This book is not intended to explain network sniffing in general and it will not provide details about specific network protocols. A lot of useful information regarding these topics can be found on the Wireshark Wiki.
In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.
Wireshark can capture traffic from many different network media types, including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media types supported may be limited by several factors, including your hardware and operating system. An overview of the supported media types can be found on the Wireshark Wiki.
Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!
The amount of resources Wireshark needs depends on your environment and on the size of the capture file you are analyzing. The values below should be fine for small to medium-sized capture files no more than a few hundred MB. Larger capture files will require more memory and disk space.
A busy network can produce huge capture files. Capturing on even a 100 megabit network can produce hundreds of megabytes of capture data in a short time. A computer with a fast processor, and lots of memory and disk space is always a good idea.
Wireshark should support any version of Windows that is still within its extended support lifetime. At the time of writing this includes Windows 11, 10, Server 2022, Server 2019, and Server 2016. It also requires the following:
You can get the latest copy of the program from the Wireshark website. The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. Official Windows and macOS installers are signed by Wireshark Foundation using trusted certificates on those platforms. macOS installers are additionally notarized.
Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-x.y.z.txt. Announcement messages are archived at -announce/ and SIGNATURES files can be found at -versions/. Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems.
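The check the SIGNATURES file is meant to support can be scripted. The following is an added example, not part of the Wireshark User's Guide and not code shipped by the project: it reads the SHA256 entries from a SIGNATURES-x.y.z.txt file, hashes the downloaded installer without loading it into memory, and compares the two. It assumes the digest lines have the OpenSSL-style form `SHA256(file-name)=<hex>`; the file names, sizes and hashes in `demo()` are constructed for the demonstration. Because the digest list itself is what you trust, run `gpg --verify` on the SIGNATURES file (it is GPG-signed, as described above) before relying on its contents.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed SIGNATURES-x.y.z.txt layout (an assumption of this example; check the
# real file): one OpenSSL-style digest line per release file, e.g.
#   SHA256(wireshark-x.y.z.tar.xz)=<64 hex characters>
SHA256_LINE = re.compile(r"^SHA256\(([^()]+)\)=\s*([0-9a-fA-F]{64})\s*$", re.MULTILINE)


def parse_signatures(text: str) -> dict[str, str]:
    """Map each listed file name to its expected SHA256 digest (lower-case hex)."""
    return {m.group(1): m.group(2).lower() for m in SHA256_LINE.finditer(text)}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly large) installer in chunks instead of reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, signatures_text: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only if the file's digest matches its entry."""
    path = Path(path)
    expected = parse_signatures(signatures_text).get(path.name)
    if expected is None:
        return False, f"{path.name}: no SHA256 entry in SIGNATURES file"
    actual = sha256_file(path)
    # Constant-time comparison; not strictly needed for a public hash, but harmless.
    if hmac.compare_digest(actual, expected):
        return True, f"{path.name}: SHA256 matches"
    return False, f"{path.name}: SHA256 mismatch (expected {expected}, got {actual})"


def demo() -> tuple[bool, bool]:
    """Constructed demonstration data: a stand-in 'installer', a SIGNATURES file
    generated from it, and a tampered copy with the same name. Returns
    (good_file_ok, tampered_file_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good" / "wireshark-demo.tar.xz"
        bad = Path(tmp) / "bad" / "wireshark-demo.tar.xz"
        good.parent.mkdir()
        bad.parent.mkdir()
        good.write_bytes(b"stand-in for an installer\n")
        bad.write_bytes(good.read_bytes() + b"x")  # one appended byte
        signatures = (
            f"{good.name}: {good.stat().st_size} bytes\n"
            f"SHA256({good.name})={sha256_file(good)}\n"
        )
        return verify_download(good, signatures)[0], verify_download(bad, signatures)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real download, pass the installer path and the text of the corresponding SIGNATURES file to `verify_download`; a `False` result with "no SHA256 entry" usually means the file was renamed, so compare against the name as listed in the file.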
In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking, so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems.
Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days patches, bug reports, and words of encouragement started arriving and Ethereal was on its way to success.
The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark did not already handle. So they copied an existing dissector and contributed the code back to the team.
In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was the first deemed complete, with the minimum features implemented. Its release coincided with the first Wireshark Developer and User Conference, called Sharkfest.
Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark team, a loose group of individuals who fix bugs and provide new functionality.
There have also been a large number of people who have contributed protocol dissectors to Wireshark, and it is expected that this will continue. You can find a list of the people who have contributed code to Wireshark by checking the about dialog box of Wireshark, or at the authors page on the Wireshark web site.
Wireshark is an open source software project, and is released under the GNU General Public License (GPL) version 2. All source code is freely available under the GPL. You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you contribute your improvements back to the Wireshark team.
Before sending any mail to the mailing lists below, be sure to read the FAQ. It will often answer any questions you might have. This will save yourself and others a lot of time. Keep in mind that a lot of people are subscribed to the mailing lists.
You can subscribe to each of these lists from the Wireshark web site. From there, you can choose which mailing list you want to subscribe to by clicking on the Subscribe/Unsubscribe/Options button under the title of the relevant list. The links to the archives are included on that page as well.
As with all things there must be a beginning and so it is with Wireshark. To use Wireshark you must first install it. If you are running Windows or macOS you can download an official release from the Wireshark website, install it, and skip the rest of this chapter.
If you are running another operating system such as Linux or FreeBSD you might want to install from source. Several Linux distributions offer Wireshark packages but they commonly provide out-of-date versions. No other versions of UNIX ship Wireshark so far. For that reason, you will need to know where to get the latest version of Wireshark and how to install it.
Simply download the Wireshark installer from the Wireshark website and execute it. Official packages are signed by Wireshark Foundation. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.
As mentioned above, the Wireshark installer also installs Npcap. If you prefer to install Npcap manually or want to use a different version than the one included in the Wireshark installer, you can download Npcap from the main Npcap site.
Wireshark updates may also include a new version of Npcap. Manual Npcap update instructions can be found on the Npcap website. You may have to reboot your machine after installing a new Npcap version.
In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.
Many distributions use yum or a similar package management tool to make installation of software (including its dependencies) easier. If your distribution uses yum, use the following command to install Wireshark together with the Qt GUI:
New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done the same way as installing it. Simply download and run the installer on Windows, or download and drag the application on macOS. A reboot is usually not required and all your personal settings will remain unchanged.
The following chapters contain many screenshots of Wireshark. As Wireshark runs on many different platforms, with different window managers, different styles, and different versions of the underlying GUI toolkit, your screen might look different from the provided screenshots. But as there are no real differences in functionality, these screenshots should still be easy to follow.
Embeds the used TLS decryption secrets into the capture file, which lets TLS be decrypted without having the separate keylog file. Note that the ability to save decryption secrets depends on your file format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.
This will discard all embedded decryption secrets from the capture file. Note that the ability to save decryption secrets depends on your file format. E.g., pcapng supports Decryption Secrets Blocks, pcap does not.
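Both menu items above turn on the same pcapng feature: a Decryption Secrets Block (DSB) stored alongside the packets. A capture that carries a DSB lets anyone who receives the file decrypt the TLS sessions in it, so it is worth being able to tell whether a file you are about to share contains one. The following added example is not from the Wireshark User's Guide and is not Wireshark code; it walks the pcapng block structure (Section Header Block, then a sequence of length-framed blocks), lists the secrets types of any DSBs, and produces a copy with the DSBs removed, which is what the discard item does. The block type and secrets-type constants are those of the pcapng specification; `build_sample_capture` constructs a minimal pcapng in memory with a fake key log line so the code runs offline. Classic pcap files are rejected with `ValueError`, which mirrors the note that pcap has nowhere to store secrets.

```python
import struct

SHB_TYPE = 0x0A0D0D0A   # Section Header Block (byte-order independent)
IDB_TYPE = 0x00000001   # Interface Description Block
DSB_TYPE = 0x0000000A   # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Secrets types defined by the pcapng specification.
SECRET_TYPE_NAMES = {
    0x544C534B: "TLS key log",
    0x5353484B: "SSH key log",
    0x57474B4C: "WireGuard key log",
    0x5A4E574B: "ZigBee NWK key",
    0x5A415053: "ZigBee APS key",
}


def _pad4(n: int) -> int:
    return (n + 3) & ~3


def make_block(endian: str, block_type: int, body: bytes) -> bytes:
    """Frame a body as a pcapng block: type, total length, padded body, total length."""
    body += b"\x00" * (_pad4(len(body)) - len(body))
    total = len(body) + 12
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def parse_blocks(data: bytes):
    """Return (endian, [(block_type, body, raw_block_bytes), ...]); ValueError if not pcapng."""
    if len(data) < 28 or struct.unpack("<I", data[:4])[0] != SHB_TYPE:
        raise ValueError("not a pcapng file (classic pcap cannot carry decryption secrets)")
    # The byte-order magic inside the SHB tells us how to read every later length field.
    endian = "<" if struct.unpack("<I", data[8:12])[0] == BYTE_ORDER_MAGIC else ">"
    if struct.unpack(endian + "I", data[8:12])[0] != BYTE_ORDER_MAGIC:
        raise ValueError("bad byte-order magic")
    blocks, off = [], 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        block_type, total = struct.unpack(endian + "II", data[off:off + 8])
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length at offset {off}")
        trailer = struct.unpack(endian + "I", data[off + total - 4:off + total])[0]
        if trailer != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        blocks.append((block_type, data[off + 8:off + total - 4], data[off:off + total]))
        off += total
    return endian, blocks


def embedded_secret_types(data: bytes) -> list:
    """Names of the secrets carried by each DSB, in file order (empty if none)."""
    endian, blocks = parse_blocks(data)
    names = []
    for block_type, body, _ in blocks:
        if block_type == DSB_TYPE:
            secrets_type = struct.unpack(endian + "I", body[:4])[0]
            names.append(SECRET_TYPE_NAMES.get(secrets_type, f"unknown (0x{secrets_type:08x})"))
    return names


def strip_decryption_secrets(data: bytes) -> bytes:
    """Copy of the file with every DSB removed; all other blocks are kept byte-for-byte."""
    _, blocks = parse_blocks(data)
    return b"".join(raw for block_type, _, raw in blocks if block_type != DSB_TYPE)


def build_sample_capture(with_secrets: bool, endian: str = "<") -> bytes:
    """Constructed minimal pcapng: SHB + Ethernet IDB, optionally followed by a DSB
    holding a fake (constructed) TLS key log line. Not a real capture."""
    shb = make_block(endian, SHB_TYPE,
                     struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = make_block(endian, IDB_TYPE, struct.pack(endian + "HHI", 1, 0, 65535))
    out = shb + idb
    if with_secrets:
        keylog = b"CLIENT_RANDOM " + b"00" * 32 + b" " + b"11" * 48 + b"\n"
        dsb_body = struct.pack(endian + "II", 0x544C534B, len(keylog)) + keylog
        out += make_block(endian, DSB_TYPE, dsb_body)
    return out


if __name__ == "__main__":
    cap = build_sample_capture(True)
    print(embedded_secret_types(cap))                              # ['TLS key log']
    print(embedded_secret_types(strip_decryption_secrets(cap)))   # []
```

To check a real file, read it as bytes and call `embedded_secret_types`; a non-empty list means the capture can be decrypted by anyone who has it, and `strip_decryption_secrets` gives you the version to share. Wireshark's own discard item does the same job from the GUI.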
Wireshark keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item expands all subtrees in all packets in the capture.
This item allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane.
Change the current display filter and apply it immediately. Depending on the chosen menu item, the current display filter string will be replaced or appended to by the selected protocol field in the packet details pane.
This allows you to create command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf and Windows Firewall (via netsh). Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported.
This allows you to extract credentials from the current capture file. Some of the dissectors (ftp, http, imap, pop, smtp) have been instrumented to provide the module with usernames and passwords, and more will be instrumented in the future. The dialog shows the packet number where the credentials were found, the protocol that provided them, the username, and protocol-specific information.
This can launch an application such as a web browser or a terminal window with the SSLKEYLOGFILE environment variable set to the same value as the TLS secret log file. Note that you will probably have to quit your existing web browser session in order to have it run under a fresh environment.
The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu if the space on the screen is needed to show more packet data.