Shark SE400 Guía de usuario

Wireshark User’s GuideFor Wireshark 1.99Ulf Lamping <ulf.lamping[AT]web.de>Richard Sharpe, NS Computer Software andServices P/L <rsharpe[AT]n

1Chapter 1. Introduction1.1. What is Wireshark?Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packetsan

File Input, Output, and Printing91Figure 5.6. “Merge” on Linux and UNIXThis is the common Gimp/GNOME file open dialog with additional Wireshark extens

File Input, Output, and Printing92There are a couple of other special features to note. Any line where the first non-whitespace characteris # will be

File Input, Output, and Printing93Figure 5.7. The “Import from Hex Dump” dialogSpecific controls of this import dialog are split in two sections:Input

File Input, Output, and Printing94Date/Time Tick this checkbox if there are timestamps associated with the framesin the text file to import you would

File Input, Output, and Printing95• The “List Files” dialog box will list the files Wireshark has recognized as being part of the currentfile set.• Ne

File Input, Output, and Printing96• Created the creation time of the file• Last Modified the last time the file was modified• Size the size of the fil

File Input, Output, and Printing97Figure 5.9. The “Export as Plain Text File” dialog box• The “Export to file:” frame chooses the file to export the p

File Input, Output, and Printing985.7.2. The “Export as PostScript File” dialog boxFigure 5.10. The "Export as PostScript File" dialog box•

File Input, Output, and Printing99• The Packet Details frame is described in Section 5.10, “The Packet Format frame”.5.7.3. The "Export as CSV (C

File Input, Output, and Printing100Figure 5.11. The "Export as PSML File" dialog box• Export to file: frame chooses the file to export the p

Introduction2Figure 1.1, “Wireshark captures packets and lets you examine their contents.” shows Wireshark havingcaptured some packets and waiting for

File Input, Output, and Printing1015.7.6. The "Export as PDML File" dialog boxExport packet data into PDML. This is an XML based format incl

File Input, Output, and Printing102Figure 5.12. The "Export as PDML File" dialog box• Export to file: frame chooses the file to export the p

File Input, Output, and Printing1035.7.7. The "Export selected packet bytes" dialog boxExport the bytes selected in the "Packet Bytes&q

File Input, Output, and Printing104• The Save in folder: field lets you select the folder to save to (from some predefined folders).• Browse for other

File Input, Output, and Printing105• Save All: Saves all objects in the list using the filename from the filename column. You will beasked what direct

File Input, Output, and Printing106• Output to file: specifies that printing be done to a file, usingthe filename entered in the field or selected wit

File Input, Output, and Printing107• Selected packet only process only the selected packet.• Marked packets only process only the marked packets.• Fro

108Chapter 6. Working with capturedpackets6.1. Viewing packets you have capturedOnce you have captured some packets or you have opened a previously sa

Working with captured packets109Figure 6.1. Wireshark with a TCP packet selected for viewingYou can also select and view packets the same way while Wi

Working with captured packets110selecting the packet in which you are interested in the packet list pane and selecting View → ShowPacket in New Window

Introduction31.1.3. Live capture from many different network mediaWireshark can capture traffic from many different network media types - and despite

Working with captured packets1116.2. Pop-up menusYou can bring up a pop-up menu over either the “Packet List”, its column header, or “Packet Details”p

Working with captured packets1126.2.1. Pop-up menu of the “Packet List” columnheaderFigure 6.3. Pop-up menu of the “Packet List” column header

Working with captured packets113The following table gives an overview of which functions are available in this header, where to findthe corresponding

Working with captured packets1146.2.2. Pop-up menu of the “Packet List” paneFigure 6.4. Pop-up menu of the “Packet List” pane

Working with captured packets115The following table gives an overview of which functions are available in this pane, where to find thecorresponding fu

Working with captured packets116Item Identical to main menu’sitem:DescriptionCopy/ As Filter Prepare a display filter based onthe currently selected i

Working with captured packets1176.2.3. Pop-up menu of the “Packet Details” paneFigure 6.5. Pop-up menu of the “Packet Details” pane

Working with captured packets118The following table gives an overview of which functions are available in this pane, where to find thecorresponding fu

Working with captured packets119Item Identical to main menu’sitem:DescriptionCopy/ Bytes (Offset Hex Text) Copy the packet bytes to theclipboard in he

