Understanding Wireshark: First Packet in A Conversation. Part of The Selected Conversation

UNDERSTANDING WIRESHARK

The Packet List Pane

No.: The number of the packet in the capture file. This number won’t change, even if a display filter is used.
Time: The timestamp of the packet. The presentation format of this timestamp can be changed.
Source: The address this packet is coming from.
Destination: The address this packet is going to.
Protocol: The protocol name in a short (perhaps abbreviated) version.
Length: The length of each packet.
Info: Additional information about the packet content.
The first column shows how each packet is related to the selected packet. For example, in the
image above the first packet is selected, which is a DNS request. Wireshark shows a
rightward arrow for the request itself, followed by a leftward arrow for the response in packet
2. Why is there a dashed line? There are more DNS packets further down that use the same
port numbers. Wireshark treats them as belonging to the same conversation and draws a line
connecting them.
Related packet symbols:
• First packet in a conversation.
• Part of the selected conversation.
• Not part of the selected conversation.
• Last packet in a conversation.
• Request.
• Response.
• The selected packet acknowledges this packet.
• The selected packet is a duplicate acknowledgement of this packet.
• The selected packet is related to this packet in some other way, e.g. as part of reassembly.
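The grouping described above, as an added example that is not part of the original document: packets are keyed on their endpoint pair regardless of direction, so a request, its reply, and later packets reusing the same ports land in one conversation, and each packet is then described relative to the selected one. The packet list is constructed; deciding request versus response purely by direction is an assumption here (Wireshark's dissectors decide it per protocol).

```python
from collections import defaultdict

# Constructed capture: (no, src, sport, dst, dport, proto). Packets 1, 2, 5 and 6
# reuse the same port pair, so they form one conversation; 3 and 4 form another.
PACKETS = [
    (1, "10.0.0.5", 50123, "8.8.8.8", 53, "DNS"),
    (2, "8.8.8.8", 53, "10.0.0.5", 50123, "DNS"),
    (3, "10.0.0.5", 50124, "8.8.8.8", 53, "DNS"),
    (4, "8.8.8.8", 53, "10.0.0.5", 50124, "DNS"),
    (5, "10.0.0.5", 50123, "8.8.8.8", 53, "DNS"),
    (6, "8.8.8.8", 53, "10.0.0.5", 50123, "DNS"),
]

def conversation_key(pkt):
    """Direction-independent key: the two endpoints are sorted, so a request
    and its reply map to the same conversation whoever sent them."""
    _, src, sport, dst, dport, proto = pkt
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def related_packets(packets, selected_no):
    """Describe every packet relative to the selected one, mirroring the
    related-packet column. Direction relative to the conversation's first
    packet stands in for request/response (assumption, see lead-in)."""
    convs = defaultdict(list)
    for p in packets:
        convs[conversation_key(p)].append(p)
    selected = next(p for p in packets if p[0] == selected_no)
    members = convs[conversation_key(selected)]
    requester = members[0][1]  # sender of the conversation's first packet
    result = {}
    for p in packets:
        no = p[0]
        if p not in members:
            result[no] = "not part of the selected conversation"
            continue
        if no == members[0][0]:
            tag = "first packet in a conversation"
        elif no == members[-1][0]:
            tag = "last packet in a conversation"
        else:
            tag = "part of the selected conversation"
        direction = "request" if p[1] == requester else "response"
        result[no] = f"{tag}, {direction}"
    return result

if __name__ == "__main__":
    for no, desc in related_packets(PACKETS, 1).items():
        print(no, desc)
```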

The Packet Details Pane

This pane shows the protocols and protocol fields of the packet selected in the “Packet List”
pane. The protocols and fields of the packet are shown in a tree which can be expanded and
collapsed.
A context menu (right mouse click) is available. See Figure 6.5, “Pop-up menu of the
“Packet Details” pane”, for details.
Some protocol fields have special meanings.
Generated fields. Wireshark itself will generate additional protocol information which isn’t
present in the captured data. This information is enclosed in square brackets (“[” and “]”).
Generated information includes response times, TCP analysis, IP geolocation information,
and checksum validation.
Links. If Wireshark detects a relationship to another packet in the capture file it will generate
a link to that packet. Links are underlined and displayed in blue. If you double-click a
link, Wireshark jumps to the corresponding packet.

The Packet Bytes Pane


The “Packet Bytes” pane shows the data of the current packet (selected in the “Packet List”
pane) as a canonical hex dump. Each line contains the data offset, sixteen hexadecimal bytes,
and sixteen ASCII bytes. Non-printable bytes are replaced with a period (“.”).
Depending on the packet data, sometimes more than one page is available, e.g. when
Wireshark has reassembled some packets into a single chunk of data. (See Section 7.8,
“Packet Reassembly” for details). In this case you can see each data source by clicking its
corresponding tab at the bottom of the pane.
Figure: the Packet Bytes pane with tabs.

Additional pages typically contain data reassembled from multiple packets or decrypted data.
The context menu (right mouse click) of the tab labels will show a list of all available pages.
This can be helpful if the size in the pane is too small for all the tab labels.

Details Packet Pane


Number
The packet list pane shows you the exact number of captured packets. Since the packets
are organized in several columns, it’s fairly easy to interpret. The default columns are:
No. (Number): As mentioned, you can find the exact number of captured packets in this
column. The digits will remain the same even after filtering the data.
Time: As you might’ve guessed, the packet’s timestamp is displayed here.
Source: It shows where the packet originated.
Destination: It shows where the packet is being sent.
Protocol: It displays the name of the protocol, typically as an abbreviation.
Length: It shows the number of bytes contained in the captured packet.
Info: The column includes any additional information about a particular packet.

Time
As Wireshark analyzes the network traffic, each captured packet is timestamped. The
timestamps are then included in the packet list pane and available for later inspection.
Wireshark doesn’t create the timestamps itself. Instead, the analyzer tool gets them
from the Npcap library. However, the source of the timestamp is actually the kernel. That’s
why the accuracy of the timestamp can vary from file to file.
You can choose the format in which the timestamps will be displayed in the packet list. In
addition, you can set the preferred precision, i.e. the number of decimal places that are displayed.
Apart from the default precision setting, there’s also:
• Seconds
• Tenths of a second
• Hundredths of a second
• Milliseconds
• Microseconds
• Nanoseconds

Source
As the name suggests, the source of the packet is its place of origin. If you want to obtain the
source code of the Wireshark repository, you can download it by using a Git client. However,
the method requires you to have a GitLab account. It’s possible to do it without one, but it’s
better to sign up just in case.
Once you’ve registered an account, follow these steps:
1. Make sure Git is functional by using this command: “$ git --version”.
2. Double-check that your email address and username are configured.
3. Next, make a clone of the Wireshark source. Use the SSH URL to make the copy: “$ git clone -o upstream
git@gitlab.com:wireshark/wireshark.git”.
4. If you don’t have a GitLab account, try the HTTPS URL: “$ git clone -o upstream
https://gitlab.com/wireshark/wireshark.git”.
All the sources will be subsequently copied to your device. Keep in mind the cloning might
take a while, especially if you have a sluggish network connection.
Destination
If you want to know the IP address of a particular packet’s destination, you can use the
display filter to locate it. Here’s how:
1. Enter “ip.addr == 8.8.8.8” into the Wireshark “Filter Box”. Then, press “Enter”.
2. The packet list pane will be reconfigured to show only packets matching that address. Find the
IP address you’re interested in by scrolling through the list.
3. Once you’re done, select “Clear” from the toolbar to restore the full packet list pane.

Protocol
A protocol is a guideline that determines the data transmission between different devices that
are connected to the same network. Each Wireshark packet contains a protocol, and you can
bring it up by using the display filter. Here’s how:
1. At the top of the Wireshark window, click on the “Filter” dialog box.
2. Enter the name of the protocol you want to examine. Typically, protocol titles are
written in lowercase letters.
3. Click “Enter” or “Apply” to enable the display filter.

Length
The length of a Wireshark packet is determined by the number of bytes captured in that
particular network snippet. That number usually corresponds with the number of raw data
bytes listed at the bottom of the Wireshark window.
If you want to examine the distribution of lengths, open the “Packet Lengths” window. All
the info is divided into the following columns:
• Packet lengths
• Count
• Average
• Min Val/Max Val
• Rate
• Percent
• Burst rate
• Burst start

Info
If there are any anomalies or similar items within a particular captured packet, Wireshark will
note it. The information will then be displayed in the packet list pane for further examination.
That way, you’ll have a clear picture of atypical network behavior, which will result in
speedier reactions.

FAQ
How can I filter the packet data?
Filtering is an efficient feature that allows you to look into the specifics of a particular data
sequence. There are two types of Wireshark filters: capture and display. Capture filters are
there to restrict the packet capture to fit specific demands. In other words, you can sift
through different types of traffic by applying a capture filter. As the name suggests, display
filters allow you to home in on a particular element of the packet, from packet length to
protocol.
Applying a filter is a pretty straightforward process. You can type the filter title in the dialog
box at the top of the Wireshark window. In addition, the software will usually auto-complete
the name of the filter.
Alternatively, if you want to comb through the default Wireshark filters, do the following:
1. Open the “Analyze” tab in the toolbar at the top of the Wireshark window.
2. From the drop-down list, select “Display Filter.”
3. Browse through the list and click on the one you want to apply.
Finally, here are some common Wireshark filters that can come in handy:

• To only view the source and destination IP address, use: “ip.src==IP-address and
ip.dst==IP-address”
• To only view SMTP traffic, type: “tcp.port eq 25”
• To capture all subnet traffic, apply: “net 192.168.0.0/24”
• To capture everything but the ARP and DNS traffic, use: “port not 53 and not arp”
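How the display filters above select packets, as an added example that is not part of the original document: a small evaluator for the `field == value` / `field eq value` terms joined by `and` and `or` that this page uses. It shows why “ip.addr == 8.8.8.8” (the Destination procedure earlier) returns packets in both directions while “ip.dst” limits the list to the destination, and why “tcp.port eq 25” catches both halves of an SMTP exchange. The packet records and the field expansion table are constructed for this example; parentheses and other operators are not supported.

```python
import re

# Constructed packets, each reduced to the fields a display filter would test.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "udp.srcport": 50123, "udp.dstport": 53},
    {"no": 2, "ip.src": "8.8.8.8", "ip.dst": "10.0.0.5", "udp.srcport": 53, "udp.dstport": 50123},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.25", "tcp.srcport": 44000, "tcp.dstport": 25},
    {"no": 4, "ip.src": "192.0.2.25", "ip.dst": "10.0.0.5", "tcp.srcport": 25, "tcp.dstport": 44000},
]

# "Either direction" fields expand to both concrete fields (assumed table).
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
TERM = re.compile(r"^\s*([\w.]+)\s*(==|eq)\s*(\S+)\s*$")

def term_matches(pkt, term):
    """True if any field the term names carries the given value."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, _, value = m.groups()
    values = [str(pkt[f]) for f in ALIASES.get(field, (field,)) if f in pkt]
    return value in values

def filter_matches(pkt, expr):
    """'and' binds tighter than 'or', as in Wireshark; no parentheses."""
    return any(all(term_matches(pkt, t) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def display_filter(packets, expr):
    """Packet numbers that the packet list would keep for this filter."""
    return [p["no"] for p in packets if filter_matches(p, expr)]

if __name__ == "__main__":
    for expr in ("ip.addr == 8.8.8.8", "ip.dst == 8.8.8.8", "tcp.port eq 25"):
        print(f"{expr:22} -> packets {display_filter(PACKETS, expr)}")
```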
