>Options...</command></entry>
<entry>Ctrl+K</entry>
<entry><para>
This menu item brings up the Capture Options
dialog box (discussed further in
<xref linkend="ChCapCaptureOptions"/>) and allows you to
start capturing packets.
</para></entry>
</row>
<row>
<entry><command>Start</command></entry>
<entry></entry>
<entry><para>
Immediately start capturing packets with the same settings as
the last time.
</para></entry>
</row>
<row>
<entry><command>Stop</command></entry>
<entry>Ctrl+E</entry>
<entry><para>
This menu item stops the currently running capture (see
<xref linkend="ChCapStopSection"/>).
</para></entry>
</row>
<row>
<entry><command>Restart</command></entry>
<entry></entry>
<entry><para>
This menu item stops the currently running capture and starts
again with the same options; this is just for convenience.
</para></entry>
</row>
<row>
<entry><command>Capture Filters...</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a dialog box that allows you to
create and edit capture filters. You can name filters,
and you can save them for future use. More detail on
this subject is provided in
<xref linkend="ChWorkDefineFilterSection"/>.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseAnalyzeMenuSection"><title>The "Analyze" menu</title>
<para>
The Wireshark Analyze menu contains the fields shown in
<xref linkend="ChUseAnalyze"/>.
</para>
<figure id="ChUseWiresharkAnalyzeMenu">
<title>The "Analyze" Menu</title>
<graphic entityref="WiresharkAnalyzeMenu" format="PNG"/>
</figure>
<table id="ChUseAnalyze" frame="none"><title>Analyze menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Display Filters...</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a dialog box that allows you
to create and edit display filters. You can name
filters, and you can save them for future use. More
detail on this subject is provided in
<xref linkend="ChWorkDefineFilterSection"/>.
</para></entry>
</row>
<row>
<entry><command>Apply as Filter > ...</command></entry>
<entry></entry>
<entry><para>
These menu items will change the current display filter and apply
the changed filter immediately. Depending on the chosen menu item,
the current display filter string will be replaced or appended to
by the selected protocol field in the packet details pane.
</para></entry>
</row>
<row>
<entry><command>Prepare a Filter > ...</command></entry>
<entry></entry>
<entry><para>
These menu items will change the current display filter but won't
apply the changed filter. Depending on the chosen menu item,
the current display filter string will be replaced or appended to
by the selected protocol field in the packet details pane.
</para></entry>
</row>
<row>
<entry><command>Firewall ACL Rules</command></entry>
<entry></entry>
<entry><para>
This allows you to create command-line ACL rules for many different
firewall products, including Cisco IOS, Linux Netfilter (iptables),
OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses,
IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are
supported.
</para><para>
It is assumed that the rules will be applied to an outside interface.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Enabled Protocols...</command></entry>
<entry>Shift+Ctrl+R</entry>
<entry><para>
This menu item allows the user to enable/disable protocol
dissectors, see <xref linkend="ChAdvEnabledProtocols"/>.
</para></entry>
</row>
<row>
<entry><command>Decode As...</command></entry>
<entry></entry>
<entry><para>
This menu item allows the user to force Wireshark to
decode certain packets as a particular protocol, see
<xref linkend="ChAdvDecodeAs"/>.
</para></entry>
</row>
<row>
<entry><command>User Specified Decodes...</command></entry>
<entry></entry>
<entry><para>
This menu item allows the user to force Wireshark to
decode certain packets as a particular protocol, see
<xref linkend="ChAdvDecodeAsShow"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Follow TCP Stream</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a separate window and displays
all the TCP segments captured that are on the same TCP
connection as a selected packet, see
<xref linkend="ChAdvFollowTCPSection"/>.
</para></entry>
</row>
<row>
<entry><command>Follow UDP Stream</command></entry>
<entry></entry>
<entry><para>
Same functionality as "Follow TCP Stream" but
for UDP streams.
</para></entry>
</row>
<row>
<entry><command>Follow SSL Stream</command></entry>
<entry></entry>
<entry><para>
Same functionality as "Follow TCP Stream" but for SSL streams.
XXX - how to provide the SSL keys?
</para></entry>
</row>
<row>
<entry><command>Expert Info</command></entry>
<entry></entry>
<entry><para>
Open a dialog showing some expert information about the captured
packets in a log style display.
The amount of information will depend on the protocol and varies
from very detailed to nonexistent. This is currently a work in
progress. XXX - add a new section about this and link from here
</para></entry>
</row>
<row>
<entry><command>Expert Info Composite</command></entry>
<entry></entry>
<entry><para>
Same information as in "Expert Info" but trying to group items
together for faster analysis.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseStatisticsMenuSection"><title>The "Statistics" menu</title>
<para>
The Wireshark Statistics menu contains the fields shown in
<xref linkend="ChUseStatistics"/>.
</para>
<figure id="ChUseWiresharkStatisticsMenu">
<title>The "Statistics" Menu</title>
<graphic entityref="WiresharkStatisticsMenu" format="PNG"/>
</figure>
<para>
All menu items will bring up a new window showing specific statistical
information.
</para>
<table id="ChUseStatistics" frame="none">
<title>Statistics menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Summary</command></entry>
<entry></entry>
<entry><para>
Show information about the data captured, see <xref
linkend="ChStatSummary"/>.
</para></entry>
</row>
<row>
<entry><command>Protocol Hierarchy</command></entry>
<entry></entry>
<entry><para>
Display a hierarchical tree of protocol statistics, see <xref
linkend="ChStatHierarchy"/>.
</para></entry>
</row>
<row>
<entry><command>Conversations</command></entry>
<entry></entry>
<entry><para>
Display a list of conversations (traffic between two endpoints),
see <xref linkend="ChStatConversationsWindow"/>.
</para></entry>
</row>
<row>
<entry><command>Endpoints</command></entry>
<entry></entry>
<entry><para>
Display a list of endpoints (traffic to/from an address), see
<xref linkend="ChStatEndpointsWindow"/>.
</para></entry>
</row>
<row>
<entry><command>IO Graphs</command></entry>
<entry></entry>
<entry><para>
Display user specified graphs (e.g. the number of packets in the
course of time), see <xref linkend="ChStatIOGraphs"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>Conversation List</command></entry>
<entry></entry>
<entry><para>
Display a list of conversations, obsoleted by the combined window
of Conversations above, see
<xref linkend="ChStatConversationListWindow"/>.
</para></entry>
</row>
<row>
<entry><command>Endpoint List</command></entry>
<entry></entry>
<entry><para>
Display a list of endpoints, obsoleted by the combined window
of Endpoints above, see
<xref linkend="ChStatEndpointListWindow"/>.
</para></entry>
</row>
<row>
<entry><command>Service Response Time</command></entry>
<entry></entry>
<entry><para>
Display the time between a request and the corresponding response, see
<xref linkend="ChStatSRT"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>ANSI</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>GSM</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>H.225...</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>ISUP Message Types</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>MTP3</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>RTP</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>SCTP</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>SIP</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>VoIP Calls...</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>WAP-WSP...</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>BOOTP-DHCP</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>HTTP</command></entry>
<entry></entry>
<entry><para>HTTP request/response statistics, see <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>ISUP Messages</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>ONC-RPC Programs</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
<row>
<entry><command>TCP Stream Graph</command></entry>
<entry></entry>
<entry><para>See <xref linkend="ChStatXXX"/></para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseHelpMenuSection"><title>The "Help" menu</title>
<para>
The Wireshark Help menu contains the fields shown in
<xref linkend="ChUseHelp"/>.
</para>
<figure id="ChUseWiresharkHelpMenu">
<title>The "Help" Menu</title>
<graphic entityref="WiresharkHelpMenu" format="PNG"/>
</figure>
<table id="ChUseHelp" frame="none">
<title>Help menu items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Menu Item</entry>
<entry>Accelerator</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>Contents</command></entry>
<entry>F1</entry>
<entry><para>
This menu item brings up a basic help system.
</para></entry>
</row>
<row>
<entry><command>Supported Protocols</command></entry>
<entry></entry>
<entry><para>
This menu item brings up a dialog box showing the supported
protocols and protocol fields.
</para></entry>
</row>
<row>
<entry><command>Manual Pages > ...</command></entry>
<entry></entry>
<entry><para>
This menu item starts a Web browser showing one of the locally
installed HTML manual pages.
</para></entry>
</row>
<row>
<entry><command>Wireshark Online > ...</command></entry>
<entry></entry>
<entry><para>
This menu item starts a Web browser showing the chosen
webpage from:
<ulink url="&WiresharkWebSite;">&WiresharkWebSite;</ulink>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><command>About Wireshark</command></entry>
<entry></entry>
<entry><para>
This menu item brings up an information window that
provides some information on Wireshark, such as the plugins, the
used folders, ...
</para></entry>
</row>
</tbody>
</tgroup>
</table>
<note><title>Note!</title>
<para>
Calling a Web browser might be unsupported in your version of Wireshark.
If this is the case, the corresponding menu items will be hidden.
</para>
</note>
<note><title>Note!</title>
<para>
If calling a Web browser fails on your machine (for example, nothing
happens, or the browser is started but no page is shown), have a look at the
web browser setting in the preferences dialog.
</para>
</note>
</section>
<section id="ChUseMainToolbarSection"><title>The "Main" toolbar</title>
<para>
The main toolbar provides quick access to frequently used items from the
menu. This toolbar cannot be customized by the user, but it can be hidden
using the View menu, if the space on the screen is needed to show even
more packet data.
</para>
<para>
As in the menu, only the items useful in the current program state will
be available. The others will be greyed out (e.g. you cannot save a capture
file if you haven't loaded one).
<figure id="ChUseWiresharkMainToolbar">
<title>The "Main" toolbar</title>
<graphic entityref="WiresharkMainToolbar" format="PNG"/>
</figure>
</para>
<table id="ChUseMainToolbar" frame="none">
<title>Main toolbar items</title>
<tgroup cols="4">
<colspec colnum="1" colwidth="40pt"/>
<colspec colnum="2" colwidth="80pt"/>
<colspec colnum="3" colwidth="80pt"/>
<thead>
<row>
<entry>Toolbar Icon</entry>
<entry>Toolbar Item</entry>
<entry>Corresponding Menu Item</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureInterfaces" format="PNG"/></entry>
<entry><command>Interfaces...</command></entry>
<entry>Capture/Interfaces...</entry>
<entry><para>
This item brings up the Capture Interfaces List
dialog box (discussed further in
<xref linkend="ChCapCapturingSection"/>).
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureOptions" format="PNG"/></entry>
<entry><command>Options...</command></entry>
<entry>Capture/Options...</entry>
<entry><para>
This item brings up the Capture Options
dialog box (discussed further in
<xref linkend="ChCapCapturingSection"/>) and allows you to
start capturing packets.
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureStart" format="PNG"/></entry>
<entry><command>Start</command></entry>
<entry>Capture/Start</entry>
<entry><para>
This item starts capturing packets with the options from
the last time.
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureStop" format="PNG"/></entry>
<entry><command>Stop</command></entry>
<entry>Capture/Stop</entry>
<entry><para>
This item stops the currently running live capture process (see
<xref linkend="ChCapCapturingSection"/>).
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureRestart" format="PNG"/></entry>
<entry><command>Restart</command></entry>
<entry>Capture/Restart</entry>
<entry><para>
This item stops the currently running live capture process
and restarts it again, for convenience.
</para>
</entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarOpen" format="PNG"/></entry>
<entry><command>Open...</command></entry>
<entry>File/Open...</entry>
<entry><para>
This item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in <xref linkend="ChIOOpen"/>.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarSaveAs" format="PNG"/></entry>
<entry><command>Save As...</command></entry>
<entry>File/Save As...</entry>
<entry><para>
This item allows you to save the current capture file to whatever
file you would like. It pops up the Save Capture File As dialog
box (which is discussed further in <xref linkend="ChIOSaveAs"/>).
</para>
<note><title>Note!</title>
<para>
If you currently have a temporary capture file, the Save icon
<inlinegraphic entityref="WiresharkToolbarSave" format="PNG"/> will be
shown instead.
</para></note>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarClose" format="PNG"/></entry>
<entry><command>Close</command></entry>
<entry>File/Close</entry>
<entry><para>
This item closes the current capture. If you
have not saved the capture, you will be asked to save it first.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarReload" format="PNG"/></entry>
<entry><command>Reload</command></entry>
<entry>View/Reload</entry>
<entry><para>
This item allows you to reload the current capture file.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarPrint" format="PNG"/></entry>
<entry><command>Print...</command></entry>
<entry>File/Print...</entry>
<entry><para>
This item allows you to print all (or some of) the packets in
the capture file. It pops up the Wireshark Print dialog
box (which is discussed further in
<xref linkend="ChIOPrintSection"/>).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarFind" format="PNG"/></entry>
<entry><command>Find Packet...</command></entry>
<entry>Edit/Find Packet...</entry>
<entry><para>
This item brings up a dialog box that allows you
to find a packet. There is further information on finding packets
in <xref linkend="ChWorkFindPacketSection"/>.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarGoBack" format="PNG"/></entry>
<entry><command>Go Back</command></entry>
<entry>Go/Go Back</entry>
<entry><para>
This item jumps back in the packet history.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarGoForward" format="PNG"/></entry>
<entry><command>Go Forward</command></entry>
<entry>Go/Go Forward</entry>
<entry><para>
This item jumps forward in the packet history.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarGoTo" format="PNG"/></entry>
<entry><command>Go to Packet...</command></entry>
<entry>Go/Go to Packet...</entry>
<entry><para>
This item brings up a dialog box that allows you
to specify a packet number to go to that packet.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarGoFirst" format="PNG"/></entry>
<entry><command>Go To First Packet</command></entry>
<entry>Go/First Packet</entry>
<entry><para>
This item jumps to the first packet of the capture file.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarGoLast" format="PNG"/></entry>
<entry><command>Go To Last Packet</command></entry>
<entry>Go/Last Packet</entry>
<entry><para>
This item jumps to the last packet of the capture file.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarColorize" format="PNG"/></entry>
<entry><command>Colorize</command></entry>
<entry>View/Colorize</entry>
<entry><para>
Colorize the packet list (or not).
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarAutoScroll" format="PNG"/></entry>
<entry><command>Auto Scroll in Live Capture</command></entry>
<entry>View/Auto Scroll in Live Capture</entry>
<entry><para>
Auto scroll packet list while doing a live capture (or not).
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarZoomIn" format="PNG"/></entry>
<entry><command>Zoom In</command></entry>
<entry>View/Zoom In</entry>
<entry><para>
Zoom into the packet data (increase the font size).
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarZoomOut" format="PNG"/></entry>
<entry><command>Zoom Out</command></entry>
<entry>View/Zoom Out</entry>
<entry><para>
Zoom out of the packet data (decrease the font size).
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarZoom100" format="PNG"/></entry>
<entry><command>Normal Size</command></entry>
<entry>View/Normal Size</entry>
<entry><para>
Set zoom level back to 100%.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarResizeColumns" format="PNG"/></entry>
<entry><command>Resize Columns</command></entry>
<entry>View/Resize Columns</entry>
<entry><para>
Resize columns, so the content fits into them.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarCaptureFilters" format="PNG"/></entry>
<entry><command>Capture Filters...</command></entry>
<entry>Capture/Capture Filters...</entry>
<entry><para>
This item brings up a dialog box that allows you to
create and edit capture filters. You can name filters,
and you can save them for future use. More detail on
this subject is provided in
<xref linkend="ChWorkDefineFilterSection"/>.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
<entry><command>Display Filters...</command></entry>
<entry>Analyze/Display Filters...</entry>
<entry><para>
This item brings up a dialog box that allows you
to create and edit display filters. You can name
filters, and you can save them for future use. More
detail on this subject is provided in
<xref linkend="ChWorkDefineFilterSection"/>.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarColoringRules" format="PNG"/></entry>
<entry><command>Coloring Rules...</command></entry>
<entry>View/Coloring Rules...</entry>
<entry><para>
This item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets. More
detail on this subject is provided in
<xref linkend="ChCustColorizationSection"/>.
</para></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarPreferences" format="PNG"/></entry>
<entry><command>Preferences...</command></entry>
<entry>Edit/Preferences</entry>
<entry><para>
This item brings up a dialog box that allows
you to set preferences for many parameters that control
Wireshark. You can also save your preferences so Wireshark
will use them the next time you start it. More detail
is provided in <xref linkend="ChCustPreferencesSection"/>.
</para></entry>
</row>
<row>
<entry><command>------</command></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarHelp" format="PNG"/></entry>
<entry><command>Help</command></entry>
<entry>Help/Contents</entry>
<entry><para>
This item brings up the help dialog box.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="ChUseFilterToolbarSection"><title>The "Filter" toolbar</title>
<para>
The filter toolbar lets you quickly edit and apply display filters. More information on
display filters is available in <xref linkend="ChWorkDisplayFilterSection"/>.
<figure id="ChUseWiresharkFilterToolbar">
<title>The "Filter" toolbar</title>
<graphic entityref="WiresharkFilterToolbar" format="PNG"/>
</figure>
<table id="ChUseFilterToolbar" frame="none">
<title>Filter toolbar items</title>
<tgroup cols="3">
<colspec colnum="1" colwidth="40pt"/>
<colspec colnum="2" colwidth="80pt"/>
<thead>
<row>
<entry>Toolbar Icon</entry>
<entry>Toolbar Item</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><graphic entityref="WiresharkToolbarDisplayFilters" format="PNG"/></entry>
<entry><command>Filter:</command></entry>
<entry><para>
Brings up the filter construction dialog, described in <xref linkend="FiltersDialog"/>.
</para>
</entry>
</row>
<row>
<entry></entry>
<entry>Filter input</entry>
<entry>
<para>
The area to enter or edit a display filter string,
see <xref linkend="ChWorkBuildDisplayFilterSection"/>.
A syntax check of your filter string is done while you are typing.
The background will turn red if you enter an incomplete or invalid
string, and will become green when you enter a valid string. You can
click on the pull down arrow to select a previously-entered filter
string from a list. The entries in the pull down list will remain
available even after a program restart.
</para>
<note><title>Note!</title>
<para>
After you've changed something in this field, don't forget to press
the Apply button (or the Enter/Return key), to apply this filter
string to the display.
</para>
</note>
<note><title>Note!</title>
<para>
This field is also where the current filter in effect is displayed.
</para>
</note>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarAdd" format="PNG"/></entry>
<entry><command>Expression...</command></entry>
<entry><para>
The middle button labeled "Add Expression..." opens a dialog box that lets
you edit a display filter from a list of protocol fields, described in
<xref linkend="ChWorkFilterAddExpressionSection"/>.
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarClear" format="PNG"/></entry>
<entry><command>Clear</command></entry>
<entry><para>
Reset the current display filter and clear the edit area.
</para>
</entry>
</row>
<row>
<entry><graphic entityref="WiresharkToolbarApply" format="PNG"/></entry>
<entry><command>Apply</command></entry>
<entry><para>
Apply the current value in the edit area as the new display filter.
<note><title>Note!</title>
<para>
Applying a display filter on large capture files might take quite a long time!
</para>
</note>
</para>
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
</section>
<section id="ChUsePacketListPaneSection"><title>The "Packet List" pane</title>
<para>
The packet list pane displays all the packets in the current capture
file.
<figure id="ChUseWiresharkListPane">
<title>The "Packet List" pane</title>
<graphic entityref="WiresharkListPane" format="PNG"/>
</figure>
Each line in the packet list corresponds to one packet in the capture
file. If you select a line in this pane, more details will be displayed in
the "Packet Details" and "Packet Bytes" panes.
</para>
<para>
While dissecting a packet, Wireshark will place information from the
protocol dissectors into the columns. As higher level protocols might
overwrite information from lower levels, you will typically see the
information from the highest possible level only.
</para>
<para>
For example, let's look at a packet containing TCP inside IP inside
an Ethernet packet. The Ethernet dissector will write its data (such as
the Ethernet addresses), the IP dissector will overwrite this by its own
(such as the IP addresses), the TCP dissector will overwrite the IP
information, and so on.
</para>
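<para>
The column overwriting described above, as an added example that is not
Wireshark's own code: a small Python dissector chain run over a constructed
Ethernet/IPv4/TCP frame, recording the columns after each layer. The function
names, the sample frame and the way a truncated header is flagged are
assumptions made for this illustration.
</para>
<programlisting><![CDATA[
```python
"""Layered dissection with column overwriting (illustrative, not Wireshark code)."""
import socket
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP SYN, checksums left at zero.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # dst MAC, src MAC, ethertype IPv4
    "4500" "0028" "0001" "0000" "4006" "0000"      # IPv4 header, TTL 64, protocol 6
    "c0a80001" "c0a80002"                          # 192.168.0.1 to 192.168.0.2
    "c0de" "0050" "00000001" "00000000"            # ports 49374 and 80, seq 1, ack 0
    "5002" "2000" "0000" "0000"                    # data offset 5, SYN, window 8192
)

TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
             (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect_ethernet(data, cols):
    if len(data) < 14:
        raise ValueError("Ethernet")
    ethertype = struct.unpack("!H", data[12:14])[0]
    cols.update(Source=_mac(data[6:12]), Destination=_mac(data[0:6]),
                Protocol="Ethernet", Info=f"Ethertype 0x{ethertype:04x}")
    return ETHERTYPES.get(ethertype), data[14:]


def dissect_ipv4(data, cols):
    if len(data) < 20:
        raise ValueError("IPv4")
    ihl = (data[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(data) < ihl:
        raise ValueError("IPv4")
    proto = data[9]
    # The IP layer replaces the Ethernet addresses written one layer below.
    cols.update(Source=socket.inet_ntoa(data[12:16]),
                Destination=socket.inet_ntoa(data[16:20]),
                Protocol="IPv4", Info=f"IP protocol {proto}")
    return IP_PROTOCOLS.get(proto), data[ihl:]


def dissect_tcp(data, cols):
    if len(data) < 20:
        raise ValueError("TCP")
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", data[:16])
    flags = ", ".join(name for bit, name in TCP_FLAGS if off_flags & bit)
    # TCP has no addresses of its own, so Source/Destination stay as IP wrote them.
    cols.update(Protocol="TCP",
                Info=f"{sport} > {dport} [{flags}] Seq={seq} Win={window}")
    return None, data[(off_flags >> 12) * 4:]


# Hand-off tables: which dissector handles the payload of the current layer.
ETHERTYPES = {0x0800: dissect_ipv4}
IP_PROTOCOLS = {6: dissect_tcp}


def dissect(frame):
    """Run the dissector chain; return (final columns, snapshot after each layer)."""
    cols = {"Source": "", "Destination": "", "Protocol": "", "Info": ""}
    history = []
    dissector, rest = dissect_ethernet, frame
    while dissector is not None:
        try:
            dissector, rest = dissector(rest, cols)
        except ValueError as err:
            # Choice made for this example: keep the lower layer's columns
            # and flag the layer whose header was truncated or inconsistent.
            cols["Info"] = f"[Malformed {err} header]"
            dissector = None
        history.append(dict(cols))
    return cols, history


if __name__ == "__main__":
    final, snapshots = dissect(FRAME)
    for layer_number, snapshot in enumerate(snapshots, start=1):
        print(layer_number, snapshot)
```
]]></programlisting>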
<para>
There are a lot of different columns available. Which columns are
displayed can be selected by preference settings, see
<xref linkend="ChCustPreferencesSection"/>.
</para>
<para>
The default columns will show:
<itemizedlist>
<listitem>
<para><command>No.</command>
The number of the packet in the capture file. This number won't change,
even if a display filter is used.
</para>
</listitem>
<listitem>
<para><command>Time</command>
The timestamp of the packet. The presentation format of this timestamp
can be changed, see <xref linkend="ChWorkTimeFormatsSection"/>.
</para>
</listitem>
<listitem>
<para><command>Source</command>
The address where this packet is coming from.
</para>
</listitem>
<listitem>
<para><command>Destination</command>
The address where this packet is going to.
</para>
</listitem>
<listitem>
<para><command>Protocol</command>
The protocol name in a short (perhaps abbreviated) version.
</para>
</listitem>
<listitem>
<para><command>Info</command>
Additional information about the packet content.
</para>
</listitem>
</itemizedlist>
</para>
<para>
There is a context menu (right mouse click) available, see details in
<xref linkend="ChWorkPacketListPanePopUpMenu"/>.
</para>
</section>
<section id="ChUsePacketDetailsPaneSection"><title>The "Packet Details" pane</title>
<para>
The packet details pane shows the current packet (selected in the "Packet List"
pane) in a more detailed form.
<figure id="ChUseWiresharkDetailsPane">
<title>The "Packet Details" pane</title>
<graphic entityref="WiresharkDetailsPane" format="PNG"/>
</figure>
</para>
<para>
This pane shows the protocols and protocol fields of the packet selected
in the "Packet List" pane. The protocols and fields of the packet are
displayed using a tree, which can be expanded and collapsed.
</para>
<para>
There is a context menu (right mouse click) available, see details in
<xref linkend="ChWorkPacketDetailsPanePopUpMenu"/>.
</para>
<para>
Some protocol fields are specially displayed.
</para>
<itemizedlist>
<listitem>
<para>
<command>Generated fields</command>
Wireshark itself will generate additional protocol fields which are
surrounded by brackets. The information in these fields is derived from the
known context of other packets in the capture file. For example, Wireshark
performs a sequence/acknowledge analysis of each TCP stream,
which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
</para>
</listitem>
<listitem>
<para>
<command>Links</command>
If Wireshark detected a relationship to another packet in the capture file,
it will generate a link to that packet. Links are underlined and displayed
in blue. If double-clicked, Wireshark jumps to the corresponding packet.
</para>
</listitem>
</itemizedlist>
</section>
<section id="ChUsePacketBytesPaneSection"><title>The "Packet Bytes" pane</title>
<para>
The packet bytes pane shows the data of the current packet (selected in the "Packet List"
pane) in a hexdump style.
<figure id="ChUseWiresharkBytesPane">
<title>The "Packet Bytes" pane</title>
<graphic entityref="WiresharkBytesPane" format="PNG"/>
</figure>
</para>
<para>
As usual for a hexdump, the left side shows the offset in the packet data,
the middle shows the packet data in hexadecimal representation, and
the right side shows the corresponding ASCII characters (or . where a byte
has no printable ASCII character).
</para>
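<para>
The following added example (not part of the original guide or of Wireshark's
own code) renders bytes in this three-column layout and rebuilds the bytes from
a pasted dump, rejecting dumps with missing lines. The exact column widths, the
function names and the ARP frame are assumptions constructed for illustration.
</para>
<programlisting>
```python
BYTES_PER_LINE = 16
HEX_WIDTH = 48  # assumed layout: 16 two-digit cells, extra gap after byte 8
PRINTABLE = range(0x20, 0x7f)

# Constructed ARP request: 14-byte Ethernet header + 28-byte ARP body.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"
    "0001" "0800" "06" "04" "0001"
    "001122334455" "c0a80001" "000000000000" "c0a80002")

def render(data: bytes) -> str:
    """Format bytes as offset, hex and ASCII columns ('.' if not printable)."""
    lines = []
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        cells = [f"{b:02x}" for b in chunk]
        hexpart = " ".join(cells[:8]) + "  " + " ".join(cells[8:])
        text = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart.ljust(HEX_WIDTH)}   {text}")
    return "\n".join(lines)

def parse(dump: str) -> bytes:
    """Rebuild bytes from the hex column only; the ASCII column is lossy."""
    out = bytearray()
    for number, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        offset_text = line.split(None, 1)[0]
        offset = int(offset_text, 16)
        # A gap or repeat in the offsets means lines were lost or reordered.
        if offset != len(out):
            raise ValueError(f"line {number}: offset {offset:#x}, "
                             f"expected {len(out):#x}")
        start = len(offset_text) + 2
        # Slice by column so ASCII text such as "de ad" is never read as hex.
        out += bytes.fromhex(line[start:start + HEX_WIDTH])
    return bytes(out)

def arp_opcode(frame: bytes) -> int:
    """Return the 16-bit ARP opcode at bytes 20-21 of an Ethernet frame."""
    return int.from_bytes(frame[20:22], "big")

if __name__ == "__main__":
    dump = render(ARP_FRAME)
    print(dump)
    print("arp.opcode =", arp_opcode(parse(dump)))
```
</programlisting>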
<para>
Depending on the packet data, sometimes more than one page is available,
e.g. when Wireshark has reassembled some packets into a single chunk of
data (see <xref linkend="ChAdvReassemblySection"/>). In this case,
additional tabs are shown at the bottom of the pane to let you select
the page you want to see.
<figure id="ChUseWiresharkBytesPaneTabs">
<title>The "Packet Bytes" pane with tabs</title>
<graphic entityref="WiresharkBytesPaneTabs" format="PNG"/>
</figure>
</para>
<note><title>Note!</title>
<para>
The additional pages might contain data picked from multiple packets.
</para>
</note>
<para>
The context menu (right mouse click) of the tab labels will show a list of
all available pages. This can be helpful if the pane is too
small to show all the tab labels.
</para>
</section>
<section id="ChUseStatusbarSection"><title>The Statusbar</title>
<para>
The statusbar displays informational messages.
</para>
<para>
In general, the left side will show context-related information, while the
right side will show the current number of packets.
</para>
<para>
<figure id="ChUseWiresharkStatusbarEmpty">
<title>The initial Statusbar</title>
<graphic entityref="WiresharkStatusbarEmpty" format="PNG"/>
</figure>
This statusbar is shown while no capture file is loaded, e.g. when
Wireshark is started.
</para>
<para>
<figure id="ChUseWiresharkStatusbarLoaded">
<title>The Statusbar with a loaded capture file</title>
<graphic entityref="WiresharkStatusbarLoaded" format="PNG"/>
</figure>
The left side shows information about the capture file: its
name, its size and the time elapsed while it was being captured.
</para>
<para>
The right side shows the current number of packets in the
capture file. The following values are displayed:
<itemizedlist mark="bullet">
<listitem>
<para><emphasis>P:</emphasis> the number of captured packets</para>
</listitem>
<listitem>
<para><emphasis>D:</emphasis> the number of packets currently being
displayed</para>
</listitem>
<listitem>
<para><emphasis>M:</emphasis> the number of marked packets</para>
</listitem>
</itemizedlist>
</para>
<para>
<figure id="ChUseWiresharkStatusbarSelected">
<title>The Statusbar with a selected protocol field</title>
<graphic entityref="WiresharkStatusbarSelected" format="PNG"/>
</figure>
This is displayed if you have selected a protocol field from the
"Packet Details" pane.
</para>
<tip><title>Tip!</title>
<para>
The value between the brackets (in this example
<command>arp.opcode</command>) can be used as a display filter string,
representing the selected protocol field.
</para>
</tip>
</section>
</chapter>
<!-- End of WSUG Chapter 3 -->