Working with captured packets120Item Identical to main menu’sitem:DescriptionFilter Field Reference Show the filter field referenceweb page correspond

Introduction4Although Wireshark captures packets using a separate process the main interface is single-threadedand won’t benefit much from multi-core

Working with captured packets121NoteAll protocol and field names are entered in lowercase. Also, don’t forget to press enterafter entering the filter

Working with captured packets122As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10are hidden). The packe

Working with captured packets123English C-like Description and examplene != Not equal. ip.src!=10.0.0.5gt > Greater than. frame.len >10lt < L

Working with captured packets1246.4.3. Combining expressionsYou can combine filter expressions in Wireshark using the logical operators shown in Table

Working with captured packets125sequence at offset n is selected.This is equivalent to n:1.eth.src[0:3,1-2,:4,4:,2] ==00:00:83:00:83:00:00:83:00:20:20

Working with captured packets126Figure 6.7. The “Filter Expression” dialog boxWhen you first bring up the Filter Expression dialog box you are shown a

Working with captured packets127Predefined values Some of the protocol fields have predefined values available, muchlike enum’s in C. If the selected

Working with captured packets128Figure 6.8. The “Capture Filters” and “Display Filters” dialog boxesNew This button adds a new filter to the list of f

Working with captured packets129about the Add Expression dialog in Section 6.5, “The “Filter Expression”dialog box”OK Display Filter only: This button

Working with captured packets130ip.src==192.168.0.1 and tcp.flags.syn==1For more details on display filters, see Section 6.3, “Filtering packets while

Introduction5• Red Hat Enterprise/Fedora Linux• Sun Solaris/i386• Sun Solaris/SPARC• Canonical UbuntuIf a binary package is not available for your pla

Working with captured packets131This dialog box will let you enter a packet number. When you press OK, Wireshark will jump to thatpacket.6.9.4. The “G

Working with captured packets1326.12. Time display formats and timereferencesWhile packets are captured, each packet is timestamped. These timestamps

Working with captured packets133• Find Previous Find the previous time referenced packet in the “Packet List” pane.Figure 6.11. Wireshark showing a ti

134Chapter 7. Advanced Topics7.1. IntroductionThis chapter some of Wireshark’s advanced features.7.2. Following TCP streamsIf you are working with TCP

Advanced Topics1357.2.1. The “Follow TCP Stream” dialog boxFigure 7.1. The “Follow TCP Stream” dialog boxThe stream content is displayed in the same s

Advanced Topics136Non-printable characters will be replaced by dots.The stream content won’t be updated while doing a live capture. To get the latest

Advanced Topics137Packet # Severity Group Protocol Summary2 Chat Sequence TCP Connection reset(RST)8 Note Sequence TCP Keep-Alive9 Warn Sequence TCP F

Advanced Topics1387.3.2. “Expert Info” dialogYou can open the expert info dialog by selecting Analyze → Expert Info.Figure 7.2. The “Expert Info” dial

Advanced Topics1397.3.3. “Colorized” Protocol Details TreeFigure 7.3. The “Colorized” protocol details treeThe protocol field causing an expert info i

Advanced Topics1407.3.4. “Expert” Packet List Column (optional)Figure 7.4. The “Expert” packet list columnAn optional “Expert Info Severity” packet li

Introduction6There have also been a large number of people who have contributed protocol dissectors to Wireshark,and it is expected that this will con

Advanced Topics141While capturing, Wireshark uses the libpcap (WinPcap) capture library which supports microsecondresolution. Unless you are working w

Advanced Topics142What are time zones?People expect that the time reflects the sunset. Dawn should be in the morning maybe around06:00 and dusk in the

Advanced Topics143TipIf you travel around the world, it’s an often made mistake to adjust the hours of yourcomputer clock to the local time. Don’t

Advanced Topics144Conclusion: You may not bother about the date/time of the time stamp you currently look at unlessyou must make sure that the date/ti

Advanced Topics145The tooltip of the higher level protocol setting will notify you if and which lower level protocol settingalso has to be considered.

