| blob | bc3da31059362b1aaf00d46169ec1e8ac5531781 |
1 <!-- WSUG Chapter Work -->
2 <!-- $Id$ -->
4 <chapter id="ChapterWork">
5 <title>Working with captured packets</title>
7 <section id="ChWorkViewPacketsSection">
8 <title>Viewing packets you have captured</title>
9 <para>
10 Once you have captured some packets, or you have opened a previously
11 saved capture file, you can view the packets that are displayed in
12 the packet list pane by simply clicking on a packet in the
13 packet list pane, which will bring up the selected packet in the
14 tree view and byte view panes.
15 </para>
16 <para>
17 You can then expand any part of the tree view by clicking on the
18 <command>plus</command> sign (the symbol itself may vary) to the left of
19 that part of the payload,
20 and you can select individual fields by clicking on them in the tree
21 view pane. An example with a TCP packet selected is shown in
22 <xref linkend="ChWorkSelPack1"/>. It also has the Acknowledgment number
23 in the TCP header selected, which shows up in the byte view as the
24 selected bytes.
25 <figure id="ChWorkSelPack1">
26 <title>Wireshark with a TCP packet selected for viewing</title>
27 <graphic entityref="WiresharkPacketSelected1" format="PNG"/>
28 </figure>
29 </para>
30 <para>
31 You can also select and view packets the same way, while Wireshark is
32 capturing, if you selected "Update list of packets in real time" in the
33 Wireshark Capture Preferences dialog box.
34 </para>
35 <para>
36 In addition, you can view individual packets in a separate window as
37 shown in <xref linkend="ChWorkPacketSepView"/>. Do this by selecting the
38 packet in which you are interested in the packet list pane, and then
39 select "Show Packet in New Windows" from the Display menu. This
40 allows you to easily compare two or even more packets.
41 <figure id="ChWorkPacketSepView">
42 <title>Viewing a packet in a separate window</title>
43 <graphic entityref="WiresharkPacketSepView" format="PNG"/>
44 </figure>
45 </para>
46 </section>
48 <section id="ChWorkDisplayPopUpSection"><title>Pop-up menus</title>
49 <para>
50 You can bring up a pop-up menu over either the "Packet List", its
51 column header, or
52 "Packet Details" pane by clicking your right mouse button at the
53 corresponding pane.
54 </para>
56 <section id="ChWorkColumnHeaderPopUpMenuSection">
57 <title>Pop-up menu of the "Packet List" column header</title>
58 <para>
59 <figure id="ChWorkColumnHeaderPopUpMenu">
60 <title>Pop-up menu of the "Packet List" column header</title>
61 <graphic entityref="WiresharkColumnHeaderPopupMenu" format="PNG"/>
62 </figure>
63 </para>
64 <para>
65 The following table gives an overview of which functions are available
66 in this header, where to find the corresponding function in the main menu,
67 and a short description of each item.
68 </para>
69 <table id="ColumnHeaderPopupMenuTable">
70 <title>The menu items of the "Packet List" column header pop-up menu</title>
71 <tgroup cols="3">
72 <colspec colnum="1" colwidth="80pt"/>
73 <colspec colnum="2" colwidth="80pt"/>
74 <thead>
75 <row>
76 <entry>Item</entry>
77 <entry>Identical to main menu's item:</entry>
78 <entry>Description</entry>
79 </row>
80 </thead>
81 <tbody>
82 <row>
83 <entry><command>Sort Ascending</command></entry>
84 <entry></entry>
85 <entry>
86 <para>
87 Sort the packet list in ascending order based on this column.
88 </para>
89 </entry>
90 </row>
91 <row>
92 <entry><command>Sort Descending</command></entry>
93 <entry></entry>
94 <entry>
95 <para>
96 Sort the packet list in descending order based on this column.
97 </para>
98 </entry>
99 </row>
100 <row>
101 <entry><command>No Sort</command></entry>
102 <entry></entry>
103 <entry>
104 <para>
105 Remove sorting order based on this column.
106 </para>
107 </entry>
108 </row>
109 <row>
110 <entry>-----</entry>
111 <entry></entry>
112 <entry></entry>
113 </row>
114 <row>
115 <entry><command>Align Left</command></entry>
116 <entry></entry>
117 <entry>
118 <para>
119 Set left alignment of the values in this column.
120 </para>
121 </entry>
122 </row>
123 <row>
124 <entry><command>Align Center</command></entry>
125 <entry></entry>
126 <entry>
127 <para>
128 Set center alignment of the values in this column.
129 </para>
130 </entry>
131 </row>
132 <row>
133 <entry><command>Align Right</command></entry>
134 <entry></entry>
135 <entry>
136 <para>
137 Set right alignment of the values in this column.
138 </para>
139 </entry>
140 </row>
141 <row>
142 <entry>-----</entry>
143 <entry></entry>
144 <entry></entry>
145 </row>
146 <row>
147 <entry><command>Column Preferences...</command></entry>
148 <entry></entry>
149 <entry>
150 <para>
151 Open the Preferences dialog box on the column tab.
152 </para>
153 </entry>
154 </row>
155 <row>
156 <entry><command>Resize Column</command></entry>
157 <entry></entry>
158 <entry>
159 <para>
160 Resize the column to fit the values.
161 </para>
162 </entry>
163 </row>
164 <row>
165 <entry><command>Rename Column Title</command></entry>
166 <entry></entry>
167 <entry>
168 <para>
169 Allows you to change the title of the column header.
170 </para>
171 </entry>
172 </row>
173 <row>
174 <entry>-----</entry>
175 <entry></entry>
176 <entry></entry>
177 </row>
178 <row>
179 <entry><command>Displayed Column</command></entry>
180 <entry>View</entry>
181 <entry>
182 <para>
183 This menu items folds out with a list of all configured columns.
184 These columns can now be shown or hidden in the packet list.
185 </para>
186 </entry>
187 </row>
188 <row>
189 <entry><command>Hide Column</command></entry>
190 <entry></entry>
191 <entry>
192 <para>
193 Allows you to hide the column from the packet list.
194 </para>
195 </entry>
196 </row>
197 <row>
198 <entry><command>Remove Column</command></entry>
199 <entry></entry>
200 <entry>
201 <para>
202 Allows you to remove the column from the packet list.
203 </para>
204 </entry>
205 </row>
206 </tbody>
207 </tgroup>
208 </table>
209 </section>
211 <section id="ChWorkPacketListPanePopUpMenuSection">
212 <title>Pop-up menu of the "Packet List" pane</title>
213 <para>
214 <figure id="ChWorkPacketListPanePopUpMenu">
215 <title>Pop-up menu of the "Packet List" pane</title>
216 <graphic entityref="WiresharkPacketPanePopupMenu" format="PNG"/>
217 </figure>
218 </para>
219 <para>
220 The following table gives an overview of which functions are available
221 in this pane, where to find the corresponding function in the main menu,
222 and a short description of each item.
