Deepak Rawat

April/2024
Wireshark is a comprehensive and versatile network monitoring tool that allows users to analyze and
inspect network traffic in real-time. As a popular packet analyzer, it offers a wide range of features that
cater to the needs of network administrators, security professionals, and developers. By providing deep
insights into the data flowing through networks, Wireshark assists in troubleshooting network issues,
identifying security threats, and optimizing network performance.

Developed and maintained by a dedicated community, Wireshark is an open-source software that

supports numerous protocols and operating systems, making it a reliable choice for various network
monitoring tasks. Its user-friendly interface simplifies the process of understanding complex network
activities, enabling users to make informed decisions and take appropriate actions.

Some of the key features that make Wireshark an essential network monitoring tool include:

1. Deep Packet Inspection (DPI): Wireshark's ability to decode thousands of protocols allows
users to examine the contents of individual packets and identify potential issues or security threats. This
feature is crucial in network security, as it helps users detect anomalies and malicious activities within
the network traffic.

2. Live Capture and Offline Analysis: Wireshark offers two modes of operation – live capture
and offline analysis. In live capture mode, users can monitor network traffic in real-time, while offline
analysis allows them to examine previously saved packet captures. This flexibility enables users to
choose the most suitable approach for their monitoring tasks, depending on the network environment
and requirements.

3. Advanced Filters and Display Filters: Wireshark provides users with powerful filtering
tools to help them focus on specific network traffic. Advanced filters enable users to set conditions to
include or exclude packets based on specific criteria, while display filters allow users to customize the
displayed information according to their needs. These filters simplify the process of identifying patterns
and troubleshooting issues within the network traffic.

4. Statistics and Reporting: Wireshark offers detailed statistics and graphical representations of
network traffic, aiding in performance analysis and capacity planning. Users can generate various types

1
of reports, such as protocol statistics, traffic flow analysis, and packet frequency charts, to gain a
comprehensive understanding of the network's performance and identify potential bottlenecks.

5. Exporting and Sharing: Wireshark allows users to export captured data in various formats,
including CSV, PcapNG, and others. This feature enables users to share captured data with colleagues
or perform further analysis using other tools and applications. Additionally, Wireshark supports
scripting and extension capabilities, allowing users to customize the tool according to their specific
needs and automate repetitive tasks.

In conclusion, Wireshark is an indispensable network monitoring tool that offers a wide range of
features to analyze, troubleshoot, and secure networks. Its open-source nature, extensive protocol
support, and user-friendly interface make it a top choice for professionals and enthusiasts alike in the
ever-evolving world of networking. By utilizing Wireshark's capabilities, users can gain deep insights
into their network traffic, ensuring optimal performance and security.

Installation
You can download Wireshark for your operating from here.

Installing Wireshark under Windows

The official Windows packages can be downloaded from the Wireshark main page or the download
page. Installer names contain the version and platform. For example, Wireshark-4.3.0-x64.exe installs
Wireshark 4.3.0 for Windows on 64-bit Intel processors. The Wireshark installer includes Npcap which
is required for packet capture. Windows packages automatically update. See Section 2.8, “Updating
Wireshark” for details.

Simply download the Wireshark installer from https://www.wireshark.org/download.html and execute

it. Official packages are signed by Wireshark Foundation. You can choose to install several optional
components and select the location of the installed package. The default settings are recommended for
most users.

Installation Components

On the Choose Components page of the installer you can select from the following:

 Wireshark - The network protocol analyzer that we all know and mostly love.
 TShark - A command-line network protocol analyzer. If you haven’t tried it you should.
 External Capture (extcap) - External Capture Interfaces
o Androiddump - Provide capture interfaces from Android devices.
o Etwdump - Provide an interface to read Event Tracing for Windows (ETW) event trace
(ETL).
o Randpktdump - Provide an interface to the random packet generator. (see also randpkt)
o Sshdump, Ciscodump, and Wifidump - Provide remote capture through SSH.
(tcpdump, Cisco EPC, wifi)
o UDPdump - Provide capture interface to receive UDP packets streamed from network
devices.

2
Additional Tasks

 Wireshark Start Menu Item - Add a shortcut to the start menu.

 Wireshark Desktop Icon - Add a Wireshark icon to the desktop.
 Associate trace file extensions with Wireshark - Associate standard network trace files to
Wireshark.

Install Location

By default Wireshark installs into %ProgramFiles%\Wireshark on 32-bit Windows and

%ProgramFiles64%\Wireshark on 64-bit Windows. This expands to C:\Program Files\Wireshark
on most systems.

Installing Npcap

The Wireshark installer contains the latest Npcap installer.

If you don’t have Npcap installed you won’t be able to capture live network traffic but you will still be
able to open saved capture files. By default the latest version of Npcap will be installed. If you don’t
wish to do this or if you wish to reinstall Npcap you can check the Install Npcap box as needed.

For more information about Npcap see https://npcap.com/ and https://gitlab.com/wireshark/wireshark/-

/wikis/Npcap.

Windows installer command line options

For special cases, there are some command line parameters available:

 /S runs the installer or uninstaller silently with default values. The silent installer will not
install Npcap.
 /desktopicon installation of the desktop icon, =yes - force installation, =no - don’t install,
otherwise use default settings. This option can be useful for a silent installer.
 /quicklaunchicon installation of the quick launch icon, =yes - force installation, =no - don’t
install, otherwise use default settings.
 /D sets the default installation directory ($INSTDIR), overriding InstallDir and
InstallDirRegKey. It must be the last parameter used in the command line and must not contain
any quotes even if the path contains spaces.
 /NCRC disables the CRC check. We recommend against using this flag.
 /EXTRACOMPONENTS comma separated list of optional components to install. The following
extcap binaries are supported.
o androiddump - Provide interfaces to capture from Android devices
o ciscodump - Provide interfaces to capture from a remote Cisco router through SSH
o randpktdump - Provide an interface to generate random captures using randpkt
o sshdump - Provide interfaces to capture from a remote host through SSH using a remote
capture binary
o udpdump - Provide a UDP receiver that gets packets from network devices

Example:

3
> Wireshark-4.2.5-x64.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no
/D=C:\Program Files\Foo

> Wireshark-4.2.5-x64.exe /S /EXTRACOMPONENTS=sshdump,udpdump

Running the installer without any parameters shows the normal interactive installer.

Manual Npcap Installation

As mentioned above, the Wireshark installer also installs Npcap. If you prefer to install Npcap
manually or want to use a different version than the one included in the Wireshark installer, you can
download Npcap from the main Npcap site at https://npcap.com/.

Update Npcap

Wireshark updates may also include a new version of Npcap. Manual Npcap updates instructions can
be found on the Npcap web site at https://npcap.com/. You may have to reboot your machine after
installing a new Npcap version.

Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the “Wireshark”
entry to start the uninstallation procedure.

The Wireshark uninstaller provides several options for removal. The default is to remove the core
components but keep your personal settings and Npcap. Npcap is kept in case other programs need it.

Uninstall Npcap

You can uninstall Npcap independently of Wireshark using the Npcap entry in the Programs and
Features control panel. Remember that if you uninstall Npcap you won’t be able to capture anything
with Wireshark.

Building from source under Windows

We strongly recommended using the binary installer for Windows unless you want to start developing
Wireshark on the Windows platform.

For further information how to obtain sources and build Wireshark for Windows from the sources see
the Developer’s Guide at:

 https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcObtain
 https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWindows

You may also want to have a look at the Development Wiki (https://gitlab.com/wireshark/wireshark/-
/wikis/Development) for the latest available development documentation.

Installing Wireshark under macOS

4
The official macOS packages can be downloaded from the Wireshark main page or the download page.
They are signed by Wireshark Foundation. Packages are distributed as disk images (.dmg) containing
the application bundle. Package names contain the platform and version. To install Wireshark simply
open the disk image and drag Wireshark to your /Applications folder. macOS packages automatically
update. See Section 2.8, “Updating Wireshark” for details.

In order to capture packets, you must install the “ChmodBPF” launch daemon. You can do so by
opening the Install ChmodBPF.pkg file in the Wireshark .dmg or from Wireshark itself by opening
Wireshark → About Wireshark selecting the “Folders” tab, and double-clicking “macOS Extras”.

The installer package includes Wireshark along with ChmodBPF and system path packages. See the
included Read me first.html file for more details.

Installing the binaries under UNIX

In general installing the binary under your version of UNIX will be specific to the installation methods
used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark
binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.

2.6.1. Installing from RPMs under Red Hat and alike

Building RPMs from Wireshark’s source code results in several packages (most distributions follow
the same system):

 The wireshark package contains the core Wireshark libraries and command-line tools.
 The wireshark or wireshark-qt package contains the Qt-based GUI.

Many distributions use yum or a similar package management tool to make installation of software
(including its dependencies) easier. If your distribution uses yum, use the following command to install
Wireshark together with the Qt GUI:

yum install wireshark wireshark-qt

If you’ve built your own RPMs from the Wireshark sources you can install them by running, for
example:

rpm -ivh wireshark-2.0.0-1.x86_64.rpm wireshark-qt-2.0.0-1.x86_64.rpm

If the above command fails because of missing dependencies, install the dependencies first, and then
retry the step above.

2.6.2. Installing from debs under Debian, Ubuntu and other Debian derivatives

If you can just install from the repository then use

apt install wireshark

Apt should take care of all of the dependency issues for you.

5
 Capturing requires privileges

By installing Wireshark packages non-root, users won’t gain rights automatically to capture
packets. To allow non-root users to capture packets follow the procedure described in
https://gitlab.com/wireshark/wireshark/-/blob/master/packaging/debian/README.Debian
(/usr/share/doc/wireshark-common/README.Debian.gz)

2.6.3. Installing from portage under Gentoo Linux

Use the following command to install Wireshark under Gentoo Linux with all of the extra features:

USE="c-ares ipv6 snmp ssl kerberos threads selinux" emerge wireshark

2.6.4. Installing from packages under FreeBSD

Use the following command to install Wireshark under FreeBSD:

pkg_add -r wireshark

pkg_add should take care of all of the dependency issues for you.

Building from source under UNIX or Linux

We recommended using the binary installer for your platform unless you want to start developing
Wireshark.

Building Wireshark requires the proper build environment including a compiler and many supporting
libraries. For more information, see the Developer’s Guide at:

 https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcObtain
 https://www.wireshark.org/docs/wsdg_html_chunked/ChapterSetup#ChSetupUNIX

Updating Wireshark
By default, Wireshark on Windows and macOS will check for new versions and notify you when they
are available. If you have the Check for updates preference disabled or if you run Wireshark in an
isolated environment you should subscribe to the wireshark-announce mailing list to be notified of new
versions. See Section 1.6.5, “Mailing Lists” for details on subscribing to this list.

New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done
the same way as installing it. Simply download and run the installer on Windows, or download and
drag the application on macOS. A reboot is usually not required and all your personal settings will
remain unchanged.

We offer two update channels, Stable and Development. The Stable channel is the default, and only
installs packages from stable (even-numbered) release branches. The Development channel installs
development and release candidate packages when they are available, and stable releases otherwise. To
configure your release channel, go to Preferences → Advanced and search for “update.channel”. See
Section 11.5, “Preferences” for details.

6
1.1.2. Features

The following are some of the many features Wireshark provides:

 Available for UNIX and Windows.

 Capture live packet data from a network interface.
 Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many
other packet capture programs.
 Import packets from text files containing hex dumps of packet data.
 Display packets with very detailed protocol information.
 Save packet data captured.
 Export some or all packets in a number of capture file formats.
 Filter packets on many criteria.
 Search for packets on many criteria.
 Colorize packet display based on filters.
 Create various statistics.
 …and a lot more!

Start Wireshark
You can start Wireshark from your shell or window manager.

Power user tip

TIPWhen starting Wireshark it’s possible to specify optional settings using the command
line. See Start Wireshark from the command line for details.

The following chapters contain many screenshots of Wireshark. As Wireshark runs on many different
platforms with many different window managers, different styles applied and there are different
versions of the underlying GUI toolkit used, your screen might look different from the provided
screenshots. But as there are no real differences in functionality these screenshots should still be well
understandable.

The Main window

Let’s look at Wireshark’s user interface. The Main window shows Wireshark as you would usually see
it after some packets are captured or loaded (how to do this will be described later).

7
Figure 2. The Main window

Wireshark’s main window consists of parts that are commonly known from many other GUI programs.
1. The menu (see The Menu) is used to start actions.

2. The main toolbar (see The “Main” Toolbar) provides quick access to frequently used items from the
menu.

3. The filter toolbar (see The “Filter” Toolbar) allows users to set display filters to filter which packets
are displayed (see Filtering Packets While Viewing).

4. The packet list pane (see The “Packet List” Pane) displays a summary of each packet captured. By
clicking on packets in this pane you control what is displayed in the other two panes.

5. The packet details pane (see The “Packet Details” Pane) displays the packet selected in the packet
list pane in more detail.
6. The packet bytes pane (see The “Packet Bytes” Pane) displays the data from the packet selected in
the packet list pane, and highlights the field selected in the packet details pane.

7. The packet diagram pane (see The “Packet Diagram” Pane) displays the packet selected in the packet
list as a textbook-style diagram.

8. The statusbar (see The Statusbar) shows some detailed information about the current program state
and the captured data.

8
 The layout of the main window can be customized by changing preference settings.
TIP
See Preferences for details.

Main Window Navigation

Packet list and detail navigation can be done entirely from the keyboard. Keyboard Navigation shows a
list of keystrokes that will let you quickly move around a capture file. See Go menu items for additional
navigation keystrokes.
Table 2. Keyboard Navigation
Accelerator Description

Tab or Shift + Tab Move between screen elements, e.g., from the toolbars to the packet list to
the packet detail.

↓ Move to the next packet or detail item.

↑ Move to the previous packet or detail item.

Ctrl + ↓ or F8 Move to the next packet, even if the packet list isn’t focused.

Ctrl + ↑ or F7 Move to the previous packet, even if the packet list isn’t focused.

Ctrl + . Move to the next packet of the conversation (TCP, UDP or IP).

Ctrl + , Move to the previous packet of the conversation (TCP, UDP or IP).

Alt + → or Option + Move to the next packet in the selection history.

→ (macOS)

Alt + ← or Option + Move to the previous packet in the selection history.

← (macOS)

← In the packet detail, closes the selected tree item. If it’s already closed,
jumps to the parent node.

→ In the packet detail, opens the selected tree item.

Shift + → In the packet detail, opens the selected tree item and all of its subtrees.

Ctrl + → In the packet detail, opens all tree items.

Ctrl + ← In the packet detail, closes all tree items.

Backspace In the packet detail, jumps to the parent node.

Return or Enter In the packet detail, toggles the selected tree item.

Help › About Wireshark › Keyboard Shortcuts will show a list of all shortcuts in the main window.
Additionally, typing anywhere in the main window will start filling in a display filter.

The Menu
9
Wireshark’s main menu is located either at the top of the main window (Windows, Linux) or at the top
of your main screen (macOS). An example is shown in The Menu.

Some menu items will be disabled (greyed out) if the corresponding feature isn’t
NOTE available. For example, you cannot save a capture file if you haven’t captured or loaded any
packets.

Figure 3. The Menu

The main menu contains the following items:

File
This menu contains items to open and merge capture files, save, print, or export capture files in
whole or in part, and to quit the Wireshark application. See The “File” Menu.
Edit
This menu contains items to find a packet, time reference or mark one or more packets, handle
configuration profiles, and set your preferences; (cut, copy, and paste are not presently
implemented). See The “Edit” Menu.
View
This menu controls the display of the captured data, including colorization of packets, zooming the
font, showing a packet in a separate window, expanding and collapsing trees in packet details, ….
See The “View” Menu.
Go
This menu contains items to go to a specific packet. See The “Go” Menu.

Capture
This menu allows you to start and stop captures and to edit capture filters. See The “Capture” Menu.
Analyze
This menu contains items to manipulate display filters, enable or disable the dissection of protocols,
configure user specified decodes and follow a TCP stream. See The “Analyze” Menu.
Statistics
This menu contains items to display various statistic windows, including a summary of the packets
that have been captured, display protocol hierarchy statistics and much more. See The “Statistics”
Menu.
Telephony
This menu contains items to display various telephony related statistic windows, including a media
analysis, flow diagrams, display protocol hierarchy statistics and much more. See The “Telephony”
Menu.
Wireless
10
 This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics.

Tools
This menu contains various tools available in Wireshark, such as creating Firewall ACL Rules. See
The “Tools” Menu.
Help
This menu contains items to help the user, e.g., access to some basic help, manual pages of the
various command line tools, online access to some of the webpages, and the usual about dialog. See
The “Help” Menu.
Each of these menu items is described in more detail in the sections that follow.

Shortcuts make life easier

TIPMost common menu items have keyboard shortcuts. For example, you can press the
Control and the K keys together to open the “Capture Options” dialog.

The “File” Menu

The Wireshark file menu contains the fields shown in File menu items.

Figure 4. The “File” Menu

Table 3. File menu items

11
Menu Item Accelerator Description

Open… Ctrl + O This shows the file open dialog box that allows
you to load a capture file for viewing. It is
discussed in more detail in The “Open Capture
File” Dialog Box.

Open Recent This lets you open recently opened capture files.
Clicking on one of the submenu items will open
the corresponding capture file directly.

Merge… This menu item lets you merge a capture file into
the currently loaded one. It is discussed in more
detail in Merging Capture Files.

Import from Hex Dump…
This menu item brings up the import file dialog
box that allows you to import a text file
containing a hex dump into a new temporary
capture. It is discussed in more detail in Import
Hex Dump.

Menu Item Accelerator Description

Close Ctrl + W This menu item closes the current capture. If you
haven’t saved the capture, you will be asked
to do so first (this can be disabled by a preference
setting).
Save Ctrl + S This menu item saves the current capture. If you
have not set a default capture file name
(perhaps with the -w <capfile> option), Wireshark
pops up the Save Capture File As dialog box
(which is discussed further in The “Save Capture
File As” Dialog Box).

If you have already saved the current capture, this

menu item will be greyed out.

You cannot save a live capture while the capture

is in progress. You must stop the capture in order
to save.

12
Save As… Shift + Ctrl + S This menu item allows you to save the current
capture file to whatever file you would like. It
pops up the Save Capture File As dialog box
(which is discussed further in The “Save Capture
File As” Dialog Box).

File Set › List Files This menu item allows you to show a list of files
in a file set. It pops up the Wireshark List File Set
dialog box (which is discussed further in File
Sets).

File Set › Next File If the currently loaded file is part of a file set,
jump to the next file in the set. If it isn’t part of a
file set or just the last file in that set, this item is
greyed out.

File Set › Previous File If the currently loaded file is part of a file set,
jump to the previous file in the set. If it isn’t part
of a file set or just the first file in that set, this item
is greyed out.

Export Specified Packets… This menu item allows you to export all (or some)
of the packets in the capture file to file. It pops up
the Wireshark Export dialog box (which is
discussed further in Exporting Data).

Menu Item Accelerator Description

Export Packet Ctrl + H These menu items allow you to export the
Dissections… currently selected bytes in the packet bytes pane to
a text file in a number of formats including plain,
CSV, and XML. It is discussed further in
The “Export Selected Packet Bytes” Dialog Box.
Export Objects These menu items allow you to export captured
DICOM, HTTP, IMF, SMB, or TFTP objects into
local files. It pops up a corresponding object list
(which is discussed further in The “Export
Objects” Dialog Box)
Print… Ctrl + P This menu item allows you to print all (or some)
of the packets in the capture file. It pops up the
Wireshark Print dialog box (which is discussed
further in Printing Packets).

13
Quit Ctrl + Q This menu item allows you to quit from
Wireshark. Wireshark will ask to save your
capture file if you haven’t previously saved it (this
can be disabled by a preference setting).

The “Edit” Menu

The Wireshark Edit menu contains the fields shown in Edit menu items.

Figure 5. The “Edit” Menu

Table 4. Edit menu items

Menu Item Accelerator Description

Copy These menu items will copy the packet list, packet
detail, or properties of the currently selected
packet to the clipboard.

Find Packet… Ctrl + F This menu item brings up a toolbar that allows
you to find a packet by many criteria. There is
further information on finding packets in Finding
Packets.

14
Find Next Ctrl + N This menu item tries to find the next packet
matching the settings from “Find Packet…”.

Find Previous Ctrl + B This menu item tries to find the previous packet
matching the settings from “Find Packet…”.

Mark/Unmark Selected Ctrl + M This menu item marks the currently selected
packet. See Marking Packets for details.

Mark All Displayed Packets Ctrl + Shift + M This menu item marks all displayed packets.

Unmark All Displayed Ctrl + Alt + M This menu item unmarks all displayed packets.
Packets

Next Mark Ctrl + Shift + N Find the next marked packet.

Menu Item Accelerator Description

Previous Mark Ctrl + Shift + B Find the previous marked packet.

Ignore/Unignore Selected Ctrl + D This menu item marks the currently selected
packet as ignored. See Ignoring Packets for details.

Ignore All Displayed Ctrl + Shift + D This menu item marks all displayed packets as
ignored.

Unignore All Displayed Ctrl + Alt + D This menu item unmarks all ignored packets.

Set/Unset Time Reference Ctrl + T This menu item set a time reference on the
currently selected packet. See Packet Time
Referencing for more information about the time
referenced packets.

Unset All Time References Ctrl + Alt + T This menu item removes all time references on the
packets.

Next Time Reference Ctrl + Alt + N This menu item tries to find the next time
referenced packet.

Previous Time Reference Ctrl + Alt + B This menu item tries to find the previous time
referenced packet.

Time Shift… Ctrl + Shift + T Opens the “Time Shift” dialog, which allows you
to adjust the timestamps of some or all packets.

15
Packet Comment…
Delete All Packet
Comments
Inject TLS Secrets
Menu Item Accelerator
Discard All Secrets
Configuration Profiles…
Preferences…
The “View” Menu
The Wireshark View menu contains the fields shown in View menu items.
Ctrl + Alt + C Opens the “Packet Comment” dialog, which lets
you add a comment to a single packet. Note that
the ability to save packet comments depends on
your file format. E.g., pcapng supports comments,
pcap does not.
This will delete all comments from all packets.
Note that the ability to save capture comments
depends on your file format. E.g., pcapng supports
comments, pcap does not.
Embeds the used TLS decryption secrets into the
capture file, which lets TLS be decrypted without
having the separate keylog file. Note that the
ability to save decryption secrets depends on your
file format. E.g., pcapng supports Decryption
Secrets Blocks, pcap does not.
Description
This will discard all embedded decryption secrets
from the capture file. Note that the ability to save
decryption secrets depends on your file format.
E.g., pcapng supports
Decryption Secrets Blocks, pcap does not.
Ctrl + Shift + A This menu item brings up a dialog box for
handling configuration profiles. More detail is
provided in Configuration Profiles.
Ctrl + Shift + P This menu item brings up a dialog box that allows
or Cmd + , you to set preferences for many parameters that
(macOS) control Wireshark. You can also save your
preferences so Wireshark will use them the next
time you start it. More detail is provided in
Preferences.
16
Figure 6. The “View” Menu

Table 5. View menu items

Menu Item Accelerator Description

Main Toolbar This menu item hides or shows the main toolbar,
see The “Main” Toolbar.

Filter Toolbar This menu item hides or shows the filter toolbar,
see The “Filter” Toolbar.

Wireless Toolbar This menu item hides or shows the wireless

toolbar. May not be present on some platforms.

Statusbar This menu item hides or shows the statusbar, see

The Statusbar.

Packet List This menu item hides or shows the packet list
pane, see The “Packet List” Pane.

Packet Details This menu item hides or shows the packet details
pane, see The “Packet Details” Pane.

Packet Bytes This menu item hides or shows the packet bytes
pane, see The “Packet Bytes” Pane.

17
Packet Diagram This menu item hides or shows the packet diagram
pane. See The “Packet Diagram” Pane.

Time Display Format › Selecting this tells Wireshark to display the time
Date and Time of Day: stamps in date and time of day format, see Time
1970-01-01 01:02:03.123456 Display Formats And Time References.

The fields “Time of Day”, “Date and Time of

Day”, “Seconds Since First Captured Packet”,
“Seconds Since Previous Captured Packet” and
“Seconds Since Previous Displayed Packet” are
mutually exclusive.
Time Display Format › Selecting this tells Wireshark to display time
stamps in time of day format, see Time Display
Time of Day:
Formats And Time References.
01:02:03.123456
Time Display Format › Selecting this tells Wireshark to display time
Seconds Since Epoch (1970- stamps in seconds since 1970-01-01 00:00:00, see
Time Display Formats And Time References.
01-01): 1234567890.123456

Time Display Format › Selecting this tells Wireshark to display time

Seconds Since First stamps in seconds since first captured packet
Captured Packet: format, see Time Display Formats And Time
123.123456 References.

Menu Item Accelerator Description

Time Display Format › Selecting this tells Wireshark to display time

Seconds Since Previous stamps in seconds since previous captured packet
format, see Time Display Formats And Time
Captured Packet: 1.123456
References.

Time Display Format › Selecting this tells Wireshark to display time

Seconds Since Previous stamps in seconds since previous displayed packet
format, see Time Display Formats And Time
Displayed Packet: 1.123456
References.

Time Display Format › Selecting this tells Wireshark to display time

Automatic (File Format stamps with the precision given by the capture file
Precision) format used, see Time Display Formats And Time
References.

The fields “Automatic”, “Seconds” and “…

seconds” are mutually exclusive.
18
Time Display Format ›
Seconds: 0
Time Display Format › …
seconds: 0….
Time Display Format ›
Display Seconds with hours
and minutes
Name Resolution › Edit
Resolved Name
Name Resolution › Enable
for MAC Layer
Name Resolution › Enable
for Network Layer
Name Resolution › Enable
for Transport Layer
Menu Item
Colorize Packet List
Auto Scroll in Live Capture
Selecting this tells Wireshark to display time
stamps with a precision of one second, see Time
Display Formats And Time References.
Selecting this tells Wireshark to display time
stamps with a precision of one second,
decisecond, centisecond, millisecond,
microsecond or nanosecond, see Time Display
Formats And Time References.
Selecting this tells Wireshark to display time
stamps in seconds, with hours and minutes.
This item allows you to manually enter names to
resolve IP addresses in the current packet, see
Name Resolution.
This item allows you to control whether or not
Wireshark translates MAC addresses into names,
see Name Resolution.
This item allows you to control whether or not
Wireshark translates network addresses into
names, see Name Resolution.
This item allows you to control whether or not
Wireshark translates transport addresses into
names, see Name Resolution.
Accelerator Description
This item allows you to control whether or not
Wireshark should colorize the packet list.
Enabling colorization will slow down the display
of new packets while capturing or loading capture
files.
This item allows you to specify that Wireshark
should scroll the packet list pane as new packets
come in, so you are always looking at the last
packet. If you do not specify this, Wireshark
simply adds new packets onto the end of the list,
but does not scroll the packet list pane.
19
Zoom In Ctrl + + Zoom into the packet data (increase the font size).

Zoom Out Ctrl + - Zoom out of the packet data (decrease the font
size).

Normal Size Ctrl + = Set zoom level back to 100% (set font size back to
normal).

Resize All Columns Shift + Ctrl + R Resize all column widths so the content will fit
into it.

Resizing may take a significant amount of time,

especially if a large capture file is loaded.
Displayed Columns This menu items folds out with a list of all
configured columns. These columns can now be
shown or hidden in the packet list.

Expand Subtrees Shift + → This menu item expands the currently selected
subtree in the packet details tree.

Collapse Subtrees Shift + ← This menu item collapses the currently selected
subtree in the packet details tree.

Expand All Ctrl + → Wireshark keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a
packet. This menu item expands all subtrees in all
packets in the capture.

Collapse All Ctrl + ← This menu item collapses the tree view of all
packets in the capture list.

Menu Item Accelerator Description

Colorize Conversation This menu item brings up a submenu that allows

you to color packets in the packet list pane based
on the addresses of the currently selected packet.
This makes it easy to distinguish packets
belonging to different conversations. Packet
colorization.

Colorize Conversation › These menu items enable one of the ten temporary
Color 1-10 color filters based on the currently selected
conversation.

20
Colorize Conversation › This menu item clears all temporary coloring
Reset coloring rules.

Colorize Conversation › This menu item opens a dialog window in which a

New Coloring Rule… new permanent coloring rule can be created based
on the currently selected conversation.

Coloring Rules… This menu item brings up a dialog box that allows
you to color packets in the packet list pane
according to filter expressions you choose. It can
be very useful for spotting certain types of
packets, see Packet colorization.

Internals Information about various internal data structures.

See Internals menu items below for more
information.

Show Packet in New Shows the selected packet in a separate window.

Window The separate window shows only the packet
details and bytes. See Viewing a packet in a
separate window for details.

Reload Ctrl + R This menu item allows you to reload the current
capture file.
Table 6. Internals menu items
Menu Item Description

Conversation Hash Tables Shows the tuples (address and port combinations) used to
identify each conversation.

Dissector Tables Shows tables of subdissector relationships.

Supported Protocols Displays supported protocols and protocol fields.

The “Go” Menu

The Wireshark Go menu contains the fields shown in Go menu items.

21
Figure 7. The “Go” Menu

Table 7. Go menu items

Menu Item Accelerator Description

Back Alt + ← Jump to the recently visited packet in the packet

history, much like the page history in a web
browser.

Forward Alt + → Jump to the next visited packet in the packet

history, much like the page history in a web
browser.

Go to Packet… Ctrl + G Bring up a window frame that allows you to

specify a packet number, and then goes to that
packet. See Go To A Specific Packet for details.

Go to Corresponding Go to the corresponding packet of the currently

Packet selected protocol field. If the selected field
doesn’t correspond to a packet, this item is
greyed out.

Menu Item Accelerator Description

22
Previous Packet Ctrl + ↑ Move to the previous packet in the list. This can
be used to move to the previous packet even if the
packet list doesn’t have keyboard focus.

Next Packet Ctrl + ↓ Move to the next packet in the list. This can be
used to move to the previous packet even if the
packet list doesn’t have keyboard focus.

First Packet Ctrl + Home Jump to the first packet of the capture file.

Last Packet Ctrl + End Jump to the last packet of the capture file.

Previous Packet In Ctrl + , Move to the previous packet in the current

Conversation conversation. This can be used to move to the
previous packet even if the packet list doesn’t
have keyboard focus.

Next Packet In Ctrl + . Move to the next packet in the current

Conversation conversation. This can be used to move to the
previous packet even if the packet list doesn’t
have keyboard focus.

The “Capture” Menu

The Wireshark Capture menu contains the fields shown in Capture menu items.

23
Figure 8. The “Capture” Menu

Table 8. Capture menu items

Menu Item Accelerator Description

Options… Ctrl + K Shows the Capture Options dialog box, which

allows you to configure interfaces and capture
options. See The “Capture Options” Dialog Box.

Start Ctrl + E Immediately starts capturing packets with the

same settings as the last time.

Stop Ctrl + E Stops the currently running capture. See Stop the
running capture.

Restart Ctrl + R Stops the currently running capture and starts it

again with the same options.

Capture Filters… Shows a dialog box that allows you to create and
edit capture filters. You can name filters and save
them for future use. See Defining And Saving
Filters.

Refresh Interfaces F5 Clear and recreate the interface list.

The “Analyze” Menu

The Wireshark Analyze menu contains the fields shown in Analyze menu items.

24
Figure 9. The “Analyze” Menu
Table 9. Analyze menu items
Menu Item
Display Filters…
Display Filter Macros…
Apply as Column
Menu Item
Apply as Filter
Accelerator Description
Displays a dialog box that allows you to create
and edit display filters. You can name filters, and
you can save them for future use. See Defining
And Saving Filters.
Shows a dialog box that allows you to create and
edit display filter macros. You can name filter
macros, and you can save them for future use.
See Defining And Saving Filter Macros.
Shift + Ctrl + I Adds the selected protocol item in the packet
details pane as a column to the packet list.
Accelerator Description
Change the current display filter and apply it
immediately. Depending on the chosen menu
item, the current display filter string will be
replaced or appended to by the selected protocol
field in the packet details pane.
25
Prepare as Filter Change the current display filter but won’t apply
it. Depending on the chosen menu item, the
current display filter string will be replaced or
appended to by the selected protocol field in the
packet details pane.

Conversation Filter Apply a conversation filter for various protocols.

Enabled Protocols… Shift + Ctrl + E Enable or disable various protocol dissectors. See
The “Enabled Protocols” dialog box.

Decode As… Decode certain packets as a particular protocol.

See User Specified Decodes.

Follow › TCP Stream Open a window that displays all the TCP
segments captured that are on the same TCP
connection as a selected packet. See Following
Protocol Streams.

Follow › UDP Stream Same functionality as “Follow TCP Stream” but

for UDP “streams”.

Follow › TLS Stream Same functionality as “Follow TCP Stream” but

for TLS or SSL streams. See the wiki page on
TLS for instructions on providing TLS keys.

Follow › HTTP Stream Same functionality as “Follow TCP Stream” but

for HTTP streams.

Expert Info Open a window showing expert information found

in the capture. Some protocol dissectors add
packet detail items for notable or unusual
behavior, such as invalid checksums or
retransmissions. Those items are shown here. See
Expert Information for more information.

The amount of information will vary depend on

the protocol

The “Statistics” Menu

The Wireshark Statistics menu contains the fields shown in Statistics menu items.

26
Figure 10. The “Statistics” Menu

Each menu item brings up a new window showing specific statistics.

Table 10. Statistics menu items

Menu Item Accelerator Description

Capture File Properties Show information about the capture file, see The
“Capture File Properties” Dialog.

Resolved Addresses See Resolved Addresses

Protocol Hierarchy Display a hierarchical tree of protocol statistics,

see The “Protocol Hierarchy” Window.

Conversations Display a list of conversations (traffic between

two endpoints), see The “Conversations” Window.

Endpoints Display a list of endpoints (traffic to/from an

address), see The “Endpoints” Window.

Packet Lengths See Packet Lengths

27
I/O Graphs Display user specified graphs (e.g., the number of
packets in the course of time), see The “I/O
Graphs” Window.

Menu Item Accelerator Description

Service Response Time Display the time between a request and the
corresponding response, see Service Response
Time.

DHCP (BOOTP) See DHCP (BOOTP) Statistics

NetPerfMeter See NetPerfMeter Statistics

ONC-RPC Programs See ONC-RPC Programs

29West See 29West

ANCP See ANCP

BACnet See BACnet

Collectd See Collectd

DNS See DNS

Flow Graph See Flow Graph

HART-IP See HART-IP

HPFEEDS See HPFEEDS

HTTP HTTP request/response statistics, see HTTP

Statistics

HTTP2 See HTTP2

Sametime See Sametime

TCP Stream Graphs See TCP Stream Graphs

UDP Multicast Streams See UDP Multicast Streams

Reliable Server Pooling See Reliable Server Pooling (RSerPool)

(RSerPool)

F5 See F5

IPv4 Statistics See IPv4 Statistics

28
IPv6 Statistics See IPv6 Statistics

The “Telephony” Menu

The Wireshark Telephony menu contains the fields shown in Telephony menu items.

Figure 11. The “Telephony” Menu

Each menu item shows specific telephony related statistics.

Table 11. Telephony menu items

Menu Item Accelerator Description

VoIP Calls… See VoIP Calls Window

ANSI See ANSI

GSM See GSM Windows

IAX2 Stream Analysis See IAX2 Stream Analysis Window

ISUP Messages See ISUP Messages Window

LTE See LTE

29
MTP3 See MTP3 Windows

Osmux See Osmux Windows

RTP See RTP Streams Window and RTP Stream

Analysis Window

RTSP See RTSP Window

SCTP See SCTP Windows

SMPP Operations See SMPP Operations Window

Menu Item Accelerator Description

UCP Messages See UCP Messages Window

H.225 See H.225 Window

SIP Flows See SIP Flows Window

SIP Statistics See SIP Statistics Window

WAP-WSP Packet Counter See WAP-WSP Packet Counter Window

The “Wireless” Menu

The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in The
“Wireless” Menu.

30
Figure 12. The “Wireless” Menu

Each menu item shows specific Bluetooth and IEEE 802.11 statistics.

Table 12. Wireless menu items

Menu Item Accelerator Description

Bluetooth ATT Server See Bluetooth ATT Server Attributes

Attributes

Bluetooth Devices See Bluetooth Devices

Menu Item Accelerator Description

Bluetooth HCI Summary See Bluetooth HCI Summary

WLAN Traffic See WLAN Traffic

The “Tools” Menu

The Wireshark Tools menu contains the fields shown in Tools menu items.

31
Figure 13. The “Tools” Menu

Table 13. Tools menu items

Menu Item Accelerator Description

Firewall ACL Rules This allows you to create command-line ACL

rules for many different firewall products,
including Cisco IOS, Linux Netfilter (iptables),
OpenBSD pf and Windows Firewall (via netsh).
Rules for MAC addresses, IPv4 addresses, TCP
and UDP ports, and IPv4+port combinations are
supported.

It is assumed that the rules will be applied to an

outside interface.

Menu item is greyed out unless one (and only one)

frame is selected in the packet list.

32
Credentials This allows you to extract credentials from the
current capture file. Some of the dissectors (ftp,
http, imap, pop, smtp) have been instrumented to
provide the module with usernames and
passwords and more will be instrumented in the
future. The window dialog provides you the
packet number where the credentials have been
found, the protocol that provided them, the
username and protocol specific information.

MAC Address Blocks This allows viewing the IEEE MAC address
registry data that Wireshark uses to resolve MAC
address blocks to vendor names. The table can be
searched by address prefix or vendor name.

TLS Keylog Launcher This can launch an application such as a web

browser or a terminal window with the
SSLKEYLOGFILE environment variable set to
the same value as the TLS secret log file. Note
that you will probably have to quit your existing
web browser session in order to have it run under
a fresh environment.

Lua Console This option allows you to work with the Lua
interpreter optionally built into Wireshark, to
inspect Lua internals and evaluate code. See “Lua
Support in Wireshark” in the Wireshark
Developer’s Guide.

The “Help” Menu

The Wireshark Help menu contains the fields shown in Help menu items.

33
Figure 14. The “Help” Menu

Table 14. Help menu items

Menu Item Accelerator Description

Contents F1 This menu item brings up a basic help system.

Manual Pages › … This menu item starts a Web browser showing one
of the locally installed html manual pages.

Website This menu item starts a Web browser showing the

webpage from: https://www.wireshark.org/.

FAQs This menu item starts a Web browser showing

various FAQs.

Downloads This menu item starts a Web browser showing the

downloads from: https://www.wireshark.org/
download.html.

Wiki This menu item starts a Web browser showing

the front page from: https://gitlab.com/
wireshark/wireshark/-/wikis/.

Menu Item Accelerator Description

34
Sample Captures This menu item starts a Web browser showing the
sample captures from: https://gitlab.com/
wireshark/wireshark/-/wikis/SampleCaptures.

About Wireshark This menu item brings up an information window

that provides various detailed information items
on Wireshark, such as how it’s built, the plugins
loaded, the used folders, …

Opening a Web browser might be unsupported in your version of Wireshark. If this is the
case the corresponding menu items will be hidden.

NOTE
If calling a Web browser fails on your machine, nothing happens, or the browser starts but
no page is shown, have a look at the web browser setting in the preferences dialog.

The “Main” Toolbar

The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be
customized by the user, but it can be hidden using the View menu if the space on the screen is needed
to show more packet data.
Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu items.
For example, in the image below shows the main window toolbar after a file has been opened. Various
file-related buttons are enabled, but the stop capture button is disabled because a capture is not in
progress.

Figure 15. The “Main” toolbar

Table 15. Main toolbar items

35
Toolbar Toolbar Item Menu Item Description
Icon

[ Start ] Capture › Start Starts capturing packets with the same

options as the last capture or the default
options if none were set (Start Capturing).

[ Stop ] Capture › Stop Stops the currently running capture (Start

Capturing).

[ Restart ] Capture › Restart Restarts the current capture session.

[ Options… ] Capture › Opens the “Capture Options” dialog box.

Options… See Start Capturing for details.

Toolbar Toolbar Item Menu Item Description

Icon

[ Open… ] File › Open… Opens the file open dialog box, which
allows you to load a capture file for
viewing. It is discussed in more detail in
The “Open Capture File” Dialog Box.

[ Save As… ] File › Save As… Save the current capture file to whatever file
you would like. See The “Save Capture File
As” Dialog Box for details. If you currently
have a temporary capture file open the
“Save” icon will be shown instead.

[ Close ] File › Close Closes the current capture. If you have not
saved the capture, you will be asked to save
it first.

[ Reload ] View › Reload Reloads the current capture file.

[ Find Packet… ] Edit › Find Find a packet based on different criteria. See
Packet… Finding Packets for details.

[ Go Back ] Go › Go Back Jump back in the packet history. Hold down

the Alt key ( Option on macOS) to go back
in the selection history.

[ Go Forward ] Go › Go Forward Jump forward in the packet history. Hold

down the Alt key ( Option on macOS) to go
forward in the selection history.

[ Go to Packet… ] Go › Go to Packet… Go to a specific packet.

36
 [ Go To First Go › First Packet Jump to the first packet of the capture file.
Packet ]
[ Go To Last Go › Last Packet Jump to the last packet of the capture file.
Packet ]
[ Auto Scroll in Live View › Auto Scroll Auto scroll packet list while doing a live
Capture ] in Live Capture capture (or not).

[ Colorize ] View › Colorize Colorize the packet list (or not).

[ Zoom In ] View › Zoom In Zoom into the packet data (increase the font
size).

[ Zoom Out ] View › Zoom Out Zoom out of the packet data (decrease the
font size).

[ Normal Size ] View › Normal Size Set zoom level back to 100%.

Toolbar Toolbar Item Menu Item Description

Icon

[ Resize Columns ] View › Resize Resize columns, so the content fits into
Columns them.

The “Filter” Toolbar

The filter toolbar lets you quickly edit and apply display filters. More information on display filters is
available in Filtering Packets While Viewing.

Figure 16. The “Filter” toolbar

Table 16. Filter toolbar items

Toolbar Name Description
Icon

Bookmarks Manage or select saved filters.

37
 Filter Input The area to enter or edit a display filter string, see
Building Display Filter Expressions. A syntax check of
your filter string is done while you are typing. The
background will turn red if you enter an incomplete or
invalid string, and will become green when you enter a
valid string.

After you’ve changed something in this field, don’t

forget to press the Apply button (or the Enter/Return
key), to apply this filter string to the display.

This field is also where the current applied filter is

displayed.
Clear Reset the current display filter and clear the edit area.

Apply Apply the current value in the edit area as the new
display filter.

Applying a display filter on large capture files might

take quite a long time.
Recent Select from a list of recently applied filters.

Add Button Add a new filter button.

Toolbar Name Description

Icon

[ Squirre Filter Button Filter buttons are handy shortcuts that apply a display
ls ] filter as soon as you press them. You can create filter
buttons by pressing the [ + ] button, right-clicking in the
filter button area, or opening the Filter Button section of
the Preferences Dialog. The example shows a filter
button with the label “Squirrels”. If you have lots of
buttons you can arrange them into groups by using “//”
as a label separator. For example, if you create buttons
named “Not Squirrels // Rabbits” and “Not Squirrels //
Capybaras” they will show up in the toolbar under a
single button named “Not Squirrels”.

The “Packet List” Pane

38
The packet list pane displays all the packets in the current capture file.

Figure 17. The “Packet List” pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane,
more details will be displayed in the “Packet Details” and “Packet Bytes” panes.
While dissecting a packet, Wireshark will place information from the protocol dissectors into the
columns. As higher-level protocols might overwrite information from lower levels, you will typically
see the information from the highest possible level only.
For example, let’s look at a packet containing TCP inside IP inside an Ethernet packet. The Ethernet
dissector will write its data (such as the Ethernet addresses), the IP dissector will overwrite this by its
own (such as the IP addresses), the TCP dissector will overwrite the IP information, and so on.
There are many different columns available. You can choose which columns are displayed in the
preferences. See Preferences.
The default columns will show:

• [ No. ] The number of the packet in the capture file. This number won’t change, even if a display filter
is used.

• [ Time ] The timestamp of the packet. The presentation format of this timestamp can be changed, see
Time Display Formats And Time References.
• [ Source ] The address where this packet is coming from.

• [ Destination ] The address where this packet is going to.

• [ Protocol ] The protocol name in a short (perhaps abbreviated) version.

• [ Length ] The length of each packet.

• [ Info ] Additional information about the packet content.

The first column shows how each packet is related to the selected packet. For example, in the image
above the first packet is selected, which is a DNS request. Wireshark shows a rightward arrow for the
request itself, followed by a leftward arrow for the response in packet 2. Why is there a dashed line?
There are more DNS packets further down that use the same port numbers. Wireshark treats them as
belonging to the same conversation and draws a line connecting them.
Related packet symbols

First packet in a conversation.

39
 Part of the selected conversation.

Not part of the selected conversation.

Last packet in a conversation.

Request.

Response.

The selected packet acknowledges this packet.

The selected packet is a duplicate acknowledgement of this packet.

The selected packet is related to this packet in some other way, e.g., as part of reassembly.

The packet list has an Intelligent Scrollbar which shows a miniature map of nearby packets. Each raster
line of the scrollbar corresponds to a single packet, so the number of packets shown in the map depends
on your physical display and the height of the packet list. A tall packet list on a highresolution
(“Retina”) display will show you quite a few packets. In the image above the scrollbar shows the status
of more than 500 packets along with the 15 shown in the packet list itself.
Right clicking will show a context menu, described in Pop-up menu of the “Packet List” pane.

The “Packet Details” Pane

The packet details pane shows the current packet (selected in the “Packet List” pane) in a more detailed
form.

Figure 18. The “Packet Details” pane

40
This pane shows the protocols and protocol fields of the packet selected in the “Packet List” pane. The
protocol summary lines (subtree labels) and fields of the packet are shown in a tree which can be
expanded and collapsed.
There is a context menu (right mouse click) available. See details in Pop-up menu of the “Packet
Details” pane.
Some protocol fields have special meanings.

• Generated fields. Wireshark itself will generate additional protocol information which isn’t present
in the captured data. This information is enclosed in square brackets (“[” and “]”). Generated
information includes response times, TCP analysis, IP geolocation information, and checksum
validation.

• Links. If Wireshark detects a relationship to another packet in the capture file it will generate a link
to that packet. Links are underlined and displayed in blue. If you double-clicked on a link Wireshark
will jump to the corresponding packet.

The “Packet Bytes” Pane

The packet bytes pane shows the data of the current packet (selected in the “Packet List” pane) in a
hexdump style.

Figure 19. The “Packet Bytes” pane

The “Packet Bytes” pane shows a canonical hex dump of the packet data. Each line contains the data
offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a
period (“.”).
Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has
reassembled some packets into a single chunk of data. (See Packet Reassembly for details). In this case
you can see each data source by clicking its corresponding tab at the bottom of the pane.
The default mode for viewing will highlight the bytes for a field where the mouse pointer is hovering
above. The highlight will follow the mouse cursor as it moves. If this highlighting is not required or
wanted, there are two methods for deactivating the functionality:
• Temporary By holding down the Ctrl button while moving the mouse, the highlighted field will not
change

• Permanently Using the context menu (right mouse click) the hover highlighting may be
activated/deactivated. This setting is stored in the selected profile recent file.
41
Figure 20. The “Packet Bytes” pane with tabs

Additional tabs typically contain data reassembled from multiple packets or decrypted data.

The “Packet Diagram” Pane

The packet diagram pane shows the current packet (selected in the “Packet List” pane) as a diagram,
similar to ones used in textbooks and IETF RFCs.

Figure 21. The “Packet Diagram” pane

This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List”
pane as a series of diagrams.
There is a context menu (right mouse click) available. For details see Pop-up menu of the “Packet
Diagram” pane.

The Statusbar
42
The statusbar displays informational messages.

In general, the left side will show context related information, the middle part will show information
about the current capture file, and the right side will show the selected configuration profile. Drag the
handles between the text areas to change the size.

Figure 22. The initial Statusbar

This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started.

Figure 23. The Statusbar with a loaded capture file

The colorized bullet… on the left shows the highest expert information level found in the currently
loaded capture file. Hovering the mouse over this icon will show a description of the expert info
level, and clicking the icon will bring up the Expert Information dialog box. For a detailed
description of this dialog and each expert level, see Expert Information.

The edit icon… on the left side lets you add a comment to the capture file using the Capture File
Properties dialog.
The left side… shows the capture file name by default. It also shows field information when hovering
over and selecting items in the packet detail and packet bytes panes, as well as general notifications.
The middle…
shows the current number of packets in the capture file. The following values are displayed:

Packets
The number of captured packets.

Displayed
The number of packets currently being displayed.

Marked
The number of marked packets. Only displayed if you marked any packets.

Dropped
The number of dropped packets Only displayed if Wireshark was unable to capture all packets.
Ignored
The number of ignored packets Only displayed if you ignored any packets.

The right side… shows the selected configuration profile. Clicking on this part of the statusbar will
bring up a menu with all available configuration profiles, and selecting from this list will change the
configuration profile.

43
Figure 24. The Statusbar with a configuration profile menu

For a detailed description of configuration profiles, see Configuration Profiles.

Figure 25. The Statusbar with a selected protocol field

This is displayed if you have selected a protocol field in the “Packet Details” pane.

The value between the parentheses (in this example “ipv6.src”) is the display filter
TIP field for the selected item. You can become more familiar with display filter fields by selecting
different packet detail items.

Figure 26. The Statusbar with a display filter message

This is displayed if you are trying to use a display filter which may have unexpected results.

44
Capturing Live Network Data

Introduction
Capturing live network data is one of the major features of Wireshark.

The Wireshark capture engine provides the following features:

• Capture from different kinds of network hardware such as Ethernet or 802.11.

• Simultaneously capture from multiple network interfaces.

• Stop the capture on different triggers such as the amount of captured data, elapsed time, or the number
of packets.

• Simultaneously show decoded packets while Wireshark is capturing.

• Filter packets, reducing the amount of data to be captured. See Filtering while capturing.

• Save packets in multiple files while doing a long-term capture, optionally rotating through a fixed
number of files (a “ringbuffer”). See Capture files and file modes.

The capture engine still lacks the following features:

• Stop capturing (or perform some other action) depending on the captured data.

Prerequisites
Setting up Wireshark to capture packets for the first time can be tricky. A comprehensive guide “How
To setup a Capture” is available at https://gitlab.com/wireshark/wireshark/-/wikis/ CaptureSetup.
Here are some common pitfalls:

• You may need special privileges to start a live capture.

• You need to choose the right network interface to capture packet data from.

• You need to capture at the right place in the network to see the traffic you want to see.

If you have any problems setting up your capture environment, you should have a look at the guide
mentioned above.

Start Capturing
The following methods can be used to start capturing packets with Wireshark:

• You can double-click on an interface in the welcome screen.

45
 • You can select an interface in the welcome screen, then select Capture › Start or click the first
toolbar button.
• You can get more detailed information about available interfaces using The “Capture Options” Dialog
Box (Capture › Options…).
• If you already know the name of the capture interface you can start Wireshark from the command
line:

This will start Wireshark capturing on interface eth0. More details can be found at Start Wireshark from
the command line.

The “Capture” Section Of The Welcome Screen

When you open Wireshark without starting a capture or opening a capture file it will display the
“Welcome Screen,” which lists any recently opened capture files and available capture interfaces.
Network activity for each interface will be shown in a sparkline next to the interface name. It is
possible to select more than one interface and capture from them simultaneously.

Figure 27. Capture interfaces on Microsoft Windows

Figure 28. Capture interfaces on macOS

Some interfaces allow or require configuration prior to capture. This will be indicated by a
configuration icon ( ) to the left of the interface name. Clicking on the icon will show the
configuration dialog for that interface.
Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter.

46
Wireshark isn’t limited to just network interfaces — on most systems you can also capture USB,
Bluetooth, and other types of packets. Note also that an interface might be hidden if it’s inaccessible to
Wireshark or if it has been hidden as described in The “Manage Interfaces” Dialog Box.

