/doc/wireshark.pod.template - cse 2410 f13 wireshark - CS Projects

The data contained in this repository can be downloaded to your computer using one of several clients.
Please see the documentation of your version control software client for more information.

Please select the desired protocol below to get the URL.

This URL has Read-Only access.

Statistics

main_repo / doc / wireshark.pod.template @ master

History | View | Annotate | Download (98.2 KB)

       =begin man
       =encoding utf8
       =end man
       =head1 NAME
       wireshark - Interactively dump and analyze network traffic
       =head1 SYNOPSIS
       B<wireshark>
       S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
       S<[ B<-b> E<lt>capture ring buffer optionE<gt> ] ...>
       S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
       S<[ B<-c> E<lt>capture packet countE<gt> ]>
       S<[ B<-C> E<lt>configuration profileE<gt> ]>
       S<[ B<-D> ]>
       S<[ B<--display=>E<lt>X display to useE<gt> ] >
       S<[ B<-f> E<lt>capture filterE<gt> ]>
       S<[ B<-g> E<lt>packet numberE<gt> ]>
       S<[ B<-h> ]>
       S<[ B<-H> ]>
       S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
       S<[ B<-I> ]>
       S<[ B<-j> ]>
       S<[ B<-J> E<lt>jump filterE<gt> ]>
       S<[ B<-k> ]>
       S<[ B<-K> E<lt>keytabE<gt> ]>
       S<[ B<-l> ]>
       S<[ B<-L> ]>
       S<[ B<-m> E<lt>fontE<gt> ]>
       S<[ B<-n> ]>
       S<[ B<-N> E<lt>name resolving flagsE<gt> ] >
       S<[ B<-o> E<lt>preference/recent settingE<gt> ] ...>
       S<[ B<-p> ]>
       S<[ B<-P> E<lt>path settingE<gt>]>
       S<[ B<-r> E<lt>infileE<gt> ]>
       S<[ B<-R> E<lt>read (display) filterE<gt> ]>
       S<[ B<-s> E<lt>capture snaplenE<gt> ]>
       S<[ B<-S> ]>
       S<[ B<-t> a|ad|d|dd|e|r|u|ud ]>
       S<[ B<-v> ]>
       S<[ B<-w> E<lt>outfileE<gt> ]>
       S<[ B<-X> E<lt>eXtension optionE<gt> ]>
       S<[ B<-y> E<lt>capture link typeE<gt> ]>
       S<[ B<-Y> E<lt>displaY filterE<gt> ]>
       S<[ B<-z> E<lt>statisticsE<gt> ]>
       S<[ E<lt>infileE<gt> ]>
       =head1 DESCRIPTION
       B<Wireshark> is a GUI network protocol analyzer.  It lets you
       interactively browse packet data from a live network or from a
       previously saved capture file.  B<Wireshark>'s native capture file format
       is B<pcap> format, which is also the format used by B<tcpdump> and
       various other tools.
       B<Wireshark> can read / import the following file formats:
       =over 4
       =item *
       pcap - captures from B<Wireshark>/B<TShark>/B<dumpcap>, B<tcpdump>,
       and various other tools using libpcap's/WinPcap's/tcpdump's/WinDump's
       capture format
       =item *
       pcap-ng - "next-generation" successor to pcap format
       =item *
       B<snoop> and B<atmsnoop> captures
       =item *
       Shomiti/Finisar B<Surveyor> captures
       =item *
       Novell B<LANalyzer> captures
       =item *
       Microsoft B<Network Monitor> captures
       =item *
       AIX's B<iptrace> captures
       =item *
       Cinco Networks B<NetXRay> captures
       =item *
       Network Associates Windows-based B<Sniffer> captures
       =item *
       Network General/Network Associates DOS-based B<Sniffer> (compressed or uncompressed) captures
       =item *
       AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>/B<PacketGrabber> captures
       =item *
       B<RADCOM>'s WAN/LAN analyzer captures
       =item *
       Network Instruments B<Observer> version 9 captures
       =item *
       B<Lucent/Ascend> router debug output
       =item *
       files from HP-UX's B<nettl>
       =item *
       B<Toshiba's> ISDN routers dump output
       =item *
       the output from B<i4btrace> from the ISDN4BSD project
       =item *
       traces from the B<EyeSDN> USB S0.
       =item *
       the output in B<IPLog> format from the Cisco Secure Intrusion Detection System
       =item *
       B<pppd logs> (pppdump format)
       =item *
       the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities
       =item *
       the text output from the B<DBS Etherwatch> VMS utility
       =item *
       Visual Networks' B<Visual UpTime> traffic capture
       =item *
       the output from B<CoSine> L2 debug
       =item *
       the output from InfoVista's B<5View> LAN agents
       =item *
       Endace Measurement Systems' ERF format captures
       =item *
       Linux Bluez Bluetooth stack B<hcidump -w> traces
       =item *
       Catapult DCT2000 .out files
       =item *
       Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
       =item *
       IBM Series (OS/400) Comm traces (ASCII & UNICODE)
       =item *
       Juniper Netscreen snoop files
       =item *
       Symbian OS btsnoop files
       =item *
       TamoSoft CommView files
       =item *
       Textronix K12xx 32bit .rf5 format files
       =item *
       Textronix K12 text file format captures
       =item *
       Apple PacketLogger files
       =item *
       Files from Aethra Telecommunications' PC108 software for their test
       instruments
       =item *
       MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
       =item *
       Rabbit Labs CAM Inspector files
       =back
       There is no need to tell B<Wireshark> what type of
       file you are reading; it will determine the file type by itself.
       B<Wireshark> is also capable of reading any of these file formats if they
       are compressed using gzip.  B<Wireshark> recognizes this directly from
       the file; the '.gz' extension is not required for this purpose.
       Like other protocol analyzers, B<Wireshark>'s main window shows 3 views
       of a packet.  It shows a summary line, briefly describing what the
       packet is.  A packet details display is shown, allowing you to drill
       down to exact protocol or field that you interested in.  Finally, a hex
       dump shows you exactly what the packet looks like when it goes over the
       wire.
       In addition, B<Wireshark> has some features that make it unique.  It can
       assemble all the packets in a TCP conversation and show you the ASCII
       (or EBCDIC, or hex) data in that conversation.  Display filters in
       B<Wireshark> are very powerful; more fields are filterable in B<Wireshark>
       than in other protocol analyzers, and the syntax you can use to create
       your filters is richer.  As B<Wireshark> progresses, expect more and more
       protocol fields to be allowed in display filters.
       Packet capturing is performed with the pcap library.  The capture filter
       syntax follows the rules of the pcap library.  This syntax is different
       from the display filter syntax.
       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present, B<Wireshark> will compile, but will
       be unable to read compressed files.
       The pathname of a capture file to be read can be specified with the
       B<-r> option or can be specified as a command-line argument.
       =head1 OPTIONS
       Most users will want to start B<Wireshark> without options and configure
       it from the menus instead.  Those users may just skip this section.
       =over 4
       =item -a  E<lt>capture autostop conditionE<gt>
       Specify a criterion that specifies when B<Wireshark> is to stop writing
       to a capture file.  The criterion is of the form I<test>B<:>I<value>,
       where I<test> is one of:
       B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
       elapsed.
       B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
       I<value> KiB.  If this option is used together with the -b option, Wireshark
       will stop writing to the current capture file and switch to the next one if
       filesize is reached.  Note that the filesize is limited to a maximum value of
 GiB.
       B<files>:I<value> Stop writing to capture files after I<value> number of files
       were written.
       =item -b  E<lt>capture ring buffer optionE<gt>
       Cause B<Wireshark> to run in "multiple files" mode.  In "multiple files" mode,
       B<Wireshark> will write to several capture files.  When the first capture file
       fills up, B<Wireshark> will switch writing to the next file and so on.
       The created filenames are based on the filename given with the B<-w> flag,
       the number of the file and on the creation date and time,
       e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
       With the I<files> option it's also possible to form a "ring buffer".
       This will fill up new files until the number of files specified,
       at which point B<Wireshark> will discard the data in the first file and start
       writing to that file and so on.  If the I<files> option is not set,
       new files filled up until one of the capture stop conditions match (or
       until the disk is full).
       The criterion is of the form I<key>B<:>I<value>,
       where I<key> is one of:
       B<duration>:I<value> switch to the next file after I<value> seconds have
       elapsed, even if the current file is not completely filled up.
       B<filesize>:I<value> switch to the next file after it reaches a size of
       I<value> KiB.  Note that the filesize is limited to a maximum value of 2 GiB.
       B<files>:I<value> begin again with the first file after I<value> number of
       files were written (form a ring buffer).  This value must be less than 100000.
       Caution should be used when using large numbers of files: some filesystems do
       not handle many files in a single directory well.  The B<files> criterion
       requires either B<duration> or B<filesize> to be specified to control when to
       go to the next file.  It should be noted that each B<-b> parameter takes exactly
       one criterion; to specify two criterion, each must be preceded by the B<-b>
       option.
       Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
       of size one megabyte.
       =item -B  E<lt>capture buffer sizeE<gt>
       Set capture buffer size (in MB, default is 2MB).  This is used by the
       the capture driver to buffer packet data until that data can be written
       to disk.  If you encounter packet drops while capturing, try to increase
       this size.  Note that, while B<Wireshark> attempts to set the buffer size
       to 2MB by default, and can be told to set it to a larger value, the
       system or interface on which you're capturing might silently limit the
       capture buffer size to a lower value or raise it to a higher value.
       This is available on UNIX systems with libpcap 1.0.0 or later and on
       Windows.  It is not available on UNIX systems with earlier versions of
       libpcap.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, it sets the default capture buffer size.
       If used after an B<-i> option, it sets the capture buffer size for
       the interface specified by the last B<-i> option occurring before
       this option.  If the capture buffer size is not set specifically,
       the default capture buffer size is used if provided.
       =item -c  E<lt>capture packet countE<gt>
       Set the maximum number of packets to read when capturing live
       data.
       =item -C  E<lt>configuration profileE<gt>
       Start with the given configuration profile.
       =item -D
       Print a list of the interfaces on which B<Wireshark> can capture, and
       exit.  For each network interface, a number and an
       interface name, possibly followed by a text description of the
       interface, is printed.  The interface name or the number can be supplied
       to the B<-i> flag to specify an interface on which to capture.
       This can be useful on systems that don't have a command to list them
       (e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
       the number can be useful on Windows 2000 and later systems, where the
       interface name is a somewhat complex string.
       Note that "can capture" means that B<Wireshark> was able to open
       that device to do a live capture; if, on your system, a program doing a
       network capture must be run from an account with special privileges (for
       example, as root), then, if B<Wireshark> is run with the B<-D> flag and
       is not run from such an account, it will not list any interfaces.