223 </para>
224 <table id="PacketListPopupMenuTable">
225 <title>The menu items of the "Packet List" pop-up menu</title>
226 <tgroup cols="3">
227 <colspec colnum="1" colwidth="80pt"/>
228 <colspec colnum="2" colwidth="80pt"/>
229 <thead>
230 <row>
231 <entry>Item</entry>
232 <entry>Identical to main menu's item:</entry>
233 <entry>Description</entry>
234 </row>
235 </thead>
236 <tbody>
237 <row>
238 <entry><command>Mark Packet (toggle)</command></entry>
239 <entry>Edit</entry>
240 <entry>
241 <para>
242 Mark/unmark a packet.
243 </para>
244 </entry>
245 </row>
246 <row>
247 <entry><command>Ignore Packet (toggle)</command></entry>
248 <entry>Edit</entry>
249 <entry>
250 <para>
251 Ignore or inspect this packet while dissecting the capture file.
252 </para>
253 </entry>
254 </row>
255 <row>
256 <entry><command>Set Time Reference (toggle)</command></entry>
257 <entry>Edit</entry>
258 <entry>
259 <para>
260 Set/reset a time reference.
261 </para>
262 </entry>
263 </row>
264 <row>
265 <entry><command>Manually Resolve Address</command></entry>
266 <entry></entry>
267 <entry>
268 <para>
269 Allows you to enter a name to resolve for the selected address.
270 </para>
271 </entry>
272 </row>
273 <row>
274 <entry>-----</entry>
275 <entry></entry>
276 <entry></entry>
277 </row>
278 <row>
279 <entry><command>Apply as Filter</command></entry>
280 <entry>Analyze</entry>
281 <entry>
282 <para>
283 Prepare and apply a display filter based on the currently selected
284 item.
285 </para>
286 </entry>
287 </row>
288 <row>
289 <entry><command>Prepare a Filter</command></entry>
290 <entry>Analyze</entry>
291 <entry>
292 <para>
293 Prepare a display filter based on the currently selected item.
294 </para>
295 </entry>
296 </row>
297 <row>
298 <entry><command>Conversation Filter</command></entry>
299 <entry>-</entry>
300 <entry>
301 <para>
302 This menu item applies a display filter with the address information
303 from the selected packet. E.g. the IP menu entry will set a filter
304 to show the traffic between the two IP addresses of the current
305 packet.
306 XXX - add a new section describing this better.
307 </para>
308 </entry>
309 </row>
310 <row>
311 <entry><command>Colorize Conversation</command></entry>
312 <entry>-</entry>
313 <entry>
314 <para>
315 This menu item uses a display filter with the address information
316 from the selected packet to build a new colorizing rule.
317 </para>
318 </entry>
319 </row>
320 <row>
321 <entry><command>SCTP</command></entry>
322 <entry>-</entry>
323 <entry>
324 <para>
325 Allows you to analyze and prepare a filter for this SCTP association.
326 </para>
327 </entry>
328 </row>
329 <row>
330 <entry><command>Follow TCP Stream</command></entry>
331 <entry>Analyze</entry>
332 <entry>
333 <para>
334 Allows you to view all the data on a TCP
335 stream between a pair of nodes.
336 </para>
337 </entry>
338 </row>
339 <row>
340 <entry><command>Follow UDP Stream</command></entry>
341 <entry>Analyze</entry>
342 <entry>
343 <para>
344 Allows you to view all the data on a UDP datagram
345 stream between a pair of nodes.
346 </para>
347 </entry>
348 </row>
349 <row>
350 <entry><command>Follow SSL Stream</command></entry>
351 <entry>Analyze</entry>
352 <entry>
353 <para>
354 Same as "Follow TCP Stream" but for SSL.
355 XXX - add a new section describing this better.
356 </para>
357 </entry>
358 </row>
359 <row>
360 <entry>-----</entry>
361 <entry></entry>
362 <entry></entry>
363 </row>
364 <row>
365 <entry><command>Copy/ Summary (Text)</command></entry>
366 <entry>-</entry>
367 <entry>
368 <para>
369 Copy the summary fields as displayed to the clipboard, as tab-separated text.
370 </para>
371 </entry>
372 </row>
373 <row>
374 <entry><command>Copy/ Summary (CSV)</command></entry>
375 <entry>-</entry>
376 <entry>
377 <para>
378 Copy the summary fields as displayed to the clipboard, as comma-separated text.
379 </para>
380 </entry>
381 </row>
382 <row>
383 <entry><command>Copy/ As Filter</command></entry>
384 <entry></entry>
385 <entry>
386 <para>
387 Prepare a display filter based on the currently selected item
388 and copy that filter to the clipboard.
389 </para>
390 </entry>
391 </row>
392 <row>
393 <entry><command>Copy/ Bytes (Offset Hex Text)</command></entry>
394 <entry>-</entry>
395 <entry>
396 <para>
397 Copy the packet bytes to the clipboard in hexdump-like format.
398 </para>
399 </entry>
400 </row>
401 <row>
402 <entry><command>Copy/ Bytes (Offset Hex)</command></entry>
403 <entry>-</entry>
404 <entry>
405 <para>
406 Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion.
407 </para>
408 </entry>
409 </row>
410 <row>
411 <entry><command>Copy/ Bytes (Printable Text Only)</command></entry>
412 <entry>-</entry>
413 <entry>
414 <para>
415 Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters.
416 </para>
417 </entry>
418 </row>
419 <row>
420 <entry><command>Copy/ Bytes (Hex Stream)</command></entry>
421 <entry>-</entry>
422 <entry>
423 <para>
424 Copy the packet bytes to the clipboard as an unpunctuated list of hex digits.
425 </para>
426 </entry>
427 </row>
428 <row>
429 <entry><command>Copy/ Bytes (Binary Stream)</command></entry>
430 <entry>-</entry>
431 <entry>
432 <para>
433 Copy the packet bytes to the clipboard as raw binary. The data is stored in the
434 clipboard as MIME-type "application/octet-stream".</para>
435 </entry>
436 </row>
437 <row>
438 <entry>-----</entry>
439 <entry></entry>
440 <entry></entry>
441 </row>
442 <row>
443 <entry><command>Decode As...</command></entry>
444 <entry>Analyze</entry>
445 <entry>
446 <para>
447 Change or apply a new relation between two dissectors.
448 </para>
449 </entry>
450 </row>
451 <row>
452 <entry><command>Print...</command></entry>
453 <entry>File</entry>
454 <entry>
455 <para>
456 Print packets.
457 </para>
458 </entry>
459 </row>
460 <row>
461 <entry><command>Show Packet in New Window</command></entry>
462 <entry>View</entry>
463 <entry>
464 <para>
465 Display the selected packet in a new window.
466 </para>
467 </entry>
468 </row>
469 </tbody>
470 </tgroup>
471 </table>
472 </section>
474 <section id="ChWorkPacketDetailsPanePopUpMenuSection">
475 <title>Pop-up menu of the "Packet Details" pane</title>
476 <para>
477 <figure id="ChWorkPacketDetailsPanePopUpMenu">
478 <title>Pop-up menu of the "Packet Details" pane</title>
479 <graphic entityref="WiresharkDetailsPanePopupMenu" format="PNG"/>
480 </figure>
481 </para>
482 <para>
483 The following table gives an overview of which functions are available
484 in this pane, where to find the corresponding function in the main menu,
485 and a short description of each item.
486 </para>
487 <table id="PacketDetailsPopupMenuTable">
488 <title>The menu items of the "Packet Details" pop-up menu</title>
489 <tgroup cols="3">
490 <colspec colnum="1" colwidth="80pt"/>
491 <colspec colnum="2" colwidth="80pt"/>
492 <thead>
493 <row>
494 <entry>Item</entry>
495 <entry>Identical to main menu's item:</entry>
496 <entry>Description</entry>
497 </row>
498 </thead>
499 <tbody>
500 <row>
501 <entry><command>Expand Subtrees</command></entry>
502 <entry>View</entry>
503 <entry>
504 <para>
505 Expand the currently selected subtree.
506 </para>
507 </entry>
508 </row>
509 <row>
510 <entry><command>Collapse Subtrees</command></entry>
511 <entry>View</entry>
512 <entry>
513 <para>
514 Collapse the currently selected subtree.
515 </para>
516 </entry>
517 </row>
518 <row>
519 <entry><command>Expand All</command></entry>
520 <entry>View</entry>
521 <entry>
522 <para>
523 Expand all subtrees in all packets in the capture.
524 </para>
525 </entry>
526 </row>
527 <row>
528 <entry><command>Collapse All</command></entry>
529 <entry>View</entry>
530 <entry>
531 <para>
532 Wireshark keeps a list of all the protocol subtrees that are
533 expanded, and uses it to ensure that the correct subtrees
534 are expanded when you display a packet. This menu item
535 collapses the tree view of all packets in the capture list.
