TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags

[wireshark-sm.git] / doc / wsug_src / wsug_use.adoc

// WSUG User Interface Chapter

[#ChapterUsing]

== User Interface

[#ChUseIntroductionSection]

=== Introduction

By now you have installed Wireshark and are likely keen to get started
capturing your first packets. In the next chapters we will explore:

* How the Wireshark user interface works
* How to capture packets in Wireshark
* How to view packets in Wireshark
* How to filter packets in Wireshark
* ... and many other things!

[#ChUseStartSection]

=== Start Wireshark

You can start Wireshark from your shell or window manager.

[TIP]
.Power user tip
====
When starting Wireshark it’s possible to specify optional settings using the
command line. See <<ChCustCommandLine>> for details.
====

The following chapters contain many screenshots of Wireshark. As
Wireshark runs on many different platforms with many different window managers,
different styles applied and there are different versions of the underlying GUI
toolkit used, your screen might look different from the provided screenshots.
But as there are no real differences in functionality these screenshots should
still be well understandable.

[#ChUseMainWindowSection]

=== The Main window

Let’s look at Wireshark’s user interface. <<ChUseFig01>> shows Wireshark as you
would usually see it after some packets are captured or loaded (how to do this
will be described later).

[#ChUseFig01]
.The Main window
image::images/ws-main.png[{screenshot-attrs}]

Wireshark’s main window consists of parts that are commonly known from many
other GUI programs.

. The _menu_ (see <<ChUseMenuSection>>) is used to start actions.
. The _main toolbar_ (see <<ChUseMainToolbarSection>>) provides quick access to
  frequently used items from the menu.
. The _filter toolbar_ (see <<ChUseFilterToolbarSection>>) allows users to
  set _display filters_ to filter which packets are displayed (see
  <<ChWorkDisplayFilterSection>>).
. The _packet list pane_ (see <<ChUsePacketListPaneSection>>) displays a summary
  of each packet captured. By clicking on packets in this pane you control what is
  displayed in the other two panes.
. The _packet details pane_ (see <<ChUsePacketDetailsPaneSection>>) displays the
  packet selected in the packet list pane in more detail.
. The _packet bytes pane_ (see <<ChUsePacketBytesPaneSection>>) displays the
  data from the packet selected in the packet list pane, and highlights the field
  selected in the packet details pane.
. The _packet diagram pane_ (see <<ChUsePacketDiagramPaneSection>>) displays the
  packet selected in the packet list as a textbook-style diagram.
. The _statusbar_ (see <<ChUseStatusbarSection>>) shows some detailed
  information about the current program state and the captured data.

[TIP]
====
The layout of the main window can be customized by changing preference settings.
See <<ChCustPreferencesSection>> for details.
====

[#ChUseMainWindowNavSection]

==== Main Window Navigation

Packet list and detail navigation can be done entirely from the keyboard.
<<ChUseTabNav>> shows a list of keystrokes that will let you quickly move around
a capture file. See <<ChUseTabGo>> for additional navigation keystrokes.

[#ChUseTabNav]
.Keyboard Navigation
[options="header",cols="1,3"]
|===
|Accelerator               |Description
|kbd:[Tab] or kbd:[Shift+Tab]|Move between screen elements, e.g., from the toolbars to the packet list to the packet detail.
|kbd:[↓]                   |Move to the next packet or detail item.
|kbd:[↑]                   |Move to the previous packet or detail item.
|kbd:[Ctrl+↓] or kbd:[F8]  |Move to the next packet, even if the packet list isn’t focused.
|kbd:[Ctrl+↑] or kbd:[F7]  |Move to the previous packet, even if the packet list isn’t focused.
|kbd:[Ctrl+.]              |Move to the next packet of the conversation (TCP, UDP or IP).
|kbd:[Ctrl+&#44;]          |Move to the previous packet of the conversation (TCP, UDP or IP).
|kbd:[Alt+→] or kbd:[Option+→] (macOS) |Move to the next packet in the selection history.
|kbd:[Alt+←] or kbd:[Option+←] (macOS)  |Move to the previous packet in the selection history.
|kbd:[←]                   |In the packet detail, closes the selected tree item. If it’s already closed, jumps to the parent node.
|kbd:[→]                   |In the packet detail, opens the selected tree item.
|kbd:[Shift+→]             |In the packet detail, opens the selected tree item and all of its subtrees.
|kbd:[Ctrl+→]              |In the packet detail, opens all tree items.
|kbd:[Ctrl+←]              |In the packet detail, closes all tree items.
|kbd:[Backspace]           |In the packet detail, jumps to the parent node.
|kbd:[Return] or kbd:[Enter] |In the packet detail, toggles the selected tree item.
|===

menu:Help[About Wireshark,Keyboard Shortcuts] will show a list of all shortcuts
in the main window. Additionally, typing anywhere in the main window will start
filling in a display filter.

[#ChUseMenuSection]

=== The Menu

Wireshark’s main menu is located either at the top of the main window (Windows,
Linux) or at the top of your main screen (macOS). An example is shown in
<<ChUseWiresharkMenu>>.

[NOTE]
====
Some menu items will be disabled (greyed out) if the corresponding feature isn’t
available. For example, you cannot save a capture file if you haven’t captured
or loaded any packets.
====

[#ChUseWiresharkMenu]
.The Menu
image::images/ws-menu.png[{screenshot-attrs}]

The main menu contains the following items:

menu:File[]::
This menu contains items to open and merge capture files, save, print, or export
capture files in whole or in part, and to quit the Wireshark application. See
<<ChUseFileMenuSection>>.

menu:Edit[]::
This menu contains items to find a packet, time reference or mark one or more
packets, handle configuration profiles, and set your preferences; (cut, copy,
and paste are not presently implemented). See <<ChUseEditMenuSection>>.

menu:View[]::
This menu controls the display of the captured data, including colorization of
packets, zooming the font, showing a packet in a separate window, expanding and
collapsing trees in packet details, .... See <<ChUseViewMenuSection>>.

menu:Go[]::
This menu contains items to go to a specific packet. See <<ChUseGoMenuSection>>.

menu:Capture[]::
This menu allows you to start and stop captures and to edit capture filters. See
<<ChUseCaptureMenuSection>>.

menu:Analyze[]::
This menu contains items to manipulate display filters, enable or disable the
dissection of protocols, configure user specified decodes and follow a TCP
stream. See <<ChUseAnalyzeMenuSection>>.

menu:Statistics[]::
This menu contains items to display various statistic windows, including a
summary of the packets that have been captured, display protocol hierarchy
statistics and much more. See <<ChUseStatisticsMenuSection>>.

menu:Telephony[]::
This menu contains items to display various telephony related statistic windows,
including a media analysis, flow diagrams, display protocol hierarchy statistics
and much more. See <<ChUseTelephonyMenuSection>>.

menu:Wireless[]::
This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics.

menu:Tools[]::
This menu contains various tools available in Wireshark, such as creating
Firewall ACL Rules. See <<ChUseToolsMenuSection>>.

menu:Help[]::
This menu contains items to help the user, e.g., access to some basic help,
manual pages of the various command line tools, online access to some of the
webpages, and the usual about dialog. See <<ChUseHelpMenuSection>>.

Each of these menu items is described in more detail in the sections that follow.

[TIP]
.Shortcuts make life easier
====
Most common menu items have keyboard shortcuts. For example, you can
press the Control and the K keys together to open the
“Capture Options” dialog.
====

[#ChUseFileMenuSection]

=== The “File” Menu

The Wireshark file menu contains the fields shown in <<ChUseTabFile>>.

[#ChUseWiresharkFileMenu]
.The “File” Menu
image::images/ws-file-menu.png[{screenshot-attrs}]

[#ChUseTabFile]
.File menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                            |Accelerator |Description

|menu:Open...[]                       |kbd:[Ctrl+O]|
This shows the file open dialog box that allows you to load a
capture file for viewing. It is discussed in more detail in <<ChIOOpen>>.

|menu:Open Recent[]                   |            |
This lets you open recently opened capture files.
Clicking on one of the submenu items will open the corresponding capture file
directly.

|menu:Merge...[]                      |            |
This menu item lets you merge a capture file into the currently loaded one. It
is discussed in more detail in <<ChIOMergeSection>>.

|menu:Import from Hex Dump...[]       |            |
This menu item brings up the import file dialog box that allows you to import a
text file containing a hex dump into a new temporary capture. It is discussed in
more detail in <<ChIOImportSection>>.

|menu:Close[]                         |kbd:[Ctrl+W]|
This menu item closes the current capture. If you haven’t saved the capture, you
will be asked to do so first (this can be disabled by a preference setting).

|menu:Save[]                          |kbd:[Ctrl+S]|
This menu item saves the current capture. If you have not set a default capture
file name (perhaps with the -w <capfile> option), Wireshark pops up the
Save Capture File As dialog box (which is discussed further in <<ChIOSaveAs>>).

If you have already saved the current capture, this menu item will be greyed
out.

You cannot save a live capture while the capture is in progress. You must
stop the capture in order to save.

|menu:Save As...[]                    |kbd:[Shift+Ctrl+S]|
This menu item allows you to save the current capture file to whatever file you
would like. It pops up the Save Capture File As dialog box (which is discussed
further in <<ChIOSaveAs>>).

|menu:File Set[List Files]            ||
This menu item allows you to show a list of files in a file set. It pops up the
Wireshark List File Set dialog box (which is discussed further in
<<ChIOFileSetSection>>).

|menu:File Set[Next File]             ||
If the currently loaded file is part of a file set, jump to the next file in the
set. If it isn’t part of a file set or just the last file in that set, this item
is greyed out.

|menu:File Set[Previous File]         ||
If the currently loaded file is part of a file set, jump to the previous file in
the set. If it isn’t part of a file set or just the first file in that set, this
item is greyed out.

|menu:Export Specified Packets...[]                 ||
This menu item allows you to export all (or some) of the packets in the capture
file to file. It pops up the Wireshark Export dialog box (which is discussed
further in <<ChIOExportSection>>).

|menu:Export Packet Dissections...[]|kbd:[Ctrl+H]|
These menu items allow you to export the currently selected bytes in the packet
bytes pane to a text file in a number of formats including plain, CSV,
and XML. It is discussed further in <<ChIOExportSelectedDialog>>.

|menu:Export Objects[]           ||
These menu items allow you to export captured DICOM, FTP-DATA, HTTP, IMF, SMB,
or TFTP objects into local files. It pops up a corresponding object list
(which is discussed further in <<ChIOExportObjectsDialog>>)

|menu:Print...[]                      |kbd:[Ctrl+P]|
This menu item allows you to print all (or some) of the packets in the capture
file. It pops up the Wireshark Print dialog box (which is discussed further in
<<ChIOPrintSection>>).

|menu:Quit[]                          |kbd:[Ctrl+Q]|
This menu item allows you to quit from Wireshark. Wireshark will ask to save
your capture file if you haven’t previously saved it (this can be disabled by a
preference setting).

|===

[#ChUseEditMenuSection]

=== The “Edit” Menu

The Wireshark Edit menu contains the fields shown in <<ChUseTabEdit>>.

[#ChUseWiresharkEditMenu]
.The “Edit” Menu
image::images/ws-edit-menu.png[{screenshot-attrs}]

[#ChUseTabEdit]
.Edit menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                                    |Accelerator       |Description
|menu:Copy[]                                  ||
These menu items will copy the packet list, packet detail, or properties of
the currently selected packet to the clipboard.

|menu:Find Packet...[]                        |kbd:[Ctrl+F]      |
This menu item brings up a toolbar that allows you to find a packet by many
criteria. There is further information on finding packets in
<<ChWorkFindPacketSection>>.

|menu:Find Next[]                             |kbd:[Ctrl+N]      |
This menu item tries to find the next packet matching the settings from “Find
Packet...”.

|menu:Find Previous[]                         |kbd:[Ctrl+B]      |
This menu item tries to find the previous packet matching the settings from
“Find Packet...”.

|menu:Mark/Unmark Selected[]                  |kbd:[Ctrl+M]      |
This menu item marks the currently selected packet. See
<<ChWorkMarkPacketSection>> for details.

|menu:Mark All Displayed Packets[]            |kbd:[Ctrl+Shift+M]|
This menu item marks all displayed packets.

|menu:Unmark All Displayed Packets[]          |kbd:[Ctrl+Alt+M]  |
This menu item unmarks all displayed packets.

|menu:Next Mark[]                             |kbd:[Ctrl+Shift+N] |
Find the next marked packet.

|menu:Previous Mark[]                         |kbd:[Ctrl+Shift+B] |
Find the previous marked packet.

|menu:Ignore/Unignore Selected[]              |kbd:[Ctrl+D]      |
This menu item marks the currently selected packet as ignored. See
<<ChWorkIgnorePacketSection>> for details.

|menu:Ignore All Displayed[]                  |kbd:[Ctrl+Shift+D]|
This menu item marks all displayed packets as ignored.

|menu:Unignore All Displayed[]                |kbd:[Ctrl+Alt+D]  |
This menu item unmarks all ignored packets.

|menu:Set/Unset Time Reference[]              |kbd:[Ctrl+T]      |
This menu item set a time reference on the currently selected packet. See
<<ChWorkTimeReferencePacketSection>> for more information about the time
referenced packets.

|menu:Unset All Time References[]             |kbd:[Ctrl+Alt+T]  |
This menu item removes all time references on the packets.

|menu:Next Time Reference[]                   |kbd:[Ctrl+Alt+N]  |
This menu item tries to find the next time referenced packet.

|menu:Previous Time Reference[]               |kbd:[Ctrl+Alt+B]  |
This menu item tries to find the previous time referenced packet.

|menu:Time Shift...[]                         |kbd:[Ctrl+Shift+T]|
Opens the “Time Shift” dialog, which allows you to adjust the timestamps
of some or all packets.

|menu:Packet Comment...[]                      |kbd:[Ctrl+Alt+C] |
Opens the “Packet Comment” dialog, which lets you add a comment to a
single packet. Note that the ability to save packet comments depends on
your file format. E.g., pcapng supports comments, pcap does not.

|menu:Delete All Packet Comments[]             ||
This will delete all comments from all packets. Note that the ability to save
capture comments depends on your file format. E.g., pcapng supports
comments, pcap does not.

|menu:Inject TLS Secrets[]                        ||
Embeds the used TLS decryption secrets into the capture file, which lets
TLS be decrypted without having the separate keylog file.
Note that the ability to save decryption secrets depends on your file
format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.

|menu:Discard All Secrets[]                   ||
This will discard all embedded decryption secrets from the capture file.
Note that the ability to save decryption secrets depends on your file
format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.

|menu:Configuration Profiles...[]             |kbd:[Ctrl+Shift+A]|
This menu item brings up a dialog box for handling configuration profiles.  More
detail is provided in <<ChCustConfigProfilesSection>>.

|menu:Preferences...[]                        |kbd:[Ctrl+Shift+P] or kbd:[Cmd+,] (macOS)|
This menu item brings up a dialog box that allows you to set preferences for
many parameters that control Wireshark.  You can also save your preferences so
Wireshark will use them the next time you start it. More detail is provided in
<<ChCustPreferencesSection>>.

|===

[#ChUseViewMenuSection]

=== The “View” Menu

The Wireshark View menu contains the fields shown in <<ChUseTabView>>.

[#ChUseWiresharkViewMenu]
.The “View” Menu
image::images/ws-view-menu.png[{screenshot-attrs}]

[#ChUseTabView]
.View menu items
[options="header",cols="3,2,5"]
|===
|Menu Item              |Accelerator|Description
|menu:Main Toolbar[]    ||This menu item hides or shows the main toolbar, see <<ChUseMainToolbarSection>>.
|menu:Filter Toolbar[]  ||This menu item hides or shows the filter toolbar, see <<ChUseFilterToolbarSection>>.
|menu:Wireless Toolbar[]||This menu item hides or shows the wireless toolbar. May not be present on some platforms.
|menu:Statusbar[]       ||This menu item hides or shows the statusbar, see <<ChUseStatusbarSection>>.
|menu:Packet List[]     ||This menu item hides or shows the packet list pane, see <<ChUsePacketListPaneSection>>.
|menu:Packet Details[]  ||This menu item hides or shows the packet details pane, see <<ChUsePacketDetailsPaneSection>>.
|menu:Packet Bytes[]    ||This menu item hides or shows the packet bytes pane, see <<ChUsePacketBytesPaneSection>>.
|menu:Packet Diagram[]  ||This menu item hides or shows the packet diagram pane. See <<ChUsePacketDiagramPaneSection>>.
|menu:Time Display Format[Date and Time of Day: 1970-01-01 01:02:03.123456]|| Selecting this tells Wireshark to display the time stamps in date and time of day format, see <<ChWorkTimeFormatsSection>>.

The fields “Time of Day”, “Date and Time of Day”, “Seconds Since First
Captured Packet”, “Seconds Since Previous Captured Packet” and “Seconds
Since Previous Displayed Packet” are mutually exclusive.

|menu:Time Display Format[Time of Day: 01:02:03.123456]||Selecting this tells Wireshark to display time stamps in time of day format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Epoch (1970-01-01): 1234567890.123456]||Selecting this tells Wireshark to display time stamps in seconds since 1970-01-01 00:00:00, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since First Captured Packet: 123.123456]||Selecting this tells Wireshark to display time stamps in seconds since first captured packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Previous Captured Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous captured packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Seconds Since Previous Displayed Packet: 1.123456]||Selecting this tells Wireshark to display time stamps in seconds since previous displayed packet format, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Automatic (File Format Precision)]||Selecting this tells Wireshark to display time stamps with the precision given by the capture file format used, see <<ChWorkTimeFormatsSection>>.

The fields “Automatic”, “Seconds” and “...seconds” are mutually exclusive.

|menu:Time Display Format[Seconds: 0]||Selecting this tells Wireshark to display time stamps with a precision of one second, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[...seconds: 0....]||Selecting this tells Wireshark to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see <<ChWorkTimeFormatsSection>>.
|menu:Time Display Format[Display Seconds with hours and minutes]||Selecting this tells Wireshark to display time stamps in seconds, with hours and minutes.
|menu:Name Resolution[Edit Resolved Name]||This item allows you to manually enter names to resolve IP addresses in the current packet, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for MAC Layer]||This item allows you to control whether or not Wireshark translates MAC addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Network Layer]||This item allows you to control whether or not Wireshark translates network addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Name Resolution[Enable for Transport Layer]||This item allows you to control whether or not Wireshark translates transport addresses into names, see <<ChAdvNameResolutionSection>>.
|menu:Zoom In[]                     |kbd:[Ctrl+&#43;]   | Zoom into the packet data (increase the font size).
|menu:Zoom Out[]                    |kbd:[Ctrl+-]       | Zoom out of the packet data (decrease the font size).
|menu:Normal Size[]                 |kbd:[Ctrl+=]       | Set zoom level back to 100% (set font size back to normal).
|menu:Expand Subtrees[]                             |kbd:[Shift+→]|This menu item expands the currently selected subtree in the packet details tree.
|menu:Collapse Subtrees[]                           |kbd:[Shift+←]|This menu item collapses the currently selected subtree in the packet details tree.
|menu:Expand All[]                                  |kbd:[Ctrl+→] |Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
|menu:Collapse All[]                                |kbd:[Ctrl+←] |This menu item collapses the tree view of all packets in the capture list.
|menu:Colorize Packet List[]||This item allows you to control whether or not Wireshark should colorize the packet list.