       =item --display=E<lt>X display to useE<gt>
       Specifies the X display to use.  A hostname and screen (otherhost:0.0)
       or just a screen (:0.0) can be specified.  This option is not available
       under Windows.
       =item -f  E<lt>capture filterE<gt>
       Set the capture filter expression.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, it sets the default capture filter expression.
       If used after an B<-i> option, it sets the capture filter expression for
       the interface specified by the last B<-i> option occurring before
       this option.  If the capture filter expression is not set specifically,
       the default capture filter expression is used if provided.
       =item -g  E<lt>packet numberE<gt>
       After reading in a capture file using the B<-r> flag, go to the given I<packet number>.
       =item -h
       Print the version and options and exit.
       =item -H
       Hide the capture info dialog during live packet capture.
       =item -i  E<lt>capture interfaceE<gt>|-
       Set the name of the network interface or pipe to use for live packet
       capture.
       Network interface names should match one of the names listed in
       "B<wireshark -D>" (described above); a number, as reported by
       "B<wireshark -D>", can also be used.  If you're using UNIX, "B<netstat
       -i>" or "B<ifconfig -a>" might also work to list interface names,
       although not all versions of UNIX support the B<-a> flag to B<ifconfig>.
       If no interface is specified, B<Wireshark> searches the list of
       interfaces, choosing the first non-loopback interface if there are any
       non-loopback interfaces, and choosing the first loopback interface if
       there are no non-loopback interfaces.  If there are no interfaces at all,
       B<Wireshark> reports an error and doesn't start the capture.
       Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
       read data from the standard input.  On Windows systems, pipe names must be
       of the form ``\\pipe\.\B<pipename>''.  Data read from pipes must be in
       standard pcap format.
       This option can occur multiple times.  When capturing from multiple
       interfaces, the capture file will be saved in pcap-ng format.
       =item -I
       Put the interface in "monitor mode"; this is supported only on IEEE
 .11 Wi-Fi interfaces, and supported only on some operating systems.
       Note that in monitor mode the adapter might disassociate from the
       network with which it's associated, so that you will not be able to use
       any wireless networks with that adapter.  This could prevent accessing
       files on a network server, or resolving host names or network addresses,
       if you are capturing in monitor mode and are not connected to another
       network with another adapter.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
       If used after an B<-i> option, it enables the monitor mode for
       the interface specified by the last B<-i> option occurring before
       this option.
       =item -j
       Use after B<-J> to change the behavior when no exact match is found for
       the filter.  With this option select the first packet before.
       =item -J  E<lt>jump filterE<gt>
       After reading in a capture file using the B<-r> flag, jump to the packet
       matching the filter (display filter syntax).  If no exact match is found
       the first packet after that is selected.
       =item -k
       Start the capture session immediately.  If the B<-i> flag was
       specified, the capture uses the specified interface.  Otherwise,
       B<Wireshark> searches the list of interfaces, choosing the first
       non-loopback interface if there are any non-loopback interfaces, and
       choosing the first loopback interface if there are no non-loopback
       interfaces; if there are no interfaces, B<Wireshark> reports an error and
       doesn't start the capture.
       =item -K  E<lt>keytabE<gt>
       Load kerberos crypto keys from the specified keytab file.
       This option can be used multiple times to load keys from several files.
       Example: B<-K krb5.keytab>
       =item -l
       Turn on automatic scrolling if the packet display is being updated
       automatically as packets arrive during a capture (as specified by the
       B<-S> flag).
       =item -L
       List the data link types supported by the interface and exit.
       =item -m  E<lt>fontE<gt>
       Set the name of the font used by B<Wireshark> for most text.  B<Wireshark>
       will construct the name of the bold font used for the data in the byte
       view pane that corresponds to the field selected in the packet details
       pane from the name of the main text font.
       =item -n
       Disable network object name resolution (such as hostname, TCP and UDP port
       names), the B<-N> flag might override this one.
       =item -N  E<lt>name resolving flagsE<gt>
       Turn on name resolving only for particular types of addresses and port
       numbers, with name resolving for other types of addresses and port
       numbers turned off.  This flag overrides B<-n> if both B<-N> and B<-n> are
       present.  If both B<-N> and B<-n> flags are not present, all name resolutions
       are turned on.
       The argument is a string that may contain the letters:
       B<m> to enable MAC address resolution
       B<n> to enable network address resolution
       B<N> to enable using external resolvers (e.g., DNS) for network address
       resolution
       B<t> to enable transport-layer port number resolution
       B<C> to enable concurrent (asynchronous) DNS lookups
       =item -o  E<lt>preference/recent settingE<gt>
       Set a preference or recent value, overriding the default value and any value
       read from a preference/recent file.  The argument to the flag is a string of
       the form I<prefname>B<:>I<value>, where I<prefname> is the name of the
       preference/recent value (which is the same name that would appear in the
       preference/recent file), and I<value> is the value to which it should be set.
       Since B<Ethereal> 0.10.12, the recent settings replaces the formerly used
       -B, -P and -T flags to manipulate the GUI dimensions.
       If I<prefname> is "uat", you can override settings in various user access
       tables using the form uatB<:>I<uat filename>:I<uat record>.  I<uat filename>
       must be the name of a UAT file, e.g. I<user_dlts>.  I<uat_record> must be in
       the form of a valid record for that file, including quotes.  For instance, to
       specify a user DLT from the command line, you would use
           -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
       =item -p
       I<Don't> put the interface into promiscuous mode.  Note that the
       interface might be in promiscuous mode for some other reason; hence,
       B<-p> cannot be used to ensure that the only traffic that is captured is
       traffic sent to or from the machine on which B<Wireshark> is running,
       broadcast traffic, and multicast traffic to addresses received by that
       machine.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, no interface will be put into the
       promiscuous mode.
       If used after an B<-i> option, the interface specified by the last B<-i>
       option occurring before this option will not be put into the
       promiscuous mode.
       =item -P E<lt>path settingE<gt>
       Special path settings usually detected automatically.  This is used for
       special cases, e.g. starting Wireshark from a known location on an USB stick.
       The criterion is of the form I<key>B<:>I<path>, where I<key> is one of:
       B<persconf>:I<path> path of personal configuration files, like the
       preferences files.
       B<persdata>:I<path> path of personal data files, it's the folder initially
       opened.  After the very first initialization, the recent file will keep the
       folder last used.
       =item -r  E<lt>infileE<gt>
       Read packet data from I<infile>, can be any supported capture file format
       (including gzipped files).  It's not possible to use named pipes or stdin
       here! To capture from a pipe or from stdin use B<-i ->
       =item -R  E<lt>read (display) filterE<gt>
       When reading a capture file specified with the B<-r> flag, causes the
       specified filter (which uses the syntax of display filters, rather than
       that of capture filters) to be applied to all packets read from the
       capture file; packets not matching the filter are discarded.
       =item -s  E<lt>capture snaplenE<gt>
       Set the default snapshot length to use when capturing live data.
       No more than I<snaplen> bytes of each network packet will be read into
       memory, or saved to disk.  A value of 0 specifies a snapshot length of
 , so that the full packet is captured; this is the default.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, it sets the default snapshot length.
       If used after an B<-i> option, it sets the snapshot length for
       the interface specified by the last B<-i> option occurring before
       this option.  If the snapshot length is not set specifically,
       the default snapshot length is used if provided.
       =item -S
       Automatically update the packet display as packets are coming in.
       =item -t  a|ad|d|dd|e|r|u|ud
       Set the format of the packet timestamp displayed in the packet list
       window.  The format can be one of:
       B<a> absolute: The absolute time is the actual time the packet was captured,
       with no date displayed
       B<ad> absolute with date: The absolute date and time is the actual time and
       date the packet was captured
       B<d> delta: The delta time is the time since the previous packet was
       captured
       B<dd> delta_displayed: The delta_displayed time is the time since the
       previous displayed packet was captured
       B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
       B<r> relative: The relative time is the time elapsed between the first packet
       and the current packet
       B<u> UTC: The UTC time is the actual time the packet was captured,
       with no date displayed
       B<ud> UTC with date: The UTC date and time is the actual time and
       date the packet was captured
       The default format is relative.
       =item -v
       Print the version and exit.
       =item -w  E<lt>outfileE<gt>
       Set the default capture file name.
       =item -X E<lt>eXtension optionsE<gt>
       Specify an option to be passed to an B<Wireshark> module.  The eXtension option
       is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
       B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the
       default Lua scripts.
       B<stdin_descr>:I<description> tells B<Wireshark> to use the given description when
       capturing from standard input (B<-i ->).
       =item -y  E<lt>capture link typeE<gt>
       If a capture is started from the command line with B<-k>, set the data
       link type to use while capturing packets.  The values reported by B<-L>
       are the values that can be used.
       This option can occur multiple times.  If used before the first
       occurrence of the B<-i> option, it sets the default capture link type.
       If used after an B<-i> option, it sets the capture link type for
       the interface specified by the last B<-i> option occurring before
       this option.  If the capture link type is not set specifically,
       the default capture link type is used if provided.
       =item -Y  E<lt>displaY filterE<gt>
       Start with the given display filter.
       =item -z  E<lt>statisticsE<gt>
       Get B<Wireshark> to collect various types of statistics and display the result
       in a window that updates in semi-real time.
       Currently implemented statistics are:
       =over 4
       =item B<-z> conv,I<type>[,I<filter>]
       Create a table that lists all conversations that could be seen in the
       capture.  I<type> specifies the conversation endpoint types for which we
       want to generate the statistics; currently the supported ones are:
         "eth"   Ethernet addresses
         "fc"    Fibre Channel addresses
         "fddi"  FDDI addresses
         "ip"    IPv4 addresses
         "ipv6"  IPv6 addresses
         "ipx"   IPX addresses
         "tcp"   TCP/IP socket pairs   Both IPv4 and IPv6 are supported
         "tr"    Token Ring addresses
         "udp"   UDP/IP socket pairs   Both IPv4 and IPv6 are supported
       If the optional I<filter> is specified, only those packets that match the
       filter will be used in the calculations.
       The table is presented with one line for each conversation and displays
       the number of packets/bytes in each direction as well as the total
       number of packets/bytes.  By default, the table is sorted according to
       the total number of packets.
       These tables can also be generated at runtime by selecting the appropriate
       conversation type from the menu "Tools/Statistics/Conversation List/".
       =item B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>]
       Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>,
       version I<major>.I<minor>.
       Data collected is the number of calls for each procedure, MinSRT, MaxSRT
       and AvgSRT.
       Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
       This option can be used multiple times on the command line.
       If the optional I<filter>  is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR
       SRT statistics for a specific host.
       =item B<-z> fc,srt[,I<filter>]
       Collect call/reply SRT (Service Response Time) data for FC.  Data collected
       is the number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT.
       Example: B<-z fc,srt>
       will calculate the Service Response Time as the time delta between the
       First packet of the exchange and the Last packet of the exchange.
