Witness: fix compiler warnings

[wireshark-wip.git] / docbook / wsug_src / WSUG_chapter_customize.xml

<!-- WSUG Chapter Customizing -->
<!-- $Id$ -->

<chapter id="ChapterCustomize">
  <title>Customizing Wireshark</title>

  <section id="ChCustIntroduction"><title>Introduction</title>
    <para>
    Wireshark's default behaviour will usually suit your needs pretty well.
    However, as you become more familiar with Wireshark, it can be customized
    in various ways to suit your needs even better. In this chapter we explore:
    <itemizedlist>
    <listitem>
      <para>
        How to start Wireshark with command line parameters
      </para>
    </listitem>
    <listitem>
      <para>
        How to colorize the packet list
      </para>
    </listitem>
    <listitem>
      <para>
        How to control protocol dissection
      </para>
    </listitem>
    <listitem>
      <para>
        How to use the various preference settings
      </para>
    </listitem>
    </itemizedlist>
    </para>
  </section>

  <section id="ChCustCommandLine"><title>Start Wireshark from the command line</title>
    <para>
      You can start <application>Wireshark</application> from the command
      line, but it can also be started from most Window managers
      as well. In this section we will look at starting it from the command
      line.
    </para>
    <para>
      <application>Wireshark</application> supports a large number of
      command line parameters. To see what they are, simply enter the
      command <command>wireshark -h</command> and the help information
      shown in <xref linkend="ChCustEx1"/> (or something similar) should be
      printed.
    <example id="ChCustEx1">
      <title>Help information available from Wireshark</title>
      <programlisting>
Wireshark 1.9.0 (SVN Rev 47047 from /trunk)
Interactively dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2013 Gerald Combs &lt;gerald@wireshark.org&gt; and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: wireshark [options] ... [ &lt;infile&gt; ]

Capture interface:
  -i &lt;interface&gt;           name or idx of interface (def: first non-loopback)
  -f &lt;capture filter&gt;      packet filter in libpcap filter syntax
  -s &lt;snaplen&gt;             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -I                       capture in monitor mode, if available
  -B &lt;buffer size&gt;         size of kernel buffer (def: 1MB)
  -y &lt;link type&gt;           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c &lt;packet count&gt;        stop after n packets (def: infinite)
  -a &lt;autostop cond.&gt; ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b &lt;ringbuffer opt.&gt; ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r &lt;infile&gt;              set the filename to read from (no pipes or stdin!)

Processing:
  -R &lt;read filter&gt;         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N &lt;name resolve flags&gt;  enable specific name resolution(s): "mntC"

User interface:
  -C &lt;config profile&gt;      start with specified configuration profile
  -d &lt;display filter&gt;      start with the given display filter
  -g &lt;packet number&gt;       go to specified packet number after "-r"
  -J &lt;jump filter&gt;         jump to the first packet matching the (display)
                           filter
  -j                       search backwards for a matching packet after "-J"
  -m &lt;font&gt;                set the font name used for most text
  -t ad|a|r|d|dd|e         output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -X &lt;key&gt;:&lt;value&gt;         eXtension options, see man page for details
  -z &lt;statistics&gt;          show various statistics, see man page for details

Output:
  -w &lt;outfile|-&gt;           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -P &lt;key&gt;:&lt;path&gt;          persconf:path - personal configuration files
                           persdata:path - personal data files
  -o &lt;name&gt;:&lt;value&gt; ...    override preference or recent setting
  -K &lt;keytab&gt;              keytab file to use for kerberos decryption
  --display=DISPLAY        X display to use

</programlisting>
    </example>

    We will examine each of the command line options in turn.
    </para>
    <para>
      The first thing to notice is that issuing the command
      <command>wireshark</command> by itself will bring up
      <application>Wireshark</application>.
      However, you can include as many of the command line parameters as
      you like. Their meanings are as follows ( in alphabetical order ):
      XXX - is the alphabetical order a good choice? Maybe better task based?
      <variablelist>
      <varlistentry><term><command>-a &lt;capture autostop condition></command></term>
      <listitem>
        <para>
        Specify a criterion that specifies when Wireshark is to stop writing
        to a capture file. The criterion is of the form test:value, where test
        is one of:
        <variablelist>
        <varlistentry><term><command>duration</command>:value</term>
            <listitem><para>
            Stop writing to a capture file after value of seconds have elapsed.
            </para></listitem>
        </varlistentry>
        <varlistentry><term><command>filesize</command>:value</term>
            <listitem><para>
            Stop writing to a capture file after it reaches a size of value
            kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If
            this option is used together with the -b option, Wireshark will
            stop writing to the current capture file and switch to the next
            one if filesize is reached.
            </para></listitem>
        </varlistentry>
        <varlistentry><term><command>files</command>:value</term>
            <listitem><para>
            Stop writing to capture files after value number of files were
            written.
            </para></listitem>
        </varlistentry>
        </variablelist>
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-b &lt;capture ring buffer option></command></term>
      <listitem>
        <para>
        If a maximum capture file size was specified, this option causes Wireshark to run
        in "ring buffer" mode, with the specified number of files. In "ring
        buffer" mode, Wireshark will write to several capture files. Their
        name is based on the number of the file and on the creation date and
        time.
        </para>
        <para>
        When the first capture file fills up Wireshark will switch to writing
        to the next file, and so on.  With the <command>files</command> option it's
        also possible to form a "ring buffer."  This will fill up new files until the
        number of files specified, at which point the data in the first file will be
        discarded so a new file can be written.
        </para>
        <para>
        If the optional <command>duration</command> is specified, Wireshark will also
        switch to the next file when the specified number of seconds has elapsed even
        if the current file is not completely fills up.
        </para>
        <para>
        <variablelist>
        <varlistentry><term><command>duration</command>:value</term>
            <listitem><para>
            Switch to the next file after value seconds have elapsed, even
            if the current file is not completely filled up.
            </para></listitem>
        </varlistentry>
        <varlistentry><term><command>filesize</command>:value</term>
            <listitem><para>
            Switch to the next file after it reaches a size of value kilobytes
            (where a kilobyte is 1000 bytes, not 1024 bytes).
            </para></listitem>
        </varlistentry>
        <varlistentry><term><command>files</command>:value</term>
            <listitem><para>
            Begin again with the first file after value number of files were
            written (form a ring buffer).
            </para></listitem>
        </varlistentry>
        </variablelist>
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-B &lt;capture buffer size (Win32 only)></command></term>
      <listitem>
        <para>
          Win32 only: set capture buffer size (in MB, default is 1MB). This
          is used by the capture driver to buffer packet data until that
          data can be written to disk. If you encounter packet drops while
          capturing, try to increase this size.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-c &lt;capture packet count></command></term>
      <listitem>
        <para>
          This option specifies the maximum number of packets to capture
          when capturing live data.  It would be used in conjunction
          with the <command>-k</command> option.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-D</command></term>
      <listitem>
        <para>
Print a list of the interfaces on which Wireshark can capture, and
exit.  For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed.  The interface name or the number can be supplied
to the <command>-i</command> flag to specify an interface on which to capture.
        </para>
        <para>
This can be useful on systems that don't have a command to list them
(e.g., Windows systems, or UNIX systems lacking <command>ifconfig -a</command>);
the number can be useful on Windows 2000 and later systems, where the
interface name is a somewhat complex string.
        </para>
        <para>
Note that "can capture" means that Wireshark was able to open
that device to do a live capture; if, on your system, a program doing a
network capture must be run from an account with special privileges (for
example, as root), then, if Wireshark is run with the <command>-D</command> flag and
is not run from such an account, it will not list any interfaces.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-f &lt;capture filter></command></term>
      <listitem>
        <para>
          This option sets the initial capture filter expression to
          be used when capturing packets.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-g &lt;packet number></command></term>
      <listitem>
        <para>
          After reading in a capture file using the -r flag, go to the given
          packet number.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-h</command></term>
      <listitem>
        <para>
          The <command>-h</command> option requests Wireshark to print
          its version and usage instructions (as shown above) and exit.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-i &lt;capture interface></command></term>
      <listitem>
        <para>
Set the name of the network interface or pipe to use for live packet
capture.
        </para>
        <para>
Network interface names should match one of the names listed in
<command>wireshark -D</command> (described above); a number, as reported by
<command>wireshark -D</command>, can also be used.  If you're using UNIX, <command>netstat
-i</command> or <command>ifconfig -a</command> might also work to list interface names,
although not all versions of UNIX support the <command>-a</command> flag to <command>ifconfig</command>.
        </para>
        <para>
If no interface is specified, Wireshark searches the list of
interfaces, choosing the first non-loopback interface if there are any
non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces; if there are no interfaces,
Wireshark reports an error and doesn't start the capture.
        </para>
        <para>
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input.  Data read from pipes must be in
standard libpcap format.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-J &lt;jump filter></command></term>
      <listitem>
        <para>
          After reading in a capture file using the <command>-r</command>
          flag, jump to the first packet which matches the filter expression.
          The filter expression is in display filter format. If an exact match
          cannot be found the first packet afterwards is selected.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-j</command></term>
      <listitem>
        <para>
          Use this option after the <command>-J</command> option to search
          backwards for a first packet to go to.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-k</command></term>
      <listitem>
        <para>
          The <command>-k</command> option specifies that Wireshark
          should start capturing packets immediately.  This option
          requires the use of the <command>-i</command> parameter to
          specify the interface that packet capture will occur from.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-l</command></term>
      <listitem>
        <para>
          This option turns on automatic scrolling if the packet
          list pane is being updated automatically as packets arrive
          during a capture ( as specified by the <command>-S</command>
          flag).
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-L</command></term>
      <listitem>
        <para>
          List the data link types supported by the interface and exit.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-m &lt;font></command></term>
      <listitem>
        <para>
          This option sets the name of the font used for most text
          displayed by Wireshark. XXX - add an example!
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-n</command></term>
      <listitem>
        <para>
        Disable network object name resolution (such as hostname, TCP and UDP
        port names).
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-N &lt;name resolving flags></command></term>
      <listitem>
        <para>
          Turns on name resolving for particular types of addresses
          and port numbers; the argument is a string that may contain
          the letters <command>m</command> to enable MAC address
          resolution, <command>n</command> to enable network address
          resolution, and <command>t</command> to enable transport-layer
          port number resolution.  This overrides <command>-n</command>
          if both <command>-N</command> and <command>-n</command> are
          present. The letter C enables concurrent (asynchronous) DNS lookups.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry>
      <term><command>-o &lt;preference/recent settings&gt;</command></term>
      <listitem>
        <para>
          Sets a preference or recent value, overriding the default value and
          any value read from a preference/recent file.  The argument to the
          flag is a string of the form prefname:value, where prefname
          is the name of the preference (which is the same name that
          would appear in the preference/recent file), and value is the value
          to which it should be set.  Multiple instances of
          <command>-o &lt;preference settings&gt; </command> can be
          given on a single command line.
        </para>
        <para>An example of setting a single preference would be: </para>
        <para>
          <command>
        wireshark -o mgcp.display_dissect_tree:TRUE
          </command>
        </para>
        <para>
          An example of setting multiple preferences would be:
        </para>
        <para>
          <command>
        wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
          </command>
        </para>
        <tip><title>Tip!</title>
          <para>
        You can get a list of all available preference strings from the
        preferences file, see <xref linkend="AppFiles"/>.
          </para>
        </tip>
        <para>User access tables can be overridden using "uat," followed by
        the UAT file name and a valid record for the file: </para>
        <para>
          <command>
        wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\""
          </command>
        </para>
        <para>
          The example above would dissect packets with a libpcap data
          link type 147 as HTTP, just as if you had configured it in the
          DLT_USER protocol preferences.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-p</command></term>
      <listitem>
        <para>
          Don't put the interface into promiscuous mode.  Note that
          the interface might be in promiscuous mode for some other
          reason; hence, -p cannot be used to ensure that the only
          traffic that is captured is traffic sent to or from the
          machine on which Wireshark is running, broadcast traffic, and
          multicast traffic to addresses received by that machine.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-P &lt;path setting></command></term>
      <listitem>
        <para>
        Special path settings usually detected automatically. This is used
        for special cases, e.g. starting Wireshark from a known location on
        an USB stick.
        </para>
        <para>
        The criterion is of the form key:path, where key is one of:
        <variablelist>
        <varlistentry><term><command>persconf</command>:path</term>
            <listitem><para>
            path of personal configuration files, like the preferences files.
            </para></listitem>
        </varlistentry>
        <varlistentry><term><command>persdata</command>:path</term>
            <listitem><para>
            path of personal data files, it's the folder initially opened.
            After the initialization, the recent file will keep the folder
            last used.
            </para></listitem>
        </varlistentry>
        </variablelist>
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-Q</command></term>
      <listitem>
        <para>
          This option forces Wireshark to exit when capturing is
          complete. It can be used with the <command>-c</command> option.
          It must be used in conjunction with the
          <command>-i</command> and <command>-w</command> options.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-r &lt;infile></command></term>
      <listitem>
        <para>
          This option provides the name of a capture file for Wireshark
          to read and display. This capture file can be in one of the
          formats Wireshark understands.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-R &lt;read (display) filter></command></term>
      <listitem>
        <para>
          This option specifies a display filter to be applied when
          reading packets from a capture file. The syntax of this
          filter is that of the display filters discussed in
          <xref linkend="ChWorkDisplayFilterSection"/>.  Packets not
          matching the filter are discarded.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-s &lt;capture snaplen></command></term>
      <listitem>
        <para>
          This option specifies the snapshot length to use when
          capturing packets. Wireshark will only capture
          <command>&lt;snaplen></command> bytes of data for each packet.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-S</command></term>
      <listitem>
        <para>
          This option specifies that Wireshark will display packets as
          it captures them. This is done by capturing in one process
          and displaying them in a separate process. This is the same
          as "Update list of packets in real time" in the Capture Options
          dialog box.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry>
      <term><command>-t &lt;time stamp format></command></term>
      <listitem>
        <para>
          This option sets the format of packet timestamps that are
          displayed in the packet list window.  The format can be one of:
          <itemizedlist>
        <listitem>
          <para>
            <command>r</command> relative, which specifies timestamps are
            displayed relative to the first packet captured.
          </para>
        </listitem>
        <listitem>
          <para>
            <command>a</command> absolute, which specifies that actual times
            be displayed for all packets.
          </para>
        </listitem>
        <listitem>
          <para>
            <command>ad</command> absolute with date, which specifies that
            actual dates and times be displayed for all packets.
          </para>
        </listitem>
        <listitem>
          <para>
            <command>d</command> delta, which specifies that timestamps
            are relative to the previous packet.
          </para>
        </listitem>
        <listitem>
          <para>
            <command>e</command> epoch, which specifies that timestamps
            are seconds since epoch (Jan 1, 1970 00:00:00)
          </para>
        </listitem>
          </itemizedlist>
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-v</command></term>
      <listitem>
        <para>
          The <command>-v</command> option requests
          Wireshark to print out its version information and exit.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-w &lt;savefile></command></term>
      <listitem>
        <para>
          This option sets the name of the <command>savefile</command>
          to be used when saving a capture file.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-y &lt;capture link type></command></term>
      <listitem>
        <para>
        If a capture is started from the command line with -k, set the data
        link type to use while capturing packets. The values reported by -L
        are the values that can be used.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-X &lt;eXtension option></command></term>
      <listitem>
        <para>
        Specify an option to be passed to a TShark module. The eXtension
        option is in the form extension_key:value, where extension_key can
        be:
        </para>
        <para>
        <command>lua_script</command>:lua_script_filename; Tells Wireshark to load the given script in addition to the default Lua scripts.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry><term><command>-z &lt;statistics-string></command></term>
      <listitem>
        <para>
        Get Wireshark to collect various types of statistics and display the
        result in a window that updates in semi-real time.
        XXX - add more details here!
        </para>
      </listitem>
    </varlistentry>
      </variablelist>
    </para>
  </section>