The “Capture Options” Dialog Box

When you select Capture › Options… (or use the corresponding item in the main toolbar), Wireshark
pops up the “Capture Options” dialog box as shown in The “Capture Options” input tab. If you are
unsure which options to choose in this dialog box, leaving the defaults settings as they are should work
well in many cases.

Figure 29. The “Capture Options” input tab

The “Input” tab contains the “Interface” table, which shows the following columns:

Interface
The interface name.

Some interfaces allow or require configuration prior to capture. This will be indicated by a
configuration icon ( ) to the left of the interface name. Clicking on the icon will show the
configuration dialog for that interface.
Traffic
A sparkline showing network activity over time.

Link-layer Header
The type of packet captured by this interface. In some cases it is possible to change this. See
Linklayer header type for more details.
Promiscuous
Lets you put this interface in promiscuous mode while capturing. Note that another application
might override this setting.
47
Snaplen
The snapshot length, or the number of bytes to capture for each packet. You can set an explicit
length if needed, e.g., for performance or privacy reasons.
Buffer
The size of the kernel buffer that is reserved for capturing packets. You can increase or decrease this
as needed, but the default is usually sufficient.
Monitor Mode
Lets you capture full, raw 802.11 headers. Support depends on the interface type, hardware, driver,
and OS. Note that enabling this might disconnect you from your wireless network.
Capture Filter
The capture filter applied to this interface. You can edit the filter by double-clicking on it. See
Filtering while capturing for more details about capture filters.
Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses.

If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings
above will be overridden.
“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same
time.
[ Manage Interfaces ] opens the The “Manage Interfaces” dialog box where pipes can be defined, local
interfaces scanned or hidden, or remote interfaces added.
[ Compile Selected BPFs ] opens The “Compiled Filter Output” dialog box, which shows you the
compiled bytecode for your capture filter. This can help to better understand the capture filter you
created.

Linux power user tip

The execution of BPFs can be sped up on Linux by turning on BPF Just In Time
compilation by executing TIP
$ echo 1 >/proc/sys/net/core/bpf_jit_enable if it is not enabled already. To make

the change persistent you can use sysfsutils.

48
Figure 30. The “Capture Options” output tab

The “Output” tab shows the following information:

Capture to a permanent file File

This field allows you to specify the file name that will be used for the capture file. It is left blank
by default. If left blank, the capture data will be stored in a temporary file. See Capture files and
file modes for details. You can also click on the button to the right of this field to browse through
the filesystem.
Output format
Allows you to set the format of the capture file. pcapng is the default and is more flexible than
pcap. pcapng might be required, e.g., if more than one interface is chosen for capturing. See
https://gitlab.com/wireshark/wireshark/-/wikis/Development/PcapNg for more details on pcapng.

Create a new file automatically…

Sets the conditions for switching a new capture file. A new capture file can be created based on the
following conditions:
• The number of packets in the capture file.

• The size of the capture file.

• The duration of the capture file.

• The wall clock time.

Use a ring buffer with

Multiple files only. Form a ring buffer of the capture files with the given number of files.

More details about capture files can be found in Capture files and file modes.

49
Figure 31. The “Capture Options” options tab

The “Options” tab shows the following information:

Display Options
Update list of packets in real-time
Updates the packet list pane in real time during capture. If you do not enable this, Wireshark will
not display any packets until you stop the capture. When you check this, Wireshark captures in a
separate process and feeds the captures to the display process.
Automatically scroll during live capture
Scroll the packet list pane as new packets come in, so you are always looking at the most recent
packet. Automatic scrolling is temporarily disabled when manually scrolling upwards or
performing a "Go" action so that the selected packet can be examined. It will resume upon
manually scrolling to the end of the packet list. If you do not specify this Wireshark adds new
packets to the packet list but does not scroll the packet list pane. This option has no effect if
“Update list of packets in real-time” is disabled.
Show capture information during capture
If this option is enabled, the capture information dialog described in While a Capture is running
… will be shown while packets are captured.
Name Resolution
Resolve MAC addresses
Translate MAC addresses into names.

Resolve network names

Translate network addresses into names.

Resolve transport names

Translate transport names (port numbers).

See Name Resolution for more details on each of these options.

50
Stop capture automatically after…
Capturing can be stopped based on the following conditions:

• The number of packets in the capture file.

• The number of capture files.

• The capture file size.

• The capture file duration.

You can double click on an interface row in the “Input“ tab or click [ Start ] from any tab to commence
the capture. You can click [ Cancel ] to apply your changes and close the dialog.

The “Manage Interfaces” Dialog Box

Figure 32. The “Manage Interfaces” dialog box

The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage
the following:
Show
Whether or not to show or hide this interface in the welcome screen and the “Capture Options”
dialog.
Friendly Name
A name for the interface that is human readable.

Interface Name

51
 The device name of the interface.
Comment
Can be used to add a descriptive comment for the interface.

The “Pipes” tab lets you capture from a named pipe. To successfully add a pipe, its associated named
pipe must have already been created. Click [ + ] and type the name of the pipe including its path.
Alternatively, [ Browse ] can be used to locate the pipe.
To remove a pipe from the list of interfaces, select it and press [ - ].

On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different
machine. The Remote Packet Capture Protocol service must first be running on the target platform
before Wireshark can connect to it.
On Linux or Unix you can capture (and do so more securely) through an SSH tunnel.

To add a new remote capture interface, click [ + ] and specify the following:

Host
The IP address or host name of the target platform where the Remote Packet Capture Protocol
service is listening. The drop-down list contains the hosts that have previously been successfully
contacted. The list can be emptied by choosing “Clear list” from the drop-down list.
Port
Set the port number where the Remote Packet Capture Protocol service is listening on. Leave blank
to use the default port (2002).
Null authentication
Select this if you don’t need authentication to take place for a remote capture to be started. This
depends on the target platform. This is exactly as secure as it appears, i.e., it is not secure at all.
Password authentication
Lets you specify the username and password required to connect to the Remote Packet Capture
Protocol service.
Each interface can optionally be hidden. In contrast to the local interfaces, they are not saved in the
preferences file.

Make sure you have outside access to port 2002 on the target platform. This is the
NOTE
default port used by the Remote Packet Capture Protocol service.

To remove a host including all its interfaces from the list, select it and click the [ - ] button.

The “Compiled Filter Output” Dialog Box

52
This figure shows the results of compiling the BPF filter for the selected interfaces.

Figure 33. The “Compiled Filter Output” dialog box

In the list on the left the interface names are listed. The results of compiling a filter for the selected
interface are shown on the right.

Capture files and file modes

While capturing, the underlying libpcap capturing engine will grab the packets from the network card
and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved
into a capture file.
By default, Wireshark saves packets to a temporary file. You can also tell Wireshark to save to a
specific (“permanent”) file and switch to a different file after a given time has elapsed or a given
number of packets have been captured. These options are controlled in the “Capture Options” dialog’s
“Output” tab.

Figure 34. Capture output options

53
 Working with large files (several hundred MB) can be quite slow. If you plan to do a long-
term capture or capturing from a high traffic network, think about using one of
TIP the “Multiple files” options. This will spread the captured packets over several smaller
files which can be much more pleasant to work with.

Using the “Multiple files” option may cut context related information. Wireshark keeps context
information of the loaded packet data, so it can report context related problems (like a stream error) and
keeps information about context related protocols (e.g., where data is exchanged at the establishing
phase and only referred to in later packets). As it keeps this information only for the loaded file, using
one of the multiple file modes may cut these contexts. If the establishing phase is saved in one file and
the things you would like to see is in another, you might not see some of the valuable context related
information.
Information about the folders used for capture files can be found in Files and Folders.

Table 17. Capture file mode selected by capture options

File Name “Create a “Use a ring Mode Resulting filename(s) used
new file…” buffer…”

- - - Single temporary wireshark_<interface

file name>XXXXXX.pcap[ng]
(<interface name> is the "friendly
name" of the capture interface if
available and the system name if
not, when capturing on a single
interface, and "N_interfaces"
where N is the number of
interfaces, when capturing on
multiple interfaces; XXXXXX is a
unique 6 character alphanumeric
sequence.)

foo.cap - - Single named file foo.cap

foo.cap x - Multiple files, foo_00001_20240714110102.cap,

continuous foo_00002_20240714110318.cap,
…
foo.cap x x Multiple files, ring foo_00001_20240714110102.cap,
buffer foo_00002_20240714110318.cap,
…
Single temporary file
A temporary file will be created and used (this is the default). After capturing is stopped this file can
be saved later under a user specified name.
Single named file
A single capture file will be used. Choose this mode if you want to place the new capture file in a
specific folder.
54
Multiple files, continuous
Like the “Single named file” mode, but a new file is created and used after reaching one of the
multiple file switch conditions (one of the “Next file every…” values).
Multiple files, ring buffer
Much like “Multiple files continuous”, reaching one of the multiple files switch conditions (one of
the “Next file every …” values) will switch to the next file. This will be a newly created file if value
of “Ring buffer with n files” is not reached, otherwise it will replace the oldest of the formerly used
files (thus forming a “ring”).
This mode will limit the maximum disk usage, even for an unlimited amount of capture input data,
only keeping the latest captured data.

Link-layer header type

In most cases you won’t have to modify link-layer header type. Some exceptions are as follows:

If you are capturing on an Ethernet device you might be offered a choice of “Ethernet” or “DOCSIS”.
If you are capturing traffic from a Cisco Cable Modem Termination System that is putting DOCSIS
traffic onto the Ethernet to be captured, select “DOCSIS”, otherwise select “Ethernet”.
If you are capturing on an 802.11 device on some versions of BSD you might be offered a choice of
“Ethernet” or “802.11”. “Ethernet” will cause the captured packets to have fake (“cooked”) Ethernet
headers. “802.11” will cause them to have full IEEE 802.11 headers. Unless the capture needs to be
read by an application that doesn’t support 802.11 headers you should select “802.11”.
If you are capturing on an Endace DAG card connected to a synchronous serial line you might be
offered a choice of “PPP over serial” or “Cisco HDLC”. If the protocol on the serial line is PPP, select
“PPP over serial” and if the protocol on the serial line is Cisco HDLC, select “Cisco HDLC”.
If you are capturing on an Endace DAG card connected to an ATM network you might be offered a
choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only traffic being captured is RFC 1483
LLC-encapsulated IP, or if the capture needs to be read by an application that doesn’t support SunATM
headers, select “RFC 1483 IP-over-ATM”, otherwise select “Sun raw ATM”.

Filtering while capturing

Wireshark supports limiting the packet capture to packets that match a capture filter. Wireshark capture
filters are written in libpcap filter language. Below is a brief overview of the libpcap filter language’s
syntax. Complete documentation can be found at the pcap-filter man page. You can find many Capture
Filter examples at https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
You enter the capture filter into the “Filter” field of the Wireshark “Capture Options” dialog box, as
shown in The “Capture Options” input tab.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or)
and optionally preceded by not:

55
An example is shown in A capture filter for telnet that captures traffic to and from a particular host.

Example 1. A capture filter for telnet that captures traffic to and from a particular host

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives
and the and conjunction. Another example is shown in Capturing all telnet traffic not from 10.0.0.5,
and shows how to capture all telnet traffic except that from 10.0.0.5.
Example 2. Capturing all telnet traffic not from 10.0.0.5

A primitive is simply one of the following: [src|dst] host <host>

This primitive allows you to filter on a host IP address or name. You can optionally precede the
primitive with the keyword src|dst to specify that you are only interested in source or destination
addresses. If these are not present, packets where the specified address appears as either the source
or the destination address will be selected.
ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the
keyword src|dst between the keywords ether and host to specify that you are only interested in
source or destination addresses. If these are not present, packets where the specified address appears
in either the source or destination address will be selected.
gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the
Ethernet source or destination was host but neither the source nor destination IP address was host.
[src|dst] net <net> [{mask <mask>}|{len <len>}]
This primitive allows you to filter on network numbers. You can optionally precede this primitive
with the keyword src|dst to specify that you are only interested in a source or destination network. If
neither of these are present, packets will be selected that have the specified network in either the
source or destination address. In addition, you can specify either the netmask or the CIDR prefix for
the network if they are different from your own.

[tcp|udp] [src|dst] port <port>

56
 This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this
primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only
interested in source or destination ports and TCP or UDP packets respectively. The keywords
tcp|udp must appear before src|dst.
If these are not specified, packets will be selected for both the TCP and UDP protocols and when the
specified address appears in either the source or destination port field.
less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified
length, or greater than or equal to the specified length, respectively.
ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP
layer.
ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>

This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in
packets. Please see the pcap-filter man page at https://www.tcpdump.org/manpages/pcapfilter.7.html
for more details.

Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g., SSH, an exported X11 window, a terminal server, …), the
remote content has to be transported over the network, adding a lot of (usually unimportant) packets to
the actually interesting traffic.
To avoid this, Wireshark tries to figure out if it’s remotely connected (by looking at some specific
environment variables) and automatically creates a capture filter that matches aspects of the
connection.
The following environment variables are analyzed:

SSH_CONNECTION (ssh)
<remote IP> <remote port> <local IP> <local port>

SSH_CLIENT (ssh)
<remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?)
<remote name>

DISPLAY (x11)
[remote name]:<display num>
57
SESSIONNAME (terminal server)
<remote name>

On Windows it asks the operating system if it’s running in a Remote Desktop Services environment.

While a Capture is running …

You might see the following dialog box while a capture is running:

Figure 35. The “Capture Information” dialog box

This dialog box shows a list of protocols and their activity over time. It can be enabled via the
“capture.show_info” setting in the “Advanced” preferences.

Stop the running capture

A running capture session will be stopped in one of the following ways:

1. The [ Stop Capture ] button in the “Capture Information” dialog box.

2. The Capture › Stop menu item.

3. The [ Stop ] toolbar button.

4. Pressing Ctrl + E .

5. The capture will be automatically stopped if one of the Stop Conditions is met, e.g., the maximum
amount of data was captured.

Restart a running capture

A running capture session can be restarted with the same capture options as the last time, this will
remove all packets previously captured. This can be useful, if some uninteresting packets are captured
and there’s no need to keep them.
Restart is a convenience function and equivalent to a capture stop following by an immediate capture
start. A restart can be triggered in one of the following ways:

1. Using the Capture › Restart menu item.

58
2. Using the [ Restart ] toolbar button.

59
File Input, Output, And Printing

Introduction
This chapter will describe input and output of capture data.

• Open capture files in various capture file formats

• Save and export capture files in various formats

• Merge capture files together

• Import text files containing hex dumps of packets

• Print packets

Open Capture Files

Wireshark can read in previously saved capture files. To read them, simply select the File › Open menu
or toolbar item. Wireshark will then pop up the “File Open” dialog box, which is discussed in more
detail in The “Open Capture File” Dialog Box.

You can use drag and drop to open files

TIPOn most systems you can open a file by simply dragging it in your file manager and
dropping it onto Wireshark’s main window.

If you haven’t previously saved the current capture file you will be asked to do so to prevent data loss.
This warning can be disabled in the preferences.
In addition to its native file format (pcapng), Wireshark can read and write capture files from a large
number of other packet capture programs as well. See Input File Formats for the list of capture formats
Wireshark understands.

The “Open Capture File” Dialog Box

The “Open Capture File” dialog box allows you to search for a capture file containing previously
captured packets for display in Wireshark. The following sections show some examples of the
Wireshark “Open File” dialog box. The appearance of this dialog depends on the system. However, the
functionality should be the same across systems.
Common dialog behavior on all systems:

• Select files and directories.

• Click the [ Open ] button to accept your selected file and open it.

• Click the [ Cancel ] button to go back to Wireshark and not load a capture file.

60
 • The [ Help ] button will take you to this section of the “User’s Guide”.

Wireshark adds the following controls:

• View file preview information such as the size and the number of packets in a selected a capture file.

• Specify a read filter with the “Read filter” field. This filter will be used when opening the new file.
The text field background will turn green for a valid filter string and red for an invalid one. Read
filters can be used to exclude various types of traffic, which can be useful for large capture files. They
use the same syntax as display filters, which are discussed in detail in Filtering Packets While
Viewing.

• Optionally force Wireshark to read a file as a particular type using the “Automatically detect file
type” drop-down.

Figure 36. “Open” on Microsoft Windows

This is the common Windows file open dialog along with some Wireshark extensions.

61
Figure 37. “Open” - Linux and UNIX

This is the common Qt file open dialog along with some Wireshark extensions.

Input File Formats

The native capture file formats used by Wireshark are:

• pcap. The default format used by the libpcap packet capture library. Used by tcpdump, _Snort, Nmap,
Ntop, and many other tools.

• pcapng. A flexible, extensible successor to the pcap format. Wireshark 1.8 and later save files as
pcapng by default. Versions prior to 1.8 used pcap. Used by Wireshark and by tcpdump in newer
versions of macOS.

The following file formats from other capture tools can be opened by Wireshark:

• Oracle (previously Sun) snoop and atmsnoop captures

• Finisar (previously Shomiti) Surveyor captures

• Microsoft Network Monitor captures

• Novell LANalyzer captures

• AIX iptrace captures

• Cinco Networks NetXray captures

• NETSCOUT (previously Network Associates/Network General) Windows-based Sniffer and Sniffer

Pro captures

• Network General/Network Associates DOS-based Sniffer captures

(compressed or uncompressed) captures

• LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/PacketGrabber captures

• RADCOM’s WAN/LAN Analyzer captures

• Viavi (previously Network Instruments) Observer captures

• Lucent/Ascend router debug output

• captures from HP-UX nettl

• Toshiba’s ISDN routers dump output

• output from i4btrace from the ISDN4BSD project

• traces from the EyeSDN USB S0

• the IPLog format output from the Cisco Secure Intrusion Detection System

62
• pppd logs (pppdump format)

• the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities

• the text output from the DBS Etherwatch VMS utility

• Visual Networks’ Visual UpTime traffic capture

• the output from CoSine L2 debug

• the output from InfoVista (previously Accellent) 5Views LAN agents

• Endace Measurement Systems’ ERF format captures

• Linux Bluez Bluetooth stack hcidump -w traces

• Catapult (now Ixia/Keysight) DCT2000 .out files

• Gammu generated text output from Nokia DCT3 phones in Netmonitor mode

• IBM Series (OS/400) Comm traces (ASCII & UNICODE)

• Juniper Netscreen snoop captures

• Symbian OS btsnoop captures

• Tamosoft CommView captures

• Tektronix K12xx 32bit .rf5 format captures

• Tektronix K12 text file format captures

• Apple PacketLogger captures

• Captures from Aethra Telecommunications’ PC108 software for their test instruments

• Citrix NetScaler Trace files

• Android Logcat binary and text format logs

• Colasoft Capsa and PacketBuilder captures

• Micropross mplog files

• Unigraf DPA-400 DisplayPort AUX channel monitor traces

• 802.15.4 traces from Daintree’s Sensor Network Analyzer

• MPEG-2 Transport Streams as defined in ISO/IEC 13818-1

• Log files from the candump utility

• Logs from the BUSMASTER tool

• Ixia IxVeriWave raw captures

• Rabbit Labs CAM Inspector files

• systemd journal files

63
 • 3GPP TS 32.423 trace files

New file formats are added from time to time.

It may not be possible to read some formats dependent on the packet types captured. Ethernet captures
are usually supported for most file formats but it may not be possible to read other packet types such as
PPP or IEEE 802.11 from all file formats.

Saving Captured Packets

You can save captured packets by using the File › Save or File › Save As… menu items. You can
choose which packets to save and which file format to be used.
Not all information will be saved in a capture file. For example, most file formats don’t record the
number of dropped packets. See Capture Files for details.

The “Save Capture File As” Dialog Box

The “Save Capture File As” dialog box allows you to save the current capture to a file. The exact
appearance of this dialog depends on your system. However, the functionality is the same across
systems. Examples are shown below.

Figure 38. “Save” on Microsoft Windows

This is the common Windows file save dialog with some additional Wireshark extensions.

64
Figure 39. “Save” on Linux and UNIX

This is the common Qt file save dialog with additional Wireshark extensions.

You can perform the following actions:

• Type in the name of the file in which you wish to save the captured packets.

• Select the directory to save the file into.

• Specify the format of the saved capture file by clicking on the “Save as” drop-down box. You can
choose from the types described in Output File Formats. Some capture formats may not be available
depending on the packet types captured.

• The [ Help ] button will take you to this section of the “User’s Guide”.

• “Compress with gzip” will compress the capture file as it is being written to disk.

• Click the [ Save ] button to accept your selected file and save it.

• Click on the [ Cancel ] button to go back to Wireshark without saving any packets.

If you don’t provide a file extension to the filename (e.g., .pcap) Wireshark will append the standard
file extension for that file format.

Wireshark can convert file formats

TIPYou can convert capture files from one format to another by opening a capture and
saving it as a different format.

If you wish to save some of the packets in your capture file you can do so via The “Export Specified
Packets” Dialog Box.

Output File Formats

65
Wireshark can save the packet data in its native file format (pcapng) and in the file formats of other
protocol analyzers so other tools can read the capture data.

Saving in a different format might lose data

NOTESaving your file in a different format might lose information such as comments,
name resolution, and time stamp resolution. See Time Stamps for more information on
time stamps.

The following file formats can be saved by Wireshark (with the known file extensions):

• pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later
save files as pcapng by default. Versions prior to 1.8 used libpcap.
• pcap (*.pcap). The default format used by the libpcap packet capture library. Used by tcpdump,
_Snort, Nmap, Ntop, and many other tools.

• Accellent 5Views (*.5vw)

• captures from HP-UX nettl ({asterisktrc0,*.trc1)

• Microsoft Network Monitor - NetMon (*.cap)

• Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)

• Cinco Networks NetXray captures (*.cap)

• Network Associates Sniffer - Windows (*.cap)

• Network Instruments/Viavi Observer (*.bfr)

• Novell LANalyzer (*.tr1)

• Oracle (previously Sun) snoop (*.snoop,*.cap)

• Visual Networks Visual UpTime traffic (*.*)

• Symbian OS btsnoop captures (*.log)

• Tamosoft CommView captures (*.ncf)

• Catapult (now Ixia/Keysight) DCT2000 .out files (*.out)

• Endace Measurement Systems’ ERF format capture(*.erf)

• EyeSDN USB S0 traces (*.trc)

• Tektronix K12 text file format captures (*.txt)

• Tektronix K12xx 32bit .rf5 format captures (*.rf5)

• Android Logcat binary logs (*.logcat)

• Android Logcat text logs (*.*)

• Citrix NetScaler Trace files (*.cap)

66
New file formats are added from time to time.

Whether or not the above tools will be more helpful than Wireshark is a different question ;-)

Third party protocol analyzers may require specific file extensions

NOTEWireshark examines a file’s contents to determine its type. Some other protocol
analyzers only look at a file’s extension. For example, you might need to use the .cap
extension in order to open a file using the Windows version of Sniffer.

Merging Capture Files

Sometimes you need to merge several capture files into one. For example, this can be useful if you have
captured simultaneously from multiple interfaces at once (e.g., using multiple instances of Wireshark).
There are three ways to merge capture files using Wireshark:

• Use the File › Merge menu to open the “Merge” dialog. See The “Merge With Capture File” Dialog
Box for details. This menu item will be disabled unless you have loaded a capture file.
• Use drag and drop to drop multiple files on the main window. Wireshark will try to merge the packets
in chronological order from the dropped files into a newly created temporary file. If you drop a single
file, it will simply replace the existing capture.

• Use the mergecap tool from the command line to merge capture files. This tool provides the most
options to merge capture files. See mergecap: Merging multiple capture files into one for details.

The “Merge With Capture File” Dialog Box

This lets you select a file to be merged into the currently loaded file. If your current data has not been
saved you will be asked to save it first.
Most controls of this dialog will work the same way as described in the “Open Capture File” dialog
box. See The “Open Capture File” Dialog Box for details.
Specific controls of this merge dialog are:

Prepend packets
Prepend the packets from the selected file before the currently loaded packets.

Merge chronologically
Merge both the packets from the selected and currently loaded file in chronological order.

Append packets
Append the packets from the selected file after the currently loaded packets.

67
Figure 40. “Merge” on Microsoft Windows

This is the common Windows file open dialog with additional Wireshark extensions.

Figure 41. “Merge” on Linux and UNIX

This is the Qt file open dialog with additional Wireshark extensions.

Import Hex Dump

Wireshark can read in a hex dump and write the data described into a temporary libpcap capture file. It
can read hex dumps with multiple packets in them, and build a capture file of multiple packets. It is
also capable of generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully
processable packet dumps from hexdumps of application-level data only. Alternatively, a Dummy PDU
header can be added to specify a dissector the data should be passed to initially.
68
Two methods for converting the input are supported:

Standard ASCII Hexdumps

Wireshark understands a hexdump of the form generated by od -Ax -tx1 -v. In other words, each byte is
individually displayed, with spaces separating the bytes from each other. Hex digits can be upper or
lowercase.
In normal operation, each line must begin with an offset describing the position in the packet, followed
a colon, space, or tab separating it from the bytes. There is no limit on the width or number of bytes per
line, but lines with only hex bytes without a leading offset are ignored (i.e., line breaks should not be
inserted in long lines that wrap.) Offsets are more than two digits; they are in hex by default, but can
also be in octal or decimal. Each packet must begin with offset zero, and an offset zero indicates the
beginning of a new packet. Offset values must be correct; an unexpected value causes the current
packet to be aborted and the next packet start awaited. There is also a single packet mode with no
offsets.
Packets may be preceded by a direction indicator ('I' or 'O') and/or a timestamp if indicated. If both are
present, the direction indicator precedes the timestamp. The format of the timestamps must be
specified. If no timestamp is parsed, in the case of the first packet the current system time is used, while
subsequent packets are written with timestamps one microsecond later than that of the previous packet.
Other text in the input data is ignored. Any text before the offset is ignored, including email forwarding
characters '>'. Any text on a line after the bytes is ignored, e.g., an ASCII character dump (but see -a to
ensure that hex digits in the character dump are ignored). Any line where the first non-whitespace
character is a '#' will be ignored as a comment. Any lines of text between the bytestring lines are
considered preamble; the beginning of the preamble is scanned for the direction indicator and
timestamp as mentioned above and otherwise ignored.
Any line beginning with #TEXT2PCAP is a directive and options can be inserted after this command to
be processed by Wireshark. Currently there are no directives implemented; in the future, these may be
used to give more fine-grained control on the dump and the way it should be processed e.g.,
timestamps, encapsulation type etc.
In general, short of these restrictions, Wireshark is pretty liberal about reading in hexdumps and has
been tested with a variety of mangled outputs (including being forwarded through email multiple times,
with limited line wrap etc.)
Here is a sample dump that can be imported, including optional directional indicator and timestamp:
I 2019-05-14T19:04:57Z 000000 00 e0 1e
a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........