       The data will be presented as separate tables for all normal FC commands,
       Only those commands that are seen in the capture will have its stats
       displayed.
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "fc,srt,fc.id==01.02.03"> will collect stats only for
       FC packets exchanged by the host at FC address 01.02.03 .
       =item B<-z> h225,counter[I<,filter>]
       Count ITU-T H.225 messages and their reasons.  In the first column you get a
       list of H.225 messages and H.225 message reasons which occur in the current
       capture file.  The number of occurrences of each message or reason is displayed
       in the second column.
       Example: B<-z h225,counter>
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "h225,counter,ip.addr==1.2.3.4"> will collect stats only for
       H.225 packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> h225,srt[I<,filter>]
       Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS.
       Data collected is the number of calls of each ITU-T H.225 RAS Message Type,
       Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet.
       You will also get the number of Open Requests (Unresponded Requests),
       Discarded Responses (Responses without matching request) and Duplicate Messages.
       Example: B<-z h225,srt>
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will collect stats only for
       ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> io,stat
       Collect packet/bytes statistics for the capture in intervals of 1 second.
       This option will open a window with up to 5 color-coded graphs where
       number-of-packets-per-second or number-of-bytes-per-second statistics
       can be calculated and displayed.
       This option can be used multiple times on the command line.
       This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat
       menu item.
       =item B<-z> ldap,srt[,I<filter>]
       Collect call/reply SRT (Service Response Time) data for LDAP.  Data collected
       is the number of calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT.
       Example: B<-z ldap,srt>
       will calculate the Service Response Time as the time delta between the
       Request and the Response.
       The data will be presented as separate tables for all implemented LDAP commands,
       Only those commands that are seen in the capture will have its stats
       displayed.
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: use B<-z "ldap,srt,ip.addr==10.1.1.1"> will collect stats only for
       LDAP packets exchanged by the host at IP address 10.1.1.1 .
       The only LDAP commands that are currently implemented and for which the stats will be available are:
       BIND
       SEARCH
       MODIFY
       ADD
       DELETE
       MODRDN
       COMPARE
       EXTENDED
       =item B<-z> megaco,srt[I<,filter>]
       Collect request/response SRT (Service Response Time) data for MEGACO.
       (This is similar to B<-z smb,srt>).  Data collected is the number of calls
       for each known MEGACO Command, Minimum SRT, Maximum SRT and Average SRT.
       Example: B<-z megaco,srt>
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "megaco,srt,ip.addr==1.2.3.4"> will collect stats only for
       MEGACO packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> mgcp,srt[I<,filter>]
       Collect request/response SRT (Service Response Time) data for MGCP.
       (This is similar to B<-z smb,srt>).  Data collected is the number of calls
       for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT.
       Example: B<-z mgcp,srt>
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "mgcp,srt,ip.addr==1.2.3.4"> will collect stats only for
       MGCP packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> rpc,programs
       Collect call/reply SRT data for all known ONC-RPC programs/versions.
       Data collected is the number of calls for each protocol/version, MinSRT,
       MaxSRT and AvgSRT.
       =item B<-z> rpc,srt,I<program>,I<version>[,<filter>]
       Collect call/reply SRT (Service Response Time) data for I<program>/I<version>.  Data collected
       is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
       Example: B<-z rpc,srt,100003,3> will collect data for NFS v3.
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: S<B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678>> will collect NFS v3
       SRT statistics for a specific file.
       =item B<-z> scsi,srt,I<cmdset>[,<filter>]
       Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>.
       Commandsets are 0:SBC   1:SSC  5:MMC
       Data collected
       is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
       Example: B<-z scsi,srt,0> will collect data for SCSI BLOCK COMMANDS (SBC).
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z scsi,srt,0,ip.addr==1.2.3.4> will collect SCSI SBC
       SRT statistics for a specific iscsi/ifcp/fcip host.
       =item B<-z> sip,stat[I<,filter>]
       This option will activate a counter for SIP messages.  You will get the number
       of occurrences of each SIP Method and of each SIP Status-Code.  Additionally you
       also get the number of resent SIP Messages (only for SIP over UDP).
       Example: B<-z sip,stat>
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will collect stats only for
       SIP packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> smb,srt[,I<filter>]
       Collect call/reply SRT (Service Response Time) data for SMB.  Data collected
       is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
       Example: B<-z smb,srt>
       The data will be presented as separate tables for all normal SMB commands,
       all Transaction2 commands and all NT Transaction commands.
       Only those commands that are seen in the capture will have their stats
       displayed.
       Only the first command in a xAndX command chain will be used in the
       calculation.  So for common SessionSetupAndX + TreeConnectAndX chains,
       only the SessionSetupAndX call will be used in the statistics.
       This is a flaw that might be fixed in the future.
       This option can be used multiple times on the command line.
       If the optional I<filter> is provided, the stats will only be calculated
       on those calls that match that filter.
       Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will collect stats only for
       SMB packets exchanged by the host at IP address 1.2.3.4 .
       =item B<-z> voip,calls
       This option will show a window that shows VoIP calls found in the capture file.
       This is the same window shown as when you go to the Statistics Menu and choose
       VoIP Calls.
       Example: B<-z voip,calls>
       =back
       =back
       =head1 INTERFACE
       =head2 MENU ITEMS
       =over 4
       =item File:Open
       =item File:Open Recent
       =item File:Merge
       Merge another capture file to the currently loaded one.  The I<File:Merge>
       dialog box allows the merge "Prepended", "Chronologically" or "Appended",
       relative to the already loaded one.
       =item File:Close
       Open or close a capture file.  The I<File:Open> dialog box
       allows a filter to be specified; when the capture file is read, the
       filter is applied to all packets read from the file, and packets not
       matching the filter are discarded.  The I<File:Open Recent> is a submenu
       and will show a list of previously opened files.
       =item File:Save
       =item File:Save As
       Save the current capture, or the packets currently displayed from that
       capture, to a file.  Check boxes let you select whether to save all
       packets, or just those that have passed the current display filter and/or
       those that are currently marked, and an option menu lets you select (from
       a list of file formats in which at particular capture, or the packets
       currently displayed from that capture, can be saved), a file format in
       which to save it.
       =item File:File Set:List Files
       Show a dialog box that lists all files of the file set matching the currently
       loaded file.  A file set is a compound of files resulting from a capture using
       the "multiple files" / "ringbuffer" mode, recognizable by the filename pattern,
       e.g.: Filename_00001_20050604101530.pcap.
       =item File:File Set:Next File
       =item File:File Set:Previous File
       If the currently loaded file is part of a file set (see above), open the
       next / previous file in that set.
       =item File:Export
       Export captured data into an external format.  Note: the data cannot be
       imported back into Wireshark, so be sure to keep the capture file.
       =item File:Print
       Print packet data from the current capture.  You can select the range of
       packets to be printed (which packets are printed), and the output format of
       each packet (how each packet is printed).  The output format will be similar
       to the displayed values, so a summary line, the packet details view, and/or
       the hex dump of the packet can be printed.
       Printing options can be set with the I<Edit:Preferences> menu item, or in the
       dialog box popped up by this menu item.
       =item File:Quit
       Exit the application.
       =item Edit:Copy:Description
       Copies the description of the selected field in the protocol tree to
       the clipboard.
       =item Edit:Copy:Fieldname
       Copies the fieldname of the selected field in the protocol tree to
       the clipboard.
       =item Edit:Copy:Value
       Copies the value of the selected field in the protocol tree to
       the clipboard.
       =item Edit:Copy:As Filter
       Create a display filter based on the data currently highlighted in the
       packet details and copy that filter to the clipboard.
       If that data is a field that can be tested in a display filter
       expression, the display filter will test that field; otherwise, the
       display filter will be based on the absolute offset within the packet.
       Therefore it could be unreliable if the packet contains protocols with
       variable-length headers, such as a source-routed token-ring packet.
       =item Edit:Find Packet
       Search forward or backward, starting with the currently selected packet
       (or the most recently selected packet, if no packet is selected).  Search
       criteria can be a display filter expression, a string of hexadecimal
       digits, or a text string.
       When searching for a text string, you can search the packet data, or you
       can search the text in the Info column in the packet list pane or in the
       packet details pane.
       Hexadecimal digits can be separated by colons, periods, or dashes.
       Text string searches can be ASCII or Unicode (or both), and may be
       case insensitive.
       =item Edit:Find Next
       =item Edit:Find Previous
       Search forward / backward for a packet matching the filter from the previous
       search, starting with the currently selected packet (or the most recently
       selected packet, if no packet is selected).
       =item Edit:Mark Packet (toggle)
       Mark (or unmark if currently marked) the selected packet.  The field
       "frame.marked" is set for packets that are marked, so that, for example,
       a display filters can be used to display only marked packets, and so that
       the L</"Edit:Find Packet"> dialog can be used to find the next or previous
       marked packet.
       =item Edit:Find Next Mark
       =item Edit:Find Previous Mark
       Find next/previous marked packet.
       =item Edit:Mark All Packets
       =item Edit:Unmark All Packets
       Mark / Unmark all packets that are currently displayed.
       =item Edit:Time Reference:Set Time Reference (toggle)
       Set (or unset if currently set) the selected packet as a Time Reference packet.
       When a packet is set as a Time Reference packet, the timestamps in the packet
       list pane will be replaced with the string "*REF*".
       The relative time timestamp in later packets will then be calculated relative
       to the timestamp of this Time Reference packet and not the first packet in
       the capture.
       Packets that have been selected as Time Reference packets will always be
       displayed in the packet list pane.  Display filters will not affect or
       hide these packets.
       If there is a column displayed for "Cumulative Bytes" this counter will
       be reset at every Time Reference packet.
       =item Edit:Time Reference:Find Next
       =item Edit:Time Reference:Find Previous
       Search forward / backward for a time referenced packet.
       =item Edit:Configuration Profiles
       Manage configuration profiles to be able to use more than one set of
       preferences and configurations.
       =item Edit:Preferences
       Set the GUI, capture, printing and protocol options
       (see L</Preferences> dialog below).
       =item View:Main Toolbar
       =item View:Filter Toolbar
       =item View:Statusbar
       Show or hide the main window controls.
       =item View:Packet List
       =item View:Packet Details
       =item View:Packet Bytes
       Show or hide the main window panes.
       =item View:Time Display Format
       Set the format of the packet timestamp displayed in the packet list window.
       =item View:Name Resolution:Resolve Name
       Try to resolve a name for the currently selected item.
       =item View:Name Resolution:Enable for ... Layer
       Enable or disable translation of addresses to names in the display.
       =item View:Colorize Packet List
       Enable or disable the coloring rules.  Disabling will improve performance.
       =item View:Auto Scroll in Live Capture
       Enable or disable the automatic scrolling of the
       packet list while a live capture is in progress.
       =item View:Zoom In
       =item View:Zoom Out
       Zoom into / out of the main window data (by changing the font size).
       =item View:Normal Size
       Reset the zoom factor of zoom in / zoom out back to normal font size.
       =item View:Resize All Columns
       Resize all columns to best fit the current packet display.
       =item View:Expand Subtrees
       Expands the currently selected item and it's subtrees in the packet details.
       =item View:Expand All
       =item View:Collapse All
       Expand / Collapse all branches of the packet details.
       =item View:Colorize Conversation
       Select color for a conversation.
       =item View:Reset Coloring 1-10
       Reset Color for a conversation.
       =item View:Coloring Rules
       Change the foreground and background colors of the packet information in
       the list of packets, based upon display filters.  The list of display
       filters is applied to each packet sequentially.  After the first display
       filter matches a packet, any additional display filters in the list are
       ignored.  Therefore, if you are filtering on the existence of protocols,
       you should list the higher-level protocols first, and the lower-level
       protocols last.
       =over
       =item How Colorization Works
       Packets are colored according to a list of color filters.  Each filter
       consists of a name, a filter expression and a coloration.  A packet is
       colored according to the first filter that it matches.  Color filter
       expressions use exactly the same syntax as display filter expressions.
       When Wireshark starts, the color filters are loaded from:
       =over
       =item 1.
       The user's personal color filters file or, if that does not exist,
       =item 2.
       The global color filters file.
       =back
       If neither of these exist then the packets will not be colored.
       =back
       =item View:Show Packet In New Window
       Create a new window containing a packet details view and a hex dump
       window of the currently selected packet; this window will continue to
       display that packet's details and data even if another packet is
       selected.
       =item View:Reload
       Reload a capture file.  Same as I<File:Close> and I<File:Open> the same
       file again.
       =item Go:Back
       Go back in previously visited packets history.
       =item Go:Forward
       Go forward in previously visited packets history.
       =item Go:Go To Packet
       Go to a particular numbered packet.
       =item Go:Go To Corresponding Packet
       If a field in the packet details pane containing a packet number is
       selected, go to the packet number specified by that field.  (This works
       only if the dissector that put that entry into the packet details put it
       into the details as a filterable field rather than just as text.) This
       can be used, for example, to go to the packet for the request
       corresponding to a reply, or the reply corresponding to a request, if
       that packet number has been put into the packet details.
       =item Go:Previous Packet
       =item Go:Next Packet
       =item Go:First Packet
       =item Go:Last Packet
       Go to the previous / next / first / last packet in the capture.
       =item Go:Previous Packet In Conversation
       =item Go:Next Packet In Conversation
       Go to the previous / next packet of the conversation (TCP, UDP or IP)
       =item Capture:Interfaces
       Shows a dialog box with all currently known interfaces and displaying the
       current network traffic amount.  Capture sessions can be started from here.
       Beware: keeping this box open results in high system load!
       =item Capture:Options
       Initiate a live packet capture (see L</"Capture Options Dialog">
       below).  If no filename is specified, a temporary file will be created
       to hold the capture.  The location of the file can be chosen by setting your
       TMPDIR environment variable before starting B<Wireshark>.  Otherwise, the
       default TMPDIR location is system-dependent, but is likely either F</var/tmp>
       or F</tmp>.
       =item Capture:Start
       Start a live packet capture with the previously selected options.  This won't
       open the options dialog box, and can be convenient for repeatedly capturing
       with the same options.
       =item Capture:Stop
       Stop a running live capture.
       =item Capture:Restart
       While a live capture is running, stop it and restart with the same options
       again.  This can be convenient to remove irrelevant packets, if no valuable
       packets were captured so far.
       =item Capture:Capture Filters
       Edit the saved list of capture filters, allowing filters to be added,
       changed, or deleted.
       =item Analyze:Display Filters
       Edit the saved list of display filters, allowing filters to be added,
       changed, or deleted.
       =item Analyze:Display Filter Macros
       Create shortcuts for complex macros
       =item Analyze:Apply as Filter
       Create a display filter based on the data currently highlighted in the
       packet details and apply the filter.
       If that data is a field that can be tested in a display filter
       expression, the display filter will test that field; otherwise, the
       display filter will be based on the absolute offset within the packet.
       Therefore it could be unreliable if the packet contains protocols with
       variable-length headers, such as a source-routed token-ring packet.
       The B<Selected> option creates a display filter that tests for a match
       of the data; the B<Not Selected> option creates a display filter that
       tests for a non-match of the data.  The B<And Selected>, B<Or Selected>,
       B<And Not Selected>, and B<Or Not Selected> options add to the end of
       the display filter in the strip at the top (or bottom) an AND or OR
       operator followed by the new display filter expression.
       =item Analyze:Prepare a Filter
       Create a display filter based on the data currently highlighted in the
       packet details.  The filter strip at the top (or bottom) is updated but
       it is not yet applied.
       =item Analyze:Enabled Protocols
       Allow protocol dissection to be enabled or disabled for a specific
       protocol.  Individual protocols can be enabled or disabled by clicking
       on them in the list or by highlighting them and pressing the space bar.
       The entire list can be enabled, disabled, or inverted using the buttons
       below the list.
       When a protocol is disabled, dissection in a particular packet stops
       when that protocol is reached, and Wireshark moves on to the next packet.
       Any higher-layer protocols that would otherwise have been processed will
       not be displayed.  For example, disabling TCP will prevent the dissection
       and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively
       dependent on TCP.
       The list of protocols can be saved, so that Wireshark will start up with
       the protocols in that list disabled.
       =item Analyze:Decode As
       If you have a packet selected, present a dialog allowing you to change
       which dissectors are used to decode this packet.  The dialog has one
       panel each for the link layer, network layer and transport layer
       protocol/port numbers, and will allow each of these to be changed
       independently.  For example, if the selected packet is a TCP packet to
       port 12345, using this dialog you can instruct Wireshark to decode all
       packets to or from that TCP port as HTTP packets.
       =item Analyze:User Specified Decodes
       Create a new window showing whether any protocol ID to dissector
       mappings have been changed by the user.  This window also allows the
       user to reset all decodes to their default values.
       =item Analyze:Follow TCP Stream
       If you have a TCP packet selected, display the contents of the data
       stream for the TCP connection to which that packet belongs, as text, in
       a separate window, and leave the list of packets in a filtered state,
       with only those packets that are part of that TCP connection being
       displayed.  You can revert to your old view by pressing ENTER in the
       display filter text box, thereby invoking your old display filter (or
       resetting it back to no display filter).
       The window in which the data stream is displayed lets you select:
       =over 8
       =item *
       whether to display the entire conversation, or one or the other side of
       it;
       =item *
       whether the data being displayed is to be treated as ASCII or EBCDIC
       text or as raw hex data;
       =back
       and lets you print what's currently being displayed, using the same
       print options that are used for the I<File:Print Packet> menu item, or
       save it as text to a file.
       =item Analyze:Follow UDP Stream
       =item Analyze:Follow SSL Stream
       (Similar to Analyze:Follow TCP Stream)
       =item Analyze:Expert Info
       =item Analyze:Expert Info Composite
       (Kind of) a log of anomalies found by Wireshark in a capture file.
       =item Analyze:Conversation Filter
       =item Statistics:Summary
       Show summary information about the capture, including elapsed time,
       packet counts, byte counts, and the like.  If a display filter is in
       effect, summary information will be shown about the capture and about
       the packets currently being displayed.
       =item Statistics:Protocol Hierarchy
       Show the number of packets, and the number of bytes in those packets,
       for each protocol in the trace.  It organizes the protocols in the same
       hierarchy in which they were found in the trace.  Besides counting the
       packets in which the protocol exists, a count is also made for packets
       in which the protocol is the last protocol in the stack.  These
       last-protocol counts show you how many packets (and the byte count
       associated with those packets) B<ended> in a particular protocol.  In
       the table, they are listed under "End Packets" and "End Bytes".
       =item Statistics:Conversations
       Lists of conversations; selectable by protocol.  See Statistics:Conversation List below.
       =item Statistics:End Points
       List of End Point Addresses by protocol with packets/bytes/.... counts.
       =item Statistics:Packet Lengths
       Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
       =item Statistics:IO Graphs
       Open a window where up to 5 graphs in different colors can be displayed
       to indicate number of packets or number of bytes per second for all packets
       matching the specified filter.
       By default only one graph will be displayed showing number of packets per second.
       The top part of the window contains the graphs and scales for the X and
       Y axis.  If the graph is too long to fit inside the window there is a
       horizontal scrollbar below the drawing area that can scroll the graphs
       to the left or the right.  The horizontal axis displays the time into
       the capture and the vertical axis will display the measured quantity at
       that time.
       Below the drawing area and the scrollbar are the controls.  On the
       bottom left there will be five similar sets of controls to control each
       individual graph such as "Display:<button>" which button will toggle
       that individual graph on/off.  If <button> is ticked, the graph will be
       displayed.  "Color:<color>" which is just a button to show which color
       will be used to draw that graph (color is only available in Gtk2
       version) and finally "Filter:<filter-text>" which can be used to specify
       a display filter for that particular graph.
       If filter-text is empty then all packets will be used to calculate the
       quantity for that graph.  If filter-text is specified only those packets
       that match that display filter will be considered in the calculation of
       quantity.
       To the right of the 5 graph controls there are four menus to control
       global aspects of the draw area and graphs.  The "Unit:" menu is used to
       control what to measure; "packets/tick", "bytes/tick" or "advanced..."
       packets/tick will measure the number of packets matching the (if
       specified) display filter for the graph in each measurement interval.
       bytes/tick will measure the total number of bytes in all packets matching
       the (if specified) display filter for the graph in each measurement
       interval.
       advanced... see below
       "Tick interval:" specifies what measurement intervals to use.  The
       default is 1 second and means that the data will be counted over 1
       second intervals.
       "Pixels per tick:" specifies how many pixels wide each measurement
       interval will be in the drawing area.  The default is 5 pixels per tick.
       "Y-scale:" controls the max value for the y-axis.  Default value is
       "auto" which means that B<Wireshark> will try to adjust the maxvalue
       automatically.
       "advanced..." If Unit:advanced...  is selected the window will display
       two more controls for each of the five graphs.  One control will be a
       menu where the type of calculation can be selected from
       SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a
       single display filter field can be specified.
       The following restrictions apply to type and field combinations:
       SUM: available for all types of integers and will calculate the SUM of
       all occurrences of this field in the measurement interval.  Note that
       some field can occur multiple times in the same packet and then all
       instances will be summed up.  Example: 'tcp.len' which will count the
       amount of payload data transferred across TCP in each interval.
       COUNT: available for all field types.  This will COUNT the number of times
       certain field occurs in each interval.  Note that some fields
       may occur multiple times in each packet and if that is the case
       then each instance will be counted independently and COUNT
       will be greater than the number of packets.
