`Ethereal` User's Guide: V1.1 for Ethereal 0.8.19
<<< Previous	Using `Ethereal`	Next >>>

Viewing packets you have captured

Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on that packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.

You can then expand any part of the tree view by clicking on the plus sign to the left of that part of the payload, and you can select individual fields by clicking on them in the tree view pane. An example with a TCP segment selected is shown in Figure 10. It also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as the selected bytes.

Figure 10. Ethereal with a TCP segment selected for viewing

You can also select and view packets when Ethereal is capturing if you selected "Update list of packets in real time" in the Ethereal Capture Preferences dialog box.

In addition, you can view individual packets in a separate window as shown in Figure 11. Do this by selecting the packet you are interested in in the packet list pane, and then select "Show Packet in New Windows" from the Display menu. This allows you to easily compare two or more packets.

Figure 11. Viewing a packet in a separate window

Finally, you can bring up a pop-up menu over either the packet list pane or the tree view pane by clicking your right mouse button. The menus that is popped up contains the following items:

Figure 12. Packet Pane pop-up menu

Follow TCP Stream: This menu item is the same as the Display menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.
Decode As...: This menu item is the same as the Display menu item of the same name.
Display Filters...: This menu item is the same as the Edit menu item of the same name. It allows you to specify and manage filters.
Colorize Display...: This menu item is the same as the Display menu item of the same name. It allows you to colorize packets in the packet list pane.
Print...: This menu item is the same as the File menu item of the same name. It allows you to print packets.
Print Packet: This menu item is the same as the File menu item of the same name. It allows you to print the currently selected packet.
Show Packet in New Window: This menu item is the same as the Display menu item of the same name. It allows you to display the selected packet in another window.

Figure 13. Treeview Pane pop-up menu

Follow TCP Stream: This menu item is the same as the Display menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.
Decode As...: This menu item is the same as the Display menu item of the same name.
Display Filters...: This menu item is the same as the Edit menu item of the same name. It allows you to specify and manage filters.
Resolve Name: This menu item causes name resolution to be performed for the selected packet, but NOT every packet in the capture.
Protocol Properties...: The menu item takes you to the protocol properties dialog if there are properties associated with the highlighted fields. More information on preferences can be found in Figure 29 in the Section called Ethereal preferences.
Match Selected: This menu item allows you to select all packets that have a matching value in the field selected in the tree view pane (middle pane).
Collapse All: Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.
Expand All: This menu item expands all subtrees in all packets in the capture.

<<< Previous	Home	Next >>>
Filtering while capturing	Up	Display Options