Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.

1.1.2. Features

The following are some of the many features Wireshark provides:

• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
• …​and a lot more!

However, to really appreciate its power you have to start using it.

Figure 1.1, “Wireshark captures packets and lets you examine their contents.” shows Wireshark having captured some packets and waiting for you to examine them.

Figure 1.1. Wireshark captures packets and lets you examine their contents.

The amount of resources Wireshark needs depends on your environment and on the size of the capture file you are analyzing. The values below should be fine for small to medium-sized capture files no more than a few hundred MB. Larger capture files will require more memory and disk space.

	Busy networks mean large captures
	A busy network can produce huge capture files. Capturing on even a 100 megabit network can produce hundreds of megabytes of capture data in a short time. A computer with a fast processor, and lots of memory and disk space is always a good idea.

If Wireshark runs out of memory it will crash. See https://wiki.wireshark.org/KnownBugs/OutOfMemory for details and workarounds.

Although Wireshark uses a separate process to capture packets, the packet analysis is single-threaded and won’t benefit much from multi-core systems.

You can get the latest copy of the program from the Wireshark website at https://www.wireshark.org/download.html. The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. Official Windows and macOS installers are signed by Wireshark Foundation using trusted certificates on those platforms. macOS installers are additionally notarized.

A new Wireshark version typically becomes available every six weeks.

If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list. You will find more details in Section 1.6.5, “Mailing Lists”.

Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-x.y.z.txt. Announcement messages are archived at https://lists.wireshark.org/archives/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/. Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems.

In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems.

Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0. Within days patches, bug reports, and words of encouragement started arriving and Ethereal was on its way to success.

Not long after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it.

In October, 1998 Guy Harris was looking for something better than tcpview so he started applying patches and contributing dissectors to Ethereal.

In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it didn’t at that point new protocols could be easily added. So he started contributing dissectors and contributing patches.

The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark did not already handle. So they copied an existing dissector and contributed the code back to the team.

In 2006 the project moved house and re-emerged under a new name: Wireshark.

In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was the first deemed complete, with the minimum features implemented. Its release coincided with the first Wireshark Developer and User Conference, called Sharkfest.

In 2015 Wireshark 2.0 was released, which featured a new user interface.

In 2023 Wireshark moved to the Wireshark Foundation, a nonprofit corporation that operates under section 501(c)(3) of the U.S. tax code. The foundation provides the project’s infrastructure, hosts SharkFest, our developer and user conference, and promotes low level network education.

Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark team, a loose group of individuals who fix bugs and provide new functionality.

There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue. You can find a list of the people who have contributed code to Wireshark by checking the about dialog box of Wireshark, or at the authors page on the Wireshark web site.

Wireshark is an open source software project, and is released under the GNU General Public License (GPL) version 2. All source code is freely available under the GPL. You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you contribute your improvements back to the Wireshark team.

You gain three benefits by contributing your improvements back to the community:

The Wireshark source code and binary kits for some platforms are all available on the download page of the Wireshark website: https://www.wireshark.org/download.html.

If you have problems or need help with Wireshark there are several places that may be of interest (besides this guide, of course).

1.6.4. FAQ

The Frequently Asked Questions lists often asked questions and their corresponding answers.

	Read the FAQ
	Before sending any mail to the mailing lists below, be sure to read the FAQ. It will often answer any questions you might have. This will save yourself and others a lot of time. Keep in mind that a lot of people are subscribed to the mailing lists.

You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the FAQ page in the dialog shown.

An online version is available at the Wireshark website at https://www.wireshark.org/faq.html. You might prefer this online version, as it’s typically more up to date and the HTML format is easier to use.

1.6.5. Mailing Lists

There are several mailing lists of specific Wireshark topics available:

wireshark-announce

Information about new program releases, which usually appear about every six weeks.

wireshark-users

Topics of interest to users of Wireshark. People typically post questions about using Wireshark and others (hopefully) provide answers.

wireshark-dev

Topics of interest to developers of Wireshark. If you want to develop a protocol dissector or update the user interface, join this list.

You can subscribe to each of these lists from the Wireshark web site: https://www.wireshark.org/lists/. From there, you can choose which mailing list you want to subscribe to by clicking on the Subscribe/Unsubscribe/Options button under the title of the relevant list. The links to the archives are included on that page as well.

	The lists are archived
	You can search in the list archives to see if someone asked the same question some time before and maybe already got an answer. That way you don’t have to wait until someone answers your question.

1.6.6. Reporting Problems

	Note
	Before reporting any problems, please make sure you have installed the latest version of Wireshark.

When reporting problems with Wireshark please supply the following information:

1. The version number of Wireshark and the dependent libraries linked with it, such as Qt or GLib. You can obtain this from Wireshark’s about box or the command wireshark -v.
2. Information about the platform you run Wireshark on (Windows, Linux, etc. and 32-bit, 64-bit, etc.).
3. A detailed description of your problem.
4. If you get an error/warning message, copy the text of that message (and also a few lines before and after it, if there are some) so others may find the place where things go wrong. Please don’t give something like: “I get a warning while doing x” as this won’t give a good idea where to look.

	Don’t send confidential information!
	If you send capture files to the mailing lists be sure they don’t contain any sensitive or confidential information like passwords or personally identifiable information (PII). In many cases you can use a tool like TraceWrangler to sanitize a capture file before sharing it.