       MAX: available for all integer and relative time fields.  This will calculate
       the max seen integer/time value seen for the field during the interval.
       Example: 'smb.time' which will plot the maximum SMB response time.
       MIN: available for all integer and relative time fields.  This will calculate
       the min seen integer/time value seen for the field during the interval.
       Example: 'smb.time' which will plot the minimum SMB response time.
       AVG: available for all integer and relative time fields.This will
       calculate the average seen integer/time value seen for the field during
       the interval.  Example: 'smb.time' which will plot the average SMB
       response time.
       LOAD: available only for relative time fields (response times).
       Example of advanced:
       Display how NFS response time MAX/MIN/AVG changes over time:
       Set first graph to:
          filter:nfs&&rpc.time
          Calc:MAX rpc.time
       Set second graph to
          filter:nfs&&rpc.time
          Calc:AVG rpc.time
       Set third graph to
          filter:nfs&&rpc.time
          Calc:MIN rpc.time
       Example of advanced:
       Display how the average packet size from host a.b.c.d changes over time.
       Set first graph to
          filter:ip.addr==a.b.c.d&&frame.pkt_len
          Calc:AVG frame.pkt_len
       LOAD:
       The LOAD io-stat type is very different from anything you have ever seen
       before! While the response times themselves as plotted by MIN,MAX,AVG are
       indications on the Server load (which affects the Server response time),
       the LOAD measurement measures the Client LOAD.
       What this measures is how much workload the client generates,
       i.e. how fast will the client issue new commands when the previous ones
       completed.
       i.e. the level of concurrency the client can maintain.
       The higher the number, the more and faster is the client issuing new
       commands.  When the LOAD goes down, it may be due to client load making
       the client slower in issuing new commands (there may be other reasons as
       well, maybe the client just doesn't have any commands it wants to issue
       right then).
       Load is measured in concurrency/number of overlapping i/o and the value
 means there is a constant load of one i/o.
       In each tick interval the amount of overlap is measured.
       See the graph below containing three commands:
       Below the graph are the LOAD values for each interval that would be calculated.
         |     |     |     |     |     |     |     |     |
         |     |     |     |     |     |     |     |     |
         |     |  o=====*  |     |     |     |     |     |
         |     |     |     |     |     |     |     |     |
         |  o========*     | o============*  |     |     |
         |     |     |     |     |     |     |     |     |
         --------------------------------------------------> Time
 1500   500  750   1000   500    0     0
       =item Statistics:Conversation List
       This option will open a new window that displays a list of all
       conversations between two endpoints.  The list has one row for each
       unique conversation and displays total number of packets/bytes seen as
       well as number of packets/bytes in each direction.
       By default the list is sorted according to the number of packets but by
       clicking on the column header; it is possible to re-sort the list in
       ascending or descending order by any column.
       By first selecting a conversation by clicking on it and then using the
       right mouse button (on those platforms that have a right
       mouse button) wireshark will display a popup menu offering several different
       filter operations to apply to the capture.
       These statistics windows can also be invoked from the Wireshark command
       line using the B<-z conv> argument.
       =item Statistics:Service Response Time
       =over 4
       =item *
       AFP
       =item *
       CAMEL
       =item *
       DCE-RPC
       Open a window to display Service Response Time statistics for an
       arbitrary DCE-RPC program
       interface and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>,
       B<Maximum SRT> and B<Average SRT> for all procedures for that
       program/version.  These windows opened will update in semi-real time to
       reflect changes when doing live captures or when reading new capture
       files into B<Wireshark>.
       This dialog will also allow an optional filter string to be used.
       If an optional filter string is used only such DCE-RPC request/response pairs
       that match that filter will be used to calculate the statistics.  If no filter
       string is specified all request/response pairs will be used.
       =item *
       Diameter
       =item *
       Fibre Channel
       Open a window to display Service Response Time statistics for Fibre Channel
       and display B<FC Type>, B<Number of Calls>, B<Minimum SRT>,
       B<Maximum SRT> and B<Average SRT> for all FC types.
       These windows opened will update in semi-real time to
       reflect changes when doing live captures or when reading new capture
       files into B<Wireshark>.
       The Service Response Time is calculated as the time delta between the
       First packet of the exchange and the Last packet of the exchange.
       This dialog will also allow an optional filter string to be used.
       If an optional filter string is used only such FC first/last exchange pairs
       that match that filter will be used to calculate the statistics.  If no filter
       string is specified all request/response pairs will be used.
       =item *
       GTP
       =item *
       H.225 RAS
       Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
       Data collected is B<number of calls> for each known ITU-T H.225 RAS Message Type,
       B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.
       You will also get the number of B<Open Requests> (Unresponded Requests),
       B<Discarded Responses> (Responses without matching request) and Duplicate Messages.
       These windows opened will update in semi-real time to reflect changes when
       doing live captures or when reading new capture files into B<Wireshark>.
       You can apply an optional filter string in a dialog box, before starting
       the calculation.  The statistics will only be calculated
       on those calls matching that filter.
       =item *
       LDAP
       =item *
       MEGACO
       =item *
       MGCP
       Collect requests/response SRT (Service Response Time) data for MGCP.
       Data collected is B<number of calls> for each known MGCP Type,
       B<Minimum SRT>, B<Maximum SRT>, B<Average SRT>, B<Minimum in Packet>, and B<Maximum in Packet>.
       These windows opened will update in semi-real time to reflect changes when
       doing live captures or when reading new capture files into B<Wireshark>.
       You can apply an optional filter string in a dialog box, before starting
       the calculation.  The statistics will only be calculated
       on those calls matching that filter.
       =item *
       NCP
       =item *
       ONC-RPC
       Open a window to display statistics for an arbitrary ONC-RPC program interface
       and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT> for all procedures for that program/version.
       These windows opened will update in semi-real time to reflect changes when
       doing live captures or when reading new capture files into B<Wireshark>.
       This dialog will also allow an optional filter string to be used.
       If an optional filter string is used only such ONC-RPC request/response pairs
       that match that filter will be used to calculate the statistics.  If no filter
       string is specified all request/response pairs will be used.
       By first selecting a conversation by clicking on it and then using the
       right mouse button (on those platforms that have a right
       mouse button) wireshark will display a popup menu offering several different
       filter operations to apply to the capture.
       =item *
       RADIUS
       =item *
       SCSI
       =item *
       SMB
       Collect call/reply SRT (Service Response Time) data for SMB.  Data collected
       is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
       The data will be presented as separate tables for all normal SMB commands,
       all Transaction2 commands and all NT Transaction commands.
       Only those commands that are seen in the capture will have its stats
       displayed.
       Only the first command in a xAndX command chain will be used in the
       calculation.  So for common SessionSetupAndX + TreeConnectAndX chains,
       only the SessionSetupAndX call will be used in the statistics.
       This is a flaw that might be fixed in the future.
       You can apply an optional filter string in a dialog box, before starting
       the calculation.  The stats will only be calculated
       on those calls matching that filter.
       By first selecting a conversation by clicking on it and then using the
       right mouse button (on those platforms that have a right
       mouse button) wireshark will display a popup menu offering several different
       filter operations to apply to the capture.
       =item *
       SMB2
       =back
       =item Statistics:BOOTP-DHCP
       =item Statistics:Compare
       Compare two Capture Files
       =item Statistics:Flow Graph
       Flow Graph: General/TCP
       =item Statistics:HTTP
       HTTP Load Distribution, Packet Counter & Requests
       =item Statistics:IP Addresses
       Count/Rate/Percent by IP Address
       =item Statistics:IP Destinations
       Count/Rate/Percent by IP Address/protocol/port
       =item Statistics:IP Protocol Types
       Count/Rate/Percent by IP Protocol Types
       =item Statistics:ONC-RPC Programs
       This dialog will open a window showing aggregated SRT statistics for all
       ONC-RPC Programs/versions that exist in the capture file.
       =item Statistics:TCP Stream Graph
       Graphs: Round Trip; Throughput; Time-Sequence (Stevens); Time-Sequence (tcptrace)
       =item Statistics:UDP Multicast streams
       Multicast Streams Counts/Rates/... by Source/Destination Address/Port pairs
       =item Statistics:WLAN Traffic
       WLAN Traffic Statistics
       =item Telephony:ITU-T H.225
       Count ITU-T H.225 messages and their reasons.  In the first column you get a
       list of H.225 messages and H.225 message reasons, which occur in the current
       capture file.  The number of occurrences of each message or reason will be displayed
       in the second column.
       This window opened will update in semi-real time to reflect changes when
       doing live captures or when reading new capture files into B<Wireshark>.
       You can apply an optional filter string in a dialog box, before starting
       the counter.  The statistics will only be calculated
       on those calls matching that filter.
       =item Telephony:SIP
       Activate a counter for SIP messages.  You will get the number of occurrences of each
       SIP Method and of each SIP Status-Code.  Additionally you also get the number of
       resent SIP Messages (only for SIP over UDP).
       This window opened will update in semi-real time to reflect changes when
       doing live captures or when reading new capture files into B<Wireshark>.
       You can apply an optional filter string in a dialog box, before starting
       the counter.  The statistics will only be calculated
       on those calls matching that filter.
       =item Tools:Firewall ACL Rules
       =item Help:Contents
       Some help texts.
       =item Help:Supported Protocols
       List of supported protocols and display filter protocol fields.
       =item Help:Manual Pages
       Display locally installed HTML versions of these manual pages in a web browser.
       =item Help:Wireshark Online
       Various links to online resources to be open in a web browser, like
       L<http://www.wireshark.org>.
       =item Help:About Wireshark
       See various information about Wireshark (see L</About> dialog below), like the
       version, the folders used, the available plugins, ...
       =back
       =head2 WINDOWS
       =over 4
       =item Main Window
       The main window contains the usual things like the menu, some toolbars, the
       main area and a statusbar.  The main area is split into three panes, you can
       resize each pane using a "thumb" at the right end of each divider line.
       The main window is much more flexible than before.  The layout of the main
       window can be customized by the I<Layout> page in the dialog box popped
       up by I<Edit:Preferences>, the following will describe the layout with the
       default settings.
       =over 6
       =item Main Toolbar
       Some menu items are available for quick access here.  There is no way to
       customize the items in the toolbar, however the toolbar can be hidden by
       I<View:Main Toolbar>.
       =item Filter Toolbar
       A display filter can be entered into the filter toolbar.
       A filter for HTTP, HTTPS, and DNS traffic might look like this:
         tcp.port == 80 || tcp.port == 443 || tcp.port == 53
       Selecting the I<Filter:> button lets you choose from a list of named
       filters that you can optionally save.  Pressing the Return or Enter
       keys, or selecting the I<Apply> button, will cause the filter to be
       applied to the current list of packets.  Selecting the I<Reset> button
       clears the display filter so that all packets are displayed (again).
