User Interface
Introduction
By now you have installed Ethereal and
are most likely keen to get started capturing your first packets. In
the next chapters we will explore:
How the Ethereal user interface works
How to capture packets in Ethereal
How to view packets in Ethereal
How to filter packets in Ethereal
... and many other things!
Start Ethereal
You can start Ethereal from your shell or window manager.
Tip!
When starting Ethereal it's possible to specify optional settings using
the command line. See for details.
Note!
In the following chapters, a lot of screenshots from Ethereal will be shown.
As Ethereal runs on many different platforms and there are different
versions of the underlying GUI toolkit (GTK 1.x / 2.x) used, your
screen might look different from the provided screenshots. But as there
are no real differences in functionality, these screenshots should still
be understandable.
The Main window
Let's look at Ethereal's user interface. The screenshot shows Ethereal as you would usually see it after some packets have been captured or loaded (how to do this will be described later).
Ethereal's main window consists of parts that are commonly known from many other GUI programs.
The menu (see )
is used to start actions.
The main toolbar (see )
provides quick access to frequently used items from the menu.
The filter toolbar (see )
provides a way to directly manipulate the currently used display filter
(see ).
The packet list pane (see )
displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
The packet details pane (see )
displays the packet selected in the packet list pane in more detail.
The packet bytes pane (see )
displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
The statusbar (see )
shows some detailed information about the current program state and
the captured data.
Tip!
The layout of the main window can be customized by changing preference settings.
See for details!
The Menu
The Ethereal menu sits on top of the Ethereal window.
An example is shown in .
Note!
Menu items will be greyed out if the corresponding feature isn't
available. For example, you cannot save a capture file if you didn't
capture or load any data before.
It contains the following items:
File
This menu contains items to open and merge capture files,
save / print / export capture files in whole or in part,
and to quit from Ethereal. See .
Edit
This menu contains items to find a packet, to set a time reference or mark one or more packets, and to set your preferences (cut, copy, and paste are not presently implemented).
See .
View
This menu controls the display of the captured data, including the colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in the packet details, and more.
See .
Go
This menu contains items to go to a specific packet.
See .
Capture
This menu allows you to start and stop captures and to edit capture filters.
See .
Analyze
This menu contains items to manipulate display filters, enable or
disable the dissection of protocols, configure user specified decodes
and follow a TCP stream.
See .
Statistics
This menu contains menu items to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics and much more.
See .
Help
This menu contains items to help the user, like access to some basic
help, a list of the supported protocols, manual pages, online access
to some of the webpages, and the usual about dialog.
See .
Each of these menu items is described in more detail in the sections
that follow.
Tip!
You can access menu items directly or by pressing the corresponding
accelerator keys, which are shown at the right side of the
menu. For example, you can press the Control (or Strg in German) and the K
keys together to open the capture dialog.
The "File" menu
The Ethereal File menu contains the fields shown in the following table.
File menu items
Open... (Ctrl+O)
This menu item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in .
Open Recent
This menu item shows a submenu containing the recently opened
capture files. Clicking on one of the submenu items will open the
corresponding capture file directly.
Merge...
This menu item brings up the merge file dialog box that
allows you to merge a capture file into the currently loaded one.
It is discussed in more detail in .
Close (Ctrl+W)
This menu item closes the current capture. If you
haven't saved the capture, you will be asked to do so first
(this can be disabled by a preference setting).
------
Save (Ctrl+S)
This menu item saves the current capture. If you
have not set a default capture file name (perhaps with
the -w <capfile> option), Ethereal pops up the
Save Capture File As dialog box (which is discussed
further in ).
Note!
If you have already saved the current capture, this
menu item will be greyed out.
Note!
You cannot save a live capture while it is in
progress. You must stop the capture in order to
save.
Save As... (Shift+Ctrl+S)
This menu item allows you to save the current capture
file to whatever file you would like. It pops up the
Save Capture File As dialog box (which is discussed
further in ).
------
Export > as "Plain Text" file...
This menu item allows you to export all, or some, of the packets in
the capture file to a plain ASCII text file.
It pops up the Ethereal Export dialog box (which is discussed further in
).
Export > as "PostScript" file...
This menu item allows you to export all (or some) of the packets in
the capture file to a PostScript file.
It pops up the Ethereal Export dialog box (which is discussed further in
).
Export > as "PSML" file...
This menu item allows you to export all (or some) of the packets in
the capture file to a PSML (packet summary markup language) XML file.
It pops up the Ethereal Export dialog box (which is discussed further in
).
Export > as "PDML" file...
This menu item allows you to export all (or some) of the packets in
the capture file to a PDML (packet details markup language) XML file.
It pops up the Ethereal Export dialog box (which is discussed further in
).
Export > Selected Packet Bytes... (Ctrl+H)
This menu item allows you to export the currently selected bytes
in the packet bytes pane to a binary file. It pops up the
Ethereal Export dialog box (which is discussed further in
)
------
Print... (Ctrl+P)
This menu item allows you to print all (or some of) the packets in
the capture file. It pops up the Ethereal Print dialog
box (which is discussed further in
).
------
Quit (Ctrl+Q)
This menu item allows you to quit from Ethereal.
Ethereal will ask to save your capture file if you haven't saved
it before (this can be disabled by a preference setting).
The "Edit" menu
The Ethereal Edit menu contains the fields shown in the following table.
Edit menu items
Find Packet... (Ctrl+F)
This menu item brings up a dialog box that allows you
to find a packet by many criteria.
There is further information on finding packets in
.
Find Next (Ctrl+N)
This menu item tries to find the next packet matching the
settings from "Find Packet...".
Find Previous (Ctrl+B)
This menu item tries to find the previous packet matching the
settings from "Find Packet...".
------
Time Reference > Set Time Reference (Ctrl+T)
This menu item sets a time reference on the currently selected
packet. See for more information about time referenced packets.
Time Reference > Find Next
This menu item tries to find the next time referenced packet.
Time Reference > Find Previous
This menu item tries to find the previous time referenced packet.
Mark Packet (Ctrl+M)
This menu item "marks" the currently selected packet. See
for details.
Mark All Packets
This menu item "marks" all packets.
Unmark All Packets
This menu item "unmarks" all marked packets.
------
Preferences... (Shift+Ctrl+P)
This menu item brings up a dialog box that allows
you to set preferences for many parameters that control
Ethereal. You can also save your preferences so Ethereal
will use them the next time you start it. More detail
is provided in .
The "View" menu
The Ethereal View menu contains the fields shown in the following table.
View menu items
Main Toolbar
This menu item hides or shows the main toolbar, see
.
Filter Toolbar
This menu item hides or shows the filter toolbar, see
.
Statusbar
This menu item hides or shows the statusbar, see
.
------
Packet List
This menu item hides or shows the packet list pane, see
.
Packet Details
This menu item hides or shows the packet details pane, see
.
Packet Bytes
This menu item hides or shows the packet bytes pane, see
.
------
Time Display Format > Time of Day
Selecting this tells Ethereal to display time
stamps in time of day format, see
.
Note!
The fields "Time of Day", "Date and Time of
Day", "Seconds Since Beginning of Capture" and "Seconds Since
Previous Packet" are mutually exclusive.
Time Display Format > Date and Time of Day
Selecting this tells Ethereal to display the
time stamps in date and time of day format, see
.
Time Display Format > Seconds Since Beginning of Capture
Selecting this tells Ethereal to display time
stamps in seconds since beginning of capture format, see
.
Time Display Format > Seconds Since Previous Packet
Selecting this tells Ethereal to display time stamps in
seconds since previous packet format, see
.
Name Resolution > Resolve Name
This item allows you to trigger a name resolve of the current packet
only, see .
Name Resolution > Enable for MAC Layer
This item allows you to control whether or not
Ethereal translates MAC addresses into names, see
.
Name Resolution > Enable for Network Layer
This item allows you to control whether or not
Ethereal translates network addresses into names, see
.
Name Resolution > Enable for Transport Layer
This item allows you to control whether or not
Ethereal translates transport addresses into names, see
.
Auto Scroll in Live Capture
This item allows you to specify that Ethereal
should scroll the packet list pane as new packets come
in, so you are always looking at the last packet. If you
do not specify this, Ethereal simply adds new packets onto
the end of the list, but does not scroll the packet list
pane.
------
Zoom In (Ctrl++)
Zoom into the packet data (increase the font size).
Zoom Out (Ctrl+-)
Zoom out of the packet data (decrease the font size).
Normal Size (Ctrl+=)
Set zoom level back to 100% (set font size back to normal).
------
Collapse All
Ethereal keeps a list of all the protocol subtrees
that are expanded, and uses it to ensure that the
correct subtrees are expanded when you display a packet.
This menu item collapses the tree view of all packets
in the capture list.
Expand All
This menu item expands all subtrees in all packets in
the capture.
Expand Tree
This menu item expands the currently selected subtree in the
packet details tree.
------
Coloring Rules...
This menu item brings up a dialog box that allows you
to color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets, see
.
------
Show Packet in New Window
This menu item brings up the selected packet in a
separate window. The separate window shows only the
tree view and byte view panes.
Reload (Ctrl+R)
This menu item allows you to reload the current
capture file.
The "Go" menu
The Ethereal Go menu contains the fields shown in the following table.
Go menu items
Go to Packet... (Ctrl+G)
This menu item brings up a dialog box that allows you
to specify a packet number, and then goes to that packet. See
for details.
Go to Corresponding Packet
This menu item goes to the corresponding packet of the currently
selected protocol field. If the selected field doesn't correspond
to a packet, this item is greyed out.
------
First Packet
This menu item jumps to the first packet of the capture file.
Last Packet
This menu item jumps to the last packet of the capture file.
The "Capture" menu
The Ethereal Capture menu contains the fields shown in the following table.
Capture menu items
Start... (Ctrl+K)
This menu item brings up the Capture Options
dialog box (discussed further in
) and allows you to
start capturing packets.
Stop (Ctrl+E)
This menu item stops the currently running capture, see .
Interfaces...
This menu item brings up a dialog box that shows what's going on
at the network interfaces Ethereal knows of, see .
Capture Filters...
This menu item brings up a dialog box that allows you to
create and edit capture filters. You can name filters,
and you can save them for future use. More detail on
this subject is provided in
The "Analyze" menu
The Ethereal Analyze menu contains the fields shown in the following table.
Analyze menu items
Display Filters...
This menu item brings up a dialog box that allows you
to create and edit display filters. You can name
filters, and you can save them for future use. More
detail on this subject is provided in
Apply as Filter > ...
These menu items will change the current display filter and apply
the changed filter immediately. Depending on the chosen menu item,
the current display filter string will be replaced or appended to
by the selected protocol field in the packet details pane.
Prepare a Filter > ...
These menu items will change the current display filter but won't
apply the changed filter. Depending on the chosen menu item,
the current display filter string will be replaced or appended to
by the selected protocol field in the packet details pane.
------
Enabled Protocols... (Shift+Ctrl+R)
This menu item allows the user to enable/disable protocol
dissectors, see .
Decode As...
This menu item allows the user to force Ethereal to
decode certain packets as a particular protocol, see .
User Specified Decodes...
This menu item allows the user to force Ethereal to
decode certain packets as a particular protocol, see .
------
Follow TCP Stream
This menu item brings up a separate window and displays
all the TCP segments captured that are on the same TCP
connection as a selected packet, see .
The "Statistics" menu
The Ethereal Statistics menu contains the fields shown in the following table.
All menu items will bring up a new window showing specific statistical
information.
Statistics menu items
Summary
Show information about the data captured, see .
Protocol Hierarchy
Display a hierarchical tree of protocol statistics, see .
Conversations
Display a list of conversations (traffic between two endpoints),
see .
Endpoints
Display a list of endpoints (traffic to/from an address), see
.
IO Graphs
Display user specified graphs (e.g. the number of packets in the
course of time), see .
------
Conversation List
Display a list of conversations, obsoleted by the combined window
of Conversations above, see
.
Endpoint List
Display a list of endpoints, obsoleted by the combined window
of Endpoints above, see
.
Service Response Time
Display the time between a request and the corresponding response, see
.
------
ANSI
See .
BOOTP-DHCP
See .
GSM
See .
HTTP
HTTP request/response statistics, see .
ISUP Message Types
See .
ITU-T H.225
See .
MTP3
See .
ONC-RPC Programs
See .
RTP
See .
SIP
See .
TCP Stream Graph
See .
WAP-WSP
See .
The "Help" menu
The Ethereal Help menu contains the fields shown in the following table.
Help menu items
Contents (F1)
This menu item brings up a basic help system.
Supported Protocols
This menu item brings up a dialog box showing the supported
protocols and protocol fields.
Manual Pages > ...
This menu item starts a Web browser showing one of the locally
installed html manual pages.
Ethereal Online > ...
This menu item starts a Web browser showing the chosen
webpage from:
&EtherealWebSite;.
------
About Ethereal
This menu item brings up an information window that
provides some information on Ethereal, such as the plugins, the
used folders, ...
Note!
Calling a Web browser might be unsupported in your version of Ethereal.
If this is the case, the corresponding menu items will be hidden.
Note!
If calling a Web browser fails on your machine, maybe because just nothing
happens or the browser is started but no page is shown, have a look at the
webbrowser setting in the preferences dialog.
The "Main" toolbar
The main toolbar provides quick access to frequently used items from the
menu. This toolbar cannot be customized by the user, but it can be hidden
using the View menu, if the space on the screen is needed to show even
more packet data.
As in the menu, only the items useful in the current program state will
be available. The others will be greyed out (e.g. you cannot save a capture
file if you haven't loaded one).
Main toolbar items
Start Capture... (menu: Capture/Start...)
This item brings up the Capture Options
dialog box (discussed further in
) and allows you to
start capturing packets.
Note!
If a live capture is in progress, and you are using "Update List
of Packets in Realtime", this icon will be replaced by the Stop
Capture icon.
Stop Capture (menu: Capture/Stop)
This item stops the currently running live capture process.
Note!
This icon is shown if a live capture is in progress, and you are
using "Update List of Packets in Realtime"; otherwise the Start
Capture icon is shown.
------
Open... (menu: File/Open...)
This item brings up the file open dialog box that
allows you to load a capture file for viewing. It is
discussed in more detail in .
Save As... (menu: File/Save As...)
This item allows you to save the current capture file to whatever
file you would like. It pops up the Save Capture File As dialog
box (which is discussed further in ).
Note!
If you currently have a temporary capture file, the Save icon
will be shown instead.
Close (menu: File/Close)
This item closes the current capture. If you
have not saved the capture, you will be asked to save it first.
Reload (menu: View/Reload)
This item allows you to reload the current capture file.
Print... (menu: File/Print...)
This item allows you to print all (or some of) the packets in
the capture file. It pops up the Ethereal Print dialog
box (which is discussed further in
).
------
Find Packet... (menu: Edit/Find Packet...)
This item brings up a dialog box that allows you
to find a packet. There is further information on finding packets
in .
Find Previous (menu: Edit/Find Previous)
This item tries to find the previous packet, matching the
settings from "Find Packet...".
Find Next (menu: Edit/Find Next)
This item tries to find the next packet, matching the
settings from "Find Packet...".
------
Go to Packet... (menu: Go/Go to Packet...)
This item brings up a dialog box that allows you
to specify a packet number to go to that packet.
Go To First Packet (menu: Go/First Packet)
This item jumps to the first packet of the capture file.
Go To Last Packet (menu: Go/Last Packet)
This item jumps to the last packet of the capture file.
------
Zoom In (menu: View/Zoom In)
Zoom into the packet data (increase the font size).
Zoom Out (menu: View/Zoom Out)
Zoom out of the packet data (decrease the font size).
Normal Size (menu: View/Normal Size)
Set zoom level back to 100%.
------
Capture Filters... (menu: Capture/Capture Filters...)
This item brings up a dialog box that allows you to
create and edit capture filters. You can name filters,
and you can save them for future use. More detail on
this subject is provided in
.
Display Filters... (menu: Analyze/Display Filters...)
This item brings up a dialog box that allows you
to create and edit display filters. You can name
filters, and you can save them for future use. More
detail on this subject is provided in
.
Coloring Rules... (menu: View/Coloring Rules...)
This item brings up a dialog box that allows you to
color packets in the packet list pane according to
filter expressions you choose. It can be very useful
for spotting certain types of packets. More
detail on this subject is provided in
.
Preferences... (menu: Edit/Preferences)
This item brings up a dialog box that allows
you to set preferences for many parameters that control
Ethereal. You can also save your preferences so Ethereal
will use them the next time you start it. More detail
is provided in
The "Filter" toolbar
The filter toolbar lets you quickly edit and apply display filters. More information on
display filters is available in .
The leftmost button labeled "Filter:" can be clicked to
bring up the filter construction dialog, described in .
The left middle text box provides an area to enter or edit display
filter strings, see
. A syntax check of your filter string is done while you are typing.
The background will turn red if you enter an incomplete or invalid
string, and will become green when you enter a valid string. You can
click on the pull down arrow to select a previously-entered filter
string from a list. The entries in the pull down list will remain
available even after a program restart.
Note!
After you've changed something in this field, don't forget to press
the Apply button (or the Enter/Return key), to apply this filter
string to the display.
Note!
This field is also where the current filter in effect is displayed.
The middle button labeled "Add Expression..." opens a dialog box that lets
you edit a display filter from a list of protocol fields, described in
The right middle button labeled "Clear" resets the current
display filter and clears the edit area.
The rightmost button labeled "Apply" applies the current
value in the edit area as the new display filter.
Note!
Applying a display filter on large capture files might take quite a long time!
The "Packet List" pane
The packet list pane displays all the packets in the current capture
file.
Each line in the packet list corresponds to one packet in the capture
file. If you select a line in this pane, more details will be displayed in
the "Packet Details" and "Packet Bytes" panes.
While dissecting a packet, Ethereal will place information from the
protocol dissectors into the columns. As higher level protocols might
overwrite information from lower levels, you will typically see the
information from the highest possible level only.
For example, let's look at a packet containing TCP inside IP inside
an Ethernet packet. The Ethernet dissector will write its data (such as
the Ethernet addresses), the IP dissector will overwrite this by its own
(such as the IP addresses), the TCP dissector will overwrite the IP
information, and so on.
There are a lot of different columns available. Which columns are
displayed can be selected by preference settings, see
.
The default columns will show:
No.
The number of the packet in the capture file. This number won't change,
even if a display filter is used.
Time
The timestamp of the packet. The presentation format of this timestamp
can be changed, see .
Source
The address where this packet is coming from.
Destination
The address where this packet is going to.
Protocol
The protocol name in a short (perhaps abbreviated) version.
Info
Additional information about the packet content.
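The column-overwriting behaviour described above, as an added example that is not Ethereal's code: a tiny dissector chain (Ethernet, IPv4, TCP) that fills the default Source, Destination, Protocol and Info columns, where each higher layer overwrites what the layer below wrote. The frames, the dissector names and the simplified Info strings are constructed for this example; checksums are left at zero.

```python
import struct

# Constructed example (not Ethereal code): a tiny dissector chain that fills the
# packet list columns the way the text describes. Each layer writes the columns it
# knows about into one shared dict, so a higher layer overwrites what the layer
# below it wrote. Source/Destination end up as IP addresses (not MACs) and
# Protocol/Info come from the highest layer this chain understands.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x10, "ACK"))


def dissect_ethernet(frame):
    """Return (columns, ethertype, payload) for a 14-byte Ethernet II header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    cols = {"Source": mac(src), "Destination": mac(dst),
            "Protocol": "Ethernet", "Info": f"type 0x{ethertype:04x}"}
    return cols, ethertype, frame[14:]


def dissect_ipv4(packet):
    """Return (columns, protocol number, payload) for an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = packet[9]
    ip = lambda raw: ".".join(str(b) for b in raw)
    cols = {"Source": ip(packet[12:16]), "Destination": ip(packet[16:20]),
            "Protocol": "IP", "Info": f"protocol {proto}"}
    return cols, proto, packet[ihl:]


def dissect_tcp(segment):
    """Return columns for a TCP header; addresses stay as the IP layer left them."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"Protocol": "TCP",
            "Info": f"{sport} > {dport} [{', '.join(flags)}] Seq={seq} Ack={ack}"}


def dissect(frame):
    """Run the dissectors in order; later updates overwrite earlier columns."""
    columns = {}
    eth_cols, ethertype, payload = dissect_ethernet(frame)
    columns.update(eth_cols)
    if ethertype != ETHERTYPE_IPV4:
        return columns                     # no IP dissector applies: Ethernet view stays
    ip_cols, proto, payload = dissect_ipv4(payload)
    columns.update(ip_cols)                # MAC addresses replaced by IP addresses
    if proto == IPPROTO_TCP:
        columns.update(dissect_tcp(payload))   # Protocol/Info replaced, addresses kept
    return columns                         # anything else stops at the IP view


def build_frame(proto, l4_payload):
    """Build a constructed Ethernet/IPv4 frame carrying l4_payload (checksums zeroed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_payload), 1, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4_payload


# Constructed sample packets: a TCP SYN to port 80, and a UDP datagram this chain
# has no dissector for (so its columns stop at the IP layer).
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, 0x5002, 8192, 0, 0)
SYN_FRAME = build_frame(IPPROTO_TCP, TCP_SYN)
UDP_FRAME = build_frame(17, bytes(8))

if __name__ == "__main__":
    for frame in (SYN_FRAME, UDP_FRAME):
        cols = dissect(frame)
        print(f"{cols['Source']:>12} -> {cols['Destination']:<12} "
              f"{cols['Protocol']:<8} {cols['Info']}")
```

Running it prints one packet-list style line per frame; the SYN shows IP addresses and TCP, while the UDP frame stops at the IP dissector because the chain has nothing above it.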
There is a context menu (right mouse click) available, see details in
.
The "Packet Details" pane
The packet details pane shows the current packet (selected in the "Packet List"
pane) in a more detailed form.
This pane shows the protocols and protocol fields of the packet selected
in the "Packet List" pane. The protocols and fields of the packet are
displayed using a tree, which can be expanded and collapsed.
There is a context menu (right mouse click) available, see details in
.
Some protocol fields are specially displayed.
Generated fields
Ethereal itself will generate additional protocol fields which are
surrounded by brackets. The information in these fields is derived from the
known context to other packets in the capture file. For example, Ethereal
is doing a sequence/acknowledge analysis of each TCP stream,
which is displayed in the [SEQ/ACK analysis] fields of the TCP protocol.
Links
If Ethereal detected a relationship to another packet in the capture file,
it will generate a link to that packet. Links are underlined and displayed
in blue. If double-clicked, Ethereal jumps to the corresponding packet.
The "Packet Bytes" pane
The packet bytes pane shows the data of the current packet (selected in the "Packet List"
pane) in a hexdump style.
As usual for a hexdump, the left side shows the offset into the packet data,
the middle shows the packet data in hexadecimal representation, and
the right side shows the corresponding ASCII characters (or a . for bytes
that are not printable).
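The hexdump layout described above, as an added example that is not Ethereal's code: offset column, hexadecimal bytes and an ASCII column with a . for every non-printable byte. The sample bytes are constructed for this example.

```python
# Constructed example (not Ethereal code): render packet data the way the packet
# bytes pane does: offset on the left, hex in the middle, ASCII on the right with
# a "." standing in for every byte that is not a printable ASCII character.

def hexdump(data, width=16):
    """Return the hexdump of data as a string, one line per `width` bytes."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # pad the last (shorter) line so the ASCII column stays aligned
        hex_part = hex_part.ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{offset:04x}  {hex_part}  {ascii_part}")
    return "\n".join(lines)


# Constructed sample: the start of an HTTP request with a CRLF and two
# non-printable bytes (NUL and DEL) that the ASCII column must show as ".".
SAMPLE = b"GET / HTTP/1.1\r\nHost: example\x00\x7f"

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```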
There is a context menu (right mouse click) available, see details in
.
Depending on the packet data, sometimes more than one page is available,
e.g. when Ethereal has reassembled some packets into a single chunk of
data, see . In this case there are
some additional tabs shown at the bottom of the pane to let you select
the page you want to see.
Note!
The additional pages might contain data picked from multiple packets.
The context menu (right mouse click) of the tab labels will show a list of
all available pages. This can be helpful if the size in the pane is too
small for all the tab labels.
The Statusbar
The statusbar displays informational messages.
In general, the left side will show context related information, while the
right side will show the current number of packets.
This statusbar is shown while no capture file is loaded, e.g. when
Ethereal is started.
The left side shows information about the capture file, its
name, its size and the elapsed time while it was being captured.
The right side shows the current number of packets in the
capture file. The following values are displayed:
P: the number of captured packets
D: the number of packets currently being displayed
M: the number of marked packets
This is displayed if you have selected a protocol field from the
"Packet Details" pane.
Tip!
The value between the brackets (in this example
arp.opcode) can be used as a display filter string,
representing the selected protocol field.