	Don’t send large files
	Do not send large files (> 1 MB) to the mailing lists. Instead, provide a download link. For bugs and feature requests, you can create an issue on GitLab Issues and upload the file there.

$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt
backtrace
^D

As with all things there must be a beginning and so it is with Wireshark. To use Wireshark you must first install it. If you are running Windows or macOS you can download an official release at https://www.wireshark.org/download.html, install it, and skip the rest of this chapter.

If you are running another operating system such as Linux or FreeBSD you might want to install from source. Several Linux distributions offer Wireshark packages but they commonly provide out-of-date versions. No other versions of UNIX ship Wireshark so far. For that reason, you will need to know where to get the latest version of Wireshark and how to install it.

This chapter shows you how to obtain source and binary packages and how to build Wireshark from source should you choose to do so.

The general steps are the following:

You can obtain both source and binary distributions from the Wireshark main page or the download page at https://www.wireshark.org/download.html. Select the package most appropriate for your system.

The official Windows packages can be downloaded from the Wireshark main page or the download page. Installer names contain the version and platform. For example, Wireshark-4.5.0-x64.exe installs Wireshark 4.5.0 for Windows on 64-bit Intel processors. The Wireshark installer includes Npcap which is required for packet capture. Windows packages automatically update. See Section 2.8, “Updating Wireshark” for details.

Simply download the Wireshark installer from https://www.wireshark.org/download.html and execute it. Official packages are signed by Wireshark Foundation. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.

> Wireshark-4.2.5-x64.exe /NCRC /S /desktopicon=yes /D=C:\Program Files\Foo

> Wireshark-4.2.5-x64.exe /S /EXTRACOMPONENTS=sshdump,udpdump

We strongly recommended using the binary installer for Windows unless you want to start developing Wireshark on the Windows platform.

For further information how to obtain sources and build Wireshark for Windows from the sources see the Developer’s Guide at:

You may also want to have a look at the Development Wiki (https://wiki.wireshark.org/Development) for the latest available development documentation.

The official macOS packages can be downloaded from the Wireshark main page or the download page. They are signed by Wireshark Foundation. Packages are distributed as disk images (.dmg) containing the application bundle. Package names contain the platform and version. To install Wireshark simply open the disk image and drag Wireshark to your /Applications folder. macOS packages automatically update. See Section 2.8, “Updating Wireshark” for details.

In order to capture packets, you must install the “ChmodBPF” launch daemon. You can do so by opening the Install ChmodBPF.pkg file in the Wireshark .dmg or from Wireshark itself by opening Wireshark → About Wireshark selecting the “Folders” tab, and double-clicking “macOS Extras”.

The installer package includes Wireshark along with ChmodBPF and system path packages. See the included Read me first.html file for more details.

In general installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.

yum install wireshark wireshark-qt

rpm -ivh wireshark-2.0.0-1.x86_64.rpm wireshark-qt-2.0.0-1.x86_64.rpm

2.6.2. Installing from debs under Debian, Ubuntu and other Debian derivatives

If you can just install from the repository then use

apt install wireshark

Apt should take care of all of the dependency issues for you.

	Capturing requires privileges
	By installing Wireshark packages non-root, users won’t gain rights automatically to capture packets. To allow non-root users to capture packets follow the procedure described in https://gitlab.com/wireshark/wireshark/-/blob/master/packaging/debian/README.Debian (/usr/share/doc/wireshark-common/README.Debian.gz)

USE="c-ares ipv6 snmp ssl kerberos threads selinux" emerge wireshark

pkg_add -r wireshark

We recommended using the binary installer for your platform unless you want to start developing Wireshark.

Building Wireshark requires the proper build environment including a compiler and many supporting libraries. For more information, see the Developer’s Guide at:

By default, Wireshark on Windows and macOS will check for new versions and notify you when they are available. If you have the Check for updates preference disabled or if you run Wireshark in an isolated environment you should subscribe to the wireshark-announce mailing list to be notified of new versions. See Section 1.6.5, “Mailing Lists” for details on subscribing to this list.

New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done the same way as installing it. Simply download and run the installer on Windows, or download and drag the application on macOS. A reboot is usually not required and all your personal settings will remain unchanged.

We offer two update channels, Stable and Development. The Stable channel is the default, and only installs packages from stable (even-numbered) release branches. The Development channel installs development and release candidate packages when they are available, and stable releases otherwise. To configure your release channel, go to Preferences → Advanced and search for “update.channel”. See Section 11.5, “Preferences” for details.

By now you have installed Wireshark and are likely keen to get started capturing your first packets. In the next chapters we will explore:

You can start Wireshark from your shell or window manager.

	Power user tip
	When starting Wireshark it’s possible to specify optional settings using the command line. See Section 11.2, “Start Wireshark from the command line” for details.

The following chapters contain many screenshots of Wireshark. As Wireshark runs on many different platforms with many different window managers, different styles applied and there are different versions of the underlying GUI toolkit used, your screen might look different from the provided screenshots. But as there are no real differences in functionality these screenshots should still be well understandable.

Let’s look at Wireshark’s user interface. Figure 3.1, “The Main window” shows Wireshark as you would usually see it after some packets are captured or loaded (how to do this will be described later).

Figure 3.1. The Main window

Wireshark’s main window consists of parts that are commonly known from many other GUI programs.

	Tip
	The layout of the main window can be customized by changing preference settings. See Section 11.5, “Preferences” for details.