       There is no way to customize the items in the toolbar, however the toolbar
       can be hidden by I<View:Filter Toolbar>.
       =item Packet List Pane
       The top pane contains the list of network packets that you can scroll
       through and select.  By default, the packet number, packet timestamp,
       source and destination addresses, protocol, and description are
       displayed for each packet; the I<Columns> page in the dialog box popped
       up by I<Edit:Preferences> lets you change this (although, unfortunately,
       you currently have to save the preferences, and exit and restart
       Wireshark, for those changes to take effect).
       If you click on the heading for a column, the display will be sorted by
       that column; clicking on the heading again will reverse the sort order
       for that column.
       An effort is made to display information as high up the protocol stack
       as possible, e.g. IP addresses are displayed for IP packets, but the
       MAC layer address is displayed for unknown packet types.
       The right mouse button can be used to pop up a menu of operations.
       The middle mouse button can be used to mark a packet.
       =item Packet Details Pane
       The middle pane contains a display of the details of the
       currently-selected packet.  The display shows each field and its value
       in each protocol header in the stack.  The right mouse button can be
       used to pop up a menu of operations.
       =item Packet Bytes Pane
       The lowest pane contains a hex and ASCII dump of the actual packet data.
       Selecting a field in the packet details highlights the corresponding
       bytes in this section.
       The right mouse button can be used to pop up a menu of operations.
       =item Statusbar
       The statusbar is divided into three parts, on the left some context dependent
       things are shown, like information about the loaded file, in the center the
       number of packets are displayed, and on the right the current configuration
       profile.
       The statusbar can be hidden by I<View:Statusbar>.
       =back
       =item Preferences
       The I<Preferences> dialog lets you control various personal preferences
       for the behavior of B<Wireshark>.
       =over 6
       =item User Interface Preferences
       The I<User Interface> page is used to modify small aspects of the GUI to
       your own personal taste:
       =over 6
       =item Selection Bars
       The selection bar in the packet list and packet details can have either
       a "browse" or "select" behavior.  If the selection bar has a "browse"
       behavior, the arrow keys will move an outline of the selection bar,
       allowing you to browse the rest of the list or details without changing
       the selection until you press the space bar.  If the selection bar has a
       "select" behavior, the arrow keys will move the selection bar and change
       the selection to the new item in the packet list or packet details.
       =item Save Window Position
       If this item is selected, the position of the main Wireshark window will
       be saved when Wireshark exits, and used when Wireshark is started again.
       =item Save Window Size
       If this item is selected, the size of the main Wireshark window will
       be saved when Wireshark exits, and used when Wireshark is started again.
       =item Save Window Maximized state
       If this item is selected the maximize state of the main Wireshark window
       will be saved when Wireshark exists, and used when Wireshark is started again.
       =item File Open Dialog Behavior
       This item allows the user to select how Wireshark handles the listing
       of the "File Open" Dialog when opening trace files.  "Remember Last
       Directory" causes Wireshark to automatically position the dialog in the
       directory of the most recently opened file, even between launches of Wireshark.
       "Always Open in Directory" allows the user to define a persistent directory
       that the dialog will always default to.
       =item Directory
       Allows the user to specify a persistent File Open directory.  Trailing
       slashes or backslashes will automatically be added.
       =item File Open Preview timeout
       This items allows the user to define how much time is spend reading the
       capture file to present preview data in the File Open dialog.
       =item Open Recent maximum list entries
       The File menu supports a recent file list.  This items allows the user to
       specify how many files are kept track of in this list.
       =item Ask for unsaved capture files
       When closing a capture file or Wireshark itself if the file isn't saved yet
       the user is presented the option to save the file when this item is set.
       =item Wrap during find
       This items determines the behavior when reaching the beginning or the end
       of a capture file.  When set the search wraps around and continues, otherwise
       it stops.
       =item Settings dialogs show a save button
       This item determines if the various dialogs sport an explicit Save button
       or that save is implicit in OK / Apply.
       =item Web browser command
       This entry specifies the command line to launch a web browser.  It is used
       to access online content, like the Wiki and user guide.  Use '%s' to place
       the request URL in the command line.
       =item Display LEDs in the Expert Infos dialog tab labels
       This item determines if LED-like colored images are displayed in the
       Expert Infos dialog tab labels.
       =back
       =item Layout Preferences
       The I<Layout> page lets you specify the general layout of the main window.
       You can choose from six different layouts and fill the three panes with the
       contents you like.
       =over 6
       =item Scrollbars
       The vertical scrollbars in the three panes can be set to be either on
       the left or the right.
       =item Alternating row colors
       =item Hex Display
       The highlight method in the hex dump display for the selected protocol
       item can be set to use either inverse video, or bold characters.
       =item Toolbar style
       =item Filter toolbar placement
       =item Custom window title
       =back
       =item Column Preferences
       The I<Columns> page lets you specify the number, title, and format
       of each column in the packet list.
       The I<Column title> entry is used to specify the title of the column
       displayed at the top of the packet list.  The type of data that the column
       displays can be specified using the I<Column format> option menu.
       The row of buttons on the left perform the following actions:
       =over 6
       =item New
       Adds a new column to the list.
       =item Delete
       Deletes the currently selected list item.
       =item Up / Down
       Moves the selected list item up or down one position.
       =back
       =item Font Preferences
       The I<Font> page lets you select the font to be used for most text.
       =item Color Preferences
       The I<Colors> page can be used to change the color of the text
       displayed in the TCP stream window and for marked packets.  To change a color,
       simply select an attribute from the "Set:" menu and use the color selector to
       get the desired color.  The new text colors are displayed as a sample text.
       =item Capture Preferences
       The I<Capture> page lets you specify various parameters for capturing
       live packet data; these are used the first time a capture is started.
       The I<Interface:> combo box lets you specify the interface from which to
       capture packet data, or the name of a FIFO from which to get the packet
       data.
       The I<Data link type:> option menu lets you, for some interfaces, select
       the data link header you want to see on the packets you capture.  For
       example, in some OSes and with some versions of libpcap, you can choose,
       on an 802.11 interface, whether the packets should appear as Ethernet
       packets (with a fake Ethernet header) or as 802.11 packets.
       The I<Limit each packet to ... bytes> check box lets you set the
       snapshot length to use when capturing live data; turn on the check box,
       and then set the number of bytes to use as the snapshot length.
       The I<Filter:> text entry lets you set a capture filter expression to be
       used when capturing.
       If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
       REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create a
       default capture filter that excludes traffic from the hosts and ports
       defined in those variables.
       The I<Capture packets in promiscuous mode> check box lets you specify
       whether to put the interface in promiscuous mode when capturing.
       The I<Update list of packets in real time> check box lets you specify
       that the display should be updated as packets are seen.
       The I<Automatic scrolling in live capture> check box lets you specify
       whether, in an "Update list of packets in real time" capture, the packet
       list pane should automatically scroll to show the most recently captured
       packets.
       =item Printing Preferences
       The radio buttons at the top of the I<Printing> page allow you choose
       between printing packets with the I<File:Print Packet> menu item as text
       or PostScript, and sending the output directly to a command or saving it
       to a file.  The I<Command:> text entry box, on UNIX-compatible systems,
       is the command to send files to (usually B<lpr>), and the I<File:> entry
       box lets you enter the name of the file you wish to save to.
       Additionally, you can select the I<File:> button to browse the file
       system for a particular save file.
       =item Name Resolution Preferences
       The I<Enable MAC name resolution>, I<Enable network name resolution> and
       I<Enable transport name resolution> check boxes let you specify whether
       MAC addresses, network addresses, and transport-layer port numbers
       should be translated to names.
       The I<Enable concurrent DNS name resolution> allows Wireshark to send out
       multiple name resolution requests and not wait for the result before
       continuing dissection.  This speeds up dissection with network name
       resolution but initially may miss resolutions.  The number of concurrent
       requests can be set here as well.
       I<SMI paths>
       I<SMI modules>
       =item RTP Player Preferences
       This page allows you to select the number of channels visible in the
       RTP player window.  It determines the height of the window, more channels
       are possible and visible by means of a scroll bar.
       =item Protocol Preferences
       There are also pages for various protocols that Wireshark dissects,
       controlling the way Wireshark handles those protocols.
       =back
       =item Edit Capture Filter List
       =item Edit Display Filter List
       =item Capture Filter
       =item Display Filter
       =item Read Filter
       =item Search Filter
       The I<Edit Capture Filter List> dialog lets you create, modify, and
       delete capture filters, and the I<Edit Display Filter List> dialog lets
       you create, modify, and delete display filters.
       The I<Capture Filter> dialog lets you do all of the editing operations
       listed, and also lets you choose or construct a filter to be used when
       capturing packets.
       The I<Display Filter> dialog lets you do all of the editing operations
       listed, and also lets you choose or construct a filter to be used to
       filter the current capture being viewed.
       The I<Read Filter> dialog lets you do all of the editing operations
       listed, and also lets you choose or construct a filter to be used to
       as a read filter for a capture file you open.
       The I<Search Filter> dialog lets you do all of the editing operations
       listed, and also lets you choose or construct a filter expression to be
       used in a find operation.
       In all of those dialogs, the I<Filter name> entry specifies a
       descriptive name for a filter, e.g.  B<Web and DNS traffic>.  The
       I<Filter string> entry is the text that actually describes the filtering
       action to take, as described above.The dialog buttons perform the
       following actions:
       =over 6
       =item New
       If there is text in the two entry boxes, creates a new associated list
       item.
       =item Edit
       Modifies the currently selected list item to match what's in the entry
       boxes.
       =item Delete
       Deletes the currently selected list item.
       =item Add Expression...
       For display filter expressions, pops up a dialog box to allow you to
       construct a filter expression to test a particular field; it offers
       lists of field names, and, when appropriate, lists from which to select
       tests to perform on the field and values with which to compare it.  In
       that dialog box, the OK button will cause the filter expression you
       constructed to be entered into the I<Filter string> entry at the current
       cursor position.
       =item OK
       In the I<Capture Filter> dialog, closes the dialog box and makes the
       filter in the I<Filter string> entry the filter in the I<Capture
       Preferences> dialog.  In the I<Display Filter> dialog, closes the dialog
       box and makes the filter in the I<Filter string> entry the current
       display filter, and applies it to the current capture.  In the I<Read
       Filter> dialog, closes the dialog box and makes the filter in the
       I<Filter string> entry the filter in the I<Open Capture File> dialog.
       In the I<Search Filter> dialog, closes the dialog box and makes the
       filter in the I<Filter string> entry the filter in the I<Find Packet>
       dialog.
       =item Apply
       Makes the filter in the I<Filter string> entry the current display
       filter, and applies it to the current capture.
       =item Save
       If the list of filters being edited is the list of
       capture filters, saves the current filter list to the personal capture
       filters file, and if the list of filters being edited is the list of
       display filters, saves the current filter list to the personal display
       filters file.