  <section id="ChCustColorizationSection"><title>Packet colorization</title>
    <para>
      A very useful mechanism available in Wireshark is packet colorization.
      You can set-up Wireshark so that it will colorize packets according to a
      filter. This allows you to emphasize the packets you are (usually)
      interested in.
    </para>
    <tip>
      <title>Tip!</title>
      <para>
      You will find a lot of Coloring Rule examples at the <command>Wireshark
      Wiki Coloring Rules page</command> at <ulink
      url="&WiresharkWikiColoringRulesPage;">&WiresharkWikiColoringRulesPage;</ulink>.
      </para>
    </tip>
    <para>
      There are two types of coloring rules in Wireshark; temporary ones that are
      only used until you quit the program, and permanent ones that will be saved to
      a preference file so that they are available on a next session.
    </para>
    <para>
      Temporary coloring rules can be added by selecting a packet and pressing
      the &lt;ctrl&gt; key together with one of the number keys. This will
      create a coloring rule based on the currently selected conversation. It will
      try to create a conversation filter based on TCP first, then UDP, then IP
      and at last Ethernet. Temporary filters can also be created by selecting
      the "Colorize with Filter > Color X" menu items when rightclicking in the
      packet-detail pane.
    </para>

    <para>
      To permanently colorize packets, select the <command>Coloring Rules...</command> menu item from
      the <command>View</command> menu; Wireshark will pop up the "Coloring Rules"
      dialog box as shown in <xref linkend="ChCustColoringRulesDialog"/>.
    </para>
    <figure id="ChCustColoringRulesDialog">
      <title>The "Coloring Rules" dialog box</title>
      <graphic entityref="WiresharkColoringRulesDialog" format="PNG"/>
    </figure>
    <para>
      Once the Coloring Rules dialog box is up, there are a number
      of buttons you can use, depending on whether or not you have any
      color filters installed already.
    </para>
    <note><title>Note!</title>
    <para>
          You will need to carefully select the order the coloring rules are listed
          as they are applied in order from top to bottom.
      So, more specific rules need to be listed before more general rules.
      For example, if you have a color rule for UDP before the one for DNS,
      the color rule for DNS will never be applied (as DNS uses UDP, so the
      UDP rule will match first).
    </para>
    </note>
    <para>
      If this is the first time you have used Coloring Rules, click on the New
      button which will bring up the Edit color filter dialog box as shown in
      <xref linkend="ChCustEditColorDialog"/>.
    </para>
    <figure id="ChCustEditColorDialog">
      <title>The "Edit Color Filter" dialog box</title>
      <graphic entityref="WiresharkEditColorDialog" format="PNG"/>
    </figure>
    <para>
      In the Edit Color dialog box, simply enter a name for the color filter,
      and enter a filter string in the Filter text field.
      <xref linkend="ChCustEditColorDialog"/> shows the values
    <command>arp</command> and <command>arp</command> which means that
    the name of the color filter is <command>arp</command> and the filter
    will select protocols of type <command>arp</command>.  Once you have
    entered these values, you can choose a foreground and background
    color for packets that match the filter expression.  Click on
    <command>Foreground color...</command> or
    <command>Background color...</command> to achieve this and
    Wireshark will pop up the Choose foreground/background color for
    protocol dialog box as shown in
    <xref linkend="ChCustChooseColorDialog"/>.
    </para>
    <figure id="ChCustChooseColorDialog">
      <title>The "Choose color" dialog box</title>
      <graphic entityref="WiresharkChooseColorDialog" format="PNG"/>
    </figure>
    <para>
      Select the color you desire for the selected packets and click on OK.
    </para>
    <note>
      <title>Note!</title>
      <para>
    You must select a color in the colorbar next to the colorwheel to
    load values into the RGB values. Alternatively, you can set the
    values to select the color you want.
      </para>
    </note>
    <para>
      <xref linkend="ChCustColorFilterMany"/> shows an example of several color
    filters being used in Wireshark. You may not like the color choices,
    however, feel free to choose your own.
    </para>
    <para>
    If you are uncertain which coloring rule actually took place for a
    specific packet, have a look at the [Coloring Rule Name: ...] and
    [Coloring Rule String: ...] fields.
    </para>
    <figure id="ChCustColorFilterMany">
      <title>Using color filters with Wireshark</title>
      <graphic entityref="WiresharkColoringFields" format="PNG"/>
    </figure>
  </section>

  <section id="ChCustProtocolDissectionSection">
    <title>Control Protocol dissection</title>
    <para>
        The user can control how protocols are dissected.
    </para>
    <para>
        Each protocol has its own dissector, so dissecting a complete packet will
        typically involve several dissectors. As Wireshark tries to find the
        right dissector for each packet (using static "routes" and heuristics
        "guessing"), it might choose the wrong dissector in your specific
        case. For example, Wireshark won't know if you use a common protocol
        on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
        the standard port 80.
    </para>
    <para>
        There are two ways to control the relations between protocol
        dissectors: disable a protocol dissector completely or temporarily
        divert the way Wireshark calls the dissectors.
    </para>
    <section id="ChAdvEnabledProtocols"><title>The "Enabled Protocols" dialog
    box</title>
    <para>
        The Enabled Protocols dialog box lets you enable or
        disable specific protocols; all protocols are enabled by default.
        When a protocol is disabled, Wireshark stops processing a packet
        whenever that protocol is encountered.
    </para>
    <note><title>Note!</title>
        <para>
        Disabling a protocol will prevent information about higher-layer
        protocols from being displayed.  For example,
        suppose you disabled the IP protocol and selected
        a packet containing Ethernet, IP, TCP, and HTTP
        information.  The Ethernet information would be
        displayed, but the IP, TCP and HTTP information
        would not - disabling IP would prevent it and
        the other protocols from being displayed.
        </para>
    </note>
        <para>
          To enable/disable protocols select the <command>Enabled Protocols...</command>
          item from the <command>Analyze</command> menu; Wireshark will pop up the "Enabled Protocols"
          dialog box as shown in <xref linkend="ChAdvEnabledProtocolsFig"/>.
        </para>
    <figure id="ChAdvEnabledProtocolsFig">
      <title>The "Enabled Protocols" dialog box</title>
      <graphic entityref="WiresharkEnabledProtocols" format="PNG"/>
    </figure>
    <para>
        To disable or enable a protocol, simply click on it using the
        mouse or press the space bar when the protocol is highlighted.
                Note that typing the first few letters
                of the protocol name when the Enabled Protocols dialog box is active
                will temporarily open a search text box and
                automatically select the first matching protocol name (if it exists).
    </para>
    <warning><title>Warning!</title>
        <para>
        You have to use the Save button to save your settings. The OK or Apply
        buttons will not save your changes permanently, so they will be lost
        when Wireshark is closed.
        </para>
    </warning>
    <para>
      You can choose from the following actions:
      <orderedlist>
    <listitem>
      <para>
        <command>Enable All</command>: Enable all protocols in the list.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Disable All</command>: Disable all protocols in the list.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Invert</command>: Toggle the state of all protocols in the
        list.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>OK</command>: Apply the changes and close the dialog box.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Apply</command>: Apply the changes and keep the dialog box
        open.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Save</command>: Save the settings to the disabled_protos, see
        <xref linkend="AppFiles"/> for details.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Cancel</command>: Cancel the changes and close the dialog box.
      </para>
    </listitem>
      </orderedlist>
    </para>
    </section>

    <section id="ChAdvDecodeAs"><title>User Specified Decodes</title>
    <para>
        The "Decode As" functionality let you temporarily divert specific
        protocol dissections. This might be useful for example, if you do some
        uncommon experiments on your network.
    </para>
        <para>
          Decode As is accessed by selecting the <command>Decode As...</command> item from
          the <command>Analyze</command> menu; Wireshark will pop up the "Decode As"
          dialog box as shown in <xref linkend="ChAdvDecodeAsFig"/>.
        </para>
    <para>
    <figure id="ChAdvDecodeAsFig">
      <title>The "Decode As" dialog box</title>
      <graphic scale="100" entityref="WiresharkDecodeAs" format="PNG"/>
    </figure>
    The content of this dialog box depends on the selected packet when it
    was opened.
    <warning><title>Warning!</title>
        <para>
        These settings will be lost if you quit Wireshark or change profile,
        unless you save the entries in the <command>Show User Specified Decodes...</command>
        windows (<xref linkend="ChAdvDecodeAsShow"/>).
        </para>
    </warning>
      <orderedlist>
    <listitem>
      <para>
        <command>Decode</command>: Decode packets the selected way.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Do not decode</command>: Do not decode packets the selected
        way.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Link/Network/Transport</command>: Specify the network layer
        at which "Decode As" should take place. Which of these pages are
        available depends on the content of the selected packet when this
        dialog box is opened.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Show Current</command>: Open a dialog box showing the
        current list of user specified decodes.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>OK</command>: Apply the currently selected decode and close
        the dialog box.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Apply</command>: Apply the currently selected decode and keep
        the dialog box open.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Cancel</command>: Cancel the changes and close the dialog box.
      </para>
    </listitem>
      </orderedlist>
    </para>
    </section>

    <section id="ChAdvDecodeAsShow"><title>Show User Specified Decodes</title>
    <para>
    This dialog box shows the currently active user specified decodes. These entries
    can be saved into current profile for later session.
    <figure id="ChAdvDecodeAsShowFig">
      <title>The "Decode As: Show" dialog box</title>
      <graphic entityref="WiresharkDecodeAsShow" format="PNG"/>
    </figure>
      <orderedlist>
    <listitem>
      <para>
        <command>OK</command>: Close this dialog box.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Save</command>: Save the entries in the table into current profile.
      </para>
    </listitem>
    <listitem>
      <para>
        <command>Clear</command>: Removes all user specified decodes without updating the profile.
      </para>
    </listitem>
      </orderedlist>
    </para>
  </section>
  </section>

  <section id="ChCustPreferencesSection"><title>Preferences</title>
    <para>
      There are a number of preferences you can set. Simply
      select the <command>Preferences...</command> menu item from
      the <command>Edit</command> menu; and Wireshark
      will pop up the Preferences dialog box as shown in
      <xref linkend="ChCustGUIPrefPage"/>, with the "User Interface" page as
      default. On the left side is a tree where you can select the page to be
      shown.
      <note><title>Note!</title>
      <para>
      Preference settings are added frequently. For a recent explanation of
      the preference pages and their settings have a look at the
      <command>Wireshark Wiki Preferences page</command> at <ulink
      url="&WiresharkWikiPreferencesPage;">&WiresharkWikiPreferencesPage;</ulink>.
      </para>
      </note>
      <warning>
        <title>Warning!</title>
        <para>
        The OK or Apply button will not save the preference settings,
        you'll have to save the settings by clicking the Save button.
        </para>
      </warning>
    <itemizedlist>
        <listitem>
          <para>
              The <command>OK</command> button will apply the preferences
            settings and close the dialog.
          </para>
        </listitem>
        <listitem>
          <para>
              The <command>Apply</command> button will apply the preferences
            settings and keep the dialog open.
          </para>
        </listitem>
        <listitem>
          <para>
              The <command>Save</command> button will apply the preferences
            settings, save the settings on the hard disk and keep the dialog open.
          </para>
        </listitem>
        <listitem>
          <para>
              The <command>Cancel</command> button will restore all preferences
            settings to the last saved state.
          </para>
        </listitem>
    </itemizedlist>
    </para>
    <figure id="ChCustGUIPrefPage">
      <title>The preferences dialog box</title>
      <graphic entityref="WiresharkGUIPreferences" format="PNG"/>
    </figure>

    <section id="ChCustInterfaceOptionsSection"><title>Interface Options</title>
    <para>
      In the Capture preferences it is possible to configure several options for the interfaces
      available on your computer. Select the <command>Capture</command> pane and press the
      Interfaces: <command>Edit</command> button.  In this window it is possible to change the
      default link-layer header type for the interface, add a comment or choose to hide a
      interface from other parts of the program.
    </para>
    <figure id="ChCustInterfaceOptionsPage">
      <title>The interface options dialog box</title>
      <graphic entityref="WiresharkGUIInterfaceOptions" format="PNG"/>
    </figure>
    <para>Each row contains options for each interface available on your computer.</para>
    <itemizedlist>
      <listitem>
    <para><command>Device</command>: the device name provided by the operating system.</para>
      </listitem>
      <listitem>
    <para><command>Description</command>: provided by the operating system.</para>
      </listitem>
      <listitem>
    <para><command>Default link-layer</command>: each interface may provide several
    link-layer header types. The default link-layer chosen here is the one used when you
    first start Wireshark.  It is also possible to change this value in
    <xref linkend="ChCapCaptureOptions"/> when you start a capture.
    For a detailed description, see <xref linkend="ChCapLinkLayerHeader"/>.</para>
      </listitem>
      <listitem>
    <para><command>Comment</command>: a user provided description of the interface.
    This comment will be used as a description instead of the operating system
    description.</para>
      </listitem>
      <listitem>
    <para><command>Hide?</command>: enable this option to hide the interface from other
    parts of the program.</para>
      </listitem>
    </itemizedlist>
    </section>
  </section>

