Chapter 6. Working With Captured Packets

Table of Contents

6.1. Viewing Packets You Have Captured
6.2. Pop-up Menus
6.2.1. Pop-up Menu Of The “Packet List” Column Header
6.2.2. Pop-up Menu Of The “Packet List” Pane
6.2.3. Pop-up Menu Of The “Packet Details” Pane
6.2.4. Pop-up Menu Of The “Packet Bytes” Pane
6.2.5. Pop-up Menu Of The “Packet Diagram” Pane
6.3. Filtering Packets While Viewing
6.4. Building Display Filter Expressions
6.4.1. Display Filter Fields
6.4.2. Comparing Values
6.4.3. Combining Expressions
6.4.4. Slice Operator
6.4.5. The Layer Operator
6.4.6. The At Operator
6.4.7. Membership Operator
6.4.8. Arithmetic operators
6.4.9. Functions
6.4.10. Field References
6.4.11. Sometimes Fields Change Names
6.4.12. Some protocol names can be ambiguous
6.5. The “Display Filter Expression” Dialog Box
6.6. Defining And Saving Filters
6.7. Defining And Saving Filter Macros
6.8. Finding Packets
6.8.1. The “Find Packet” Toolbar
6.9. Go To A Specific Packet
6.9.1. The “Go Back” Command
6.9.2. The “Go Forward” Command
6.9.3. The “Go to Packet” Toolbar
6.9.4. The “Go to Corresponding Packet” Command
6.9.5. The “Go to First Packet” Command
6.9.6. The “Go to Last Packet” Command
6.10. Marking Packets
6.11. Ignoring Packets
6.12. Time Display Formats And Time References
6.12.1. Packet Time Referencing
6.13. Time Shifting Packets

6.1. Viewing Packets You Have Captured

Once you have captured some packets or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.

You can then expand any part of the tree to view detailed information about each protocol in each packet. Clicking on an item in the tree will highlight the corresponding bytes in the byte view. An example with a TCP packet selected is shown in Figure 6.1, “Wireshark with a TCP packet selected for viewing”. It also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as the selected bytes.

Figure 6.1. Wireshark with a TCP packet selected for viewing

ws packet selected

You can also select and view packets the same way while Wireshark is capturing if you selected “Update list of packets in real time” in the “Capture Preferences” dialog box.

In addition you can view individual packets in a separate window as shown in Figure 6.2, “Viewing a packet in a separate window”. You can do this by double-clicking on an item in the packet list or by selecting the packet in which you are interested in the packet list pane and selecting ViewShow Packet in New Window. This allows you to easily compare two or more packets, even across multiple files.

Figure 6.2. Viewing a packet in a separate window

ws packet sep win

Along with double-clicking the packet list and using the main menu there are a number of other ways to open a new packet window: