Wireshark is loaded with some awesome features. Let's go through a few, though there are more.
The Decode-As feature allows Wireshark to decode the packet based on the selected protocol. Usually Wireshark will automatically identify and decode incoming packets based on the standard port—for example, port 443 will be decoded as SSL. If the services are running on the non-standard port, for example SSL standard port is 443 and the service is running on 4433, in this case the Decode-As feature can be used to decode this communication using the SSL protocol preference.
Open the sample https.pcap file from. HTTPS traffic is captured when the file is opened in Wireshark. It doesn't show SSL-related data; instead it just shows all TCP communications:
To decode this traffic as SSL, follow these steps:
The protocol preference feature provides the flexibility for you to customize how the Wireshark display is processed, and how packets are analyzed. You can set protocol preferences by one of the following methods:
- Go to Edit | Preferences | Protocols to adjust the settings
- A simple way is to right-click on a protocol in the Packet Details pane and select Protocol Preferences
Wireshark supports a large set of protocols and it's preferences, for example HTTP protocol preferences and their meanings as defined in the following table:
|
HTTP protocol preferences |
What does this mean? |
|---|---|
|
Reassemble HTTP headers spanning multiple TCP segments |
HTTP dissector will reassemble the HTTP header if it has been transmitted over more than one TCP segment |
|
Reassemble HTTP bodies spanning multiple TCP segments |
HTTP dissector will reassemble the HTTP body if it has been transmitted over more than one TCP segment |
|
Reassemble chunked transfer-coded bodies |
Reassemble all chunks across the segments and add them to the payload |
|
Decompress entity bodies |
Used for the visualization of compressed data ( |
|
SSL/TLS ports |
Add/remove SSL/TLS ports (default is |
|
Custom HTTP header fields |
Define new header fields |
The following screenshot shows HTTP protocol preferences in Wireshark:
Tip
Refer to the example of finding the top HTTP response time in Chapter 05, Analyze the DHCP, DHCPv6, DNS, HTTP Protocols when using protocol preferences.
Use the IO graph to check client and server interaction data for a meaningful analysis. The Wireshark IO graph measures throughput (the rate is packet-per-tick), where each tick is one second. In this example we will see how to make use of the IO graph. Open the file http_01.pcap in Wireshark and follow the given steps:
- Click on Statistics | IO graph.
- The IO graph dialog box will appear.
- In the IO graph dialog box try to find the spike and click on it.
- When you click on the graph (the high area), Wireshark will automatically show the corresponding packet in the Packet List pane.
- Go back to the IO graph dialog box.
- Choose Graph2 and enter
tcp.analysis.duplicate_ack. - Click on Graph2 to apply the filter.
- The IO graph dialog will show the throughput of the duplicate ACK.
There are a lot of use cases for IO graphs. Some of them are as follows:
- Use IO graphs to analyze traffic patterns, for example how the traffic is distributed by plotting graphs on protocols for example
tcp,http,udp,ntp, andldap. - IO graphs come in handy when performing security analysis. More examples of IO graphs are available in Chapter 07, Network Security Analysis.
The following screenshots show the results of the preceding steps:
The TCP stream feature allows users to see the data from a TCP stream. Open the file http_01.pcap in Wireshark and follow the TCP stream to get the first HTTP OK, as shown:
In this example we have located the HTTP OK on packet#35 and then right clicked and selected Follow TCP Stream:
Once the stream is applied, a TCP stream dialog box will open displaying which request is sent and what response is received in this HTTP conversation:
The stream content is available in six formats as shown; the red content in the screenshot is the request, the blue content in the screenshot is the response:
The Export Specified Packets feature allows you to export the filtered packet in different files. For example, open http.pcap in Wireshark and export the HTTP OK packet. The steps for exporting a specified packet are as follows:
- Apply the filter
http.response.code == 200in the Filter bar:
- Go to File | Export Specified Packets. This opens up the dialog box with the export options, as shown:
