Wireshark is loaded with some awesome features. Let's go through a few, though there are more.
The Decode-As feature lets Wireshark decode a packet with a protocol dissector of your choosing. Normally Wireshark identifies and decodes incoming packets by their standard port: traffic on port 443, for example, is decoded as SSL. If a service runs on a non-standard port (say, SSL on 4433 instead of its standard port 443), Wireshark sees only TCP; the Decode-As feature can then be used to decode that communication with the SSL protocol preference.
Open the sample https.pcap file from. HTTPS traffic is captured in this file, but when it is opened in Wireshark it doesn't show any SSL-related data; instead it just shows all TCP communications:

To decode this traffic as SSL, follow these steps:
The protocol preference feature gives you the flexibility to customize how Wireshark processes and displays packets and how they are analyzed. You can set protocol preferences by one of the following methods:

Wireshark supports a large set of protocols and their preferences. As an example, the HTTP protocol preferences and their meanings are described in the following table:
| HTTP protocol preference | What does this mean? |
|---|---|
| Reassemble HTTP headers spanning multiple TCP segments | The HTTP dissector will reassemble the HTTP header if it has been transmitted over more than one TCP segment |
| Reassemble HTTP bodies spanning multiple TCP segments | The HTTP dissector will reassemble the HTTP body if it has been transmitted over more than one TCP segment |
| Reassemble chunked transfer-coded bodies | Reassemble all chunks across the segments and add them to the payload |
| Decompress entity bodies | Used for the visualization of compressed data ( |
| SSL/TLS ports | Add/remove SSL/TLS ports (default is |
| Custom HTTP header fields | Define new header fields |
The following screenshot shows HTTP protocol preferences in Wireshark:
For an example of using protocol preferences, refer to finding the top HTTP response time in Chapter 05, Analyze the DHCP, DHCPv6, DNS, HTTP Protocols.
Use the IO graph to check client and server interaction data for a meaningful analysis. The Wireshark IO graph measures throughput as a rate of packets per tick, where each tick is one second. In this example we will see how to make use of the IO graph. Open the file http_01.pcap in Wireshark and follow the given steps:
tcp.analysis.duplicate_ack

There are a lot of use cases for IO graphs. Some of them are as follows:

Graphing traffic per protocol using display filters such as tcp, http, udp, ntp, and ldap.

The following screenshots show the results of the preceding steps:
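Wireshark's IO graph counts the packets that fall into each one-second tick, measured from the first packet. The following added example (not from the book) does the same computation on a tiny constructed pcap using only the Python standard library, so the zero-traffic gap in tick 2 shows up as a 0 just as the graph would draw it; the optional `match` predicate and the constructed DATA/ACK frame markers are stand-ins for a real dissector and per-graph display filter.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def build_pcap(records):
    """Build a minimal pcap byte string (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    chunks = [header]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        chunks.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(chunks)

def iter_packets(data):
    """Yield (timestamp in seconds, frame bytes) for every record in the pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    offset = 24  # length of the global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec + usec / 1_000_000, data[offset:offset + incl_len]
        offset += incl_len

def io_graph(data, tick=1.0, match=lambda frame: True):
    """Packets per tick from the first packet, counting only frames accepted by `match`.
    Ticks with no matching packets are kept as zeros so gaps in traffic stay visible."""
    counts = Counter()
    first = None
    for ts, frame in iter_packets(data):
        if first is None:
            first = ts  # the graph's time axis starts at the first packet
        if match(frame):
            counts[int((ts - first) // tick)] += 1
    width = (max(counts) + 1) if counts else 0
    return [counts[i] for i in range(width)]

# Constructed sample: 7 frames over 4 seconds; DATA/ACK markers stand in for real headers.
SAMPLE = build_pcap([
    (1700000000.10, b"DATA"), (1700000000.35, b"ACK"), (1700000000.70, b"DATA"),
    (1700000001.20, b"ACK"),
    (1700000003.20, b"DATA"), (1700000003.40, b"DATA"), (1700000003.90, b"ACK"),
])

if __name__ == "__main__":
    print("all packets:", io_graph(SAMPLE))                                 # [3, 1, 0, 3]
    print("DATA only  :", io_graph(SAMPLE, match=lambda f: f == b"DATA"))  # [2, 0, 0, 2]
```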
The TCP stream feature allows users to see the data from a TCP stream. Open the file http_01.pcap in Wireshark and follow the TCP stream to get the first HTTP OK, as shown:

In this example we have located the HTTP OK on packet #35, then right-clicked it and selected Follow TCP Stream:
Once the stream is applied, a TCP stream dialog box will open displaying which request is sent and what response is received in this HTTP conversation:
The stream content is available in six formats as shown; the red content in the screenshot is the request, the blue content in the screenshot is the response:
The Export Specified Packets feature allows you to export the filtered packets to a separate file. For example, open http.pcap in Wireshark and export the HTTP OK packets. The steps for exporting specified packets are as follows:

Enter http.response.code == 200 in the Filter bar:

18.221.126.56