Advanced Topics1467.7.3. IP name resolution (network layer)Try to resolve an IP address (e.g. 216.239.37.99) to something more “human readable”.DNS/co

Advanced Topics147What are checksums for?Checksums are used to ensure the integrity of data portions for data transmission or storage. Achecksum is ba

Advanced Topics148Recent network hardware can perform advanced features such as IP checksum calculation, also knownas checksum offloading. The network

149Chapter 8. Statistics8.1. IntroductionWireshark provides a wide range of network statistics which can be accessed via the Statistics menu.These sta

Statistics150Figure 8.1. The "Summary" window

Introduction7Read the FAQBefore sending any mail to the mailing lists below, be sure to read the FAQ. It will oftenanswer any questions you might have

Statistics151• File: general information about the capture file.• Time: the timestamps when the first and the last packet were captured (and the time

Statistics152Figure 8.2. The "Protocol Hierarchy" windowThis is a tree of all the protocols in the capture. Each row contains the statistica

Statistics153Percent Bytes The percentage of protocol bytes relative to the total bytes in the captureBytes The total number of bytes of this protocol

Statistics154Name resolution will be done if selected in the window and if it is active for the specific protocollayer (MAC layer for the selected Eth

Statistics155Token Ring Identical to the Token Ring MAC-48 address.UDP A combination of the IP address and the UDP port used, so different UDPports on

Statistics1568.6. The "IO Graphs" windowUser configurable graph of the captured network packets.You can define up to five differently colore

Statistics157• Style: the style of the graph (Line/Impulse/FBar/Dot)• X Axis• Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.

Statistics158First of all, you have to select the DCE-RPC interface:Figure 8.6. The "Compute DCE-RPC statistics" windowYou can optionally se

Statistics159Figure 8.7. The "DCE-RPC Statistic for …" windowEach row corresponds to a method of the interface selected (so the EPM interfac

Statistics160Figure 8.8. The "Compare" windowYou can configure the following:

Introduction8not interested in your specific problem. If required you will be asked for further data bythe persons who really can help you.Don’t send

Statistics161• Start compare: Start comparing when this many IP IDs are matched. A zero value starts comparingimmediately.• Stop compare: Stop compa

Statistics162Figure 8.9. The "WLAN Traffic Statistics" windowEach row in the list shows the statistical values for exactly one wireless netw

163Chapter 9. Telephony9.1. IntroductionWireshark provides a wide range of telephony related network statistics which can be accessed viathe Telephony

Telephony164Figure 9.1. The “RTP Stream Analysis” windowStarting with basic data as packet number and sequence number, further statistics are created

Telephony1659.3. VoIP CallsThe VoIP Calls window shows a list of all detected VoIP calls in the captured traffic. It finds callsby their signaling.Mor

Telephony166Figure 9.3. The “LTE RLC Traffic Statistics” windowAt the top, the check-box allows this window to include RLC PDUs found within MAC PDUs

Telephony1679.6. The protocol specific statistics windowsThe protocol specific statistics windows display detailed information of specific protocols a

168Chapter 10. Customizing Wireshark10.1. IntroductionWireshark’s default behaviour will usually suit your needs pretty well. However, as you become m

Customizing Wireshark169Processing: -R <read filter> packet filter in Wireshark display filter syntax -n disable

Customizing Wireshark170which point the data in the first file will be discarded so a newfile can be written.If the optional <command>duration&l

9Chapter 2. Building and InstallingWireshark2.1. IntroductionAs with all things there must be a beginning and so it is with Wireshark. To use Wireshar

Customizing Wireshark171-i <capture interface> Set the name of the network interface or pipe to use for livepacket capture.Network interface nam

Customizing Wireshark172the same name that would appear in the preferences orrecent file), and value is the value to which it should be set.Multiple

Customizing Wireshark173-S This option specifies that Wireshark will display packets asit captures them. This is done by capturing in

Customizing Wireshark174to the my.lua script.If two scripts wereloaded, such as -Xlua_script:my.luaand -Xlua_script:other.luain that order,

Customizing Wireshark175Figure 10.1. The “Coloring Rules” dialog boxIf this is the first time using the Coloring Rules dialog and you’re using the def

Customizing Wireshark176The first match winsMore specific rules should usually be listed before more general rules. For example, ifyou have a coloring

Customizing Wireshark177Figure 10.3. Using color filters with Wireshark

Customizing Wireshark17810.4. Control Protocol dissectionThe user can control how protocols are dissected.Each protocol has its own dissector, so diss