Wireshark’s main menu is located either at the top of the main window (Windows, Linux) or at the top of your main screen (macOS). An example is shown in Figure 3.2, “The Menu”.

	Note
	Some menu items will be disabled (greyed out) if the corresponding feature isn’t available. For example, you cannot save a capture file if you haven’t captured or loaded any packets.

Figure 3.2. The Menu

The main menu contains the following items:

Each of these menu items is described in more detail in the sections that follow.

	Shortcuts make life easier
	Most common menu items have keyboard shortcuts. For example, you can press the Control and the K keys together to open the “Capture Options” dialog.

The Wireshark file menu contains the fields shown in Table 3.2, “File menu items”.

Figure 3.3. The “File” Menu

The Wireshark Edit menu contains the fields shown in Table 3.3, “Edit menu items”.

Figure 3.4. The “Edit” Menu

The Wireshark View menu contains the fields shown in Table 3.4, “View menu items”.

Figure 3.5. The “View” Menu

The Wireshark Go menu contains the fields shown in Table 3.6, “Go menu items”.

Figure 3.6. The “Go” Menu

The Wireshark Capture menu contains the fields shown in Table 3.7, “Capture menu items”.

Figure 3.7. The “Capture” Menu

The Wireshark Analyze menu contains the fields shown in Table 3.8, “Analyze menu items”.

Figure 3.8. The “Analyze” Menu

The Wireshark Statistics menu contains the fields shown in Table 3.9, “Statistics menu items”.

Figure 3.9. The “Statistics” Menu

Each menu item brings up a new window showing specific statistics.

The Wireshark Telephony menu contains the fields shown in Table 3.10, “Telephony menu items”.

Figure 3.10. The “Telephony” Menu

Each menu item shows specific telephony related statistics.

The Wireless menu lets you analyze Bluetooth and IEEE 802.11 wireless LAN activity as shown in Figure 3.11, “The “Wireless” Menu”.

Figure 3.11. The “Wireless” Menu

Each menu item shows specific Bluetooth and IEEE 802.11 statistics.

The Wireshark Tools menu contains the fields shown in Table 3.12, “Tools menu items”.

Figure 3.12. The “Tools” Menu

The Wireshark Help menu contains the fields shown in Table 3.13, “Help menu items”.

Figure 3.13. The “Help” Menu

	Note
	Opening a Web browser might be unsupported in your version of Wireshark. If this is the case the corresponding menu items will be hidden. If calling a Web browser fails on your machine, nothing happens, or the browser starts but no page is shown, have a look at the web browser setting in the preferences dialog.

The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu if the space on the screen is needed to show more packet data.

Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu items. For example, in the image below shows the main window toolbar after a file has been opened. Various file-related buttons are enabled, but the stop capture button is disabled because a capture is not in progress.

Figure 3.14. The “Main” toolbar

The filter toolbar lets you quickly edit and apply display filters. More information on display filters is available in Section 6.3, “Filtering Packets While Viewing”.

Figure 3.15. The “Filter” toolbar

The packet list pane displays all the packets in the current capture file.

Figure 3.16. The “Packet List” pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the “Packet Details” and “Packet Bytes” panes.

While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher-level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only.

For example, let’s look at a packet containing TCP inside IP inside an Ethernet packet. The Ethernet dissector will write its data (such as the Ethernet addresses), the IP dissector will overwrite this by its own (such as the IP addresses), the TCP dissector will overwrite the IP information, and so on.

There are many different columns available. You can choose which columns are displayed in the preferences. See Section 11.5, “Preferences”.

The default columns will show:

The first column shows how each packet is related to the selected packet. For example, in the image above the first packet is selected, which is a DNS request. Wireshark shows a rightward arrow for the request itself, followed by a leftward arrow for the response in packet 2. Why is there a dashed line? There are more DNS packets further down that use the same port numbers. Wireshark treats them as belonging to the same conversation and draws a line connecting them.

The packet list has an Intelligent Scrollbar which shows a miniature map of nearby packets. Each raster line of the scrollbar corresponds to a single packet, so the number of packets shown in the map depends on your physical display and the height of the packet list. A tall packet list on a high-resolution (“Retina”) display will show you quite a few packets. In the image above the scrollbar shows the status of more than 500 packets along with the 15 shown in the packet list itself.

Right clicking will show a context menu, described in Figure 6.4, “Pop-up menu of the “Packet List” pane”.

The packet details pane shows the current packet (selected in the “Packet List” pane) in a more detailed form.

Figure 3.17. The “Packet Details” pane

This pane shows the protocols and protocol fields of the packet selected in the “Packet List” pane. The protocol summary lines (subtree labels) and fields of the packet are shown in a tree which can be expanded and collapsed.

There is a context menu (right mouse click) available. See details in Figure 6.5, “Pop-up menu of the “Packet Details” pane”.

Some protocol fields have special meanings.

The packet bytes pane shows the data of the current packet (selected in the “Packet List” pane) in a hexdump style.

Figure 3.18. The “Packet Bytes” pane

The “Packet Bytes” pane shows a canonical hex dump of the packet data. Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a period (“.”).

Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data. (See Section 7.8, “Packet Reassembly” for details). In this case you can see each data source by clicking its corresponding tab at the bottom of the pane.

The default mode for viewing will highlight the bytes for a field where the mouse pointer is hovering above. The highlight will follow the mouse cursor as it moves. If this highlighting is not required or wanted, there are two methods for deactivating the functionality:

Figure 3.19. The “Packet Bytes” pane with tabs

Additional tabs typically contain data reassembled from multiple packets or decrypted data.

