Diffstat (limited to 'doc/wireshark.adoc')
-rw-r--r--  doc/wireshark.adoc  2967
1 files changed, 2967 insertions, 0 deletions
diff --git a/doc/wireshark.adoc b/doc/wireshark.adoc
new file mode 100644
index 0000000000..cf6ad7fa97
--- /dev/null
+++ b/doc/wireshark.adoc
@@ -0,0 +1,2967 @@
+=begin man
+
+=encoding utf8
+
+=end man
+
+=head1 NAME
+
+wireshark - Interactively dump and analyze network traffic
+
+=head1 SYNOPSIS
+
+B<wireshark>
+S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-f> E<lt>capture filterE<gt> ]>
+S<[ B<-Y> E<lt>display filterE<gt> ]>
+S<[ B<-w> E<lt>outfileE<gt> ]>
+S<[ B<options> ]>
+S<[ E<lt>infileE<gt> ]>
+
+=head1 DESCRIPTION
+
+B<Wireshark> is a GUI network protocol analyzer. It lets you
+interactively browse packet data from a live network or from a
+previously saved capture file. B<Wireshark>'s native capture file
+formats are B<pcapng> format and B<pcap> format; it can read and write
+both formats.. B<pcap> format is also the format used by B<tcpdump> and
+various other tools; B<tcpdump>, when using newer verions of the
+B<libpcap> library, can also read some pcapng files, and, on newer
+versions of macOS, can read all pcapng files and can write them as well.
+
+B<Wireshark> can also read / import the following file formats:
+
+=over 4
+
+=item *
+Oracle (previously Sun) B<snoop> and B<atmsnoop> captures
+
+=item *
+Finisar (previously Shomiti) B<Surveyor> captures
+
+=item *
+Microsoft B<Network Monitor> captures
+
+=item *
+Novell B<LANalyzer> captures
+
+=item *
+AIX's B<iptrace> captures
+
+=item *
+Cinco Networks B<NetXRay> captures
+
+=item *
+NETSCOUT (previously Network Associates/Network General) Windows-based
+B<Sniffer> captures
+
+=item *
+Network General/Network Associates DOS-based B<Sniffer> captures
+(compressed or uncompressed)
+
+=item *
+LiveAction (previously WildPackets/Savvius) B<*Peek>/B<EtherHelp>/B<PacketGrabber> captures
+
+=item *
+B<RADCOM>'s WAN/LAN analyzer captures
+
+=item *
+Viavi (previously Network Instruments) B<Observer> captures
+
+=item *
+B<Lucent/Ascend> router debug output
+
+=item *
+captures from HP-UX B<nettl>
+
+=item *
+B<Toshiba's> ISDN routers dump output
+
+=item *
+the output from B<i4btrace> from the ISDN4BSD project
+
+=item *
+traces from the B<EyeSDN> USB S0
+
+=item *
+the B<IPLog> format output from the Cisco Secure Intrusion Detection System
+
+=item *
+B<pppd logs> (pppdump format)
+
+=item *
+the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities
+
+=item *
+the text output from the B<DBS Etherwatch> VMS utility
+
+=item *
+Visual Networks' B<Visual UpTime> traffic capture
+
+=item *
+the output from B<CoSine> L2 debug
+
+=item *
+the output from InfoVista (previously Accellent) B<5View> LAN agents
+
+=item *
+Endace Measurement Systems' ERF format captures
+
+=item *
+Linux Bluez Bluetooth stack B<hcidump -w> traces
+
+=item *
+Catapult DCT2000 .out files
+
+=item *
+Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
+
+=item *
+IBM Series (OS/400) Comm traces (ASCII & UNICODE)
+
+=item *
+Juniper Netscreen snoop files
+
+=item *
+Symbian OS btsnoop files
+
+=item *
+TamoSoft CommView files
+
+=item *
+Tektronix K12xx 32bit .rf5 format files
+
+=item *
+Tektronix K12 text file format captures
+
+=item *
+Apple PacketLogger files
+
+=item *
+Captures from Aethra Telecommunications' PC108 software for their test
+instruments
+
+=item *
+Citrix NetScaler Trace files
+
+=item *
+Android Logcat binary and text format logs
+
+=item *
+Colasoft Capsa and PacketBuilder captures
+
+=item *
+Micropross mplog files
+
+=item *
+Unigraf DPA-400 DisplayPort AUX channel monitor traces
+
+=item *
+802.15.4 traces from Daintree's Sensor Network Analyzer
+
+=item *
+MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
+
+=item *
+Log files from the _candump_ utility
+
+=item *
+Logs from the BUSMASTER tool
+
+=item *
+Ixia IxVeriWave raw captures
+
+=item *
+Rabbit Labs CAM Inspector files
+
+=item *
+ _systemd_ journal files
+
+=item *
+3GPP TS 32.423 trace files
+
+=back
+
+There is no need to tell B<Wireshark> what type of
+file you are reading; it will determine the file type by itself.
+B<Wireshark> is also capable of reading any of these file formats if they
+are compressed using gzip. B<Wireshark> recognizes this directly from
+the file; the '.gz' extension is not required for this purpose.
+
+Like other protocol analyzers, B<Wireshark>'s main window shows 3 views
+of a packet. It shows a summary line, briefly describing what the
+packet is. A packet details display is shown, allowing you to drill
+down to exact protocol or field that you interested in. Finally, a hex
+dump shows you exactly what the packet looks like when it goes over the
+wire.
+
+In addition, B<Wireshark> has some features that make it unique. It can
+assemble all the packets in a TCP conversation and show you the ASCII
+(or EBCDIC, or hex) data in that conversation. Display filters in
+B<Wireshark> are very powerful; more fields are filterable in B<Wireshark>
+than in other protocol analyzers, and the syntax you can use to create
+your filters is richer. As B<Wireshark> progresses, expect more and more
+protocol fields to be allowed in display filters.
+
+Packet capturing is performed with the pcap library. The capture filter
+syntax follows the rules of the pcap library. This syntax is different
+from the display filter syntax.
+
+Compressed file support uses (and therefore requires) the zlib library.
+If the zlib library is not present, B<Wireshark> will compile, but will
+be unable to read compressed files.
+
+The pathname of a capture file to be read can be specified with the
+B<-r> option or can be specified as a command-line argument.
+
+=head1 OPTIONS
+
+Most users will want to start B<Wireshark> without options and configure
+it from the menus instead. Those users may just skip this section.
+
+=over 4
+
+=item -a|--autostop E<lt>capture autostop conditionE<gt>
+
+Specify a criterion that specifies when B<Wireshark> is to stop writing
+to a capture file. The criterion is of the form I<test:value>,
+where I<test> is one of:
+
+B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
+elapsed. Floating point values (e.g. 0.5) are allowed.
+
+B<files>:I<value> Stop writing to capture files after I<value> number of files
+were written.
+
+B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
+I<value> kB. If this option is used together with the -b option, Wireshark
+will stop writing to the current capture file and switch to the next one if
+filesize is reached. Note that the filesize is limited to a maximum value of
+2 GiB.
+
+B<packets>:I<value> Stop writing to a capture file after it contains I<value>
+packets. Same as B<-c>E<lt>capture packet countE<gt>.
+
+=item -b|--ring-buffer E<lt>capture ring buffer optionE<gt>
+
+Cause B<Wireshark> to run in "multiple files" mode. In "multiple files" mode,
+B<Wireshark> will write to several capture files. When the first capture file
+fills up, B<Wireshark> will switch writing to the next file and so on.
+
+The created filenames are based on the filename given with the B<-w> flag,
+the number of the file and on the creation date and time,
+e.g. outfile_00001_20210714120117.pcap, outfile_00002_20210714120523.pcap, ...
+
+With the I<files> option it's also possible to form a "ring buffer".
+This will fill up new files until the number of files specified,
+at which point B<Wireshark> will discard the data in the first file and start
+writing to that file and so on. If the I<files> option is not set,
+new files filled up until one of the capture stop conditions match (or
+until the disk is full).
+
+The criterion is of the form I<key:value>,
+where I<key> is one of:
+
+B<duration>:I<value> switch to the next file after I<value> seconds have
+elapsed, even if the current file is not completely filled up. Floating
+point values (e.g. 0.5) are allowed.
+
+B<files>:I<value> begin again with the first file after I<value> number of
+files were written (form a ring buffer). This value must be less than 100000.
+Caution should be used when using large numbers of files: some filesystems do
+not handle many files in a single directory well. The B<files> criterion
+requires one of the other criteria to be specified to
+control when to go to the next file. It should be noted that each B<-b>
+parameter takes exactly one criterion; to specify two criteria, each must be
+preceded by the B<-b> option.
+
+B<filesize>:I<value> switch to the next file after it reaches a size of
+I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
+
+B<interval>:I<value> switch to the next file when the time is an exact
+multiple of I<value> seconds.
+
+B<packets>:I<value> switch to the next file after it contains I<value>
+packets.
+
+Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
+of size one megabyte each.
+
+=item -B|--buffer-size E<lt>capture buffer sizeE<gt>
+
+Set capture buffer size (in MiB, default is 2 MiB). This is used by
+the capture driver to buffer packet data until that data can be written
+to disk. If you encounter packet drops while capturing, try to increase
+this size. Note that, while B<Wireshark> attempts to set the buffer size
+to 2 MiB by default, and can be told to set it to a larger value, the
+system or interface on which you're capturing might silently limit the
+capture buffer size to a lower value or raise it to a higher value.
+
+This is available on UNIX systems with libpcap 1.0.0 or later and on
+Windows. It is not available on UNIX systems with earlier versions of
+libpcap.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture buffer size.
+If used after an B<-i> option, it sets the capture buffer size for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture buffer size is not set specifically,
+the default capture buffer size is used instead.
+
+=item -c E<lt>capture packet countE<gt>
+
+Set the maximum number of packets to read when capturing live
+data. Same as B<-a packets:>E<lt>capture packet countE<gt>.
+
+=item -C E<lt>configuration profileE<gt>
+
+Start with the given configuration profile.
+
+=item --capture-comment E<lt>commentE<gt>
+
+When performing a capture file from the command line, with the B<-k>
+flag, add a capture comment to the output file, if supported by the
+capture format.
+
+This option may be specified multiple times. Note that Wireshark
+currently only displays the first comment of a capture file.
+
+=item -d E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt>
+
+Like Wireshark's B<Decode As...> feature, this lets you specify how a
+layer type should be dissected. If the layer type in question (for example,
+B<tcp.port> or B<udp.port> for a TCP or UDP port number) has the specified
+selector value, packets should be dissected as the specified protocol.
+
+Example: B<-d tcp.port==8888,http> will decode any traffic running over
+TCP port 8888 as HTTP.
+
+See the tshark(1) manual page for more examples.
+
+=item -D|--list-interfaces
+
+Print a list of the interfaces on which B<Wireshark> can capture, and
+exit. For each network interface, a number and an
+interface name, possibly followed by a text description of the
+interface, is printed. The interface name or the number can be supplied
+to the B<-i> flag to specify an interface on which to capture.
+
+This can be useful on systems that don't have a command to list them
+(UNIX systems lacking B<ifconfig -a> or Linux systems lacking
+B<ip link show>). The number can be useful on Windows systems, where
+the interface name might be a long name or a GUID.
+
+Note that "can capture" means that B<Wireshark> was able to open
+that device to do a live capture; if, on your system, a program doing a
+network capture must be run from an account with special privileges (for
+example, as root), then, if B<Wireshark> is run with the B<-D> flag and
+is not run from such an account, it will not list any interfaces.
+
+=item --display E<lt>X display to useE<gt>
+
+Specifies the X display to use. A hostname and screen (otherhost:0.0)
+or just a screen (:0.0) can be specified. This option is not available
+under Windows.
+
+=item --disable-protocol E<lt>proto_nameE<gt>
+
+Disable dissection of proto_name.
+
+=item --disable-heuristic E<lt>short_nameE<gt>
+
+Disable dissection of heuristic protocol.
+
+=item --enable-protocol E<lt>proto_nameE<gt>
+
+Enable dissection of proto_name.
+
+=item --enable-heuristic E<lt>short_nameE<gt>
+
+Enable dissection of heuristic protocol.
+
+=item -f E<lt>capture filterE<gt>
+
+Set the capture filter expression.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture filter expression.
+If used after an B<-i> option, it sets the capture filter expression for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture filter expression is not set specifically,
+the default capture filter expression is used if provided.
+
+Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
+can be used by prefixing the argument with "predef:".
+Example: B<-f "predef:MyPredefinedHostOnlyFilter">
+
+=item --fullscreen
+
+Start Wireshark in full screen mode (kiosk mode). To exit from fullscreen mode,
+open the View menu and select the Full Screen option. Alternatively, press the
+F11 key (or Ctrl + Cmd + F for macOS).
+
+=item -g E<lt>packet numberE<gt>
+
+After reading in a capture file using the B<-r> flag, go to the given I<packet number>.
+
+=item -h|--help
+
+Print the version number and options and exit.
+
+=item -H
+
+Hide the capture info dialog during live packet capture.
+
+=item -i|--interface E<lt>capture interfaceE<gt>|-
+
+Set the name of the network interface or pipe to use for live packet
+capture.
+
+Network interface names should match one of the names listed in
+"B<wireshark -D>" (described above); a number, as reported by
+"B<wireshark -D>", can also be used. If you're using UNIX, "B<netstat
+-i>", "B<ifconfig -a>" or "B<ip link>" might also work to list interface names,
+although not all versions of UNIX support the B<-a> flag to B<ifconfig>.
+
+If no interface is specified, B<Wireshark> searches the list of
+interfaces, choosing the first non-loopback interface if there are any
+non-loopback interfaces, and choosing the first loopback interface if
+there are no non-loopback interfaces. If there are no interfaces at all,
+B<Wireshark> reports an error and doesn't start the capture.
+
+Pipe names should be either the name of a FIFO (named pipe) or "-" to
+read data from the standard input. On Windows systems, pipe names must be
+of the form "\\pipe\.\B<pipename>". Data read from pipes must be in
+standard pcapng or pcap format. Pcapng data must have the same
+endianness as the capturing host.
+
+This option can occur multiple times. When capturing from multiple
+interfaces, the capture file will be saved in pcapng format.
+
+=item -I|--monitor-mode
+
+Put the interface in "monitor mode"; this is supported only on IEEE
+802.11 Wi-Fi interfaces, and supported only on some operating systems.
+
+Note that in monitor mode the adapter might disassociate from the
+network with which it's associated, so that you will not be able to use
+any wireless networks with that adapter. This could prevent accessing
+files on a network server, or resolving host names or network addresses,
+if you are capturing in monitor mode and are not connected to another
+network with another adapter.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
+If used after an B<-i> option, it enables the monitor mode for
+the interface specified by the last B<-i> option occurring before
+this option.
+
+=item -j
+
+Use after B<-J> to change the behavior when no exact match is found for
+the filter. With this option select the first packet before.
+
+=item -J E<lt>jump filterE<gt>
+
+After reading in a capture file using the B<-r> flag, jump to the packet
+matching the filter (display filter syntax). If no exact match is found
+the first packet after that is selected.
+
+=item -k
+
+Start the capture session immediately. If the B<-i> flag was
+specified, the capture uses the specified interface. Otherwise,
+B<Wireshark> searches the list of interfaces, choosing the first
+non-loopback interface if there are any non-loopback interfaces, and
+choosing the first loopback interface if there are no non-loopback
+interfaces; if there are no interfaces, B<Wireshark> reports an error and
+doesn't start the capture.
+
+=item -K E<lt>keytabE<gt>
+
+Load kerberos crypto keys from the specified keytab file.
+This option can be used multiple times to load keys from several files.
+
+Example: B<-K krb5.keytab>
+
+=item -l
+
+Turn on automatic scrolling if the packet display is being updated
+automatically as packets arrive during a capture (as specified by the
+B<-S> flag).
+
+=item -L|--list-data-link-types
+
+List the data link types supported by the interface and exit.
+
+=item --list-time-stamp-types
+
+List time stamp types supported for the interface. If no time stamp type can be
+set, no time stamp types are listed.
+
+=item -n
+
+Disable network object name resolution (such as hostname, TCP and UDP port
+names), the B<-N> flag might override this one.
+
+=item -N E<lt>name resolving flagsE<gt>
+
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions
+are turned on.
+
+The argument is a string that may contain the letters:
+
+B<m> to enable MAC address resolution
+
+B<n> to enable network address resolution
+
+B<N> to enable using external resolvers (e.g., DNS) for network address
+resolution
+
+B<t> to enable transport-layer port number resolution
+
+B<d> to enable resolution from captured DNS packets
+
+B<v> to enable VLAN IDs to names resolution
+
+=item -o E<lt>preference/recent settingE<gt>
+
+Set a preference or recent value, overriding the default value and any value
+read from a preference/recent file. The argument to the flag is a string of
+the form I<prefname:value>, where I<prefname> is the name of the
+preference/recent value (which is the same name that would appear in the
+preference/recent file), and I<value> is the value to which it should be set.
+Since B<Ethereal> 0.10.12, the recent settings replaces the formerly used
+-B, -P and -T flags to manipulate the GUI dimensions.
+
+If I<prefname> is "uat", you can override settings in various user access
+tables using the form uatB<:>I<uat filename>:I<uat record>. I<uat filename>
+must be the name of a UAT file, e.g. I<user_dlts>. I<uat_record> must be in
+the form of a valid record for that file, including quotes. For instance, to
+specify a user DLT from the command line, you would use
+
+ -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
+
+=item -p|--no-promiscuous-mode
+
+I<Don't> put the interface into promiscuous mode. Note that the
+interface might be in promiscuous mode for some other reason; hence,
+B<-p> cannot be used to ensure that the only traffic that is captured is
+traffic sent to or from the machine on which B<Wireshark> is running,
+broadcast traffic, and multicast traffic to addresses received by that
+machine.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, no interface will be put into the
+promiscuous mode.
+If used after an B<-i> option, the interface specified by the last B<-i>
+option occurring before this option will not be put into the
+promiscuous mode.
+
+=item -P E<lt>path settingE<gt>
+
+Special path settings usually detected automatically. This is used for
+special cases, e.g. starting Wireshark from a known location on an USB stick.
+
+The criterion is of the form I<key:path>, where I<key> is one of:
+
+B<persconf>:I<path> path of personal configuration files, like the
+preferences files.
+
+B<persdata>:I<path> path of personal data files, it's the folder initially
+opened. After the very first initialization, the recent file will keep the
+folder last used.
+
+=item -r|--read-file E<lt>infileE<gt>
+
+Read packet data from I<infile>, can be any supported capture file format
+(including gzipped files). It's not possible to use named pipes or stdin
+here! To capture from a pipe or from stdin use B<-i ->
+
+=item -R|--read-filter E<lt>read (display) filterE<gt>
+
+When reading a capture file specified with the B<-r> flag, causes the
+specified filter (which uses the syntax of display filters, rather than
+that of capture filters) to be applied to all packets read from the
+capture file; packets not matching the filter are discarded.
+
+=item -s|--snapshot-length E<lt>capture snaplenE<gt>
+
+Set the default snapshot length to use when capturing live data.
+No more than I<snaplen> bytes of each network packet will be read into
+memory, or saved to disk. A value of 0 specifies a snapshot length of
+262144, so that the full packet is captured; this is the default.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default snapshot length.
+If used after an B<-i> option, it sets the snapshot length for
+the interface specified by the last B<-i> option occurring before
+this option. If the snapshot length is not set specifically,
+the default snapshot length is used if provided.
+
+=item -S
+
+Automatically update the packet display as packets are coming in.
+
+=item -t a|ad|adoy|d|dd|e|r|u|ud|udoy
+
+Set the format of the packet timestamp displayed in the packet list
+window. The format can be one of:
+
+B<a> absolute: The absolute time, as local time in your time zone,
+is the actual time the packet was captured, with no date displayed
+
+B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as local time in your time zone, is the actual time and date
+the packet was captured
+
+B<adoy> absolute with date using day of year: The absolute date,
+displayed as YYYY/DOY, and time, as local time in your time zone,
+is the actual time and date the packet was captured
+
+B<d> delta: The delta time is the time since the previous packet was
+captured
+
+B<dd> delta_displayed: The delta_displayed time is the time since the
+previous displayed packet was captured
+
+B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<u> UTC: The absolute time, as UTC, is the actual time the packet was
+captured, with no date displayed
+
+B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as UTC, is the actual time and date the packet was captured
+
+B<udoy> UTC with date using day of year: The absolute date, displayed
+as YYYY/DOY, and time, as UTC, is the actual time and date the packet
+was captured
+
+The default format is relative.
+
+=item --time-stamp-type E<lt>typeE<gt>
+
+Change the interface's timestamp method. See --list-time-stamp-types.
+
+=item -u E<lt>s|hmsE<gt>
+
+Output format of seconds (def: s: seconds)
+
+=item -v|--version
+
+Print the full version information and exit.
+
+=item -w E<lt>outfileE<gt>
+
+Set the default capture file name, or '-' for standard output.
+
+=item -X E<lt>eXtension optionsE<gt>
+
+Specify an option to be passed to an B<Wireshark> module. The eXtension option
+is in the form I<extension_key:value>, where I<extension_key> can be:
+
+B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the
+default Lua scripts.
+
+B<lua_script>I<num>:I<argument> tells B<Wireshark> to pass the given argument
+to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command.
+For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
+will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
+and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua
+script, namely 'other.lua'.
+
+B<read_format>:I<file_format> tells B<Wireshark> to use the given file format to read in the
+file (the file given in the B<-r> command option).
+
+B<stdin_descr>:I<description> tells B<Wireshark> to use the given description when
+capturing from standard input (B<-i ->).
+
+=item -y|--linktype E<lt>capture link typeE<gt>
+
+If a capture is started from the command line with B<-k>, set the data
+link type to use while capturing packets. The values reported by B<-L>
+are the values that can be used.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture link type.
+If used after an B<-i> option, it sets the capture link type for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture link type is not set specifically,
+the default capture link type is used if provided.
+
+=item -Y|--display-filter E<lt>displaY filterE<gt>
+
+Start with the given display filter.
+
+=item -z E<lt>statisticsE<gt>
+
+Get B<Wireshark> to collect various types of statistics and display the result
+in a window that updates in semi-real time.
+
+Currently implemented statistics are:
+
+=over 4
+
+=item B<-z help>
+
+Display all possible values for B<-z>.
+
+=item B<-z> afp,srt[,I<filter>]
+
+Show Apple Filing Protocol service response time statistics.
+
+=item B<-z> conv,I<type>[,I<filter>]
+
+Create a table that lists all conversations that could be seen in the
+capture. I<type> specifies the conversation endpoint types for which we
+want to generate the statistics; currently the supported ones are:
+
+ "eth" Ethernet addresses
+ "fc" Fibre Channel addresses
+ "fddi" FDDI addresses
+ "ip" IPv4 addresses
+ "ipv6" IPv6 addresses
+ "ipx" IPX addresses
+ "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
+ "tr" Token Ring addresses
+ "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
+
+If the optional I<filter> is specified, only those packets that match the
+filter will be used in the calculations.
+
+The table is presented with one line for each conversation and displays
+the number of packets/bytes in each direction as well as the total
+number of packets/bytes. By default, the table is sorted according to
+the total number of packets.
+
+These tables can also be generated at runtime by selecting the appropriate
+conversation type from the menu "Tools/Statistics/Conversation List/".
+
+=item B<-z> dcerpc,srt,I<name-or-uuid>,I<major>.I<minor>[,I<filter>]
+
+Collect call/reply SRT (Service Response Time) data for DCERPC interface
+I<name> or I<uuid>, version I<major>.I<minor>.
+Data collected is the number of calls for each procedure, MinSRT, MaxSRT
+and AvgSRT.
+Interface I<name> and I<uuid> are case-insensitive.
+
+Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR
+SRT statistics for a specific host.
+
+=item B<-z> bootp,stat[,I<filter>]
+
+Show DHCP (BOOTP) statistics.
+
+=item B<-z> expert
+
+Show expert information.
+
+=item B<-z> fc,srt[,I<filter>]
+
+Collect call/reply SRT (Service Response Time) data for FC. Data collected
+is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT.
+
+Example: B<-z fc,srt>
+will calculate the Service Response Time as the time delta between the
+First packet of the exchange and the Last packet of the exchange.
+
+The data will be presented as separate tables for all normal FC commands,
+Only those commands that are seen in the capture will have its stats
+displayed.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "fc,srt,fc.id==01.02.03"> will collect stats only for
+FC packets exchanged by the host at FC address 01.02.03 .
+
+=item B<-z> h225,counter[I<,filter>]
+
+Count ITU-T H.225 messages and their reasons. In the first column you get a
+list of H.225 messages and H.225 message reasons which occur in the current
+capture file. The number of occurrences of each message or reason is displayed
+in the second column.
+
+Example: B<-z h225,counter>
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "h225,counter,ip.addr==1.2.3.4"> will collect stats only for
+H.225 packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> h225,srt[I<,filter>]
+
+Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS.
+Data collected is the number of calls of each ITU-T H.225 RAS Message Type,
+Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet.
+You will also get the number of Open Requests (Unresponded Requests),
+Discarded Responses (Responses without matching request) and Duplicate Messages.
+
+Example: B<-z h225,srt>
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will collect stats only for
+ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> io,stat
+
+Collect packet/bytes statistics for the capture in intervals of 1 second.
+This option will open a window with up to 5 color-coded graphs where
+number-of-packets-per-second or number-of-bytes-per-second statistics
+can be calculated and displayed.
+
+This option can be used multiple times on the command line.
+
+This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat
+menu item.
+
+=item B<-z> ldap,srt[,I<filter>]
+
+Collect call/reply SRT (Service Response Time) data for LDAP. Data collected
+is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT.
+
+Example: B<-z ldap,srt>
+will calculate the Service Response Time as the time delta between the
+Request and the Response.
+
+The data will be presented as separate tables for all implemented LDAP commands,
+Only those commands that are seen in the capture will have its stats
+displayed.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: use B<-z "ldap,srt,ip.addr==10.1.1.1"> will collect stats only for
+LDAP packets exchanged by the host at IP address 10.1.1.1 .
+
+The only LDAP commands that are currently implemented and for which the stats will be available are:
+BIND
+SEARCH
+MODIFY
+ADD
+DELETE
+MODRDN
+COMPARE
+EXTENDED
+
+=item B<-z> megaco,srt[I<,filter>]
+
+Collect request/response SRT (Service Response Time) data for MEGACO.
+(This is similar to B<-z smb,srt>). Data collected is the number of calls
+for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT.
+
+Example: B<-z megaco,srt>
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "megaco,srt,ip.addr==1.2.3.4"> will collect stats only for
+MEGACO packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> mgcp,srt[I<,filter>]
+
+Collect request/response SRT (Service Response Time) data for MGCP.
+(This is similar to B<-z smb,srt>). Data collected is the number of calls
+for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT.
+
+Example: B<-z mgcp,srt>
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "mgcp,srt,ip.addr==1.2.3.4"> will collect stats only for
+MGCP packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> mtp3,msus[,<filter>]
+
+Show MTP3 MSU statistics.
+
+=item B<-z> multicast,stat[,<filter>]
+
+Show UDP multicast stream statistics.
+
+=item B<-z> rpc,programs
+
+Collect call/reply SRT data for all known ONC-RPC programs/versions.
+Data collected is the number of calls for each protocol/version, MinSRT,
+MaxSRT and AvgSRT.
+
+=item B<-z> rpc,srt,I<name-or-number>,I<version>[,<filter>]
+
+Collect call/reply SRT (Service Response Time) data for program
+I<name>/I<version> or I<number>/I<version>.
+Data collected is the number of calls for each procedure, MinSRT, MaxSRT and
+AvgSRT.
+Program I<name> is case-insensitive.
+
+Example: B<-z rpc,srt,100003,3> will collect data for NFS v3.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: S<B<-z rpc,srt,nfs,3,nfs.fh.hash==0x12345678>> will collect NFS v3
+SRT statistics for a specific file.
+
+=item B<-z> scsi,srt,I<cmdset>[,<filter>]
+
+Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>.
+
+Commandsets are 0:SBC 1:SSC 5:MMC
+
+Data collected
+is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
+
+Example: B<-z scsi,srt,0> will collect data for SCSI BLOCK COMMANDS (SBC).
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z scsi,srt,0,ip.addr==1.2.3.4> will collect SCSI SBC
+SRT statistics for a specific iscsi/ifcp/fcip host.
+
+=item B<-z> sip,stat[I<,filter>]
+
+This option will activate a counter for SIP messages. You will get the number
+of occurrences of each SIP Method and of each SIP Status-Code. Additionally you
+also get the number of resent SIP Messages (only for SIP over UDP).
+
+Example: B<-z sip,stat>
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will collect stats only for
+SIP packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> smb,srt[,I<filter>]
+
+Collect call/reply SRT (Service Response Time) data for SMB. Data collected
+is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
+
+Example: B<-z smb,srt>
+
+The data will be presented as separate tables for all normal SMB commands,
+all Transaction2 commands and all NT Transaction commands.
+Only those commands that are seen in the capture will have their stats
+displayed.
+Only the first command in a xAndX command chain will be used in the
+calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
+only the SessionSetupAndX call will be used in the statistics.
+This is a flaw that might be fixed in the future.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will collect stats only for
+SMB packets exchanged by the host at IP address 1.2.3.4 .
+
+=item B<-z> voip,calls
+
+This option will show a window that shows VoIP calls found in the capture file.
+This is the same window shown as when you go to the Statistics Menu and choose
+VoIP Calls.
+
+Example: B<-z voip,calls>
+
+=item B<-z> wlan,stat[,<filter>]
+
+Show IEEE 802.11 network and station statistics.
+
+=item B<-z> wsp,stat[,<filter>]
+
+Show WSP packet counters.
+
+=back
+
+=back
+
+=head1 INTERFACE
+
+=head2 MENU ITEMS
+
+=over 4
+
+=item File:Open
+
+=item File:Open Recent
+
+=item File:Merge
+
+Merge another capture file to the currently loaded one. The I<File:Merge>
+dialog box allows the merge "Prepended", "Chronologically" or "Appended",
+relative to the already loaded one.
+
+=item File:Close
+
+Open or close a capture file. The I<File:Open> dialog box
+allows a filter to be specified; when the capture file is read, the
+filter is applied to all packets read from the file, and packets not
+matching the filter are discarded. The I<File:Open Recent> is a submenu
+and will show a list of previously opened files.
+
+=item File:Save
+
+=item File:Save As
+
+Save the current capture, or the packets currently displayed from that
+capture, to a file. Check boxes let you select whether to save all
+packets, or just those that have passed the current display filter and/or
+those that are currently marked, and an option menu lets you select (from
+a list of file formats in which at particular capture, or the packets
+currently displayed from that capture, can be saved), a file format in
+which to save it.
+
+=item File:File Set:List Files
+
+Show a dialog box that lists all files of the file set matching the currently
+loaded file. A file set is a compound of files resulting from a capture using
+the "multiple files" / "ringbuffer" mode, recognizable by the filename pattern,
+e.g.: Filename_00001_20210714101530.pcap.
+
+=item File:File Set:Next File
+
+=item File:File Set:Previous File
+
+If the currently loaded file is part of a file set (see above), open the
+next / previous file in that set.
+
+=item File:Export
+
+Export captured data into an external format. Note: the data cannot be
+imported back into Wireshark, so be sure to keep the capture file.
+
+=item File:Print
+
+Print packet data from the current capture. You can select the range of
+packets to be printed (which packets are printed), and the output format of
+each packet (how each packet is printed). The output format will be similar
+to the displayed values, so a summary line, the packet details view, and/or
+the hex dump of the packet can be printed.
+
+Printing options can be set with the I<Edit:Preferences> menu item, or in the
+dialog box popped up by this menu item.
+
+=item File:Quit
+
+Exit the application.
+
+=item Edit:Copy:Description
+
+Copies the description of the selected field in the protocol tree to
+the clipboard.
+
+=item Edit:Copy:Fieldname
+
+Copies the fieldname of the selected field in the protocol tree to
+the clipboard.
+
+=item Edit:Copy:Value
+
+Copies the value of the selected field in the protocol tree to
+the clipboard.
+
+=item Edit:Copy:As Filter
+
+Create a display filter based on the data currently highlighted in the
+packet details and copy that filter to the clipboard.
+
+If that data is a field that can be tested in a display filter
+expression, the display filter will test that field; otherwise, the
+display filter will be based on the absolute offset within the packet.
+Therefore it could be unreliable if the packet contains protocols with
+variable-length headers, such as a source-routed token-ring packet.
+
+=item Edit:Find Packet
+
+Search forward or backward, starting with the currently selected packet
+(or the most recently selected packet, if no packet is selected). Search
+criteria can be a display filter expression, a string of hexadecimal
+digits, or a text string.
+
+When searching for a text string, you can search the packet data, or you
+can search the text in the Info column in the packet list pane or in the
+packet details pane.
+
+Hexadecimal digits can be separated by colons, periods, or dashes.
+Text string searches can be ASCII or Unicode (or both), and may be
+case insensitive.
+
+=item Edit:Find Next
+
+=item Edit:Find Previous
+
+Search forward / backward for a packet matching the filter from the previous
+search, starting with the currently selected packet (or the most recently
+selected packet, if no packet is selected).
+
+=item Edit:Mark Packet (toggle)
+
+Mark (or unmark if currently marked) the selected packet. The field
+"frame.marked" is set for packets that are marked, so that, for example,
+a display filters can be used to display only marked packets, and so that
+the L</"Edit:Find Packet"> dialog can be used to find the next or previous
+marked packet.
+
+=item Edit:Find Next Mark
+
+=item Edit:Find Previous Mark
+
+Find next/previous marked packet.
+
+=item Edit:Mark All Packets
+
+=item Edit:Unmark All Packets
+
+Mark / Unmark all packets that are currently displayed.
+
+=item Edit:Time Reference:Set Time Reference (toggle)
+
+Set (or unset if currently set) the selected packet as a Time Reference packet.
+When a packet is set as a Time Reference packet, the timestamps in the packet
+list pane will be replaced with the string "*REF*".
+The relative time timestamp in later packets will then be calculated relative
+to the timestamp of this Time Reference packet and not the first packet in
+the capture.
+
+Packets that have been selected as Time Reference packets will always be
+displayed in the packet list pane. Display filters will not affect or
+hide these packets.
+
+If there is a column displayed for "Cumulative Bytes" this counter will
+be reset at every Time Reference packet.
+
+=item Edit:Time Reference:Find Next
+
+=item Edit:Time Reference:Find Previous
+
+Search forward / backward for a time referenced packet.
+
+=item Edit:Configuration Profiles
+
+Manage configuration profiles to be able to use more than one set of
+preferences and configurations.
+
+=item Edit:Preferences
+
+Set the GUI, capture, printing and protocol options
+(see L</Preferences> dialog below).
+
+=item View:Main Toolbar
+
+=item View:Filter Toolbar
+
+=item View:Statusbar
+
+Show or hide the main window controls.
+
+=item View:Packet List
+
+=item View:Packet Details
+
+=item View:Packet Bytes
+
+Show or hide the main window panes.
+
+=item View:Time Display Format
+
+Set the format of the packet timestamp displayed in the packet list window.
+
+=item View:Name Resolution:Resolve Name
+
+Try to resolve a name for the currently selected item.
+
+=item View:Name Resolution:Enable for ... Layer
+
+Enable or disable translation of addresses to names in the display.
+
+=item View:Colorize Packet List
+
+Enable or disable the coloring rules. Disabling will improve performance.
+
+=item View:Auto Scroll in Live Capture
+
+Enable or disable the automatic scrolling of the
+packet list while a live capture is in progress.
+
+=item View:Zoom In
+
+=item View:Zoom Out
+
+Zoom into / out of the main window data (by changing the font size).
+
+=item View:Normal Size
+
+Reset the zoom factor of zoom in / zoom out back to normal font size.
+
+=item View:Resize All Columns
+
+Resize all columns to best fit the current packet display.
+
+=item View:Expand / Collapse Subtrees
+
+Expands / Collapses the currently selected item and it's subtrees in the packet details.
+
+=item View:Expand All
+
+=item View:Collapse All
+
+Expand / Collapse all branches of the packet details.
+
+=item View:Colorize Conversation
+
+Select color for a conversation.
+
+=item View:Reset Coloring 1-10
+
+Reset Color for a conversation.
+
+=item View:Coloring Rules
+
+Change the foreground and background colors of the packet information in
+the list of packets, based upon display filters. The list of display
+filters is applied to each packet sequentially. After the first display
+filter matches a packet, any additional display filters in the list are
+ignored. Therefore, if you are filtering on the existence of protocols,
+you should list the higher-level protocols first, and the lower-level
+protocols last.
+
+=over
+
+=item How Colorization Works
+
+Packets are colored according to a list of color filters. Each filter
+consists of a name, a filter expression and a coloration. A packet is
+colored according to the first filter that it matches. Color filter
+expressions use exactly the same syntax as display filter expressions.
+
+When Wireshark starts, the color filters are loaded from:
+
+=over
+
+=item 1. The user's personal color filters file or, if that does not exist,
+
+=item 2. The global color filters file.
+
+=back
+
+If neither of these exist then the packets will not be colored.
+
+=back
+
+=item View:Show Packet In New Window
+
+Create a new window containing a packet details view and a hex dump
+window of the currently selected packet; this window will continue to
+display that packet's details and data even if another packet is
+selected.
+
+=item View:Reload
+
+Reload a capture file. Same as I<File:Close> and I<File:Open> the same
+file again.
+
+=item Go:Back
+
+Go back in previously visited packets history.
+
+=item Go:Forward
+
+Go forward in previously visited packets history.
+
+=item Go:Go To Packet
+
+Go to a particular numbered packet.
+
+=item Go:Go To Corresponding Packet
+
+If a field in the packet details pane containing a packet number is
+selected, go to the packet number specified by that field. (This works
+only if the dissector that put that entry into the packet details put it
+into the details as a filterable field rather than just as text.) This
+can be used, for example, to go to the packet for the request
+corresponding to a reply, or the reply corresponding to a request, if
+that packet number has been put into the packet details.
+
+=item Go:Previous Packet
+
+=item Go:Next Packet
+
+=item Go:First Packet
+
+=item Go:Last Packet
+
+Go to the previous / next / first / last packet in the capture.
+
+=item Go:Previous Packet In Conversation
+
+=item Go:Next Packet In Conversation
+
+Go to the previous / next packet of the conversation (TCP, UDP or IP)
+
+=item Capture:Interfaces
+
+Shows a dialog box with all currently known interfaces and displaying the
+current network traffic amount. Capture sessions can be started from here.
+Beware: keeping this box open results in high system load!
+
+=item Capture:Options
+
+Initiate a live packet capture (see L</"Capture Options Dialog">
+below). If no filename is specified, a temporary file will be created
+to hold the capture. The location of the file can be chosen by setting your
+TMPDIR environment variable before starting B<Wireshark>. Otherwise, the
+default TMPDIR location is system-dependent, but is likely either F</var/tmp>
+or F</tmp>.
+
+=item Capture:Start
+
+Start a live packet capture with the previously selected options. This won't
+open the options dialog box, and can be convenient for repeatedly capturing
+with the same options.
+
+=item Capture:Stop
+
+Stop a running live capture.
+
+=item Capture:Restart
+
+While a live capture is running, stop it and restart with the same options
+again. This can be convenient to remove irrelevant packets, if no valuable
+packets were captured so far.
+
+=item Capture:Capture Filters
+
+Edit the saved list of capture filters, allowing filters to be added,
+changed, or deleted.
+
+=item Analyze:Display Filters
+
+Edit the saved list of display filters, allowing filters to be added,
+changed, or deleted.
+
+=item Analyze:Display Filter Macros
+
+Create shortcuts for complex macros
+
+=item Analyze:Apply as Filter
+
+Create a display filter based on the data currently highlighted in the
+packet details and apply the filter.
+
+If that data is a field that can be tested in a display filter
+expression, the display filter will test that field; otherwise, the
+display filter will be based on the absolute offset within the packet.
+Therefore it could be unreliable if the packet contains protocols with
+variable-length headers, such as a source-routed token-ring packet.
+
+The B<Selected> option creates a display filter that tests for a match
+of the data; the B<Not Selected> option creates a display filter that
+tests for a non-match of the data. The B<And Selected>, B<Or Selected>,
+B<And Not Selected>, and B<Or Not Selected> options add to the end of
+the display filter in the strip at the top (or bottom) an AND or OR
+operator followed by the new display filter expression.
+
+=item Analyze:Prepare as Filter
+
+Create a display filter based on the data currently highlighted in the
+packet details. The filter strip at the top (or bottom) is updated but
+it is not yet applied.
+
+=item Analyze:Enabled Protocols
+
+Allow protocol dissection to be enabled or disabled for a specific
+protocol. Individual protocols can be enabled or disabled by clicking
+on them in the list or by highlighting them and pressing the space bar.
+The entire list can be enabled, disabled, or inverted using the buttons
+below the list.
+
+When a protocol is disabled, dissection in a particular packet stops
+when that protocol is reached, and Wireshark moves on to the next packet.
+Any higher-layer protocols that would otherwise have been processed will
+not be displayed. For example, disabling TCP will prevent the dissection
+and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively
+dependent on TCP.
+
+The list of protocols can be saved, so that Wireshark will start up with
+the protocols in that list disabled.
+
+=item Analyze:Decode As
+
+If you have a packet selected, present a dialog allowing you to change
+which dissectors are used to decode this packet. The dialog has one
+panel each for the link layer, network layer and transport layer
+protocol/port numbers, and will allow each of these to be changed
+independently. For example, if the selected packet is a TCP packet to
+port 12345, using this dialog you can instruct Wireshark to decode all
+packets to or from that TCP port as HTTP packets.
+
+=item Analyze:User Specified Decodes
+
+Create a new window showing whether any protocol ID to dissector
+mappings have been changed by the user. This window also allows the
+user to reset all decodes to their default values.
+
+=item Analyze:Follow TCP Stream
+
+If you have a TCP packet selected, display the contents of the data
+stream for the TCP connection to which that packet belongs, as text, in
+a separate window, and leave the list of packets in a filtered state,
+with only those packets that are part of that TCP connection being
+displayed. You can revert to your old view by pressing ENTER in the
+display filter text box, thereby invoking your old display filter (or
+resetting it back to no display filter).
+
+The window in which the data stream is displayed lets you select:
+
+=over 8
+
+=item *
+whether to display the entire conversation, or one or the other side of
+it;
+
+=item *
+whether the data being displayed is to be treated as ASCII or EBCDIC
+text or as raw hex data;
+
+=back
+
+and lets you print what's currently being displayed, using the same
+print options that are used for the I<File:Print Packet> menu item, or
+save it as text to a file.
+
+=item Analyze:Follow UDP Stream
+
+=item Analyze:Follow TLS Stream
+
+(Similar to Analyze:Follow TCP Stream)
+
+=item Analyze:Expert Info
+
+=item Analyze:Expert Info Composite
+
+(Kind of) a log of anomalies found by Wireshark in a capture file.
+
+=item Analyze:Conversation Filter
+
+=item Statistics:Summary
+
+Show summary information about the capture, including elapsed time,
+packet counts, byte counts, and the like. If a display filter is in
+effect, summary information will be shown about the capture and about
+the packets currently being displayed.
+
+=item Statistics:Protocol Hierarchy
+
+Show the number of packets, and the number of bytes in those packets,
+for each protocol in the trace. It organizes the protocols in the same
+hierarchy in which they were found in the trace. Besides counting the
+packets in which the protocol exists, a count is also made for packets
+in which the protocol is the last protocol in the stack. These
+last-protocol counts show you how many packets (and the byte count
+associated with those packets) B<ended> in a particular protocol. In
+the table, they are listed under "End Packets" and "End Bytes".
+
+=item Statistics:Conversations
+
+Lists of conversations; selectable by protocol. See Statistics:Conversation List below.
+
+=item Statistics:End Points
+
+List of End Point Addresses by protocol with packets/bytes/.... counts.
+
+=item Statistics:Packet Lengths
+
+Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
+
+=item Statistics:I/O Graphs
+
+Open a window where up to 5 graphs in different colors can be displayed
+to indicate number of packets or number of bytes per second for all packets
+matching the specified filter.
+By default only one graph will be displayed showing number of packets per second.
+
+The top part of the window contains the graphs and scales for the X and
+Y axis. If the graph is too long to fit inside the window there is a
+horizontal scrollbar below the drawing area that can scroll the graphs
+to the left or the right. The horizontal axis displays the time into
+the capture and the vertical axis will display the measured quantity at
+that time.
+
+Below the drawing area and the scrollbar are the controls. On the
+bottom left there will be five similar sets of controls to control each
+individual graph such as "Display:<button>" which button will toggle
+that individual graph on/off. If <button> is ticked, the graph will be
+displayed. "Color:<color>" which is just a button to show which color
+will be used to draw that graph. Finally "Filter:<filter-text>" which
+can be used to specify a display filter for that particular graph.
+
+If filter-text is empty then all packets will be used to calculate the
+quantity for that graph. If filter-text is specified only those packets
+that match that display filter will be considered in the calculation of
+quantity.
+
+To the right of the 5 graph controls there are four menus to control
+global aspects of the draw area and graphs. The "Unit:" menu is used to
+control what to measure; "packets/tick", "bytes/tick" or "advanced..."
+
+packets/tick will measure the number of packets matching the (if
+specified) display filter for the graph in each measurement interval.
+
+bytes/tick will measure the total number of bytes in all packets matching
+the (if specified) display filter for the graph in each measurement
+interval.
+
+advanced... see below
+
+"Tick interval:" specifies what measurement intervals to use. The
+default is 1 second and means that the data will be counted over 1
+second intervals.
+
+"Pixels per tick:" specifies how many pixels wide each measurement
+interval will be in the drawing area. The default is 5 pixels per tick.
+
+"Y-scale:" controls the max value for the y-axis. Default value is
+"auto" which means that B<Wireshark> will try to adjust the maxvalue
+automatically.
+
+"advanced..." If Unit:advanced... is selected the window will display
+two more controls for each of the five graphs. One control will be a
+menu where the type of calculation can be selected from
+SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a
+single display filter field can be specified.
+
+The following restrictions apply to type and field combinations:
+
+SUM: available for all types of integers and will calculate the SUM of
+all occurrences of this field in the measurement interval. Note that
+some field can occur multiple times in the same packet and then all
+instances will be summed up. Example: 'tcp.len' which will count the
+amount of payload data transferred across TCP in each interval.
+
+COUNT: available for all field types. This will COUNT the number of times
+certain field occurs in each interval. Note that some fields
+may occur multiple times in each packet and if that is the case
+then each instance will be counted independently and COUNT
+will be greater than the number of packets.
+
+MAX: available for all integer and relative time fields. This will calculate
+the max seen integer/time value seen for the field during the interval.
+Example: 'smb.time' which will plot the maximum SMB response time.
+
+MIN: available for all integer and relative time fields. This will calculate
+the min seen integer/time value seen for the field during the interval.
+Example: 'smb.time' which will plot the minimum SMB response time.
+
+AVG: available for all integer and relative time fields.This will
+calculate the average seen integer/time value seen for the field during
+the interval. Example: 'smb.time' which will plot the average SMB
+response time.
+
+LOAD: available only for relative time fields (response times).
+
+Example of advanced:
+Display how NFS response time MAX/MIN/AVG changes over time:
+
+Set first graph to:
+
+ filter:nfs&&rpc.time
+ Calc:MAX rpc.time
+
+Set second graph to
+
+ filter:nfs&&rpc.time
+ Calc:AVG rpc.time
+
+Set third graph to
+
+ filter:nfs&&rpc.time
+ Calc:MIN rpc.time
+
+Example of advanced:
+Display how the average packet size from host a.b.c.d changes over time.
+
+Set first graph to
+
+ filter:ip.addr==a.b.c.d&&frame.pkt_len
+ Calc:AVG frame.pkt_len
+
+LOAD:
+The LOAD io-stat type is very different from anything you have ever seen
+before! While the response times themselves as plotted by MIN,MAX,AVG are
+indications on the Server load (which affects the Server response time),
+the LOAD measurement measures the Client LOAD.
+What this measures is how much workload the client generates,
+i.e. how fast will the client issue new commands when the previous ones
+completed.
+i.e. the level of concurrency the client can maintain.
+The higher the number, the more and faster is the client issuing new
+commands. When the LOAD goes down, it may be due to client load making
+the client slower in issuing new commands (there may be other reasons as
+well, maybe the client just doesn't have any commands it wants to issue
+right then).
+
+Load is measured in concurrency/number of overlapping i/o and the value
+1000 means there is a constant load of one i/o.
+
+In each tick interval the amount of overlap is measured.
+See the graph below containing three commands:
+Below the graph are the LOAD values for each interval that would be calculated.
+
+ | | | | | | | | |
+ | | | | | | | | |
+ | | o=====* | | | | | |
+ | | | | | | | | |
+ | o========* | o============* | | |
+ | | | | | | | | |
+ --------------------------------------------------> Time
+ 500 1500 500 750 1000 500 0 0
+
+=item Statistics:Conversation List
+
+This option will open a new window that displays a list of all
+conversations between two endpoints. The list has one row for each
+unique conversation and displays total number of packets/bytes seen as
+well as number of packets/bytes in each direction.
+
+By default the list is sorted according to the number of packets but by
+clicking on the column header; it is possible to re-sort the list in
+ascending or descending order by any column.
+
+By first selecting a conversation by clicking on it and then using the
+right mouse button (on those platforms that have a right
+mouse button) Wireshark will display a popup menu offering several different
+filter operations to apply to the capture.
+
+These statistics windows can also be invoked from the Wireshark command
+line using the B<-z conv> argument.
+
+=item Statistics:Service Response Time
+
+=over 4
+
+=item *
+AFP
+
+=item *
+CAMEL
+
+=item *
+DCE-RPC
+
+Open a window to display Service Response Time statistics for an
+arbitrary DCE-RPC program
+interface and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>,
+B<Maximum SRT> and B<Average SRT> for all procedures for that
+program/version. These windows opened will update in semi-real time to
+reflect changes when doing live captures or when reading new capture
+files into B<Wireshark>.
+
+This dialog will also allow an optional filter string to be used.
+If an optional filter string is used only such DCE-RPC request/response pairs
+that match that filter will be used to calculate the statistics. If no filter
+string is specified all request/response pairs will be used.
+
+=item *
+Diameter
+
+=item *
+Fibre Channel
+
+Open a window to display Service Response Time statistics for Fibre Channel
+and display B<FC Type>, B<Number of Calls>, B<Minimum SRT>,
+B<Maximum SRT> and B<Average SRT> for all FC types.
+These windows opened will update in semi-real time to
+reflect changes when doing live captures or when reading new capture
+files into B<Wireshark>.
+The Service Response Time is calculated as the time delta between the
+First packet of the exchange and the Last packet of the exchange.
+
+This dialog will also allow an optional filter string to be used.
+If an optional filter string is used only such FC first/last exchange pairs
+that match that filter will be used to calculate the statistics. If no filter
+string is specified all request/response pairs will be used.
+
+=item *
+GTP
+
+=item *
+H.225 RAS
+
+Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
+Data collected is B<number of calls> for each known ITU-T H.225 RAS Message Type,
+B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.
+You will also get the number of B<Open Requests> (Unresponded Requests),
+B<Discarded Responses> (Responses without matching request) and Duplicate Messages.
+These windows opened will update in semi-real time to reflect changes when
+doing live captures or when reading new capture files into B<Wireshark>.
+
+You can apply an optional filter string in a dialog box, before starting
+the calculation. The statistics will only be calculated
+on those calls matching that filter.
+
+=item *
+LDAP
+
+=item *
+MEGACO
+
+=item *
+MGCP
+
+Collect requests/response SRT (Service Response Time) data for MGCP.
+Data collected is B<number of calls> for each known MGCP Type,
+B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.
+These windows opened will update in semi-real time to reflect changes when
+doing live captures or when reading new capture files into B<Wireshark>.
+
+You can apply an optional filter string in a dialog box, before starting
+the calculation. The statistics will only be calculated
+on those calls matching that filter.
+
+=item *
+NCP
+
+=item *
+ONC-RPC
+
+Open a window to display statistics for an arbitrary ONC-RPC program interface
+and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT> for all procedures for that program/version.
+These windows opened will update in semi-real time to reflect changes when
+doing live captures or when reading new capture files into B<Wireshark>.
+
+This dialog will also allow an optional filter string to be used.
+If an optional filter string is used only such ONC-RPC request/response pairs
+that match that filter will be used to calculate the statistics. If no filter
+string is specified all request/response pairs will be used.
+
+By first selecting a conversation by clicking on it and then using the
+right mouse button (on those platforms that have a right
+mouse button) Wireshark will display a popup menu offering several different
+filter operations to apply to the capture.
+
+=item *
+RADIUS
+
+=item *
+SCSI
+
+=item *
+SMB
+
+Collect call/reply SRT (Service Response Time) data for SMB. Data collected
+is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
+
+The data will be presented as separate tables for all normal SMB commands,
+all Transaction2 commands and all NT Transaction commands.
+Only those commands that are seen in the capture will have its stats
+displayed.
+Only the first command in a xAndX command chain will be used in the
+calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
+only the SessionSetupAndX call will be used in the statistics.
+This is a flaw that might be fixed in the future.
+
+You can apply an optional filter string in a dialog box, before starting
+the calculation. The stats will only be calculated
+on those calls matching that filter.
+
+By first selecting a conversation by clicking on it and then using the
+right mouse button (on those platforms that have a right
+mouse button) Wireshark will display a popup menu offering several different
+filter operations to apply to the capture.
+
+=item *
+SMB2
+
+=back
+
+=item Statistics:BOOTP-DHCP
+
+
+
+=item Statistics:Compare
+
+Compare two Capture Files
+
+=item Statistics:Flow Graph
+
+Flow Graph: General/TCP
+
+=item Statistics:HTTP
+
+HTTP Load Distribution, Packet Counter & Requests
+
+=item Statistics:IP Addresses
+
+Count/Rate/Percent by IP Address
+
+=item Statistics:IP Destinations
+
+Count/Rate/Percent by IP Address/protocol/port
+
+=item Statistics:IP Protocol Types
+
+Count/Rate/Percent by IP Protocol Types
+
+=item Statistics:ONC-RPC Programs
+
+This dialog will open a window showing aggregated SRT statistics for all
+ONC-RPC Programs/versions that exist in the capture file.
+
+=item Statistics:TCP Stream Graph
+
+Graphs: Round Trip; Throughput; Time-Sequence (Stevens); Time-Sequence (tcptrace)
+
+=item Statistics:UDP Multicast streams
+
+Multicast Streams Counts/Rates/... by Source/Destination Address/Port pairs
+
+=item Statistics:WLAN Traffic
+
+WLAN Traffic Statistics
+
+=item Telephony:ITU-T H.225
+
+Count ITU-T H.225 messages and their reasons. In the first column you get a
+list of H.225 messages and H.225 message reasons, which occur in the current
+capture file. The number of occurrences of each message or reason will be displayed
+in the second column.
+This window opened will update in semi-real time to reflect changes when
+doing live captures or when reading new capture files into B<Wireshark>.
+
+You can apply an optional filter string in a dialog box, before starting
+the counter. The statistics will only be calculated
+on those calls matching that filter.
+
+=item Telephony:SIP
+
+Activate a counter for SIP messages. You will get the number of occurrences of each
+SIP Method and of each SIP Status-Code. Additionally you also get the number of
+resent SIP Messages (only for SIP over UDP).
+
+This window opened will update in semi-real time to reflect changes when
+doing live captures or when reading new capture files into B<Wireshark>.
+
+You can apply an optional filter string in a dialog box, before starting
+the counter. The statistics will only be calculated
+on those calls matching that filter.
+
+=item Tools:Firewall ACL Rules
+
+
+
+=item Help:Contents
+
+Some help texts.
+
+=item Help:Supported Protocols
+
+List of supported protocols and display filter protocol fields.
+
+=item Help:Manual Pages
+
+Display locally installed HTML versions of these manual pages in a web browser.
+
+=item Help:Wireshark Online
+
+Various links to online resources to be open in a web browser, like
+L<https://www.wireshark.org>.
+
+=item Help:About Wireshark
+
+See various information about Wireshark (see L</About> dialog below), like the
+version, the folders used, the available plugins, ...
+
+=back
+
+=head2 WINDOWS
+
+=over 4
+
+=item Main Window
+
+The main window contains the usual things like the menu, some toolbars, the
+main area and a statusbar. The main area is split into three panes, you can
+resize each pane using a "thumb" at the right end of each divider line.
+
+The main window is much more flexible than before. The layout of the main
+window can be customized by the I<Layout> page in the dialog box popped
+up by I<Edit:Preferences>, the following will describe the layout with the
+default settings.
+
+=over 6
+
+=item Main Toolbar
+
+Some menu items are available for quick access here. There is no way to
+customize the items in the toolbar, however the toolbar can be hidden by
+I<View:Main Toolbar>.
+
+=item Filter Toolbar
+
+A display filter can be entered into the filter toolbar.
+A filter for HTTP, HTTPS, and DNS traffic might look like this:
+
+ tcp.port in {80 443 53}
+
+Selecting the I<Filter:> button lets you choose from a list of named
+filters that you can optionally save. Pressing the Return or Enter
+keys, or selecting the I<Apply> button, will cause the filter to be
+applied to the current list of packets. Selecting the I<Reset> button
+clears the display filter so that all packets are displayed (again).
+
+There is no way to customize the items in the toolbar, however the toolbar
+can be hidden by I<View:Filter Toolbar>.
+
+=item Packet List Pane
+
+The top pane contains the list of network packets that you can scroll
+through and select. By default, the packet number, packet timestamp,
+source and destination addresses, protocol, and description are
+displayed for each packet; the I<Columns> page in the dialog box popped
+up by I<Edit:Preferences> lets you change this (although, unfortunately,
+you currently have to save the preferences, and exit and restart
+Wireshark, for those changes to take effect).
+
+If you click on the heading for a column, the display will be sorted by
+that column; clicking on the heading again will reverse the sort order
+for that column.
+
+An effort is made to display information as high up the protocol stack
+as possible, e.g. IP addresses are displayed for IP packets, but the
+MAC layer address is displayed for unknown packet types.
+
+The right mouse button can be used to pop up a menu of operations.
+
+The middle mouse button can be used to mark a packet.
+
+=item Packet Details Pane
+
+The middle pane contains a display of the details of the
+currently-selected packet. The display shows each field and its value
+in each protocol header in the stack. The right mouse button can be
+used to pop up a menu of operations.
+
+=item Packet Bytes Pane
+
+The lowest pane contains a hex and ASCII dump of the actual packet data.
+Selecting a field in the packet details highlights the corresponding
+bytes in this section.
+
+The right mouse button can be used to pop up a menu of operations.
+
+=item Statusbar
+
+The statusbar is divided into three parts, on the left some context dependent
+things are shown, like information about the loaded file, in the center the
+number of packets are displayed, and on the right the current configuration
+profile.
+
+The statusbar can be hidden by I<View:Statusbar>.
+
+=back
+
+=item Preferences
+
+The I<Preferences> dialog lets you control various personal preferences
+for the behavior of B<Wireshark>.
+
+=over 6
+
+=item User Interface Preferences
+
+The I<User Interface> page is used to modify small aspects of the GUI to
+your own personal taste:
+
+=over 6
+
+=item Selection Bars
+
+The selection bar in the packet list and packet details can have either
+a "browse" or "select" behavior. If the selection bar has a "browse"
+behavior, the arrow keys will move an outline of the selection bar,
+allowing you to browse the rest of the list or details without changing
+the selection until you press the space bar. If the selection bar has a
+"select" behavior, the arrow keys will move the selection bar and change
+the selection to the new item in the packet list or packet details.
+
+=item Save Window Position
+
+If this item is selected, the position of the main Wireshark window will
+be saved when Wireshark exits, and used when Wireshark is started again.
+
+=item Save Window Size
+
+If this item is selected, the size of the main Wireshark window will
+be saved when Wireshark exits, and used when Wireshark is started again.
+
+=item Save Window Maximized state
+
+If this item is selected the maximize state of the main Wireshark window
+will be saved when Wireshark exists, and used when Wireshark is started again.
+
+=item File Open Dialog Behavior
+
+This item allows the user to select how Wireshark handles the listing
+of the "File Open" Dialog when opening trace files. "Remember Last
+Directory" causes Wireshark to automatically position the dialog in the
+directory of the most recently opened file, even between launches of Wireshark.
+"Always Open in Directory" allows the user to define a persistent directory
+that the dialog will always default to.
+
+=item Directory
+
+Allows the user to specify a persistent File Open directory. Trailing
+slashes or backslashes will automatically be added.
+
+=item File Open Preview timeout
+
+This items allows the user to define how much time is spend reading the
+capture file to present preview data in the File Open dialog.
+
+=item Open Recent maximum list entries
+
+The File menu supports a recent file list. This items allows the user to
+specify how many files are kept track of in this list.
+
+=item Ask for unsaved capture files
+
+When closing a capture file or Wireshark itself if the file isn't saved yet
+the user is presented the option to save the file when this item is set.
+
+=item Wrap during find
+
+This items determines the behavior when reaching the beginning or the end
+of a capture file. When set the search wraps around and continues, otherwise
+it stops.
+
+=item Settings dialogs show a save button
+
+This item determines if the various dialogs sport an explicit Save button
+or that save is implicit in OK / Apply.
+
+=item Web browser command
+
+This entry specifies the command line to launch a web browser. It is used
+to access online content, like the Wiki and user guide. Use '%s' to place
+the request URL in the command line.
+
+=back
+
+=item Layout Preferences
+
+The I<Layout> page lets you specify the general layout of the main window.
+You can choose from six different layouts and fill the three panes with the
+contents you like.
+
+=over 6
+
+=item Scrollbars
+
+The vertical scrollbars in the three panes can be set to be either on
+the left or the right.
+
+=item Alternating row colors
+
+=item Hex Display
+
+The highlight method in the hex dump display for the selected protocol
+item can be set to use either inverse video, or bold characters.
+
+=item Toolbar style
+
+=item Filter toolbar placement
+
+=item Custom window title
+
+=back
+
+=item Column Preferences
+
+The I<Columns> page lets you specify the number, title, and format
+of each column in the packet list.
+
+The I<Column title> entry is used to specify the title of the column
+displayed at the top of the packet list. The type of data that the column
+displays can be specified using the I<Column format> option menu.
+The row of buttons on the left perform the following actions:
+
+=over 6
+
+=item New
+
+Adds a new column to the list.
+
+=item Delete
+
+Deletes the currently selected list item.
+
+=item Up / Down
+
+Moves the selected list item up or down one position.
+
+=back
+
+=item Font Preferences
+
+The I<Font> page lets you select the font to be used for most text.
+
+=item Color Preferences
+
+The I<Colors> page can be used to change the color of the text
+displayed in the TCP stream window and for marked packets. To change a color,
+simply select an attribute from the "Set:" menu and use the color selector to
+get the desired color. The new text colors are displayed as a sample text.
+
+=item Capture Preferences
+
+The I<Capture> page lets you specify various parameters for capturing
+live packet data; these are used the first time a capture is started.
+
+The I<Interface:> combo box lets you specify the interface from which to
+capture packet data, or the name of a FIFO from which to get the packet
+data.
+
+The I<Data link type:> option menu lets you, for some interfaces, select
+the data link header you want to see on the packets you capture. For
+example, in some OSes and with some versions of libpcap, you can choose,
+on an 802.11 interface, whether the packets should appear as Ethernet
+packets (with a fake Ethernet header) or as 802.11 packets.
+
+The I<Limit each packet to ... bytes> check box lets you set the
+snapshot length to use when capturing live data; turn on the check box,
+and then set the number of bytes to use as the snapshot length.
+
+The I<Filter:> text entry lets you set a capture filter expression to be
+used when capturing.
+
+If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
+REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create a
+default capture filter that excludes traffic from the hosts and ports
+defined in those variables.
+
+The I<Capture packets in promiscuous mode> check box lets you specify
+whether to put the interface in promiscuous mode when capturing.
+
+The I<Update list of packets in real time> check box lets you specify
+that the display should be updated as packets are seen.
+
+The I<Automatic scrolling in live capture> check box lets you specify
+whether, in an "Update list of packets in real time" capture, the packet
+list pane should automatically scroll to show the most recently captured
+packets.
+
+=item Printing Preferences
+
+The radio buttons at the top of the I<Printing> page allow you choose
+between printing packets with the I<File:Print Packet> menu item as text
+or PostScript, and sending the output directly to a command or saving it
+to a file. The I<Command:> text entry box, on UNIX-compatible systems,
+is the command to send files to (usually B<lpr>), and the I<File:> entry
+box lets you enter the name of the file you wish to save to.
+Additionally, you can select the I<File:> button to browse the file
+system for a particular save file.
+
+=item Name Resolution Preferences
+
+The I<Enable MAC name resolution>, I<Enable network name resolution> and
+I<Enable transport name resolution> check boxes let you specify whether
+MAC addresses, network addresses, and transport-layer port numbers
+should be translated to names.
+
+The I<Enable concurrent DNS name resolution> allows Wireshark to send out
+multiple name resolution requests and not wait for the result before
+continuing dissection. This speeds up dissection with network name
+resolution but initially may miss resolutions. The number of concurrent
+requests can be set here as well.
+
+I<SMI paths>
+
+I<SMI modules>
+
+=item RTP Player Preferences
+
+This page allows you to select the number of channels visible in the
+RTP player window. It determines the height of the window, more channels
+are possible and visible by means of a scroll bar.
+
+=item Protocol Preferences
+
+There are also pages for various protocols that Wireshark dissects,
+controlling the way Wireshark handles those protocols.
+
+=back
+
+=item Edit Capture Filter List
+
+=item Edit Display Filter List
+
+=item Capture Filter
+
+=item Display Filter
+
+=item Read Filter
+
+=item Search Filter
+
+The I<Edit Capture Filter List> dialog lets you create, modify, and
+delete capture filters, and the I<Edit Display Filter List> dialog lets
+you create, modify, and delete display filters.
+
+The I<Capture Filter> dialog lets you do all of the editing operations
+listed, and also lets you choose or construct a filter to be used when
+capturing packets.
+
+The I<Display Filter> dialog lets you do all of the editing operations
+listed, and also lets you choose or construct a filter to be used to
+filter the current capture being viewed.
+
+The I<Read Filter> dialog lets you do all of the editing operations
+listed, and also lets you choose or construct a filter to be used to
+as a read filter for a capture file you open.
+
+The I<Search Filter> dialog lets you do all of the editing operations
+listed, and also lets you choose or construct a filter expression to be
+used in a find operation.
+
+In all of those dialogs, the I<Filter name> entry specifies a
+descriptive name for a filter, e.g. B<Web and DNS traffic>. The
+I<Filter string> entry is the text that actually describes the filtering
+action to take, as described above.The dialog buttons perform the
+following actions:
+
+=over 6
+
+=item New
+
+If there is text in the two entry boxes, creates a new associated list
+item.
+
+=item Edit
+
+Modifies the currently selected list item to match what's in the entry
+boxes.
+
+=item Delete
+
+Deletes the currently selected list item.
+
+=item Add Expression...
+
+For display filter expressions, pops up a dialog box to allow you to
+construct a filter expression to test a particular field; it offers
+lists of field names, and, when appropriate, lists from which to select
+tests to perform on the field and values with which to compare it. In
+that dialog box, the OK button will cause the filter expression you
+constructed to be entered into the I<Filter string> entry at the current
+cursor position.
+
+=item OK
+
+In the I<Capture Filter> dialog, closes the dialog box and makes the
+filter in the I<Filter string> entry the filter in the I<Capture
+Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
+box and makes the filter in the I<Filter string> entry the current
+display filter, and applies it to the current capture. In the I<Read
+Filter> dialog, closes the dialog box and makes the filter in the
+I<Filter string> entry the filter in the I<Open Capture File> dialog.
+In the I<Search Filter> dialog, closes the dialog box and makes the
+filter in the I<Filter string> entry the filter in the I<Find Packet>
+dialog.
+
+=item Apply
+
+Makes the filter in the I<Filter string> entry the current display
+filter, and applies it to the current capture.
+
+=item Save
+
+If the list of filters being edited is the list of
+capture filters, saves the current filter list to the personal capture
+filters file, and if the list of filters being edited is the list of
+display filters, saves the current filter list to the personal display
+filters file.
+
+=item Close
+
+Closes the dialog without doing anything with the filter in the I<Filter
+string> entry.
+
+=back
+
+=item The Color Filters Dialog
+
+This dialog displays a list of color filters and allows it to be
+modified.
+
+=over
+
+=item THE FILTER LIST
+
+Single rows may be selected by clicking. Multiple rows may be selected
+by using the ctrl and shift keys in combination with the mouse button.
+
+=item NEW
+
+Adds a new filter at the bottom of the list and opens the Edit Color
+Filter dialog box. You will have to alter the filter expression at
+least before the filter will be accepted. The format of color filter
+expressions is identical to that of display filters. The new filter is
+selected, so it may immediately be moved up and down, deleted or edited.
+To avoid confusion all filters are unselected before the new filter is
+created.
+
+=item EDIT
+
+Opens the Edit Color Filter dialog box for the selected filter. (If this
+button is disabled you may have more than one filter selected, making it
+ambiguous which is to be edited.)
+
+=item ENABLE
+
+Enables the selected color filter(s).
+
+=item DISABLE
+
+Disables the selected color filter(s).
+
+=item DELETE
+
+Deletes the selected color filter(s).
+
+=item EXPORT
+
+Allows you to choose a file in which to save the current list of color
+filters. You may also choose to save only the selected filters. A
+button is provided to save the filters in the global color filters file
+(you must have sufficient permissions to write this file, of course).
+
+=item IMPORT
+
+Allows you to choose a file containing color filters which are then
+added to the bottom of the current list. All the added filters are
+selected, so they may be moved to the correct position in the list as a
+group. To avoid confusion, all filters are unselected before the new
+filters are imported. A button is provided to load the filters from the
+global color filters file.
+
+=item CLEAR
+
+Deletes your personal color filters file, reloads the global
+color filters file, if any, and closes the dialog.
+
+=item UP
+
+Moves the selected filter(s) up the list, making it more likely that
+they will be used to color packets.
+
+=item DOWN
+
+Moves the selected filter(s) down the list, making it less likely that
+they will be used to color packets.
+
+=item OK
+
+Closes the dialog and uses the color filters as they stand.
+
+=item APPLY
+
+Colors the packets according to the current list of color filters, but
+does not close the dialog.
+
+=item SAVE
+
+Saves the current list of color filters in your personal color filters
+file. Unless you do this they will not be used the next time you start
+Wireshark.
+
+=item CLOSE
+
+Closes the dialog without changing the coloration of the packets. Note
+that changes you have made to the current list of color filters are not
+undone.
+
+=back
+
+=item Capture Options Dialog
+
+The I<Capture Options Dialog> lets you specify various parameters for
+capturing live packet data.
+
+The I<Interface:> field lets you specify the interface from which to
+capture packet data or a command from which to get the packet data via a
+pipe.
+
+The I<Link layer header type:> field lets you specify the interfaces link
+layer header type. This field is usually disabled, as most interface have
+only one header type.
+
+The I<Capture packets in promiscuous mode> check box lets you specify
+whether the interface should be put into promiscuous mode when
+capturing.
+
+The I<Limit each packet to ... bytes> check box and field lets you
+specify a maximum number of bytes per packet to capture and save; if the
+check box is not checked, the limit will be 262144 bytes.
+
+The I<Capture Filter:> entry lets you specify the capture filter using a
+tcpdump-style filter string as described above.
+
+The I<File:> entry lets you specify the file into which captured packets
+should be saved, as in the I<Printer Options> dialog above. If not
+specified, the captured packets will be saved in a temporary file; you
+can save those packets to a file with the I<File:Save As> menu item.
+
+The I<Use multiple files> check box lets you specify that the capture
+should be done in "multiple files" mode. This option is disabled, if the
+I<Update list of packets in real time> option is checked.
+
+The I<Next file every ... megabyte(s)> check box and fields lets
+you specify that a switch to a next file should be done
+if the specified filesize is reached. You can also select the appropriate
+unit, but beware that the filesize has a maximum of 2 GiB.
+The check box is forced to be checked, as "multiple files" mode requires a
+file size to be specified.
+
+The I<Next file every ... minute(s)> check box and fields lets
+you specify that the switch to a next file should be done after the specified
+time has elapsed, even if the specified capture size is not reached.
+
+The I<Ring buffer with ... files> field lets you specify the number
+of files of a ring buffer. This feature will capture into the first file
+again, after the specified number of files have been used.
+
+The I<Stop capture after ... files> field lets you specify the number
+of capture files used, until the capture is stopped.
+
+The I<Stop capture after ... packet(s)> check box and field let
+you specify that Wireshark should stop capturing after having captured
+some number of packets; if the check box is not checked, Wireshark will
+not stop capturing at some fixed number of captured packets.
+
+The I<Stop capture after ... megabyte(s)> check box and field lets
+you specify that Wireshark should stop capturing after the file to which
+captured packets are being saved grows as large as or larger than some
+specified number of megabytes. If the check box is not checked, Wireshark
+will not stop capturing at some capture file size (although the operating
+system on which Wireshark is running, or the available disk space, may still
+limit the maximum size of a capture file). This option is disabled, if
+"multiple files" mode is used,
+
+The I<Stop capture after ... second(s)> check box and field let you
+specify that Wireshark should stop capturing after it has been capturing
+for some number of seconds; if the check box is not checked, Wireshark
+will not stop capturing after some fixed time has elapsed.
+
+The I<Update list of packets in real time> check box lets you specify
+whether the display should be updated as packets are captured and, if
+you specify that, the I<Automatic scrolling in live capture> check box
+lets you specify the packet list pane should automatically scroll to
+show the most recently captured packets as new packets arrive.
+
+The I<Enable MAC name resolution>, I<Enable network name resolution> and
+I<Enable transport name resolution> check boxes let you specify whether
+MAC addresses, network addresses, and transport-layer port numbers
+should be translated to names.
+
+=item About
+
+The I<About> dialog lets you view various information about Wireshark.
+
+=item About:Wireshark
+
+The I<Wireshark> page lets you view general information about Wireshark,
+like the installed version, licensing information and such.
+
+=item About:Authors
+
+The I<Authors> page shows the author and all contributors.
+
+=item About:Folders
+
+The I<Folders> page lets you view the directory names where Wireshark is
+searching it's various configuration and other files.
+
+=item About:Plugins
+
+The I<Plugins> page lets you view the dissector plugin modules
+available on your system.
+
+The I<Plugins List> shows the name and version of each dissector plugin
+module found on your system.
+
+On Unix-compatible systems, the plugins are looked for in the following
+directories: the F<lib/wireshark/plugins/$VERSION> directory under the
+main installation directory (for example,
+F</usr/local/lib/wireshark/plugins/$VERSION>), and then
+F<$HOME/.wireshark/plugins>.
+
+On Windows systems, the plugins are looked for in the following
+directories: F<plugins\$VERSION> directory under the main installation
+directory (for example, F<C:\Program Files\Wireshark\plugins\$VERSION>),
+and then F<%APPDATA%\Wireshark\plugins\$VERSION> (or, if %APPDATA% isn't
+defined, F<%USERPROFILE%\Application Data\Wireshark\plugins\$VERSION>).
+
+$VERSION is the version number of the plugin interface, which
+is typically the version number of Wireshark. Note that a dissector
+plugin module may support more than one protocol; there is not
+necessarily a one-to-one correspondence between dissector plugin modules
+and protocols. Protocols supported by a dissector plugin module are
+enabled and disabled using the I<Edit:Protocols> dialog box, just as
+protocols built into Wireshark are.
+
+=back
+
+=head1 CAPTURE FILTER SYNTAX
+
+See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
+or, if that doesn't exist, L<https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters>.
+
+=head1 DISPLAY FILTER SYNTAX
+
+For a complete table of protocol and protocol fields that are filterable
+in B<Wireshark> see the wireshark-filter(4) manual page.
+
+=head1 FILES
+
+These files contains various B<Wireshark> configuration settings.
+
+=over 4
+
+=item Preferences
+
+The F<preferences> files contain global (system-wide) and personal
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
+the command line flag B<-o> is used (possibly more than once), it will
+in turn override values from the preferences files.
+
+The preferences settings are in the form I<prefname:value>,
+one per line,
+where I<prefname> is the name of the preference
+and I<value> is the value to
+which it should be set; white space is allowed between B<:> and
+I<value>. A preference setting can be continued on subsequent lines by
+indenting the continuation lines with white space. A B<#> character
+starts a comment that runs to the end of the line:
+
+ # Vertical scrollbars should be on right side?
+ # TRUE or FALSE (case-insensitive).
+ gui.scrollbar_on_right: TRUE
+
+The global preferences file is looked for in the F<wireshark> directory
+under the F<share> subdirectory of the main installation directory (for
+example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
+systems, and in the main installation directory (for example,
+F<C:\Program Files\Wireshark\preferences>) on Windows systems.
+
+The personal preferences file is looked for in
+F<$XDG_CONFIG_HOME/wireshark/preferences>
+(or, if F<$XDG_CONFIG_HOME/wireshark> does not exist while F<$HOME/.wireshark>
+is present, F<$HOME/.wireshark/preferences>) on
+UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
+%APPDATA% isn't defined, F<%USERPROFILE%\Application
+Data\Wireshark\preferences>) on Windows systems.
+
+Note: Whenever the preferences are saved by using the I<Save> button
+in the I<Edit:Preferences> dialog box, your personal preferences file
+will be overwritten with the new settings, destroying any comments and
+unknown/obsolete settings that were in the file.
+
+=item Recent
+
+The F<recent> file contains personal settings (mostly GUI related) such
+as the current B<Wireshark> window size. The file is saved at program exit and
+read in at program start automatically. Note: The command line flag B<-o>
+may be used to override settings from this file.
+
+The settings in this file have the same format as in the F<preferences>
+files, and the same directory as for the personal preferences file is
+used.
+
+Note: Whenever Wireshark is closed, your recent file
+will be overwritten with the new settings, destroying any comments and
+unknown/obsolete settings that were in the file.
+
+=item Disabled (Enabled) Protocols
+
+The F<disabled_protos> files contain system-wide and personal lists of
+protocols that have been disabled, so that their dissectors are never
+called. The files contain protocol names, one per line, where the
+protocol name is the same name that would be used in a display filter
+for the protocol:
+
+ http
+ tcp # a comment
+
+If a protocol is listed in the global F<disabled_protos> file, it is not
+displayed in the I<Analyze:Enabled Protocols> dialog box, and so cannot
+be enabled by the user.
+
+The global F<disabled_protos> file uses the same directory as the global
+preferences file.
+
+The personal F<disabled_protos> file uses the same directory as the
+personal preferences file.
+
+Note: Whenever the disabled protocols list is saved by using the I<Save>
+button in the I<Analyze:Enabled Protocols> dialog box, your personal
+disabled protocols file will be overwritten with the new settings,
+destroying any comments that were in the file.
+
+=item Name Resolution (hosts)
+
+If the personal F<hosts> file exists, it is
+used to resolve IPv4 and IPv6 addresses before any other
+attempts are made to resolve them. The file has the standard F<hosts>
+file syntax; each line contains one IP address and name, separated by
+whitespace. The same directory as for the personal preferences file is used.
+
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file
+will not be consulted for capture filter name resolution.
+
+=item Name Resolution (subnets)
+
+If an IPv4 address cannot be translated via name resolution (no exact
+match is found) then a partial match is attempted via the F<subnets> file.
+Both the global F<subnets> file and personal F<subnets> files are used
+if they exist.
+
+Each line of this file consists of an IPv4 address, a subnet mask length
+separated only by a / and a name separated by whitespace. While the address
+must be a full IPv4 address, any values beyond the mask length are subsequently
+ignored.
+
+An example is:
+
+# Comments must be prepended by the # sign!
+192.168.0.0/24 ws_test_network
+
+A partially matched name will be printed as "subnet-name.remaining-address".
+For example, "192.168.0.1" under the subnet above would be printed as
+"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
+printed address would be "ws_test_network.0.1".
+
+=item Name Resolution (ethers)
+
+The F<ethers> files are consulted to correlate 6-byte hardware addresses to
+names. First the personal F<ethers> file is tried and if an address is not
+found there the global F<ethers> file is tried next.
+
+Each line contains one hardware address and name, separated by
+whitespace. The digits of the hardware address are separated by colons
+(:), dashes (-) or periods (.). The same separator character must be
+used consistently in an address. The following three lines are valid
+lines of an F<ethers> file:
+
+ ff:ff:ff:ff:ff:ff Broadcast
+ c0-00-ff-ff-ff-ff TR_broadcast
+ 00.00.00.00.00.00 Zero_broadcast
+
+The global F<ethers> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ethers> file is looked for in the same directory as the personal
+preferences file.
+
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file
+will not be consulted for capture filter name resolution.
+
+=item Name Resolution (manuf)
+
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask. The format of the
+file is the same as the F<ethers> files, except that entries such as:
+
+ 00:00:0C Cisco
+
+can be provided, with the 3-byte OUI and the name for a vendor, and
+entries such as:
+
+ 00-00-0C-07-AC/40 All-HSRP-routers
+
+can be specified, with a MAC address and a mask indicating how many bits
+of the address must match. The above entry, for example, has 40
+significant bits, or 5 bytes, and would match addresses from
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+multiple of 8.
+
+The F<manuf> file is looked for in the same directory as the global
+preferences file.
+
+=item Name Resolution (services)
+
+The F<services> file is used to translate port numbers into names.
+Both the global F<services> file and personal F<services> files are used
+if they exist.
+
+The file has the standard F<services> file syntax; each line contains one
+(service) name and one transport identifier separated by white space. The
+transport identifier includes one port number and one transport protocol name
+(typically tcp, udp, or sctp) separated by a /.
+
+An example is:
+
+mydns 5045/udp # My own Domain Name Server
+mydns 5045/tcp # My own Domain Name Server
+
+=item Name Resolution (ipxnets)
+
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
+found there the personal one is tried next.
+
+The format is the same as the F<ethers>
+file, except that each address is four bytes instead of six.
+Additionally, the address can be represented as a single hexadecimal
+number, as is more common in the IPX world, rather than four hex octets.
+For example, these four lines are valid lines of an F<ipxnets> file:
+
+ C0.A8.2C.00 HR
+ c0-a8-1c-00 CEO
+ 00:00:BE:EF IT_Server1
+ 110f FileServer3
+
+The global F<ipxnets> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ipxnets> file is looked for in the same directory as the
+personal preferences file.
+
+=item Capture Filters
+
+The F<cfilters> files contain system-wide and personal capture filters.
+Each line contains one filter, starting with the string displayed in the
+dialog box in quotation marks, followed by the filter string itself:
+
+ "HTTP" port 80
+ "DCERPC" port 135
+
+The global F<cfilters> file uses the same directory as the
+global preferences file.
+
+The personal F<cfilters> file uses the same directory as the personal
+preferences file. It is written through the Capture:Capture Filters
+dialog.
+
+If the global F<cfilters> file exists, it is used only if the personal
+F<cfilters> file does not exist; global and personal capture filters are
+not merged.
+
+=item Display Filters
+
+The F<dfilters> files contain system-wide and personal display filters.
+Each line contains one filter, starting with the string displayed in the
+dialog box in quotation marks, followed by the filter string itself:
+
+ "HTTP" http
+ "DCERPC" dcerpc
+
+The global F<dfilters> file uses the same directory as the
+global preferences file.
+
+The personal F<dfilters> file uses the same directory as the
+personal preferences file. It is written through the Analyze:Display
+Filters dialog.
+
+If the global F<dfilters> file exists, it is used only if the personal
+F<dfilters> file does not exist; global and personal display filters are
+not merged.
+
+=item Color Filters (Coloring Rules)
+
+The F<colorfilters> files contain system-wide and personal color filters.
+Each line contains one filter, starting with the string displayed in the
+dialog box, followed by the corresponding display filter. Then the
+background and foreground colors are appended:
+
+ # a comment
+ @tcp@tcp@[59345,58980,65534][0,0,0]
+ @udp@udp@[28834,57427,65533][0,0,0]
+
+The global F<colorfilters> file uses the same directory as the
+global preferences file.
+
+The personal F<colorfilters> file uses the same directory as the
+personal preferences file. It is written through the View:Coloring Rules
+dialog.
+
+If the global F<colorfilters> file exists, it is used only if the personal
+F<colorfilters> file does not exist; global and personal color filters are
+not merged.
+
+=item Plugins
+
+See above in the description of the About:Plugins page.
+
+=back
+
+=head1 ENVIRONMENT VARIABLES
+
+=over 4
+
+=item WIRESHARK_CONFIG_DIR
+
+This environment variable overrides the location of personal configuration
+files. It defaults to F<$XDG_CONFIG_HOME/wireshark> (or F<$HOME/.wireshark> if
+the former is missing while the latter exists). On Windows,
+F<%APPDATA%\Wireshark> is used instead. Available since Wireshark 3.0.
+
+=item WIRESHARK_DEBUG_WMEM_OVERRIDE
+
+Setting this environment variable forces the wmem framework to use the
+specified allocator backend for *all* allocations, regardless of which
+backend is normally specified by the code. This is mainly useful to developers
+when testing or debugging. See I<README.wmem> in the source distribution for
+details.
+
+=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY
+
+This environment variable causes the plugins and other data files to be loaded
+from the build directory (where the program was compiled) rather than from the
+standard locations. It has no effect when the program in question is running
+with root (or setuid) permissions on *NIX.
+
+=item WIRESHARK_DATA_DIR
+
+This environment variable causes the various data files to be loaded from
+a directory other than the standard locations. It has no effect when the
+program in question is running with root (or setuid) permissions on *NIX.
+
+=item ERF_RECORDS_TO_CHECK
+
+This environment variable controls the number of ERF records checked when
+deciding if a file really is in the ERF format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item IPFIX_RECORDS_TO_CHECK
+
+This environment variable controls the number of IPFIX records checked when
+deciding if a file really is in the IPFIX format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
+
+If this environment variable is set, B<Wireshark> will call abort(3)
+when a dissector bug is encountered. abort(3) will cause the program to
+exit abnormally; if you are running B<Wireshark> in a debugger, it
+should halt in the debugger and allow inspection of the process, and, if
+you are not running it in a debugger, it will, on some OSes, assuming
+your environment is configured correctly, generate a core dump file.
+This can be useful to developers attempting to troubleshoot a problem
+with a protocol dissector.
+
+=item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
+
+If this environment variable is set, B<Wireshark> will call abort(3)
+if a dissector tries to add too many items to a tree (generally this
+is an indication of the dissector not breaking out of a loop soon enough).
+abort(3) will cause the program to exit abnormally; if you are running
+B<Wireshark> in a debugger, it should halt in the debugger and allow
+inspection of the process, and, if you are not running it in a debugger,
+it will, on some OSes, assuming your environment is configured correctly,
+generate a core dump file. This can be useful to developers attempting to
+troubleshoot a problem with a protocol dissector.
+
+=item WIRESHARK_QUIT_AFTER_CAPTURE
+
+Cause B<Wireshark> to exit after the end of the capture session. This
+doesn't automatically start a capture; you must still use B<-k> to do
+that. You must also specify an autostop condition, e.g. B<-c> or B<-a
+duration:...>. This means that you will not be able to see the results
+of the capture after it stops; it's primarily useful for testing.
+
+=item WIRESHARK_LOG_LEVEL
+
+This environment variable controls the verbosity of diagnostic messages to
+the console. From less verbose to most verbose levels can be C<critical>,
+C<warning>, C<message>, C<info>, C<debug> or C<noisy>. Levels above the
+current level are also active. Levels C<critical> and C<error> are always
+active.
+
+=item WIRESHARK_LOG_FATAL
+
+Sets the fatal log level. Fatal log levels cause the program to abort.
+This level can be set to C<Error>, C<critical> or C<warning>. C<Error> is
+always fatal and is the default.
+
+=item WIRESHARK_LOG_DOMAINS
+
+This environment variable selects which log domains are active. The filter is
+given as a case-insensitive comma separated list. If set only the included
+domains will be enabled. The default domain is always considered to be enabled.
+Domain filter lists can be preceded by '!' to invert the sense of the match.
+
+=item WIRESHARK_LOG_DEBUG
+
+List of domains with C<debug> log level. This sets the level of the provided
+log domains and takes precedence over the active domains filter. If preceded
+by '!' this disables the C<debug> level instead.
+
+=item WIRESHARK_LOG_NOISY
+
+Same as above but for C<noisy> log level instead.
+
+=back
+
+=head1 AUTHORS
+
+Wireshark would not be the powerful, featureful application it is without the generous contributions of hundreds of developers.
+
+A complete list of authors can be found in the AUTHORS file in Wireshark's source code repository and at L<https://www.wireshark.org/about.html#authors>.
+
+=head1 SEE ALSO
+
+wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1), mergecap(1),
+text2pcap(1), pcap-filter(7) or tcpdump(8)
+
+=head1 NOTES
+
+The latest version of B<Wireshark> can be found at
+L<https://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<https://www.wireshark.org/docs/man-pages>.
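Review bot: the subnets and services examples will not render as verbatim blocks, because in POD a literal block must start with leading whitespace, and "# Comments must be prepended by the # sign!", "192.168.0.0/24 ws_test_network" and the two "mydns 5045/udp # My own Domain Name Server" lines are flush-left, unlike the ethers, ipxnets and cfilters examples a few items later, which are indented by one space; indent those four lines the same way so pod2man/pod2html keep them literal. In the WIRESHARK_LOG_LEVEL entry the level list names critical, warning, message, info, debug and noisy, but the next sentence says "Levels C<critical> and C<error> are always active", so error should be added to the list (or the sentence should drop it), and WIRESHARK_LOG_FATAL writes the same level as C<Error> while every other level is lowercase; pick one spelling. The ERF_RECORDS_TO_CHECK and IPFIX_RECORDS_TO_CHECK entries both read "Setting this environment variable a number higher than the default (20)" and are missing "to" before "a number".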