Customizing Wireshark179Figure 10.4. The “Enabled Protocols” dialog boxTo disable or enable a protocol, simply click on it using the mouse or press th

Customizing Wireshark180You can choose from the following actions:1. Enable All: Enable all protocols in the list.2. Disable All: Disable all protocol

Building and Installing Wireshark10• Wireshark - The network protocol analyzer that we all know and mostly love.• TShark - A command-line network prot

Customizing Wireshark1812. Do not decode: Do not decode packets the selected way.3. Link/Network/Transport: Specify the network layer at which

Customizing Wireshark182Figure 10.7, “The preferences dialog box”, with the “User Interface” page as default. On the left sideis a tree where you can

Customizing Wireshark18310.5.1. Interface OptionsIn the “Capture” preferences it is possible to configure several options for the interfaces available

Customizing Wireshark18410.6. Configuration ProfilesConfiguration Profiles can be used to configure and use more than one set of prefere

Customizing Wireshark185All other configurations are stored in the personal configuration folder, and are common to all profiles.Figure 10.9. The conf

Customizing Wireshark186The profile name will be used as a folder name in the configured“Personal configurations” folder. If adding multiple prof

Customizing Wireshark187databases are available at no cost, while others require a licensing fee. See the MaxMind web site formore information.This ta

Customizing Wireshark188Whilst Wireshark has knowledge about many of the OIDs and the syntax of their associated values,the extensibility means that o

Customizing Wireshark189Directory name A module directory, e.g. /usr/local/snmp/mibs. Wiresharkautomatically uses the standard SMI path for your

Customizing Wireshark190Stk file to protocol matching is handled by an Section 10.7, “User Table” with the following fields.Match string A partial mat

Wireshark User’s Guide: For Wireshark 1.99by Ulf Lamping, Richard Sharpe, and Ed WarnickeCopyright © 2004-2014 Ulf Lamping, Richard Sharpe, Ed Warnick

Building and Installing Wireshark112.3.5. Windows installer command line optionsFor special cases, there are some command line parameters available:•

191Appendix A. Wireshark MessagesWireshark provides you with additional information generated out of the plain packet data or it mayneed to indicate d

Wireshark Messages192A.2.3. [Time from request: 0.123 seconds]The time between the request and the response packets.A.2.4. [Stream setup by PROTOCOL (

193Appendix B. Files and FoldersB.1. Capture FilesTo understand which information will remain available after the captured packets are saved to a capt

Files and Folders194B.2. Configuration Files and FoldersWireshark uses a number of files and folders while it is running. Some of these reside in the

Files and Folders195File/Folder Description Unix/Linux folders Windows foldersipxnets IPX name resolution. /etc/ipxnets,$HOME/.wireshark/ipxnets%WIRES

Files and Folders196"<filter name>" <filter string>The settings from this file are read in at program start andwritte

Files and Folders197An example is:# Comments must be prepended by the # sign!192.168.0.1 homeserverThe settings from this file are read in at program

Files and Folders198temp folder If you start a new capture and don’t specify a filename for it,Wireshark uses this directory to store that file; see S

Files and Folders199# Maps Wireshark protocol names to section names below. Each key MUST match# a valid protocol name. Each value MUST have a matchin

Files and Folders200Windows NT 4 1C:\WINNT\Profiles\<username>\Application Data\WiresharkWindows ME, Windows 98 withuser profiles 1In Windows ME

Building and Installing Wireshark122.3.10. Uninstall WinPcapYou can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Progra

201Appendix C. Protocols and ProtocolFieldsWireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port).A comprehensive li

202Appendix D. Related command linetoolsD.1. IntroductionAlong with the main application, Wireshark comes with an array of command line tools which ca

Related command line tools203 -w <outfile|-> write packets to a pcap-format file named "outfile"

Related command line tools204D.4. dumpcap: Capturing with dumpcap forviewing with WiresharkDumpcap is a network traffic dump tool. It captures packet

Related command line tools205"Capture packets from interface eth0 until 60s passed into output.pcapng"Use Ctrl-C to stop capturing at any ti

Related command line tools206D.6. rawshark: Dump and analyze networktraffic.Rawshark reads a stream of packets from a file or pipe, and prints a line

