Inspection
When you start inspecting and comparing packets in a packet capture, you'll notice that the second column is based on time. Most computer systems start counting at 0, and Wireshark is no different. The first packet in the capture is assigned a time value of 0, and every other timestamp is shown relative to that first packet. To view statistics for a number of packets, select Statistics on the menu. The statistics vary according to protocol, address, port, stream, or conversation.
A conversation is a pair of physical or logical entities communicating. Conversations can be tracked by MAC address, ARP, ICMP pings, or port numbers. To compare the conversations in the packet capture, go to the Statistics menu, and then inside that menu, go to Conversations. The default tabs across the top of the Conversations dialog box break the data down into Ethernet, IPv4, IPv6, TCP, and UDP. Each line shows the values for exactly one conversation. To add other conversation statistics, click Conversation Types in the lower-right corner. When working with a large file, sorting on the bytes transferred between hosts lets you find the most active communication by packet count or by duration of conversation. In Figure 7.8, notice that the IPv4 conversations column has been sorted to show the most active conversation between source and destination.
There is another tool in Wireshark that logs anomalies found in a capture file: the Expert Info tool. The idea behind this tool is to provide a better understanding and display of notable network behavior, so that both novice and expert users can solve issues quickly rather than combing through every packet manually. Expert Info, as you see in Figure 7.9, should be treated as a hint rather than a verdict.
Every Expert Info type has a specific severity level. Table 7.3 lists the different Expert Info severity levels.
Table 7.3: Expert Info severity levels
LEVEL | COLOR | EXPLANATION |
Chat | Blue | Informational, usual workflow |
Note | Cyan | Normal errors |
Warning | Yellow | Unusual errors |
Error | Red | Serious problem |
You can configure a graph of the captured network packets. The I/O graph shows the overall traffic as well as the highs and lows in your traffic, typically as a per-second packet rate. You can use this to diagnose problems, and you can even use it for monitoring. By default, the x-axis interval is set to 1 second and the y-axis unit is packets, as you see in Figure 7.10. Click any point on the graph to focus on that packet in the packet list behind the graph. There are three different styles of graph you can use: line, impulse, and dots. If you are graphing multiple items, you can choose a different style for each graph.
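The two statistics views described above (Statistics > Conversations sorted by bytes, and the I/O graph's packets per 1-second interval) are simple aggregations over packet timestamps and lengths. The following is an added example, not code from the book or from the Wireshark project, that reproduces both over a constructed list of packet records, anchoring relative time at the first packet (time 0) exactly as the time column does. The Packet record, the SAMPLE_CAPTURE list, and the function names are assumptions made for this example; the addresses and lengths are constructed, not taken from a real capture.

```python
"""Conversation and I/O statistics over a constructed packet list.

Added example (not the book's or Wireshark's code). It computes what
Statistics > Conversations (IPv4 tab) and the I/O Graph display:
relative timestamps anchored at the first packet, one row per
bidirectional IPv4 conversation sorted by bytes, and packets/bytes per
1-second interval.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # absolute capture time, seconds since the epoch
    src: str
    dst: str
    length: int    # frame length in bytes


# Constructed sample capture (hypothetical values): a client doing a DNS
# lookup, then fetching a web page, plus one chatty internal pair that
# dominates the byte count.
SAMPLE_CAPTURE = [
    Packet(1700000000.000, "10.0.0.5", "8.8.8.8", 74),
    Packet(1700000000.020, "8.8.8.8", "10.0.0.5", 90),
    Packet(1700000000.100, "10.0.0.5", "93.184.216.34", 60),
    Packet(1700000000.150, "93.184.216.34", "10.0.0.5", 60),
    Packet(1700000000.200, "10.0.0.5", "93.184.216.34", 420),
    Packet(1700000000.900, "93.184.216.34", "10.0.0.5", 1514),
    Packet(1700000001.300, "93.184.216.34", "10.0.0.5", 1514),
    Packet(1700000001.400, "10.0.0.7", "10.0.0.9", 1514),
    Packet(1700000001.500, "10.0.0.7", "10.0.0.9", 1514),
    Packet(1700000002.100, "10.0.0.9", "10.0.0.7", 1514),
    Packet(1700000002.700, "10.0.0.7", "10.0.0.9", 1514),
]


def relative_times(packets):
    """Time column as Wireshark shows it: seconds since the first packet."""
    t0 = packets[0].ts
    return [round(p.ts - t0, 6) for p in packets]


def conversation_key(src, dst):
    """A->B and B->A belong to one conversation, so normalize endpoint
    order; both directions then map to the same key."""
    return (src, dst) if src <= dst else (dst, src)


def conversations(packets):
    """One row per IPv4 conversation: packets, bytes, bytes per direction,
    relative start and duration, sorted by total bytes (descending)."""
    t0 = packets[0].ts
    rows = {}
    for p in packets:
        a, b = conversation_key(p.src, p.dst)
        row = rows.setdefault((a, b), {
            "address_a": a, "address_b": b, "packets": 0, "bytes": 0,
            "bytes_a_to_b": 0, "bytes_b_to_a": 0, "first": p.ts, "last": p.ts,
        })
        row["packets"] += 1
        row["bytes"] += p.length
        if (p.src, p.dst) == (a, b):
            row["bytes_a_to_b"] += p.length
        else:
            row["bytes_b_to_a"] += p.length
        row["first"] = min(row["first"], p.ts)
        row["last"] = max(row["last"], p.ts)
    result = []
    for row in rows.values():
        row["rel_start"] = round(row.pop("first") - t0, 6)
        row["duration"] = round(row.pop("last") - (t0 + row["rel_start"]), 6)
        result.append(row)
    return sorted(result, key=lambda r: r["bytes"], reverse=True)


def io_graph(packets, interval=1.0):
    """(interval_start, packets, bytes) per interval, binned from t=0."""
    t0 = packets[0].ts
    bins = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        idx = int((p.ts - t0) // interval)
        bins[idx]["packets"] += 1
        bins[idx]["bytes"] += p.length
    return [(i * interval, bins[i]["packets"], bins[i]["bytes"])
            for i in range(max(bins) + 1)]


if __name__ == "__main__":
    for row in conversations(SAMPLE_CAPTURE):
        print(f'{row["address_a"]:>15} <-> {row["address_b"]:<15} '
              f'pkts={row["packets"]:>3} bytes={row["bytes"]:>6} '
              f'start={row["rel_start"]:.3f}s dur={row["duration"]:.3f}s')
    for start, pkts, nbytes in io_graph(SAMPLE_CAPTURE):
        print(f"t={start:4.1f}s packets={pkts} bytes={nbytes}")
```

The first row printed is the most active conversation, which is the same host pair you would find at the top of the Conversations dialog after sorting the Bytes column, and the per-interval list is the data behind the default I/O graph; in a real capture the Packet records would come from a dissector such as tshark or pyshark rather than a hand-built list.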
After capturing network traffic on your own system, the Nmap scan, and web browser traffic, you may want to branch out and look at other, more complicated traffic without having access to a more complicated network. There is a link inside Wireshark that will help you build a strong skill set with this tool: under the Help menu are sample captures that can be interesting to dissect. On the page that lists the sample captures, one of the simplest to begin with is HTTP.cap, which is a simple HTTP request and response.