536 </para>
537 </entry>
538 </row>
539 <row>
540 <entry>-----</entry>
541 <entry></entry>
542 <entry></entry>
543 </row>
544 <row>
545 <entry><command>Apply as Column</command></entry>
546 <entry></entry>
547 <entry>
548 <para>
549 Use the selected protocol item to create a new column in the packet list.
550 </para>
551 </entry>
552 </row>
553 <row>
554 <entry>-----</entry>
555 <entry></entry>
556 <entry></entry>
557 </row>
558 <row>
559 <entry><command>Apply as Filter</command></entry>
560 <entry>Analyze</entry>
561 <entry>
562 <para>
563 Prepare and apply a display filter based on the currently selected
564 item.
565 </para>
566 </entry>
567 </row>
568 <row>
569 <entry><command>Prepare a Filter</command></entry>
570 <entry>Analyze</entry>
571 <entry>
572 <para>
573 Prepare a display filter based on the currently selected item.
574 </para>
575 </entry>
576 </row>
577 <row>
578 <entry><command>Colorize with Filter</command></entry>
579 <entry>-</entry>
580 <entry>
581 <para>
582 This menu item uses a display filter with the information
583 from the selected protocol item to build a new colorizing rule.
584 </para>
585 </entry>
586 </row>
587 <row>
588 <entry><command>Follow TCP Stream</command></entry>
589 <entry>Analyze</entry>
590 <entry>
591 <para>
592 Allows you to view all the data on a TCP
593 stream between a pair of nodes.
594 </para>
595 </entry>
596 </row>
597 <row>
598 <entry><command>Follow UDP Stream</command></entry>
599 <entry>Analyze</entry>
600 <entry>
601 <para>
602 Allows you to view all the data on a UDP datagram
603 stream between a pair of nodes.
604 </para>
605 </entry>
606 </row>
607 <row>
608 <entry><command>Follow SSL Stream</command></entry>
609 <entry>Analyze</entry>
610 <entry>
611 <para>
612 Same as "Follow TCP Stream" but for SSL.
613 XXX - add a new section describing this better.
614 </para>
615 </entry>
616 </row>
617 <row>
618 <entry>-----</entry>
619 <entry></entry>
620 <entry></entry>
621 </row>
622 <row>
623 <entry><command>Copy/ Description</command></entry>
624 <entry>Edit</entry>
625 <entry>
626 <para>
627 Copy the displayed text of the selected field to the system
628 clipboard.
629 </para>
630 </entry>
631 </row>
632 <row>
633 <entry><command>Copy/ Fieldname</command></entry>
634 <entry>Edit</entry>
635 <entry>
636 <para>
637 Copy the name of the selected field to the system clipboard.
638 </para>
639 </entry>
640 </row>
641 <row>
642 <entry><command>Copy/ Value</command></entry>
643 <entry>Edit</entry>
644 <entry>
645 <para>
646 Copy the value of the selected field to the system clipboard.
647 </para>
648 </entry>
649 </row>
650 <row>
651 <entry><command>Copy/ As Filter</command></entry>
652 <entry>Edit</entry>
653 <entry>
654 <para>
655 Prepare a display filter based on the currently selected item
656 and copy it to the clipboard.
657 </para>
658 </entry>
659 </row>
660 <row>
661 <entry><command>Copy/ Bytes (Offset Hex Text)</command></entry>
662 <entry>-</entry>
663 <entry>
664 <para>
665 Copy the packet bytes to the clipboard in hexdump-like format; similar to the Packet List Pane
666 command, but copies only the bytes relevant to the selected part of the tree (the bytes selected
667 in the Packet Bytes Pane).
668 </para>
669 </entry>
670 </row>
671 <row>
672 <entry><command>Copy/ Bytes (Offset Hex)</command></entry>
673 <entry>-</entry>
674 <entry>
675 <para>
676 Copy the packet bytes to the clipboard in hexdump-like format, but without the text portion; similar to the Packet List Pane
677 command, but copies only the bytes relevant to the selected part of the tree (the bytes selected
678 in the Packet Bytes Pane).
679 </para>
680 </entry>
681 </row>
682 <row>
683 <entry><command>Copy/ Bytes (Printable Text Only)</command></entry>
684 <entry>-</entry>
685 <entry>
686 <para>
687 Copy the packet bytes to the clipboard as ASCII text, excluding non-printable characters; similar to the Packet List Pane
688 command, but copies only the bytes relevant to the selected part of the tree (the bytes selected
689 in the Packet Bytes Pane).
690 </para>
691 </entry>
692 </row>
693 <row>
694 <entry><command>Copy/ Bytes (Hex Stream)</command></entry>
695 <entry>-</entry>
696 <entry>
697 <para>
698 Copy the packet bytes to the clipboard as an unpunctuated list of hex digits; similar to the Packet List Pane
699 command, but copies only the bytes relevant to the selected part of the tree (the bytes selected
700 in the Packet Bytes Pane).
701 </para>
702 </entry>
703 </row>
704 <row>
705 <entry><command>Copy/ Bytes (Binary Stream)</command></entry>
706 <entry>-</entry>
707 <entry>
708 <para>
709 Copy the packet bytes to the clipboard as raw binary; similar to the Packet List Pane
710 command, but copies only the bytes relevant to the selected part of the tree (the bytes selected
711 in the Packet Bytes Pane). The data is stored in the
712 clipboard as MIME-type "application/octet-stream".</para>
713 </entry>
714 </row>
715 <row>
716 <entry><command>Export Selected Packet Bytes...</command></entry>
717 <entry>File</entry>
718 <entry>
719 <para>
720 This menu item is the same as the File menu item of the same
721 name. It allows you to export raw packet bytes to a binary file.
722 </para>
723 </entry>
724 </row>
725 <row>
726 <entry>-----</entry>
727 <entry></entry>
728 <entry></entry>
729 </row>
730 <row>
731 <entry><command>Wiki Protocol Page</command></entry>
732 <entry>-</entry>
733 <entry>
734 <para>
735 Show the wiki page corresponding to the currently selected protocol
736 in your web browser.
737 </para>
738 </entry>
739 </row>
740 <row>
741 <entry><command>Filter Field Reference</command></entry>
742 <entry>-</entry>
743 <entry>
744 <para>
745 Show the filter field reference web page corresponding to the
746 currently selected protocol in your web browser.
747 </para>
748 </entry>
749 </row>
750 <row>
751 <entry><command>Protocol Preferences...</command></entry>
752 <entry>-</entry>
753 <entry>
754 <para>
755 The menu item takes you to the properties dialog and selects the
756 page corresponding to the protocol if there are properties
757 associated with the highlighted field.
758 More information on preferences can be found in
759 <xref linkend="ChCustGUIPrefPage"/>.