Enabling colorization will slow down the display of new packets while
capturing or loading capture files.

|menu:Colorize Conversation[]                       |                   |This menu item brings up a submenu that allows you to color packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations. <<ChCustColorizationSection>>.
|menu:Colorize Conversation[Color 1-10]             |                   |These menu items enable one of the ten temporary color filters based on the currently selected conversation.
|menu:Colorize Conversation[Reset coloring]         |                   |This menu item clears all temporary coloring rules.
|menu:Colorize Conversation[New Coloring Rule...]   |                   |This menu item opens a dialog window in which a new permanent coloring rule can be created based on the currently selected conversation.
|menu:Coloring Rules...[]                           |                   |This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see <<ChCustColorizationSection>>.
|menu:Resize All Columns[]          |kbd:[Shift+Ctrl+R] | Resize all column widths so the content will fit into it.

Resizing may take a significant amount of time, especially if a large capture file is loaded.

|menu:Internals[]                                   |                   |Information about various internal data structures. See <<ChUseInternals>> below for more information.

|menu:Show Packet in New Window[] ||
Shows the selected packet in a separate window. The separate window
shows only the packet details and bytes of that packet, and will
continue to do so even if another packet is selected in the main window.
See <<ChWorkPacketSepView>> for details.

|menu:Reload[]                                      |kbd:[Ctrl+R]       |This menu item allows you to reload the current capture file.
|===

[#ChUseInternals]
.Internals menu items
[options="header",cols="3,5"]
|===
|Menu Item|Description
|menu:Conversation Hash Tables[]| Shows the tuples (address and port combinations) used to identify each conversation.
|menu:Dissector Tables[]| Shows tables of subdissector relationships.
|menu:Supported Protocols[]| Displays supported protocols and protocol fields.
|===


[#ChUseGoMenuSection]

=== The “Go” Menu

The Wireshark Go menu contains the fields shown in <<ChUseTabGo>>.

[#ChUseWiresharkGoMenu]
.The “Go” Menu
image::images/ws-go-menu.png[{screenshot-attrs}]

[#ChUseTabGo]
.Go menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                              |Accelerator        |Description
|menu:Back[]                            |kbd:[Alt+←] |Jump to the recently visited packet in the packet history, much like the page history in a web browser.
|menu:Forward[]                         |kbd:[Alt+→] |Jump to the next visited packet in the packet history, much like the page history in a web browser.
|menu:Go to Packet...[]                 |kbd:[Ctrl+G]       |Bring up a window frame that allows you to specify a packet number, and then goes to that packet. See <<ChWorkGoToPacketSection>> for details.
|menu:Go to Corresponding Packet[]      |                   |Go to the corresponding packet of the currently selected protocol field (e.g., the reply
corresponding to a request packet, or vice versa). If the selected field doesn’t correspond to a packet, this item is greyed out.
|menu:Previous Packet[]                 |kbd:[Ctrl+↑]|Move to the previous packet in the list.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet[]                     |kbd:[Ctrl+↓]|Move to the next packet in the list.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:First Packet[]                    |kbd:[Ctrl+Home]    |Jump to the first packet of the capture file.
|menu:Last Packet[]                     |kbd:[Ctrl+End]     |Jump to the last packet of the capture file.
|menu:Previous Packet In Conversation[] |kbd:[Ctrl+&#44;]  |Move to the previous packet in the current conversation.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Next Packet In Conversation[]     |kbd:[Ctrl+.]       |Move to the next packet in the current conversation.  This can be used to move to the previous packet even if the packet list doesn’t have keyboard focus.
|menu:Auto Scroll in Live Capture[] |                   |This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet.  If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
|===

[#ChUseCaptureMenuSection]

=== The “Capture” Menu

The Wireshark Capture menu contains the fields shown in <<ChUseTabCap>>.

[#ChUseWiresharkCaptureMenu]
.The “Capture” Menu
image::images/ws-capture-menu.png[{screenshot-attrs}]

[#ChUseTabCap]
.Capture menu items
[options="header",cols="3,2,5"]
|===
|Menu Item                  |Accelerator    |Description

|menu:Options...[]          |kbd:[Ctrl+K]   |
Shows the Capture Options dialog box, which allows you to configure
interfaces and capture options.
See <<ChCapCaptureOptions>>.

|menu:Start[]               |kbd:[Ctrl+E]   |
Immediately starts capturing packets with the same settings as the last
time.

|menu:Stop[]                |kbd:[Ctrl+E]   |
Stops the currently running capture. See <<ChCapStopSection>>.

|menu:Restart[]             |kbd:[Ctrl+R]   |
Stops the currently running capture and starts it again with the same
options.

|menu:Capture Filters...[]  |               |
Shows a dialog box that allows you to create and edit capture filters.
You can name filters and save them for future use.
See <<ChWorkDefineFilterSection>>.

|menu:Refresh Interfaces[]  |kbd:[F5]       |
Clear and recreate the interface list.

|===

[#ChUseAnalyzeMenuSection]

=== The “Analyze” Menu

The Wireshark Analyze menu contains the fields shown in <<ChUseAnalyze>>.

[#ChUseWiresharkAnalyzeMenu]
.The “Analyze” Menu
image::images/ws-analyze-menu.png[{screenshot-attrs}]

[#ChUseAnalyze]
.Analyze menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Display Filters...[]          ||
Displays a dialog box that allows you to create and edit display
filters. You can name filters, and you can save them for future use.
See <<ChWorkDefineFilterSection>>.

|menu:Display Filter Macros...[]    ||
Shows a dialog box that allows you to create and edit display filter
macros. You can name filter macros, and you can save them for future
use.
See <<ChWorkDefineFilterMacrosSection>>.

|menu:Display Filter Expression...[]    ||
Shows a dialog box that allows you to build a display filter expression
to apply. This shows possible fields and their applicable relations and
values, and allows you to search by name and description.
See <<ChWorkFilterAddExpressionSection>>.

|menu:Apply as Column[]             |kbd:[Shift+Ctrl+I]|
Adds the selected protocol item in the packet details pane as a column
to the packet list.

|menu:Apply as Filter[]             ||
Change the current display filter and apply it immediately. Depending on
the chosen menu item, the current display filter string will be replaced
or appended to by the selected protocol field in the packet details
pane.

|menu:Prepare as Filter[]            ||
Change the current display filter but won’t apply it. Depending on the
chosen menu item, the current display filter string will be replaced or
appended to by the selected protocol field in the packet details pane.

|menu:Conversation Filter[]         ||
Apply a conversation filter for various protocols.

|menu:Enabled Protocols...[]        |kbd:[Shift+Ctrl+E]|
Enable or disable various protocol dissectors. See <<ChAdvEnabledProtocols>>.

|menu:Decode As...[]                ||
Decode certain packets as a particular protocol. See <<ChAdvDecodeAs>>.

|menu:SCTP[]                        ||
Allows you to analyze and prepare a filter for this SCTP association.
See <<ChTelSCTP>>.

|menu:Follow[]                      ||
Opens a sub-menu with options of various types of protocol streams
to follow. The entries for protocols which aren't found in the
currently selected packet will be disabled.
See <<ChAdvFollowStreamSection>>.

|menu:Show Packet Bytes[]           ||
Open a window allowing for decoding and reformatting packet bytes.
You can do actions like Base64 decode, decompress, interpret as
a different character encoding, interpret bytes as an image format,
and save, print, or copy to the clipboard the results.
See <<ChAdvShowPacketBytes>> for more information.

|menu:Expert Info[]                 ||
Open a window showing expert information found in the capture.
Some protocol dissectors add packet detail items for notable or unusual
behavior, such as invalid checksums or retransmissions.
Those items are shown here.
See <<ChAdvExpert>> for more information.

The amount of information will vary depend on the protocol
|===

[#ChUseStatisticsMenuSection]

=== The “Statistics” Menu

The Wireshark Statistics menu contains the fields shown in <<ChUseStatistics>>.

[#ChUseWiresharkStatisticsMenu]
.The “Statistics” Menu
image::images/ws-statistics-menu.png[{screenshot-attrs}]

Each menu item brings up a new window showing specific statistics.

[#ChUseStatistics]
.Statistics menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Capture File Properties[]|| Show information about the capture file, see <<ChStatSummary>>.
|menu:Resolved Addresses[]||See <<ChStatResolvedAddresses>>
|menu:Protocol Hierarchy[]|| Display a hierarchical tree of protocol statistics, see <<ChStatHierarchy>>.
|menu:Conversations[]|| Display a list of conversations (traffic between two endpoints), see <<ChStatConversationsWindow>>.
|menu:Endpoints[]|| Display a list of endpoints (traffic to/from an address), see <<ChStatEndpointsWindow>>.
|menu:Packet Lengths[]||See <<ChStatPacketLengths>>
|menu:I/O Graphs[]|| Display user specified graphs (e.g., the number of packets in the course of time), see <<ChStatIOGraphs>>.
|menu:Service Response Time[]|| Display the time between a request and the corresponding response, see <<ChStatSRT>>.
|menu:DHCP (BOOTP)[]||See <<ChStatDHCPBOOTP>>
|menu:NetPerfMeter[]||See <<ChStatNetPerfMeter>>
|menu:ONC-RPC Programs[]||See <<ChStatONCRPC>>
|menu:29West[]||See <<ChStat29West>>
|menu:ANCP[]||See <<ChStatANCP>>
|menu:BACnet[]||See <<ChStatBACnet>>
|menu:Collectd[]||See <<ChStatCollectd>>
|menu:DNS[]||See <<ChStatDNS>>
//|menu:Compare...[]||See <<ChStatOtherProtocols>>
|menu:Flow Graph[]||See <<ChStatFlowGraph>>
|menu:HART-IP[]||See <<ChStatHARTIP>>
|menu:HPFEEDS[]||See <<ChStatHPFEEDS>>
|menu:HTTP[]||HTTP request/response statistics, see <<ChStatHTTP>>
|menu:HTTP2[]||See <<ChStatHTTP2>>
|menu:Sametime[]||See <<ChStatSametime>>
|menu:TCP Stream Graphs[]||See <<ChStatTCPStreamGraphs>>
|menu:UDP Multicast Streams[]||See <<ChStatUDPMulticastStreams>>
|menu:Reliable Server Pooling (RSerPool)[]||See <<ChStatRSerPool>>
|menu:F5[]||See <<ChStatF5>>
|menu:IPv4 Statistics[]||See <<ChStatIPv4>>
|menu:IPv6 Statistics[]||See <<ChStatIPv6>>


|===

[#ChUseTelephonyMenuSection]

=== The “Telephony” Menu

The Wireshark Telephony menu contains the fields shown in <<ChUseTelephony>>.

[#ChUseWiresharkTelephonyMenu]
.The “Telephony” Menu
image::images/ws-telephony-menu.png[{screenshot-attrs}]

Each menu item shows specific telephony related statistics.

[#ChUseTelephony]
.Telephony menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:VoIP Calls...[]||See <<ChTelVoipCalls>>
|menu:ANSI[]||See <<ChTelANSI>>
|menu:GSM[]||See <<ChTelGSM>>
|menu:IAX2 Stream Analysis[]||See <<ChTelIAX2Analysis>>
|menu:ISUP Messages[]||See <<ChTelISUPMessages>>
|menu:LTE[]||See <<ChTelLTE>>
|menu:MTP3[]||See <<ChTelMTP3>>
|menu:Osmux[]||See <<ChTelOsmux>>
|menu:RTP[]||See <<ChTelRTPStreams>> and <<ChTelRTPAnalysis>>
|menu:RTSP[]||See <<ChTelRTSP>>
|menu:SCTP[]||See <<ChTelSCTP>>
|menu:SMPP Operations[]||See <<ChTelSMPPOperations>>
|menu:UCP Messages[]||See <<ChTelUCPMessages>>
|menu:H.225[]||See <<ChTelH225>>
|menu:SIP Flows[]||See <<ChTelSIPFlows>>
|menu:SIP Statistics[]||See <<ChTelSIPStatistics>>
|menu:WAP-WSP Packet Counter[]||See <<ChTelWAPWSPPacketCounter>>

|===

[#ChUseWirelessMenuSection]

=== The “Wireless” Menu

The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in <<ChUseWiresharkWirelessMenu>>.

[#ChUseWiresharkWirelessMenu]
.The “Wireless” Menu
image::images/ws-wireless-menu.png[{screenshot-attrs}]

Each menu item shows specific Bluetooth and IEEE 802.11 statistics.

[#ChUseWireless]
.Wireless menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description

|menu:Bluetooth ATT Server Attributes[]||See <<ChWirelessBluetoothATTServerAttributes>>
|menu:Bluetooth Devices[]||See <<ChWirelessBluetoothDevices>>
|menu:Bluetooth HCI Summary[]||See <<ChWirelessBluetoothHCISummary>>
|menu:WLAN Traffic[]||See <<ChWirelessWLANTraffic>>

|===

[#ChUseToolsMenuSection]

=== The “Tools” Menu

The Wireshark Tools menu contains the fields shown in <<ChUseTools>>.

[#ChUseWiresharkToolsMenu]
.The “Tools” Menu
image::images/ws-tools-menu.png[{screenshot-attrs}]

[#ChUseTools]
.Tools menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:Firewall ACL Rules[]|| This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh).  Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported.