       =item Close
       Closes the dialog without doing anything with the filter in the I<Filter
       string> entry.
       =back
       =item The Color Filters Dialog
       This dialog displays a list of color filters and allows it to be
       modified.
       =over
       =item THE FILTER LIST
       Single rows may be selected by clicking.  Multiple rows may be selected
       by using the ctrl and shift keys in combination with the mouse button.
       =item NEW
       Adds a new filter at the bottom of the list and opens the Edit Color
       Filter dialog box.  You will have to alter the filter expression at
       least before the filter will be accepted.  The format of color filter
       expressions is identical to that of display filters.  The new filter is
       selected, so it may immediately be moved up and down, deleted or edited.
       To avoid confusion all filters are unselected before the new filter is
       created.
       =item EDIT
       Opens the Edit Color Filter dialog box for the selected filter. (If this
       button is disabled you may have more than one filter selected, making it
       ambiguous which is to be edited.)
       =item ENABLE
       Enables the selected color filter(s).
       =item DISABLE
       Disables the selected color filter(s).
       =item DELETE
       Deletes the selected color filter(s).
       =item EXPORT
       Allows you to choose a file in which to save the current list of color
       filters.  You may also choose to save only the selected filters.  A
       button is provided to save the filters in the global color filters file
       (you must have sufficient permissions to write this file, of course).
       =item IMPORT
       Allows you to choose a file containing color filters which are then
       added to the bottom of the current list.  All the added filters are
       selected, so they may be moved to the correct position in the list as a
       group.  To avoid confusion, all filters are unselected before the new
       filters are imported.  A button is provided to load the filters from the
       global color filters file.
       =item CLEAR
       Deletes your personal color filters file, reloads the global
       color filters file, if any, and closes the dialog.
       =item UP
       Moves the selected filter(s) up the list, making it more likely that
       they will be used to color packets.
       =item DOWN
       Moves the selected filter(s) down the list, making it less likely that
       they will be used to color packets.
       =item OK
       Closes the dialog and uses the color filters as they stand.
       =item APPLY
       Colors the packets according to the current list of color filters, but
       does not close the dialog.
       =item SAVE
       Saves the current list of color filters in your personal color filters
       file.  Unless you do this they will not be used the next time you start
       Wireshark.
       =item CLOSE
       Closes the dialog without changing the coloration of the packets.  Note
       that changes you have made to the current list of color filters are not
       undone.
       =back
       =item Capture Options Dialog
       The I<Capture Options Dialog> lets you specify various parameters for
       capturing live packet data.
       The I<Interface:> field lets you specify the interface from which to
       capture packet data or a command from which to get the packet data via a
       pipe.
       The I<Link layer header type:> field lets you specify the interfaces link
       layer header type.  This field is usually disabled, as most interface have
       only one header type.
       The I<Capture packets in promiscuous mode> check box lets you specify
       whether the interface should be put into promiscuous mode when
       capturing.
       The I<Limit each packet to ... bytes> check box and field lets you
       specify a maximum number of bytes per packet to capture and save; if the
       check box is not checked, the limit will be 65535 bytes.
       The I<Capture Filter:> entry lets you specify the capture filter using a
       tcpdump-style filter string as described above.
       The I<File:> entry lets you specify the file into which captured packets
       should be saved, as in the I<Printer Options> dialog above.  If not
       specified, the captured packets will be saved in a temporary file; you
       can save those packets to a file with the I<File:Save As> menu item.
       The I<Use multiple files> check box lets you specify that the capture
       should be done in "multiple files" mode.  This option is disabled, if the
       I<Update list of packets in real time> option is checked.
       The I<Next file every ...  megabyte(s)> check box and fields lets
       you specify that a switch to a next file should be done
       if the specified filesize is reached.  You can also select the appropriate
       unit, but beware that the filesize has a maximum of 2 GiB.
       The check box is forced to be checked, as "multiple files" mode requires a
       file size to be specified.
       The I<Next file every ... minute(s)> check box and fields lets
       you specify that the switch to a next file should be done after the specified
       time has elapsed, even if the specified capture size is not reached.
       The I<Ring buffer with ... files> field lets you specify the number
       of files of a ring buffer.  This feature will capture into to the first file
       again, after the specified amount of files were used.
       The I<Stop capture after ... files> field lets you specify the number
       of capture files used, until the capture is stopped.
       The I<Stop capture after ... packet(s)> check box and field let
       you specify that Wireshark should stop capturing after having captured
       some number of packets; if the check box is not checked, Wireshark will
       not stop capturing at some fixed number of captured packets.
       The I<Stop capture after ... megabyte(s)> check box and field lets
       you specify that Wireshark should stop capturing after the file to which
       captured packets are being saved grows as large as or larger than some
       specified number of megabytes.  If the check box is not checked, Wireshark
       will not stop capturing at some capture file size (although the operating
       system on which Wireshark is running, or the available disk space, may still
       limit the maximum size of a capture file).  This option is disabled, if
       "multiple files" mode is used,
       The I<Stop capture after ...  second(s)> check box and field let you
       specify that Wireshark should stop capturing after it has been capturing
       for some number of seconds; if the check box is not checked, Wireshark
       will not stop capturing after some fixed time has elapsed.
       The I<Update list of packets in real time> check box lets you specify
       whether the display should be updated as packets are captured and, if
       you specify that, the I<Automatic scrolling in live capture> check box
       lets you specify the packet list pane should automatically scroll to
       show the most recently captured packets as new packets arrive.
       The I<Enable MAC name resolution>, I<Enable network name resolution> and
       I<Enable transport name resolution> check boxes let you specify whether
       MAC addresses, network addresses, and transport-layer port numbers
       should be translated to names.
       =item About
       The I<About> dialog lets you view various information about Wireshark.
       =item About:Wireshark
       The I<Wireshark> page lets you view general information about Wireshark,
       like the installed version, licensing information and such.
       =item About:Authors
       The I<Authors> page shows the author and all contributors.
       =item About:Folders
       The I<Folders> page lets you view the directory names where Wireshark is
       searching it's various configuration and other files.
       =item About:Plugins
       The I<Plugins> page lets you view the dissector plugin modules
       available on your system.
       The I<Plugins List> shows the name and version of each dissector plugin
       module found on your system.
       On Unix-compatible systems, the plugins are looked for in the following
       directories: the F<lib/wireshark/plugins/$VERSION> directory under the
       main installation directory (for example,
       F</usr/local/lib/wireshark/plugins/$VERSION>), and then
       F<$HOME/.wireshark/plugins>.
       On Windows systems, the plugins are looked for in the following
       directories: F<plugins\$VERSION> directory under the main installation
       directory (for example, F<C:\Program Files\Wireshark\plugins\$VERSION>),
       and then F<%APPDATA%\Wireshark\plugins\$VERSION> (or, if %APPDATA% isn't
       defined, F<%USERPROFILE%\Application Data\Wireshark\plugins\$VERSION>).
       $VERSION is the version number of the plugin interface, which
       is typically the version number of Wireshark.  Note that a dissector
       plugin module may support more than one protocol; there is not
       necessarily a one-to-one correspondence between dissector plugin modules
       and protocols.  Protocols supported by a dissector plugin module are
       enabled and disabled using the I<Edit:Protocols> dialog box, just as
       protocols built into Wireshark are.
       =back
       =head1 CAPTURE FILTER SYNTAX
       See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
       or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
       =head1 DISPLAY FILTER SYNTAX
       For a complete table of protocol and protocol fields that are filterable
       in B<Wireshark> see the wireshark-filter(4) manual page.
       =head1 FILES
       These files contains various B<Wireshark> configuration settings.
       =over 4
       =item Preferences
       The F<preferences> files contain global (system-wide) and personal
       preference settings.  If the system-wide preference file exists, it is
       read first, overriding the default settings.  If the personal preferences
       file exists, it is read next, overriding any previous values.  Note: If
       the command line flag B<-o> is used (possibly more than once), it will
       in turn override values from the preferences files.
       The preferences settings are in the form I<prefname>B<:>I<value>,
       one per line,
       where I<prefname> is the name of the preference
       and I<value> is the value to
       which it should be set; white space is allowed between B<:> and
       I<value>.  A preference setting can be continued on subsequent lines by
       indenting the continuation lines with white space.  A B<#> character
       starts a comment that runs to the end of the line:
         # Vertical scrollbars should be on right side?
         # TRUE or FALSE (case-insensitive).
         gui.scrollbar_on_right: TRUE
       The global preferences file is looked for in the F<wireshark> directory
       under the F<share> subdirectory of the main installation directory (for
       example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
       systems, and in the main installation directory (for example,
       F<C:\Program Files\Wireshark\preferences>) on Windows systems.
       The personal preferences file is looked for in F<$HOME/.wireshark/preferences> on
       UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
       %APPDATA% isn't defined, F<%USERPROFILE%\Application
       Data\Wireshark\preferences>) on Windows systems.
       Note: Whenever the preferences are saved by using the I<Save> button
       in the I<Edit:Preferences> dialog box, your personal preferences file
       will be overwritten with the new settings, destroying any comments and
       unknown/obsolete settings that were in the file.
       =item Recent
       The F<recent> file contains personal settings (mostly GUI related) such
       as the current B<Wireshark> window size.  The file is saved at program exit and
       read in at program start automatically.  Note: The command line flag B<-o>
       may be used to override settings from this file.
       The settings in this file have the same format as in the F<preferences>
       files, and the same directory as for the personal preferences file is
       used.
       Note: Whenever Wireshark is closed, your recent file
       will be overwritten with the new settings, destroying any comments and
       unknown/obsolete settings that were in the file.
       =item Disabled (Enabled) Protocols
       The F<disabled_protos> files contain system-wide and personal lists of
       protocols that have been disabled, so that their dissectors are never
       called.  The files contain protocol names, one per line, where the
       protocol name is the same name that would be used in a display filter
       for the protocol:
         http
         tcp     # a comment
       If a protocol is listed in the global F<disabled_protos> file, it is not
       displayed in the I<Analyze:Enabled Protocols> dialog box, and so cannot
       be enabled by the user.
       The global F<disabled_protos> file uses the same directory as the global
       preferences file.
       The personal F<disabled_protos> file uses the same directory as the
       personal preferences file.
       Note: Whenever the disabled protocols list is saved by using the I<Save>
       button in the I<Analyze:Enabled Protocols> dialog box, your personal
       disabled protocols file will be overwritten with the new settings,
       destroying any comments that were in the file.
       =item Name Resolution (hosts)
       If the personal F<hosts> file exists, it is
       used to resolve IPv4 and IPv6 addresses before any other
       attempts are made to resolve them.  The file has the standard F<hosts>
       file syntax; each line contains one IP address and name, separated by
       whitespace.  The same directory as for the personal preferences file is used.