  <section id="ChCustConfigProfilesSection"><title>Configuration Profiles</title>
    <para>
      Configuration Profiles can be used to configure and use more than one set of preferences
      and configurations. Select the <command>Configuration Profiles...</command> menu item from
      the <command>Edit</command> menu, or simply press Shift-Ctrl-A; and Wireshark will pop up the
      Configuration Profiles dialog box as shown in <xref linkend="ChCustGUIConfigProfilesPage"/>.
      It is also possible to click in the "Profile" part of the statusbar to popup a menu with
      available Configuration Profiles (<xref linkend="ChUseWiresharkStatusbarProfile"/>).
    </para>
    <para>
      Configuration files stored in the Profiles:
      <itemizedlist>
    <listitem>
      <para>
        Preferences (preferences) (<xref linkend="ChCustPreferencesSection"/>)
      </para>
    </listitem>
    <listitem>
      <para>
        Capture Filters (cfilters) (<xref linkend="ChWorkDefineFilterSection"/>)
      </para>
    </listitem>
    <listitem>
      <para>
        Display Filters (dfilters) (<xref linkend="ChWorkDefineFilterSection"/>)
      </para>
    </listitem>
    <listitem>
      <para>
        Coloring Rules (colorfilters) (<xref linkend="ChCustColorizationSection"/>)
      </para>
    </listitem>
    <listitem>
      <para>
        Disabled Protocols (disabled_protos) (<xref linkend="ChAdvEnabledProtocols"/>)
      </para>
    </listitem>
    <listitem>
      <para>
        User Accessible Tables:
        <itemizedlist>
          <listitem>
        <para>
          Custom HTTP headers (custom_http_header_fields)
        </para>
          </listitem>
          <listitem>
        <para>
          Custom IMF headers (imf_header_fields)
        </para>
          </listitem>
          <listitem>
        <para>
          Custom LDAP AttributeValue types (custom_ldap_attribute_types)
        </para>
          </listitem>
          <listitem>
        <para>
          Display Filter Macros (dfilter_macros) (<xref linkend="ChDisplayFilterMacrosSection"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          ESS Category Attributes (ess_category_attributes) (<xref linkend="ChEssCategoryAttributes"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          GeoIP Database Paths (geoip_db_paths) (<xref linkend="ChGeoIPDbPaths"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          K12 Protocols (k12_protos) (<xref linkend="ChK12ProtocolsSection"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          Object Identifier Names and Associated Syntaxes (<xref linkend="ChObjectIdentifiers"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          PRES Users Context List (pres_context_list) (<xref linkend="ChPresContextList"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          SCCP Users Table (sccp_users) (<xref linkend="ChSccpUsers"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          SNMP Enterprise Specific Trap Types (snmp_specific_traps) (<xref linkend="ChSNMPEnterpriseSpecificTrapTypes"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          SNMP Users (snmp_users) (<xref linkend="ChSNMPUsersSection"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          User DLTs Table (user_dlts) (<xref linkend="ChUserDLTsSection"/>)
        </para>
          </listitem>
          <listitem>
        <para>
          IKEv2 decryption table (ikev2_decryption_table) (<xref linkend="ChIKEv2DecryptionSection"/>)
        </para>
          </listitem>
        </itemizedlist>
      </para>
    </listitem>
    <listitem>
      <para>
        Changed dissector assignments (decode_as_entries), which can be set in <command>Decode As...</command>
        dialog box (<xref linkend="ChAdvDecodeAs"/>), and further saved in the <command>User Specified Decodes...</command>
        window (<xref linkend="ChAdvDecodeAsShow"/>).
      </para>
    </listitem>
    <listitem>
      <para>
        Some recent settings (recent), such as pane sizes in the Main window
        (<xref linkend="ChUseMainWindowSection"/>), column widths in the packet list
        (<xref linkend="ChUsePacketListPaneSection"/>), all selections in the "View" menu
        (<xref linkend="ChUseViewMenuSection"/>) and the last directory navigated to in the
        File Open dialog.
      </para>
    </listitem>
      </itemizedlist>
      <note><title>Other configurations</title>
      <para>
    All other configurations are stored in the personal configuration folder,
    and are common to all profiles.
      </para>
      </note>
    </para>
    <figure id="ChCustGUIConfigProfilesPage">
      <title>The configuration profiles dialog box</title>
      <graphic entityref="WiresharkGUIConfigProfiles" format="PNG"/>
    </figure>
    <para>
      <variablelist>
    <varlistentry><term><command>New</command></term>
    <listitem>
      <para>
        This button adds a new profile to the profiles list.  The name of the
        created profile is "New profile" and can be changed in the Properties field.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Copy</command></term>
    <listitem>
      <para>
        This button adds a new profile to the profiles list, copying all configuration
        from the profile currently selected in the list.  The name of the created
        profile is the same as the copied profile, with the text "(copy)" applied.
        The name can be changed in the Properties field.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Delete</command></term>
    <listitem>
      <para>
        This button deletes the selected profile, including all configuration
        files used in this profile.  It is not possible to delete the "Default" profile.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Configuration Profiles</command></term>
    <listitem>
      <para>
        You can select a configuration profile from this list (which will fill
        in the profile name in the fields down at the bottom of the dialog box).
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Profile name:</command></term>
    <listitem>
      <para>
        You can change the name of the currently selected profile here.
      </para>
      <note><title>Used as a folder name</title>
      <para>
        The profile name will be used as a folder name in the configured
        "Personal configurations" folder. If adding multiple profiles with the
        same name, only one profile will be created.
      </para>
      </note>
      <note><title>Illegal characters</title>
      <para>
        On Windows the profile name cannot start or end with a period (.), and cannot contain
        any of the following characters: <command>\ / : * ? " &lt; &gt; |</command>
      </para>
      <para>
        On Unix the profile name cannot contain the '<command>/</command>' character.
      </para>
      </note>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>OK</command></term>
    <listitem>
      <para>
        This button saves all changes, applies the selected profile and closes the dialog.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Apply</command></term>
    <listitem>
      <para>
        This button saves all changes, applies the selected profile and keeps the dialog open.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Cancel</command></term>
    <listitem>
      <para>
        Close this dialog. This will discard unsaved settings, new profiles will not be added
        and deleted profiles will not be deleted.
      </para>
    </listitem>
    </varlistentry>
    <varlistentry><term><command>Help</command></term>
    <listitem>
      <para>
        Show this help page.
      </para>
    </listitem>
    </varlistentry>
      </variablelist>
    </para>
  </section>
  <section id="ChUserTable"><title>User Table</title>
    <para>
      The User Table editor is used for managing various tables in wireshark. Its main dialog works
      very similarly to that of <xref linkend="ChCustColorizationSection"/>.
      </para>
  </section>


  <section id="ChDisplayFilterMacrosSection"><title>Display Filter Macros</title>
    <para>
    Display Filter Macros are a mechanism to create shortcuts for complex filters. For example defining a
    display filter macro named <command>tcp_conv</command> whose text is
    <command> ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or
    (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) ) </command>
    would allow to use a display filter like <command>${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}</command>
    instead of typing the whole filter.
      </para>
    <para>
    Display Filter Macros can be managed with a <xref linkend="ChUserTable"/> by selecting
    <command>Analyze &#x2192; Display Filter Macros</command> from the menu.
    The User Table has  the following fields
      </para>
            <variablelist>
      <varlistentry><term><command>Name</command></term>
      <listitem>
        <para>
            The name of the macro.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Text</command></term>
      <listitem>
        <para>
            The replacement text for the macro it uses $1, $2, $3, ... as the input arguments.
        </para>
      </listitem>
      </varlistentry>
      </variablelist>

  </section>


  <section id="ChEssCategoryAttributes"><title>ESS Category Attributes</title>
  <para>
    Wireshark uses this table to map ESS Security Category attributes to textual
    representations.  The values to put in this table are usually found in a
    <ulink url="http://www.xmlspif.org/">XML SPIF</ulink>, which is used for defining
    security labels.
  </para>
  <para>
    This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
  </para>
  <variablelist>
      <varlistentry><term><command>Tag Set</command></term>
      <listitem>
          <para>
            An Object Identifier representing the Category Tag Set.
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Value</command></term>
      <listitem>
          <para>
            The value (Label And Cert Value) representing the Category.
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Name</command></term>
      <listitem>
          <para>
            The textual representation for the value.
          </para>
      </listitem>
      </varlistentry>
  </variablelist>
  </section>

