Wireshark

1 ....................................................................................................................................................................................................4
1.1. Wireshark......................................................................................................................................................................................4
1.1.1. ..........................................................................................................................................................................................4
1.1.2. ..................................................................................................................................................................................................4
1.1.3. ..........................................................................................................................................................................4
1.1.4. ......................................................................................................................................................4
1.1.5. ..............................................................................................................................................................................4
1.1.6. ..............................................................................................................................................................4
1.1.7. ..........................................................................................................................................................................................4
1.1.8. Wireshark ....................................................................................................................................................................4
1.2. .....................................................................................................................................................................................................5
1.2.1. ..........................................................................................................................................................................................5
1.2.2. Microsoft Windows........................................................................................................................................................................5
1.2.3. Unix/Linux........................................................................................................................................................................................5
1.3. Wireshark......................................................................................................................................................................5
1.4. Wireshark ........................................................................................................................................................................................5
1.5. Wireshark ..................................................................................................................................................................................5
1.6. .................................................................................................................................................................................6
1.6.1. ..................................................................................................................................................................................................6
1.6.2. ..........................................................................................................................................................................................6
1.6.3. FAQ...................................................................................................................................................................................................6
1.6.4. ..........................................................................................................................................................................................6
1.6.5. ..........................................................................................................................................................................................6
1.6.6. UNIX/Linux ................................................................................................................................................6
1.6.7. Windows ....................................................................................................................................................6
2/ Wireshark.............................................................................................................................................................................8
2.1..............................................................................................................................................................................................................8
2.2...........................................................................................................................................................................................................8
2.3. UNIX ...................................................................................................................................................................................8
2.4. UNIX Wireshark..........................................................................................................................................................................9
2.5. UNIX ...........................................................................................................................................................................9
2.5.1. Linux RPM ...............................................................................................................................................9
2.5.2. Debian Deb .........................................................................................................................................................9
2.5.3. Gentoo Linux Portage..............................................................................................................................................9
2.5.4. FreeBSD ...............................................................................................................................................................9
2.6. UNIX [10].........................................................................................................................................................9
2.7. Windows ................................................................................................................................................................................9
2.8. Windows Wireshark...................................................................................................................................................................9
2.8.1. Wireshark.................................................................................................................................................................................9
2.8.2. WinPcap.........................................................................................................................................................................10
2.8.3. Wireshark...............................................................................................................................................................................10
2.8.4. WinPcap.................................................................................................................................................................................10
2.8.5. Wireshark...............................................................................................................................................................................11
2.8.6. WinPcap.................................................................................................................................................................................11
3 ...........................................................................................................................................................................................12
3.1. ...........................................................................................................................................................................................................12
3.2. Wireshark........................................................................................................................................................................................12
3.3. .......................................................................................................................................................................................................12
3.3.1. ....................................................................................................................................................................................12
3.4. .......................................................................................................................................................................................................13
3.5. "File"..................................................................................................................................................................................................13
3.6. "Edit".................................................................................................................................................................................................15
3.7. "View"...............................................................................................................................................................................................15
3.8. "Go"...................................................................................................................................................................................................17
3.9. "Capture"..........................................................................................................................................................................................18
3.10. "Analyze"........................................................................................................................................................................................18
3.11. "Statistics"......................................................................................................................................................................................19
3.12. "Help"..............................................................................................................................................................................................20
3.13. "Main".........................................................................................................................................................................................21
3.14. "Filter".........................................................................................................................................................................................22
3.15. "Packet List"...................................................................................................................................................................................23
3.16. "Packet Details".............................................................................................................................................................................23
3.17. "Packet Bytes".................................................................................................................................................................................24
3.18. .....................................................................................................................................................................................................24
4 ...............................................................................................................................................................................25
4.1. ...........................................................................................................................................................................................................25
4.2. ...................................................................................................................................................................................................25
4.3. ...................................................................................................................................................................................................25
4.4. .......................................................................................................................................................................................25
4.5. .......................................................................................................................................................................................26
4.5.1. ............................................................................................................................................................................................26
4.5.2. ........................................................................................................................................................................27
4.5.3. ....................................................................................................................................................................................27
4.5.4. ....................................................................................................................................................................................27
4.5.5. ................................................................................................................................................................................27
4.5.6. ................................................................................................................................................................................................27
4.6. .......................................................................................................................................................................27
4.7. .......................................................................................................................................................................................28
4.8. ...............................................................................................................................................................................................28
4.8.1. ........................................................................................................................................................................28
4.9. ...........................................................................................................................................................................................29
4.9.1. ........................................................................................................................................................................................29
4.9.2. ................................................................................................................................................................................29
5 ...................................................................................................................................................................30
5.1. ...........................................................................................................................................................................................................30
5.2. ...........................................................................................................................................................................................30
5.2.1. ....................................................................................................................................................................30
5.2.2. ................................................................................................................................................................................31
5.3. ...............................................................................................................................................................................................31
5.3.1. "Save Capture File As/".................................................................................................................................31
5.3.2. ........................................................................................................................................................................................33
5.4. ...........................................................................................................................................................................................33
5.4.1. ............................................................................................................................................................................33
5.5. ...................................................................................................................................................................................................34
5.5.1. ............................................................................................................................................................................35
5.6. ...................................................................................................................................................................................................35
5.6.1. "Export as Plain Text File"................................................................................................................................................35
5.6.2. "Export as PostScript File" .............................................................................................................................................35
5.6.3. "Export as CSV (Comma Separated Values) File" .......................................................................................................36
5.6.4. "Export as PSML File" .....................................................................................................................................................36
5.6.5. "Export as PDML File" ....................................................................................................................................................36
5.6.6. "Export selected packet bytes" .....................................................................................................................................37
5.6.7. "Export Objects" ..............................................................................................................................................................37
5.7. .......................................................................................................................................................................................................38
5.7.1. ..................................................................................................................................................................................38
5.8. ...............................................................................................................................................................................................39
5.9. ...............................................................................................................................................................................................39
6 ...........................................................................................................................................................................40
6.1. .......................................................................................................................................................................................40
6.2. ...............................................................................................................................................................................................40
6.2.1. ................................................................................................................................................................40
6.2.2. ................................................................................................................................................................42
6.3. ...........................................................................................................................................................................................43
6.4. ...............................................................................................................................................................................44
6.4.1. ................................................................................................................................................................................44
6.4.2. ............................................................................................................................................................................................44
6.4.3. ....................................................................................................................................................................................44
6.4.4. ....................................................................................................................................................................................44
6.5. Filter Expression/.............................................................................................................................................45
6.6. ...................................................................................................................................................................................45
6.7. .......................................................................................................................................................................................................46
6.7.1. ................................................................................................................................................................................46
6.7.2. "Find Next/".......................................................................................................................................................47
6.7.3. "Find Previous/"................................................................................................................................................47
6.8. ...............................................................................................................................................................................................47
6.8.1. "Go Back".......................................................................................................................................................................47
6.8.2. "Go Forward /"..............................................................................................................................................................47
6.8.3. "Go to Packet/".............................................................................................................................................47
6.8.4. "Go to Corresponding Packet/"......................................................................................................................47
6.8.5. "Go to First Packet/"......................................................................................................................................47
6.8.6. "Go to Last Packet/".....................................................................................................................................47
6.9. .......................................................................................................................................................................................................47
6.10. .....................................................................................................................................................................47
6.10.1. ..................................................................................................................................................................................47
7 ..................................................................................................................................................................................................49
7.1. ...........................................................................................................................................................................................................49
7.2. "Follow TCP Stream"...............................................................................................................................................................................49
7.2.1. "Follow TCP Stream"........................................................................................................................................................49
7.3. .......................................................................................................................................................................................................49
7.3.1. Wireshark ..............................................................................................................................................................................49
7.3.2. ................................................................................................................................................................................49
7.3.3. ............................................................................................................................................................................................50
7.4. ...........................................................................................................................................................................................................50
7.4.1. ........................................................................................................................................................50
7.4.2. Wireshark ..............................................................................................................................................................50
7.5. .......................................................................................................................................................................................................51
7.5.1. ................................................................................................................................................................................51
7.5.2. Wireshark .............................................................................................................................................................51
7.6. ...................................................................................................................................................................................................51
7.6.1. ............................................................................................................................................................................51
7.6.2. (MAC).............................................................................................................................................................51
7.6.3. IP ().....................................................................................................................................................................51
7.6.4. IPX ()...................................................................................................................................................................52
7.6.5. TCP/UDP ().....................................................................................................................................................52
7.7. .......................................................................................................................................................................................................52
7.7.1. Wireshark ..................................................................................................................................................................52
7.7.2. Checksum offloading...................................................................................................................................................................52
8 ..................................................................................................................................................................................................53
8.1. ...........................................................................................................................................................................................................53
8.2. ...................................................................................................................................................................................................53
8.3. "Protocol Hierarchy".......................................................................................................................................................................53
8.4. "Endpoints"..............................................................................................................................................................................................54
8.4.1. Endpoint?.........................................................................................................................................................................54
8.4.2. "Endpoints"...........................................................................................................................................................................55
8.4.3. "Endpoint List"..................................................................................................................................................55
8.5. /conversations.................................................................................................................................................................................55
8.5.1. /conversation?..........................................................................................................................................................55
8.5.2. "Conversations/" window....................................................................................................................................................55
8.5.3. Conversation List/.........................................................................................................................56
8.6. "IO Graphs".......................................................................................................................................................................................56
8.7. ...........................................................................................................................................................................................56
8.7.1. "Service Response Time DCE-RPC"....................................................................................................................................57
8.8. ...................................................................................................................................................................................57
9 Wireshark............................................................................................................................................................................58
9.1. ...........................................................................................................................................................................................................58
9.2. Wireshark........................................................................................................................................................................58
9.3. .......................................................................................................................................................................................59
9.4. ...........................................................................................................................................................................................61
9.4.1. "Enable Protocols"............................................................................................................................................................61
9.4.2. ............................................................................................................................................................................62
9.4.3. ....................................................................................................................................................................63
9.5. .......................................................................................................................................................................................................63
[21]
9.6. ...............................................................................................................................................................................................63
9.7. ...............................................................................................................................................................................................64
9.8. Tektronics K12xx/15 RF5 ...........................................................................................................................................................64
9.9. DLTs ..................................................................................................................................................................................64
9.10. SNMP .........................................................................................................................................................................................64

1
1.1. Wireshark
Wireshark

Wireshark
Wireshark (www.codepub.com)
1.1.1.
Wireshark




Wireshark
1.1.2.
UNIX Windows


/





1.1. Wireshark

1.1.3.
Wireshark
http://wiki.wireshark.org/CaptureSetup/NetworkMedia.
1.1.4.
Wireshark ???
1.1.5.
Wireshark ???
1.1.6.
( Wireshark )???
1.1.7.
Wireshark GPL GPL
Wireshark
1.1.8. Wireshark
Wireshark
Wireshark //Wireshark
[3]
Wireshark

Wireshark ()Wireshark

1.2.
Wireshark ...
1.2.1.
[4]

100 Mbit/s 750 MBytes/min
CPU
Wireshark http://wiki.wireshark.org/KnownBugs/OutOfMemory
Wireshark /

[5]

1.2.2. Microsoft Windows


Windows 2000, XP Home, XP Pro, XP Tablet PC, XP Media Center, Server 2003 or Vista (XP)
32-bit 400MHz ,64-bit WoW64 -
128MB 256Mbytes
75MB 800*600 1280*1024 65536(16bit)(256
legacy GTK1)

o windows
o MicroLogix support list, 802.11
o http://wiki.wireshark.org/CaptureSetup/NetworkMedia

Windows Wireshark
GTKWinPCap
Windows 95,98 ME Wireshark Ethereal0.99.0( WinPCap3.1),
: http://ethereal.com/download.html 2006 1 11 98/ME
Windows NT 4.0 Wireshark. Wireshark0.99.4( WinPCap3.1),
http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.4.exe 2005 12 31 NT 4.0

Windows CE windowsNT/XP
64-bit Wireshark 32bit ( WoW64), WinPCap4.0
()
1.2.3. Unix/Linux
Wireshark UNIX Windows
Apple Mac OS X
Debian GNU/Linux
FreeBSD
NetBSD
OpenPKG
Red Hat Fedora/Enterprise Linux
rPath Linux
Sun Solaris/i386
Sun Solaris/Sparc
wireshark-dev[AT]wireshark.org .
1.3. Wireshark
Wireshark http://www.wireshark.org/download.html.
Wireshark 4-8
Wireshark Wireshark-announce 1.6.4
[6]
1.4. Wireshark
1997 Gerald Combs Ethereal (Wireshark )

Ethereal 1998 Bug 0.2.0 Ethereal

Gilbert Ramirez
1998 10 Guy Harris TcpView Ethereal
1998 TCP/IP Richard Sharpe
Ethereal
Ethereal Ethereal

2006 Moved HouseWireshark.


1.5. Wireshark
Wireshark Gerald Combs Wireshark team Wireshark team bug Wireshark

Wireshark Wireshark About, Wireshark


Wireshark authors
Wireshark GNU General Public Licence (GPL ), GPL Wireshark
Wireshark team
Wireshark Team
Wireshark team

The developers of Wireshark might improve your changes even more, as there's always room for improvement. Or they may implement
some advanced things on top of your code, which can be useful for yourself too.
The maintainers and developers of Wireshark will maintain your code as well, fixing it when API changes or other changes are made, and
generally keeping it in tune with what is happening with Wireshark. So if Wireshark is updated (which is done often), you can get a new
Wireshark version from the website and your changes will already be included without any effort for you.
Wireshark kits http://www.wireshark.org/download.html.
1.6.
Wireshark
1.6.1.
http://www.wireshark.org Wireshark
1.6.2.
Wireshark Wiki (http://wiki.wireshark.org) Wireshark wiki

1.6.3. FAQ
Frequently Asked Questions
Read The FAQ
FAQ

1.6.4.

Wireshark-users
Wireshark Wireshark

wireshark-announce
4-8
wireshark-dev
Wireshark
http://www.wireshark.org .

1.6.5.

Wireshark

1. Wireshark GTK+ Wireshark v UNIX/Linux


2. Wireshark
3.
4.
[7]
I got a warning while doing x

>100KB

1.6.6. UNIX/Linux

$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >&bt.txt
backtrace
^D
$

[8]

GDB ^D CTRL+D GDB


bt.txt bug

GDB
wireshark-dev[AT]wireshark.org
1.6.7. Windows

Windows (.pdb),

[3]

[4]
The values below are the minimum requirements and only "rules of thumb" for use on a moderately used network.
[5]
30 10
.
[6]

[7]
XX
[8]
"Type the characters in the first line verbatim! Those are back-tics there!",Those are back-tics there!back-tics=
Linux

2 / Wireshark
2.1.
Wireshark Wireshark


Linux Wireshark UNIX Wireshark . Windows
Wireshark. Wireshark
Wireshark

1.
2. ()/
3.
2.2.
Wireshark http://www.wireshark.org.

!
Wireshark, Wireshark

2.3. UNIX

1. GTK+, The GIMP Tool Kit.


Glib. www.gtk.org
2. Libpcap , Wireshark
www.tcpdump.org
RPMs.
GTK+ 2.1 GTK+
2.1. GTK+
gzip -dc gtk+-1.2.10.tar.gz | tar xvf -
<much output removed>
cd gtk+-1.2.10
./configure
<much output removed>
make
<much output removed>
make install
<much output removed>

2.1 GTK+ GTK+ GTK

tar xvf

Linux, GNU tar tar zxvf gtk+-1.2.10.tar.gz gunzip -c gzcat


UNIX gzip -dc

windows gtk+ gtk+-1_2_8_tar.gz


2.1 GTK+ GTK+
libpcap 2.2 libpcap tcpdump,
tcpdump
2.2. libpcap
gzip -dc libpcap-0.9.4.tar.Z | tar xvf -
<much output removed>
cd libpcap-0.9.4
./configure
<much output removed>
make
<much output removed>
make install
<much output removed>

Libpcap tar xvf
RedHat 6.x Mandrake, RPM Linux GTK+
Glib. 2.3 RedHat Linux 6.2 RPM
RPMs
2.3. RedHat Linux 6.2 RPM
cd /mnt/cdrom/RedHat/RPMS

rpm -ivh glib-1.2.6-3.i386.rpm


rpm -ivh glib-devel-1.2.6-3.i386.rpm
rpm -ivh gtk+-1.2.6-7.i386.rpm
rpm -ivh gtk+-devel-1.2.6-7.i386.rpm
rpm -ivh libpcap-0.4-19.i386.rpm

RedHat 6.2 RPMs RPMs


Debian apt-get apt-get 2.4 Debian Deb
2.4. Debian Deb
apt-get install wireshark-dev

2.4. UNIX Wireshark


Unix Wireshark
1. Linux gzip'd tar , UNIX GNU tar Linux
tar zxvf wireshark-0.99.5-tar.gz
UNIX
gzip -d wireshark-0.99.5-tar.gz
tar xvf wireshark-0.99.5-tar

[9]

gzip -dc wireshark-0.99.5-tar.gz | tar xvf -

Windows Wireshark,
2.
3. Unix
./configure
configure. 2.6 UNIX
4. make
make
5.
make install
make install Wireshark, Wireshark
2.5. UNIX
UNIX UNIX AIX smit Tru64 UNIX
setld
2.5.1. Linux RPM
Wireshark RPM
rpm -ivh wireshark-0.99.5.i386.rpm
Wireshark REDHAT 2.3 RedHat Linux
6.2 RPM
2.5.2. Debian Deb
Debian Wireshark
apt-get install wireshark
apt-get
2.5.3. Gentoo Linux Portage
Gentoo Linux wireshark
USE="adns gtk ipv6 portaudio snmp ssl kerberos threads selinux" emerge wireshark
2.5.4. FreeBSD
FreeBSD Wireshark
pkg_add -r wireshark
pkg_add
[10]
2.6. UNIX

configure config.log()

GTK+ GTK+configure libpcap()


sed solaris libtool
sed sed http://directory.fsf.org/GNU/sed.html.
wireshark-dev config.log
make
2.7. Windows
Windows Wireshark Windows Wireshark
WIKI http://wiki.wireshark.org/Development
2.8. Windows Wireshark
Windows Wireshark
2.8.1. Wireshark
Wireshark Wireshark-setup-x.y.z.exe. Wireshark WinPcap,

http://www.wireshark.org/download.html#releases Wireshark

[11]
Wireshark( GTK1 GTK2 ):
GTK2 GUI GTK1 Windows 256 8bit GTK2. GTK1

Wireshark GTK1-Wireshark GUI


Wireshark GTK2-Wireshark GUI GTK2 GUI
GTK-Wimp-GTKWimp GTK2 ( windows32 )
TShark - TShark
/(Wireshark,TShark ):
Dissector Plugins-
Tree Statistics Plugins-
Mate - Meta Analysis and Tracing Engine (experimental): http://wiki.wireshark.org/Mate.
SNMP MIBs: SNMPMIBS
Tools/(
Users Guide - internet.
Editcap - Editcap is a program that reads a capture file and writes some or all of the packets into another capture file. / Editcap
Text2Pcap - Text2pcap is a program that reads in an ASCII hex dump and writes the data into a libpcap-style capture file. / Text2pcap
ASCII hex libpcap
Mergecap - Mergecap is a program that combines multiple saved capture files into a single output file. / Mergecap

Capinfos - Capinfos is a program that provides information on capture files. / Capinfos


Additional Tasks
Start Menu Shortcuts--
Desktop Icon-- Wireshark
Quick Launch Icon-- Wireshark
Associate file extensions to Wireshark-Wireshark - Wireshark
Install WinPcap?
Wireshark WinPcap
WinPcap
Currently installed WinPcap version- WinPcap
Install WinPcap x.x - Wireshark
Start WinPcap service "NPF" at startup - WinPcap NPF -
WinPcap
Wireshark http://wiki.wireshark.org/WinPcap
WinPcap http://www.winpcap.org


/NCRC CRC
/S Wireshark. WinPcap!
/desktopicon /desktopicon=yes
/quicklaunchicon =yes-=no-
/D ($INSTDIR),
2.5.
wireshark-setup-0.99.5.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo

2.8.2. WinPcap

Wireshark WinPcap WinPcap


WinPcap Wireshark WinPcap WinPcap
WinPcap alpha or beta
WinPcap http://www.winpcap.org
Wiretapped.net : http://www.mirrors.wiretapped.net/security/packet-capture/winpcap
WinPcap auto-installer NT4.0/2000/XP/vista
2.8.3. Wireshark
WinPcap Wireshark Wireshark 1.6.4


8-12 Wireshark
2.8.4. WinPcap
WinPcap WinPcap WinPcap

WinPcap WinPcap, WinPcap

2.8.5. Wireshark
Wireshark,/Wireshark
Wireshark WinPcap.
WinPcap Wireshark WinPcap
2.8.6. WinPcap
WinPcap,/WinPcap

WinPcap Wireshark

[9]

Pipelin
UNIX/LINUX Wireshark
UNIX/LINUX UNIX/LINUX 1
2
Linux GTK+
libpcap. 2.3 UNIX tar zxvf
Wireshark-0.99.5-tar.gz;make;make install.
[11]

[10]

3
3.1.
Wireshark,
Wireshark




3.2. Wireshark
Shell Wireshark.

Wireshark 9.2 Wireshark

Wireshark GUI Toolkit(GTK1.x/2x),

3.3.
3.1 /
3.1.

Wireshark
1. 3.4
2. ( 3.13 "Main")
3. Filter toolbar/( 3.14 "Filter")( 6.3:)
4. Packet List 3.15 "Packet List"

5. Packet detail 3.16 "Packet Details" Packet list


6. Packet bytes 3.17 "Packet Byte" Packet list Packet details

7. 3.18

9.5
3.3.1.
Packet list Detail 3.1 3.5 "GO"

3.1.

Tab,Shift+Tab

Down

Up

Ctrl-Down,F8 Packet list


Ctrl-Up,F7

Packet list

Left

Packet Detail

Right

Packet Detail .

Backspace

Packet Detail

Return,Enter

Packet Detail

filter
3.4.
Wireshark Wireshark 3.2
3.2.

:
File
save/,Print/,Export/ Wireshark . 3.5 "File"
Edit
3.6 "Edit"
View
3.7 "View"

GO
3.8 "Go"
Capture
3.9 "Capture"
Analyze
TCP 3.10 "Analyze"
Statistics
3.11 "Statistics"
Help
3.12
"Help"

Ctrl+K
3.5. "File"
WireSharkFile 3.2 File
3.3. File

3.2. File

Open...

Ctrl+O

5.2.1

Open Recent

Merge

5.4

Close

Ctrl+W

Wireshark
5.3.1 "save Capture File As/"

Save

Ctrl+S

Save As

Shift+Ctrl+S

( 5.3.1
"save Capture File As/")

File Set>List Files

, 5.5

File Set>Next File

File set>Previous Files

Export> as Plain Text File

plain ASCII text


Wireshark , 5.6.1 "Export as Plain Text File"

Export >as "PostScript" Files

PostScript
5.6.2 "Export as PostScript File"

Export > as "CSV" (Comma Separated Values Packet Summary) File...

.csv ,
5.6.3 "Export as CSV (Comma Separated Values) File"

Export > as PSML File

PSML XML
5.6.4 "Export as PSML File"

Export as "PDML" File...

PDML() XML
, 5.6.5 "Export as PDML File"

Packet byte
5.6.6 "Export selected packet bytes"

Export > Selected Packet Bytes


Print

Ctrl+P

5.7

Quit

Ctrl+Q

Wireshark,Wireshark

3.6. "Edit"
Wireshark "Edit" 3.3 Edit
3.4. "Edit"

3.3. Edit

Copy>As Filter

Shift+Ctrl+C

Find Packet...

Ctrl+F

???

Find Next

Ctrl+N

Find packet

Find Previous

Ctrl+B

Mark Packet(toggle)

Ctrl+M

6.9

Find Next Mark

Shift+Ctrl+N

Find Previous Mark

Ctrl+Shift+B

Mark ALL Packets

Unmark All Packet

Set Time
Reference(toggle)

Ctrl+T

, 6.10.1

Find Next Reference

Find Previous Reference...

Preferences...

Shift+Ctrl+P

Wireshark
9.5

3.7. "View"
3.4 "View" Wireshark View
3.5. "View"

3.4. "View"

Main Toolbar

Main toolbar(), 3.13 "Main"

Filter Toolbar

Filter Toolbar() 3.14 "Filter"

Statusbar

, 3.18

Packet List

Packet List pane(), 3.15 "Packet List"

Packet Details

Packet details pane(). 3.16 "Packet Details"

Packet Bytes

packet Bytes pane() 3.17 "Packet Byte"


Wireshark -() 6.10

Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456

"Time of Day","Date and Time of Day","Seconds Since Beginning of


Capture","Seconds Since Previous Captured Packet""Seconds Since Previous Displayed
Packet"

Time Display Format > Time of Day: 01:02:03.123456

-(), 6.10

Time Display Format > Seconds Since Beginning of Capture: 123.123456

6.10

Time Display Format > Seconds Since Previous Captured Packet: 1.123456

6.10

Time Display Format > Seconds Since Previous Displayed Packet: 1.123456

, 6.10

Time Display Format > ----- 6.10


Time Display Format > Automatic (File Format Precision)

"Automatic","Seconds""...seconds"

Time Display Format > Seconds: 0

1 6.10

Time Display Format > ...seconds: 0....

1 0.1 0.01 6.10

Name Resolution > Resolve Name

7.6

Name Resolution > Enable for MAC Layer

Mac

Name Resolution > Enable for Network Layer

(ip ), 7.6

Name Resolution > Enable for Transport Layer

7.6

Colorize Packet List

Auto Scroll in Live Capture

Zoom In

Ctrl++

Zoom Out

Ctrl+-

Normal Size

Ctrl+=

Resize All Columns

Expand Subtrees

Expand All

Collapse All

Coloring Rules...

9.3

Show Packet in New Window

( View,Byte View )

Reload

Ctrl+R

3.8. "Go"
Wireshark "GO" 3.5 "GO"
3.6. "GO"

3.5. "GO"

Back

Alt+Left

ForWard

Alt+Right

Go to Packet

Ctrl+G

6.8

Go to Corresponding Packet

Previous Packet

Ctrl+Up

Next Packet

Ctrl+Down

First Packet

Last Packet

3.9. "Capture"
"Capture" 3.6 "Capture"
3.7. "Capture"

3.6. "Capture"

Interface...
Options...
Start
Stop

, 4.4

Ctrl+K ,( 4.5 )

Ctrl+E 4.9.1

Restart

Capture Filters...

6.6

3.10. "Analyze"
"Analyze" 3.7 "analyze"
3.8. "Analyze"

3.7. "analyze"

Display Filters...

6.6

Apply as Filter>...

Detail

Prepare a Filter>...

Detail

Firewall ACL Rules

ACL (), Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, IPv4+

Enable Protocols...
[a]

Shift+Ctrl+R 9.4.1 "Enable Protocols"

3.11. "Statistics"
Wireshark "statistics" 3.8
3.9. "Statistics"

3.8.

Summary

, 8.2

Protocol Hierarchy

8.3 "Protocol Hierarchy"

Conversations/

(),???

EndPoints

(), 8.4.2 "Endpoints"

IO Graphs

(-) 8.6 "IO Graphs"

Conversation List

, 8.5.3 Conversation List/

Endpoint List

8.4.3 "Endpoint List"

Service Response Time

8.7

ANSI

8.8

GSM

8.8

H.225...

8.8

ISUP Message

8.8

Types

8.8

MTP3

8.8

RTP

8.8

GSM

8.8

SIP

8.8

VOIP Calls...

8.8

WAP-WSP...

8.8

HTTP

HTTP / 8.8

ISUP Messages

8.8

ONC-RPC Programs

8.8

TCP Stream Graph

8.8

3.12. "Help"
3.9
3.10.

3.9.

Contents

F1

Supported Protocols

Manual Pages>...

Wireshark Online>

About Wireshark

Wireshark

WEB

Wireshark
3.13. "Main"
,

(.)
3.11.

3.10.

Capture/Interfaces...

, 4.3

Capture/Options

4.4

Start

Capture/Start

STOP

Capture/Stop

4.3

Restart

Capture/Restart

Open...

File/Open

5.2.1
( 5.3.1 "save
Capture File As/"

Save As...

File/Save As...

Close

File/Close

Reload

View/Reload

Print

File/Print

( 5.7 )

Find packet...

Edit/Find Packet...

6.7

Go Back

Go/Go Back

Go Forward

Go/Go Forward

Go to Packet...

Go/Go to Packet...

Go To First
Packet

Go/First Packet

Go To Last
Packet

Go/Last Packet

Colorize

View/Colorize

Auto Scroll in Live Capture

View/Auto Scroll in Live Capture

Zoom in

View/Zoom In

zoom out

View/Zoom Out

Normal Size

View/Normal Size

100%

Resize Columns View/Resize Columns

()

Capture Filters.. Capture/Capture Filters...

6.6

Display Filters..

6.6

Analyze/ Filters...

Coloring Rules... View/Coloring Rules...

9.3

Preferences...

Edit/Preferences

9.5

Help

Help/Contents

3.14. "Filter"
6.3
3.12.

3.11.

, 6.7

[a]

6.4 ,

Apply()

...

6.5 Filter Expression/

[a]

Filter 0.99.4

3.15. "Packet List"


Packet list/
3.13. "Packet list/"

"Packet Detail/""Packet Byte/"


()Wireshark

TCP ,IP ,()( IP


( IP ) TCP IP
9.5

No.
Time 6.10
Source
Destination
Protocol
Info
6.3
3.16. "Packet Details"
"Packet Details/"()
3.14. "Packet Details/"

6.4

Generated fields/ Wireshark


Wireshark TCP TCP [SEQ/ACK analysis]
Links/ Wireshark

3.17. "Packet Byte"


Packet Byte/ 16
3.15. Packet Byte/

16 16 ASCII
Wireshark 7.5 .

3.16. "Packet Bytes/"

3.18.

3.17.

Wireshark
3.18.

P:
D:
M: .
3.19.

"Packet Detail/"

( app.opcode)

4
4.1.
Wireshark
Wireshark
(ATM...)
...

4.8
N 4.6

Wireshark
()
()
4.2.
Wireshark

:http://wiki.wireshark.org/CaptureSetup.

[12]
root/Administrator


4.3.

4.1 "Capture Interfaces",

"

"

" 4.2 "Capture Option/"


"

wireshark -i eth0 -k
eth0 9.2 Wireshark
4.4.
"Interface..." 4.1 "Capture Interfaces"

"Capture Interfaces"/

Wireshark Wireshark Wireshark

4.1. "Capture Interfaces"

IP
Wireshark IP IP DHCP )"Unknown", IP
().
Packets

Packets/s

Stop

Capture

Options

, 4.5
Details( Win32 )

Close

4.5.
"start..."(),Wireshark "Capture Option/" 4.2 "Capture Option/
"
4.2. "Capture Option/"

4.5.1.
Interface

non-loopback()(windows
)
-i <interface>
IP address
IP IP "unknown"
Link-layer header type
4.7
Buffer size: n megabyte(s)

Windows
Capture packets in promiscuous mode
Wireshark ()Wireshark
[13]
()

http://www.wireshark.org/faq.html#promiscsniff
Limit each packet to n bytes
[14]
"snaplen". 65535
())

IP TCP
cpu

( snaplen )

Capture Filter
4.8
6.6
4.5.2.
4.6
File
4.6

Use multiple files


Wireshark
Next file every n megabyte(s)
Use multiple files,
Next file every n minutes(s)
Use multiple files,
Ring buffer with n files
Use multiple files,
Stop capture after n file(s)
Use multiple files,( n n+1 ?)
4.5.3.
... after n packet(s)

... after n megabytes(s)


(byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) )"use multiple files",
... after n minute(s)

4.5.4.
Update list of packets in real time
Wireshark Wireshark

Automatic scrolling in live capture


Wireshark
"update list of packets in real time",
Hide capture info dialog

4.5.5.
Enable MAC name resolution
Wireshark MAC 7.6
Enable network name resolution
Wireshark 7.6
4.5.6.
start , Cancel .
4.9
4.6.
libpcap (linux )() Wireshark

()"Multiple files/
"

Wireshark ()
()

???
4.1.
"File"

"Use multiple files" "Ring buffer with n files"

Mode

Single temporary file

etherXXXXXX (where XXXXXX )

foo.cap

Single named file

foo.cap

foo.cap

Multiple
files,continuous

foo_00001_20040205110102.cap,
foo_00002_20040205110102.cap, ...

foo.cap

Multiple files,ring
buffer

foo_00001_20040205110102.cap,
foo_00002_20040205110102.cap, ...

Single temporary file


().
Single named file

Multiple files,continuous
single name file
Multiple files,ring buffer
"multiple files continuous" ring buffer with n

4.7.

BSD 802.11 ()"802.11""Ethernet""Ethernet"


();"802.11" 802.11 "802.11
""802.11"
Endace DAG card()(E synchronous serial line
)"PPP over serial" "Cisco HDLC"( google )
Endace DAG card() ATM "RFC 1483 IP-over-ATM""Sun raw ATM" RFC 1483
IP(RFC 1483 LLC-encapsulated IP,) SunATM
"Ethernet""DOCSIS" Cisco Cable Modem Termination System(CMTS
) DOCSIS()"DOCSIS",
4.8.
Wireshark libpcap (what about winpcap?) tcpdump

http://wiki.wireshark.org/CaptureFilters .
Wireshark ( 4.2 "Capture Option/") tcpdump
tcpdump http://www.tcpdump.org/tcpdump_man.html tcpdump
(and/or) not:
[not] primitive [and|or [not] primitive ...]
4.1. telnet
tcp port 23 and host 10.0.0.5
10.0.0.5 Telnet and 4.2 10.0.0.5 telnet
10.0.0.5 telnet
4.2. 10.0.0.5 telnet
tcp port 23 and not src host 10.0.0.5

[src|dst] host <host>


ip src|dst

ether [src|dst] host <ehost>


src|dst ether host

gateway host <host>
host host ip ip host
[src|dst] net <net> [{mask <mask>}|{len <len>}]
src|dst
CIDR()
[tcp|udp] [src|dst] port <port>
tcp,udp src|dst tcp|udp tcp udp tcp|udp src|dst

less|greater <length>

ip|ether proto <protocol>


ip
ether|ip broadcast|multicast
/ip
<expr> relop <expr>
http://www.tcpdump.org/tcpdump_man.html
4.8.1.
Wireshark ( SSH,X11 Window )
()
wireshark ()
Wireshark

SSH_CONNECTION (ssh)
<remote IP> <remote port> <local IP> <local port>
SSH_CLIENT (ssh)
<remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?)
<remote name>
DISPLAY (x11)
[remote name]:<display num>
SESSIONNAME (terminal server)
<remote name>
4.9.

4.3.

()

"Hide capture info dialog box"


4.9.1.

stop"

1. "

"Hide capture info dialog"

2. "Capture/
3. "

Stop"

Stop"

4. :Ctrl+E
5.
4.9.2.

:
1. "Capture/
2. "

[12]

Restart"

Restart"

Windows
Wireshark

[14]
,, Winpcap snap:len:
snapshot length,snaplen
[13]

5
5.1.





5.2.
Wireshark File/

OpenWireshark

5.2.1

Wireshark
Wireshark ()
Wireshark (libpcap tcpdump/Windump libpcap/WinPcap )Wireshark
5.2.2
5.2.1.
5.1 Wireshark

GTK+


Open/OK
Cancel Wireshark
Wireshark
()
"filter:"
filter ( 6.3
)
XXXX-we need a better description of these read filters()
7.6

5.1.
5.1. Windows

Microsoft Windows(GTK2 installed)


wireshark

"help"
"Filter." windows (
)
: Wireshark Open
[a]

5.2. GtK

Unix/Linux:GTK version >= 2.4


Gimp/GNOME

+
"-"("Home","Desktop","Filesystem"
)
Wireshark "Open"

5.3. GTK

Unix/Linux: GTK version < 2.4 / Microsoft Windows (GTK1 installed)


gimp/gnome windows gtk1

Open

[a]

Wireshark

5.2.2.

libpcap, tcpdump and various other tools using tcpdump's capture format
Sun snoop and atmsnoop
Shomiti/Finisar Surveyor captures
Novell LANalyzer captures
Microsoft Network Monitor captures
AIX's iptrace captures
Cinco Networks NetXray captures
Network Associates Windows-based Sniffer and Sniffer Pro captures
Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
RADCOM's WAN/LAN Analyzer captures
Network Instruments Observer version 9 captures
Lucent/Ascend router debug output
HP-UX's nettl
Toshiba's ISDN routers dump output
ISDN4BSD i4btrace utility
traces from the EyeSDN USB S0
IPLog format from the Cisco Secure Intrusion Detection System
pppd logs (pppdump format)
the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
the text output from the DBS Etherwatch VMS utility
Visual Networks' Visual UpTime traffic capture
the output from CoSine L2 debug
the output from Accellent's 5Views LAN agents
Endace Measurement Systems' ERF format captures
Linux Bluez Bluetooth stack hcidump -w traces
Catapult DCT2000 .out files

()
wireshark
5.3.
File->Save As...

???
5.3.1. "save Capture File As/"

"Save Capture File As"???

GTK+
5.2. "Save Capture File As"
5.4. Windows

Microsoft Windows(GTK2 installed)


wireshark

"help"
-.pcap,Wireshark

5.5. GtK

Unix/Linux:GTK version >= 2.4


Gimp/GNOME

"Browse for other folders"+

5.6. GTK

Unix/Linux: GTK version < 2.4 / Microsoft Windows (GTK1 installed)


gimp/gnome windows gtk1


1.
2.
3. 5.8
4. "File type/"???

()
5. "Save/OK"
6. "Cancel"
5.3.2.
Wireshark (libpcap)

7.3
Wireshark
libpcap, tcpdump and various other tools using tcpdump's capture format (*.pcap,*.cap,*.dmp)
Accellent 5Views (*.5vw)
HP-UX's nettl (*.TRC0,*.TRC1)
Microsoft Network Monitor - NetMon (*.cap)
Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)
Network Associates Sniffer - Windows (*.cap)
Network Instruments Observer version 9 (*.bfr)
Novell LANalyzer (*.tr1)
Sun snoop (*.snoop,*.cap)
Visual Networks Visual UpTime traffic (*.*)
5.4.
(Wireshark
Wireshark )

"File"menu item "Merge"( "") 5.4.1


Wireshark
Wireshark ()
mergecap ???
5.4.1.

Wireshark

"Open Capture Files/" 5.2.1

5.3. "Merge Capture File As"


5.7. Windows ""

Microsoft Windows(GTK2 installed)


wireshark

5.8. GtK

Unix/Linux:GTK version >= 2.4


Gimp/GNOME

5.9. GTK

Unix/Linux: GTK version < 2.4 / Microsoft Windows (GTK1 installed)

5.5.
( 4.6 )"Multiple Files/".
Wireshark
Wireshark t ?
+"_"++"_"++"test_00001_20060420183910.pcap".
("test")(:".pcap")
Wireshark

Wireshark

"File""File Set"
List Files
Next Files

Previous Files
5.5.1.
5.10.

Filename ()
Created
Last Modified
size
"...in directory:"

Close
5.6.
Wireshark Wireshark

XXX - add detailed descriptions of the output formats and some sample output, too./
5.6.1. "Export as Plain Text File"
"plain Asc "
5.11. "Export as Plain Text File"

Export to file:
Packet Range 5.8
Packet Details ???
5.6.2. "Export as PostScript File"
PostScript PostScript

PostScript ghostscript PDF foo.ps ps2pdf foo.ps


5.12. "Export as PostScript File"

Export to file:
Packet Range: 5.8
Packet Details: ???
5.6.3. "Export as CSV (Comma Separated Values) File"

xp
CSV
Export to file
Packet Range 5.8
5.6.4. "Export as PSML File"
PSML xml PSML http://www.nbee.org/Docs/NetPDL/PSML.htm.
5.13. "Export as PSML File"

Export to file:
Packet Range: 5.8
Packet details PSML
5.6.5. "Export as PDML File"
PDML PDML xml PDML :http://www.nbee.org/Docs/NetPDL/PDML.htm

PDML Wireshark PDML


5.14. "Export as PDML File"

Export to file:
Packet Range: 5.8
Packet details PDML
5.6.6. "Export selected packet bytes"
5.15. "Export Selected Packet Bytes"

Name:
Save in folder:
Browser for other folders
5.6.7. "Export Objects"
HTML HTTP

( Wireshark ) GTK1 Wireshark

5.16. "Export Objects"


Packet num

Hostname
HTTP
Content Type
HTTP
Bytes

Filename
URL ("/")"HTTP POST"
( CGI URL)

Help
(5.6.7 )
Close

Save As
filename
Save All
filename /
,Wireshark ()
5.7.
File "Print..." 5.17 "Print"
5.7.1.
5.17. "Print"

Printer

Print Text
plain text
PostScript
[15]
PostScript
Output to file

Output to file:, Browse


Print command

Windows
lpr. You would change it to specify a particular queue if you need to print to a queue other than the default:
lpr -Pmypostscript
Output to file,
Packet Range
5.8
Packet Format
5.19 "Packet Format"

5.8.
,()"Packet Range"
5.18. "Packet Range"

Captured Displayed
All packets

Selected packet only

Marked packets only

From first to last marked packet

Specify a packet range


5,50-15,20- 5 10-15 ( 1015) 20
5.9.

5.19. "Packet Format"

Packet summary line


"Packet List"
Packet Details
Packet Details
All collapsed
"Packet Details""all collapsed"()
As displayed
"Packet Details"
All expanded
"Packet Details""all expanded"()
Packet bytes
"Packet Bytes"
Each Packet on a new page
(/ text )

[15]

Output to file,out put to file


.out, acrobat .ps, Acrobat Distiller PDF

PostScript print text

6
6.1.

"+", 6.1 Wireshark TCP


[16]
TCP (ack:190)
6.1. Wireshark TCP

Wireshark ((update list of packet in real time ))


6.2
Display->Show Packet in New Windows
6.2.

6.2.

6.2.1.
6.3.


6.1.

Mark Packet(toggle)

Edit

Set Time
Reference(toggle)

Edit

Apply as Filter

Analyze

Prepare a Filter

Analyze

Conversation Filter

()(XXX - add a new section describing this better.---


)

STCP

Follow TCP Stream

Analyze

TCP

Follow SSL Stream

Analyze

TCP SSL

Copy/Summary(TEXT)

( tab )

Copy/Summary(CSV)

(CSV ,)

Copy/As Filter

Copy/Bytes(Offset Hex
Text)

16

Copy/Bytes(Offset Text)

16

Copy/ Bytes (Printable


Text Only)

ASCII

-----

-----

Copy/ Bytes (HEX Stream) -

16 an unpunctuated list of hex digits

Copy/ Bytes (Binary


Stream)

raw binary "MIME-type application/octet-stream"


GTK+1.x

Export Selected Packet


Bytes...

File

Raw packet

Decode As...

Analyze

()

Print...

File

---

Show Packet in New


Window

View

6.2.2.
6.4.

6.2.

Expand Subtrees

View

Expand All

View

Collapse All

View

Copy/Description

Copy/AS Filter

Edit

Copy/Bytes(Offset Hex
Text)

Hexdump-like
()

Copy/Bytes(Offset Hex) -

Hexdump-like
()

Copy/Bytes (Printable
Text Only)

ASCII

Copy/Bytes(Hex
Stream)

j unpunctuated list hex digits


()

Copy/Bytes(Binary
Stream)

raw binary (
) MIME-typeApplication/octet-stream. GTK+1.x

Export Selected Packet


Bytes...

File

raw packet

-----

---

Apply as Filter

analyze

Prepare a Filter

Analyze

Follow TCP Stream

Analyze

TCP

Follow SSL Stream

Analyze

Wiki Protocol Page

WIKI

Filter Field Reference

WEB

Protocol Preferences...

???

Decode As...

Analyze

()

Resolve Name...

View

Go to corresponding
Packet ...

Go

-----

-----

TNND,
6.3.
Wireshark 4.8

:





Filter ??? tcp
6.5. TCP

TCP 1-10
11

Wireshark
Add Expression.... 6.5 Filter Expression/
192.168.0.1 ip.addr==192.168.0.1


Clear
6.4.
Wireshark

Wireshark Wiki Display http://wiki.wireshark.org/DisplayFilters.


6.4.1.
:TCP TCP

"Help/Supported Protocols"//"Display Filter Fields/"


6.4.2.
6.3

(C-like)
6.3.
English   C-like   Description                Example
eq        ==       Equal                      ip.addr == 10.0.0.5
ne        !=       Not equal                  ip.addr != 10.0.0.5
gt        >        Greater than               frame.pkt_len > 10
lt        <        Less than                  frame.pkt_len < 128
ge        >=       Greater than or equal to   frame.pkt_len ge 0x100
le        <=       Less than or equal to      frame.pkt_len <= 0x20

6.4.3.
6.4
6.4.
English   C-like   Description    Example
and       &&       Logical AND    ip.addr == 10.0.0.5 and tcp.flags.fin
or        ||       Logical OR     ip.addr == 10.0.0.5 or ip.addr == 192.1.1.1
xor       ^^       Logical XOR    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !        Logical NOT    not llc

Substring Operator
Wireshark lets you select a subsequence of a byte-sequence field: after the field name, place a pair of brackets [] containing a comma-separated list of range specifiers. Offsets start at 0.
eth.src[0:3] == 00:00:83
n:m selects m bytes starting at offset n.
eth.src[1-2] == 00:83
n-m selects the bytes from offset n up to and including offset m.
eth.src[:4] == 00:00:83:00
:m selects the first m bytes (the same as 0:m).
eth.src[4:] == 20:20
n: selects the bytes from offset n to the end of the sequence.
eth.src[2] == 83
n selects the single byte at offset n (the same as n:1).
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
Wireshark lets you string several single ranges together in a comma-separated list inside the brackets to form a compound range; the selected pieces are concatenated in the order given.

[...]

6.4.4.

The "!=" operator behaves unexpectedly on fields that can occur more than once in a packet, such as eth.addr, ip.addr, tcp.port and udp.port.

ip.addr == 1.2.3.4 selects packets that contain the IP address 1.2.3.4.

ip.addr != 1.2.3.4 looks like it should select packets that do not contain the IP address 1.2.3.4, but it does not. It reads as "the packet contains a field named ip.addr whose value is different from 1.2.3.4". Since every IP datagram carries both a source and a destination address, this is true whenever at least one of the two differs from 1.2.3.4, so most packets to or from 1.2.3.4 still pass the filter.
To exclude all packets to or from 1.2.3.4, write !(ip.addr == 1.2.3.4) instead, which reads as "the packet does not contain an ip.addr field equal to 1.2.3.4".
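As an added example (not code from the Wireshark project), the following Python models two rules this chapter describes: the substring operator of 6.4.3, applied to the guide's own eth.src examples, and the 6.4.4 behaviour of "!=" on the two-valued ip.addr field compared with the recommended !(ip.addr == x) form. The field values and the two sample packets are constructed for the demonstration.

```python
"""Model of two Wireshark display-filter rules (substring ranges and the
"!=" behaviour on multi-valued fields). Added example with constructed data;
this is not the Wireshark filter engine."""
from typing import Callable, List, Sequence


def parse_hex_bytes(text: str) -> bytes:
    """Parse a colon-separated hex string such as '00:00:83' into bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def format_hex_bytes(data: bytes) -> str:
    """Format bytes the way Wireshark prints them: two hex digits per byte, colon separated."""
    return ":".join(f"{b:02x}" for b in data)


def slice_field(value: bytes, spec: str) -> bytes:
    """Apply a range specifier (the text between the brackets) to a byte field.

    spec is a comma-separated list of ranges, each written as
    n:m (m bytes from offset n), n-m (offsets n..m inclusive),
    :m (first m bytes), n: (offset n to the end) or n (single byte at n).
    Offsets start at 0; the selected pieces are concatenated in order.
    """
    out = bytearray()
    for piece in spec.split(","):
        piece = piece.strip()
        if "-" in piece:                      # n-m: inclusive offset range
            start, end = (int(x) for x in piece.split("-"))
            out += value[start:end + 1]
        elif ":" in piece:
            start_s, len_s = piece.split(":")
            if start_s == "":                 # :m  -> same as 0:m
                out += value[:int(len_s)]
            elif len_s == "":                 # n:  -> offset n to the end
                out += value[int(start_s):]
            else:                             # n:m -> m bytes from offset n
                start, length = int(start_s), int(len_s)
                out += value[start:start + length]
        else:                                 # n   -> same as n:1
            start = int(piece)
            out += value[start:start + 1]
    return bytes(out)


def slice_matches(field_text: str, spec: str, expected_text: str) -> bool:
    """Evaluate 'field[spec] == expected' for a colon-hex field value."""
    return slice_field(parse_hex_bytes(field_text), spec) == parse_hex_bytes(expected_text)


def field_ne(values: Sequence[str], target: str) -> bool:
    """'ip.addr != target' as section 6.4.4 describes it: true when ANY
    occurrence of the field has a value different from target."""
    return any(v != target for v in values)


def not_field_eq(values: Sequence[str], target: str) -> bool:
    """'!(ip.addr == target)': true only when NO occurrence equals target."""
    return not any(v == target for v in values)


# Constructed sample data: the eth.src value behind the guide's range examples,
# and two IP packets, each carrying source and destination in ip.addr.
ETH_SRC = "00:00:83:00:20:20"
PACKETS: List[List[str]] = [
    ["1.2.3.4", "10.0.0.9"],   # traffic to/from 1.2.3.4, which a "not 1.2.3.4" filter should drop
    ["10.0.0.1", "10.0.0.9"],  # unrelated traffic
]


def packets_passing(filter_fn: Callable[[Sequence[str], str], bool],
                    target: str = "1.2.3.4") -> List[int]:
    """Indices of PACKETS kept by a filter built from filter_fn."""
    return [i for i, addrs in enumerate(PACKETS) if filter_fn(addrs, target)]


if __name__ == "__main__":
    for spec in ("0:3", "1-2", ":4", "4:", "2", "0:3,1-2,:4,4:,2"):
        print(f"eth.src[{spec}] -> {format_hex_bytes(slice_field(parse_hex_bytes(ETH_SRC), spec))}")
    print("ip.addr != 1.2.3.4 keeps packets:", packets_passing(field_ne))
    print("!(ip.addr == 1.2.3.4) keeps packets:", packets_passing(not_field_eq))
```

Running it shows that `ip.addr != 1.2.3.4` still keeps the packet involving 1.2.3.4, while `!(ip.addr == 1.2.3.4)` drops it.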
6.5. Filter Expression/
Wireshark
Wireshark

()
6.6.

Field Name
+
Relation
is present
()
("=="),
Value
field name ( ).
Predefined values
C
Range

OK
OK
Cancel
Cancel Add Expression
6.6.

1 Capture Capture Filters...2 Analyze Display filter...Wireshark


6.7 """"

Save OK Apply wireshark


6.7. """"

New
Filter nameFilter string "new"( filtername
)
Delete

Filter name

Filter string

Add Expression
6.5 Filter Expression/
OK

save
???
Close

6.7.
Edit Find Packet....Wireshark 6.8
"Find Packet/".
6.7.1.
6.8. "Find Packet/"

Display filter
Filter: OK()
192.168.0.1 :
ip.addr == 192.168.0.1 and tcp.flags.syn
6.3
Hex Value

"00:00"
String

UP

Down
()
6.7.2. "Find Next/"

6.7.3. "Find Previous/"

6.8.
"Go"
6.8.1. "GO Back"
Go back web
6.8.2. "Go Forward /"
web
6.8.3. "Go to Packet/"
6.9. "GO to packet/"

OK( jump to, OK?).


6.8.4. "Go to Corresponding Packet/"

()
6.8.5. "Go to First Packet/"

6.8.6. "Go to Last Packet/"

6.9.

// 5.8

Mark packet(toggle)
Mark all packets .
Unmark all packets
"Edit"Mark packet(toggle)
6.10.

7.3
3.5 "File"
:
Date and Time of Day: 1970-01-01 01:02:03.123456
Time of Day: 01:02:03.123456
Seconds Since Beginning of Capture: 123.123456 (
6.10.1 )
Seconds Since Previous Captured Packet: 1.123456
Seconds Since Previous Displayed Packet: 1.123456
( 10 )
Automatic ()
Seconds, Deciseconds, Centiseconds, Milliseconds, Microseconds or Nanoseconds
0.
Seconds Since Previous Packet 1.123456."Automatic"
libpcap () 1(nanoseconds), 1.123456000.
6.10.1.
,

"Seconds Since Beginning of Capture"

Edit Time Reference 3.6 "Edit",


Set Time Reference(toggle)
Find Next
Find Previous
6.10.

time *REF*( 10 )

[16]

16 190

7
7.1.
Wireshark
7.2. "Follow TCP Stream"
TCP Tcp "Following TCP streams" telnet
TCP Wireshark "Following TCP streams"
TCP Wireshark "Following TCP Streams"()
Wireshark TCP 7.1 "Follow TCP Stream"

Follow Tcp Stream Tcp


7.2.1. "Follow TCP Stream"
7.1. "Follow TCP Stream"

A B B A
"Edit/Preferences" "Colors"
XXX - What about line wrapping (maximum line length) and CRNL conversions?
TCP

1. Save As
2. Print
3. Direction ("Entire conversation", "data from A to B only" or "data from B to A only").
4. Filter out this stream TCP
5. Close

1. ASCII ASCII ASCII HTTP.


2. EBCDIC. For the big-iron freaks out there. EBCDIC IBM
3. HEX Dump.
4. C Arrays. C
5. RAW ASCII save As
7.3.
Wireshark

Wireshark libpcap(WinPcap) library() libpcap(winpcap)


Wireshark
7.3.1. Wireshark
Wireshark ( 1.1.1970 )(10 ) Wireshark
3.7 "View""Time Display Format"
Wireshark
Wireshark libpcap(WinPcap)
7.3.2.

Wireshark "0" "0.123456789"

Wireshark() libpcap "0.123456"

libpcap ()Wireshark
7.3.3.
"Wireshark "Wireshark
()

USB USB

[17]
USB ( USB )
7.4.
:-)

()

7.1.
?
6 2000.

UTC (Coordinated Universal Time) Zulu () GMT ()( UTC


0.9 )UTC 0()-12~+14
UTC 1 "+1"( UTC ) 3 UTC

( UTC+05:30)
http://en.wikipedia.org/wiki/time_zone http://en.wikipedia.org/wiki/Coordinated_Universal_Time
7.2.
DST?
Daylight Saving Time(DST),(
) DST UTC ( 2 )

DST
DST UTC
http://en.wikipedia.org/wiki/Daylight_saving.
7.4.1.

1.
2.

(Network Time Protocol NTP) NTP Wireshark


NTP http://www.ntp.org/
7.4.2. Wireshark
Wireshark
Wireshark (libpcap ), sniffer,EtherPeek,AiroPeek Sun snoop UTC
UNIX Windows NT (NT 4.0, 2000, XP, 2003, Vista) UTC. Wireshark
UTC "windows 9X (win95,98,winMe)"
WinPcap UTC Wireshark.
Microsoft Network Monitor,Dos-based Sniffer, Network Instruments Observer
Wireshark UTC Wireshark
UTC
Wireshark UTC
UTC
UTC DST

7.3. UTC
                          Los Angeles  New York  Madrid  London  Berlin  Tokyo
Capture File (UTC)        10:00        10:00     10:00   10:00   10:00   10:00
Local Offset to UTC       -8           -5        -1      0       +1      +9
Displayed Time (Local)    02:00        05:00     09:00   10:00   11:00   19:00

2:00 UTC 10:00.


11:00
2:00,
11:00
///DST
/DST
7.5.
7.5.1.
() TCP ,TCP
(:or is stream-based like TCP, which doesn't know data chunks at all.)
()

Wireshark //reassembling(desegmentation, defragmentation, ...)


7.5.2. Wireshark
Wireshark Wireshark Wireshark "Packet Bytes"
(Packet Bytes 3.7 "View")
7.2. "Packet Bytes "

"Packet Bytes"

HTTP Get ( HTML )Wireshark 16 "Packet Bytes" "Uncompressed entity body"
2005 9 200 9

1. (TCP)
2. (:HTTP)
tooltip
7.6.
/()/ Wireshark
???

7.6.1.
Wireshark


()
DNS Wireshark Wireshark DNS
Wireshark wireshark wireshark
Wireshark DHCP Wireshark (
DNS dns )

"View/Reload"
7.6.2. (mac )
MAC (e.g. 00:09:5b:01:02:03)"Human readable"
ARP () Wireshark IP (e.g. 00:09:5b:01:02:03->192.168.0.1)
Ethernet codes(ethers file) ARP Wireshark ethers mac
(e.g. 00:09:5b:01:02:03 -> homerouter).
Ethernet manufacturer codes (manuf file) ARP ethers Wireshark mac
mac IEEE (
)(e.g.
00:09:5b:01:02:03 -> Netgear_01:02:03).
7.6.3. IP ()
IP (e.g. 216.239.37.99)/"Human readable"

DNS/ADNS name resolution(system/library service)Wireshark ADNS library -? IP


(e.g. 216.239.37.99 -> www.1.google.com). DNS DNS Wireshark DNS
ADNS library()

Wireshark wireshark
ADNS
DNS vs. ADNS ip "Human readable"() DNS gethostname()
hosts (e.g. /etc/hosts,/windows/system32/drivers/etc/hosts) DNS

DNS ADNS DNS gethost() DNS


()ADNS DNS Wireshark
ADNS "View/Reload"

hosts name resolution(hosts file) dns Wireshark IP (e.g. 216.239.37.99 -> www.google.com)
7.6.4. IPX ()
ipxnet name resolution (ipxnets file) ()
7.6.5. TCP/UDP ()
[18]
TCP/UDP (e.g.80)"human readable"
TCP/UDP port conversion (system service) Wireshark TCP/UDP (e.g. 80->http)
XXX - mention the role of the /etc/services file (but don't forget the files and folders section)!
7.7.
/

redundancy check()

100%
CRC32

http://en.wikipedia.org/wiki/Checksum
7.7.1. Wireshark
Wireshark TCPIP
"normal receiver".e.g.:[correct], [invalid, must be 0x12345678]

7.7.2. Checksum offloading

Wireshark

IP checksum offloading

checksum offloading WiresharkWireshark

Checksum offloading [invalid]

Checksum offloading
[19]
checksum offloading
Wireshark

[17]

: Wireshark

[19]
Windows ->->->-
[18]

8
8.1.
Wireshark
()( HTTP )

o Summary
o Protocol Hierarchy:
o Endpoints ip
o Conversations IP
o IO Graphs

o Service Response Time
o Various other

8.2.

8.1. "Summary"

File

Time

Capture
()
Display

Traffic
Captured Displayed
8.3. "Protocol Hierarchy"

8.2. "Protocol Hierarchy"

+/-

Protocol

%Packets

Packet

Bytes

MBit/s

End Packets
End Bytes
End MBit/s

99.17% IP, 85.83% TCP ( 100%)

100%: TCP 85.83%(HTTP...)


85% TCP TCP ACK

IP (
ip IP )
8.4. "Endpoints"

Hostlist/ Endpoint
8.4.1. Endpoint?
Wireshark :
Ethernet
MAC
Fibre Channel

FDDI
FDDI FDDI MAC
IPV4
IP IP
IPX

TCP
TCP IP TCP IP TCP
Token Ring
Token Ring() Token Ring MAC
UDP
UDP IP UDP UDP IP UDP
Broadcast / multicast endpoints/
/()
8.4.2. "Endpoints"

8.3. "Endpoints"

("Ethernet :5" 5 Ethernet )


().

Name resolution ( Ethernet endpoint MAC )


"Netgear", IP ( arp )( mac :ff:ff:ff:ff:ff:ff)
MAC

()
8.4.3. "Endpoint List"
Before the combined window described above was available, each of its pages was shown as a separate window. Even though the combined
window is much more convenient to use, these separate windows are still available. The main reason is that they might process faster for very large
capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
8.5. /conversations

8.5.1. /conversation?
IP IP
8.5.2. "Conversations/" window
8.4.2 "Endpoints"
8.4. "Conversations"

8.5.3. Conversation List/


Before the combined window described above was available, each of its pages was shown as a separate window. Even though the combined
window is much more convenient to use, these separate windows are still available. The main reason is that they might process faster for very large
capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
8.6. "IO Graphs"

8.5. "IO Graphs"

Graphs
Graph 1-5: 1-5 ( graph 1)
Color: ()
Filter:(only the packets that pass this filter will be taken into account for that graph)
Style:(Line/Impulse/FBar)
X Axis
Tick interval X (10/1/0.1/0.01/0.001 seconds)
Pixels per tick X 10/5/2/1 px
Y Axis
Unit y (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...)
Scale Y (10,20,50,100,200,500,...)
XXX - describe the Advanced feature.
8.7.

DCE-RPC

Fibre Channel
H.225 RAS
LDAP
MGCP
ONC-RPC
SMB
DCE-RPC

Windows ()
8.7.1. "Service Response Time DCE-RPC"
DCE-RPC
8.6. "Compute DCE-RPC statistics"

8.7. The "DCE-RPC Statistic for ..."

Each row corresponds to a method of the interface selected (so the EPM interface in version 3 has 7 methods). For each method the number of calls,
and the statistics of the SRT time is calculated.
8.8.
The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document.
Some of these statistics are described at the http://wiki.wireshark.org/Statistics pages.

9 Wireshark

9.6 0.99.5 Wireshark


9.1.
Wireshark Wireshark Wireshark
:
Wireshark
()


9.2. Wireshark
Wireshark
Wireshark Wireshark -h
9.1 Wireshark
9.1. Wireshark
Version 0.99.0
Copyright 1998-2006 Gerald Combs <gerald@wireshark.org> and contributors.
Compiled with GTK+ 2.6.9, with GLib 2.6.6, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.2.2, with ADNS, with Lua 5.1.
Running with WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on
libpcap version 0.9[.x] on Windows XP Service Pack 2, build 2600.
wireshark [ -vh ] [ -DklLnpQS ] [ -a <capture autostop condition> ] ...
[ -b <capture ring buffer option> ] ...
[ -B <capture buffer size> ]
[ -c <capture packet count> ] [ -f <capture filter> ]
[ -g <packet number> ] [ -i <capture interface> ] [ -m <font> ]
[ -N <name resolving flags> ] [ -o <preference/recent setting> ] ...
[ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ]
[ -t <time stamp format> ] [ -w <savefile> ] [ -y <capture link type> ]
[ -X <eXtension option> ] [ -z <statistics> ] [ <infile> ]

Wireshark Wireshark()()

-a <capture autostop condition>


Wireshark test:value,test
duration:value
Value
filesize:value
Value kilobytes (a kilobyte here is 1000 bytes, not 1024 bytes) -b
Wireshark
files:value
Value
-b <capture ring buffer option>
Wireshark "ring buffer""ring buffer"Wireshark

Wireshark Wireshark (
files 0 0)
duration Wireshark
duration:value
Value
filesize:value
value kilobytes (a kilobyte here is 1000 bytes, not 1024 bytes)
files:value
value
-B <capture buffer size (Win32 only)>
Win32:( MB, 1MB).

-c <capture packet count>


-k
-D
Wireshark ()
-i ()
( Windows, ifconfig -a UNIX ); Windows 2000

" Wireshark "Wireshark


( rootWindows Administrators )-D
-f <capture filter>


-g <packet number>
-r
-h
-h Wireshark ()
-i <capture interface>

Wireshark -D Wireshark -D UNIX,netstat -i ifconfig -a


UNIX -a,ifconfig
Wireshark
wireshark
FIFO()"-" libpcap
-k
-k Wireshark -i
-l
"Packet list"-S
-m <font>

-n
( TCP,UDP )
-N <name resolving flags>
m MAC n t
-n -N -n C ()DNS
-o <preference/recent settings>
Preference/recent file
prefname:value, prefname ( preference/recent file ) value -o <preference
settings>

wireshark -o mgcp.display_dissect_tree:TRUE

wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627

???
-p
-p

-Q
Wireshark -c -i -w
-r <infile>
Wireshark
-R <read(display) filter>
6.3
-s <capture snaplen>
Wireshark <snaplen>
-S
Wireshark "Update list of packets in real time/"
-t <time stamp format>

r
a absolute,
ad
d delta
e epoch epoch (1970 1 1 00:00:00 )
-v
Wireshark
-w <savefile>
savefile
-y <capture link type>
-k -y The values reported by -L are the values that can be used.
-X <eXtension option>
TShark eXtension extension_key:extension_key:
lua_script:lua_script_filename, Wireshark Lua scripts.
-z <statistics-string>
Wireshark
9.3.
Packet colorization() Wireshark Wireshark

http://wiki.wireshark.org/ColoringRules Wireshark Wiki Coloring Rules page


View Coloring Rules..."Coloring Rules" 9.1 "Coloring Rules"
9.1. "Coloring Rules"

Coloring Rules ( once sth,you have a lot of


tmd )

(
) UDP DNS DNS ( DNS UDP UDP
netscreen )
NEW???
9.2. "Edit Color Filter"

String ??? arp,arp arp,string arp


arp Foreground color... / Background color.../
Choose foreground/background color for protocol ( 9.3 "Choose color")

9.3. "Choose color"

OK

You must select a color in the colorbar next to the colorwheel to load values into the RGB values. Alternatively, you can set the values to
select the color you want.
9.4 Wireshark
[Coloring Rule Name: ...] and [Coloring Rule String: ...]
9.4. Wireshark

9.4.
[20]

,wireshark ("routes"
"guessing"), TCP Wireshark
HTTP 800 80

9.4.1. "Enable Protocols"


Enable Protocols enable/disable enable disabled, Wireshark

IP Ethernet,IP,TCP HTTP
IP IP TCP,HTTP
9.5. "Enabled Protocols"

enable/disable

Save OKApply Wireshark

1. Enable All
2. Disable All
3. Invert enable/disable
4. OK
5. Apply
6. Save
7. Cancel
9.4.2.
"packet list""Decode As" Decode As
9.6. "Decode As"

Wireshark
1. Decode
2. Do not decode
3. Link/Network/Transport

4. Show Current
5. OK
6. Apply
7. Cancel
9.4.3.

9.7. "Decode As: Show"

1. OK
2. Clear
9.5.
Wireshark "Edit""Preferences..." Preferences ???:"User interface"

Wireshark Wiki Preferences :http://wiki.wireshark.org/Preferences.

OK Apply Save

OK
Apply
Save
Cancel
9.8. preferences

[21]

9.6.
9.3

9.7.
Display Filter Macros tcp_conv ( (ip.src == $1 and ip.dst
== $2 and tcp.srcpt == $3 and tcp.dstpt == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcpt == $4 and tcp.dstpt == $3) )
${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
9.6 Display Filter Macros View (
User table)
name

text
$1,$2,$3...

Windows GTK2 3 10.99.5


23Windows+GTK2

1. tcp_conv
2.
ip.src == $1 and ip.dst == $2 and tcp.srcpt == $3 and tcp.dstpt == $4, $1,$2,$3,$4
ip $1,$2,$3,$4,
3. ${: 1; 2; 3;....}
${tcp_conv:10.1.1.2;10.1.1.3;1200;1400},tcp_conv 10.1.1.2 $1

Wireshark
9.8. Tektronix K12xx/15 RF5
Tektronix's K12xx/15 rf5 helper files(*.stk)Wireshark stk (
)
Stk 9.6 ,
match
a partial match for an stk filename, the first match wins, so if you have a specific case and a general one the specific one must appear first in
the list
protos
This is the name of the encapsulating protocol (the lowest layer in the packet data). It can be either just the name of the protocol (e.g. mtp2,
eth_withoutfcs, sscf-nni) or the name of the encapsulation protocol and the "application" protocol over it separated by a colon (e.g. sscop:sscf-nni,
sscop:alcap, sscop:nbap, ...)
9.9. DLTs
pcap DLTs (147 to 162) ,Wireshark DLT
9.6 DLT
encap
dlts
payload_proto
payload()
header_size
header ( payload ) Wireshark header 0 header protocol.
header_proto
header ("data")
trailer_size
trailer ( payload ) 0
trailer_proto
trailer ("data")
9.10. SNMP
Wireshark SNMP SNMPv3
9.6
engine_id
engine id, engine id 16 0102030405
userName
SNMP-engines if you need a catch all engine-id (empty) that
entry should be the last one.

,(MD5 SHA1)
authPassword
"\xDD" 16 "\xDD"16 010203040506
'\x01\x02\x03\x04\x05\x06'.
priv_proto
(DES AES)
privPassword
"\xDD" 16 "\xDD"16 010203040506
'\x01\x02\x03\x04\x05\x06'.

[20]

dissector: dissect, decode

[21]

Wireshark User table