       Capture filter name resolution is handled by libpcap on UNIX-compatible
       systems and WinPcap on Windows.  As such the Wireshark personal F<hosts> file
       will not be consulted for capture filter name resolution.
       =item Name Resolution (ethers)
       The F<ethers> files are consulted to correlate 6-byte hardware addresses to
       names.  First the personal F<ethers> file is tried and if an address is not
       found there the global F<ethers> file is tried next.
       Each line contains one hardware address and name, separated by
       whitespace.  The digits of the hardware address are separated by colons
       (:), dashes (-) or periods (.).  The same separator character must be
       used consistently in an address.  The following three lines are valid
       lines of an F<ethers> file:
         ff:ff:ff:ff:ff:ff          Broadcast
         c0-00-ff-ff-ff-ff          TR_broadcast
 .00.00.00.00.00          Zero_broadcast
       The global F<ethers> file is looked for in the F</etc> directory on
       UNIX-compatible systems, and in the main installation directory (for
       example, F<C:\Program Files\Wireshark>) on Windows systems.
       The personal F<ethers> file is looked for in the same directory as the personal
       preferences file.
       Capture filter name resolution is handled by libpcap on UNIX-compatible
       systems and WinPcap on Windows.  As such the Wireshark personal F<ethers> file
       will not be consulted for capture filter name resolution.
       =item Name Resolution (manuf)
       The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
       hardware address with the manufacturer's name; it can also contain well-known
       MAC addresses and address ranges specified with a netmask.  The format of the
       file is the same as the F<ethers> files, except that entries such as:
 :00:0C      Cisco
       can be provided, with the 3-byte OUI and the name for a vendor, and
       entries such as:
 -00-0C-07-AC/40     All-HSRP-routers
       can be specified, with a MAC address and a mask indicating how many bits
       of the address must match.  The above entry, for example, has 40
       significant bits, or 5 bytes, and would match addresses from
 -00-0C-07-AC-00 through 00-00-0C-07-AC-FF.  The mask need not be a
       multiple of 8.
       The F<manuf> file is looked for in the same directory as the global
       preferences file.
       =item Name Resolution (ipxnets)
       The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
       names.  First the global F<ipxnets> file is tried and if that address is not
       found there the personal one is tried next.
       The format is the same as the F<ethers>
       file, except that each address is four bytes instead of six.
       Additionally, the address can be represented as a single hexadecimal
       number, as is more common in the IPX world, rather than four hex octets.
       For example, these four lines are valid lines of an F<ipxnets> file:
         C0.A8.2C.00              HR
         c0-a8-1c-00              CEO
 :00:BE:EF              IT_Server1
 f                     FileServer3
       The global F<ipxnets> file is looked for in the F</etc> directory on
       UNIX-compatible systems, and in the main installation directory (for
       example, F<C:\Program Files\Wireshark>) on Windows systems.
       The personal F<ipxnets> file is looked for in the same directory as the
       personal preferences file.
       =item Capture Filters
       The F<cfilters> files contain system-wide and personal capture filters.
       Each line contains one filter, starting with the string displayed in the
       dialog box in quotation marks, followed by the filter string itself:
         "HTTP" port 80
         "DCERPC" port 135
       The global F<cfilters> file uses the same directory as the
       global preferences file.
       The personal F<cfilters> file uses the same directory as the personal
       preferences file.  It is written through the Capture:Capture Filters
       dialog.
       If the global F<cfilters> file exists, it is used only if the personal
       F<cfilters> file does not exist; global and personal capture filters are
       not merged.
       =item Display Filters
       The F<dfilters> files contain system-wide and personal display filters.
       Each line contains one filter, starting with the string displayed in the
       dialog box in quotation marks, followed by the filter string itself:
         "HTTP" http
         "DCERPC" dcerpc
       The global F<dfilters> file uses the same directory as the
       global preferences file.
       The personal F<dfilters> file uses the same directory as the
       personal preferences file.  It is written through the Analyze:Display
       Filters dialog.
       If the global F<dfilters> file exists, it is used only if the personal
       F<dfilters> file does not exist; global and personal display filters are
       not merged.
       =item Color Filters (Coloring Rules)
       The F<colorfilters> files contain system-wide and personal color filters.
       Each line contains one filter, starting with the string displayed in the
       dialog box, followed by the corresponding display filter.  Then the
       background and foreground colors are appended:
         # a comment
         @tcp@tcp@[59345,58980,65534][0,0,0]
         @udp@udp@[28834,57427,65533][0,0,0]
       The global F<colorfilters> file uses the same directory as the
       global preferences file.
       The personal F<colorfilters> file uses the same directory as the
       personal preferences file.  It is written through the View:Coloring Rules
       dialog.
       If the global F<colorfilters> file exists, it is used only if the personal
       F<colorfilters> file does not exist; global and personal color filters are
       not merged.
       =item GTK rc files
       The F<gtkrc> files contain system-wide and personal GTK theme settings.
       The global F<gtkrc> file uses the same directory as the
       global preferences file.
       The personal F<gtkrc> file uses the same directory as the personal
       preferences file.
       =item Plugins
       See above in the description of the About:Plugins page.
       =back
       =head1 ENVIRONMENT VARIABLES
       =over 4
       =item WIRESHARK_APPDATA
       On Windows, Wireshark normally stores all application data in %APPDATA% or
       %USERPROFILE%.  You can override the default location by exporting this
       environment variable to specify an alternate location.
       =item WIRESHARK_DEBUG_EP_NO_CHUNKS
       Normally per-packet memory is allocated in large "chunks."  This behavior
       doesn't work well with debugging tools such as Valgrind or ElectricFence.
       Export this environment variable to force individual allocations.
       Note: disabling chunks also disables canaries (see below).
       =item WIRESHARK_DEBUG_SE_NO_CHUNKS
       Normally per-file memory is allocated in large "chunks."  This behavior
       doesn't work well with debugging tools such as Valgrind or ElectricFence.
       Export this environment variable to force individual allocations.
       Note: disabling chunks also disables canaries (see below).
       =item WIRESHARK_DEBUG_EP_NO_CANARY
       Normally per-packet memory allocations are separated by "canaries" which
       allow detection of memory overruns.  This comes at the expense of some extra
       memory usage.  Exporting this environment variable disables these canaries.
       =item WIRESHARK_DEBUG_SE_USE_CANARY
       Exporting this environment variable causes per-file memory allocations to be
       protected with "canaries" which allow for detection of memory overruns.
       This comes at the expense of significant extra memory usage.
       =item WIRESHARK_DEBUG_SCRUB_MEMORY
       If this environment variable is set, the contents of per-packet and
       per-file memory is initialized to 0xBADDCAFE when the memory is allocated
       and is reset to 0xDEADBEEF when the memory is freed.  This functionality is
       useful mainly to developers looking for bugs in the way memory is handled.
       =item WIRESHARK_DEBUG_WMEM_OVERRIDE
       Setting this environment variable forces the wmem framework to use the
       specified allocator backend for *all* allocations, regardless of which
       backend is normally specified by the code. This is mainly useful to developers
       when testing or debugging. See I<README.wmem> in the source distribution for
       details.
       =item WIRESHARK_RUN_FROM_BUILD_DIRECTORY
       This environment variable causes the plugins and other data files to be loaded
       from the build directory (where the program was compiled) rather than from the
       standard locations.  It has no effect when the program in question is running
       with root (or setuid) permissions on *NIX.
       =item WIRESHARK_DATA_DIR
       This environment variable causes the various data files to be loaded from
       a directory other than the standard locations.  It has no effect when the
       program in question is running with root (or setuid) permissions on *NIX.
       =item WIRESHARK_PYTHON_DIR
       This environment variable points to an alternate location for Python.
       It has no effect when the program in question is running with root (or setuid)
       permissions on *NIX.
       =item ERF_RECORDS_TO_CHECK
       This environment variable controls the number of ERF records checked when
       deciding if a file really is in the ERF format.  Setting this environment
       variable a number higher than the default (20) would make false positives
       less likely.
       =item IPFIX_RECORDS_TO_CHECK
       This environment variable controls the number of IPFIX records checked when
       deciding if a file really is in the IPFIX format.  Setting this environment
       variable a number higher than the default (20) would make false positives
       less likely.
       =item WIRESHARK_ABORT_ON_DISSECTOR_BUG
       If this environment variable is set, B<Wireshark> will call abort(3)
       when a dissector bug is encountered.  abort(3) will cause the program to
       exit abnormally; if you are running B<Wireshark> in a debugger, it
       should halt in the debugger and allow inspection of the process, and, if
       you are not running it in a debugger, it will, on some OSes, assuming
       your environment is configured correctly, generate a core dump file.
       This can be useful to developers attempting to troubleshoot a problem
       with a protocol dissector.
       =item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
       If this environment variable is set, B<Wireshark> will call abort(3)
       if a dissector tries to add too many items to a tree (generally this
       is an indication of the dissector not breaking out of a loop soon enough).
       abort(3) will cause the program to exit abnormally; if you are running
       B<Wireshark> in a debugger, it should halt in the debugger and allow
       inspection of the process, and, if you are not running it in a debugger,
       it will, on some OSes, assuming your environment is configured correctly,
       generate a core dump file.  This can be useful to developers attempting to
       troubleshoot a problem with a protocol dissector.
       =item WIRESHARK_EP_VERIFY_POINTERS
       This environment variable, if set, causes certain uses of pointers to be
       audited to ensure they do not point to memory that is deallocated after each
       packet has been fully dissected.  This can be useful to developers writing or
       auditing code.
       =item WIRESHARK_SE_VERIFY_POINTERS
       This environment variable, if set, causes certain uses of pointers to be
       audited to ensure they do not point to memory that is deallocated after when
       a capture file is closed.  This can be useful to developers writing or
       auditing code.
       =item WIRESHARK_QUIT_AFTER_CAPTURE
       Cause B<Wireshark> to exit after the end of the capture session.  This
       doesn't automatically start a capture; you must still use B<-k> to do
       that.  You must also specify an autostop condition, e.g.  B<-c> or B<-a
       duration:...>.  This means that you will not be able to see the results
       of the capture after it stops; it's primarily useful for testing.
       =item WIRESHARK_ABORT_ON_OUT_OF_MEMORY
       This environment variable, if present, causes abort(3) to be called if certain
       out-of-memory conditions (which normally result in an exception and an
       explanatory error message) are experienced.  This can be useful to developers
       debugging out-of-memory conditions.
       =back
       =head1 SEE ALSO
       wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1), mergecap(1),
       text2pcap(1), pcap-filter(7) or tcpdump(8)
       =head1 NOTES
       The latest version of B<Wireshark> can be found at
       L<http://www.wireshark.org>.
       HTML versions of the Wireshark project man pages are available at:
       L<http://www.wireshark.org/docs/man-pages>.
       =head1 AUTHORS