Chapter 6. Working with captured packets

Table of Contents

6.1. Viewing packets you have captured
6.2. Pop-up menus
6.2.1. Pop-up menu of the "Packet List" column header
6.2.2. Pop-up menu of the "Packet List" pane
6.2.3. Pop-up menu of the "Packet Details" pane
6.3. Filtering packets while viewing
6.4. Building display filter expressions
6.4.1. Display filter fields
6.4.2. Comparing values
6.4.3. Combining expressions
6.4.4. A common mistake
6.5. The "Filter Expression" dialog box
6.6. Defining and saving filters
6.7. Defining and saving filter macros
6.8. Finding packets
6.8.1. The "Find Packet" dialog box
6.8.2. The "Find Next" command
6.8.3. The "Find Previous" command
6.9. Go to a specific packet
6.9.1. The "Go Back" command
6.9.2. The "Go Forward" command
6.9.3. The "Go to Packet" dialog box
6.9.4. The "Go to Corresponding Packet" command
6.9.5. The "Go to First Packet" command
6.9.6. The "Go to Last Packet" command
6.10. Marking packets
6.11. Ignoring packets
6.12. Time display formats and time references
6.12.1. Packet time referencing

6.1. Viewing packets you have captured

Once you have captured some packets, or opened a previously saved capture file, you can inspect any packet shown in the packet list pane by clicking on it. The selected packet is then decoded in the tree view (packet details) pane and shown as raw bytes in the byte view pane.

You can expand any branch of the tree view by clicking on the plus sign (the symbol itself may vary) to the left of that part of the protocol tree, and you can select individual fields by clicking on them. The tree view and byte view are linked: selecting a field in the tree highlights exactly the bytes that field occupies in the byte view, which is the quickest way to confirm where a value actually sits in the frame. An example with a TCP packet selected is shown in Figure 6.1, “Wireshark with a TCP packet selected for viewing”. The Acknowledgment number in the TCP header is selected in the tree view, and the corresponding four bytes are highlighted in the byte view.

Figure 6.1. Wireshark with a TCP packet selected for viewing

You can also select and view packets the same way while Wireshark is capturing, provided "Update list of packets in real time" is enabled (in the Capture Options dialog box, or in the Capture section of the Preferences dialog box).

In addition, you can view individual packets in a separate window as shown in Figure 6.2, “Viewing a packet in a separate window”. Do this by selecting the packet you are interested in in the packet list pane and then choosing "Show Packet in New Window" from the View menu, or by double-clicking the packet in the packet list. Each window keeps its own tree view and byte view, which makes it easy to compare two or more packets side by side.

Figure 6.2. Viewing a packet in a separate window