  <section id="ChGeoIPDbPaths"><title>GeoIP Database Paths</title>
    <para>
      If your copy of Wireshark supports <ulink url="http://www.maxmind.com/">MaxMind's</ulink> GeoIP library, you can use their databases to match IP addresses to countries, cites, autonomous system numbers, ISPs, and other bits of information. Some databases are <ulink url="http://www.maxmind.com/download/geoip/database/">available at no cost</ulink>, while others require a licensing fee. See <ulink url="http://www.maxmind.com/app/ip-location">the MaxMind web site</ulink> for more information.
    </para>
    <para>
     This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
    </para>
    <variablelist>
      <varlistentry><term><command>Database pathname</command></term>
        <listitem>
          <para>
            This specifies a directory containing GeoIP data files. Any files
            beginning with <filename>Geo</filename> and ending with
            <filename>.dat</filename> will be automatically loaded. A total of 8
            files can be loaded.
          </para>
          <para>
            The locations for your data files are up to you, but <filename class='directory'>/usr/share/GeoIP</filename> (Linux), <filename class='directory'>C:\GeoIP</filename> (Windows), <filename class='directory'>C:\Program Files\Wireshark\GeoIP</filename> (Windows) might be good choices.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

      <section id="ChIKEv2DecryptionSection"><title>IKEv2 decryption table</title>
    <para>
          Wireshark can decrypt Encrypted Payloads of IKEv2 (Internet Key Exchange version 2) packets if necessary information is provided.
          Note that you can decrypt only IKEv2 packets with this feature. If you want to decrypt IKEv1 packets or ESP packets,
          use Log Filename setting under ISAKMP protocol preference or settings under ESP protocol preference respectively.
   </para>
   <para>
         This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
      </para>
      <variablelist>
      <varlistentry><term><command>Initiator's SPI</command></term>
      <listitem>
        <para>
            Initiator's SPI of the IKE_SA. This field takes hexadecimal string without "0x" prefix
                        and the length must be 16 hex chars (represents 8 octets).
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Responder's SPI</command></term>
      <listitem>
        <para>
            Responder's SPI of the IKE_SA. This field takes hexadecimal string without "0x" prefix
                        and the length must be 16 hex chars (represents 8 octets).
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>SK_ei</command></term>
      <listitem>
        <para>
            Key used to encrypt/decrypt IKEv2 packets from initiator to responder.
                        This field takes hexadecimal string without "0x" prefix and its length
                        must meet the requirement of the encryption algorithm selected.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>SK_er</command></term>
      <listitem>
        <para>
            Key used to encrypt/decrypt IKEv2 packets from responder to initiator.
                        This field takes hexadecimal string without "0x" prefix and its length
                        must meet the requirement of the encryption algorithm selected.
        </para>
      </listitem>
      </varlistentry>
            <varlistentry><term><command>Encryption Algorithm</command></term>
      <listitem>
        <para>
            Encryption algorithm of the IKE_SA.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>SK_ai</command></term>
      <listitem>
        <para>
            Key used to calculate Integrity Checksum Data for IKEv2 packets from responder to initiator.
                        This field takes hexadecimal string without "0x" prefix and its length
                        must meet the requirement of the integrity algorithm selected.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>SK_ar</command></term>
      <listitem>
        <para>
            Key used to calculate Integrity Checksum Data for IKEv2 packets from initiator to responder.
                        This field takes hexadecimal string without "0x" prefix and its length
                        must meet the requirement of the integrity algorithm selected.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Integrity Algorithm</command></term>
      <listitem>
        <para>
            Integrity algorithm of the IKE_SA.
        </para>
      </listitem>
      </varlistentry>

      </variablelist>
  </section>

  <section id="ChObjectIdentifiers"><title>Object Identifiers</title>
  <para>
    Many protocols that use ASN.1 use Object Identifiers (OIDs) to uniquely identify certain pieces of information. In many cases, they are used in an extension mechanism so that new object identifiers (and associated values) may be defined without needing to change the base standard.
  </para>
  <para>
    Whilst Wireshark has knowledge about many of the OIDs and the syntax of their associated values, the extensibility means that other values may be encountered.
  </para>
  <para>
    Wireshark uses this table to allow the user to define the name and syntax of Object Identifiers that Wireshark does not know about (for example, a privately defined X.400 extension). It also allows the user to override the name and syntax of Object Identifiers that Wireshark does know about (e.g. changing the name "id-at-countryName" to just "c").
  </para>
  <para>
    This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
  </para>
  <variablelist>
      <varlistentry><term><command>OID</command></term>
      <listitem>
          <para>
        The string representation of the Object Identifier e.g. "2.5.4.6".
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Name</command></term>
      <listitem>
          <para>
        The name that should be displayed by Wireshark when the Object Identifier is dissected e.g. ("c");
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Syntax</command></term>
      <listitem>
          <para>
        The syntax of the value associated with the Object Identifier. This must be one of the syntaxes that Wireshark already knows about (e.g. "PrintableString").
          </para>
      </listitem>
      </varlistentry>
  </variablelist>
  </section>

  <section id="ChPresContextList"><title>PRES Users Context List</title>
  <para>
    Wireshark uses this table to map a presentation context identifier to a given object identifier when the
    capture does not contain a PRES package with a presentation context definition list for the conversation.
  </para>
  <para>
    This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
  </para>
  <variablelist>
      <varlistentry><term><command>Context Id</command></term>
      <listitem>
          <para>
            An Integer representing the presentation context identifier for which this association is valid.
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Syntax Name OID</command></term>
      <listitem>
          <para>
            The object identifier representing the abstract syntax name, which defines the protocol that is
        carried over this association.
          </para>
      </listitem>
      </varlistentry>
  </variablelist>
  </section>


      <section id="ChSccpUsers"><title>SCCP users Table</title>
    <para>
          Wireshark uses this table to map specific protocols to a certain DPC/SSN combination for SCCP.
   </para>
   <para>
         This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
      </para>
      <variablelist>
      <varlistentry><term><command>Network Indicator</command></term>
      <listitem>
        <para>
            An Integer representing the network indicator for which this association is valid.
        </para>
      </listitem>
      </varlistentry>

      <varlistentry><term><command>Called DPCs</command></term>
      <listitem>
        <para>
            An range of integers representing the dpcs for which this association is valid.
        </para>
      </listitem>
      </varlistentry>

      <varlistentry><term><command>Called SSNs</command></term>
      <listitem>
        <para>
            An range of integers representing the ssns for which this association is valid.
        </para>
      </listitem>
      </varlistentry>

