Practical Packet Analysis Notes 1

Hubbing out involves placing a hub or something like a Throwing Star lan tap between a host and switch. Per the books, in most situations duplex of target is cut to half.

View->Coloring Rules is a handy way to add your own rules to make traffic stand out.

Mark a packet so it stands out with white text & black backdrop. CTRL+M and you can advance or reverse with ctrl-shift-n and ctrl-shift-b.

You can merge pcaps. Tie together captures from multiple devices to get a better view. File-> Merge

Create capture and display filters. Wireshark uses comparison and logical operators.

 Comparison Operators
==     equal to
!=     not equal to
>     greater than
<     less than
>=     greater than or equal to
<=     less than or equal to

Logical Operators
and     both conditions must be true
or        either one of the conditions must be true
xor     one and only one condition must be true
not     neither one of the conditions is true
Sample Filter Expressions
host     display all traffic from host

!ip     display all non IP traffic

ip.dst==     Display all traffic with a destination of

You can manage and apply existing filters, or create a new filter from a current expression from within the filter construction dialog by clicking on the small filter icon to the left of the filter expression icon within the filter toolbar!

Name Resolution

You can enable name resolution by opening the Capture Options dialog. Capture–> Options and then select Options tab.

  1. MAC Name Resolution – Uses ARP to convert layer 2 MAC address into layer 3 IP addresses;  display 00:11:22:33:44:55:66 as
  2. Network Name Resolution – Uses DNS to resolve IP addresses to human readable DNS names; display as SalesWorkstation001.
  3. Transport Name Resolution – Convert port number to associated transport technology; display port 80 as http.

Name resolution may not be desirable. It can add processing overhead and resolution can fail. A capture does not store name resolution data, so expect this overhead when reviewing previously saved captures.

Protocol Dissection

Wireshark relies on protocol dissectors to to convert raw data into something understood by Wireshark, but it can select the wrong protocol dissector. Most commonly this occurs when a standard protocol is using a non-standard port. For instance, HTTP traffic flowing over port 22 could be classified as SSH!

Right click on a packet and from the menu select “Decode As.” This enables you to select a different protocol dissector than that which was chosen by Wireshark.

Following TCP Streams

Right click on a packet in the Packet list pane of the main window to Follow->TCP Stream  and view related packets and their payload that is delivered to the application level in the OSI stack. You can also select a TCP packet in the TCP  tab of the Statistics->Conversations dialog.


Statistics->Endpoints  summarizes traffic measured in bits, bytes, and packets grouped by hosts.