The packet diagram pane shows the current packet (selected in the “Packet List” pane) as a diagram, similar to ones used in textbooks and IETF RFCs.

Figure 3.20. The “Packet Diagram” pane

This pane shows the protocols and top-level protocol fields of the packet selected in the “Packet List” pane as a series of diagrams.

There is a context menu (right mouse click) available. For details see Figure 6.7, “Pop-up menu of the “Packet Diagram” pane”.

The statusbar displays informational messages.

In general, the left side will show context related information, the middle part will show information about the current capture file, and the right side will show the selected configuration profile. Drag the handles between the text areas to change the size.

Figure 3.21. The initial Statusbar

This statusbar is shown while no capture file is loaded, e.g., when Wireshark is started.

Figure 3.22. The Statusbar with a loaded capture file

Figure 3.23. The Statusbar with a configuration profile menu

For a detailed description of configuration profiles, see Section 11.6, “Configuration Profiles”.

Figure 3.24. The Statusbar with a selected protocol field

This is displayed if you have selected a protocol field in the “Packet Details” pane.

	Tip
	The value between the parentheses (in this example “ipv6.src”) is the display filter field for the selected item. You can become more familiar with display filter fields by selecting different packet detail items.

Figure 3.25. The Statusbar with a display filter message

This is displayed if you are trying to use a display filter which may have unexpected results.

Capturing live network data is one of the major features of Wireshark.

The Wireshark capture engine provides the following features:

The capture engine still lacks the following features:

Setting up Wireshark to capture packets for the first time can be tricky. A comprehensive guide “How To setup a Capture” is available at https://wiki.wireshark.org/CaptureSetup.

Here are some common pitfalls:

If you have any problems setting up your capture environment, you should have a look at the guide mentioned above.

The following methods can be used to start capturing packets with Wireshark:

$ wireshark -i eth0 -k

This will start Wireshark capturing on interface eth0. More details can be found at Section 11.2, “Start Wireshark from the command line”.

When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces. Network activity for each interface will be shown in a sparkline next to the interface name. It is possible to select more than one interface and capture from them simultaneously.

Figure 4.1. Capture interfaces on Microsoft Windows

Figure 4.2. Capture interfaces on macOS

Some interfaces allow or require configuration prior to capture. This will be indicated by a configuration icon () to the left of the interface name. Clicking on the icon will show the configuration dialog for that interface.

Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter.

Wireshark isn’t limited to just network interfaces — on most systems you can also capture USB, Bluetooth, and other types of packets. Note also that an interface might be hidden if it’s inaccessible to Wireshark or if it has been hidden as described in Section 4.6, “The “Manage Interfaces” Dialog Box”.

When you select Capture → Options…​ (or use the corresponding item in the main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in Figure 4.3, “The “Capture Options” input tab”. If you are unsure which options to choose in this dialog box, leaving the defaults settings as they are should work well in many cases.

Figure 4.3. The “Capture Options” input tab

The “Input” tab contains the “Interface” table, which shows the following columns:

Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses.

If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings above will be overridden.

“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same time.

Manage Interfaces opens the Figure 4.6, “The “Manage Interfaces” dialog box” where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added.

Compile Selected BPFs opens Figure 4.7, “The “Compiled Filter Output” dialog box”, which shows you the compiled bytecode for your capture filter. This can help to better understand the capture filter you created.

	Linux power user tip
	The execution of BPFs can be sped up on Linux by turning on BPF Just In Time compilation by executing $ echo 1 >/proc/sys/net/core/bpf_jit_enable if it is not enabled already. To make the change persistent you can use sysfsutils.

Figure 4.4. The “Capture Options” output tab

The “Output” tab shows the following information:

More details about capture files can be found in Section 4.8, “Capture files and file modes”.

Figure 4.5. The “Capture Options” options tab

The “Options” tab shows the following information:

See Section 7.9, “Name Resolution” for more details on each of these options.

You can double-click on an interface row in the “Input“ tab or click Start from any tab to commence the capture. You can click Cancel to apply your changes and close the dialog.

Figure 4.6. The “Manage Interfaces” dialog box

The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage the following:

The “Pipes” tab lets you capture from a named pipe. To successfully add a pipe, its associated named pipe must have already been created. Click + and type the name of the pipe including its path. Alternatively, Browse can be used to locate the pipe.

To remove a pipe from the list of interfaces, select it and press -.

On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different machine. The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it.

On Linux or Unix you can capture (and do so more securely) through an SSH tunnel.

To add a new remote capture interface, click + and specify the following:

Each interface can optionally be hidden. In contrast to the local interfaces, they are not saved in the preferences file.

	Note
	Make sure you have outside access to port 2002 on the target platform. This is the default port used by the Remote Packet Capture Protocol service.

To remove a host including all its interfaces from the list, select it and click the - button.

This figure shows the results of compiling the BPF filter for the selected interfaces.

Figure 4.7. The “Compiled Filter Output” dialog box

In the list on the left the interface names are listed. The results of compiling a filter for the selected interface are shown on the right.

While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into a capture file.

By default, Wireshark saves packets to a temporary file. You can also tell Wireshark to save to a specific (“permanent”) file and switch to a different file after a given time has elapsed or a given number of packets have been captured. These options are controlled in the “Capture Options” dialog’s “Output” tab.

