Working with captured packets
Viewing packets you have captured

Once you have captured some packets, or opened a previously saved capture file, you can view any packet shown in the packet list pane by clicking on it there; the selected packet is then shown in the tree view and byte view panes. You can expand any part of the tree view by clicking on the plus sign (the symbol itself may vary) to the left of that part of the payload, and you can select individual fields by clicking on them in the tree view pane. An example with a TCP packet selected is shown in . It also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as the selected bytes.
Ethereal with a TCP packet selected for viewing
You can also select and view packets the same way while Ethereal is capturing, if you selected "Update list of packets in real time" in the Ethereal Capture Preferences dialog box. In addition, you can view individual packets in a separate window as shown in . Do this by selecting the packet you are interested in in the packet list pane, and then selecting "Show Packet in New Window" from the View menu. This allows you to easily compare two or more packets.
Viewing a packet in a separate window
Finally, you can bring up a pop-up menu over the "Packet List", "Packet Details" or "Packet Bytes" pane by clicking your right mouse button. The following table gives an overview of which functions are available in which pane (List, Details, Bytes), where to find the corresponding function in the main menu, and a short description of each item.

Function overview of the pop-up menus

Item                             List  Details  Bytes  Menu          Description
Follow TCP Stream                X     X        X      Analyze       View all the data on a TCP stream between a pair of nodes.
Decode As...                     X     X        X      Analyze       Same as the Analyze menu item of the same name.
Display Filters...               X     X        X      Analyze       Specify and manage filters.
Mark Packet                      X     -        -      Edit          Mark a packet.
Time Reference                   X     -        -      Edit          Set/reset and find time references.
Apply as Filter                  X     X        -      Analyze       Same as the Analyze menu item of the same name.
Prepare a Filter                 X     X        -      Analyze       Same as the Analyze menu item of the same name.
Coloring Rules...                X     -        -      View          Colorize packets in the "Packet List" pane.
Print...                         X     -        -      File          Print packets.
Show Packet in New Window        X     -        -      View          Display the selected packet in another window.
Resolve Name                     -     X        -      -             Cause a name resolution to be performed for the selected packet, but NOT for every packet in the capture.
Go to Corresponding Packet       -     X        -      Go            If the selected field has a packet number in it, go to that packet. The corresponding packet will often be the response to the request in this packet, or the request for which this packet is the response.
Export Selected Packet Bytes...  -     X        X      File->Export  Export raw packet bytes to a binary file.
Protocol Preferences...          -     X        -      Edit          Takes you to the preferences dialog and selects the page for the protocol of the highlighted field, if that protocol has settings. More information on preferences can be found in .
Collapse All                     -     X        -      View          Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.
Expand All                       -     X        -      View          Expand all subtrees in all packets in the capture.
Expand Tree                      -     X        -      View          Expand the currently selected subtree.
Pop-up menu of "Packet List" pane
Follow TCP Stream: Same as the Analyze menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.
Decode As...: Same as the Analyze menu item of the same name.
Display Filters...: Same as the Analyze menu item of the same name. It allows you to specify and manage display filters.
Mark Packet: Same as the Edit menu item of the same name. It allows you to mark a packet.
Time Reference: Same as the Edit menu items of the same name. It allows you to set and work with time references.
Apply as Filter: Same as the Analyze menu items of the same name.
Prepare a Filter: Same as the Analyze menu items of the same name.
Coloring Rules...: Same as the View menu item of the same name. It allows you to colorize packets in the packet list pane.
Print...: Same as the File menu item of the same name. It allows you to print packets.
Show Packet in New Window: Same as the View menu item of the same name. It allows you to display the selected packet in another window.
Pop-up menu of "Packet Details" pane
Follow TCP Stream: Same as the Analyze menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.
Decode As...: Same as the Analyze menu item of the same name.
Display Filters...: Same as the Analyze menu item of the same name. It allows you to specify and manage filters.
Resolve Name: Causes name resolution to be performed for the selected packet, but NOT for every packet in the capture.
Go to Corresponding Packet: If the selected field has a corresponding packet, go to it. Corresponding packets will usually be a request/response packet pair or similar.
Export Selected Packet Bytes...: Same as the File menu item of the same name. It allows you to export raw packet bytes to a binary file.
Protocol Preferences...: Takes you to the preferences dialog and selects the page for the protocol of the highlighted field, if that protocol has settings. More information on preferences can be found in .
Apply as Filter: Same as the Analyze menu items of the same name.
Prepare a Filter: Same as the Analyze menu items of the same name.
Collapse All: Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.
Expand All: Expands all subtrees in all packets in the capture.
Expand Tree: Expands the currently selected subtree.
Pop-up menu of "Packet Bytes" pane
Follow TCP Stream: Same as the Analyze menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.
Decode As...: Same as the Analyze menu item of the same name.
Display Filters...: Same as the Analyze menu item of the same name. It allows you to specify and manage filters.
Export Selected Packet Bytes...: Same as the File menu item of the same name. It allows you to export raw packet bytes to a binary file.
Filtering packets while viewing

Ethereal has two filtering languages: one used when capturing packets, and one used when displaying packets. In this section we explore the second type of filter: display filters. Capture filters have already been dealt with in .

Display filters allow you to concentrate on the packets you are interested in. They allow you to select packets by:
- protocol,
- the presence of a field,
- the values of fields,
- a comparison between fields,
- ... and a lot more!

To select packets based on protocol type, simply type the name of the protocol you are interested in into the Filter: field in the filter toolbar of the Ethereal window and press Enter to apply the filter. shows an example of what happens when you type tcp in the filter field. Note! All protocol and field names are entered in lowercase. Also, don't forget to press Enter after entering the filter expression.
Filtering on the TCP protocol
As you might have noticed, only packets of the TCP protocol are displayed now (e.g. packets 1-10 are hidden). The packet numbering remains as before, so the first packet shown is now packet number 11. Note! When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file and not its content! You can filter on any protocol that Ethereal understands. You can also filter on any field that a dissector adds to the tree view, but only if the dissector has added an abbreviation for the field. A list of such fields is available in the Add Expression... dialog box. You can find more information on the Add Expression... dialog box in . For example, to narrow the packet list pane down to only those packets to or from the IP address 192.168.0.1, use ip.addr==192.168.0.1. Note! To remove the filter, click on the Clear button to the right of the filter field.
Building display filter expressions Ethereal provides a simple but powerful display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.
Display filter fields

Every field in the packet details pane can be used as a filter string; a field name on its own shows only the packets in which that field exists. For example, the filter string tcp shows all packets that contain the TCP protocol. A complete list of all filter fields is available through the menu item "Help/Supported Protocols", on the "Display Filter Fields" page of the dialog that appears.
Comparing values

You can build display filters that compare values using a number of different comparison operators. They are shown in . You can use the English and C-like forms interchangeably; they can even be mixed in a filter string.

Display Filter comparison operators

English  C-like  Description               Example
eq       ==      Equal                     ip.addr==10.0.0.5
ne       !=      Not equal                 ip.addr!=10.0.0.5
gt       >       Greater than              frame.pkt_len > 10
lt       <       Less than                 frame.pkt_len < 128
ge       >=      Greater than or equal to  frame.pkt_len ge 0x100
le       <=      Less than or equal to     frame.pkt_len <= 0x20
In addition, all protocol fields are typed. provides a list of the types and examples of how to express them.

Display Filter Field Types

Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit): You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent (octal 02734 and hexadecimal 0x5dc are both 1500):
  ip.len le 1500
  ip.len le 02734
  ip.len le 0x5dc
Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
Boolean: A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.
Ethernet address (6 bytes): eth.addr == ff:ff:ff:ff:ff:ff
IPv4 address: ip.addr == 192.168.0.1
IPv6 address
IPX network number
String (text)
Double-precision floating point number
Combining expressions

You can combine filter expressions in Ethereal using the logical operators shown in .

Display Filter Logical Operations

English  C-like  Description  Example
and      &&      Logical AND  ip.addr==10.0.0.5 and tcp.flags.fin
or       ||      Logical OR   ip.addr==10.0.0.5 or ip.addr==192.1.1.1
xor      ^^      Logical XOR  tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not      !       Logical NOT  not llc
[...]            Substring Operator (see below)

Substring Operator

Ethereal allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [] containing a comma-separated list of range specifiers.

eth.src[0:3] == 00:00:83
The example above uses the n:m format to specify a single range. In this case n is the beginning offset and m is the length of the range being specified.

eth.src[1-2] == 00:83
The example above uses the n-m format to specify a single range. In this case n is the beginning offset and m is the ending offset (inclusive).

eth.src[:4] == 00:00:83:00
The example above uses the :m format, which takes everything from the beginning of a sequence to offset m. It is equivalent to 0:m.

eth.src[4:] == 20:20
The example above uses the n: format, which takes everything from offset n to the end of the sequence.

eth.src[2] == 83
The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1.

eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
Ethereal allows you to string together single ranges in a comma-separated list to form compound ranges, as shown above; the selected ranges are concatenated in the order listed.
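The following is an added example, not code from the Ethereal User's Guide or from the Ethereal project: a small Python implementation of the substring operator's five range forms (n:m, n-m, :m, n: and n, plus comma-separated compound ranges), applied to a byte field so that the eth.src examples above can be checked. The source MAC 00:00:83:00:20:20 is constructed from the examples; negative offsets and other extensions are not modelled.

```python
# Added example (not from the Ethereal User's Guide): a model of the
# display-filter substring operator applied to a byte field such as eth.src.
# Range forms are the five the text describes: n:m, n-m, :m, n: and n.
from typing import List, Tuple


def parse_ranges(spec: str, length: int) -> List[Tuple[int, int]]:
    """Parse the comma-separated list inside [...] into half-open (start, stop)
    slices over a sequence of `length` elements, in the order listed."""
    slices = []
    for part in spec.split(","):
        part = part.strip()
        if ":" in part:                                  # n:m, :m or n:
            n, m = part.split(":", 1)
            start = int(n) if n else 0                   # :m is the same as 0:m
            stop = start + int(m) if m else length       # n: runs to the end
        elif "-" in part:                                # n-m, m is an inclusive end offset
            n, m = part.split("-", 1)
            start, stop = int(n), int(m) + 1
        else:                                            # n, a single element (same as n:1)
            start = int(part)
            stop = start + 1
        if not 0 <= start <= stop <= length:
            raise ValueError(f"range {part!r} is out of bounds for {length} bytes")
        slices.append((start, stop))
    return slices


def substring(field: bytes, spec: str) -> bytes:
    """Concatenate the selected ranges; this is how a compound range such as
    [0:3,1-2,:4,4:,2] builds its result."""
    return b"".join(field[a:b] for a, b in parse_ranges(spec, len(field)))


def parse_bytes(text: str) -> bytes:
    """Parse a colon-separated hex byte string as written in filter literals."""
    return bytes(int(x, 16) for x in text.split(":"))


def format_bytes(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


def slice_matches(field: bytes, spec: str, literal: str) -> bool:
    """Evaluate field[spec] == literal, e.g. eth.src[0:3] == 00:00:83."""
    return substring(field, spec) == parse_bytes(literal)


if __name__ == "__main__":
    # Constructed source MAC that reproduces the examples in the text.
    eth_src = parse_bytes("00:00:83:00:20:20")
    for spec in ("0:3", "1-2", ":4", "4:", "2", "0:3,1-2,:4,4:,2"):
        print(f"eth.src[{spec}] == {format_bytes(substring(eth_src, spec))}")
```

Running the block prints each example's selected bytes; the compound range yields 00:00:83:00:83:00:00:83:00:20:20:83, the value the text gives. Out-of-bounds ranges raise ValueError rather than silently matching nothing, which is the behaviour you want when a filter is typed wrongly.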
A common mistake

Often people use a filter string such as ip.addr == 1.2.3.4, which will display all packets containing the IP address 1.2.3.4. Then they use ip.addr != 1.2.3.4, expecting to see all packets that do not contain the IP address 1.2.3.4. Unfortunately, this does not do what is expected. That expression is also true for most packets that do contain 1.2.3.4: whenever one of the two addresses is 1.2.3.4 and the other is not. The reason is that the expression ip.addr != 1.2.3.4 must be read as "the packet contains a field named ip.addr with a value different from 1.2.3.4". As an IP datagram contains both a source and a destination address, the expression will evaluate to true whenever at least one of the two addresses differs from 1.2.3.4. If you want to filter out all packets containing IP datagrams to or from IP address 1.2.3.4, the correct filter is !(ip.addr == 1.2.3.4), which reads "show me all the packets for which it is not true that a field named ip.addr exists with a value of 1.2.3.4", or in other words, "hide every packet in which at least one ip.addr field has the value 1.2.3.4".
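The following is an added example, not code from the Ethereal User's Guide or from the Ethereal project: a Python model of how a comparison is evaluated when a field occurs more than once in a packet, following the rule the text describes (a comparison is true if any occurrence of the field satisfies it). The five packets are constructed; ip.addr is modelled as the pair of ip.src and ip.dst. It also evaluates ip.src != 1.2.3.4 and ip.dst != 1.2.3.4, an alternative the text does not mention, to show that it differs from !(ip.addr == 1.2.3.4) on packets that have no IP layer. Note that newer Wireshark releases changed the meaning of != on multiply-occurring fields; check the manual for your version.

```python
# Added example (not from the Ethereal User's Guide): why ip.addr != 1.2.3.4
# does not exclude traffic to or from 1.2.3.4. Packets are constructed; each
# field name maps to the list of its occurrences in the packet.
from typing import Callable, Dict, List, Optional

Packet = Dict[str, List[str]]


def packet(number: int, src: Optional[str] = None, dst: Optional[str] = None) -> Packet:
    """Build a constructed packet. ip.addr occurs twice because it matches
    both the source and the destination address."""
    pkt: Packet = {"frame.number": [str(number)]}
    if src is not None and dst is not None:
        pkt["ip.src"] = [src]
        pkt["ip.dst"] = [dst]
        pkt["ip.addr"] = [src, dst]
    return pkt


CAPTURE: List[Packet] = [
    packet(1, "1.2.3.4", "10.0.0.5"),    # from 1.2.3.4
    packet(2, "10.0.0.5", "1.2.3.4"),    # to 1.2.3.4
    packet(3, "10.0.0.5", "10.0.0.9"),   # unrelated IP traffic
    packet(4, "1.2.3.4", "1.2.3.4"),     # both addresses are 1.2.3.4
    packet(5),                           # no IP layer at all (e.g. ARP)
]


def compare(pkt: Packet, name: str, op: str, literal: str) -> bool:
    """field op literal: true if ANY occurrence of the field satisfies it.
    A packet that lacks the field is false for every comparison."""
    tests = {"==": lambda v: v == literal, "!=": lambda v: v != literal}
    return any(tests[op](v) for v in pkt.get(name, []))


def select(packets: List[Packet], expr: Callable[[Packet], bool]) -> List[int]:
    """Return the packet numbers a filter expression keeps displayed."""
    return [int(p["frame.number"][0]) for p in packets if expr(p)]


def addr_equals(packets: List[Packet]) -> List[int]:
    """ip.addr == 1.2.3.4"""
    return select(packets, lambda p: compare(p, "ip.addr", "==", "1.2.3.4"))


def addr_not_equals(packets: List[Packet]) -> List[int]:
    """ip.addr != 1.2.3.4 (the common mistake: keeps packets 1 and 2)"""
    return select(packets, lambda p: compare(p, "ip.addr", "!=", "1.2.3.4"))


def not_addr_equals(packets: List[Packet]) -> List[int]:
    """!(ip.addr == 1.2.3.4) (the correct filter from the text)"""
    return select(packets, lambda p: not compare(p, "ip.addr", "==", "1.2.3.4"))


def src_and_dst_differ(packets: List[Packet]) -> List[int]:
    """ip.src != 1.2.3.4 and ip.dst != 1.2.3.4 (also drops non-IP packets)"""
    return select(packets, lambda p: compare(p, "ip.src", "!=", "1.2.3.4")
                  and compare(p, "ip.dst", "!=", "1.2.3.4"))


if __name__ == "__main__":
    print("ip.addr == 1.2.3.4                        ->", addr_equals(CAPTURE))
    print("ip.addr != 1.2.3.4                        ->", addr_not_equals(CAPTURE))
    print("!(ip.addr == 1.2.3.4)                     ->", not_addr_equals(CAPTURE))
    print("ip.src != 1.2.3.4 and ip.dst != 1.2.3.4   ->", src_and_dst_differ(CAPTURE))
```

The mistaken filter keeps packets 1, 2 and 3 and drops only packet 4, where both addresses equal 1.2.3.4, and packet 5, which has no ip.addr at all. The negated form keeps packets 3 and 5. The ip.src/ip.dst form keeps only packet 3, because a packet without an IP layer fails both comparisons; pick the form that matches whether you want non-IP traffic in the display.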
The "Filter Expression" dialog box When you are accustomed to Ethereal's filtering system and know what labels you wish to use in your filters it can be very quick to simply type a filter string. However if you are new to Ethereal or are working with a slightly unfamiliar protocol it can be very confusing to try to figure out what to type. The Filter Expression dialog box helps with this. Tip! The "Filter Expression" dialog box is an excellent way to learn how to write Ethereal display filter strings.
The "Filter Expression" dialog box
When you first bring up the Filter Expression dialog box you are shown a tree list of field names, organized by protocol, and a box for selecting a relation.

Field Name: Select a protocol field from the protocol field tree. Every protocol with filterable fields is listed at the top level. By clicking on the "+" next to a protocol name you can get a list of the field names available for filtering for that protocol.
Relation: Select a relation from the list of available relations. "is present" is a unary relation which is true if the selected field is present in a packet. All other listed relations are binary relations which require additional data (e.g. a Value to match) to complete. When you select a field from the field name list and select a binary relation (such as the equality relation ==) you will be given the opportunity to enter a value, and possibly some range information.
Value: You may enter an appropriate value in the Value text box. The Value label also indicates the type of value for the field name you have selected (such as character string).
Predefined values: Some of the protocol fields have predefined values available, much like enums in C. If the selected protocol field has such values defined, you can choose one here.
Range: Optionally restrict the comparison to a part of the selected field, given as offset:length, using the substring operator described above.
OK: When you have built a satisfactory expression click OK and a filter string will be built for you.
Cancel: You can leave the Add Expression... dialog box without any effect by clicking the Cancel button.
Defining and saving filters You can define filters with Ethereal and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use. To define a new filter or edit an existing filter, select the Capture Filters... menu item from the Capture menu or the Display Filters... menu item from the Analyze menu. Ethereal will then pop up the Filters dialog as shown in . Note! The mechanisms for defining and saving capture filters and display filters are almost identical. So both will be described here, differences between these two will be marked as such. Warning! You must use Save to save your filters permanently. Ok or Apply will not save the filters, so they will be lost when you close Ethereal.
The "Capture Filters" and "Display Filters" dialog boxes
New: This button adds a new filter to the list of filters. The currently entered values from Filter name and Filter string will be used. If either of these fields is empty, it will be set to "new".
Delete: This button deletes the selected filter. It will be greyed out if no filter is selected.
Filter: You can select a filter from this list (which will fill in the filter name and filter string in the fields at the bottom of the dialog box).
Filter name: You can change the name of the currently selected filter here. Note! The filter name will only be used in this dialog to identify the filter for your convenience; it will not be used elsewhere. You can add multiple filters with the same name, but this is not very useful.
Filter string: You can change the filter string of the currently selected filter here. Display Filter only: the string will be syntax checked while you are typing.
Add Expression...: Display Filter only: This button brings up the Add Expression dialog box which assists in building filter strings. You can find more information about the Add Expression dialog box in .
OK: Display Filter only: This button applies the selected filter to the current display and closes the dialog.
Apply: Display Filter only: This button applies the selected filter to the current display, and keeps the dialog open.
Save: Save the current settings in this dialog. The file location and format are explained in .
Close: Close this dialog. This will discard unsaved settings.
Finding packets You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet... menu item from the Edit menu. Ethereal will pop up the dialog box shown in .
The "Find Packet" dialog box
The "Find Packet" dialog box
You might first select the kind of thing to search for:

Display filter: Simply enter a display filter string into the Filter: field, select a direction, and click on OK. For example, to find the three-way handshake for a connection from host 192.168.0.1, use the following filter string: ip.addr==192.168.0.1 and tcp.flags.syn. This matches the SYN and SYN/ACK segments; the final ACK of the handshake does not carry the SYN flag and is not matched. For more details on display filters, see .
Hex Value: Search for a specific byte sequence in the packet data. For example, use "00:00" to find the next packet including two null bytes in the packet data.
String: Find a string in the packet data, with various options.

The value to be found will be syntax checked while you type it in. If the syntax check of your value succeeds, the background of the entry field will turn green; if it fails, it will turn red.

You can choose the direction to be searched:

Up: Search upwards in the packet list (decreasing packet numbers).
Down: Search downwards in the packet list (increasing packet numbers).
The "Find Next" command "Find Next" will continue searching with the same options like in the last "Find Packet" run.
The "Find Previous" command "Find Previous" will do the same thing as "Find Next", but with reverse search direction.
Go to a specific packet You can easily jump to specific packets with one of the menu items in the Go menu.
The "Go to Packet" dialog box
The "Go To Packet" dialog box
This dialog box will let you enter a packet number. When you press OK, Ethereal will jump to that packet.
The "Go to Corresponding Packet" command If a protocol field is selected, which points to another packet in the capture file, this command will jump to that packet. Note! As these protocol fields now work like links (just as in your Web browser), it's easier simply to double-click on the field to jump to the corresponding field.
The "Go to First Packet" command This command will simply jump to the first packet displayed.
The "Go to Last Packet" command This command will simply jump to the last packet displayed.
Marking packets

You can mark packets in the "Packet List" pane. A marked packet will be shown with a black background, regardless of the coloring rules set. Marking a packet can be useful for finding it again later while analyzing a large capture file. Warning! The packet marks are not stored in the capture file or anywhere else, so all packet marks will be lost when you close the capture file. You can use packet marking to control the output of packets when saving/exporting/printing. To do so, an option in the packet range is available, see . There are three functions to manipulate the marked state of a packet: Mark packet toggles the marked state of a single packet; Mark all packets sets the mark state of all packets; Unmark all packets resets the mark state of all packets. These mark functions are available from the "Edit" menu, and the "Mark packet" function is also available from the popup menu of the "Packet List" pane.
Time display formats and time references

While packets are captured, each packet is timestamped. These timestamps are saved to the capture file, so they are available for later analysis. When the packets are displayed, the presentation of these timestamps can be chosen by the user. There are four presentation formats available:

Time of Day, e.g. 20:02:48.863096: The absolute time of day when the packet was captured.
Date and Time of Day, e.g. 2004-06-22 20:02:48.863096: The absolute date and time of day when the packet was captured.
Seconds Since Beginning of Capture, e.g. 123.299139: The time relative to the start of the capture file, or to the last "Time Reference" before this packet (see ).
Seconds Since Previous Packet, e.g. 1.162423: The time relative to the previous packet.

The time format can be selected from the View menu, see .
Packet time referencing

The user can set time references to packets. A time reference is the starting point for all subsequent packet time calculations. This is useful if you want to see the time values relative to a particular packet, e.g. the start of a new request. It's possible to set multiple time references in the capture file. Warning! The time references will not be saved permanently and will be lost when you close the capture file. Note! Time referencing will only be useful if the time display format is set to "Seconds Since Beginning of Capture". If one of the other time display formats is used, time referencing will have no effect (and will make no sense either). To work with time references, choose one of the "Time Reference" items in the "Edit" menu, see , or from the popup menu of the "Packet List" pane. Set Time Reference (toggle): Toggles the time reference state of the currently selected packet on or off. Find Next: Finds the next time referenced packet in the "Packet List" pane. Find Previous: Finds the previous time referenced packet in the "Packet List" pane.
Ethereal showing a time referenced packet
A time referenced packet will be marked with the string *REF* in the Time column (see packet number 10). All subsequent packets will show the time since the last time reference.