It is assumed that the rules will be applied to an outside interface.

Menu item is greyed out unless one (and only one) frame is selected in the packet list.
|menu:Credentials[]|| This allows you to extract credentials from the current capture file. Some of the dissectors (ftp, http, imap, pop, smtp) have been instrumented to provide the module with usernames and passwords and more will be instrumented in the future. The window dialog provides you the packet number where the credentials have been found, the protocol that provided them, the username and protocol specific information.
|menu:MAC Address Blocks[]|| This allows viewing the IEEE MAC address registry data that Wireshark uses to resolve MAC address blocks to vendor names. The table can be searched by address prefix or vendor name.
|menu:TLS Keylog Launcher[]|| This can launch an application such as a web browser or a terminal window with the SSLKEYLOGFILE environment variable set to the same value as the TLS secret log file. Note that you will probably have to quit your existing web browser session in order to have it run under a fresh environment.
|menu:Lua Console[]|| This option allows you to work with the Lua interpreter optionally built into Wireshark, to inspect Lua internals and evaluate code.
See “Lua Support in Wireshark” in the Wireshark Developer’s Guide.
|===

[#ChUseHelpMenuSection]

=== The “Help” Menu

The Wireshark Help menu contains the fields shown in <<ChUseHelp>>.

[#ChUseWiresharkHelpMenu]
.The “Help” Menu
image::images/ws-help-menu.png[{screenshot-attrs}]

[#ChUseHelp]
.Help menu items
[options="header",cols="3,2,5"]
|===
|Menu Item|Accelerator|Description
|menu:User's Guide[]|F1| This menu item brings up the Wireshark User's Guide you're reading right now.
|menu:Manual Pages[...]|| This menu item starts a Web browser showing one of the locally installed html manual pages.
|menu:Website[]|| This menu item starts a Web browser showing the webpage from: link:{wireshark-main-url}[].
|menu:FAQs[]|| This menu item starts a Web browser showing various FAQs.
|menu:Downloads[]|| This menu item starts a Web browser showing the downloads from: link:{wireshark-download-url}[].
|menu:Wiki[]|| This menu item starts a Web browser showing the front page from: link:{wireshark-wiki-url}[].
|menu:Sample Captures[]|| This menu item starts a Web browser showing the sample captures from: link:{wireshark-wiki-url}SampleCaptures[].
|menu:About Wireshark[]|| This menu item brings up an information window that provides various detailed information items on Wireshark, such as how it’s built, the plugins loaded, the used folders, ...

|===

[NOTE]
====
Opening a Web browser might be unsupported in your version of Wireshark. If this
is the case the corresponding menu items will be hidden.

If calling a Web browser fails on your machine, nothing happens, or the browser
starts but no page is shown, have a look at the web browser setting in the
preferences dialog.
====

[#ChUseMainToolbarSection]

=== The “Main” Toolbar

The main toolbar provides quick access to frequently used items
from the menu. This toolbar cannot be customized by the user, but it can
be hidden using the View menu if the space on the screen is needed to
show more packet data.

Items in the toolbar will be enabled or disabled (greyed out) similar to
their corresponding menu items. For example, in the image below shows
the main window toolbar after a file has been opened. Various
file-related buttons are enabled, but the stop capture button is
disabled because a capture is not in progress.

[#ChUseWiresharkMainToolbar]

.The “Main” toolbar
image::images/ws-main-toolbar.png[{screenshot-attrs}]

:toolbar-icon-attrs: height=24,width=24

[#ChUseMainToolbar]
.Main toolbar items
[options="header",cols="1,2,2,4"]
|===
|Toolbar Icon|Toolbar Item|Menu Item|Description
|image:images/toolbar/x-capture-start.png[{toolbar-icon-attrs}] |btn:[Start]|menu:Capture[Start]| Starts capturing packets with the same options as the last capture or the default options if none were set (<<ChCapCapturingSection>>).
|image:images/toolbar/x-capture-stop.png[{toolbar-icon-attrs}]      |btn:[Stop]|menu:Capture[Stop]| Stops the currently running capture (<<ChCapCapturingSection>>).
|image:images/toolbar/x-capture-restart.png[{toolbar-icon-attrs}]   |btn:[Restart]|menu:Capture[Restart]| Restarts the current capture session.
|image:images/toolbar/x-capture-options.png[{toolbar-icon-attrs}]   |btn:[Options...]|menu:Capture[Options...]| Opens the “Capture Options” dialog box. See <<ChCapCapturingSection>> for details.
// --
|image:images/toolbar/document-open.png[{toolbar-icon-attrs}]         |btn:[Open...]|menu:File[Open...]| Opens the file open dialog box, which allows you to load a capture file for viewing. It is discussed in more detail in <<ChIOOpen>>.
|image:images/toolbar/x-capture-file-save.png[{toolbar-icon-attrs}]   |btn:[Save As...]|menu:File[Save As...]| Save the current capture file to whatever file you would like. See <<ChIOSaveAs>> for details. If you currently have a temporary capture file open the “Save” icon  will be shown instead.
|image:images/toolbar/x-capture-file-close.png[{toolbar-icon-attrs}]  |btn:[Close]|menu:File[Close]|Closes the current capture. If you have not saved the capture, you will be asked to save it first.
|image:images/toolbar/x-capture-file-reload.png[{toolbar-icon-attrs}] |btn:[Reload]|menu:View[Reload]| Reloads the current capture file.
// --
|image:images/toolbar/edit-find.png[{toolbar-icon-attrs}]   |btn:[Find Packet...]|menu:Edit[Find Packet...]|Find a packet based on different criteria. See <<ChWorkFindPacketSection>> for details.
|image:images/toolbar/go-previous.png[{toolbar-icon-attrs}] |btn:[Go Back]|menu:Go[Go Back]|Jump back in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go back in the selection history.
|image:images/toolbar/go-next.png[{toolbar-icon-attrs}]     |btn:[Go Forward]|menu:Go[Go Forward]|Jump forward in the packet history. Hold down the kbd:[Alt] key (kbd:[Option] on macOS) to go forward in the selection history.
|image:images/toolbar/go-jump.png[{toolbar-icon-attrs}]     |btn:[Go to Packet...]|menu:Go[Go to Packet...]| Go to a specific packet.
|image:images/toolbar/go-first.png[{toolbar-icon-attrs}]    |btn:[Go To First Packet]|menu:Go[First Packet]| Jump to the first packet of the capture file.
|image:images/toolbar/go-last.png[{toolbar-icon-attrs}]     |btn:[Go To Last Packet]|menu:Go[Last Packet]| Jump to the last packet of the capture file.
|image:images/toolbar/x-stay-last.png[{toolbar-icon-attrs}] |btn:[Auto Scroll in Live Capture]|menu:View[Auto Scroll in Live Capture]| Auto scroll packet list while doing a live capture (or not).
// --
|image:images/toolbar/x-colorize-packets.png[{toolbar-icon-attrs}] |btn:[Colorize]|menu:View[Colorize]| Colorize the packet list (or not).
// --
|image:images/toolbar/zoom-in.png[{toolbar-icon-attrs}]          |btn:[Zoom In]|menu:View[Zoom In]| Zoom into the packet data (increase the font size).
|image:images/toolbar/zoom-out.png[{toolbar-icon-attrs}]         |btn:[Zoom Out]|menu:View[Zoom Out]| Zoom out of the packet data (decrease the font size).
|image:images/toolbar/zoom-original.png[{toolbar-icon-attrs}]    |btn:[Normal Size]|menu:View[Normal Size]| Set zoom level back to 100%.
|image:images/toolbar/x-resize-columns.png[{toolbar-icon-attrs}] |btn:[Resize Columns]|menu:View[Resize Columns]| Resize columns, so the content fits into them.
|image:images/toolbar/x-reset-layout_2.png[{toolbar-icon-attrs}] |btn:[Reset Layout]|menu:View[Reset Layout]| Reset layout to default size.
// --
//|image:images/toolbar/stock_colorselector_24.png[{toolbar-icon-attrs}]|btn:[Coloring Rules...]|menu:View[Coloring Rules...]| This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in <<ChCustColorizationSection>>.
|===