69
Regular Text Dumps

Wireshark is also capable of scanning the input using a custom Perl regular expression as specified by
GLib’s GRegex here. Using a regex capturing a single packet in the given file Wireshark will search the
given file from start to the second to last character (the last character has to be \n and is ignored) for
non-overlapping (and non-empty) strings matching the given regex and then identify the fields to
import using named capturing subgroups. Using provided format information for each field they are
then decoded and translated into a standard libpcap file retaining packet order.
Note that each named capturing subgroup has to match exactly once a packet, but they may be present
multiple times in the regex.
For example, the following dump:

> 0:00:00.265620 a130368b000000080060

> 0:00:00.280836 a1216c8b00000000000089086b0b82020407
< 0:00:00.295459 a2010800000000000000000800000000
> 0:00:00.296982 a1303c8b00000008007088286b0bc1ffcbf0f9ff
> 0:00:00.305644 a121718b0000000000008ba86a0b8008
< 0:00:00.319061 a2010900000000000000001000600000
> 0:00:00.330937 a130428b00000008007589186b0bb9ffd9f0fdfa3eb4295e99f3aaffd2f005
> 0:00:00.356037 a121788b0000000000008a18

could be imported using these settings:

mestamp: %H:%M:%S.%f

Caution has to be applied when discarding the anchors ^ and $, as the input is searched, not parsed,
meaning even most incorrect regexes will produce valid looking results when not anchored (however,
anchors are not guaranteed to prevent this). It is generally recommended to sanity check any files
created using this conversion.
Supported fields:

• data: Actual captured frame data

The only mandatory field. This should match the encoded binary data captured and is used as the
actual frame data to import.
• time: timestamp for the packet

The captured field will be parsed according to the given timestamp format into a timestamp.
70
 If no timestamp is present an arbitrary counter will count up seconds and nanoseconds by one each
packet.
• dir: the direction the packet was sent over the wire

The captured field is expected to be one character in length, any remaining characters are ignored
(e.g., given "Input" only the 'I' is looked at). This character is compared to lists of characters
corresponding to inbound and outbound and the packet is assigned the corresponding direction. If
neither list yields a match, the direction is set to unknown.
If this field is not specified the entire file has no directional information.

• seqno: an ID for this packet

Each packet can be assigned an arbitrary ID that can used as field by Wireshark. This field is
assumed to be a positive integer base 10. This field can e.g. be used to reorder out of order captures
after the import.
If this field is not given, no IDs will be present in the resulting file.

The “Import From Hex Dump” Dialog Box

This dialog box lets you select a text file, containing a hex dump of packet data, to be imported and set
import parameters.

71
Figure 42. The “Import from Hex Dump” dialog in Hex Dump mode

Specific controls of this import dialog are split in three sections:

File Source
Determine which input file has to be imported

Input Format
Determine how the input file has to be interpreted.

Encapsulation
Determine how the data is to be encapsulated.

File source

Filename / Browse
Enter the name of the text file to import. You can use Browse to browse for a file.

Input Format
72
This section is split in the two alternatives for input conversion, accessible in the two Tabs "Hex
Dump" and "Regular Expression"

In addition to the conversion mode specific inputs, there are also common parameters, currently only
the timestamp format.

The Hex Dump tab

Offsets
Select the radix of the offsets given in the text file to import. This is usually hexadecimal, but
decimal and octal are also supported. Select None when only the bytes are present. These will be
imported as a single packet.
Direction indication
Tick this box if the text file to import has direction indicators before each frame. These are on a
separate line before each frame and start with either I or i for input and O or o for output.

The Regular Expression tab

Figure 43. The "Regular Expression" tab inside the "Import from Hex Dump” dialog.

Packet format regular expression

This is the regex used for searching packets and metadata inside the input file. Named capturing
subgroups are used to find the individual fields. Anchors ^ and $ are set to match directly before and
after newlines \n or \r\n. See GRegex for a full documentation.
Data encoding
The Encoding used for the binary data. Supported encodings are plain-hexadecimal, -octal, -binary
and base64. Plain here means no additional characters are present in the data field beyond
whitespaces, which are ignored. Any unexpected characters abort the import process.
Ignored whitespaces are \r, \n, \t, \v, ` ` and only for hex :, only for base64 =.

Any incomplete bytes at the field’s end are assumed to be padding to fill the last complete byte.
These bits should be zero, however, this is not checked.
Direction indication

73
 The lists of characters indicating incoming vs. outgoing packets. These fields are only available
when the regex contains a (?<dir>…) group.

Common items

Timestamp Format
This is the format specifier used to parse the timestamps in the text file to import. It uses the same
format as strptime(3) with the addition of %f for zero padded fractions of seconds. The precision of
%f is determined from its length. The most common fields are %H, %M and %S for hours, minutes
and seconds. The straightforward HH:MM:SS format is covered by %T. For a full definition of the
syntax look for strptime(3),
In Regex mode this field is only available when a (?<time>…) group is present.

In Hex Dump mode if there are no timestamps in the text file to import, leave this field empty and
timestamps will be generated based on the time of import.

Encapsulation

Encapsulation type
Here you can select which type of frames you are importing. This all depends on from what type of
medium the dump to import was taken. It lists all types that Wireshark understands, so as to pass the
capture file contents to the right dissector.
Dummy header
When Ethernet encapsulation is selected you have to option to prepend dummy headers to the
frames to import. These headers can provide artificial Ethernet, IP, UDP, TCP or SCTP headers or
SCTP data chunks. When selecting a type of dummy header, the applicable entries are enabled,
others are greyed out and default values are used. When the Wireshark Upper PDU export
encapsulation is selected the option ExportPDU becomes available. This allows you to select the
name of the dissector these frames are to be directed to.
Maximum frame length
You may not be interested in the full frames from the text file, just the first part. Here you can define
how much data from the start of the frame you want to import. If you leave this open the maximum
is set to 256kiB.
Once all input and import parameters are setup click [ Import ] to start the import. If your current data
wasn’t saved before you will be asked to save it first.
If the import button doesn’t unlock, make sure all encapsulation parameters are in the expected range
and all unlocked fields are populated when using regex mode (the placeholder text is not used as
default).
When completed there will be a new capture file loaded with the frames imported from the text file.

File Sets
74
When using the “Multiple Files” option while doing a capture (see: Capture files and file modes), the
capture data is spread over several capture files, called a file set.
As it can become tedious to work with a file set by hand, Wireshark provides some features to handle
these file sets in a convenient way.

How does Wireshark detect the files of a file set?

A filename in a file set uses the format Prefix_Number_DateTimeSuffix (or, in Wireshark 4.4.0 and
later, Prefix_DateTime_NumberSuffix) which might look something like
test_00001_20240714183910.pcap. All files of a file set share the same prefix (e.g., “test”) and
suffix (e.g., “.pcap”) and a varying middle part. Files are also allowed to have a second compression
suffix of types that Wireshark can open; the compression suffix does not have to match for all files
in a set.

To find the files of a file set, Wireshark scans the directory where the currently loaded file resides
and checks for files matching the filename pattern (prefix and suffix) of the currently loaded file.
This simple mechanism usually works well but has its drawbacks. If several file sets were
captured with the same prefix and suffix, Wireshark will detect them as a single file set. If files
were renamed or spread over several directories the mechanism will fail to find all files of a set.

The following features in the File › File Set submenu are available to work with file sets in a
convenient way:
• The “List Files” dialog box will list the files Wireshark has recognized as being part of the current
file set.

• [ Next File ] closes the current and opens the next file in the file set.

• [ Previous File ] closes the current and opens the previous file in the file set.

The “List Files” Dialog Box

75
Figure 44. The “List Files” dialog box

Each line contains information about a file of the file set:

Filename
The name of the file. If you click on the filename (or the radio button left to it), the current file will
be closed and the corresponding capture file will be opened.
Created
The creation time of the file.

Last Modified
The last time the file was modified.

Size
The size of the file.

The last line will contain info about the currently used directory where all of the files in the file set can
be found.
The content of this dialog box is updated each time a capture file is opened/closed.

The [ Close ] button will, well, close the dialog box.

Exporting Data
Wireshark provides a variety of options for exporting packet data. This section describes general ways
to export data from the main Wireshark application. There are many other ways to export or extract
data from capture files, including processing tshark output and customizing Wireshark and TShark
using Lua scripts.

The “Export Specified Packets” Dialog Box

76
Figure 45. The “Export Specified Packets” dialog box

This is similar to the “Save” dialog box, but it lets you save specific packets. This can be useful for
trimming irrelevant or unwanted packets from a capture file. See Packet Range for details on the range
controls.

The “Export Packet Dissections” Dialog Box

This lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other
formats.

Figure 46. The “Export Packet Dissections” dialog box

77
The format can be selected from the “Export As” drop-down and further customized using the “Packet
Range” and “Packet Format” controls. Some controls are unavailable for some formats, notably CSV
and JSON. The following formats are supported:
• Plain text as shown in the main window

• Comma-separated values (CSV)

• C-compatible byte arrays

• PSML (summary XML)

• PDML (detailed XML)

• JavaScript Object Notation (JSON)

Here are some examples of exported data:

Plain text

No. Time Source Destination Protocol Length

SSID Info
1 0.000000 200.121.1.131 172.16.0.122 TCP 1454
10554 → 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]

Frame 1: 1454 bytes on wire (11632 bits), 1454 bytes captured (11632 bits)
Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13
Internet Protocol Version 4, Src: 200.121.1.131 (200.121.1.131), Dst: 172.16.0.122
(172.16.0.122)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 1440
Identification: 0x0141 (321)
Flags: 0x0000
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 106
Protocol: TCP (6)
Header checksum: 0xd390 [validation disabled]
[Header checksum status: Unverified]
Source: 200.121.1.131 (200.121.1.131)
Destination: 172.16.0.122 (172.16.0.122)
[Source GeoIP: PE, ASN 6147, Telefonica del Peru S.A.A.] Transmission Control
Protocol, Src Port: 10554, Dst Port: 80, Seq: 1, Ack: 1, Len:
1400

78
 If you would like to be able to import any previously exported packets from a plain text file
it is recommended that you do the following:
• Add the “Absolute date and time” column.

• Temporarily hide all other columns.

TIP• Disable the Edit › Preferences › Protocols › Data “Show not dissected data on new

Packet Bytes pane” preference. More details are provided in Preferences

• Include the packet summary line.

• Exclude column headings.

• Exclude packet details.

• Include the packet bytes.

CSV

"No.","Time","Source","Destination","Protocol","Length","SSID","Info","Win Size"
"1","0.000000","200.121.1.131","172.16.0.122","TCP","1454","","10554 > 80 [ACK]
Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
"2","0.000011","172.16.0.122","200.121.1.131","TCP","54","","[TCP ACKed unseen
segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=53200 Len=0","53200"
"3","0.025738","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Spurious
Retransmission] 10554 > 80 [ACK] Seq=1401 Ack=1 Win=65535 Len=1400 [TCP segment of a
reassembled PDU]","65535"
"4","0.025749","172.16.0.122","200.121.1.131","TCP","54","","[TCP Window Update] [TCP
ACKed unseen segment] 80 > 10554 [ACK] Seq=1 Ack=11201 Win=63000 Len=0","63000"
"5","0.076967","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Previous segment not
captured] [TCP Spurious Retransmission] 10554 > 80 [ACK] Seq=4201 Ack=1 Win=65535
Len=1400 [TCP segment of a reassembled PDU]","65535"

JSON

{
"_index": "packets-2014-06-22",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.encap_type": "1",
"frame.time": "Jun 22, 2014 13:29:41.834477000 PDT",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1403468981.834477000",
79
 "frame.time_delta": "0.450535000",
"frame.time_delta_displayed": "0.450535000",
"frame.time_relative": "0.450535000",
"frame.number": "2",
"frame.len": "86",
"frame.cap_len": "86",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "eth:ethertype:ipv6:icmpv6",
"frame.coloring_rule.name": "ICMP",
"frame.coloring_rule.string": "icmp || icmpv6"
},
"eth": {
"eth.dst": "33:33:ff:9e:e3:8e",
"eth.dst_tree": {
"eth.dst_resolved": "33:33:ff:9e:e3:8e",
"eth.dst.oui": "3355647",
"eth.addr": "33:33:ff:9e:e3:8e",
"eth.addr_resolved": "33:33:ff:9e:e3:8e",
"eth.addr.oui": "3355647",
"eth.dst.lg": "1",
"eth.lg": "1",
"eth.dst.ig": "1",
"eth.ig": "1"
},
"eth.src": "00:01:5c:62:8c:46",
"eth.src_tree": {
"eth.src_resolved": "00:01:5c:62:8c:46",
"eth.src.oui": "348",
"eth.src.oui_resolved": "Cadant Inc.",
"eth.addr": "00:01:5c:62:8c:46",
"eth.addr_resolved": "00:01:5c:62:8c:46",
"eth.addr.oui": "348",
"eth.addr.oui_resolved": "Cadant Inc.",
"eth.src.lg": "0",
"eth.lg": "0",
"eth.src.ig": "0",
"eth.ig": "0"
},
"eth.type": "0x000086dd"
},
"ipv6": {
"ipv6.version": "6",
"ip.version": "6",
"ipv6.tclass": "0x00000000",
"ipv6.tclass_tree": {
80
 "ipv6.tclass.dscp": "0",
"ipv6.tclass.ecn": "0"
},
"ipv6.flow": "0x00000000",
"ipv6.plen": "32",
"ipv6.nxt": "58",
"ipv6.hlim": "255",
"ipv6.src": "2001:558:4080:16::1",
"ipv6.addr": "2001:558:4080:16::1",
"ipv6.src_host": "2001:558:4080:16::1",
"ipv6.host": "2001:558:4080:16::1",
"ipv6.dst": "ff02::1:ff9e:e38e",
"ipv6.addr": "ff02::1:ff9e:e38e",
"ipv6.dst_host": "ff02::1:ff9e:e38e",
"ipv6.host": "ff02::1:ff9e:e38e",
"ipv6.geoip.src_summary": "US, ASN 7922, Comcast Cable Communications, LLC",
"ipv6.geoip.src_summary_tree": {
"ipv6.geoip.src_country": "United States",
"ipv6.geoip.country": "United States",
"ipv6.geoip.src_country_iso": "US",
"ipv6.geoip.country_iso": "US",
"ipv6.geoip.src_asnum": "7922",
"ipv6.geoip.asnum": "7922",
"ipv6.geoip.src_org": "Comcast Cable Communications, LLC",
"ipv6.geoip.org": "Comcast Cable Communications, LLC",
"ipv6.geoip.src_lat": "37.751",
"ipv6.geoip.lat": "37.751",
"ipv6.geoip.src_lon": "-97.822",
"ipv6.geoip.lon": "-97.822"
}
},
"icmpv6": {
"icmpv6.type": "135",
"icmpv6.code": "0",
"icmpv6.checksum": "0x00005b84",
"icmpv6.checksum.status": "1",
"icmpv6.reserved": "00:00:00:00",
"icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e",
"icmpv6.opt": {
"icmpv6.opt.type": "1",
"icmpv6.opt.length": "1",
"icmpv6.opt.linkaddr": "00:01:5c:62:8c:46",
"icmpv6.opt.src_linkaddr": "00:01:5c:62:8c:46"
}
}
}
81
 }
}
]

The “Export Selected Packet Bytes” Dialog Box

Export the bytes selected in the “Packet Bytes” pane into a raw binary file.

Figure 47. The “Export Selected Packet Bytes” dialog box

File name
The file name to export the packet data to.

Save as type The file

extension.

The “Export PDUs to File…” Dialog Box

The “Export PDUs to File…” dialog box allows you to filter the captured Protocol Data Units (PDUs)
and export them into the file. It allows you to export reassembled PDUs avoiding lower layers such as
HTTP without TCP, and decrypted PDUs without the lower protocols such as HTTP without TLS and
TCP.

1. In the main menu select File › Export PDUs to File…. Wireshark will open a corresponding dialog
Export PDUs to File window.

82
 Figure 48. Export PDUs to File window

2. To select the data according to your needs, optionally type a filter value into the Display Filter field.
For more information about filter syntax, see the Wireshark Filters man page.

3. In the field below the Display Filter field you can choose the level from which you want to export
the PDUs to the file. There are seven levels:

a. DLT User. You can export a protocol, which is framed in the user data link type table without the
need to reconfigure the DLT user table. For more information, see the How to Dissect Anything
page.

b. DVB-CI. You can use it for the Digital Video Broadcasting (DVB) protocol.

c. Logcat and Logcat Text. You can use them for the Android logs.

d. OSI layer 3. You can use it to export PDUs encapsulated in the IPSec or SCTP protocols.

e. OSI layer 4. You can use it to export PDUs encapsulated in the TCP or UDP protocols.

f. OSI layer 7. You can use it to export the following protocols: CredSSP over TLS, Diameter,
protocols encapsulated in TLS and DTLS, H.248, Megaco, RELOAD framing, SIP, SMPP.

As a developer you can add any dissector to the existing list or define a new
NOTE
entry in the list by using the functions in epan/exported_pdu.h.

4. To finish exporting PDUs to file, click the [ OK ] button in the bottom-right corner. This will close
the originally captured file and open the exported results instead as a temporary file in the main
Wireshark window.

5. You may save the temporary file just like any captured file. See Saving Captured Packets for details.

83
 The file produced has a Wireshark Upper PDU encapsulation type that has
NOTEsomewhat limited support outside of Wireshark, but is very flexible and can
contain PDUs for any protocol for which there is a Wireshark dissector.

The “Strip Headers…” Dialog Box

The “Strip Headers…” dialog box allows you to filter known encapsulation types on whatever protocol
layer they appear and export them into a new capture file, removing lower-level protocols. It allows
you to export reassembled packets and frames without lower layers such as GPF, GRE, GSE, GTP-U,
MPLS, MPE, PPP, and more. If Wireshark has performed decryption, then you can export decrypted IP
from protocols like IEEE 802.11 or IPSec without having to save encryption keys.
The procedure is similar to that of The “Export PDUs to File…” Dialog Box:

1. In the main menu select File › Strip Headers…. Wireshark will open a corresponding dialog.

2. To select the data according to your needs, optionally type a filter value into the Display Filter field.
For more information about filter syntax, see the Wireshark Filters man page.

3. In the field below the Display Filter field you can choose the encapsulation type you want to find and
export to the file. There are two encapsulations supported:

a. Ethernet. You can use it to export Ethernet encapsulated in other protocols.

b. IP. You can use it to export IPv4 and IPv6 encapsulated in other protocols.

As a developer you can add encapsulations to the list by using the functions
NOTE
in epan/exported_pdu.h.

4. To finish exporting to file, click the [ OK ] button in the bottom-right corner. This will close the
originally captured file and open the exported results instead as a temporary file in the main Wireshark
window.

5. You may save the temporary file just like any captured file. See Saving Captured Packets for details.

The new capture files produced have standard encapsulation types and can be
NOTE
read in nearly any tool.

The “Export TLS Session Keys…” Dialog Box

Transport Layer Security (TLS) encrypts the communication between a client and a server. The most
common use for it is web browsing via HTTPS.
Decryption of TLS traffic requires TLS secrets. You can get them in the form of stored session keys in a
"key log file", or by using an RSA private key file. For more details, see the TLS wiki page.
84
The File › Export TLS Session Keys… menu option generates a new "key log file" which contains
TLS session secrets known by Wireshark. This feature is useful if you typically decrypt TLS sessions
using the RSA private key file. The RSA private key is very sensitive because it can be used to decrypt
other TLS sessions and impersonate the server. Session keys can be used only to decrypt sessions from
the packet capture file. However, session keys are the preferred mechanism for sharing data over the
Internet.
To export captured TLS session keys, follow the steps below:

1. In the main menu select File › Export TLS Session Keys…. Wireshark will open a corresponding
dialog Export TLS Session Keys window.

Figure 49. Export TLS Session Keys window

2. Type the desired file name in the Save As field.

3. Choose the destination folder for your file in the Where field.

4. Press the [ Save ] button to complete the export file procedure.

The “Export Objects” Dialog Box

This feature scans through the selected protocol’s streams in the currently open capture file or running
capture and allows the user to export reassembled objects to the disk. For example, if you select HTTP,
you can export HTML documents, images, executables, and any other files transferred over HTTP to
the disk. If you have a capture running, this list is automatically updated every few seconds with any
new objects seen. The saved objects can then be opened or examined independently of Wireshark.

85
Figure 50. The “Export Objects” dialog box

Columns:

Packet
The packet number in which this object was found. In some cases, there can be multiple objects in
the same packet.
Hostname
The hostname of the server that sent this object.

Content Type
The content type of this object.

Size
The size of this object in bytes.

Filename: The filename for this object. Each protocol generates the filename differently. For example,
HTTP uses the final part of the URI and IMF uses the subject of the email.
Inputs:

Text Filter
Only displays objects containing the specified text string.

86
Help
Opens this section of the “User’s Guide”.

Save All
Saves all objects (including those not displayed) using the filename from the filename column. You
will be asked what directory or folder to save them in.
Close
Closes the dialog without exporting.

Save
Saves the currently selected object as a filename you specify. The default filename to save as is
taken from the filename column of the objects list.

Printing Packets
To print packets, select the File › Print… menu item. Wireshark will display the “Print” dialog box as
shown below.

It’s easy to waste paper doing this

WARNINGPrinted output can contain lots of text, particularly if you print packet
details and bytes.

The “Print” Dialog Box

87
Figure 51. The “Print” dialog box

The “Print” dialog box shows a preview area which shows the result of changing the packet format
settings. You can zoom in and out using the + and - keys and reset the zoom level using the 0 key. The
following settings are available in the Print dialog box:
Packet Format
Lets you specify what gets printed. See The “Packet Format” frame for details.

Summary line
Include a summary line for each packet. The line will contain the same fields as the packet list.
Details
Print details for each packet.

Bytes
Print a hex dump of each packet.

Packet Range
Select the packets to be printed. See The “Packet Range” Frame for details.

[ Page Setup… ] lets you select the page size and orientation.
[ Print… ] prints to your default printer.
88
[ Cancel ] will close the dialog without printing.

[ Help ] will display this section of the “User’s Guide”.

The “Packet Range” Frame

The packet range frame is a part of the “Export Specified Packets,” “Export Packet Dissections,” and
“Print” dialog boxes. You can use it to specify which packets will be exported or printed.

Figure 52. The “Packet Range” frame

By default, the [ Displayed ] button is set, which only exports or prints the packets that match the
current display filter. Selecting [ Captured ] will export or print all packets. You can further limit what
you export or print to the following:
All packets
All captured or displayed packets depending on the primary selection above.

Selected packet
Only the selected packet.

Marked packets
Only marked packets. See Marking Packets.

First to last marked

Lets you mark an inclusive range of packets.

Range
Lets you manually specify a range of packets, e.g., 5,10-15,20- will process the packet number five,
the packets from packet number ten to fifteen (inclusive) and every packet from number twenty to
the end of the capture.
Remove ignored packets
Don’t export or print ignored packets. See Ignoring Packets.

The Packet Format Frame

89
The packet format frame is also a part of the “Export Packet Dissections” and “Print” dialog boxes. You
can use it to specify which parts of dissection are exported or printed.

Figure 53. The “Packet Format” frame

Each of the settings below correspond to the packet list, packet detail, and packet bytes in the main
window.
Packet summary line
Export or print each summary line as shown in the “Packet List” pane.

Packet details
Export or print the contents of the “Packet Details” tree.

All collapsed
Export or print as if the “Packet Details” tree is in the “all collapsed” state.

As displayed
Export or print as if the “Packet Details” tree is in the “as displayed” state.

All expanded
Export or print as if the “Packet Details” tree is in the “all expanded” state.

Packet Bytes
Export or print the contents of the “Packet Bytes” pane.

Each packet on a new page

For printing and some export formats, put each packet on a separate page. For example, when
exporting to a text file this will put a form feed character between each packet.
Capture information header
Add a header to each page with capture filename and the number of total packets and shown
packets.

90
Working With Captured Packets

Viewing Packets You Have Captured

Once you have captured some packets or you have opened a previously saved capture file, you can
view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet
list pane, which will bring up the selected packet in the tree view and byte view panes.
You can then expand any part of the tree to view detailed information about each protocol in each
packet. Clicking on an item in the tree will highlight the corresponding bytes in the byte view. An
example with a TCP packet selected is shown in Wireshark with a TCP packet selected for viewing. It
also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as
the selected bytes.

Figure 54. Wireshark with a TCP packet selected for viewing

You can also select and view packets the same way while Wireshark is capturing if you selected
“Update list of packets in real time” in the “Capture Preferences” dialog box.
In addition you can view individual packets in a separate window as shown in Viewing a packet in a
separate window. You can do this by double-clicking on an item in the packet list or by selecting the
packet in which you are interested in the packet list pane and selecting View › Show Packet in New
Window. This allows you to easily compare two or more packets, even across multiple files.

91
Figure 55. Viewing a packet in a separate window

Along with double-clicking the packet list and using the main menu there are a number of other ways
to open a new packet window:
• Hold down the shift key and double-click on a frame link in the packet details.

• From The menu items of the “Packet List” pop-up menu.

• From The menu items of the “Packet Details” pop-up menu.

Pop-up Menus
You can open a pop-up menu over the “Packet List”, its column heading, “Packet Details”, or “Packet
Bytes” by clicking your right mouse button on the corresponding item.

Pop-up Menu Of The “Packet List” Column Header

92
Figure 56. Pop-up menu of the “Packet List” column header

The following table gives an overview of which functions are available in this header, where to find the
corresponding function in the main menu, and a description of each item.
Table 18. The menu items of the “Packet List” column header pop-up menu
Item Description

Align Left Left-align values in this column.

Align Center Center-align values in this column.

Align Right Right-align values in this column.

Column Preferences… Open the “Preferences” dialog for this column.

Edit Column Open the column editor toolbar for this column.

Resize To Contents Resize the column to fit its values.

Resolve Names If this column contains addresses, resolve them.

No., Time, Source, et al. Show or hide a column by selecting its item.

Remove Column Remove this column, similar to deleting it in the “Preferences” dialog.

Pop-up Menu Of The “Packet List” Pane

93
Figure 57. Pop-up menu of the “Packet List” pane

The following table gives an overview of which functions are available in this pane, where to find the
corresponding function in the main menu, and a short description of each item.
Table 19. The menu items of the “Packet List” pop-up menu
Item Corresp Description
onding
main
menu
item

Mark Packet (toggle) Edit Mark or unmark a packet.

Ignore Packet (toggle) Edit Ignore or inspect this packet while dissecting the capture
file.

Set Time Reference (toggle) Edit Set or reset a time reference.

Time Shift Edit Opens the “Time Shift” dialog, which allows you to adjust
the timestamps of some or all packets.

Packet Comment… Edit Opens the “Packet Comment” dialog, which lets you add a
comment to a single packet. Note that the ability to save
packet comments depends on your file format. E.g., pcapng
supports comments, pcap does not.

94
Item Corresp Description
onding
main
menu
item

Edit Resolved Name Allows you to enter a name to resolve for the selected
address.

Apply as Filter Analyze Immediately replace or append the current display filter
based on the most recent packet list or packet details item
selected. The first submenu item shows the filter and
subsequent items show the different ways that the filter can
be applied.

Prepare as Filter Analyze Change the current display filter based on the most recent
packet list or packet details item selected, but don’t apply it.
The first submenu item shows the filter and subsequent
items show the different ways that the filter can be changed.

Conversation Filter Apply a display filter with the address information from the
selected packet. For example, the IP menu entry will set a
filter to show the traffic between the two IP addresses of the
current packet.

Colorize Conversation Create a new colorizing rule based on address information

from the selected packet.

SCTP Allows you to analyze and prepare a filter for this SCTP
association.

Follow › TCP Stream Analyze Open a window that displays all the TCP segments captured
that are on the same TCP connection as a selected packet.
See Following Protocol Streams.

Follow › UDP Stream Analyze Same functionality as “Follow TCP Stream” but for UDP
“streams”.

Follow › DCCP Stream Analyze Same functionality as “Follow TCP Stream” but for DCCP
streams.

Follow › TLS Stream Analyze Same functionality as “Follow TCP Stream” but for TLS or
SSL streams. See the wiki page on SSL for instructions on
providing TLS keys.

Follow › HTTP Stream Analyze Same functionality as “Follow TCP Stream” but for HTTP
streams.
95
Copy › Summary as Text Copy the summary fields as displayed to the clipboard as
tab-separated text.

Item Corresp Description

onding
main
menu
item

Copy › …as CSV Copy the summary fields as displayed to the clipboard as
comma-separated text.

Copy › …as YAML Copy the summary fields as displayed to the clipboard as
YAML data.

Copy › As Filter Prepare a display filter based on the currently selected item
and copy that filter to the clipboard.

Copy › Bytes as Hex + Copy the packet bytes to the clipboard in full “hexdump”
ASCII format.
Dump
Copy › …as Hex Dump Copy the packet bytes to the clipboard in “hexdump” format
without the ASCII portion.

Copy › …as Printable Text Copy the packet bytes to the clipboard as ASCII text,
excluding non-printable characters.

Copy › …as a Hex Stream Copy the packet bytes to the clipboard as an unpunctuated
list of hex digits.

Copy › …as Raw Binary Copy the packet bytes to the clipboard as raw binary. The
data is stored in the clipboard using the MIME type
“application/octet-stream”.

Protocol Preferences Adjust the preferences for the selected protocol.

Decode As… Analyze Change or apply a new relation between two dissectors.

Show Packet in New View Shows the selected packet in a separate window. The
Window separate window shows only the packet details and bytes.
See Viewing a packet in a separate window for details.

Pop-up Menu Of The “Packet Details” Pane

96
Figure 58. Pop-up menu of the “Packet Details” pane

The following table gives an overview of which functions are available in this pane, where to find the
corresponding function in the main menu, and a short description of each item.
Table 20. The menu items of the “Packet Details” pop-up menu
Item Corresp Description
onding
main
menu
item
Expand Subtrees View Expand the currently selected subtree.

Collapse Subtrees View Collapse the currently selected subtree.

Expand All View Expand all subtrees in all packets in the capture.

Collapse All View Wireshark keeps a list of all the protocol subtrees that are
expanded, and uses it to ensure that the correct subtrees are
expanded when you display a packet. This menu item
collapses the tree view of all packets in the capture list.

Edit Resolved Name View Allows you to enter a name to resolve for the selected
address.
97
Item
Apply as Column
Apply as Filter
Prepare as Filter
Colorize with Filter
Follow › TCP Stream
Follow › UDP Stream
Follow › TLS Stream
Follow › HTTP Stream
Copy › All Visible Items
Copy › All Visible Selected
Tree Items
Copy › Description
Corresp Description
onding
main
menu
item
Use the selected protocol item to create a new column in the
packet list.
Analyze Immediately replace or append the current display filter
based on the most recent packet list or packet details item
selected. The first submenu item shows the filter and
subsequent items show the different ways that the filter can
be applied.
Analyze Change the current display filter based on the most recent
packet list or packet details item selected, but don’t apply it.
The first submenu item shows the filter and subsequent
items show the different ways that the filter can be changed.
This menu item uses a display filter with the information
from the selected protocol item to build a new colorizing
rule.
Analyze Open a window that displays all the TCP segments captured
that are on the same TCP connection as a selected packet.
See Following Protocol Streams.
Analyze Same functionality as “Follow TCP Stream” but for UDP
“streams”.
Analyze Same functionality as “Follow TCP Stream” but for TLS or
SSL streams. See the wiki page on SSL for instructions on
providing TLS keys.
Analyze Same functionality as “Follow TCP Stream” but for HTTP
streams.
Edit Copy the packet details as displayed.
Edit Copy the selected packet detail and its children as displayed.
Edit Copy the displayed text of the selected field to the system
clipboard.
98
Copy › Fieldname Edit Copy the name of the selected field to the system clipboard.

Copy › Value Edit Copy the value of the selected field to the system clipboard.

Item Corresp Description

onding
main
menu
item

Copy › As Filter Edit Prepare a display filter based on the currently selected item
and copy it to the clipboard.

Copy › Bytes as Hex + Copy the packet bytes to the clipboard in full “hexdump”
ASCII format.
Dump
Copy › …as Hex Dump Copy the packet bytes to the clipboard in “hexdump” format
without the ASCII portion.

Copy › …as Printable Text Copy the packet bytes to the clipboard as ASCII text,
excluding non-printable characters.

Copy › …as a Hex Stream Copy the packet bytes to the clipboard as an unpunctuated
list of hex digits.

Copy › …as Raw Binary Copy the packet bytes to the clipboard as raw binary. The
data is stored in the clipboard using the MIME type
“application/octet-stream”.

Copy › …as Escaped String Copy the packet bytes to the clipboard as C-style escape
sequences.

Export Packet Bytes… File This menu item is the same as the File menu item of the
same name. It allows you to export raw packet bytes to a
binary file.

Wiki Protocol Page Open the wiki page for the selected protocol in your web
browser.

Filter Field Reference Open the filter field reference web page for the selected
protocol in your web browser.

Protocol Preferences Adjust the preferences for the selected protocol.

Decode As… Analyze Change or apply a new relation between two dissectors.

99
Go to Linked Packet Go If the selected field has a corresponding packet such as the
matching request for a DNS response, go to it.

Show Linked Packet in Go If the selected field has a corresponding packet such as the
New Window matching request for a DNS response, show the selected
packet in a separate window. See Viewing a packet in a
separate window for details.

Pop-up Menu Of The “Packet Bytes” Pane

Figure 59. Pop-up menu of the “Packet Bytes” pane

The following table gives an overview of which functions are available in this pane along with a short
description of each item.
Table 21. The menu items of the “Packet Bytes” pop-up menu
Item Description

Copy Bytes as Hex + ASCII Copy the packet bytes to the clipboard in full “hexdump” format.
Dump

…as Hex Dump Copy the packet bytes to the clipboard in “hexdump” format without
the ASCII portion.

100
…as Printable Text Copy the packet bytes to the clipboard as ASCII text, excluding
nonprintable characters.

…as a Hex Stream Copy the packet bytes to the clipboard as an unpunctuated list of hex
digits.

…as Raw Binary Copy the packet bytes to the clipboard as raw binary. The data is stored
in the clipboard using the MIME type “application/octetstream”.

…as Escaped String Copy the packet bytes to the clipboard as C-style escape sequences.

Show bytes as hexadecimal Display the byte data as hexadecimal digits.

Show bytes as bits Display the byte data as binary digits.

Item Description

Show text based on packet Show the “hexdump” data with text.

…as ASCII Use ASCII encoding when displaying “hexdump” text.

…as EBCDIC Use EBCDIC encoding when displaying “hexdump” text.

Pop-up Menu Of The “Packet Diagram” Pane

Figure 60. Pop-up menu of the “Packet Diagram” pane

The following table gives an overview of which functions are available in this pane along with a short
description of each item.
Table 22. The menu items of the “Packet Diagram” pop-up menu
Item Description

Show Field Values Display current value for each field on the packet diagram.

Save Diagram As… Save the packet diagram to an image file (PNG, BMP, JPEG).

101
Copy as Raster Image Copy the packet diagram to the clipboard in raster (ARGB32) format.

Filtering Packets While Viewing

Wireshark has two filtering languages: capture filters and display filters. Capture filters are used for
filtering when capturing packets and are discussed in Filtering while capturing. Display filters are used
for filtering which packets are displayed and are discussed below. For more information about display
filter syntax, see the wireshark-filter(4) man page.
Display filters allow you to concentrate on the packets you are interested in while hiding the currently
uninteresting ones. They allow you to only display packets based on:
• Protocol

• The presence of a field

• The values of fields

• A comparison between fields

• … and a lot more!

To only display packets containing a particular protocol, type the protocol name in the display filter
toolbar of the Wireshark window and press enter to apply the filter. Filtering on the TCP protocol
shows an example of what happens when you type tcp in the display filter toolbar.

102
As you may have noticed, only packets containing the TCP protocol are now displayed, so packets 110
are hidden and packet number 11 is the first packet displayed.

When using a display filter, all packets remain in the capture file. The display filter
NOTE only changes the display of the capture file but not its
content!

To remove the filter, click on the [ Clear ] button to the right of the display filter field. All packets will
become visible again.
Display filters can be very powerful and are discussed in further detail in Building Display Filter
Expressions
It’s also possible to create display filters with the Display Filter Expression dialog box. More
information about the Display Filter Expression dialog box is available in The “Display Filter
Expression” Dialog Box.

103
Building Display Filter Expressions
Wireshark provides a display filter language that enables you to precisely control which packets are
displayed. They can be used to check for the presence of a protocol or field, the value of a field, or even
compare two fields to each other. These comparisons can be combined with logical operators, like
"and" and "or", and parentheses into complex expressions.
The following sections will go into the display filter functionality in more detail.

There are many display filter examples on the Wireshark Wiki Display Filter page at:
TIP https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters.

Display Filter Fields

The simplest display filter is one that displays a single protocol. To only display packets containing a
particular protocol, type the protocol into Wireshark’s display filter toolbar. For example, to only
display TCP packets, type tcp into Wireshark’s display filter toolbar. Similarly, to only display packets
containing a particular field, type the field into Wireshark’s display filter toolbar. For example, to only
display HTTP requests, type http.request into Wireshark’s display filter toolbar.
You can filter on any protocol that Wireshark supports. You can also filter on any field that a dissector
adds to the tree view, if the dissector has added an abbreviation for that field. A full list of the available
protocols and fields is available through the menu item View › Internals › Supported Protocols.

Comparing Values

You can build display filters that compare values using a number of different comparison operators. For
example, to only display packets to or from the IP address 192.168.0.1, use ip.addr==192.168.0.1.

A complete list of available comparison operators is shown in Display Filter comparison operators.

English and C-like operators are interchangeable and can be mixed within a filter
TIP string.

Table 23. Display Filter comparison operators

English Alias C-like Description Example

eq any_eq == Equal (any if more than one) ip.src == 10.0.0.5

ne all_ne != Not equal (all if more than one) ip.src != 10.0.0.5

all_eq === Equal (all if more than one) ip.src === 10.0.0.5

any_ne !== Not equal (any if more than one) ip.src !== 10.0.0.5

104
gt > Greater than frame.len > 10

lt < Less than frame.len < 128

ge >= Greater than or equal to frame.len ge 0x100

le <= Less than or equal to frame.len <= 0x20

contains Protocol, field or slice contains sip.To contains "a1762"

a value

matches ~ Protocol or text field matches a http.host matches

Perl-compatible regular "acme\\.(org|com|net)"
expression

The meaning of != (all not equal) was changed in Wireshark 3.6. Before it used to
NOTE
mean "any not equal".

All protocol fields have a type. Display Filter Field Types provides a list of the types with examples of
how to use them in display filters.

Display Filter Field Types

Unsigned integer
Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, octal, hexadecimal or binary.
The following display filters are equivalent:

105
 ip.len le 1500 ip.len

le 02734 ip.len le

0x5dc

ip.len le 0b10111011100

Signed integer
Can be 8, 16, 24, 32, or 64 bits. As with unsigned integers you can use decimal, octal, hexadecimal
or binary.
Boolean
Can be 1 or "True", 0 or "False" (without quotes).
A Boolean field is present regardless if its value is true or false. For example, tcp.flags.syn is present
in all TCP packets containing the flag, whether the SYN flag is 0 or 1. To only match TCP packets
with the SYN flag set, you need to use tcp.flags.syn == 1 or tcp.flags.syn == True.
Ethernet address
6 bytes separated by a colon (:), dot (.), or dash (-) with one or two bytes between separators:
eth.dst == ff:ff:ff:ff:ff:ff eth.dst == ff-

ff-ff-ff-ff-ff

eth.dst == ffff.ffff.ffff

IPv4 address ip.addr ==

192.168.0.1

Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain
subnet. For example, this display filter will find all packets in the 129.111 Class-B network:

ip.addr == 129.111.0.0/16

IPv6 address
ipv6.addr == ::1

As with IPv4 addresses, IPv6 addresses can match a subnet.

Text string http.request.uri ==

"https://www.wireshark.org/"

Strings are a sequence of bytes. Functions like lower() use ASCII, otherwise no particular encoding
is assumed. String literals are specified with double quotes. Characters can also be specified using a
byte escape sequence using hex \xhh or octal \ddd, where h and d are hex and octal numerical digits
respectively:

dns.qry.name contains "www.\x77\x69\x72\x65\x73\x68\x61\x72\x6b.org"

106
 Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat
backslash as a literal character.

http.user_agent matches r"\(X11;"

Date and time frame.time == "Sep 26, 2004

23:18:04.954975" ntp.xmt ge "2020-07-04
12:34:56"

The value of an absolute time field is expressed as a string, using one of the two formats above.
Fractional seconds can be omitted or specified up to nanosecond precision; extra trailing zeros are
allowed but not other digits. The string cannot take a time zone suffix, and is always parsed as in the
local time zone, even for fields that are displayed in UTC.
In the first format, the abbreviated month names must be in English regardless of locale. In the
second format, any number of time fields may be omitted, in the order from least significant
(seconds) to most, but at least the entire date must be specified:

frame.time < "2022-01-01"

In the second format, a T may appear between the date and time as in ISO 8601, but not when less
significant times are dropped.

Some Examples

The display filter above matches packets that contains the 3-byte sequence 0x81, 0x60, 0x03 anywhere
in the UDP header or payload.

The display filter above matches packets where the SIP To-header contains the string "a1762"
anywhere in the header.

The display filter above matches HTTP packets where the HOST header contains acme.org, acme.com,
or acme.net. Comparisons are case-insensitive.

That display filter will match all packets that contain the “tcp.flags” field with the 0x02 bit, i.e., the
SYN bit, set.

Possible Pitfalls Using Regular Expressions

107
String literals containing regular expressions are parsed twice. Once by Wireshark’s display filter
engine and again by the PCRE2 library. It’s important to keep this in mind when using the "matches"
operator with regex escape sequences and special characters.
For example, the filter expression frame matches "AB\x43" uses the string "ABC" as input pattern to
PCRE. However, the expression frame matches "AB\\x43" uses the string "AB\x43" as the pattern. In
this case both expressions give the same result because Wireshark and PCRE both support the same
byte escape sequence (0x43 is the ASCII hex code for C).

An example where this fails badly is foo matches "bar\x28". Because 0x28 is the ASCII code for ( the
pattern input to PCRE is "bar(". This regular expression is syntactically invalid (missing closing
parenthesis). To match a literal parenthesis in a display filter regular expression it must be escaped
(twice) with backslashes.

Using raw strings avoids most problem with the "matches" operator and double
TIP
escape requirements.

Combining Expressions

You can combine filter expressions in Wireshark using the logical operators shown in Display Filter
Logical Operations
Table 24. Display Filter Logical Operations
English C-like Description Example

and && Logical AND ip.src==10.0.0.5 and tcp.flags.fin

or || Logical OR ip.src==10.0.0.5 or ip.src==192.1.1.1

xor ^^ Logical XOR tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

not ! Logical NOT not llc

[…] Subsequence See “Slice Operator” below.

in Set http.request.method in {"HEAD", "GET"}. See

Membership “Membership Operator” below.

Slice Operator

Wireshark allows you to select a subsequence of byte arrays (including protocols) or text strings in
rather elaborate ways. After a label you can place a pair of brackets [] containing a comma separated
list of range specifiers.

108
The example above uses the n:m format to specify a single range. In this case n is the beginning offset
and m is the length of the range being specified.

The example above uses the n-m format to specify a single range. In this case n is the beginning offset
and m is the ending offset.

The example above uses the :m format, which takes everything from the beginning of a sequence to
offset m. It is equivalent to 0:m

The example above uses the n: format, which takes everything from offset n to the end of the sequence.

The example above uses the n format to specify a single range. In this case the element in the sequence
at offset n is selected. This is equivalent to n:1.

Wireshark allows you to string together single ranges in a comma separated list to form compound
ranges as shown above.
You can use the slice operator on a protocol name, too, to slice the bytes associated with that protocol.
The frame protocol can be useful, encompassing all the captured data (not including secondary data
sources like decrypted data.)
Offsets can be negative, indicating an offset from the end of a field.

The two examples above both check the last four bytes of a frame.

Slices of string fields yield strings, and are indexed on codepoint boundaries after conversation of the
string to UTF-8, not bytes.

109
The second example above will match regardless of whether the original string was in Windows1251,
UTF-8, or UTF-16, so long as the converted string starts with those ten characters.
Byte slices can be directly compared to strings; this converts the string to the corresponding UTF-8
byte sequence. To compare string slices with byte sequences, use the @ operator, below.

The Layer Operator

A field can be restricted to a certain layer in the protocol stack using the layer operator (#), followed by
a decimal number:

matches only the inner (second) layer in the packet. Layers use simple stacking semantics and protocol
layers are counted sequentially starting from 1. For example, in a packet that contains two IPv4
headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source
address can be matched with "ip.src#2".
For more complicated ranges the same syntax used with slices is valid:

means layers number 2, 3 or 4 inclusive. The hash symbol is required to distinguish a layer range from
a slice.

The At Operator

By prefixing the field name with an at sign (@) the comparison is done against the raw packet data for
the field.
A character string must be decoded from a source encoding during dissection. If there are decoding
errors the resulting string will usually contain replacement characters:

The at operator allows testing the raw undecoded data:

The syntactical rules for a bytes field type apply to the second example.
When a bytes field is compared with a literal string, it is compared with the UTF-8
representation of that string. The at operator compares a string field with the actual
byte representation in the original encoding, which may not be UTF-8.

110
 As an example, SMPP has a bytes field, smpp.message, and a string field,
smpp.message_text, that refer to the same data. If the first four characters of the
message is the string "Text" in the UTF-16 encoding, the following filters all match.

smpp.message[:8] == 00:54:00:65:00:73:00:74 smpp.message[:8]

== "\x00T\x00e\x00s\x00t"
smpp.message_text[:4] == "Test"
smpp.message_text[:4] == "\x54\x65\x73\x74"
@smpp.message_text[:8] == 00:54:00:65:00:73:00:74
@smpp.message_text[:8] == "\x00T\x00e\x00s\x00t"

NOTE
The following filters do NOT match.

@smpp.message_text[:4] == "\x00T\x00e\x00s\x00t"
smpp.message[:4] == "Test" smpp.message[:8]
== "Test"
@smpp.message_text[:4] == "Test"
@smpp.message_text[:8] == "Test"

The first filter above does not match because of operator precedence left-to-right;
[email protected]_text is converted to bytes before the slice operator is applied, so the
length of the necessary slice is 8. The other filters do not match because the literal
string "Test" is always converted to its 4 octet UTF-8 representation when comparing
against bytes, and it does not match the UTF-16 representation of the field bytes.

Membership Operator

Wireshark allows you to test a field for membership in a set of values or fields. After the field name,
use the in operator followed by the set items surrounded by braces {}. For example, to display packets
with a TCP source or destination port of 80, 443, or 8080, you can use tcp.port in {80, 443, 8080}. Set
elements must be separated by commas. The set of values can also contain ranges: tcp.port in
{443,4430..4434}.

111
Sets are not just limited to numbers, other types can be used as well:

Arithmetic operators

You can perform the arithmetic operations on numeric fields shown in Display Filter Arithmetic
Operations
Table 25. Display Filter Arithmetic Operations
Name Syntax Alternative Description

Unary minus -A Negation of A

Addition A+B Add B to A

Subtraction A-B Subtract B from A

Name Syntax Alternative Description

112
Multiplicatio A * B Multiply A times B
n

Division A/B Divide A by B

Modulo A%B Remainder of A divided by B

Bitwise AND A & B A bitand B Bitwise AND of A and B

An unfortunate quirk in the filter syntax is that the subtraction operator must be preceded by a space
character, so "A-B" must be written as "A -B" or "A - B".
Arithmetic expressions can be grouped using curly braces.

For example, frames where capture length resulted in truncated TCP options:

Functions

The display filter language has a number of functions to convert fields, see Display Filter Functions.

Table 26. Display Filter Functions

Function Description

upper Converts a string field to uppercase.

lower Converts a string field to lowercase.

len Returns the byte length of a string or bytes field.

count Returns the number of field occurrences in a frame.

string Converts a non-string field to a string.

vals Converts a field value to its value string, if it has one.

dec Converts an unsigned integer field to a decimal string.

hex Converts an unsigned integer field to a hexadecimal string.

max Return the maximum value for the arguments.

min Return the minimum value for the arguments.

abs Return the absolute value for the argument.

The upper and lower functions can used to force case-insensitive matches: lower(http.server) contains
"apache".

113
To find HTTP requests with long request URIs: len(http.request.uri) > 100. Note that the len function
yields the string length in bytes rather than (multi-byte) characters.

Usually an IP frame has only two addresses (source and destination), but in case of ICMP errors or
tunneling, a single packet might contain even more addresses. These packets can be found with
count(ip.addr) > 2.
The string function converts a field value to a string, suitable for use with operators like "matches" or
"contains". Integer fields are converted to their decimal representation. It can be used with IP/Ethernet
addresses (as well as others), but not with string or byte fields.
For example, to match odd frame numbers:

To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):

The vals function converts an integer or boolean field value to a string using the field’s associated value
string, if it has one.
The functions max() and min() take any number of arguments of the same type and returns the
largest/smallest respectively of the set.

Field References

An expression of the form ${some.proto.field} is called a field reference. Its value is read from the
corresponding field in the currently selected field in the GUI. This is a powerful way to build dynamic
filters, such as frames since the last five minutes to the selected frame:

or all HTTP packets whose +ip.dst value equals the "A" record of the DNS response in the current
frame:

The notation of field references is similar to that of macros but they are syntactically distinct. Field
references, like other complex filters, make excellent use cases for macros, saved filters, and filter
buttons

Sometimes Fields Change Names

114
As protocols evolve they sometimes change names or are superseded by newer standards. For example,
DHCP extends and has largely replaced BOOTP and TLS has replaced SSL. If a protocol dissector
originally used the older names and fields for a protocol the Wireshark development team might update
it to use the newer names and fields. In such cases they will add an alias from the old protocol name to
the new one in order to make the transition easier.
For example, the DHCP dissector was originally developed for the BOOTP protocol but as of
Wireshark 3.0 all of the “bootp” display filter fields have been renamed to their “dhcp” equivalents.
You can still use the old filter names for the time being, e.g., “bootp.type” is equivalent to “dhcp.type”
but Wireshark will show the warning “"bootp" is deprecated” when you use it. Support for the
deprecated fields may be removed in the future.

Some protocol names can be ambiguous

In some particular cases relational expressions (equal, less than, etc.) can be ambiguous. The filter
name of a protocol or protocol field can contain any letter and digit in any order, possibly separated by
dots. That can be indistinguishable from a literal value (usually numerical values in hexadecimal). For
example the semantic value of fc can be the protocol Fibre Channel or the number 0xFC in
hexadecimal because the 0x prefix is optional for hexadecimal numbers.
Any value that matches a registered protocol or protocol field filter name is interpreted semantically as
such. If it doesn’t match a protocol name the normal rules for parsing literal values apply.
So in the case of 'fc' the lexical token is interpreted as "Fibre Channel" and not 0xFC. In the case of 'fd'
it would be interpreted as 0xFD because it is a well-formed hexadecimal literal value (according to the
rules of display filter language syntax) and there is no protocol registered with the filter name 'fd'.
How ambiguous values are interpreted may change in the future. To avoid this problem and resolve the
ambiguity there is additional syntax available. Values prefixed with a dot are always treated as a
protocol name. The dot stands for the root of the protocol namespace and is optional). Values prefixed
with a colon are always interpreted as a byte array.

If you are writing a script, or you think your expression may not be giving the expected results because
of the syntactical ambiguity of some filter expression it is advisable to use the explicit syntax to
indicate the correct meaning for that expression.

The “Display Filter Expression” Dialog Box

When you are accustomed to Wireshark’s filtering system and know what labels you wish to use in
your filters it can be very quick to simply type a filter string. However, if you are new to Wireshark or
are working with a slightly unfamiliar protocol it can be very confusing to try to figure out what to
type. The “Display Filter Expression” dialog box helps with this.

115
When you first bring up the Display Filter Expression dialog box you are shown a tree of field names,
organized by protocol, and a box for selecting a relation.
Field Name
Select a protocol field from the protocol field tree. Every protocol with filterable fields is listed at
the top level. You can search for a particular protocol entry by entering the first few letters of the
protocol name. By expanding a protocol name you can get a list of the field names available for
filtering for that protocol.
Relation
Select a relation from the list of available relation. The is present is a unary relation which is true if
the selected field is present in a packet. All other listed relations are binary relations which require
additional data (e.g. a Value to match) to complete.

When you select a field from the field name list and select a binary relation (such as the equality
relation ==) you will be given the opportunity to enter a value, and possibly some range
information.
Value

116
 You may enter an appropriate value in the Value text box. The Value will also indicate the type of
value for the Field Name you have selected (like character string).
Predefined Values
Some of the protocol fields have predefined values available, much like enumerations in C. If the
selected protocol field has such values defined, you can choose one of them here.
Search
Lets you search for a full or partial field name or description. Regular expressions are supported.
For example, searching for “tcp.*flag” shows the TCP flags fields supported by a wide variety of
dissectors, while “^tcp.flag” shows only the TCP flags fields supported by the TCP dissector.
Range
A range of integers or a group of ranges, such as 1-12 or 39-42,98-2000.

[ Help ]
Opens this section of the User’s Guide.

[ OK ]
When you have built a satisfactory expression click [ OK ] and a filter string will be built for you.

[ Cancel ]
You can leave the “Add Expression…” dialog box without any effect by clicking the [ Cancel ]
button.

Defining And Saving Filters

You create pre-defined filters that appear in the capture and display filter bookmark menus ( ). This
can save time in remembering and retyping some of the more complex filters you use.
To create or edit capture filters, select Manage Capture Filters from the capture filter bookmark menu
or Capture › Capture Filters… from the main menu. Display filters can be created or edited by
selecting Manage Display Filters from the display filter bookmark menu or Analyze › Display
Filters… from the main menu. Wireshark will open the corresponding dialog as shown in The “Capture
Filters” and “Display Filters” dialog boxes. The two dialogs look and work similar to one another. Both
are described here, and the differences are noted as needed.

117
Figure 63. The “Capture Filters” and “Display Filters” dialog boxes

[+]
Adds a new filter to the list. You can edit the filter name or expression by double-clicking on it.

The filter name is used in this dialog to identify the filter for your convenience and is not used
elsewhere. You can create multiple filters with the same name, but this is not very useful.
When typing in a filter string, the background color will change depending on the validity of the
filter similar to the main capture and display filter toolbars.
[-]
Delete the selected filter. This will be greyed out if no filter is selected.

[ Copy ]
Copy the selected filter. This will be greyed out if no filter is selected.

[ OK ]
Saves the filter settings and closes the dialog.

[ Cancel ]
Closes the dialog without saving any changes.

Defining And Saving Filter Macros

118
You can define a filter macro with Wireshark and label it for later use. This can save time in
remembering and retyping some of the more complex filters you use.
To define and save your own filter macros, follow the steps below:

1. In the main menu select Analyze › Display Filter Macros…. Wireshark will open a corresponding
dialog Display Filter Macros window.

Figure 64. Display Filter Macros window

2. To add a new filter macro, click the [ + ] button in the bottom-left corner. A new row will appear in
the Display Filter Macros table above.

3. Enter the name of your macro in the Macro Name column. Enter your filter macro in the Macro
Expression column.
4. To save your modifications, click the [ OK ] button in the bottom-right corner of the Display Filter
Macros window.

To learn more about display filter macro syntax, see Display Filter Macros.

Finding Packets
119
You can easily find packets once you have captured some packets or have read in a previously saved
capture file. Simply select Edit › Find Packet… in the main menu. Wireshark will open a toolbar
between the main toolbar and the packet list shown in The “Find Packet” toolbar.

The “Find Packet” Toolbar

Figure 65. The “Find Packet” toolbar

You can search using the following criteria:

Display filter
Enter a display filter string into the text entry field and click the [ Find ] button. + For example, to
find the three-way handshake for a connection from host 192.168.0.1, use the following filter string:

The value to be found will be syntax checked while you type it in. If the syntax check of your value
succeeds, the background of the entry field will turn green, if it fails, it will turn red. For more
details see Filtering Packets While Viewing
Hexadecimal Value
Search for a specific byte sequence in the packet data.

For example, use “ef:bb:bf” to find the next packet that contains the UTF-8 byte order mark.

String
Find a string in the packet data, with various options.

Regular Expression
Search the packet data using Perl-compatible regular expressions. PCRE patterns are beyond the
scope of this document, but typing “pcre test” into your favorite search engine should return a
number of sites that will help you test and explore your expressions.

Go To A Specific Packet
You can easily jump to specific packets with one of the menu items in the Go menu.

The “Go Back” Command

120
Go back in the packet history, works much like the page history in most web browsers.

The “Go Forward” Command

Go forward in the packet history, works much like the page history in most web browsers.

The “Go to Packet” Toolbar

Figure 66. The “Go To Packet” toolbar

This toolbar can be opened by selecting Go › Go to packet… from the main menu. It appears between
the main toolbar and the packet list, similar to the ”Find Packet” toolbar.
When you enter a packet number and press [ Go to packet ] Wireshark will jump to that packet.

The “Go to Corresponding Packet” Command

If a protocol field is selected which points to another packet in the capture file, this command will jump
to that packet.
As these protocol fields now work like links (just as in your Web browser), it’s easier to simply double-
click on the field to jump to the corresponding field.

The “Go to First Packet” Command

This command will jump to the first packet displayed.

The “Go to Last Packet” Command

This command will jump to the last packet displayed.

Marking Packets
You can mark packets in the “Packet List” pane. A marked packet will be shown with black
background, regardless of the coloring rules set. Marking a packet can be useful to find it later while
analyzing in a large capture file.
Marked packet information is not stored in the capture file or anywhere else. It will be lost when the
capture file is closed.
You can use packet marking to control the output of packets when saving, exporting, or printing. To do
so, an option in the packet range is available, see The “Packet Range” Frame.
121
There are several ways to mark and unmark packets. From the Edit menu you can select from the
following:

• Mark/Unmark Selected toggles the marked state of the current selection. This option is also
available in the packet list context menu.
• Mark All Displayed set the mark state of all displayed packets.

• Unmark All Displayed reset the mark state of all packets.

You can also mark and unmark a packet by clicking on it in the packet list with the middle mouse
button.

Ignoring Packets
You can ignore packets in the “Packet List” pane. Wireshark will then pretend that they not exist in the
capture file. An ignored packet will be shown with white background and grey foreground, regardless
of the coloring rules set.
Ignored packet information is not stored in the capture file or anywhere else. It will be lost when the
capture file is closed.
There are several ways to ignore and unignore packets. From the Edit menu you can select from the
following:
• Ignore/Unignore Selected toggles the ignored state of the current selection. This option is also
available in the packet list context menu.

• Ignore All Displayed set the ignored state of all displayed packets.

• Unignore All Displayed reset the ignored state of all packets.

Time Display Formats And Time References

While packets are captured, each packet is timestamped. These timestamps will be saved to the capture
file, so they will be available for later analysis.
A detailed description of timestamps, timezones and alike can be found at: Time Stamps.

The timestamp presentation format and the precision in the packet list can be chosen using the View
menu, see The “View” Menu.
The available presentation formats are:

• Date and Time of Day: 1970-01-01 01:02:03.123456 The absolute date and time of the day when
the packet was captured.

• Time of Day: 01:02:03.123456 The absolute time of the day when the packet was captured.

122
 • Seconds Since First Captured Packet: 123.123456 The time relative to the start of the capture file
or the first “Time Reference” before this packet (see Packet Time Referencing).

• Seconds Since Previous Captured Packet: 1.123456 The time relative to the previous captured
packet.

• Seconds Since Previous Displayed Packet: 1.123456 The time relative to the previous displayed
packet.

• Seconds Since Epoch (1970-01-01): 1234567890.123456 The time relative to epoch (midnight UTC
of January 1, 1970).

The available precisions (aka. the number of displayed decimal places) are:

• Automatic (from capture file) The timestamp precision of the loaded capture file format will be
used (the default).
• Seconds, Tenths of a second, Hundredths of a second, Milliseconds, Microseconds or
Nanoseconds The timestamp precision will be forced to the given setting. If the actually available
precision is smaller, zeros will be appended. If the precision is larger, the remaining decimal places
will be cut off.

Precision example: If you have a timestamp and it’s displayed using, “Seconds Since Previous Packet”
the value might be 1.123456. This will be displayed using the “Automatic” setting for libpcap files
(which is microseconds). If you use Seconds it would show simply 1 and if you use Nanoseconds it
shows 1.123456000.

Packet Time Referencing

The user can set time references to packets. A time reference is the starting point for all subsequent
packet time calculations. It will be useful, if you want to see the time values relative to a special packet,
e.g., the start of a new request. It’s possible to set multiple time references in the capture file.
The time references will not be saved permanently and will be lost when you close the capture file.

Time referencing will only be useful if the time display format is set to “Seconds Since First Captured
Packet”. If one of the other time display formats are used, time referencing will have no effect (and will
make no sense either).
To work with time references, choose one of the Time Reference items in the menu:[Edit] menu or
from the pop-up menu of the “Packet List” pane. See The “Edit” Menu.
• Set Time Reference (toggle) Toggles the time reference state of the currently selected packet to on
or off.

• Find Next Find the next time referenced packet in the “Packet List” pane.

• Find Previous Find the previous time referenced packet in the “Packet List” pane.

123
Figure 67. Wireshark showing a time referenced packet

A time referenced packet will be marked with the string *REF* in the Time column (see packet number
10). All subsequent packets will show the time since the last time reference.

Time Shifting Packets

Sometimes you will want to adjust the timestamps in a capture file. This may be because a machine
performing the capture had an inaccurate clock, or because the capture was originally saved with
timestamps in local time (perhaps even to a capture file format that only writes times in local time, or
only writes the time of day but not the date). One common use is to synchronize timestamps between
captures made on different machines with relative clock skew or clock drift before merging them.
Selecting Edit › Time Shift… from the main menu opens the "Time Shift" dialog.

124
Figure 68. The “Time Shift” dialog

Shift all packets by…

Apply a fixed offset, entered as a relative time in hours, minutes, and seconds, to the timestamps for
all packets. This is useful for correcting small known errors or timezones.
Set the time for packet…
Apply offsets based on one or, if the box is checked, two given packets to the timestamps for all
packets. Enter the packet number and absolute date and time for the packet(s). When one packet is
used, a fixed offset is applied that can be used to correct for clock skew. When two packets are used,
the correction for all other packets is computed linearly, which can be used to correct for clock drift.
This is useful when the precise date and time for particular packets are known, e.g. packets
containing the NTP or PTP protocols.
Undo all shifts
This removes all unsaved time shifts from packets.

Time shifts are applied to all packets

NOTETime shifts are applied to all packets in the capture, including ignored packets
and packets that are not displayed due to the current filter. Wireshark does not have a
method to adjust the timestamps of individual or selected packets.

The offset currently applied to time shifted packets is in the frame.offset_shift field, which can be
viewed in the packet details.

125
Figure 69. A Time Shifted Packet

After time shifts are applied, the file will have unsaved changes, which are indicated with an * beside
its name in the title bar. Beginning with Wireshark 4.2.0, saving the file will write the corrected
timestamps to the capture file. If you attempt to close the capture file without saving it, a dialog will
prompt you to save in order to prevent losing your changes (unless that warning has been disabled in
the preferences.)

126
Advanced Topics
Introduction
This chapter will describe some of Wireshark’s advanced features.

Following Protocol Streams

It can be very helpful to see a protocol in the way that the application layer sees it. Perhaps you are
looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you
just need a display filter to show only the packets in a TLS or SSL stream. If so, Wireshark’s ability to
follow protocol streams will be useful to you.
To filter to a particular stream, select a TCP, UDP, DCCP, TLS, HTTP, HTTP/2, QUIC or SIP packet in
the packet list of the stream/connection you are interested in and then select the menu item Analyze ›
Follow › TCP Stream (or use the context menu in the packet list). Wireshark will set an appropriate
display filter and display a dialog box with the data from the stream laid out, as shown in The “Follow
TCP Stream” dialog box.

The stream content is displayed in the same sequence as it appeared on the network. Non-printable
characters are replaced by dots. Traffic from the client to the server is colored red, while traffic from
the server to the client is colored blue. These colors can be changed by opening Edit › Preferences and
under Appearance › Font and Colors, selecting different colors for the [ Sample "Follow Stream"
client text ] and [ Sample "Follow Stream" server text ] options.
127
The stream content won’t be updated while doing a live capture. To get the latest content you’ll have to
reopen the dialog.
You can choose from the following actions:

[ Help ]
Show this help.

[ Filter out this stream ]

Apply a display filter removing the current stream data from the display.

[ Print ]
Print the stream data in the currently selected format.

[ Save as… ]
Save the stream data in the currently selected format.

[ Back ]
Close this dialog box and restore the previous display filter.

[ Close ]
Close this dialog box, leaving the current display filter in effect.

By default, Wireshark displays both client and server data. You can select the Entire conversation to
switch between both, client to server, or server to client data.
You can choose to view the data in one of the following formats:

ASCII
In this view you see the data from each direction in ASCII. Obviously best for ASCII based
protocols, e.g., HTTP.
C Arrays
This allows you to import the stream data into your own C program.

EBCDIC
For the big-iron freaks out there.

HEX Dump
This allows you to see all the data. This will require a lot of screen space and is best used with
binary protocols.
UTF-8
Like ASCII, but decode the data as UTF-8.

128
UTF-16
Like ASCII, but decode the data as UTF-16.

YAML
This allows you to load the stream as YAML.

The YAML output is divided into 2 main sections:

• The peers section where for each peer you found the peer index, the host address and the port number.

• The packets section where for each packet you found the packet number in the original capture, the
peer index, the packet index for this peer, the timestamp in seconds and the data in base64 encoding.

Example 3. Follow Stream YAML output

The same example but in old YAML format (before version 3.5):

129
How the old format data can be found in the new format:
New YAML format Old YAML format

AAA: packet number in the

original capture BBB:
peer index
CCC: packet index for
this peer
DDD: data in base64
encoding

Raw
This allows you to load the unaltered stream data into a different program for further examination.
The display will show the data as strings of hex characters with each frame on a separate line, but
“Save As” will result in a binary file without any added line separators.
You can optionally show the delta time each time the direction changes (turns) or for every packet or
event.
You can switch between streams using the “Stream” selector.

You can search for text by entering it in the “Find” entry box and pressing [ Find Next ].

Figure 71. The “Follow HTTP/2 Stream” dialog box

The HTTP/2 Stream dialog is similar to the "Follow TCP Stream" dialog, except for an additional
"Substream" dialog field. HTTP/2 Streams are identified by a HTTP/2 Stream Index (field name
http2.streamid) which are unique within a TCP connection. The “Stream” selector determines the TCP
connection whereas the “Substream” selector is used to pick the HTTP/2 Stream ID.
The QUIC protocol is similar, the first number selects the QUIC connection number while the
"Substream" field selects the QUIC Stream ID.

130
Figure 72. The “Follow SIP Call” dialog box

The SIP call is shown with same dialog, just filter is based on sip.Call-ID field. Count of streams is
fixed to 0 and the field is disabled.

Show Packet Bytes

If a selected packet field does not show all the bytes (i.e., they are truncated when displayed) or if they
are shown as bytes rather than string or if they require more formatting because they contain an image
or HTML then this dialog can be used.
This dialog can also be used to decode field bytes from base64, zlib compressed or quoted-printable
and show the decoded bytes as configurable output. It’s also possible to select a subset of bytes setting
the start byte and end byte.
You can choose from the following actions:

[ Help ]
Show this help.

[ Print ]
Print the bytes in the currently selected format.

[ Copy ]
Copy the bytes to the clipboard in the currently selected format.

[ Save As ]
Save the bytes in the currently selected format.

[ Close ]

131
 Close this dialog box.

You can choose to decode the data from one of the following formats:

None
This is the default which does not decode anything.

Base64
This will decode from Base64.

Compressed
This will decompress the buffer using zlib.

Hex Digits
This will decode from a string of hex digits. Non-hex characters are skipped.

Quoted-Printable
This will decode from a Quoted-Printable string.
ROT-13
This will decode ROT-13 encoded text.

You can choose to view the data in one of the following formats:

ASCII
In this view you see the bytes as ASCII. All control characters and non-ASCII bytes are replaced by
dot.
ASCII & Control
In this view all control characters are shown using a UTF-8 symbol and all non-ASCII bytes are
replaced by dot.
C Array
This allows you to import the field data into your own C program.

EBCDIC
For the big-iron freaks out there.

Hex Dump
This allows you to see all the data. This will require a lot of screen space and is best used with
binary protocols.
HTML
This allows you to see all the data formatted as a HTML document. The HTML supported is what’s
supported by the Qt QTextEdit class.
132
Image
This will try to convert the bytes into an image. Most popular formats are supported including PNG,
JPEG, GIF, and BMP.
ISO 8859-1
In this view you see the bytes as ISO 8859-1.

Raw
This allows you to load the bytes into a different program for further examination. The display will
show HEX data, but “Save As” will result in a binary file.
UTF-8
In this view you see the bytes as UTF-8.

UTF-16
In this view you see the bytes as UTF-16.
YAML
This will show the bytes as a YAML binary dump.

You can search for text by entering it in the “Find” entry box and pressing [ Find Next ].

Expert Information
Wireshark keeps track of any anomalies and other items of interest it finds in a capture file and shows
them in the Expert Information dialog. The goal is to give you a better idea of uncommon or notable
network behavior and to let novice and expert users find network problems faster than manually
scanning through the packet list.

Expert information is only a hint

Expert information is the starting point for investigation, not the stopping
WARNINGpoint. Every network is different, and it’s up to you to verify that
Wireshark’s expert information applies to your particular situation. The presence
of expert information doesn’t necessarily indicate a problem and absence of
expert information doesn’t necessarily mean everything is OK.

The amount of expert information largely depends on the protocol being used. While dissectors for
some common protocols like TCP and IP will show detailed information, other dissectors will show
little or none.
The following describes the components of a single expert information entry along with the expert user
interface.

Expert Information Entries

133
Expert information entries are grouped by severity level (described below) and contain the following:
Table 27. Example expert information items
Packet # Summary Group Protocol

592 TCP: [TCP Out- Malformed TCP

OfOrder] …

1202 DNS: Standard query Protocol DNS

response …

443 TCP: 80 → 59322 Sequence TCP

[RST]
Seq=12761 Win=0
Len=0
Severity

Every expert information item has a severity level. The following levels are used, from lowest to
highest. Wireshark marks them using different colors, which are shown in parentheses:
Chat (blue)
Information about usual workflow, e.g., a TCP packet with the SYN flag set.

Note (cyan)
Notable events, e.g., an application returned a common error code such as HTTP 404.

Warn (yellow)
Warnings, e.g., application returned an unusual error code like a connection problem.

Error (red)
Serious problems, such as malformed packets.

Summary

Short explanatory text for each expert information item.

Group

Along with severity levels, expert information items are categorized by group. The following groups
are currently implemented:
Assumption
The protocol field has incomplete data and was dissected based on assumed value.

Checksum
A checksum was invalid.
134
Comment
Packet comment.

Debug
Debugging information. You shouldn’t see this group in release versions of Wireshark.

Decryption
A decryption issue.

Deprecated
The protocol field has been deprecated.

Malformed
Malformed packet or dissector has a bug. Dissection of this packet aborted.
Protocol
Violation of a protocol’s specification (e.g., invalid field values or illegal lengths). Dissection of this
packet probably continued.
Reassemble
Problems while reassembling, e.g., not all fragments were available or an exception happened
during reassembly.
Request Code
An application request (e.g., File Handle == x). Usually assigned the Chat severity level.

Response Code
An application response code indicates a potential problem, e.g., HTTP 404 page not found.

Security
A security problem, e.g., an insecure implementation.

Sequence
A protocol sequence number was suspicious, e.g., it wasn’t continuous or a retransmission was
detected.
Undecoded
Dissection incomplete or data can’t be decoded for other reasons.

It’s possible that more groups will be added in the future.

Protocol

The protocol dissector that created the expert information item.

135
The “Expert Information” Dialog

You can open the expert info dialog by selecting Analyze › Expert Info or by clicking the expert level
indicator in the main status bar.
Right-clicking on an item will allow you to apply or prepare a filter based on the item, copy its
summary text, and other tasks.

Figure 73. The “Expert Information” dialog box

You can choose from the following actions:

Limit to display filter

Only show expert information items present in packets that match the current display filter.

Group by summary
Group items by their summary instead of the groups described above.

Search
Only show items that match the search string, such as “dns”. Regular expressions are supported.

Show…
Lets you show or hide each severity level. For example, you can deselect Chat and Note severities if
desired.
[ Help ]
Takes you to this section of the User’s Guide.

[ Close ]
Closes the dialog
136
“Colorized” Protocol Details Tree

Figure 74. The “Colorized” protocol details tree

The packet detail tree marks fields with expert information based on their severity level color, e.g.,
“Warning” severities have a yellow background. This color is propagated to the top-level protocol item
in the tree in order to make it easy to find the field that created the expert information.
For the example screenshot above, the IP “Time to live” value is very low (only 1), so the
corresponding protocol field is marked with a cyan background. To make it easier find that item in the
packet tree, the IP protocol toplevel item is marked cyan as well.

“Expert” Packet List Column (Optional)

Figure 75. The “Expert” packet list column

An optional “Expert Info Severity” packet list column is available that displays the most significant
severity of a packet or stays empty if everything seems OK. This column is not displayed by default but
can be easily added using the Preferences Columns page described in Preferences.

137
TCP Analysis
By default, Wireshark’s TCP dissector tracks the state of each TCP session and provides additional
information when problems or potential problems are detected. Analysis is done once for each TCP
packet when a capture file is first opened. Packets are processed in the order in which they appear in
the packet list. You can enable or disable this feature via the “Analyze TCP sequence numbers” TCP
dissector preference.
For analysis of data or protocols layered on top of TCP (such as HTTP), see TCP Reassembly.

Figure 76. “TCP Analysis” packet detail items

TCP Analysis flags are added to the TCP protocol tree under “SEQ/ACK analysis”. Each flag is
described below. Terms such as “next expected sequence number” and “next expected acknowledgment
number” refer to the following”:
Next expected sequence number
The last-seen sequence number plus segment length. Set when there are no analysis flags and for
zero window probes. This is initially zero and calculated based on the previous packet in the same
TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.
Next expected acknowledgment number
The last-seen sequence number for segments. Set when there are no analysis flags and for zero
window probes.
Last-seen acknowledgment number
Always updated for each packet. Note that this is not the same as the next expected
acknowledgment number.

TCP ACKed unseen segment

Set when the expected next acknowledgment number is set for the reverse direction and it’s less than
the current acknowledgment number.

TCP Dup ACK <frame>#<acknowledgment number>

Set when all of the following are true:

138
 • The segment size is zero.

• The window size is non-zero and hasn’t changed, or there is valid SACK data.

• The next expected sequence number and last-seen acknowledgment number are non-zero (i.e., the
connection has been established).

• SYN, FIN, and RST are not set.

TCP Fast Retransmission

Set when all of the following are true:

• This is not a keepalive packet.

• In the forward direction, the segment size is greater than zero or the SYN or FIN is set.

• The next expected sequence number is greater than the current sequence number.

• We have at least two duplicate ACKs in the reverse direction.

• The current sequence number equals the next expected acknowledgment number.

• We saw the last acknowledgment less than 20ms ago.

Supersedes “Out-Of-Order” and “Retransmission”.

TCP Keep-Alive

Set when the segment size is zero or one, the current sequence number is one byte less than the next
expected sequence number, and none of SYN, FIN, or RST are set.
Supersedes “Fast Retransmission”, “Out-Of-Order”, “Spurious Retransmission”,
and “Retransmission”.

TCP Keep-Alive ACK

Set when all of the following are true:

• The segment size is zero.

• The window size is non-zero and hasn’t changed.

• The current sequence number is the same as the next expected sequence number.

• The current acknowledgment number is the same as the last-seen acknowledgment number.

• The most recently seen packet in the reverse direction was a keepalive.

• The packet is not a SYN, FIN, or RST.

Supersedes “Dup ACK” and “ZeroWindowProbeAck”.

139
TCP Out-Of-Order

Set when all of the following are true:

• This is not a keepalive packet.

• In the forward direction, the segment length is greater than zero or the SYN or FIN is set.

• The next expected sequence number is greater than the current sequence number.

• The next expected sequence number and the next sequence number differ.

• The last segment arrived within the Out-Of-Order RTT threshold. The threshold is either the value
shown in the “iRTT” (tcp.analysis.initial_rtt) field under “SEQ/ACK analysis” if it is present, or the
default value of 3ms if it is not.

Supersedes “Retransmission”.

TCP Port numbers reused

Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same
addresses and ports, and the sequence number is different than the existing conversation’s initial
sequence number.

TCP Previous segment not captured

Set when the current sequence number is greater than the next expected sequence number.

TCP Spurious Retransmission

Checks for a retransmission based on analysis data in the reverse direction. Set when all of the
following are true:
• The SYN or FIN flag is set.

• This is not a keepalive packet.

• The segment length is greater than zero.

• Data for this flow has been acknowledged. That is, the last-seen acknowledgment number has been
set.

• The next sequence number is less than or equal to the last-seen acknowledgment number.

Supersedes “Fast Retransmission”, “Out-Of-Order”, and “Retransmission”.

TCP Retransmission

Set when all of the following are true:

140
 • This is not a keepalive packet.

• In the forward direction, the segment length is greater than zero or the SYN or FIN flag is set.

• The next expected sequence number is greater than the current sequence number.

TCP Window Full

Set when the segment size is non-zero, we know the window size in the reverse direction, and our
segment size exceeds the window size in the reverse direction.

TCP Window Update

Set when the all of the following are true:

• The segment size is zero.

• The window size is non-zero and not equal to the last-seen window size, and there is no valid SACK
data.

• The sequence number is equal to the next expected sequence number.

• The acknowledgment number is equal to the last-seen acknowledgment number, • or to the next

expected sequence number when answering to a ZeroWindowProbe.

• None of SYN, FIN, or RST are set.

TCP ZeroWindow

Set when the receive window size is zero and none of SYN, FIN, or RST are set.

The window field in each TCP header advertises the amount of data a receiver can accept. If the
receiver can’t accept any more data it will set the window value to zero, which tells the sender to pause
its transmission. In some specific cases this is normal — for example, a printer might use a zero
window to pause the transmission of a print job while it loads or reverses a sheet of paper. However, in
most cases this indicates a performance or capacity problem on the receiving end. It might take a long
time (sometimes several minutes) to resume a paused connection, even if the underlying condition that
caused the zero window clears up quickly.

TCP ZeroWindowProbe

Set when the sequence number is equal to the next expected sequence number, the segment size is one,
and last-seen window size in the reverse direction was zero.
If the single data byte from a Zero Window Probe is dropped by the receiver (not ACKed), then a
subsequent segment should not be flagged as retransmission if all of the following conditions are true
for that segment: * The segment size is larger than one. * The next expected sequence number is one
less than the current sequence number.
141
This affects “Fast Retransmission”, “Out-Of-Order”, or “Retransmission”.

TCP ZeroWindowProbeAck

Set when the all of the following are true:

• The segment size is zero.

• The window size is zero.

• The sequence number is equal to the next expected sequence number.

• The acknowledgment number is equal to the last-seen acknowledgment number.

• The last-seen packet in the reverse direction was a zero window probe.

Supersedes “TCP Dup ACK”.

TCP Ambiguous Interpretations

Some captures are quite difficult to analyze automatically, particularly when the time frame may cover
both Fast Retransmission and Out-Of-Order packets. A TCP preference allows to switch the precedence
of these two interpretations at the protocol level.

TCP Conversation Completeness

TCP conversations are said to be complete when they have both opening and closing handshakes,
independently of any data transfer. However, we might be interested in identifying complete
conversations with some data sent, and we are using the following bit values to build a filter value on
the tcp.completeness field :
• 1 : SYN

• 2 : SYN-ACK

• 4 : ACK

• 8 : DATA

• 16 : FIN

• 32 : RST

For example, a conversation containing only a three-way handshake will be found with the filter
'tcp.completeness==7' (1+2+4) while a complete conversation with data transfer will be found with a
longer filter as closing a connection can be associated with FIN or RST packets, or even both :
'tcp.completeness==31 or tcp.completeness==47 or tcp.completeness==63'
Another way to select specific conversation values is to filter on individual flags, the summary field, or
a combination of them. Thus, '(tcp.completeness.fin==1 || tcp.completeness.rst==1) &&
tcp.completeness.str contains "DASS"' will find all 'Complete, WITH_DATA' conversations, while the
142
'Complete, NO_DATA' ones will be found with '(tcp.completeness.fin==1 || tcp.completeness.rst==1)
&& tcp.completeness.data==0 && tcp.completeness.str contains "ASS"'.

Time Stamps
Time stamps, their precisions and all that can be quite confusing. This section will provide you with
information about what’s going on while Wireshark processes time stamps.
While packets are captured, each packet is time stamped as it comes in. These time stamps will be
saved to the capture file, so they also will be available for (later) analysis.
So where do these time stamps come from? While capturing, Wireshark gets the time stamps from the
libpcap (Npcap) library, which in turn gets them from the operating system kernel. If the capture data is
loaded from a capture file, Wireshark obviously gets the data from that file.

Wireshark Internals

The internal format that Wireshark uses to keep a packet time stamp consists of the date (in days since
1.1.1970) and the time of day (in nanoseconds since midnight). You can adjust the way Wireshark
displays the time stamp data in the packet list, see the “Time Display Format” item in the The “View”
Menu for details.
While reading or writing capture files, Wireshark converts the time stamp data between the capture file
format and the internal format as required.
While capturing, Wireshark uses the libpcap (Npcap) capture library which supports microsecond
resolution. Unless you are working with specialized capturing hardware, this resolution should be
adequate.

Capture File Formats

Every capture file format that Wireshark knows supports time stamps. The time stamp precision
supported by a specific capture file format differs widely and varies from one second “0” to one
nanosecond “0.123456789”. Most file formats store the time stamps with a fixed precision (e.g.,
microseconds), while some file formats are even capable of storing the time stamp precision itself
(whatever the benefit may be).
The common libpcap capture file format that is used by Wireshark (and a lot of other tools) supports a
fixed microsecond resolution “0.123456” only.
Writing data into a capture file format that doesn’t provide the capability to store the actual precision
will lead to loss of information. For example, if you load a capture file with nanosecond resolution and
store the capture data in a libpcap file (with microsecond resolution) Wireshark obviously must reduce
the precision from nanosecond to microsecond.

Accuracy

143
People often ask “Which time stamp accuracy is provided by Wireshark?”. Well, Wireshark doesn’t
create any time stamps itself but simply gets them from “somewhere else” and displays them. So
accuracy will depend on the capture system (operating system, performance, etc.) that you use. Because
of this, the above question is difficult to answer in a general way.

USB connected network adapters often provide a very bad time stamp accuracy. The
incoming packets have to take “a long and winding road” to travel through the USB
cable until they actually reach the kernel. As the incoming packets are time stamped
NOTEwhen they are processed by the kernel, this time stamping mechanism becomes
very inaccurate.
Don’t use USB connected NICs when you need precise time stamp accuracy.

Time Zones
If you travel across the planet, time zones can be confusing. If you get a capture file from somewhere
around the world time zones can even be a lot more confusing ;-)
First of all, there are two reasons why you may not need to think about time zones at all:

• You are only interested in the time differences between the packet time stamps and don’t need to
know the exact date and time of the captured packets (which is often the case).

• You don’t get capture files from different time zones than your own, so there are simply no time zone
problems. For example, everyone in your team is working in the same time zone as yourself.

What are time zones?

People expect that the time reflects the sunset. Dawn should be in the morning maybe around
06:00 and dusk in the evening maybe at 20:00. These times will obviously vary depending on the
season. It would be very confusing if everyone on earth would use the same global time as this
would correspond to the sunset only at a small part of the world.
For that reason, the earth is split into several different time zones, each zone with a local time that
corresponds to the local sunset.
The time zone’s base time is UTC (Coordinated Universal Time) or Zulu Time (military and
aviation). The older term GMT (Greenwich Mean Time) shouldn’t be used as it is slightly
incorrect (up to 0.9 seconds difference to UTC). The UTC base time equals to 0 (based at
Greenwich, England) and all time zones have an offset to UTC between -12 to +14 hours!
For example: If you live in Berlin, you are in a time zone one hour earlier than UTC, so you are
in time zone “+1” (time difference in hours compared to UTC). If it’s 3 o’clock in Berlin it’s 2
o’clock in UTC “at the same moment”.
Be aware that at a few places on earth don’t use time zones with even hour offsets (e.g., New Delhi
uses UTC+05:30)!

144
 Further information can be found at: https://en.wikipedia.org/wiki/Time_zone
and https://en.wikipedia.org/wiki/Coordinated_Universal_Time.

What is daylight saving time (DST)?

Daylight Saving Time (DST), also known as Summer Time is intended to “save” some daylight
during the summer months. To do this, a lot of countries (but not all!) add a DST hour to the
already existing UTC offset. So you may need to take another hour (or in very rare cases even
two hours!) difference into your “time zone calculations”.
Unfortunately, the date at which DST actually takes effect is different throughout the world. You
may also note, that the northern and southern hemispheres have opposite DST’s (e.g., while it’s
summer in Europe it’s winter in Australia).
Keep in mind: UTC remains the same all year around, regardless of DST!

Further information can be found at https://en.wikipedia.org/wiki/Daylight_saving.

Further time zone and DST information can be found at https://wwp.greenwichmeantime.com/ and
https://www.timeanddate.com/worldclock/.

Set your computer’s time correctly!

If you work with people around the world it’s very helpful to set your computer’s time and time zone
right.
You should set your computers time and time zone in the correct sequence:

1. Set your time zone to your current location

2. Set your computer’s clock to the local time

This way you will tell your computer both the local time and also the time offset to UTC. Many
organizations simply set the time zone on their servers and networking gear to UTC in order to make
coordination and troubleshooting easier.

If you travel around the world, it’s an often-made mistake to adjust the hours of your
computer clock to the local time. Don’t adjust the hours but your time zone setting
TIP instead! For your computer, the time is essentially the same as before, you are simply in a
different time zone with a different local time.

You can use the Network Time Protocol (NTP) to automatically adjust your computer to the correct
time, by synchronizing it to Internet NTP clock servers. NTP clients are available for all operating
systems that Wireshark supports (and for a lot more), for examples see http://www.ntp.org/.

Wireshark and Time Zones

145
So what’s the relationship between Wireshark and time zones anyway?

Wireshark’s native capture file format (libpcap format), and some other capture file formats, such as the
Windows Sniffer, *Peek, Sun snoop formats, and newer versions of the Microsoft Network Monitor
and Network Instruments/Viavi Observer formats, save the arrival time of packets as UTC values.
UN*X systems, and “Windows NT based” systems represent time internally as UTC. When Wireshark
is capturing, no conversion is necessary. However, if the system time zone is not set correctly, the
system’s UTC time might not be correctly set even if the system clock appears to display correct local
time. When capturing, Npcap has to convert the time to UTC before supplying it to Wireshark. If the
system’s time zone is not set correctly, that conversion will not be done correctly.
Other capture file formats, such as the OOS-based Sniffer format and older versions of the Microsoft
Network Monitor and Network Instruments/Viavi Observer formats, save the arrival time of packets as
local time values.
Internally to Wireshark, time stamps are represented in UTC. This means that when reading capture
files that save the arrival time of packets as local time values, Wireshark must convert those local time
values to UTC values.
Wireshark in turn will display the time stamps always in local time. The displaying computer will
convert them from UTC to local time and displays this (local) time. For capture files saving the arrival
time of packets as UTC values, this means that the arrival time will be displayed as the local time in
your time zone, which might not be the same as the arrival time in the time zone in which the packet
was captured. For capture files saving the arrival time of packets as local time values, the conversion to
UTC will be done using your time zone’s offset from UTC and DST rules, which means the conversion
will not be done correctly; the conversion back to local time for display might undo this correctly, in
which case the arrival time will be displayed as the arrival time in which the packet was captured.
Table 28. Time zone examples for UTC arrival times (without DST)
Los Angeles New York Madrid London Berlin Tokyo

Capture File 10:00 10:00 10:00 10:00 10:00 10:00

(UTC)

Local Offset -8 -5 -1 0 +1 +9
to UTC

Displayed 02:00 05:00 09:00 10:00 11:00 19:00

Time (Local
Time)
For example, let’s assume that someone in Los Angeles captured a packet with Wireshark at exactly 2
o’clock local time and sends you this capture file. The capture file’s time stamp will be represented in
UTC as 10 o’clock. You are located in Berlin and will see 11 o’clock on your Wireshark display.
Now you have a phone call, video conference or Internet meeting with that one to talk about that
capture file. As you are both looking at the displayed time on your local computers, the one in Los
Angeles still sees 2 o’clock but you in Berlin will see 11 o’clock. The time displays are different as
both Wireshark displays will show the (different) local times at the same point in time.

146
Conclusion: You may not bother about the date/time of the time stamp you currently look at unless you
must make sure that the date/time is as expected. So, if you get a capture file from a different time zone
and/or DST, you’ll have to find out the time zone/DST difference between the two local times and
“mentally adjust” the time stamps accordingly. In any case, make sure that every computer in question
has the correct time and time zone setting.

Packet Reassembly
What Is It?
Network protocols often need to transport large chunks of data which are complete in themselves, e.g.,
when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g.,
limitation of the network packet size), or is stream-based like TCP, which doesn’t know data chunks at
all.
In that case the network protocol has to handle the chunk boundaries itself and (if required) spread the
data over multiple packets. It obviously also needs a mechanism to determine the chunk boundaries on
the receiving side.

Wireshark calls this mechanism reassembly, although a specific protocol specification might use a
different term for this (e.g., desegmentation, defragmentation, etc.).

How Wireshark Handles It

For some of the network protocols Wireshark knows of, a mechanism is implemented to find, decode
and display these chunks of data. Wireshark will try to find the corresponding packets of this chunk,
and will show the combined data as additional tabs in the “Packet Bytes” pane (for information about
this pane. See The “Packet Bytes” Pane).

Figure 77. The “Packet Bytes” pane with a reassembled tab

Reassembly might take place at several protocol layers, so it’s possible that multiple tabs in the “Packet
Bytes” pane appear.

NOTE You will find the reassembled data in the last packet of the chunk.

For example, in a HTTP GET response, the requested data (e.g., an HTML page) is returned. Wireshark
will show the hex dump of the data in a new tab “Uncompressed entity body” in the “Packet Bytes”
pane.

147
Reassembly is enabled in the preferences by default but can be disabled in the preferences for the
protocol in question. Enabling or disabling reassembly settings for a protocol typically requires two
things:
1. The lower-level protocol (e.g., TCP) must support reassembly. Often this reassembly can be enabled
or disabled via the protocol preferences.

2. The higher-level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble
fragmented protocol data. This too can often be enabled or disabled via the protocol preferences.

The tooltip of the higher-level protocol setting will notify you if and which lower-level protocol setting
also has to be considered.

TCP Reassembly

Protocols such as HTTP or TLS are likely to span multiple TCP segments. The TCP protocol preference
“Allow subdissector to reassemble TCP streams” (enabled by default) makes it possible for Wireshark
to collect a contiguous sequence of TCP segments and hand them over to the higherlevel protocol (for
example, to reconstruct a full HTTP message). All but the final segment will be marked with “[TCP
segment of a reassembled PDU]” in the packet list.
Disable this preference to reduce memory and processing overhead if you are only interested in TCP
sequence number analysis (TCP Analysis). Keep in mind, though, that higher-level protocols might be
wrongly dissected. For example, HTTP messages could be shown as “Continuation” and TLS records
could be shown as “Ignored Unknown Record”. Such results can also be observed if you start capturing
while a TCP connection was already started or when TCP segments are lost or delivered out-of-order.
To reassemble of out-of-order TCP segments, the TCP protocol preference “Reassemble out-of-order
segments” (currently disabled by default) must be enabled in addition to the previous preference. If all
packets are received in-order, this preference will not have any effect. Otherwise (if missing segments
are encountered while sequentially processing a packet capture), it is assuming that the new and
missing segments belong to the same PDU. Caveats:
• Lost packets are assumed to be received out-of-order or retransmitted later. Applications usually
retransmit segments until these are acknowledged, but if the packet capture drops packets, then
Wireshark will not be able to reconstruct the TCP stream. In such cases, you can try to disable this
preference and hopefully have a partial dissection instead of seeing just “[TCP segment of a
reassembled PDU]” for every TCP segment.

• When doing a capture in monitor mode (IEEE 802.11), packets are more likely to get lost due to
signal reception issues. In that case it is recommended to disable the option.

• If the new and missing segments are in fact part of different PDUs, then processing is currently
delayed until no more segments are missing, even if the begin of the missing segments completed a
PDU. For example, assume six segments forming two PDUs ABC and DEF. When received as
ABECDF, an application can start processing the first PDU after receiving ABEC. Wireshark

148
 however requires the missing segment D to be received as well. This issue will be addressed in the
future.

• In the GUI and during a two-pass dissection (tshark -2), the previous scenario will display both PDUs
in the packet with last segment (F) rather than displaying it in the first packet that has the final missing
segment of a PDU. This issue will be addressed in the future.

• When enabled, fields such as the SMB “Time from request” (smb.time) might be smaller if the request
follows other out-of-order segments (this reflects application behavior). If the previous scenario
however occurs, then the time of the request is based on the frame where all missing segments are
received.

Regardless of the setting of these two reassembly-related preferences, you can always use the “Follow
TCP Stream” option (Following Protocol Streams) which displays segments in the expected order.

Name Resolution
Name resolution tries to convert some of the numerical address values into a human readable format.
There are two possible ways to do these conversions, depending on the resolution to be done: calling
system/network services (like the gethostname() function) and/or resolving from Wireshark specific
configuration files. For details about the configuration files Wireshark uses for name resolution and
alike, see Files and Folders.
The name resolution feature can be enabled individually for the protocol layers listed in the following
sections.

Name Resolution Drawbacks

Name resolution can be invaluable while working with Wireshark and may even save you hours of
work. Unfortunately, it also has its drawbacks.
• Name resolution can often fail. The name to be resolved might simply be unknown by the name
servers asked, or the servers are just not available and the name is also not found in Wireshark’s
configuration files.

• Resolved names might not be available. Wireshark obtains name resolution information from a
variety of sources, including DNS servers, the capture file itself (e.g., for a pcapng file), and the hosts
files on your system and in your profile directory. The resolved names might not be available if you
open the capture file later or on a different machine. As a result, each time you or someone else opens
a particular capture file it may look slightly different due to changing environments.
• DNS may add additional packets to your capture file. You might run into the observer effect if the
extra traffic from Wireshark’s DNS queries and responses affects the problem you’re trying to
troubleshoot or any subsequent analysis.

The same sort of thing can happen when capturing over a remote connection, e.g., SSH or RDP.
149
 • Resolved DNS names are cached by Wireshark. This is required for acceptable performance.
However, if the name resolution information should change while Wireshark is running, Wireshark
won’t notice a change in the name resolution information once it gets cached. If this information
changes while Wireshark is running, e.g., a new DHCP lease takes effect, Wireshark won’t notice it.

Name resolution in the packet list is done while the list is filled. If a name can be resolved after a
packet is added to the list, its former entry won’t be changed. As the name resolution results are cached,
you can use View › Reload to rebuild the packet list with the correctly resolved names.
However, this isn’t possible while a capture is in progress.

Ethernet Name Resolution (MAC Layer)

Try to resolve an Ethernet MAC address (e.g., 00:09:5b:01:02:03) to a human readable name.

ARP name resolution (system service): Wireshark will ask the operating system to convert an Ethernet
address to the corresponding IP address (e.g. 00:09:5b:01:02:03 → 192.168.0.1).
Ethernet codes (ethers file): If the ARP name resolution failed, Wireshark tries to convert the Ethernet
address to a known device name, which has been assigned by the user using an ethers file (e.g.,
00:09:5b:01:02:03 → homerouter).
Ethernet manufacturer codes (manuf file): If neither ARP or ethers returns a result, Wireshark tries to
convert the first 3 bytes of an ethernet address to an abbreviated manufacturer name, which has been
assigned by the IEEE (e.g. 00:09:5b:01:02:03 → Netgear_01:02:03).

IP Name Resolution (Network Layer)

Try to resolve an IP address (e.g., 216.239.37.99) to a human readable name.

DNS name resolution (system/library service): Wireshark will use a name resolver to convert an IP
address to the hostname associated with it (e.g., 216.239.37.99 → www.1.google.com).
Most applications use synchronously DNS name resolution. For example, your web browser must
resolve the host name portion of a URL before it can connect to the server. Capture file analysis is
different. A given file might have hundreds, thousands, or millions of IP addresses so for usability and
performance reasons Wireshark uses asynchronous resolution. Both mechanisms convert IP addresses
to human readable (domain) names and typically use different sources such as the system hosts file
(/etc/hosts) and any configured DNS servers.
Since Wireshark doesn’t wait for DNS responses, the host name for a given address might be missing
from a given packet when you view it the first time but be present when you view it subsequent times.
You can adjust name resolution behavior in the Name Resolution section in the Preferences Dialog. You
can control resolution itself by adding a hosts file to your personal configuration directory. You can also
edit your system hosts file, but that isn’t generally recommended.

TCP/UDP Port Name Resolution (Transport Layer)

150
Try to resolve a TCP/UDP port (e.g., 80) to a human readable name.

TCP/UDP port conversion (system service): Wireshark will ask the operating system to convert a TCP
or UDP port to its well-known name (e.g., 80 → http).

VLAN ID Resolution
To get a descriptive name for a VLAN tag ID a vlans file can be used.

SS7 Point Code Resolution

To get a node name for a SS7 point code a ss7pcs file can be used.

Checksums
Several network protocols use checksums to ensure data integrity. Applying checksums as described
here is also known as redundancy checking.

What are checksums for?

Checksums are used to ensure the integrity of data portions for data transmission or storage. A
checksum is basically a calculated summary of such a data portion.
Network data transmissions often produce errors, such as toggled, missing or duplicated bits. As
a result, the data received might not be identical to the data transmitted, which is obviously a bad
thing.
Because of these transmission errors, network protocols very often use checksums to detect such
errors. The transmitter will calculate a checksum of the data and transmits the data together with
the checksum. The receiver will calculate the checksum of the received data with the same
algorithm as the transmitter. If the received and calculated checksums don’t match a transmission
error has occurred.
Some checksum algorithms are able to recover (simple) errors by calculating where the expected
error must be and repairing it.
If there are errors that cannot be recovered, the receiving side throws away the packet.
Depending on the network protocol, this data loss is simply ignored or the sending side needs to
detect this loss somehow and retransmits the required packet(s).
Using a checksum drastically reduces the number of undetected transmission errors. However,
the usual checksum algorithms cannot guarantee an error detection of 100%, so a very small
number of transmission errors may remain undetected.
There are several different kinds of checksum algorithms; an example of an often used checksum
algorithm is CRC32. The checksum algorithm actually chosen for a specific network protocol
will depend on the expected error rate of the network medium, the importance of error detection,
the processor load to perform the calculation, the performance needed and many other things.

151
 Further information about checksums can be found at: https://en.wikipedia.org/wiki/ Checksum.

Wireshark Checksum Validation

Wireshark will validate the checksums of many protocols, e.g., IP, TCP, UDP, etc.

It will do the same calculation as a “normal receiver” would do, and shows the checksum fields in the
packet details with a comment, e.g., [correct] or [invalid, must be 0x12345678].
Checksum validation can be switched off for various protocols in the Wireshark protocol preferences,
e.g., to (very slightly) increase performance.
If the checksum validation is enabled and it detected an invalid checksum, features like packet
reassembly won’t be processed. This is avoided as incorrect connection data could “confuse” the
internal database.

Checksum Offloading

The checksum calculation might be done by the network driver, protocol driver or even in hardware.
For example: The Ethernet transmitting hardware calculates the Ethernet CRC32 checksum and the
receiving hardware validates this checksum. If the received checksum is wrong Wireshark won’t even
see the packet, as the Ethernet hardware internally throws away the packet.
Higher-level checksums are “traditionally” calculated by the protocol implementation and the
completed packet is then handed over to the hardware.
Recent network hardware can perform advanced features such as IP checksum calculation, also known
as checksum offloading. The network driver won’t calculate the checksum itself but will simply hand
over an empty (zero or garbage filled) checksum field to the hardware.

Checksum offloading often causes confusion as network packets to be transmitted

are given to Wireshark before they are handed over to the hardware. Wireshark gets these
“empty” checksums and displays them as invalid, even though the NOTEpackets will
contain valid checksums when they transit the network.

This only applies to packets that are locally generated by the capture point. Received
packets will have traveled through network hardware and should have correct
checksums.

Checksum offloading can be confusing and having a lot of [invalid] messages on the screen can be
quite annoying. As mentioned above, invalid checksums may lead to unreassembled packets, making
the analysis of the packet data much harder.
You can do two things to avoid this checksum offloading problem:

• Turn off the checksum offloading in the network driver, if this option is available.

152
 • Turn off checksum validation of the specific protocol in the Wireshark preferences. Recent releases
of Wireshark disable checksum validation by default due to the prevalence of offloading in modern
hardware and operating systems.

Partial Checksums

TCP and UDP checksums are calculated over both the payload and from selected elements from the
IPv4 or IPv6 header, known as the pseudo header. Linux and Windows, when offloading checksums,
will calculate the contribution from the pseudo header and place it in the checksum field. The driver
then directs the hardware to calculate the checksum over the payload area, which will produce the
correct result including the pseudo header’s portion of the sum as a matter of mathematics.
This precomputation speeds up the hardware checksum calculation later, allows the driver to direct the
hardware to do checksums over encapsulated payloads (Local Checksum Offload), and allows
applications to send the kernel large "superpacket" buffers that will be later divided by the hardware
into multiple maximum size packets when sent on the network (TCP Segmentation Offload (TSO) and
Generic Segmentation Offload (GSO)).

Wireshark 4.2.0 and later can calculate the partial checksum contribution from the
pseudo header, and when validating TCP and UDP checksums will mark partial
checksums as valid but partial. The packets with partial checksums will not be
NOTEcolored as Bad Checksums by the default coloring rules, and will still be used
for reassembly. This eliminates spurious checksum errors seen on packets transmitted
from the capturing host on those platforms that use partial checksums when offloading.

Statistics

Introduction
Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu.
These statistics range from general information about the loaded capture file (like the number of
captured packets), to statistics about specific protocols (e.g., statistics about the number of HTTP
requests and responses captured).
General statistics
• Capture File Properties about the capture file.

• Protocol Hierarchy of the captured packets.

• Conversations e.g., traffic between specific IP addresses.

• Endpoints e.g., traffic to and from IP addresses.

• I/O Graphs visualizing the number of packets (or similar) in time.

Protocol specific statistics

• Service Response Time between request and response of some protocols.
153
 • Various other protocol specific statistics.

The protocol specific statistics require detailed knowledge about the specific
NOTEprotocol. Unless you are familiar with that protocol, statistics about it may be
difficult to understand.

Wireshark has many other statistics windows that display detailed information about specific protocols
and might be described in a later version of this document.
Some of these statistics are described at https://gitlab.com/wireshark/wireshark/-/wikis/Statistics.

The “Capture File Properties” Dialog

General information about the current capture file.

154
Figure 78. The “Capture File Properties” dialog

This dialog shows the following information:

Details
Notable information about the capture file.