      <varlistentry><term><command>User protocol</command></term>
      <listitem>
        <para>
            The protocol that is carried over this association
        </para>
      </listitem>
      </varlistentry>


      </variablelist>
  </section>


  <section id="ChSNMPSMIModules"><title>SMI (MIB and PIB) Modules</title>
    <para>
      If your copy of Wireshark supports libSMI, you can specify a list of MIB
      and PIB modules here. The COPS and SNMP dissectors can use them to resolve
      OIDs.
    </para>
    <variablelist>
      <varlistentry><term><command>Module name</command></term>
        <listitem>
          <para>
            The name of the module, e.g. <database>IF-MIB</database>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>


  <section id="ChSNMPSMIPaths"><title>SMI (MIB and PIB) Paths</title>
    <para>
      If your copy of Wireshark supports libSMI, you can specify one or more
      paths to MIB and PIB modules here.
    </para>
    <variablelist>
      <varlistentry><term><command>Directory name</command></term>
        <listitem>
          <para>
            A module directory, e.g. <filename
            class='directory'>/usr/local/snmp/mibs</filename>. Wireshark
            automatically uses the standard SMI path for your system, so you
            usually don't have to add anything here.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>


  <section id="ChSNMPEnterpriseSpecificTrapTypes"><title>SNMP Enterprise Specific Trap Types</title>
  <para>
    Wireshark uses this table to map specific-trap values to user defined descriptions in a Trap PDU.
    The description is shown in the packet details specific-trap element.
  </para>
  <para>
    This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
  </para>
  <variablelist>
      <varlistentry><term><command>Enterprise OID</command></term>
      <listitem>
          <para>
            The object identifier representing the object generating the trap.
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Trap Id</command></term>
      <listitem>
          <para>
            An Integer representing the specific-trap code.
          </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Description</command></term>
      <listitem>
          <para>
            The description to show in the packet details.
          </para>
      </listitem>
      </varlistentry>
  </variablelist>
  </section>

  <section id="ChSNMPUsersSection"><title>SNMP users Table</title>
    <para>
      Wireshark uses this table to verify authentication and to decrypt encrypted SNMPv3 packets.
    </para>
    <para>
     This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
    </para>
    <variablelist>
      <varlistentry><term><command>Engine ID</command></term>
        <listitem>
          <para>
            If given this entry will be used only for packets whose engine id is this.
            This field takes an hexadecimal string in the form 0102030405.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Username</command></term>
        <listitem>
          <para>
            This is the userName. When a single user has more than one password
            for different SNMP-engines the first entry to match both is taken, if you
            need a catch all engine-id (empty) that entry should be the last one.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Authentication model</command></term>
        <listitem>
          <para>
            Which auth model to use (either "MD5" or "SHA1").
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Password</command></term>
        <listitem>
          <para>
            The authentication password. Use '\xDD' for unprintable characters.
            An hexadecimal password must be entered as a sequence of '\xDD' characters.
            For example the hex password 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'.
            The '\' character must be treated as an unprintable character, i.e.
            it must be entered as '\x5C' or '\x5c'.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Privacy protocol</command></term>
        <listitem>
          <para>
            Which encryption algorithm to use (either "DES" or "AES").
          </para>
        </listitem>
      </varlistentry>
      <varlistentry><term><command>Privacy password</command></term>
        <listitem>
          <para>
            The privacy password. Use '\xDD' for unprintable characters.
            An hexadecimal password must be entered as a sequence of '\xDD' characters.
            For example the hex password 010203040506 must be entered as '\x01\x02\x03\x04\x05\x06'.
            The '\' character must be treated as an unprintable character, i.e.
            it must be entered as '\x5C' or '\x5c'.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

    <section id="ChK12ProtocolsSection"><title>Tektronix K12xx/15 RF5 protocols Table</title>
    <para>
    The Tektronix K12xx/15 rf5 file format uses helper files (*.stk) to identify the various protocols that are
    used by a certain interface. Wireshark doesn't read these stk files, it uses a table that helps it identify
    which lowest layer protocol to use.
   </para>
   <para>
         Stk file to protocol matching is handled by an <xref linkend="ChUserTable"/> with the following fields.
      </para>
      <variablelist>
      <varlistentry><term><command>Match string</command></term>
      <listitem>
        <para>
           A partial match for an stk filename, the first match wins, so if you have a specific case and a
           general one the specific one must appear first in the list.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Protocol</command></term>
      <listitem>
        <para>
            This is the name of the encapsulating protocol (the lowest layer in the packet data) it can be either
            just the name of the protocol (e.g. mtp2, eth_witoutfcs, sscf-nni ) or the name of the encapsulation
            protocol and the "application" protocol over it separated by a colon (e.g sscop:sscf-nni, sscop:alcap, sscop:nbap, ...)
        </para>
      </listitem>
      </varlistentry>
      </variablelist>
  </section>

      <section id="ChUserDLTsSection"><title>User DLTs protocol table</title>
    <para>
          When a pcap file uses one of the user DLTs (147 to 162) wireshark uses this table to know which protocol(s) to use for each user DLT.
   </para>
   <para>
         This table is handled by an <xref linkend="ChUserTable"/> with the following fields.
      </para>
      <variablelist>
      <varlistentry><term><command>DLT</command></term>
      <listitem>
        <para>
            One of the user dlts.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Payload protocol</command></term>
      <listitem>
        <para>
            This is the name of the payload protocol (the lowest layer in the packet data). (e.g. "eth" for ethernet, "ip" for IPv4)
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Header size</command></term>
      <listitem>
        <para>
            If there is a header protocol (before the payload protocol) this tells which size this header is. A value of 0 disables the header protocol.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Header protocol</command></term>
      <listitem>
        <para>
            The name of the header protocol to be used (uses "data" as default).
        </para>
      </listitem>
      </varlistentry>
            <varlistentry><term><command>Trailer size</command></term>
      <listitem>
        <para>
            If there is a trailer protocol (after the payload protocol) this tells which size this trailer is. A value of 0 disables the trailer protocol.
        </para>
      </listitem>
      </varlistentry>
      <varlistentry><term><command>Trailer protocol</command></term>
      <listitem>
        <para>
            The name of the trailer protocol to be used (uses "data" as default).
        </para>
      </listitem>
      </varlistentry>

      </variablelist>
  </section>

</chapter>
<!-- End of WSUG Chapter Customizing -->