Figure 4.8. Capture output options

	Tip
	Working with large files (several hundred MB) can be quite slow. If you plan to do a long-term capture or capturing from a high traffic network, think about using one of the “Multiple files” options. This will spread the captured packets over several smaller files which can be much more pleasant to work with.

Using the “Multiple files” option may cut context related information. Wireshark keeps context information of the loaded packet data, so it can report context related problems (like a stream error) and keeps information about context related protocols (e.g., where data is exchanged at the establishing phase and only referred to in later packets). As it keeps this information only for the loaded file, using one of the multiple file modes may cut these contexts. If the establishing phase is saved in one file and the things you would like to see is in another, you might not see some of the valuable context related information.

Information about the folders used for capture files can be found in Appendix B, Files and Folders.

In most cases you won’t have to modify link-layer header type. Some exceptions are as follows:

If you are capturing on an Ethernet device you might be offered a choice of “Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be captured, select “DOCSIS”, otherwise select “Ethernet”.

If you are capturing on an 802.11 device on some versions of BSD you might be offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the captured packets to have fake (“cooked”) Ethernet headers. “802.11” will cause them to have full IEEE 802.11 headers. Unless the capture needs to be read by an application that doesn’t support 802.11 headers you should select “802.11”.

If you are capturing on an Endace DAG card connected to a synchronous serial line you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If the protocol on the serial line is PPP, select “PPP over serial” and if the protocol on the serial line is Cisco HDLC, select “Cisco HDLC”.

If you are capturing on an Endace DAG card connected to an ATM network you might be offered a choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs to be read by an application that doesn’t support SunATM headers, select “RFC 1483 IP-over-ATM”, otherwise select “Sun raw ATM”.

Wireshark supports limiting the packet capture to packets that match a capture filter. Wireshark capture filters are written in libpcap filter language. Below is a brief overview of the libpcap filter language’s syntax. Complete documentation can be found at the pcap-filter man page. You can find many Capture Filter examples at https://wiki.wireshark.org/CaptureFilters.

You enter the capture filter into the “Filter” field of the Wireshark “Capture Options” dialog box, as shown in Figure 4.3, “The “Capture Options” input tab”.

A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

[not] primitive [and|or [not] primitive ...]

An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a particular host”.

tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.

tcp port 23 and not src host 10.0.0.5

You might see the following dialog box while a capture is running:

Figure 4.9. The “Capture Information” dialog box

This dialog box shows a list of protocols and their activity over time. It can be enabled via the “capture.show_info” setting in the “Advanced” preferences.

This chapter will describe input and output of capture data.

Wireshark can read in previously saved capture files. To read them, simply select the File → Open menu or toolbar item. Wireshark will then pop up the “File Open” dialog box, which is discussed in more detail in Section 5.2.1, “The “Open Capture File” Dialog Box”.

	You can use drag and drop to open files
	On most systems you can open a file by simply dragging it in your file manager and dropping it onto Wireshark’s main window.

If you haven’t previously saved the current capture file you will be asked to do so to prevent data loss. This warning can be disabled in the preferences.

In addition to its native file format (pcapng), Wireshark can read and write capture files from a large number of other packet capture programs as well. See Section 5.2.2, “Input File Formats” for the list of capture formats Wireshark understands.

5.2.1. The “Open Capture File” Dialog Box

The “Open Capture File” dialog box allows you to search for a capture file containing previously captured packets for display in Wireshark. The following sections show some examples of the Wireshark “Open File” dialog box. The appearance of this dialog depends on the system. However, the functionality should be the same across systems.

Common dialog behavior on all systems:

• Select files and directories.
• Click the Open button to accept your selected file and open it.
• Click the Cancel button to go back to Wireshark and not load a capture file.
• The Help button will take you to this section of the “User’s Guide”.

Wireshark adds the following controls:

• View file preview information such as the size and the number of packets in a selected a capture file.

• Specify a read filter with the “Read filter” field. This filter will be used when opening the new file. The text field background will turn green for a valid filter string and red for an invalid one. Read filters can be used to exclude various types of traffic, which can be useful for large capture files. They use the same syntax as display filters, which are discussed in detail in Section 6.3, “Filtering Packets While Viewing”.
• Optionally force Wireshark to read a file as a particular type using the “Automatically detect file type” drop-down.

Figure 5.1. “Open” on Microsoft Windows

This is the common Windows file open dialog along with some Wireshark extensions.

Figure 5.2. “Open” - Linux and UNIX

This is the common Qt file open dialog along with some Wireshark extensions.

You can save captured packets by using the File → Save or File → Save As…​ menu items. You can choose which packets to save and which file format to be used.

Not all information will be saved in a capture file. For example, most file formats don’t record the number of dropped packets. See Section B.1, “Capture Files” for details.

5.3.1. The “Save Capture File As” Dialog Box

The “Save Capture File As” dialog box allows you to save the current capture to a file. The exact appearance of this dialog depends on your system. However, the functionality is the same across systems. Examples are shown below.

Figure 5.3. “Save” on Microsoft Windows

This is the common Windows file save dialog with some additional Wireshark extensions.

Figure 5.4. “Save” on Linux and UNIX

This is the common Qt file save dialog with additional Wireshark extensions.