[#ChUseFilterToolbarSection]

=== The “Filter” Toolbar

The filter toolbar lets you quickly edit and apply display filters. More
information on display filters is available in <<ChWorkDisplayFilterSection>>.

[#ChUseWiresharkFilterToolbar]

.The “Filter” toolbar
image::images/ws-filter-toolbar.png[{screenshot-attrs}]

// Icons themselves are 32px high.
:filter-icon-attrs: height=24

[#ChUseFilterToolbar]
.Filter toolbar items
[options="header",cols="1,3,5"]
|===
|Toolbar Icon|Name|Description
|image:images/toolbar/filter-toolbar-bookmark.png[{filter-icon-attrs}]|Bookmarks|Manage or select <<ChWorkDefineFilterSection,saved filters>>.
|image:images/toolbar/filter-toolbar-input.png[{filter-icon-attrs}]|Filter Input|The area to enter or edit a display filter string, see <<ChWorkBuildDisplayFilterSection>>. A syntax check of your filter string is done while you are typing. The background will turn red if you enter an incomplete or invalid string, and will become green when you enter a valid string.

After you’ve changed something in this field, don’t forget to press the Apply
button (or the Enter/Return key), to apply this filter string to the display.

This field is also where the current applied filter is displayed.

|image:images/toolbar/filter-toolbar-clear.png[{filter-icon-attrs}]|Clear|Reset the current display filter and clear the edit area.
|image:images/toolbar/filter-toolbar-apply.png[{filter-icon-attrs}]|Apply|Apply the current value in the edit area as the new display filter.

Applying a display filter on large capture files might take quite a long time.

|image:images/toolbar/filter-toolbar-recent.png[{filter-icon-attrs}]|Recent|Select from a list of recently applied filters.
|image:images/toolbar/filter-toolbar-add.png[{filter-icon-attrs}]|Add Button|Add a new filter button.
|btn:[Squirrels]|Filter Button|
Filter buttons are handy shortcuts that apply a display filter as soon as you press them.
You can create filter buttons by pressing the btn:[{plus}] button, right-clicking in the filter button area, or opening the <<ChCustFilterButtons,Filter Button>> section of the <<ChCustPreferencesSection,Preferences Dialog>>.
The example shows a filter button with the label “Squirrels”.
If you have lots of buttons you can arrange them into groups by using “//” as a label separator.
For example, if you create buttons named “Not Squirrels // Rabbits” and “Not Squirrels // Capybaras” they will show up in the toolbar under a single button named “Not Squirrels”.

|===


[#ChUsePacketListPaneSection]

=== The “Packet List” Pane

The packet list pane displays all the packets in the current capture file.

[#ChUseWiresharkListPane]
.The “Packet List” pane
image::images/ws-list-pane.png[{screenshot-attrs}]

Each line in the packet list corresponds to one packet in the capture file. If
you select a line in this pane, more details will be displayed in the “Packet
Details” and “Packet Bytes” panes.

While dissecting a packet, Wireshark will place information from the protocol
dissectors into the columns. As higher-level protocols might overwrite
information from lower levels, you will typically see the information from the
highest possible level only.

For example, let’s look at a packet containing TCP inside IP inside an Ethernet
packet. The Ethernet dissector will write its data (such as the Ethernet
addresses), the IP dissector will overwrite this by its own (such as the IP
addresses), the TCP dissector will overwrite the IP information, and so on.

There are many different columns available. You can choose which columns are
displayed in the preferences. See <<ChCustPreferencesSection>>.

The default columns will show:

* btn:[No.] The number of the packet in the capture file. This number won’t
  change, even if a display filter is used.

* btn:[Time] The timestamp of the packet. The presentation format of this
  timestamp can be changed, see <<ChWorkTimeFormatsSection>>.

* btn:[Source] The address where this packet is coming from.

* btn:[Destination] The address where this packet is going to.

* btn:[Protocol] The protocol name in a short (perhaps abbreviated) version.

* btn:[Length] The length of each packet.

* btn:[Info] Additional information about the packet content.

The first column shows how each packet is related to the selected packet. For
example, in the image above the first packet is selected, which is a DNS
request. Wireshark shows a rightward arrow for the request itself, followed by a
leftward arrow for the response in packet 2. Why is there a dashed line? There
are more DNS packets further down that use the same port numbers. Wireshark
treats them as belonging to the same conversation and draws a line connecting
them.

// Images were created on macOS 10.11 using a retina display. Lines were
// 36 physical pixels high.

[horizontal]
.Related packet symbols

image:images/related-first.png[{related-attrs}]::
  First packet in a conversation.

image:images/related-current.png[{related-attrs}]::
  Part of the selected conversation.

image:images/related-other.png[{related-attrs}]::
  _Not_ part of the selected conversation.

image:images/related-last.png[{related-attrs}]::
  Last packet in a conversation.

image:images/related-request.png[{related-attrs}]::
  Request.

image:images/related-response.png[{related-attrs}]::
  Response.

image:images/related-ack.png[{related-attrs}]::
  The selected packet acknowledges this packet.

image:images/related-dup-ack.png[{related-attrs}]::
  The selected packet is a duplicate acknowledgement of this packet.

image:images/related-segment.png[{related-attrs}]::
  The selected packet is related to this packet in some other way, e.g., as part
  of reassembly.