Related command line tools207Duplicate packet removal: -d remove packet if duplicate (window == 5). -D <dup window>

Related command line tools208 eyesdn - EyeSDN USB S0/E1 ISDN trace format k12text - K12 text file lanalyzer - Novell LANalyzer logcat - An

Related command line tools209 fddi - FDDI fddi-nettl - FDDI with nettl headers fddi-swapped - FDDI with bit-swapped MAC addresses flexray

Related command line tools210 nfc-llcp - NFC LLCP nflog - NFLOG nstrace10 - NetScaler Encapsulation 1.0 of Ethernet nstrace20 - NetScaler

Building and Installing Wireshark132.6.1. Installing from rpm’s under Red Hat and alikeUse the following command to install the Wireshark RPM

Related command line tools211D.8. mergecap: Merging multiple capture filesinto oneMergecap is a program that combines multiple saved capture files int

Related command line tools212A simple example merging dhcp-capture.pcapng and imap-1.pcapng intooutfile.pcapng is shown below.Simple example of

Related command line tools213where <infile> specifies input filename (use - for standard input) <outfile> specifies output filename

Related command line tools214 -n use PCAP-NG instead of PCAP as output format.D.10. reordercap: Reorder a capture filereordercap

215Chapter 11. This Document’s License(GPL)As with the original license and documentation distributed with Wireshark, this document is coveredby the G

This Document’s License (GPL)216 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other wo

This Document’s License (GPL)217the scope of this License. 3. You may copy and distribute the Program (or a work based on it,under Section 2) in obje

This Document’s License (GPL)218may not distribute the Program at all. For example, if a patentlicense would not permit royalty-free redistribution o

This Document’s License (GPL)219YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHERPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PART

Building and Installing Wireshark14You need to install its development package as well. configure will also fail if you do not havelibpcap (at least t

15Chapter 3. User Interface3.1. IntroductionBy now you have installed Wireshark and are most likely keen to get started capturing your firstpackets. I

User Interface16Figure 3.1. The Main windowWireshark’s main window consists of parts that are commonly known from many other GUI programs.1. The menu

User Interface172. The main toolbar (see Section 3.16, “The “Main” toolbar”) provides quick access to frequentlyused items from the menu.3. The filter

User Interface18Accelerator DescriptionReturn, Enter In the packet detail, toggles the selected treeitem.Additionally, typing anywhere in the main win

User Interface19Internals This menu contains items that show information about the internals of Wireshark.See Section 3.14, “The “Internals” menu”.Hel

User Interface20Figure 3.3. The “File” Menu

iiiPreface ... viii1. Foreword ...

User Interface21Table 3.2. File menu itemsMenu Item Accelerator DescriptionOpen… Ctrl+O This menu item brings up thefile open dialog box that allowsyo

User Interface22Menu Item Accelerator DescriptionSave As… Shift+Ctrl+S This menu item allows you tosave the current capture fileto whatever file you w

User Interface23Menu Item Accelerator DescriptionWireshark DICOM object list(which is discussed further inSection 5.7.8, “The "ExportObjects"

User Interface24Figure 3.4. The “Edit” Menu

User Interface25Table 3.3. Edit menu itemsMenu Item Accelerator DescriptionCopy → DescriptionShift+Ctrl+D This menu item will copy thedescription of t

User Interface26Menu Item Accelerator Descriptionselected packet. SeeSection 6.12.1, “Packettime referencing” for moreinformation about the timerefere

User Interface27Figure 3.5. The “View” Menu

User Interface28Table 3.4. View menu itemsMenu Item Accelerator DescriptionMain Toolbar This menu item hides orshows the main toolbar, seeSection 3.16

User Interface29Menu Item Accelerator DescriptionTime Display Format →Seconds Since Beginning ofCapture: 123.123456Selecting this tells Wireshark todi

User Interface30Menu Item Accelerator DescriptionName Resolution → Enable forNetwork LayerThis item allows you to controlwhether or not Wiresharktrans

Wireshark User’s Guideiv3.3. The Main window ... 153.3.1. Main

User Interface31Menu Item Accelerator Descriptionexpanded, and uses it to ensurethat the correct subtrees areexpanded when you display apacket. This m

User Interface32Figure 3.6. The “Go” Menu

User Interface33Table 3.5. Go menu itemsMenu Item Accelerator DescriptionBack Alt+←Jump to the recently visitedpacket in the packet history,much like

User Interface34Figure 3.7. The “Capture” Menu

User Interface35Table 3.6. Capture menu itemsMenu Item Accelerator DescriptionInterfaces… Ctrl+I This menu item brings up adialog box that shows what’

User Interface36Figure 3.8. The “Analyze” Menu

User Interface37Table 3.7. Analyze menu itemsMenu Item Accelerator DescriptionDisplay Filters… This menu item brings up adialog box that allows you to

User Interface38Menu Item Accelerator Descriptiona particular protocol, seeSection 10.4.3, “Show UserSpecified Decodes”Follow TCP Stream This menu ite

User Interface39Figure 3.9. The “Statistics” MenuAll menu items will bring up a new window showing specific statistical information.

User Interface40Table 3.8. Statistics menu itemsMenu Item Accelerator DescriptionSummary Show information about thedata captured, see Section 8.2,“The

Wireshark User’s Guidev5.4.1. The “Merge with Capture File” dialog box ... 905.5. Import hex dump ...

User Interface41Menu Item Accelerator DescriptionTCP Stream Graph See Section 8.10, “The protocolspecific statistics windows”UDP Multicast Streams See

User Interface42Figure 3.10. The “Telephony” MenuAll menu items will bring up a new window showing specific telephony related statistical information.

User Interface43Table 3.9. Telephony menu itemsMenu Item Accelerator DescriptionIAX2 See Section 9.6, “The protocolspecific statistics windows”SMPP Op

User Interface44Figure 3.11. The “Tools” Menu

User Interface45Table 3.10. Tools menu itemsMenu Item Accelerator DescriptionFirewall ACL Rules This allows you to createcommand-line ACL rulesfor man

User Interface46Figure 3.12. The “Internals” Menu

User Interface47Table 3.11. Help menu itemsMenu Item Accelerator DescriptionDissector tables This menu item brings up adialog box showing the tableswi

User Interface48Figure 3.13. The “Help” Menu

User Interface49Table 3.12. Help menu itemsMenu Item Accelerator DescriptionContents F1 This menu item brings up abasic help system.Manual Pages → …Th

User Interface50Figure 3.14. The “Main” toolbarTable 3.13. Main toolbar itemsToolbar Icon Toolbar Item Corresponding MenuItemDescriptionInterfaces…Cap

Wireshark User’s Guidevi7.4.1. Wireshark internals ... 1407.4.2. Capture fil

User Interface51Toolbar Icon Toolbar Item Corresponding MenuItemDescriptionIf you currently have atemporary capture file,the Save icon will beshown in

User Interface52Toolbar Icon Toolbar Item Corresponding MenuItemDescriptionZoom InView → Zoom InZoom into the packetdata (increase the fontsize).Zoom

User Interface53Toolbar Icon Toolbar Item Corresponding MenuItemDescriptionyour preferences soWireshark will usethem the next timeyou start it. Morede

User Interface54Toolbar Icon Toolbar Item DescriptionThis field is also where thecurrent filter in effect isdisplayed.Expression… The middle button la

User Interface55While dissecting a packet, Wireshark will place information from the protocol dissectors into thecolumns. As higher level protocols mi

User Interface56• Links If Wireshark detected a relationship to another packet in the capture file, it will generate alink to that packet. Links are u

User Interface57This statusbar is shown while no capture file is loaded, e.g. when Wireshark is started.Figure 3.21. The Statusbar with a loaded captu

User Interface58Figure 3.24. The Statusbar with a display filter messageThis is displayed if you are trying to use a display filter which may have une

59Chapter 4. Capturing Live NetworkData4.1. IntroductionCapturing live network data is one of the major features of Wireshark.The Wireshark capture en

Capturing Live Network Data60Windows” or Figure 4.2, “The “Capture Interfaces” dialog box on Unix/Linux” for moreinformation. You can star

Wireshark User’s Guidevii10.16. SMI (MIB and PIB) Paths ... 18810.17. SNMP Ente

Capturing Live Network Data61Figure 4.2. The “Capture Interfaces” dialog box on Unix/LinuxDevice (Unix/Linux only) The interface device name.Descripti