You can perform the following actions:

• Type in the name of the file in which you wish to save the captured packets.
• Select the directory to save the file into.
• Specify the format of the saved capture file by clicking on the “Save as” drop-down box. You can choose from the types described in Section 5.3.2, “Output File Formats”. Some capture formats may not be available depending on the packet types captured.
• The Help button will take you to this section of the “User’s Guide”.
• “Compress with gzip” will compress the capture file as it is being written to disk.
• Click the Save button to accept your selected file and save it.
• Click on the Cancel button to go back to Wireshark without saving any packets.

If you don’t provide a file extension to the filename (e.g., .pcap) Wireshark will append the standard file extension for that file format.

	Wireshark can convert file formats
	You can convert capture files from one format to another by opening a capture and saving it as a different format.

If you wish to save some of the packets in your capture file you can do so via Section 5.7.1, “The “Export Specified Packets” Dialog Box”.

5.3.2. Output File Formats

Wireshark can save the packet data in its native file format (pcapng) and in the file formats of other protocol analyzers so other tools can read the capture data.

	Saving in a different format might lose data
	Saving your file in a different format might lose information such as comments, name resolution, and time stamp resolution. See Section 7.6, “Time Stamps” for more information on time stamps.

The following file formats can be saved by Wireshark (with the known file extensions):

• pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
• pcap (*.pcap). The default format used by the libpcap packet capture library. Used by tcpdump, _Snort, Nmap, Ntop, and many other tools.
• Accellent 5Views (*.5vw)
• captures from HP-UX nettl ({asterisktrc0,*.trc1)
• Microsoft Network Monitor - NetMon (*.cap)
• Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)
• Cinco Networks NetXray captures (*.cap)
• Network Associates Sniffer - Windows (*.cap)
• Network Instruments/Viavi Observer (*.bfr)
• Novell LANalyzer (*.tr1)
• Oracle (previously Sun) snoop (*.snoop,*.cap)
• Visual Networks Visual UpTime traffic (*.*)
• Symbian OS btsnoop captures (*.log)
• Tamosoft CommView captures (*.ncf)
• Catapult (now Ixia/Keysight) DCT2000 .out files (*.out)
• Endace Measurement Systems’ ERF format capture(*.erf)
• EyeSDN USB S0 traces (*.trc)
• Tektronix K12 text file format captures (*.txt)
• Tektronix K12xx 32bit .rf5 format captures (*.rf5)
• Android Logcat binary logs (*.logcat)
• Android Logcat text logs (*.*)
• Citrix NetScaler Trace files (*.cap)

New file formats are added from time to time.

Whether or not the above tools will be more helpful than Wireshark is a different question ;-)

	Third party protocol analyzers may require specific file extensions
	Wireshark examines a file’s contents to determine its type. Some other protocol analyzers only look at a file’s extension. For example, you might need to use the .cap extension in order to open a file using the Windows version of Sniffer.

Sometimes you need to merge several capture files into one. For example, this can be useful if you have captured simultaneously from multiple interfaces at once (e.g., using multiple instances of Wireshark).

There are three ways to merge capture files using Wireshark:

5.4.1. The “Merge With Capture File” Dialog Box

This lets you select a file to be merged into the currently loaded file. If your current data has not been saved you will be asked to save it first.

Most controls of this dialog will work the same way as described in the “Open Capture File” dialog box. See Section 5.2.1, “The “Open Capture File” Dialog Box” for details.

Specific controls of this merge dialog are:

Prepend packets

Prepend the packets from the selected file before the currently loaded packets.

Merge chronologically

Merge both the packets from the selected and currently loaded file in chronological order.

Append packets

Append the packets from the selected file after the currently loaded packets.

Figure 5.5. “Merge” on Microsoft Windows

This is the common Windows file open dialog with additional Wireshark extensions.

Figure 5.6. “Merge” on Linux and UNIX

This is the Qt file open dialog with additional Wireshark extensions.

Wireshark can read in a hex dump and write the data described into a temporary libpcap capture file. It can read hex dumps with multiple packets in them, and build a capture file of multiple packets. It is also capable of generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully processable packet dumps from hexdumps of application-level data only. Alternatively, a Dummy PDU header can be added to specify a dissector the data should be passed to initially.

Two methods for converting the input are supported:

I 2019-05-14T19:04:57Z
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........

> 0:00:00.265620 a130368b000000080060
> 0:00:00.280836 a1216c8b00000000000089086b0b82020407
< 0:00:00.295459 a2010800000000000000000800000000
> 0:00:00.296982 a1303c8b00000008007088286b0bc1ffcbf0f9ff
> 0:00:00.305644 a121718b0000000000008ba86a0b8008
< 0:00:00.319061 a2010900000000000000001000600000
> 0:00:00.330937 a130428b00000008007589186b0bb9ffd9f0fdfa3eb4295e99f3aaffd2f005
> 0:00:00.356037 a121788b0000000000008a18

regex: ^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$
timestamp: %H:%M:%S.%f
dir: in: <   out: >
encoding: HEX

5.5.3. The “Import From Hex Dump” Dialog Box

This dialog box lets you select a text file, containing a hex dump of packet data, to be imported and set import parameters.

Figure 5.7. The “Import from Hex Dump” dialog in Hex Dump mode

Specific controls of this import dialog are split in three sections:

File Source

Determine which input file has to be imported

Input Format

Determine how the input file has to be interpreted.

Encapsulation

Determine how the data is to be encapsulated.

5.5.5. Input Format

This section is split in the two alternatives for input conversion, accessible in the two Tabs "Hex Dump" and "Regular Expression"

In addition to the conversion mode specific inputs, there are also common parameters, currently only the timestamp format.