760 </para>
761 </entry>
762 </row>
763 <row>
764 <entry>-----</entry>
765 <entry></entry>
766 <entry></entry>
767 </row>
768 <row>
769 <entry><command>Decode As...</command></entry>
770 <entry>Analyze</entry>
771 <entry>
772 <para>
773 Change or apply a new relation between two dissectors.
774 </para>
775 </entry>
776 </row>
777 <row>
778 <entry><command>Disable Protocol</command></entry>
779 <entry></entry>
780 <entry>
781 <para>
782 Allows you to temporarily disable a protocol dissector, which may
783 be blocking the legitimate dissector.
784 </para>
785 </entry>
786 </row>
787 <row>
788 <entry><command>Resolve Name</command></entry>
789 <entry>View</entry>
790 <entry>
791 <para>
792 Causes a name resolution to be performed for
793 the selected packet, but NOT every packet in the capture.
794 </para>
795 </entry>
796 </row>
797 <row>
798 <entry><command>Go to Corresponding Packet</command></entry>
799 <entry>Go</entry>
800 <entry>
801 <para>
802 If the selected field has a corresponding packet, go to it.
803 Corresponding packets will usually be a request/response packet pair
804 or such.
805 </para>
806 </entry>
807 </row>
808 </tbody>
809 </tgroup>
810 </table>
811 </section>
813 </section>
815 <section id="ChWorkDisplayFilterSection">
816 <title>Filtering packets while viewing</title>
817 <para>
818 Wireshark has two filtering languages: One used when capturing
819 packets, and one used when displaying packets. In this section we
820 explore that second type of filter: Display filters. The first one
821 has already been dealt with in
822 <xref linkend="ChCapCaptureFilterSection"/>.
823 </para>
824 <para>
825 Display filters allow you to concentrate on the packets you are
826 interested in while hiding the currently uninteresting ones. They allow
827 you to select packets by:
828 <itemizedlist>
829 <listitem><para>Protocol</para></listitem>
830 <listitem><para>The presence of a field</para></listitem>
831 <listitem><para>The values of fields</para></listitem>
832 <listitem><para>A comparison between fields</para></listitem>
833 <listitem><para>... and a lot more!</para></listitem>
834 </itemizedlist>
835 </para>
836 <para>
837 To select packets based on protocol type, simply type the protocol in which you
838 are interested in the <command>Filter:</command> field in the filter
839 toolbar of the Wireshark window and press enter to initiate
840 the filter. <xref linkend="ChWorkTCPFilter"/> shows an example of what
841 happens when you type <command>tcp</command> in the filter field.
842 </para>
843 <note>
844 <title>Note!</title>
845 <para>
846 All protocol and field names are entered in lowercase. Also, don't
847 forget to press enter after entering the filter expression.
848 </para>
849 </note>
850 <figure id="ChWorkTCPFilter"><title>Filtering on the TCP protocol</title>
851 <graphic entityref="WiresharkFilterTCP" format="JPG"/>
852 </figure>
853 <para>
854 As you might have noticed, only packets of the TCP protocol are displayed
855 now (e.g. packets 1-10 are hidden). The packet numbering will remain as
856 before, so the first packet shown is now packet number 11.
857 </para>
858 <note>
859 <title>Note!</title>
860 <para>
861 When using a display filter, all packets remain in the capture file.
862 The display filter only changes the display of the capture file but
863 not its content!
864 </para>
865 </note>
866 <para>
867 You can filter on any protocol that Wireshark understands.
868 You can also filter on any field that a dissector adds to the tree
869 view, but only if the dissector has added an abbreviation for the
870 field. A list of such fields is available in Wireshark in the
871 <command>Add Expression...</command> dialog box. You can find more
872 information on the <command>Add Expression...</command> dialog box
873 in <xref linkend="ChWorkFilterAddExpressionSection"/>.
874 </para>
875 <para>
876 For example, to narrow the packet list pane down to only those
877 packets to or from the IP address 192.168.0.1, use
878 <command>ip.addr==192.168.0.1</command>.
879 </para>
880 <note>
881 <title>Note!</title>
882 <para>
883 To remove the filter, click on the <command>Clear</command> button
884 to the right of the filter field.
885 </para>
886 </note>
887 </section>
889 <section id="ChWorkBuildDisplayFilterSection">
890 <title>Building display filter expressions</title>
891 <para>
892 Wireshark provides a simple but powerful display filter language that allows you
893 to build quite complex filter expressions. You can compare
894 values in packets as well as combine expressions into more
895 specific expressions. The following sections provide more
896 information on doing this.
897 </para>
898 <tip>
899 <title>Tip!</title>
900 <para>
901 You will find a lot of Display Filter examples at the <command>Wireshark
902 Wiki Display Filter page</command> at <ulink
903 url="&WiresharkWikiDisplayFiltersPage;">&WiresharkWikiDisplayFiltersPage;</ulink>.
904 </para>
905 </tip>
906 <section>
907 <title>Display filter fields</title>
908 <para>
909 Every field in the packet details pane can be used as a filter
910 string, this will result in showing only the packets where this field
911 exists. For example: the
912 filter string: <command>tcp</command> will show all packets containing the
913 tcp protocol.
914 </para>
915 <para>
916 There is a complete list of all filter fields available
917 through the menu item "Help/Supported Protocols" in the page "Display Filter
918 Fields" of the Supported Protocols dialog.
919 </para>
920 <para>
921 XXX - add some more info here and a link to the statusbar info.
922 </para>
923 </section>
924 <section>
925 <title>Comparing values</title>
926 <para>
927 You can build display filters that compare values using a number
928 of different comparison operators. They are shown in
929 <xref linkend="DispCompOps"/>.
930 </para>
931 <tip><title>Tip!</title>
932 <para>
933 You can use English and C-like terms in the same way, they can even be
934 mixed in a filter string!
935 </para>
936 </tip>
937 <table id="DispCompOps">
938 <title>Display Filter comparison operators</title>
939 <tgroup cols="3">
940 <colspec colnum="1" colwidth="50pt"/>
941 <colspec colnum="2" colwidth="50pt"/>
942 <thead>
943 <row>
944 <entry>English</entry>
945 <entry>C-like</entry>
946 <entry>Description and example</entry>
947 </row>
948 </thead>
949 <tbody>
950 <row>
951 <entry>eq</entry>
952 <entry><programlisting>==</programlisting></entry>
953 <entry><para>
954 <command>Equal</command></para><para>
955 <programlisting>ip.src==10.0.0.5</programlisting>
956 </para></entry>
957 </row>
958 <row>
959 <entry>ne</entry>
960 <entry><programlisting>!=</programlisting></entry>
961 <entry><para>
962 <command>Not equal</command></para><para>
963 <programlisting>ip.src!=10.0.0.5</programlisting>
964 </para></entry>
965 </row>
966 <row>
967 <entry>gt</entry>
968 <entry><programlisting>></programlisting></entry>
969 <entry><para>
970 <command>Greater than</command></para><para>
971 <programlisting>frame.len > 10</programlisting>
972 </para></entry>
973 </row>
974 <row>
975 <entry>lt</entry>
976 <entry><programlisting><</programlisting></entry>
977 <entry><para><command>Less than</command></para><para>
978 <programlisting>frame.len < 128</programlisting>
979 </para></entry>
980 </row>
981 <row>
982 <entry>ge</entry>
983 <entry><programlisting>>=</programlisting></entry>
984 <entry><para>
985 <command>Greater than or equal to</command></para><para>
986 <programlisting>frame.len ge 0x100</programlisting>
987 </para></entry>
988 </row>
989 <row>
990 <entry>le</entry>
991 <entry><programlisting><=</programlisting></entry>
992 <entry><para>
993 <command>Less than or equal to</command></para><para>
994 <programlisting>frame.len <= 0x20</programlisting>
995 </para></entry>
996 </row>
997 </tbody>
998 </tgroup>
999 </table>
1000 <para>
1001 In addition, all protocol fields are typed.
1002 <xref linkend="ChWorkFieldTypes"/> provides a list of the types and
1003 example of how to express them.