File
General information about the capture file, including its full path, size, cryptographic hashes, file
format, and encapsulation.
Time
The timestamps of the first and the last packet in the file along with their difference.
Capture
Information about the capture environment. This will only be shown for live captures or if this
information is present in a saved capture file. The pcapng format supports this, while pcap
doesn’t.
Interfaces
Information about the capture interface or interfaces.

Statistics
A statistical summary of the capture file. If a display filter is set, you will see values in the
Captured column, and if any packets are marked, you will see values in the Marked column.
The values in the Captured column will remain the same as before, while the values in the
Displayed column will reflect the values corresponding to the packets shown in the display. The
values in the Marked column will reflect the values corresponding to the marked packages.
Capture file comments
Some capture file formats (notably pcapng) allow a text comment for the entire file. You can view
and edit this comment here.
[ Refresh ]
Updates the information in the dialog.

[ Save Comments ]
Saves the contents of the “Capture file comments” text entry.

[ Close ]
Closes the dialog

[ Copy To Clipboard ]
Copies the “Details” information to the clipboard.

[ Help ]
155
 Opens this section of the User’s Guide.

Resolved Addresses
The Resolved Addresses window shows the list of resolved addresses and their host names. Users can
choose the Hosts field to display IPv4 and IPv6 addresses only. In this case, the dialog displays host
names for each IP address in a capture file with a known host. This host is typically taken from DNS
answers in a capture file. In case of an unknown host name, users can populate it based on a reverse
DNS lookup. To do so, follow these steps:

1. Enable Resolve Network Addresses in the View › Name Resolution menu as this option is disabled
by default.

2. Select Use an external network name resolver in the Preferences › Name Resolution menu. This
option is enabled by default.

The resolved addresses are not updated automatically after a user changes the
NOTE
settings. To display newly available names, the user has to reopen the dialog.

The Ports tab shows the list of service names, ports and types.

Wireshark reads the entries for port mappings from the hosts service configuration files. See
Configuration Files section for more information.

156
Figure 79. Resolved Addresses window

The “Protocol Hierarchy” Window

The protocol hierarchy of the captured packets.

Figure 80. The “Protocol Hierarchy” Window

157
This is a tree of all the protocols in the capture. Each row contains the statistical values of one protocol.
Two of the columns (Percent Packets and Percent Bytes) serve double duty as bar graphs. If a display
filter is set it will be shown at the bottom.
The [ Copy ] button will let you copy the window contents as CSV or YAML.

Protocol hierarchy columns

Protocol
This protocol’s name.

Percent Packets
The percentage of protocol packets relative to all packets in the capture.

Packets
The total number of packets that contain this protocol.

Percent Bytes
The percentage of protocol bytes relative to the total bytes in the capture.

Bytes
The total number of bytes of this protocol.

Bits/s
The bandwidth of this protocol relative to the capture time.

End Packets
The absolute number of packets of this protocol where it was the highest protocol in the stack (last
dissected).
End Bytes
The absolute number of bytes of this protocol where it was the highest protocol in the stack (last
dissected).
End Bits/s
The bandwidth of this protocol relative to the capture time where was the highest protocol in the
stack (last dissected).
PDUs
The total number of PDUs of this protocol.

Packets usually contain multiple protocols. As a result, more than one protocol will be counted for each
packet. Example: In the screenshot 100% of packets are IP and 99.3% are TCP (which is together much
more than 100%).
Protocol layers can consist of packets that won’t contain any higher layer protocol, so the sum of all
higher layer packets may not sum to the protocol’s packet count. This can be caused by segments and
158
fragments reassembled in other frames, TCP protocol overhead, and other undissected data. Example:
In the screenshot 99.3% of the packets are TCP but the sum of the subprotocols (TLS, HTTP, Git, etc.)
is much less.
A single packet can contain the same protocol more than once. In this case, the entry in the PDUs
column will be greater than that of Packets. Example: In the screenshot there are many more TLS and
Git PDUs than there are packets.

Conversations
A network conversation is the traffic between two specific endpoints. For example, an IP conversation
is all the traffic between two IP addresses. The description of the known endpoint types can be found in
Endpoints.

The “Conversations” Window

The conversations window is similar to the endpoint Window. See The “Endpoints” Window for a
description of their common features. Along with addresses, packet counters, and byte counters the
conversation window adds four columns: the start time of the conversation (“Rel Start”) or (“Abs
Start”), the duration of the conversation in seconds, and the average bits (not bytes) per second in each
direction. A timeline graph is also drawn across the “Rel Start” / “Abs Start” and “Duration” columns.

Figure 81. The “Conversations” window

Each row in the list shows the statistical values for exactly one conversation.

Name resolution will be done if selected in the window and if it is active for the specific protocol layer
(MAC layer for the selected Ethernet endpoints page). Limit to display filter will only show
conversations matching the current display filter. Absolute start time switches the start time column
between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start times match the “Seconds

159
Since First Captured Packet” time display format in the packet list and absolute start times match the
“Time of Day” display format.
If a display filter had been applied before the dialog is opened, Limit to display filter will be set
automatically. Additionally, after a display filter had been applied, two columns ("Total Packets") and
("Percent Filtered") show the number of unfiltered total packets and the percentage of packets in this
filter display.
The [ Copy ] button will copy the list values to the clipboard in CSV (Comma Separated Values),
YAML format or JSON format. The numbers are generally exported without special formatting, but this
can be enabled if needed.
The [ Follow Stream… ] button will show the stream contents as described in The “Follow TCP
Stream” dialog box dialog. The [ Graph… ] button will show a graph as described in The “I/O Graphs”
Window.
[ Conversation Types ] lets you choose which traffic type tabs are shown. See Endpoints for a list of
endpoint types. The enabled types are saved in your profile settings.

This window will be updated frequently so it will be useful even if you open it before
TIP
(or while) you are doing a live capture.

Endpoints
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer. The
endpoint statistics of Wireshark will take the following endpoints into account:

If you are looking for a feature other network tools call a hostlist, here is the right
TIP place to look. The list of Ethernet or IP endpoints is usually what you’re looking for.

Endpoint and Conversation types

Bluetooth
A MAC-48 address similar to Ethernet.

Ethernet
Identical to the Ethernet device’s MAC-48 identifier.

Fibre Channel
A MAC-48 address similar to Ethernet.

IEEE 802.11
A MAC-48 address similar to Ethernet.

FDDI
Identical to the FDDI MAC-48 address.
160
IPv4
Identical to the 32-bit IPv4 address.

IPv6
Identical to the 128-bit IPv6 address.

IPX
A concatenation of a 32-bit network number and 48-bit node address, by default the Ethernet
interface’s MAC-48 address.
JXTA
A 160-bit SHA-1 URN.

NCP
Similar to IPX.

RSVP
A combination of various RSVP session attributes and IPv4 addresses.
SCTP
A combination of the host IP addresses (plural) and the SCTP port used. So different SCTP ports on
the same IP address are different SCTP endpoints, but the same SCTP port on different IP addresses
of the same host are still the same endpoint.
TCP
A combination of the IP address and the TCP port used. Different TCP ports on the same IP address
are different TCP endpoints.
Token Ring
Identical to the Token Ring MAC-48 address.

UDP
A combination of the IP address and the UDP port used, so different UDP ports on the same IP
address are different UDP endpoints.
USB
Identical to the 7-bit USB address.

Broadcast and multicast endpoints

NOTEBroadcast and multicast traffic will be shown separately as additional endpoints.

Of course, as these aren’t physical endpoints the real traffic will be received by some or
all of the listed unicast endpoints.

The “Endpoints” Window

161
This window shows statistics about the endpoints captured.

Figure 82. The “Endpoints” window

For each supported protocol, a tab is shown in this window. Each tab label shows the number of
endpoints captured (e.g., the tab label “Ethernet · 4” tells you that four ethernet endpoints have been
captured). If no endpoints of a specific protocol were captured, the tab label will be greyed out
(although the related page can still be selected).
Each row in the list shows the statistical values for exactly one endpoint.

Name resolution will be done if selected in the window and if it is active for the specific protocol layer
(MAC layer for the selected Ethernet endpoints page). Limit to display filter will only show
conversations matching the current display filter. Note that in this example we have MaxMind DB
configured which gives us extra geographic columns. See MaxMind Database Paths for more
information.
If a display filter had been applied before the dialog is opened, Limit to display filter will be set
automatically. Additionally, after a display filter had been applied, two columns ("Total Packets") and
("Percent Filtered") show the number of unfiltered total packets and the percentage of packets in this
filter display.
The [ Copy ] button will copy the list values to the clipboard in CSV (Comma Separated Values),
YAML format or JSON format. The numbers are generally exported without special formatting, but this
can be enabled if needed. The [ Map ] button will show the endpoints mapped in your web browser.
[ Endpoint Types ] lets you choose which traffic type tabs are shown. See Endpoints above for a list of
endpoint types. The enabled types are saved in your profile settings.

This window will be updated frequently, so it will be useful even if you open it before
TIP
(or while) you are doing a live capture.

162
Packet Lengths
Shows the distribution of packet lengths and related information.

Figure 83. The “Packet Lengths” window

Information is broken down by packet length ranges as shown above.

Packet Lengths
The range of packet lengths.

Ranges can be configured in the “Statistics → Stats Tree” section of the Preferences Dialog.

Count
The number of packets that fall into this range.

Average
The arithmetic mean of the packet lengths in this range.

Min Val, Max Val

The minimum and maximum lengths in this range.

Rate (ms)
The average packets per millisecond for the packets in this range.

Percent
The percentage of packets in this range, by count.

Burst Rate
Packet bursts are detected by counting the number of packets in a given time interval and comparing
that count to the intervals across a window of time. Statistics for the interval with the maximum
number of packets are shown. By default, bursts are detected across 5 millisecond intervals and
intervals are compared across 100 millisecond windows.

163
 These calculations can be adjusted in the “Statistics” section of the Preferences Dialog.

Burst Start
The start time, in seconds from the beginning of the capture, for the interval with the maximum
number of packets.
You can show statistics for a portion of the capture by entering a display filter into the Display filter
entry and pressing [ Apply ].
[ Copy ] copies the statistics to the clipboard. [ Save as… ] lets you save the data as text, CSV, YAML,
or XML.

The “I/O Graphs” Window

Lets you plot packet and protocol data in a variety of ways.

Figure 84. The “I/O Graphs” window

As shown above, this window contains a chart drawing area along with a customizable list of graphs.
Graphs are saved in your current profile. They are divided into time intervals, which can be set as
described below. Hovering over the graph shows the last packet in each interval except as noted below.
Clicking on the graph takes you to the associated packet in the packet list. Individual graphs can be
configured using the following options:
Enabled

164
 Draw or don’t draw this graph.

Graph Name
The name of this graph.

Display Filter
Limits the graph to packets that match this filter.

Color
The color to use for plotting the graph’s lines, bars, or points.

Style
How to visually represent the graph’s data, e.g., by drawing a line, bar, circle, plus, etc.
Y Axis
The value to use for the graph’s Y axis. Can be one of:

Packets, Bytes, or Bits

The total number of packets, packet bytes, or packet bits that match the graph’s display filter per
interval. Zero values are omitted in some cases.
SUM(Y Field)
The sum of the values of the field specified in “Y Field” per interval.

COUNT FRAMES(Y Field)

The number of frames that contain the field specified in “Y Field” per interval. Unlike the plain
“Packets” graph, this always displays zero values.
COUNT FIELDS(Y Field)
The number of instances of the field specified in “Y Field” per interval. Some fields, such as
dns.resp.name, can show up multiple times in a packet.
MAX(Y Field), MIN(Y Field), AVG(Y Field)
The maximum, minimum, and arithmetic mean values of the specified “Y Field” per interval. For
MAX and MIN values, hovering and clicking the graph will show and take you to the packet
with the MAX or MIN value in the interval instead of the most recent packet.
LOAD(Y Field)
If the “Y Field” is a relative time value, this is the sum of the “Y Field” values divided by the
interval time. This can be useful for tracking response times.
Y Field
The display filter field from which to extract values for the Y axis calculations listed above.

SMA Period

165
 Show an average of values over a specified period of intervals.

The chart as a whole can be configured using the controls under the graph list:

[+]
Add a new graph.

[-]
Add a new graph.

[ Copy ]
Copy the selected graph.
[ Clear ]
Remove all graphs.

Mouse drags / zooms

When using the mouse inside the graph area, either drag the graph contents or select a zoom area.
Interval
Set the interval period for the graph.

Time of day
Switch between showing the absolute time of day or the time relative from the start of capture in the
X axis.
Log scale
Switch between a logarithmic or linear Y axis.

Automatic updates
Redraw each graph automatically.

Enable legend
Show a graph legend.

The main dialog buttons along the bottom let you do the following:

The [ Help ] button will take you to this section of the User’s Guide.

The [ Copy ] button will copy values from selected graphs to the clipboard in CSV (Comma Separated
Values) format.
[ Copy from ] will let you copy graphs from another profile.

[ Close ] will close this dialog.

166
[ Save As… ] will save the currently displayed graph as an image or CSV data.

TIP You can see a list of useful keyboard shortcuts by right-clicking on the graph.

Missing Values Are Zero

Wireshark’s I/O Graph window doesn’t distinguish between missing and zero values. For scatter plots it
is assumed that zero values indicate missing data, and those values are omitted. Zero values are shown
in line graphs, and bar charts.

Service Response Time

The service response time is the time between a request and the corresponding response. This
information is available for many protocols, including the following:
• AFP

• CAMEL

• DCE-RPC

• Diameter

• Fibre Channel

• GTP

• GTPv2

• H.225 RAS

• LDAP

• MEGACO

• MGCP

• NCP

• ONC-RPC

• PFCP

• RADIUS

• SCSI

• SMB

• SMB2

• SNMP

167
As an example, the SMB2 service response time is described below in more detail. The other Service
Response Time windows will show statistics specific to their respective protocols, but will offer the
same menu options.

The “SMB2 Service Response Time Statistics” Window

This window shows the number of transactions for each SMB2 opcode present in the capture file along
with various response time statistics. Right-clicking on a row will let you apply or prepare filters for,
search for, or colorize a specific opcode. You can also copy all of the response time information or save
it in a variety of formats.

Figure 85. The “SMB2 Service Response Time Statistics” window

You can optionally apply a display filter in order to limit the statistics to a specific set of packets.

The main dialog buttons along the bottom let you do the following:

The [ Copy ] button will copy the response time information as text.

[ Save As… ] will save the response time information in various formats.

[ Close ] will close this dialog.

DHCP (BOOTP) Statistics

168
The Dynamic Host Configuration Protocol (DHCP) is an option of the Bootstrap Protocol (BOOTP). It
dynamically assigns IP addresses and other parameters to a DHCP client. The DHCP (BOOTP)
Statistics window displays a table over the number of occurrences of a DHCP message type. The user
can filter, copy or save the data into a file.

NetPerfMeter Statistics
The NetPerfMeter Protocol (NPMP) is the control and data transfer protocol of NetPerfMeter, the
transport protocol performance testing tool. It transmits data streams over TCP, SCTP, UDP and DCCP
with given parameters, such as frame rate, frame size, saturated flows, etc.
With these statistics you can:
• Observed number of messages and bytes per message type.

• The share of messages and bytes for each message type.

• See the first and last occurrence of each message type.

• See the interval between first and last occurrence of each message type (if there are at least 2 messages
of the corresponding type).

• See the message and byte rate within the interval for each message type (if there are at least 2
messages of the corresponding type).

See NetPerfMeter – A TCP/MPTCP/UDP/SCTP/DCCP Network Performance Meter Tool and Section

6.3 of Evaluation and Optimisation of Multi-Path Transport using the Stream Control Transmission
Protocol for more details about NetPerfMeter and the NetPerfMeter Protocol.

Figure 86. NetPerfMeter Statistics window

ONC-RPC Programs
Open Network Computing (ONC) Remote Procedure Call (RPC) uses TCP or UDP protocols to map a
program number to a specific port on a remote machine and call a required service at that port. The
ONC-RPC Programs window shows the description for captured program calls, such as program name,
its number, version, and other data.

169
29West
The 29West technology now refers to Ultra-Low Latency Messaging (ULLM) technology. It allows
sending and receiving a high number of messages per second with microsecond delivery times for zero-
latency data delivery.

The Statistics › 29West shows:

The Topics submenu shows counters for: • Advertisement by Topic

• Advertisement by Source

• Advertisement by Transport

• Queries by Topic

• Queries by Receiver

• Wildcard Queries by Pattern

• Wildcard Queries by Receiver

The Queues submenu shows counters for: • Advertisement by Queue

• Advertisement by Source

• Queries by Queue

• Queries by Receiver

The UIM submenu shows Streams: Each stream is provided by Endpoints, Messages,
Bytes, and the First and Last Frame statistics.

The LBT-RM submenu The LBT-RM Transport Statistics window shows

the Sources and Receivers sequence numbers for
transport and other data.

The LBT-RU submenu The LBT-Ru Transport Statistics window shows

the Sources and Receivers sequence numbers for
transport and other data.

ANCP
The Access Node Control Protocol (ANCP) is an TCP based protocol, which operates between an
Access Node and Network Access Server. The Wireshark ANCP dissector supports the listed below
messages:
• Adjacency Message

• Topology Discovery Extensions, such as Port-Up and Port-Down Messages

170
 • Operation And Maintenance (OAM) Extension, such as Port Management Message.

The ANCP window shows the related statistical data. The user can filter, copy or save the data into a
file.

BACnet
Building Automation and Control Networks (BACnet) is a communication protocol which provides
control for various building automated facilities, such as light control, fire alarm control, and others.
Wireshark provides the BACnet statistics which is a packet counter. You can sort packets by instance
ID, IP address, object type or service.

Collectd
Collectd is a system statistics collection daemon. It collects various statistics from your system and
converts it for the network use. The Collectd statistics window shows counts for values, which split into
type, plugin, and host as well as total packets counter. You can filter, copy or save the data to a file.

DNS
The Domain Name System (DNS) associates different information, such as IP addresses, with domain
names. DNS returns different codes, request-response and counters for various aggregations. The DNS
statistics window enlists a total count of DNS messages, which are divided into groups by request types
(opcodes), response code (rcode), query type, and others.

Figure 87. DNS statistics window

171
You might find these statistics useful for quickly examining the health of a DNS service or other
investigations. See the few possible scenarios below:
• The DNS server might have issues if you see that DNS queries have a long request-response time or,
if there are too many unanswered queries.

• DNS requests with abnormally large requests and responses might be indicative of DNS tunneling or
command and control traffic.

• The order of magnitude more DNS responses than requests and the responses are very large might
indicate that the target is being attacked with a DNS-based DDoS.

You can filter, copy or save the data into a file.

Flow Graph
The Flow Graph window shows connections between hosts. It displays the packet time, direction, ports
and comments for each captured connection. You can filter all connections by ICMP Flows, ICMPv6
Flows, UIM Flows and TCP Flows. Flow Graph window is used for showing multiple different topics.
Based on it, it offers different controls.

Figure 88. Flow Graph window

Each vertical line represents the specific host, which you can see in the top of the window.

The numbers in each row at the very left of the window represent the time packet. You can change the
time format in the View › Time Display Format. If you change the time format, you must relaunch the
Flow Graph window to observe the time in a new format.
The numbers at the both ends of each arrow between hosts represent the port numbers.

Left-click a row to select a corresponding packet in the packet list.

172
Right-click on the graph for additional options, such as selecting the previous, current, or next packet in
the packet list. This menu also contains shortcuts for moving the diagram.
Available controls:

• [ Limit to display filter ] filters calls just to ones matching display filter. When display filter is active
before window is opened, checkbox is checked.

• [ Flow type ] allows limit type of protocol flows should be based on.

• [ Addresses ] allows switch shown addresses in diagram.

• [ Reset Diagram ] resets view position and zoom to default state.

• [ Export ] allows export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG and
ASCII (diagram is stored with ASCII characters only)).

Figure 89. Flow Graph window showing VoIP call sequences Additional

shortcuts available for VoIP calls:

• On selected RTP stream

◦ S - Selects the stream in RTP Streams window (if not opened, it opens it and put it on
background).
◦ D - Deselects the stream in RTP Streams window (if not opened, it opens it and put it on
background).
Additional controls available for VoIP calls:

• [ Reset Diagram ] resets view position and zoom to default state.

• [ Play Streams ] sends selected RTP stream to playlist of RTP Player window.

173
 • [ Export ] allows to export diagram as image in multiple different formats (PDF, PNG, BMP, JPEG
and ASCII (diagram is stored with ASCII characters only)).

HART-IP
Highway Addressable Remote Transducer over IP (HART-IP) is an application layer protocol. It sends
and receives digital information between smart devices and control or monitoring systems. The HART-
IP statistics window shows the counter for response, request, publish and error packets. You can filter,
copy or save the data to a file.

HPFEEDS
Hpfeeds protocol provides a lightweight authenticated publishing and subscription. It supports arbitrary
binary payloads which can be separated into different channels. HPFEEDS statistics window shows a
counter for payload size per channel and opcodes. You can filter, copy or save the data to a file.

HTTP Statistics
HTTP Packet Counter
Statistics for HTTP request types and response codes.

HTTP Requests
HTTP statistics based on the host and URI.

HTTP Load Distribution

HTTP request and response statistics based on the server address and host.

HTTP Request Sequences

HTTP Request Sequences uses HTTP’s Referer and Location headers to sequence a capture’s HTTP
requests as a tree. This enables analysts to see how one HTTP request leads to the next.

174
Figure 90. The “HTTP Request Sequences” window

HTTP2
Hypertext Transfer Protocol version 2 (HTTP/2) allows multiplexing various HTTP requests and
responses over a single connection. It uses a binary encoding which is consisting of frames. The
HTTP/2 statistics window shows the total number of HTTP/2 frames and also provides a breakdown
per frame types, such as HEADERS, DATA, and others.
As HTTP/2 traffic is typically encrypted with TLS, you must configure decryption to observe HTTP/2
traffic. For more details, see the TLS wiki page.

Sametime
Sametime is a protocol for the IBM Sametime software. The Sametime statistics window shows the
counter for message type, send type, and user status.

TCP Stream Graphs

Show different visual representations of the TCP streams in a capture.

Time Sequence (Stevens)

175
 This is a simple graph of the TCP sequence number over time, similar to the ones used in Richard
Stevens’ “TCP/IP Illustrated” series of books.
Time Sequence (tcptrace)
Shows TCP metrics similar to the tcptrace utility, including forward segments, acknowledgements,
selective acknowledgements, reverse window sizes, and zero windows.
Throughput
Average throughput and goodput.

Round Trip Time

Round trip time vs time or sequence number. RTT is based on the acknowledgment timestamp
corresponding to a particular segment.
Window Scaling
Window size and outstanding bytes.

UDP Multicast Streams

The UDP Multicast Streams window shows statistics for all UDP multicast streams. It includes source
addresses and ports, destination addresses and ports, packets counter and other data. You can specify
the burst interval, the alarm limits and output speeds. To apply new settings, press [ Enter ].
With these statistics you can:

• Measure the burst size for a video stream. This uses the sliding window algorithm.

• Measure of the output buffer size limit, that no packet drop will occur. This uses the Leaky bucket
algorithm.

• Detect the packet loss inside the MPEG2 video stream.

Figure 91. UDP Multicast Streams window

176
Reliable Server Pooling (RSerPool)
The Reliable Server Pooling (RSerPool) windows show statistics for the different protocols of Reliable
Server Pooling (RSerPool):
• Aggregate Server Access Protocol (ASAP)

• Endpoint Handlespace Redundancy Protocol (ENRP)

Furthermore, statistics for application protocols provided by RSPLIB are provided as well:

• Component Status Protocol (CSP)

• CalcApp Protocol

• Fractal Generator Protocol

• Ping Pong Protocol

• Scripting Service Protocol (SSP) With these statistics you can:

• Observed number of messages and bytes per message type.

• The share of messages and bytes for each message type.

• See the first and last occurrence of each message type.

• See the interval between first and last occurrence of each message type (if there are at least 2 messages
of the corresponding type).

• See the message and byte rate within the interval for each message type (if there are at least 2
messages of the corresponding type).

See Thomas Dreibholz’s Reliable Server Pooling (RSerPool) Page and Chapter 3 of Reliable Server
Pooling – Evaluation, Optimization and Extension of a Novel IETF Architecture for more details about
RSerPool and its protocols.

Figure 92. ASAP Statistics window

177
Figure 93. ENRP Statistics window

Figure 94. Component Status Protocol Statistics window

Figure 95. CalcApp Protocol Statistics window

Figure 96. Fractal Generator Protocol Statistics window

Figure 97. Ping Pong Protocol Statistics window

Figure 98. Scripting Service Protocol Statistics window

178
F5
In F5 Networks, TMM stands for Traffic Management Microkernel. It processes all load-balanced
traffic on the BIG-IP system.
The F5 statistics menu shows packet and byte counts for both Virtual Server Distribution and tmm
Distribution submenus.
Each Virtual Server Distribution window contains the statistics for the following data:

• A line for each named virtual server name.

• A line for traffic with a flow ID and no virtual server name.

• A line for traffic without a flow ID.

Each tmm Distribution window contains the statistics for the following data:

• A line for each tmm, which contains:

◦ A line for each ingress and egress (should add to tmm total), which contains:
▪ Traffic with a virtual server name.
▪ Traffic with a flow ID and no virtual server name.
▪ Traffic without a flow ID.

IPv4 Statistics
Internet Protocol version 4 (IPv4) is a core protocol for the internet layer. It uses 32-bit addresses and
allows packets routing from one source host to the next one.

The Statistics › IPv4 menu provides the packet counter by submenus:

• All Addresses. Divides data by IP address.

• Destination and Ports. Divides data by IP address, and further by IP protocol type, such as TCP, UDP,
and others. It also shows port number.

• IP Protocol Types. Divides data by IP protocol type.

• Source TTLs. Divides data by source IP address and then by TTL. Also shows the destination IP
address for each TTL value.

• Source and Destination addresses. Divides data by source and destination IP address.

You can see similar statistics in the Statistics › Conversations and Statistics › Endpoints menus.

179
IPv6 Statistics
Internet Protocol version 6 (IPv6) is a core protocol for the internet layer. It uses 128-bit addresses and
routes internet traffic. Similar to IPv4 Statistics, the Statistics › IPv6 menu shows the packet counter in
each submenu.

180