Capturing Live Network Data624.5. The “Capture Options” dialog boxWhen you select Capture → Options… (or use the corresponding item in the main toolba

Capturing Live Network Data63Figure 4.3. The “Capture Options” dialog box

Capturing Live Network Data64TipIf you are unsure which options to choose in this dialog box just try keeping the defaultsas this should work well in

Capturing Live Network Data65The execution of BPFs can be sped up on Linux by turning on BPF JIT by executing$ echo 1 >/proc/sys/net/core/bpf_jit_e

Capturing Live Network Data66Wireshark does not display any packets until you stop thecapture. When you check this, Wireshark captures in a s

Capturing Live Network Data67Figure 4.4. The “Edit Interface Settings” dialog boxYou can set the following fields in this dialog box:IP address The IP

Capturing Live Network Data68Limit each packet to n bytes This field allows you to specify the maximum amount of datathat will be captured for each pa

Capturing Live Network Data69Figure 4.5. The “Compile Results” dialog boxIn the left window the interface names are listed. The results of an individu

Capturing Live Network Data70Figure 4.6. The “Add New Interfaces” dialog box

viiiPreface1. ForewordWireshark is one of those programs that many network managers would love to be able to use, butthey are often prevented from get

Capturing Live Network Data714.8.1. Add or remove pipesFigure 4.7. The “Add New Interfaces - Pipes” dialog boxTo successfully add a pipe, this pipe mu

Capturing Live Network Data724.8.2. Add or hide local interfacesFigure 4.8. The “Add New Interfaces - Local Interfaces” dialog boxThe tab “Local Inter

Capturing Live Network Data734.8.3. Add or hide remote interfacesFigure 4.9. The “Add New Interfaces - Remote Interfaces” dialog boxIn this tab interf

Capturing Live Network Data74NoteMake sure you have outside access to port 2002 on the target platform. This is the portwhere the Remote Packet Captur

Capturing Live Network Data75Password authentication This is the normal way of connecting to a target platform. Setthe credentials needed to connect t

Capturing Live Network Data76number of packets. This allows capture over a narrow bandremote capture session of a higher bandwidth interface.Sampli

Capturing Live Network Data77Figure 4.12. The “Interface Details” dialog box4.11. Capture files and file modesWhile capturing the underlying libpcap c

Capturing Live Network Data78Using Multiple files may cut context related information. Wireshark keeps context information of theloaded packet data, s

Capturing Live Network Data79headers. “802.11” will cause them to have full IEEE 802.11 headers. Unless the capture needs to beread by an application

Capturing Live Network Data80gateway host <host> This primitive allows you to filter on packets that used host as agateway. That is, where the E

Prefaceix4. About this documentThis book was originally developed by Richard Sharpe with funds provided from the Wireshark Fund.It was updated by Ed W

Capturing Live Network Data814.14. While a Capture is running …While a capture is running, the following dialog box is shown:Figure 4.13. The “Capture

Capturing Live Network Data821.Using the Capture → Stop menu item.2. Using the Stop toolbar button.3. Pressing Ctrl+E.4. The capture will be automatic

83Chapter 5. File Input, Output, andPrinting5.1. IntroductionThis chapter will describe input and output of capture data.• Open capture files in vario

File Input, Output, and Printing84• View file preview information such as the filesize and the number of packets in a selected a capturefile.• Specify

File Input, Output, and Printing85Figure 5.2. “Open” - Linux and UNIXThis is the common Gimp/GNOME file open dialog plus some Wireshark extensions.Spe

File Input, Output, and Printing86• Network Associates Windows-based Sniffer and Sniffer Pro captures• Network General/Network Associates DOS-based Sn

File Input, Output, and Printing87It may not be possible to read some formats dependent on the packet types captured. Ethernet capturesare usually sup

File Input, Output, and Printing88Figure 5.4. “Save” on Linux and UNIXThis is the common Gimp/GNOME file save dialog with additional Wireshark extensi

File Input, Output, and Printing891. Click the Save or OK button to accept your selected file and save to it. If Wireshark has a problemsaving the cap

File Input, Output, and Printing90•Use the File → Merge menu to open the “Merge” dialog. See Section 5.4.1, “The “Merge withCapture File” dialog box”.