1004 <table id="ChWorkFieldTypes">
1005 <title>Display Filter Field Types</title>
1006 <tgroup cols="2">
1007 <thead>
1008 <row>
1009 <entry>Type</entry>
1010 <entry>Example</entry>
1011 </row>
1012 </thead>
1013 <tbody>
1014 <row>
1015 <entry>
1016 Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
1017 </entry>
1018 <entry><para>
1019 You can express integers in decimal, octal, or
1020 hexadecimal. The following display filters are
1021 equivalent:
1022 <programlisting>
1023 ip.len le 1500
1024 ip.len le 02734
1025 ip.len le 0x436
1026 </programlisting>
1027 </para></entry>
1028 </row>
1029 <row>
1030 <entry>
1031 Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
1032 </entry>
1033 <entry></entry>
1034 </row>
1035 <row>
1036 <entry>Boolean</entry>
1037 <entry><para>
1038 A boolean field is present in the protocol decode
1039 only if its value is true. For example,
1040 <command>tcp.flags.syn</command> is present, and
1041 thus true, only if the SYN flag is present in a
1042 TCP segment header.</para><para>
1043 Thus the filter expression
1044 <command>tcp.flags.syn</command> will select only
1045 those packets for which this flag exists, that is,
1046 TCP segments where the segment header contains the
1047 SYN flag. Similarly, to find source-routed token
1048 ring packets, use a filter expression of
1049 <command>tr.sr</command>.
1050 </para></entry>
1051 </row>
1052 <row>
1053 <entry>Ethernet address (6 bytes)</entry>
1054 <entry><para>Separators can be a colon
1055 (:), dot (.) or dash (-) and can have one or
1056 two bytes between separators:<programlisting>
1057 eth.dst == ff:ff:ff:ff:ff:ff
1058 eth.dst == ff-ff-ff-ff-ff-ff
1059 eth.dst == ffff.ffff.ffff</programlisting></para></entry>
1060 </row>
1061 <row>
1062 <entry>IPv4 address</entry>
1063 <entry>
1064 <para>ip.addr == 192.168.0.1</para>
1065 <para>Classless InterDomain Routing (CIDR) notation
1066 can be used to test if an IPv4 address is in a
1067 certain subnet. For example, this display filter
1068 will find all packets in the 129.111 Class-B
1069 network:
1070 </para><para>ip.addr == 129.111.0.0/16</para></entry>
1071 </row>
1072 <row>
1073 <entry>IPv6 address</entry>
1074 <entry>ipv6.addr == ::1</entry>
1075 </row>
1076 <row>
1077 <entry>IPX address</entry>
1078 <entry>ipx.addr == 00000000.ffffffffffff</entry>
1079 </row>
1080 <row>
1081 <entry>String (text)</entry>
1082 <entry>http.request.uri == "http://www.wireshark.org/"</entry>
1083 </row>
1084 </tbody>
1085 </tgroup>
1086 </table>
1087 </para>
1088 </section>
1089 <section>
1090 <title>Combining expressions</title>
1091 <para>
1092 You can combine filter expressions in Wireshark using the
1093 logical operators shown in <xref linkend="FiltLogOps"/>
1094 </para>
1095 <table id="FiltLogOps">
1096 <title>Display Filter Logical Operations</title>
1097 <tgroup cols="3">
1098 <colspec colnum="1" colwidth="50pt"/>
1099 <colspec colnum="2" colwidth="50pt"/>
1100 <thead>
1101 <row>
1102 <entry>English</entry>
1103 <entry>C-like</entry>
1104 <entry>Description and example</entry>
1105 </row>
1106 </thead>
1107 <tbody>
1108 <row>
1109 <entry>and</entry>
1110 <entry>&&</entry>
1111 <entry><para>
1112 <command>Logical AND</command></para><para>
1113 <programlisting>ip.src==10.0.0.5 and tcp.flags.fin</programlisting>
1114 </para></entry>
1115 </row>
1116 <row>
1117 <entry>or</entry>
1118 <entry>||</entry>
1119 <entry><para>
1120 <command>Logical OR</command></para><para>
1121 <programlisting>ip.scr==10.0.0.5 or ip.src==192.1.1.1</programlisting>
1122 </para></entry>
1123 </row>
1124 <row>
1125 <entry>xor</entry>
1126 <entry>^^</entry>
1127 <entry><para>
1128 <command>Logical XOR</command></para><para>
1129 <programlisting>tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29</programlisting>
1130 </para></entry>
1131 </row>
1132 <row>
1133 <entry>not</entry>
1134 <entry>!</entry>
1135 <entry><para>
1136 <command>Logical NOT</command></para><para>
1137 <programlisting>not llc</programlisting>
1138 </para></entry>
1139 </row>
1140 <row>
1141 <entry>[...]</entry>
1142 <entry></entry>
1143 <entry><para>
1144 <command>Substring Operator</command></para><para>
1145 Wireshark allows you to select subsequences of a
1146 sequence in rather elaborate ways. After a label you
1147 can place a pair of brackets [] containing a comma
1148 separated list of range specifiers. </para><para>
1149 <programlisting>eth.src[0:3] == 00:00:83</programlisting></para><para>
1150 The example above uses the n:m format to specify a
1151 single range. In this case n is the beginning offset
1152 and m is the length of the range
1153 being specified.</para><para>
1154 <programlisting>
1155 eth.src[1-2] == 00:83
1156 </programlisting></para><para>
1157 The example above uses the n-m format to specify a
1158 single range. In this case n is the beginning offset
1159 and m is the ending offset. </para><para>
1160 <programlisting>eth.src[:4] == 00:00:83:00</programlisting></para><para>
1161 The example above uses the :m format, which takes
1162 everything from the beginning of a sequence to offset m.
1163 It is equivalent to 0:m</para><para>
1164 <programlisting>eth.src[4:] == 20:20</programlisting></para><para>
1165 The example above uses the n: format, which takes
1166 everything from offset n to the end of the
1167 sequence. </para><para>
1168 <programlisting>eth.src[2] == 83</programlisting></para><para>
1169 The example above uses the n format to specify a
1170 single range. In this case the element in the
1171 sequence at offset n is selected. This is equivalent
1172 to n:1.</para><para>
1173 <programlisting>eth.src[0:3,1-2,:4,4:,2] ==
1174 00:00:83:00:83:00:00:83:00:20:20:83</programlisting></para><para>
1175 Wireshark allows you to string together single ranges
1176 in a comma separated list to form compound ranges as
1177 shown above.
1178 </para></entry>
1179 </row>
1180 </tbody>
1181 </tgroup>
1182 </table>
1183 </section>
1184 <section id="ChWorkBuildDisplayFilterMistake"><title>A common mistake</title>
1185 <warning><title>Warning!</title>
1186 <para>
1187 Using the != operator on combined expressions like: eth.addr, ip.addr,
1188 tcp.port, udp.port and alike will probably not work as expected!
1189 </para>
1190 </warning>
1191 <para>
1192 Often people use a filter string to display something like
1193 <command>ip.addr == 1.2.3.4</command> which will display all packets
1194 containing the IP address 1.2.3.4.
1195 </para>
1196 <para>
1197 Then they use <command>ip.addr != 1.2.3.4</command> to see all packets
1198 not containing the IP address 1.2.3.4 in it. Unfortunately, this does
1199 <command>not</command> do the expected.