5.5.5.1. The Hex Dump tab

Offsets

Select the radix of the offsets given in the text file to import. This is usually hexadecimal, but decimal and octal are also supported. Select None when only the bytes are present. These will be imported as a single packet.

Direction indication

Tick this box if the text file to import has direction indicators before each frame. These are on a separate line before each frame and start with either I or i for input and O or o for output.

5.5.5.2. The Regular Expression tab

Figure 5.8. The "Regular Expression" tab inside the "Import from Hex Dump” dialog.

Packet format regular expression

This is the regex used for searching packets and metadata inside the input file. Named capturing subgroups are used to find the individual fields. Anchors ^ and $ are set to match directly before and after newlines \n or \r\n. See GRegex for a full documentation.

Data encoding

The Encoding used for the binary data. Supported encodings are plain-hexadecimal, -octal, -binary and base64. Plain here means no additional characters are present in the data field beyond whitespaces, which are ignored. Any unexpected characters abort the import process.

Ignored whitespaces are \r, \n, \t, \v, ` ` and only for hex :, only for base64 =.

Any incomplete bytes at the field’s end are assumed to be padding to fill the last complete byte. These bits should be zero, however, this is not checked.

Direction indication

The lists of characters indicating incoming vs. outgoing packets. These fields are only available when the regex contains a (?<dir>…​) group.

5.5.5.3. Common items

Timestamp Format

This is the format specifier used to parse the timestamps in the text file to import. It uses the same format as strptime(3) with the addition of %f for zero padded fractions of seconds. The precision of %f is determined from its length. The most common fields are %H, %M and %S for hours, minutes and seconds. The straightforward HH:MM:SS format is covered by %T. For a full definition of the syntax look for strptime(3),

In Regex mode this field is only available when a (?<time>…​) group is present.

In Hex Dump mode if there are no timestamps in the text file to import, leave this field empty and timestamps will be generated based on the time of import.

When using the “Multiple Files” option while doing a capture (see: Section 4.8, “Capture files and file modes”), the capture data is spread over several capture files, called a file set.

As it can become tedious to work with a file set by hand, Wireshark provides some features to handle these file sets in a convenient way.

The following features in the File → File Set submenu are available to work with file sets in a convenient way:

5.6.1. The “List Files” Dialog Box

Figure 5.9. The “List Files” dialog box

Each line contains information about a file of the file set:

Filename

The name of the file. If you click on the filename (or the radio button left to it), the current file will be closed and the corresponding capture file will be opened.

Created

The creation time of the file.

Last Modified

The last time the file was modified.

Size

The size of the file.

The last line will contain info about the currently used directory where all of the files in the file set can be found.

The content of this dialog box is updated each time a capture file is opened/closed.

The Close button will, well, close the dialog box.

Wireshark provides a variety of options for exporting packet data. This section describes general ways to export data from the main Wireshark application. There are many other ways to export or extract data from capture files, including processing tshark output and customizing Wireshark and TShark using Lua scripts.

5.7.1. The “Export Specified Packets” Dialog Box

Figure 5.10. The “Export Specified Packets” dialog box

This is similar to the “Save” dialog box, but it lets you save specific packets. This can be useful for trimming irrelevant or unwanted packets from a capture file. See Packet Range for details on the range controls.

5.7.2. The “Export Packet Dissections” Dialog Box

This lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other formats.

Figure 5.11. The “Export Packet Dissections” dialog box

The format can be selected from the “Export As” drop-down and further customized using the “Packet Range” and “Packet Format” controls. Some controls are unavailable for some formats, notably CSV and JSON. The following formats are supported:

• Plain text as shown in the main window
• Comma-separated values (CSV)
• C-compatible byte arrays
• PSML (summary XML)
• PDML (detailed XML)
• JavaScript Object Notation (JSON)

Here are some examples of exported data:

Plain text. 

No.     Time           Source                Destination           Protocol Length SSID       Info
      1 0.000000       200.121.1.131         172.16.0.122          TCP      1454              10554 → 80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]

Frame 1: 1454 bytes on wire (11632 bits), 1454 bytes captured (11632 bits)
Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13
Internet Protocol Version 4, Src: 200.121.1.131 (200.121.1.131), Dst: 172.16.0.122 (172.16.0.122)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 1440
    Identification: 0x0141 (321)
    Flags: 0x0000
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 106
    Protocol: TCP (6)
    Header checksum: 0xd390 [validation disabled]
    [Header checksum status: Unverified]
    Source: 200.121.1.131 (200.121.1.131)
    Destination: 172.16.0.122 (172.16.0.122)
    [Source GeoIP: PE, ASN 6147, Telefonica del Peru S.A.A.]
Transmission Control Protocol, Src Port: 10554, Dst Port: 80, Seq: 1, Ack: 1, Len: 1400

Tip

If you would like to be able to import any previously exported packets from a plain text file it is recommended that you do the following: Add the “Absolute date and time” column. Temporarily hide all other columns. Disable the Edit → Preferences → Protocols → Data “Show not dissected data on new Packet Bytes pane” preference. More details are provided in Section 11.5, “Preferences” Include the packet summary line. Exclude column headings. Exclude packet details. Include the packet bytes.

CSV. 

