eXtensible Markup Language (XML)

For a description of XML refer to Wikipedia's XML Page

Protocol dependencies

XML content is normally dissected by Wireshark from several MIME media-types. The MIME content is provided by a wide variety of protocols including HTTP, JXTA, RTSP and SIP. You can add MIME processing support to your dissector via :

Example traffic

XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot).


The XML dissector is fully functional. and it has the ability to load XML DTDs and use them to choose the filter fields to be used when parsing XML.

/!\ The XML dissector is not an XML validator! It uses the DTDs just to be able to extract information for the filtering engine.

Preference Settings

* Use Heuristics. Tries to recognise unknown XML media types


There's a directory in the wireshark data dir called dtds that contains DTDs (Take a look at what's in there). All files ending in .dtd will be processed.

For an explanation on how XML DTDs are made you can take a look at this tutorial

Because the dissector only interested in names, almost anything that "looks like" a DTD is ok, you do not need a real one.

The minimum file contains just the <? wireshark:protocol ?> XML processing instruction (XMLPI).

The following DTD tags are (partially) implemented and must be after the <?wireshark:protocol?> XMLPI tag

There are more complex DTD tags that allow "parameterized types" or "templates" that aren't implemented. The DTD parser does not currently support file inclusion, i.e. You will have cut-and-paste common sections "by hand" into your DTD files.

example DTD

this creates the following filter fields

given the xml:

all these filter expressions match:

<? wireshark:protocol ?>

The <?wireshark:protocol?> XML processing instruction is used to tell wireshark how to interpret with the rest of the DTD file

The PI allows the following attributes:


The name to be used as the root of the namespace, the protocol. It SHOULD be there.


A description of the protocol described by the DTD.


The MIME media type associated with this DTD. MIME content with this type will be dissected using the DTD.


root="that" has the effect that all field names from there will be "this.that"


Recursion in elements is stopped abruptly the second time the same element is found a "root name" will be used instead.

will create:


The only form accepted by the current DTD parser is:

Other forms will cause a syntax error.


These are "replace" text.

is equivalent to:

{*} Note: entities of both types (% and no %) are resolved by the DTD parser. There is no information whatsoever available about entities while dissecting.


Elements are the main building blocks of both XML and HTML documents.

The first ELEMENT tag found will be the default root if none was given with the <?wireshark:protocol?>. If it's name is different from proto_name the root name will be protoname.elemname


Attributes provide extra information about elements.

ATTLIST parameters will be ignored we just care about the name.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here.

Display Filter

A complete list of XML display filter fields can be found in the display filter reference

Show only the XML based traffic:

XML based protocols for which a DTD exists in the dtds directory will have their own protocol fields instead. You won't get RSS (for which a default DTD exists) if you filter with xml instead try

Capture Filter

You cannot directly filter XML protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

Capture only the XML traffic over HTTP that uses HTTP's default port (80):


I don't have an RSS capture at hand, but the statement in the Display Filter section about xml not working as a filter where a DTD exists doesn't seem true for the protocol I'm playing with... Martin Mathieson

XML (last edited 2013-06-14 19:44:59 by vincent)