1200 </para>
1201 <para>
1202 Instead, that expression will even be true for packets where either
1203 source or destination IP address equals 1.2.3.4. The reason for this,
1204 is that the expression <command>ip.addr != 1.2.3.4</command> must be read as "the
1205 packet contains a field named ip.addr with a value
1206 different from 1.2.3.4". As an IP datagram contains both a source and
1207 a destination address, the expression will evaluate to true whenever
1208 at least one of the two addresses differs from 1.2.3.4.
1209 </para>
1210 <para>
1211 If you want to
1212 filter out all packets containing IP datagrams to or from IP address
1213 1.2.3.4, then the correct filter is <command>!(ip.addr == 1.2.3.4)</command> as it
1214 reads "show me all the packets for which it is not true
1215 that a field named ip.addr exists with a value of 1.2.3.4", or in
1216 other words, "filter out all packets for which there are
1217 no occurrences of a field named ip.addr with the value 1.2.3.4".
1218 </para>
1219 </section>
1220 </section>
1222 <section id="ChWorkFilterAddExpressionSection">
1223 <title>The "Filter Expression" dialog box</title>
1224 <para>
1225 When you are accustomed to Wireshark's filtering system and know what
1226 labels you wish to use in your filters it can be very quick to
1227 simply type a filter string. However if you are new to Wireshark or
1228 are working with a slightly unfamiliar protocol it can be very
1229 confusing to try to figure out what to type. The Filter Expression
1230 dialog box helps with this.
1231 </para>
1232 <tip><title>Tip!</title>
1233 <para>
1234 The "Filter Expression" dialog box is an excellent way to learn how to
1235 write Wireshark display filter strings.
1236 </para>
1237 </tip>
1238 <figure id="ChWorkFilterAddExpression1">
1239 <title>The "Filter Expression" dialog box</title>
1240 <graphic entityref="WiresharkFilterAddExpression" format="PNG"/>
1241 </figure>
1242 <para>
1243 When you first bring up the Filter Expression dialog box you are shown a
1244 tree list of field names, organized by protocol, and a box for
1245 selecting a relation.
1246 </para>
1247 <variablelist>
1248 <varlistentry><term><command>Field Name</command></term>
1249 <listitem>
1250 <para>
1251 Select a protocol field from the protocol field tree.
1252 Every protocol with filterable fields is listed at the
1253 top level. (You can search for a particular protocol
1254 entry by entering the first few letters of the protocol name).
1255 By clicking on the "+" next to a protocol name
1256 you can get a list of the field names available for filtering
1257 for that protocol.
1258 </para>
1259 </listitem>
1260 </varlistentry>
1261 <varlistentry><term><command>Relation</command></term>
1262 <listitem>
1263 <para>
1264 Select a relation from the list of available relation.
1265 The <command>is present</command> is a unary relation which
1266 is true if the selected field is present in a packet. All
1267 other listed relations are binary relations which require additional
1268 data (e.g. a <command>Value</command> to match) to complete.
1269 </para>
1270 </listitem>
1271 </varlistentry>
1272 </variablelist>
1273 <para>
1274 When you select a field from the field name list and select a
1275 binary relation (such as the equality relation ==) you will be
1276 given the opportunity to enter a value, and possibly some range
1277 information.
1278 </para>
1279 <variablelist>
1280 <varlistentry><term><command>Value</command></term>
1281 <listitem>
1282 <para>
1283 You may enter an appropriate value in the
1284 <command>Value</command> text box. The <command>Value</command>
1285 will also indicate the type of value for the
1286 <command>field name</command> you have selected (like
1287 character string).
1288 </para>
1289 </listitem>
1290 </varlistentry>
1291 <varlistentry><term><command>Predefined values</command></term>
1292 <listitem>
1293 <para>
1294 Some of the protocol fields have predefined values available, much like
1295 enum's in C. If the selected protocol field has such values defined, you
1296 can choose one of them here.
1297 </para>
1298 </listitem>
1299 </varlistentry>
1300 <varlistentry><term><command>Range</command></term>
1301 <listitem>
1302 <para>
1303 XXX - add an explanation here!
1304 </para>
1305 </listitem>
1306 </varlistentry>
1307 <varlistentry><term><command>OK</command></term>
1308 <listitem>
1309 <para>
1310 When you have built a satisfactory expression click
1311 <command>OK</command> and a filter string will be
1312 built for you.
1313 </para>
1314 </listitem>
1315 </varlistentry>
1316 <varlistentry><term><command>Cancel</command></term>
1317 <listitem>
1318 <para>
1319 You can leave the <command>Add Expression...</command> dialog
1320 box without any effect by clicking the <command>Cancel</command>
1321 button.
1322 </para>
1323 </listitem>
1324 </varlistentry>
1325 </variablelist>
1326 </section>
1328 <section id="ChWorkDefineFilterSection"><title>Defining and saving filters</title>
1329 <para>
1330 You can define filters with Wireshark and give them labels for
1331 later use. This can save time in remembering and retyping some of
1332 the more complex filters you use.
1333 </para>
1334 <para>
1335 To define a new filter or edit an existing one, select the
1336 <command>Capture Filters...</command> menu item from the Capture menu
1337 or the <command>Display Filters...</command> menu item from the Analyze
1338 menu. Wireshark will then pop up the Filters dialog as shown in
1339 <xref linkend="FiltersDialog"/>.
1340 </para>
1341 <note>
1342 <title>Note!</title>
1343 <para>
1344 The mechanisms for defining and saving capture filters and display
1345 filters are almost identical. So both will be described here,
1346 differences between these two will be marked as such.
1347 </para>
1348 </note>
1349 <warning><title>Warning!</title>
1350 <para>
1351 You must use <command>Save</command> to save your filters permanently.
1352 <command>Ok</command> or <command>Apply</command> will not save the filters,
1353 so they will be lost when you close Wireshark.
1354 </para>
1355 </warning>
1356 <figure id="FiltersDialog">
1357 <title>The "Capture Filters" and "Display Filters" dialog boxes</title>
1358 <graphic entityref="WiresharkFilters" format="PNG"/>
1359 </figure>
1360 <para>
1361 <variablelist>
1362 <varlistentry><term><command>New</command></term>
1363 <listitem>
1364 <para>
1365 This button adds a new filter to the list of filters. The currently
1366 entered values from Filter name and Filter string will be used. If
1367 any of these fields are empty, it will be set to "new".
1368 </para>
1369 </listitem>
1370 </varlistentry>
1371 <varlistentry><term><command>Delete</command></term>
1372 <listitem>
1373 <para>
1374 This button deletes the selected filter. It will be greyed out, if no
1375 filter is selected.
1376 </para>
1377 </listitem>
1378 </varlistentry>
1379 <varlistentry><term><command>Filter</command></term>
1380 <listitem>
1381 <para>
1382 You can select a filter from this list (which will fill in the
1383 filter name and filter string in the fields down at the bottom of the
1384 dialog box).
1385 </para>
1386 </listitem>
1387 </varlistentry>
1388 <varlistentry><term><command>Filter name:</command></term>
1389 <listitem>
1390 <para>
1391 You can change the name of the currently selected filter here.
1392 </para>
1393 <note><title>Note!</title>
1394 <para>
1395 The filter name will only be used in this dialog to identify the
1396 filter for your convenience, it will not be used elsewhere. You can
1397 add multiple filters with the same name, but this is not very useful.