"No.","Time","Source","Destination","Protocol","Length","SSID","Info","Win Size"
"1","0.000000","200.121.1.131","172.16.0.122","TCP","1454","","10554  >  80 [ACK] Seq=1 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
"2","0.000011","172.16.0.122","200.121.1.131","TCP","54","","[TCP ACKed unseen segment] 80  >  10554 [ACK] Seq=1 Ack=11201 Win=53200 Len=0","53200"
"3","0.025738","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Spurious Retransmission] 10554  >  80 [ACK] Seq=1401 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"
"4","0.025749","172.16.0.122","200.121.1.131","TCP","54","","[TCP Window Update] [TCP ACKed unseen segment] 80  >  10554 [ACK] Seq=1 Ack=11201 Win=63000 Len=0","63000"
"5","0.076967","200.121.1.131","172.16.0.122","TCP","1454","","[TCP Previous segment not captured] [TCP Spurious Retransmission] 10554  >  80 [ACK] Seq=4201 Ack=1 Win=65535 Len=1400 [TCP segment of a reassembled PDU]","65535"

JSON. 

{
    "_index": "packets-2014-06-22",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "1",
          "frame.time": "Jun 22, 2014 13:29:41.834477000 PDT",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1403468981.834477000",
          "frame.time_delta": "0.450535000",
          "frame.time_delta_displayed": "0.450535000",
          "frame.time_relative": "0.450535000",
          "frame.number": "2",
          "frame.len": "86",
          "frame.cap_len": "86",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ipv6:icmpv6",
          "frame.coloring_rule.name": "ICMP",
          "frame.coloring_rule.string": "icmp || icmpv6"
        },
        "eth": {
          "eth.dst": "33:33:ff:9e:e3:8e",
          "eth.dst_tree": {
            "eth.dst_resolved": "33:33:ff:9e:e3:8e",
            "eth.dst.oui": "3355647",
            "eth.addr": "33:33:ff:9e:e3:8e",
            "eth.addr_resolved": "33:33:ff:9e:e3:8e",
            "eth.addr.oui": "3355647",
            "eth.dst.lg": "1",
            "eth.lg": "1",
            "eth.dst.ig": "1",
            "eth.ig": "1"
          },
          "eth.src": "00:01:5c:62:8c:46",
          "eth.src_tree": {
            "eth.src_resolved": "00:01:5c:62:8c:46",
            "eth.src.oui": "348",
            "eth.src.oui_resolved": "Cadant Inc.",
            "eth.addr": "00:01:5c:62:8c:46",
            "eth.addr_resolved": "00:01:5c:62:8c:46",
            "eth.addr.oui": "348",
            "eth.addr.oui_resolved": "Cadant Inc.",
            "eth.src.lg": "0",
            "eth.lg": "0",
            "eth.src.ig": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x000086dd"
        },
        "ipv6": {
          "ipv6.version": "6",
          "ip.version": "6",
          "ipv6.tclass": "0x00000000",
          "ipv6.tclass_tree": {
            "ipv6.tclass.dscp": "0",
            "ipv6.tclass.ecn": "0"
          },
          "ipv6.flow": "0x00000000",
          "ipv6.plen": "32",
          "ipv6.nxt": "58",
          "ipv6.hlim": "255",
          "ipv6.src": "2001:558:4080:16::1",
          "ipv6.addr": "2001:558:4080:16::1",
          "ipv6.src_host": "2001:558:4080:16::1",
          "ipv6.host": "2001:558:4080:16::1",
          "ipv6.dst": "ff02::1:ff9e:e38e",
          "ipv6.addr": "ff02::1:ff9e:e38e",
          "ipv6.dst_host": "ff02::1:ff9e:e38e",
          "ipv6.host": "ff02::1:ff9e:e38e",
          "ipv6.geoip.src_summary": "US, ASN 7922, Comcast Cable Communications, LLC",
          "ipv6.geoip.src_summary_tree": {
            "ipv6.geoip.src_country": "United States",
            "ipv6.geoip.country": "United States",
            "ipv6.geoip.src_country_iso": "US",
            "ipv6.geoip.country_iso": "US",
            "ipv6.geoip.src_asnum": "7922",
            "ipv6.geoip.asnum": "7922",
            "ipv6.geoip.src_org": "Comcast Cable Communications, LLC",
            "ipv6.geoip.org": "Comcast Cable Communications, LLC",
            "ipv6.geoip.src_lat": "37.751",
            "ipv6.geoip.lat": "37.751",
            "ipv6.geoip.src_lon": "-97.822",
            "ipv6.geoip.lon": "-97.822"
          }
        },
        "icmpv6": {
          "icmpv6.type": "135",
          "icmpv6.code": "0",
          "icmpv6.checksum": "0x00005b84",
          "icmpv6.checksum.status": "1",
          "icmpv6.reserved": "00:00:00:00",
          "icmpv6.nd.ns.target_address": "2001:558:4080:16:be36:e4ff:fe9e:e38e",
          "icmpv6.opt": {
            "icmpv6.opt.type": "1",
            "icmpv6.opt.length": "1",
            "icmpv6.opt.linkaddr": "00:01:5c:62:8c:46",
            "icmpv6.opt.src_linkaddr": "00:01:5c:62:8c:46"
          }
        }
      }
    }
  }
]

5.7.3. The “Export Selected Packet Bytes” Dialog Box

Export the bytes selected in the “Packet Bytes” pane into a raw binary file.

Figure 5.12. The “Export Selected Packet Bytes” dialog box

File name

The file name to export the packet data to.

Save as type

The file extension.