User Interface
Introduction

By now you have installed Ethereal and are most likely keen to get started capturing your first packets. In the next chapters we will explore:

- How the Wireshark user interface works
- How to capture packets in Ethereal
- How to view packets in Ethereal
- How to filter packets in Ethereal
- ... and many other things!
Start Ethereal

You can start Ethereal from your shell or window manager.

Tip! When starting Ethereal it's possible to specify optional settings using the command line. See for details.

Note! In the following chapters, a lot of screenshots from Ethereal will be shown. As Ethereal runs on many different platforms and there are different versions of the underlying GUI toolkit (GTK 1.x / 2.x) in use, your screen might look different from the provided screenshots. But as there are no real differences in functionality, these screenshots should still be easy to understand.
The Main window

Let's look at Ethereal's user interface. The following figure shows Ethereal as you would usually see it after some packets have been captured or loaded (how to do this will be described later).
The Main window
Ethereal's main window consists of parts that are commonly known from many other GUI programs.

- The menu (see ) is used to start actions.
- The main toolbar (see ) provides quick access to frequently used items from the menu.
- The filter toolbar (see ) provides a way to directly manipulate the currently used display filter (see ).
- The packet list pane (see ) displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
- The packet details pane (see ) displays the packet selected in the packet list pane in more detail.
- The packet bytes pane (see ) displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
- The statusbar (see ) shows some detailed information about the current program state and the captured data.

Tip! The layout of the main window can be customized by changing preference settings. See for details!
The Menu

The Wireshark menu sits on top of the Wireshark window. An example is shown in .

Note! Menu items will be greyed out if the corresponding feature isn't available. For example, you cannot save a capture file if you didn't capture or load any data before.
The Menu
It contains the following items:

- File: This menu contains items to open and merge capture files, save / print / export capture files in whole or in part, and to quit from Ethereal. See .
- Edit: This menu contains items to find a packet, time reference or mark one or more packets, and set your preferences (cut, copy, and paste are not presently implemented). See .
- View: This menu controls the display of the captured data, including the colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in packet details, and more. See .
- Go: This menu contains items to go to a specific packet. See .
- Capture: This menu allows you to start and stop captures and to edit capture filters. See .
- Analyze: This menu contains items to manipulate display filters, enable or disable the dissection of protocols, configure user specified decodes and follow a TCP stream. See .
- Statistics: This menu contains menu items to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics and much more. See .
- Help: This menu contains items to help the user, like access to some basic help, a list of the supported protocols, manual pages, online access to some of the webpages, and the usual about dialog. See .

Each of these menu items is described in more detail in the sections that follow.

Tip! You can access menu items directly or by pressing the corresponding accelerator keys, which are shown at the right side of the menu. For example, you can press the Control (or Strg in German) and the K keys together to open the capture dialog.
The "File" menu The Wireshark file menu contains the fields shown in .
The "File" Menu
File menu items (menu item, accelerator, description):

Open... (Ctrl+O)
    This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in .
Open Recent
    This menu item shows a submenu containing the recently opened capture files. Clicking on one of the submenu items will open the corresponding capture file directly.
Merge...
    This menu item brings up the merge file dialog box that allows you to merge a capture file into the currently loaded one. It is discussed in more detail in .
Close (Ctrl+W)
    This menu item closes the current capture. If you haven't saved the capture, you will be asked to do so first (this can be disabled by a preference setting).
------
Save (Ctrl+S)
    This menu item saves the current capture. If you have not set a default capture file name (perhaps with the -w <capfile> option), Ethereal pops up the Save Capture File As dialog box (which is discussed further in ).
    Note! If you have already saved the current capture, this menu item will be greyed out.
    Note! You cannot save a live capture while it is in progress. You must stop the capture in order to save.
Save As... (Shift+Ctrl+S)
    This menu item allows you to save the current capture file to whatever file you would like. It pops up the Save Capture File As dialog box (which is discussed further in ).
------
File Set > List Files
    This menu item allows you to show a list of files in a file set. It pops up the Wireshark List File Set dialog box (which is discussed further in ).
File Set > Next File
    If the currently loaded file is part of a file set, jump to the next file in the set. If it isn't part of a file set or is the last file in that set, this item is greyed out.
File Set > Previous File
    If the currently loaded file is part of a file set, jump to the previous file in the set. If it isn't part of a file set or is the first file in that set, this item is greyed out.
------
Export > as "Plain Text" file...
    This menu item allows you to export all, or some, of the packets in the capture file to a plain ASCII text file. It pops up the Wireshark Export dialog box (which is discussed further in ).
Export > as "PostScript" file...
    This menu item allows you to export all (or some) of the packets in the capture file to a PostScript file. It pops up the Wireshark Export dialog box (which is discussed further in ).
Export > as "CSV" (Comma Separated Values packet summary) file...
    This menu item allows you to export all (or some) of the packet summaries in the capture file to a .csv file (e.g. used by spreadsheet programs). It pops up the Wireshark Export dialog box (which is discussed further in ).
Export > as "PSML" file...
    This menu item allows you to export all (or some) of the packets in the capture file to a PSML (packet summary markup language) XML file. It pops up the Wireshark Export dialog box (which is discussed further in ).
Export > as "PDML" file...
    This menu item allows you to export all (or some) of the packets in the capture file to a PDML (packet details markup language) XML file. It pops up the Wireshark Export dialog box (which is discussed further in ).
Export > Selected Packet Bytes... (Ctrl+H)
    This menu item allows you to export the currently selected bytes in the packet bytes pane to a binary file. It pops up the Ethereal Export dialog box (which is discussed further in ).
------
Print... (Ctrl+P)
    This menu item allows you to print all (or some of) the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in ).
------
Quit (Ctrl+Q)
    This menu item allows you to quit from Ethereal. Ethereal will ask to save your capture file if you haven't saved it before (this can be disabled by a preference setting).
The "Edit" menu The Wireshark Edit menu contains the fields shown in .
The "Edit" Menu
Edit menu items (menu item, accelerator, description):

Find Packet... (Ctrl+F)
    This menu item brings up a dialog box that allows you to find a packet by many criteria. There is further information on finding packets in .
Find Next (Ctrl+N)
    This menu item tries to find the next packet matching the settings from "Find Packet...".
Find Previous (Ctrl+B)
    This menu item tries to find the previous packet matching the settings from "Find Packet...".
------
Time Reference > Set Time Reference (toggle) (Ctrl+T)
    This menu item sets a time reference on the currently selected packet. See for more information about time referenced packets.
Time Reference > Find Next
    This menu item tries to find the next time referenced packet.
Time Reference > Find Previous
    This menu item tries to find the previous time referenced packet.
Mark Packet (toggle) (Ctrl+M)
    This menu item "marks" the currently selected packet. See for details.
Mark All Packets
    This menu item "marks" all packets.
Unmark All Packets
    This menu item "unmarks" all marked packets.
------
Preferences... (Shift+Ctrl+P)
    This menu item brings up a dialog box that allows you to set preferences for many parameters that control Ethereal. You can also save your preferences so Ethereal will use them the next time you start it. More detail is provided in .
The "View" menu The Wireshark View menu contains the fields shown in .
The "View" Menu
View menu items (menu item, accelerator, description):

Main Toolbar
    This menu item hides or shows the main toolbar, see .
Filter Toolbar
    This menu item hides or shows the filter toolbar, see .
Statusbar
    This menu item hides or shows the statusbar, see .
------
Packet List
    This menu item hides or shows the packet list pane, see .
Packet Details
    This menu item hides or shows the packet details pane, see .
Packet Bytes
    This menu item hides or shows the packet bytes pane, see .
------
Time Display Format > Date and Time of Day: 1970-01-01 01:02:03.123456
    Selecting this tells Ethereal to display the time stamps in date and time of day format, see .
    Note! The fields "Time of Day", "Date and Time of Day", "Seconds Since Beginning of Capture" and "Seconds Since Previous Packet" are mutually exclusive.
Time Display Format > Time of Day: 01:02:03.123456
    Selecting this tells Ethereal to display time stamps in time of day format, see .
Time Display Format > Seconds Since Beginning of Capture: 123.123456
    Selecting this tells Ethereal to display time stamps in seconds since beginning of capture format, see .
Time Display Format > Seconds Since Previous Packet: 1.123456
    Selecting this tells Ethereal to display time stamps in seconds since previous packet format, see .
Time Display Format > ------
Time Display Format > Automatic (File Format Precision)
    Selecting this tells Ethereal to display time stamps with the precision given by the capture file format used, see .
    Note! The fields "Automatic", "Seconds" and "...seconds" are mutually exclusive.
Time Display Format > Seconds: 0
    Selecting this tells Ethereal to display time stamps with a precision of one second, see .
Time Display Format > ...seconds: 0....
    Selecting this tells Ethereal to display time stamps with a precision of one second, decisecond, centisecond, millisecond, microsecond or nanosecond, see .
Name Resolution > Resolve Name
    This item allows you to trigger a name resolution of the current packet only, see .
Name Resolution > Enable for MAC Layer
    This item allows you to control whether or not Ethereal translates MAC addresses into names, see .
Name Resolution > Enable for Network Layer
    This item allows you to control whether or not Ethereal translates network addresses into names, see .
Name Resolution > Enable for Transport Layer
    This item allows you to control whether or not Ethereal translates transport addresses into names, see .
Colorize Packet List
    This item allows you to control whether or not Ethereal should colorize the packet list.
    Note! Enabling colorization will slow down the display of new packets while capturing / loading capture files.
Auto Scroll in Live Capture
    This item allows you to specify that Ethereal should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Ethereal simply adds new packets onto the end of the list, but does not scroll the packet list pane.
------
Zoom In (Ctrl++)
    Zoom into the packet data (increase the font size).
Zoom Out (Ctrl+-)
    Zoom out of the packet data (decrease the font size).
Normal Size (Ctrl+=)
    Set zoom level back to 100% (set font size back to normal).
Resize All Columns
    Resize all column widths so the content will fit into them.
    Note! Resizing may take a significant amount of time, especially if a large capture file is loaded.
------
Expand Subtrees
    This menu item expands the currently selected subtree in the packet details tree.
Expand All
    Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
Collapse All
    This menu item collapses the tree view of all packets in the capture list.
------
Coloring Rules...
    This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets, see .
------
Show Packet in New Window
    This menu item brings up the selected packet in a separate window. The separate window shows only the tree view and byte view panes.
Reload (Ctrl-R)
    This menu item allows you to reload the current capture file.
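The two mutually exclusive groups of the Time Display Format submenu (the four formats and the precision settings) are worked through below in Python. This is an added example, not Ethereal's own code; the packet timestamps are constructed, the time of day is rendered in UTC rather than local time, truncation rather than rounding of extra digits is assumed, and "Automatic" is assumed to mean libpcap's microsecond precision.

```python
from datetime import datetime, timezone

# Constructed packet timestamps (seconds, microseconds since the epoch) in
# libpcap style; they are not from a real capture.
PACKETS = [
    (3723, 123456),   # 1970-01-01 01:02:03.123456 UTC
    (3724, 246912),
    (3726, 0),
]

# Assumption: the capture file format stores microseconds (libpcap), so
# "Automatic (File Format Precision)" means six fractional digits.
FILE_FORMAT_PRECISION = 6

# Second mutually exclusive group of the submenu: number of fractional digits.
PRECISION = {
    "Automatic": FILE_FORMAT_PRECISION, "Seconds": 0, "Deciseconds": 1,
    "Centiseconds": 2, "Milliseconds": 3, "Microseconds": 6, "Nanoseconds": 9,
}


def _fraction(micros, digits):
    """Fractional part at the requested precision. Digits beyond the stored
    microseconds are zero-filled; surplus digits are cut off (assumption:
    truncation, not rounding)."""
    if digits == 0:
        return ""
    return "." + (f"{micros:06d}" + "000")[:digits]


def _delta(a, b):
    """a - b as (sign, whole seconds, microseconds), computed in integers so
    no floating point error leaks into the column."""
    total = (a[0] * 1_000_000 + a[1]) - (b[0] * 1_000_000 + b[1])
    whole, micros = divmod(abs(total), 1_000_000)
    return ("-" if total < 0 else ""), whole, micros


def format_timestamp(packets, index, fmt, precision="Automatic"):
    """Time column text for packets[index] in one of the four mutually
    exclusive display formats, at one of the mutually exclusive precisions."""
    digits = PRECISION[precision]
    sec, usec = packets[index]
    if fmt in ("Date and Time of Day", "Time of Day"):
        # Assumption: rendered in UTC; the GUI uses the machine's local time.
        t = datetime.fromtimestamp(sec, tz=timezone.utc)
        pattern = "%Y-%m-%d %H:%M:%S" if fmt == "Date and Time of Day" else "%H:%M:%S"
        return t.strftime(pattern) + _fraction(usec, digits)
    if fmt == "Seconds Since Beginning of Capture":
        sign, whole, micros = _delta(packets[index], packets[0])
    elif fmt == "Seconds Since Previous Packet":
        # Out-of-order packets yield a negative delta, which the sign carries.
        prev = packets[index - 1] if index > 0 else packets[index]
        sign, whole, micros = _delta(packets[index], prev)
    else:
        raise ValueError(f"unknown time display format: {fmt}")
    return f"{sign}{whole}{_fraction(micros, digits)}"


def time_column(packets, fmt, precision="Automatic"):
    """The whole Time column of the packet list for the chosen settings."""
    return [format_timestamp(packets, i, fmt, precision) for i in range(len(packets))]


if __name__ == "__main__":
    for fmt in ("Date and Time of Day", "Time of Day",
                "Seconds Since Beginning of Capture", "Seconds Since Previous Packet"):
        print(f"{fmt}: {time_column(PACKETS, fmt)}")
    print("Milliseconds:", time_column(PACKETS, "Seconds Since Previous Packet", "Milliseconds"))
```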
The "Go" menu The Wireshark Go menu contains the fields shown in .
The "Go" Menu
Go menu items (menu item, accelerator, description):

Back (Alt+Left)
    Jump to the recently visited packet in the packet history, much like the page history in a web browser.
Forward (Alt+Right)
    Jump to the next visited packet in the packet history, much like the page history in a web browser.
Go to Packet... (Ctrl-G)
    Bring up a dialog box that allows you to specify a packet number, and then go to that packet. See for details.
Go to Corresponding Packet
    Go to the corresponding packet of the currently selected protocol field. If the selected field doesn't correspond to a packet, this item is greyed out.
------
First Packet
    Jump to the first packet of the capture file.
Last Packet
    Jump to the last packet of the capture file.
The "Capture" menu The Wireshark Capture menu contains the fields shown in .
The "Capture" Menu
Capture menu items (menu item, accelerator, description):

Interfaces...
    This menu item brings up a dialog box that shows what's going on at the network interfaces Ethereal knows of, see .
Options... (Ctrl+K)
    This menu item brings up the Capture Options dialog box (discussed further in ) and allows you to start capturing packets.
Start
    Immediately start capturing packets with the same settings as the last time.
Stop (Ctrl+E)
    This menu item stops the currently running capture, see .
Restart
    This menu item stops the currently running capture and starts it again with the same options; this is just for convenience.
Capture Filters...
    This menu item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in .
The "Analyze" menu The Wireshark Analyze menu contains the fields shown in .
The "Analyze" Menu
Analyze menu items (menu item, accelerator, description):

Display Filters...
    This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in .
Apply as Filter > ...
    These menu items will change the current display filter and apply the changed filter immediately. Depending on the chosen menu item, the current display filter string will be replaced or appended to by the selected protocol field in the packet details pane.
Prepare a Filter > ...
    These menu items will change the current display filter but won't apply the changed filter. Depending on the chosen menu item, the current display filter string will be replaced or appended to by the selected protocol field in the packet details pane.
------
Enabled Protocols... (Shift+Ctrl+R)
    This menu item allows the user to enable/disable protocol dissectors, see .
Decode As...
    This menu item allows the user to force Ethereal to decode certain packets as a particular protocol, see .
User Specified Decodes...
    This menu item allows the user to force Ethereal to decode certain packets as a particular protocol, see .
------
Follow TCP Stream
    This menu item brings up a separate window and displays all the TCP segments captured that are on the same TCP connection as a selected packet, see .
The "Statistics" menu The Wireshark Statistics menu contains the fields shown in .
The "Statistics" Menu
All menu items will bring up a new window showing specific statistical information.

Statistics menu items (menu item, accelerator, description):

Summary
    Show information about the data captured, see .
Protocol Hierarchy
    Display a hierarchical tree of protocol statistics, see .
Conversations
    Display a list of conversations (traffic between two endpoints), see .
Endpoints
    Display a list of endpoints (traffic to/from an address), see .
IO Graphs
    Display user specified graphs (e.g. the number of packets in the course of time), see .
------
Conversation List
    Display a list of conversations, obsoleted by the combined window of Conversations above, see .
Endpoint List
    Display a list of endpoints, obsoleted by the combined window of Endpoints above, see .
Service Response Time
    Display the time between a request and the corresponding response, see .
------
ANSI
    See .
GSM
    See .
H.225...
    See .
ISUP Message Types
    See .
MTP3
    See .
RTP
    See .
SCTP
    See .
SIP
    See .
VoIP Calls...
    See .
WAP-WSP...
    See .
------
BOOTP-DHCP
    See .
HTTP
    HTTP request/response statistics, see .
ISUP Messages
    See .
ONC-RPC Programs
    See .
TCP Stream Graph
    See .
The "Help" menu The Wireshark Help menu contains the fields shown in .
The "Help" Menu
Help menu items (menu item, accelerator, description):

Contents (F1)
    This menu item brings up a basic help system.
Supported Protocols
    This menu item brings up a dialog box showing the supported protocols and protocol fields.
Manual Pages > ...
    This menu item starts a Web browser showing one of the locally installed HTML manual pages.
Ethereal Online > ...
    This menu item starts a Web browser showing the chosen webpage from: &EtherealWebSite;.
------
About Ethereal
    This menu item brings up an information window that provides some information on Ethereal, such as the plugins, the folders in use, ...

Note! Calling a Web browser might be unsupported in your version of Ethereal. If this is the case, the corresponding menu items will be hidden.

Note! If calling a Web browser fails on your machine, maybe because just nothing happens or the browser is started but no page is shown, have a look at the webbrowser setting in the preferences dialog.
The "Main" toolbar The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu, if the space on the screen is needed to show even more packet data. As in the menu, only the items useful in the current program state will be available. The others will be greyed out (e.g. you cannot save a capture file if you haven't loaded one).
The "Main" toolbar
Main toolbar items (toolbar item, corresponding menu item, description; the toolbar icons are not reproduced here):

Interfaces... (Capture/Interfaces...)
    This item brings up the Capture Interfaces List dialog box (discussed further in ).
Options... (Capture/Options...)
    This item brings up the Capture Options dialog box (discussed further in ) and allows you to start capturing packets.
Start (Capture/Start)
    This item starts capturing packets with the options from the last time.
Stop (Capture/Stop)
    This item stops the currently running live capture process.
Restart (Capture/Restart)
    This item stops the currently running live capture process and restarts it again, for convenience.
------
Open... (File/Open...)
    This item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in .
Save As... (File/Save As...)
    This item allows you to save the current capture file to whatever file you would like. It pops up the Save Capture File As dialog box (which is discussed further in ).
    Note! If you currently have a temporary capture file, the Save icon will be shown instead.
Close (File/Close)
    This item closes the current capture. If you have not saved the capture, you will be asked to save it first.
Reload (View/Reload)
    This item allows you to reload the current capture file.
Print... (File/Print...)
    This item allows you to print all (or some of) the packets in the capture file. It pops up the Wireshark Print dialog box (which is discussed further in ).
------
Find Packet... (Edit/Find Packet...)
    This item brings up a dialog box that allows you to find a packet. There is further information on finding packets in .
Go Back (Go/Go Back)
    This item jumps back in the packet history.
Go Forward (Go/Go Forward)
    This item jumps forward in the packet history.
Go to Packet... (Go/Go to Packet...)
    This item brings up a dialog box that allows you to specify a packet number to go to that packet.
Go To First Packet (Go/First Packet)
    This item jumps to the first packet of the capture file.
Go To Last Packet (Go/Last Packet)
    This item jumps to the last packet of the capture file.
------
Colorize (View/Colorize)
    Colorize the packet list (or not).
Auto Scroll in Live Capture (View/Auto Scroll in Live Capture)
    Auto scroll the packet list while doing a live capture (or not).
------
Zoom In (View/Zoom In)
    Zoom into the packet data (increase the font size).
Zoom Out (View/Zoom Out)
    Zoom out of the packet data (decrease the font size).
Normal Size (View/Normal Size)
    Set zoom level back to 100%.
Resize Columns (View/Resize Columns)
    Resize columns, so the content fits into them.
------
Capture Filters... (Capture/Capture Filters...)
    This item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in .
Display Filters... (Analyze/Display Filters...)
    This item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in .
Coloring Rules... (View/Coloring Rules...)
    This item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. More detail on this subject is provided in .
Preferences... (Edit/Preferences)
    This item brings up a dialog box that allows you to set preferences for many parameters that control Ethereal. You can also save your preferences so Ethereal will use them the next time you start it. More detail is provided in .
------
Help (Help/Contents)
    This item brings up the help dialog box.
The "Filter" toolbar The filter toolbar lets you quickly edit and apply display filters. More information on display filters is available in .
The "Filter" toolbar
- The leftmost button labeled "Filter:" can be clicked to bring up the filter construction dialog, described in .
- The left middle text box provides an area to enter or edit display filter strings, see . A syntax check of your filter string is done while you are typing. The background will turn red if you enter an incomplete or invalid string, and will become green when you enter a valid string. You can click on the pull down arrow to select a previously-entered filter string from a list. The entries in the pull down list will remain available even after a program restart.
    Note! After you've changed something in this field, don't forget to press the Apply button (or the Enter/Return key) to apply this filter string to the display.
    Note! This field is also where the current filter in effect is displayed.
- The middle button labeled "Add Expression..." opens a dialog box that lets you edit a display filter from a list of protocol fields, described in .
- The right middle button labeled "Clear" resets the current display filter and clears the edit area.
- The rightmost button labeled "Apply" applies the current value in the edit area as the new display filter.
Note! Applying a display filter on large capture files might take quite a long time!
The "Packet List" pane The packet list pane displays all the packets in the current capture file.
The "Packet List" pane
Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes.
While dissecting a packet, Ethereal will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only. For example, let's look at a packet containing TCP inside IP inside an Ethernet packet. The Ethernet dissector will write its data (such as the Ethernet addresses), the IP dissector will overwrite this with its own (such as the IP addresses), the TCP dissector will overwrite the IP information, and so on.

There are a lot of different columns available. Which columns are displayed can be selected by preference settings, see . The default columns will show:

- No.: The number of the packet in the capture file. This number won't change, even if a display filter is used.
- Time: The timestamp of the packet. The presentation format of this timestamp can be changed, see .
- Source: The address where this packet is coming from.
- Destination: The address where this packet is going to.
- Protocol: The protocol name in a short (perhaps abbreviated) version.
- Info: Additional information about the packet content.

There is a context menu (right mouse click) available, see details in .
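The column overwriting described above, worked through in Python as an added example (not Ethereal's own dissector code): a constructed Ethernet/IPv4/TCP SYN frame is passed through three minimal dissectors in layer order, and the column snapshot after each layer is kept so you can see which values survive into the packet list row. The frame bytes and the dissector chain are constructed for this example; a frame whose EtherType no dissector claims stops at the Ethernet row.

```python
# Constructed Ethernet II / IPv4 / TCP SYN frame, 54 bytes (not a capture).
TCP_SYN_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # eth.dst, eth.src, eth.type = IPv4
    "4500" "0028" "0001" "0000" "40" "06" "0000"  # IPv4: ver/ihl, tos, len, id, frag, ttl, proto=TCP, csum
    "0a000001" "0a000002"                         # ip.src 10.0.0.1, ip.dst 10.0.0.2
    "c000" "0050" "00000000" "00000000"           # TCP ports 49152 -> 80, seq, ack
    "50" "02" "ffff" "0000" "0000"                # data offset, flags=SYN, window, csum, urg
)

COLUMNS = ("Source", "Destination", "Protocol", "Info")


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def dissect_eth(payload, cols):
    """Ethernet II: fills every column; returns (EtherType, next payload)."""
    etype = int.from_bytes(payload[12:14], "big")
    cols.update(Source=_mac(payload[6:12]), Destination=_mac(payload[0:6]),
                Protocol="ETH", Info=f"Ethertype 0x{etype:04x}")
    return etype, payload[14:]


def dissect_ipv4(payload, cols):
    """IPv4: overwrites the addresses the Ethernet dissector wrote."""
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    cols.update(Source=_ipv4(payload[12:16]), Destination=_ipv4(payload[16:20]),
                Protocol="IP", Info=f"IP protocol {proto}")
    return proto, payload[ihl:]


def dissect_tcp(payload, cols):
    """TCP: overwrites Protocol and Info, but has no addresses of its own,
    so the IP addresses written by the layer below remain in the row."""
    sport = int.from_bytes(payload[0:2], "big")
    dport = int.from_bytes(payload[2:4], "big")
    seq = int.from_bytes(payload[4:8], "big")
    flags = payload[13]
    names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"))
             if flags & bit]
    cols.update(Protocol="TCP", Info=f"{sport} > {dport} [{', '.join(names)}] Seq={seq}")
    return None, payload[(payload[12] >> 4) * 4:]


def dissect(frame):
    """Run the dissector chain in layer order and return the column snapshot
    after each layer; the last snapshot is what the packet list row shows."""
    cols = dict.fromkeys(COLUMNS, "")
    history = []
    etype, payload = dissect_eth(frame, cols)
    history.append(dict(cols))
    if etype == 0x0800:
        proto, payload = dissect_ipv4(payload, cols)
        history.append(dict(cols))
        if proto == 6:
            dissect_tcp(payload, cols)
            history.append(dict(cols))
    return history


if __name__ == "__main__":
    for layer, snapshot in zip(("after ETH", "after IP", "after TCP"), dissect(TCP_SYN_FRAME)):
        print(layer, snapshot)
```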
The "Packet Details" pane The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form.
The "Packet Details" pane
This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed. There is a context menu (right mouse click) available, see details in .

Some protocol fields are specially displayed:

- Generated fields: Ethereal itself will generate additional protocol fields, which are surrounded by brackets. The information in these fields is derived from the known context of other packets in the capture file. For example, Ethereal performs a sequence/acknowledge analysis of each TCP stream, which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
- Links: If Ethereal detected a relationship to another packet in the capture file, it will generate a link to that packet. Links are underlined and displayed in blue. If double-clicked, Ethereal jumps to the corresponding packet.
The "Packet Bytes" pane The packet bytes pane shows the data of the current packet (selected in the "Packet List" pane) in a hexdump style.
The "Packet Bytes" pane
As usual for a hexdump, the left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation, and on the right the corresponding ASCII characters (or a "." where the byte is not a printable character) are displayed. There is a context menu (right mouse click) available, see details in . Depending on the packet data, sometimes more than one page is available, e.g. when Ethereal has reassembled some packets into a single chunk of data, see . In this case there are some additional tabs shown at the bottom of the pane to let you select the page you want to see.
The "Packet Bytes" pane with tabs
Note! The additional pages might contain data picked from multiple packets. The context menu (right mouse click) of the tab labels will show a list of all available pages. This can be helpful if the size in the pane is too small for all the tab labels.
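The layout of the Packet Bytes pane described above, together with the link from a field selected in the Packet Details pane to its highlighted bytes, rendered in Python as an added example (not Ethereal's own code). The ARP frame and the field-to-byte-range table are constructed for the example; the field names follow Wireshark's display filter names such as arp.opcode, and a line of "^" markers stands in for the pane's highlighting.

```python
# Constructed sample frame (not captured): Ethernet II + ARP request
# "who has 10.0.0.2? tell 10.0.0.1", 42 bytes.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"   # eth.dst, eth.src, eth.type = ARP
    "0001" "0800" "06" "04" "0001"          # hw type, proto type, hw len, proto len, opcode=request
    "001122334455" "0a000001"               # sender MAC / IP
    "000000000000" "0a000002"               # target MAC / IP
)

# (offset, length) a dissector would attach to each detail-tree field; the
# mapping is built by hand for this example (field names as in Wireshark).
FIELDS = {
    "eth.dst": (0, 6), "eth.src": (6, 6), "eth.type": (12, 2),
    "arp.hw.type": (14, 2), "arp.proto.type": (16, 2), "arp.opcode": (20, 2),
    "arp.src.hw_mac": (22, 6), "arp.src.proto_ipv4": (28, 4),
    "arp.dst.hw_mac": (32, 6), "arp.dst.proto_ipv4": (38, 4),
}

WIDTH = 16                                   # bytes per hexdump line
HEX_START = 6                                # "0000" plus two spaces
ASCII_START = HEX_START + 3 * WIDTH - 1 + 3  # hex cells, then three spaces


def hexdump(data, highlight=None):
    """Render `data` as the pane does: offset, hex bytes, ASCII (or ".").
    `highlight` is an (offset, length) range; a marker line of "^" is
    emitted under every dump line that contains bytes from that range."""
    lo, hi = (highlight[0], highlight[0] + highlight[1]) if highlight else (0, 0)
    lines = []
    for off in range(0, len(data), WIDTH):
        chunk = data[off:off + WIDTH]
        # Pad a short last line so the ASCII column stays aligned.
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(3 * WIDTH - 1)
        asc_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part}   {asc_part}")
        marked = [i for i in range(len(chunk)) if lo <= off + i < hi]
        if marked:
            marker = [" "] * (ASCII_START + len(chunk))
            for i in marked:
                marker[HEX_START + 3 * i] = marker[HEX_START + 3 * i + 1] = "^"
                marker[ASCII_START + i] = "^"
            lines.append("".join(marker))
    return lines


def field_bytes(data, name):
    """The raw bytes behind a detail-tree field (what Export > Selected
    Packet Bytes... would write out)."""
    off, length = FIELDS[name]
    return data[off:off + length]


def show_selected_field(data, name):
    """What the bytes pane shows once `name` is selected in the details pane."""
    return hexdump(data, FIELDS[name])


if __name__ == "__main__":
    print("\n".join(show_selected_field(ARP_REQUEST, "arp.opcode")))
    print("arp.opcode =", int.from_bytes(field_bytes(ARP_REQUEST, "arp.opcode"), "big"))
```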
The Statusbar

The statusbar displays informational messages. In general, the left side will show context related information, while the right side will show the current number of packets.
The initial Statusbar
This statusbar is shown while no capture file is loaded, e.g. when Wireshark is started.
The Statusbar with a loaded capture file
The left side shows information about the capture file, its name, its size and the elapsed time while it was being captured.
The right side shows the current number of packets in the capture file. The following values are displayed:

- P: the number of captured packets
- D: the number of packets currently being displayed
- M: the number of marked packets
The Statusbar with a selected protocol field
This is displayed if you have selected a protocol field from the "Packet Details" pane.
Tip! The value between the brackets (in this example arp.opcode) can be used as a display filter string, representing the selected protocol field.