1398 </para>
1399 </note>
1400 </listitem>
1401 </varlistentry>
1402 <varlistentry><term><command>Filter string:</command></term>
1403 <listitem>
1404 <para>
1405 You can change the filter string of the currently selected filter here.
1406 Display Filter only: the string will be syntax checked while you are
1407 typing.
1408 </para>
1409 </listitem>
1410 </varlistentry>
1411 <varlistentry><term><command>Add Expression...</command></term>
1412 <listitem>
1413 <para>
1414 Display Filter only: This button brings up the Add Expression
1415 dialog box which assists in building filter strings. You can find
1416 more information about the Add Expression dialog in
1417 <xref linkend="ChWorkFilterAddExpressionSection"/>
1418 </para>
1419 </listitem>
1420 </varlistentry>
1421 <varlistentry><term><command>OK</command></term>
1422 <listitem>
1423 <para>
1424 Display Filter only: This button applies the selected filter to the
1425 current display and closes the dialog.
1426 </para>
1427 </listitem>
1428 </varlistentry>
1429 <varlistentry><term><command>Apply</command></term>
1430 <listitem>
1431 <para>
1432 Display Filter only: This button applies the selected filter to the
1433 current display, and keeps the dialog open.
1434 </para>
1435 </listitem>
1436 </varlistentry>
1437 <varlistentry><term><command>Save</command></term>
1438 <listitem>
1439 <para>
1440 Save the current settings in this dialog. The file location and
1441 format is explained in <xref linkend="AppFiles"/>.
1442 </para>
1443 </listitem>
1444 </varlistentry>
1445 <varlistentry><term><command>Close</command></term>
1446 <listitem>
1447 <para>
1448 Close this dialog. This will discard unsaved settings.
1449 </para>
1450 </listitem>
1451 </varlistentry>
1452 </variablelist>
1453 </para>
1454 </section>
1456 <section id="ChWorkDefineFilterMacrosSection"><title>Defining and saving filter macros</title>
1457 <para>
1458 You can define filter macros with Wireshark and give them labels for
1459 later use. This can save time in remembering and retyping some of
1460 the more complex filters you use.
1461 </para>
1462 <para>
1463 XXX - add an explanation of this.
1464 </para>
1465 </section>
1467 <section id="ChWorkFindPacketSection"><title>Finding packets</title>
1468 <para>
1469 You can easily find packets once you have captured some packets or
1470 have read in a previously saved capture file. Simply select the
1471 <command>Find Packet...</command> menu item from the
1472 <command>Edit</command> menu. Wireshark will pop up the dialog box
1473 shown in <xref linkend="ChWorkFindPacketDialog"/>.
1474 </para>
1475 <section><title>The "Find Packet" dialog box</title>
1476 <figure id="ChWorkFindPacketDialog">
1477 <title>The "Find Packet" dialog box</title>
1478 <graphic entityref="WiresharkFindPacket" format="PNG"/>
1479 </figure>
1480 <para>
1481 You might first select the kind of thing to search for:
1482 <itemizedlist>
1483 <listitem>
1484 <para>
1485 <command>Display filter</command>
1486 </para>
1487 <para>
1488 Simply enter a display filter string into the
1489 <command>Filter:</command> field, select a direction, and click on OK.
1490 </para>
1491 <para>
1492 For example, to find the three way handshake for a connection from
1493 host 192.168.0.1, use the following filter string:
1494 <programlisting>ip.src==192.168.0.1 and tcp.flags.syn==1</programlisting>
1495 For more details on display filters, see <xref linkend="ChWorkDisplayFilterSection"/>
1496 </para>
1497 </listitem>
1498 <listitem>
1499 <para>
1500 <command>Hex Value</command>
1501 </para>
1502 <para>
1503 Search for a specific byte sequence in the packet data.
1504 </para>
1505 <para>
1506 For example, use "00:00" to find the next packet including two
1507 null bytes in the packet data.
1508 </para>
1509 </listitem>
1510 <listitem>
1511 <para>
1512 <command>String</command>
1513 </para>
1514 <para>
1515 Find a string in the packet data, with various options.
1516 </para>
1517 </listitem>
1518 </itemizedlist>
1519 </para>
1520 <para>
1521 The value to be found will be syntax checked while you type it in. If the
1522 syntax check of your value succeeds, the background of the entry field
1523 will turn green, if it fails, it will turn red.
1524 </para>
1525 <para>
1526 You can choose the search direction:
1527 <itemizedlist>
1528 <listitem>
1529 <para><command>Up</command></para>
1530 <para>Search upwards in the packet list (decreasing packet numbers).</para>
1531 </listitem>
1532 </itemizedlist>
1533 <itemizedlist>
1534 <listitem>
1535 <para><command>Down</command></para>
1536 <para>Search downwards in the packet list (increasing packet numbers).</para>
1537 </listitem>
1538 </itemizedlist>
1539 </para>
1540 </section>
1541 <section><title>The "Find Next" command</title>
1542 <para>
1543 "Find Next" will continue searching with the same options used in the last
1544 "Find Packet".
1545 </para>
1546 </section>
1547 <section><title>The "Find Previous" command</title>
1548 <para>
1549 "Find Previous" will do the same thing as "Find Next", but with reverse
1550 search direction.
1551 </para>
1552 </section>
1553 </section>
1555 <section id="ChWorkGoToPacketSection"><title>Go to a specific packet</title>
1556 <para>
1557 You can easily jump to specific packets with one of the menu items in the
1558 Go menu.
1559 </para>
1560 <section><title>The "Go Back" command</title>
1561 <para>
1562 Go back in the packet history, works much like the page history in current
1563 web browsers.
1564 </para>
1565 </section>
1566 <section><title>The "Go Forward" command</title>
1567 <para>
1568 Go forward in the packet history, works much like the page history in
1569 current web browsers.
1570 </para>
1571 </section>
1572 <section><title>The "Go to Packet" dialog box</title>
1573 <figure id="ChWorkGoToPacketDialog">
1574 <title>The "Go To Packet" dialog box</title>
1575 <graphic entityref="WiresharkGoToPacket" format="PNG"/>
1576 </figure>
1577 <para>
1578 This dialog box will let you enter a packet number. When you press
1579 <command>OK</command>, Wireshark will jump to that packet.
1580 </para>
1581 </section>
1582 <section><title>The "Go to Corresponding Packet" command</title>
1583 <para>
1584 If a protocol field is selected which points to another packet in the
1585 capture file, this command will jump to that packet.
1586 </para>
1587 <note><title>Note!</title>
1588 <para>
1589 As these protocol fields now work like links (just as in your
1590 Web browser), it's easier to simply double-click on the field to jump
1591 to the corresponding field.
1592 </para>
1593 </note>
1594 </section>
1595 <section><title>The "Go to First Packet" command</title>
1596 <para>
1597 This command will simply jump to the first packet displayed.
1598 </para>
1599 </section>
1600 <section><title>The "Go to Last Packet" command</title>
1601 <para>
1602 This command will simply jump to the last packet displayed.
1603 </para>
1604 </section>
1605 </section>
1607 <section id="ChWorkMarkPacketSection"><title>Marking packets</title>
1608 <para>
1609 You can mark packets in the "Packet List" pane. A marked packet will
1610 be shown with black background, regardless of the coloring rules set.
1611 Marking a packet can be useful to find it later while analyzing in a large
1612 capture file.
1613 </para>
1614 <warning><title>Warning!</title>
1615 <para>
1616 The packet marks are not stored in the capture file or anywhere else,
1617 so all packet marks will be lost if you close the capture file.
1618 </para>
1619 </warning>
1620 <para>
1621 You can use packet marking to control the output of packets when
1622 saving/exporting/printing. To do so, an option in the packet range is
1623 available, see <xref linkend="ChIOPacketRangeSection"/>.
1624 </para>
1625 <para>
1626 There are three functions to manipulate the marked state of a packet:
1627 <itemizedlist>
1628 <listitem>
1629 <para>
1630 <command>Mark packet (toggle)</command> toggles the marked state
1631 of a single packet.
1632 </para>
1633 </listitem>
1634 <listitem>
1635 <para>
1636 <command>Mark all displayed packets</command> set the mark state of all
1637 displayed packets.
1638 </para>
1639 </listitem>
1640 <listitem>
1641 <para>
1642 <command>Unmark all packets</command> reset the mark state of all
1643 packets.
1644 </para>
1645 </listitem>
1646 </itemizedlist>
1647 These mark functions are available from the "Edit" menu, and the
1648 "Mark packet (toggle)" function is also available from the pop-up menu of
1649 the "Packet List" pane.
1650 </para>
1651 </section>
1653 <section id="ChWorkIgnorePacketSection"><title>Ignoring packets</title>
1654 <para>
1655 You can ignore packets in the "Packet List" pane. Wireshark will then pretend that this
1656 packets does not exist in the capture file.
1657 An ignored packet will be shown with white background and gray foreground, regardless
1658 of the coloring rules set.
1659 </para>
1660 <warning><title>Warning!</title>
1661 <para>
1662 The packet ignored marks are not stored in the capture file or anywhere else,
1663 so all packet ignored marks will be lost if you close the capture file.
1664 </para>
1665 </warning>
1666 <para>
1667 There are three functions to manipulate the ignored state of a packet:
1668 <itemizedlist>
1669 <listitem>
1670 <para>
1671 <command>Ignore packet (toggle)</command> toggles the ignored state
1672 of a single packet.
1673 </para>
1674 </listitem>
1675 <listitem>
1676 <para>
1677 <command>Ignore all displayed packets</command> set the ignored state of all
1678 displayed packets.
1679 </para>
1680 </listitem>
1681 <listitem>
1682 <para>
1683 <command>Un-Ignore all packets</command> reset the ignored state of all
1684 packets.
1685 </para>
1686 </listitem>
1687 </itemizedlist>
1688 These ignore functions are available from the "Edit" menu, and the
1689 "Ignore packet (toggle)" function is also available from the pop-up menu of
1690 the "Packet List" pane.
1691 </para>
1692 </section>
1694 <section id="ChWorkTimeFormatsSection"><title>Time display formats and time
1695 references</title>
1696 <para>
1697 While packets are captured, each packet is timestamped. These timestamps
1698 will be saved to the capture file, so they will be available for later
1699 analysis.
1700 </para>
1701 <para>
1702 A detailed description of timestamps, timezones and alike can be found at: <xref
1703 linkend="ChAdvTimestamps"/>.
1704 </para>
1705 <para>
1706 The timestamp presentation format and the precision in the packet list can
1707 be chosen using the View menu, see <xref linkend="ChUseWiresharkViewMenu"/>.
1708 </para>
1709 <para>
1710 The available presentation formats are:
1711 <itemizedlist>
1712 <listitem><para><command>Date and Time of Day: 1970-01-01 01:02:03.123456</command>
1713 The absolute date and time of the day when the packet was captured.</para>
1714 </listitem>
1715 <listitem><para><command>Time of Day: 01:02:03.123456</command>
1716 The absolute time of the day when the packet was captured.</para>
1717 </listitem>
1718 <listitem><para><command>Seconds Since Beginning of Capture: 123.123456</command>
1719 The time relative to the start of the capture file or the first
1720 "Time Reference" before this packet (see <xref
1721 linkend="ChWorkTimeReferencePacketSection"/>).</para>
1722 </listitem>
1723 <listitem><para><command>Seconds Since Previous Captured Packet: 1.123456</command>
1724 The time relative to the previous captured packet.</para>
1725 </listitem>
1726 <listitem><para><command>Seconds Since Previous Displayed Packet: 1.123456</command>
1727 The time relative to the previous displayed packet.</para>
1728 </listitem>
1729 <listitem><para><command>Seconds Since Epoch (1970-01-01): 1234567890.123456</command>
1730 The time relative to epoch (midnight UTC of January 1, 1970).</para>
1731 </listitem>
1732 </itemizedlist>
1733 </para>
1734 <para>
1735 The available precisions (aka. the number of displayed decimal places) are:
1736 <itemizedlist>
1737 <listitem><para><command>Automatic</command>
1738 The timestamp precision of
1739 the loaded capture file format will be used (the default).</para>
1740 </listitem>
1741 <listitem><para><command>Seconds, Deciseconds, Centiseconds, Milliseconds,
1742 Microseconds or Nanoseconds</command>
1743 The timestamp precision will be forced to the given setting. If the
1744 actually available
1745 precision is smaller, zeros will be appended. If the precision is larger,
1746 the remaining decimal places will be cut off.</para>
1747 </listitem>
1748 </itemizedlist>
1749 </para>
1750 <para>
1751 Precision example: If you have a timestamp and it's displayed using,
1752 "Seconds Since Previous Packet", : the value might be 1.123456. This will
1753 be displayed using the "Automatic" setting for libpcap files (which is
1754 microseconds). If you use Seconds it would show simply 1 and if you use
1755 Nanoseconds it shows 1.123456000.
1756 </para>
1757 <section id="ChWorkTimeReferencePacketSection">
1758 <title>Packet time referencing</title>
1759 <para>
1760 The user can set time references to packets. A time reference is the
1761 starting point for all subsequent packet time calculations. It will be
1762 useful, if you want to see the time values relative to a special packet,
1763 e.g. the start of a new request. It's possible to set multiple time
1764 references in the capture file.
1765 </para>
1766 <warning><title>Warning!</title>
1767 <para>
1768 The time references will not be saved permanently and will be lost when
1769 you close the capture file.
1770 </para>
1771 </warning>
1772 <note><title>Note!</title>
1773 <para>
1774 Time referencing will only be useful, if the time display format is set to
1775 "Seconds Since Beginning of Capture". If one of the other time display
1776 formats are used, time referencing will have no effect (and will make no
1777 sense either).
1778 </para>
1779 </note>
1780 <para>
1781 To work with time references, choose one of the "Time Reference" items
1782 in the "Edit" menu , see <xref linkend="ChUseEditMenuSection"/>, or from
1783 the pop-up menu of the "Packet List" pane.
1784 </para>
1785 <itemizedlist>
1786 <listitem><para><command>Set Time Reference (toggle)</command>
1787 Toggles the time reference state of the currently selected
1788 packet to on or off.</para>
1789 </listitem>
1790 <listitem><para><command>Find Next</command>
1791 Find the next time referenced packet in the "Packet List" pane.
1792 </para>
1793 </listitem>
1794 <listitem><para><command>Find Previous</command>
1795 Find the previous time referenced packet in the "Packet List"
1796 pane.
1797 </para>
1798 </listitem>
1799 </itemizedlist>
1800 <para>
1801 <figure id="ChWorkTimeReference">
1802 <title>Wireshark showing a time referenced packet</title>
1803 <graphic entityref="WiresharkTimeReference" format="PNG"/>
1804 </figure>
1805 </para>
1806 <para>
1807 A time referenced packet will be marked with the string *REF* in the Time
1808 column (see packet number 10). All subsequent packets will show the time
1809 since the last time reference.
1810 </para>
1811 </section>
1812 </section>
1814 </chapter>
1815 <!-- End of WSUG Chapter Work -->