The packet list has an _Intelligent Scrollbar_ which shows a miniature map of
nearby packets. Each https://en.wikipedia.org/wiki/Raster_graphics[raster line]
of the scrollbar corresponds to a single packet, so the number of packets shown
in the map depends on your physical display and the height of the packet list. A
tall packet list on a high-resolution (“Retina”) display will show you quite a
few packets. In the image above the scrollbar shows the status of more than 500
packets along with the 15 shown in the packet list itself.

Right clicking will show a context menu, described in
<<ChWorkPacketListPanePopUpMenu>>.

[#ChUsePacketDetailsPaneSection]

=== The “Packet Details” Pane

The packet details pane shows the current packet (selected in the “Packet List”
pane) in a more detailed form.

[#ChUseWiresharkDetailsPane]

.The “Packet Details” pane
image::images/ws-details-pane.png[{screenshot-attrs}]

This pane shows the protocols and protocol fields of the packet selected in the
“Packet List” pane. The protocol summary lines (subtree labels) and fields of the
packet are shown in a tree which can be expanded and collapsed.

There is a context menu (right mouse click) available. See details in
<<ChWorkPacketDetailsPanePopUpMenu>>.

Some protocol fields have special meanings.

* *Generated fields.* Wireshark itself will generate additional protocol
  information which isn’t present in the captured data. This information
  is enclosed in square brackets (“[” and “]”). Generated information
  includes response times, TCP analysis, IP geolocation information, and
  checksum validation.

* *Links.* If Wireshark detects a relationship to another packet in the capture
  file it will generate a link to that packet. Links are underlined and
  displayed in blue. If you double-clicked on a link  Wireshark will jump to the
  corresponding packet.

[#ChUsePacketBytesPaneSection]

=== The “Packet Bytes” Pane

The packet bytes pane shows the data of the current packet (selected in the
“Packet List” pane) in a hexdump style.

[#ChUseWiresharkBytesPane]

.The “Packet Bytes” pane
image::images/ws-bytes-pane.png[{screenshot-attrs}]

The “Packet Bytes” pane shows a canonical
https://en.wikipedia.org/wiki/Hex_dump[hex dump] of the packet data. Each line
contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes.
Non-printable bytes are replaced with a period (“.”).

Depending on the packet data, sometimes more than one page is available, e.g.
when Wireshark has reassembled some packets into a single chunk of data. (See
<<ChAdvReassemblySection>> for details). In this case you can see each data
source by clicking its corresponding tab at the bottom of the pane.

The default mode for viewing will highlight the bytes for a field where the
mouse pointer is hovering above. The highlight will follow the mouse cursor
as it moves. If this highlighting is not required or wanted, there are two
methods for deactivating the functionality:

* *Temporary* By holding down the Ctrl button while moving the mouse, the
  highlighted field will not change

* *Permanently* Using the context menu (right mouse click) the hover highlighting
  may be activated/deactivated. This setting is stored in the selected profile
  __recent__ file.

[#ChUseWiresharkBytesPaneTabs]
.The “Packet Bytes” pane with tabs
image::images/ws-bytes-pane-tabs.png[{screenshot-attrs}]

Additional tabs typically contain data reassembled from multiple packets or
decrypted data.

[#ChUsePacketDiagramPaneSection]

=== The “Packet Diagram” Pane

The packet diagram pane shows the current packet (selected in the “Packet List”
pane) as a diagram, similar to ones used in textbooks and IETF RFCs.

[#ChUseWiresharkDiagramPane]

.The “Packet Diagram” pane
image::images/ws-diagram-pane.png[{screenshot-attrs}]

This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams.

There is a context menu (right mouse click) available.
For details see <<ChWorkPacketDiagramPanePopUpMenu>>.

[#ChUseStatusbarSection]

=== The Statusbar

The statusbar displays informational messages.

In general, the left side will show context related information, the middle part
will show information about the current capture file, and the right side will
show the selected configuration profile. Drag the handles between the text areas
to change the size.

[#ChUseWiresharkStatusbarEmpty]
.The initial Statusbar
image::images/ws-statusbar-empty.png[{statusbar-attrs}]

This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started.

[#ChUseWiresharkStatusbarLoaded]
.The Statusbar with a loaded capture file
image::images/ws-statusbar-loaded.png[{statusbar-attrs}]

The colorized bullet...:: on the left shows the highest expert information level found in the currently loaded capture file.
Hovering the mouse over this icon will show a description of the expert info level, and clicking the icon will bring up the Expert Information dialog box.
For a detailed description of this dialog and each expert level, see <<ChAdvExpert>>.

The edit icon...:: on the left side lets you add a comment to the capture file using the <<ChStatSummary,Capture File Properties>> dialog.

The left side...:: shows the capture file name by default.
It also shows field information when hovering over and selecting items in the packet detail and packet bytes panes, as well as general notifications.

The middle...:: shows the current number of packets in the capture file.
The following values are displayed:

Packets::: The number of captured packets.

Displayed::: The number of packets currently being displayed.

Marked::: The number of marked packets. Only displayed if you marked any packets.

Dropped::: The number of dropped packets Only displayed if Wireshark was unable to capture all packets.

Ignored::: The number of ignored packets Only displayed if you ignored any packets.

//Load time::: The time it took to load the capture (wall clock time).

The right side...:: shows the selected configuration profile.
Clicking on this part of the statusbar will bring up a menu with all available configuration profiles, and selecting from this list will change the configuration profile.

[#ChUseWiresharkStatusbarProfile]
.The Statusbar with a configuration profile menu
image::images/ws-statusbar-profile.png[{pdf-scaledwidth},height=192]

For a detailed description of configuration profiles, see <<ChCustConfigProfilesSection>>.

[#ChUseWiresharkStatusbarSelected]
.The Statusbar with a selected protocol field
image::images/ws-statusbar-selected.png[{statusbar-attrs}]

This is displayed if you have selected a protocol field in the “Packet Details” pane.

[TIP]
====
The value between the parentheses (in this example “ipv6.src”) is the display filter field for the selected item.
You can become more familiar with display filter fields by selecting different packet detail items.
====

[#ChUseWiresharkStatusbarFilter]

//FIXME: Remove or choose a better example of a display filter message.
.The Statusbar with a display filter message
image::images/ws-statusbar-filter.png[{statusbar-attrs}]

This is displayed if you are trying to use a display filter which may have unexpected results.

// End of WSUG Chapter 3